Summary of Contents for HP Sa3110 - VPN Server Appliance
Page 1
Hewlett-Packard Company HP: 5971-3009 P/N: A55310-001 March 2001...
Page 3
Except as provided in Hewlett-Packard Company’s Terms and Conditions of Sale for such products, Hewlett-Packard Company assumes no liability whatsoever, and Hewlett-Packard Company disclaims any...
HP VPN Concepts Guide Overview
The purpose of this HP VPN Concepts Guide is to provide you with information on the Hewlett-Packard Company virtual private networking (VPN) suite, consisting of five modular components that work together to provide secure communications across any network. Hewlett-Packard Company Virtual Private Networking Concepts Guide...
Using a powerful graphical user interface (GUI), you can configure and monitor VPN devices deployed in the field. The VPN Manager is also used to define and grant access to VPN Client users.
Page 11
VPN devices. As your network grows, you can add additional VPN devices, remote clients, and central management at any time. These components are illustrated next in a typical network configuration.
Page 12
Figure: Typical Network Configuration
Related Information: Operational Overview (page 1-5), TCP/IP Basics Overview (page 1-6), HP VPN Concepts Guide Overview (page 1-1)
Telnet session from a computer on the VPN's trusted network.
Related Information: HP VPN Concepts Guide Overview (page 1-1), TCP/IP Basics Overview (page 1-6)
Each component of the subnet mask (either 255 or 0 in the example) is called an octet. A class C subnet mask (255.255.255.0) leaves 254 usable host addresses with which the device can directly communicate.
Page 15
Subnet (Binary Value)   Number of Subnets   Addresses in Each Subnet
255 (1111-1111)
254 (1111-1110)
252 (1111-1100)
248 (1111-1000)
240 (1111-0000)
224 (1110-0000)
Most desktop computers do not have static routes added to them and therefore rely on the default gateway being set to be able to communicate outside their local subnet. This
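The arithmetic behind the subnet table and the 254-address figure above, as an added worked example (not code from the HP guide): it expands each last-octet mask value from the table into the number of subnets a class C network is split into and the addresses in each, and checks whether two hosts share a subnet, which is what decides whether they talk directly or must hand the packet to the default gateway. The host addresses used in the calls are constructed for illustration.

```python
import ipaddress

# Last-octet mask values from the guide's subnet table.
MASK_OCTETS = [255, 254, 252, 248, 240, 224]


def octet_binary(octet):
    """Render a mask octet the way the table does, e.g. 252 -> '1111-1100'."""
    bits = f"{octet:08b}"
    return f"{bits[:4]}-{bits[4:]}"


def class_c_subnets(octet):
    """Subdivide a class C network with the mask 255.255.255.<octet>.

    Returns (number_of_subnets, addresses_in_each, usable_hosts_in_each).
    Rejects octets whose bits are not contiguous ones followed by zeros.
    """
    if not 0 <= octet <= 255:
        raise ValueError("mask octet must be 0..255")
    ones = f"{octet:08b}".rstrip("0")
    if "0" in ones:
        raise ValueError(f"{octet} is not a valid subnet mask octet")
    borrowed = len(ones)                 # host bits borrowed for subnetting
    subnets = 2 ** borrowed
    addresses = 2 ** (8 - borrowed)
    # Network and broadcast addresses are reserved, except on /31 point-to-point
    # links and /32 host routes, where every address is usable.
    usable = addresses - 2 if addresses > 2 else addresses
    return subnets, addresses, usable


def subnet_table():
    """The guide's table with its two count columns computed."""
    rows = []
    for octet in MASK_OCTETS:
        subnets, addresses, usable = class_c_subnets(octet)
        rows.append((octet, octet_binary(octet), subnets, addresses, usable))
    return rows


def directly_reachable(mask):
    """Addresses a device can reach without a gateway under `mask`
    (the guide's 254 for a class C mask of 255.255.255.0)."""
    network = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return max(network.num_addresses - 2, 0)


def same_subnet(host_a, host_b, mask):
    """True when host_a can talk to host_b directly; False when the packet
    must go to the default gateway (most desktops have no other routes)."""
    network = ipaddress.IPv4Network(f"{host_a}/{mask}", strict=False)
    return ipaddress.IPv4Address(host_b) in network


if __name__ == "__main__":
    for row in subnet_table():
        print("%3d (%s)  subnets=%3d  addresses=%3d  usable=%3d" % row)
    # constructed hosts: same /24, so no gateway is needed between them
    print(same_subnet("10.1.1.5", "10.1.1.200", "255.255.255.0"))
```

The table rows give the totals per subnet and the usable count separately; the guide's 254 is the usable count for a whole class C, and `directly_reachable` reproduces it.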
Page 17
Note that a Web server can be configured to listen on another port, but most follow the standard. Packets with the source and destination application ports set to 2233 are encrypted with an HP VPN device.
Page 18
HP VPN Concepts Guide Overview
Related Information: HP VPN Concepts Guide Overview (page 1-1), Operational Overview (page 1-5), The Template Concept
Page 19
Key Space and Brute Force Attacks ......... 2-13
Page 20
Decryption is the opposite of encryption, a mathematical operation that transforms cipher text to clear text. Decryption usually requires a key and can be expressed as the formula: Clear Text = g(Cipher Text, Kd)
Page 22
"undoes" the steps performed by the algorithm f, and Kd represents a key. Related Related Related Related Symmetric Cryptographic Systems (page 2-3) Information Information Information Information Asymmetric Cryptographic Systems (page 2-9) Symmetric Vs. Asymmetric Cryptography (page 2-10) Hewlett-Packard Company Virtual Private Networking Concepts Guide...
Related Related Related Related Data Encryption Standard (DES) (page 2-4) Information Information Information Information Triple Pass DES (page 2-5) 3DES (page 2-7) Hewlett-Packard Company Virtual Private Networking Concepts Guide...
They estimate that a 90-bit key protects data for about 20 years in the face of expected advances in computing power. Related Related Related Related Triple Pass DES (page 2-5) Information Information Information Information 3DES (page 2-7) Outer Cipher Block Chaining (CBC) (page 2-8) Hewlett-Packard Company Virtual Private Networking Concepts Guide...
AT = shift-left(DW, K1 = 3)
The steps for both the triple pass DES technique and the 3DES technique are illustrated with the simple symmetric cryptographic system in the following table.
Page 26
K2 = 5, K3 = 4 (Key Space = 3*26 = 78)
Related Information: 3DES (page 2-7), Data Encryption Standard (DES) (page 2-4), Outer Cipher Block Chaining (CBC) (page 2-8)
K1 = 3, K2 = 5, K3 = 4 (Key Space = 3*26 = 78)
Related Information: Data Encryption Standard (DES) (page 2-4), Outer Cipher Block Chaining (CBC) (page 2-8)
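The triple pass and 3DES steps worked through in code with the guide's toy cipher, as an added example (not the HP guide's own code): shift_left is the cipher above (AT = shift-left(DW, 3)), triple_pass chains three encryptions with K1 = 3, K2 = 5, K3 = 4, and ede applies the encrypt-decrypt-encrypt order that 3DES uses. effective_key_space counts the distinct ciphertexts that all 26^3 key triples can produce; for a shift cipher it is only 26, because consecutive shifts add up to one shift, so neither the table's 3*26 nor a naive 26^3 is the work an attacker actually faces. That collapse is exactly what DES, which is not a group, avoids, and it is why triple DES strengthens DES while triple shifting strengthens nothing.

```python
import string
from itertools import product

ALPHABET = string.ascii_uppercase


def shift_left(text, key):
    """The guide's toy cipher: move each letter `key` places toward 'A',
    wrapping around, so shift_left("DW", 3) == "AT"."""
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in text)


def shift_right(text, key):
    """Decryption for shift_left: move each letter `key` places toward 'Z'."""
    return shift_left(text, -key)


def triple_pass(text, k1, k2, k3):
    """Triple pass: encrypt, encrypt, encrypt with three independent keys."""
    return shift_left(shift_left(shift_left(text, k1), k2), k3)


def triple_pass_decrypt(text, k1, k2, k3):
    return shift_right(shift_right(shift_right(text, k3), k2), k1)


def ede(text, k1, k2, k3):
    """3DES key schedule: encrypt with K1, decrypt with K2, encrypt with K3."""
    return shift_left(shift_right(shift_left(text, k1), k2), k3)


def ede_decrypt(text, k1, k2, k3):
    return shift_right(shift_left(shift_right(text, k3), k2), k1)


def brute_force_single_key(plaintext, ciphertext):
    """Try all 26 single keys and return those mapping plaintext to ciphertext.
    If a triple-pass ciphertext is found here, the three passes bought nothing."""
    return [k for k in range(26) if shift_left(plaintext, k) == ciphertext]


def naive_key_space(passes=3, keys_per_pass=26):
    """What an attacker would face if the passes could not be collapsed."""
    return keys_per_pass ** passes


def effective_key_space(plaintext, mode=triple_pass):
    """Number of distinct ciphertexts reachable from `plaintext` over every
    key triple.  For a shift cipher the shifts add, so the answer is 26."""
    seen = {mode(plaintext, *keys) for keys in product(range(26), repeat=3)}
    return len(seen)


if __name__ == "__main__":
    print(shift_left("DW", 3))                       # AT, as in the guide
    print(triple_pass("DW", 3, 5, 4), ede("DW", 3, 5, 4))
    print(brute_force_single_key("DW", triple_pass("DW", 3, 5, 4)))
    print(naive_key_space(), effective_key_space("DW"))
```

Note that ede with K1 = K3 = K2 would return the plaintext unchanged; the same holds for 3DES, which is what makes EDE backward compatible with single DES when all three keys are equal.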
This is important since most file structures and application protocols use identical header information.
Related Information: Data Encryption Standard (DES) (page 2-4), Triple Pass DES (page 2-5), 3DES (page 2-7)
Related Information: Symmetric Cryptographic Systems (page 2-3), Symmetric Vs. Asymmetric Cryptography (page 2-10), Key Space and Brute Force Attacks (page 2-13)
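The chaining property the sentence above refers to, as an added example that is not from the HP guide: a toy 8-byte Feistel block cipher (built from SHA-256 round functions, standing in for DES and not secure) is run in ECB mode and in CBC mode over three constructed packets that share an identical 8-byte header. In ECB the repeated headers produce repeated ciphertext blocks that an eavesdropper can see; with CBC each block is XORed with the previous ciphertext block (the IV for the first) before encryption, so the repeats disappear. The key, IV and packet contents are constructed for the example.

```python
import hashlib

BLOCK = 8   # bytes; a DES-sized block


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, subkey):
    """Toy Feistel round function: 4 bytes of SHA-256(subkey || half)."""
    return hashlib.sha256(subkey + half).digest()[:4]


def _subkeys(key, rounds=8):
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def block_encrypt(block, key):
    """Toy 8-byte Feistel cipher (illustration only, not secure)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _round(right, sk))
    return left + right


def block_decrypt(block, key):
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in reversed(_subkeys(key)):
        left, right = _xor(right, _round(left, sk)), left
    return left + right


def _blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    """Electronic codebook: every block encrypted independently."""
    return b"".join(block_encrypt(b, key) for b in _blocks(data))


def cbc_encrypt(data, key, iv):
    """Cipher Block Chaining: XOR each block with the previous ciphertext
    block (the IV for the first) before encrypting it."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(c, key), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Ciphertext blocks that duplicate an earlier one: an eavesdropper's
    signal that the corresponding plaintext blocks were identical too."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample: three packets that start with the same 8-byte header,
# as application protocols do, followed by bodies that differ.
HEADER = b"HTTP/1.0"
SAMPLE = HEADER + b"GET /a.h" + HEADER + b"GET /b.h" + HEADER + b"GET /c.h"
KEY = b"constructed-key"
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def ecb_vs_cbc():
    """How many repeated ciphertext blocks each mode leaks for SAMPLE."""
    return {"ecb_repeats": repeated_blocks(ecb_encrypt(SAMPLE, KEY)),
            "cbc_repeats": repeated_blocks(cbc_encrypt(SAMPLE, KEY, IV))}


if __name__ == "__main__":
    print(ecb_vs_cbc())
```

In ECB the three header blocks encrypt to the same ciphertext, so the interceptor learns where each packet's header is and that the headers are equal; under CBC the chaining input differs for every block, so the same header never encrypts the same way twice within a session. The IV must itself differ per message for the same property to hold across messages.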
Symmetric: DES, Triple Pass DES, 3DES, RC4. Asymmetric: RSA, PGP.
Related Information: Asymmetric Cryptographic Systems (page 2-9), Symmetric Cryptographic Systems (page 2-3), Key Space and Brute Force Attacks (page 2-13)
The effort required to break keys with lengths of 512, 1024, or 2048 bits makes this attack impractical. (Since this guide was written, 512-bit RSA and Diffie-Hellman keys have been broken in practice; 2048 bits is the current minimum.) The vulnerability of this type of key exchange protocol is the public key exchange itself: unless each side can verify whose public key it received, an attacker in the path can substitute a key of their own and read the traffic.
Page 32
Related Information: Triple Pass DES (page 2-5), 3DES (page 2-7), Packet Keys (page 3-8)
The larger the key space, the more difficult the encryption is to break by brute force.
Related Information: Symmetric Cryptographic Systems (page 2-3), Asymmetric Cryptographic Systems (page 2-9)
Page 34
Cryptographic Systems and Encryption Terminology
Related Information: Symmetric Vs. Asymmetric Cryptography (page 2-10)
The original packet is said to be encapsulated.
Related Information: Secure Profiles (page 3-2), ESP Encapsulation (page 3-4), SST Encapsulation (page 3-6)
VPN device before declaring the session terminated and attempting to renegotiate the tunnel. If you specify a timeout on one end of a tunnel, you must specify a keepalive on the other end of the tunnel; otherwise the timing-out end sees only silence during idle periods and tears down a tunnel the other end still considers up.
Page 39
ESP authentication to none, and selecting a value for the Authentication Header (AH). Transport mode encrypts only the payload.
Related Information: SST Encapsulation (page 3-6), ESP Encapsulation (page 3-4), Encapsulation Overview (page 3-1)
0 and 64 bytes. This value specifies the length of the key used when hashing the packet to produce the authentication header. The longer the key, the more secure the authentication, but the more time-consuming it is to enter manually.
Page 41
ESP Encapsulation
Related Information: SST Encapsulation (page 3-6), Packet Handling (page 3-7), Packet Keys (page 3-8)
Related Information: ESP Encapsulation (page 3-4), Packet Handling (page 3-7), Packet Keys (page 3-8)
Figure: Simplified Packet (fields shown: Prot, Port, Port, Payload Data)
Related Information: Packet Keys (page 3-8), Encapsulation Overview (page 3-1)
Therefore, the nature of the packet is hidden from anyone intercepting the packet. The protocol has been modified and set to UDP. The original packet, if it was an http (www) packet, has its protocol set to
Page 45
The interval at which session keys are changed is called the crypto period.
Related Information: Packet Handling (page 3-7), The Template Concept
Page 46
Encapsulation and Packet Handling
Entrust by means of the Entrust Certificate Authority
Related Information: Challenge Phrase Authentication (page 4-2), SecurID Authentication (page 4-3), RADIUS Authentication (page 4-4), Entrust Authentication (page 4-5)
Related Information: SecurID Authentication (page 4-4), RADIUS Authentication (page 4-5), Challenge Phrase Authentication (page 4-3), Entrust Authentication (page 4-6)
Related Information: SecurID Authentication (page 4-4), RADIUS Authentication (page 4-5), Entrust Authentication (page 4-6)
SecurID access code. For further information on using SecurID, consult Security Dynamics' SecurID documentation.
Related Information: RADIUS Authentication (page 4-5), Challenge Phrase Authentication (page 4-3), Entrust Authentication (page 4-6)
It is not necessary to have a RADIUS Accounting Server to use the RADIUS method of authentication.
Related Information: Challenge Phrase Authentication (page 4-3), SecurID Authentication (page 4-4), Entrust Authentication (page 4-6)
Certificate Authority, and updates its own revocation list by means of the Certificate Authority.
Related Information: SecurID Authentication (page 4-4), RADIUS Authentication (page 4-5), The Template Concept
Related Information: Firewall Functions (page 5-2), Tunnel Types (page 5-8), Tunnel Modes (page 5-20), Tunnel Termination and Firewall Rules (page 5-31)
This is called stateless filtering, since the VPN device does not remember that a packet passed through a filter rule. Because nothing is remembered, the reply packets of a permitted connection must themselves match a rule in the opposite direction, or they are dropped. If a packet is considered invalid, it is simply not allowed entry to the red (trusted) network.
Page 59
To application port: Web servers usually listen on this port.
Action: Stateful.
Direction: Inbound. The group comes from the black (untrusted) and crosses to the red (trusted).
Protocol: TCP. HTTP is transported by means of TCP, not UDP.
Page 60
VPN device. Only if the packet is permitted by the firewall rule is it then routed to the destination computer according to the IP addressing information it carries.
Page 61
Figure: A Firewalled LAN
Related Information: One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22), Tunnel Types (page 5-8)
Table columns: Parameter, Parameter Value, Comments, Description
Page 63
TCP, not UDP.
Action: permit. You allow access.
Related Information: Firewall and Tunnels Overview (page 5-1), Tunnel Types (page 5-8), Tunnel Termination and Firewall Rules (page 5-31)
VPN devices is encrypted, it is as if the data is traveling in a tunnel.
Related Information: Site-to-Site Tunnels (page 5-9), Single-User Tunnels (page 5-12), Multiuser Tunnels (page 5-16)
The mode of the tunnel specifies where the tunnel terminates. Finally, the IP route specifies which packets should enter the tunnel. The following example illustrates a secure tunnel, which secures all communication between two networks.
Page 66
IP route (one column for each VPN device):
192.168.10.0      10.1.1.0
255.255.255.0     255.255.255.0
198.53.144.120    205.250.128.240
Note that the tunnel has to be defined on both VPN devices. Therefore, when you specify the opposing VPN device on device
Page 67
VPN device. Finally, the route statements tell the VPN devices which packets should enter the tunnel.
Related Information: Single-User Tunnels (page 5-12), Multiuser Tunnels (page 5-16), Tunnel Types (page 5-8)
The following table describes a tunnel that allows a remote user (called chris) full access to the red (trusted) network available through VPN device A, while not allowing access to the network available through VPN device B.
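The site-to-site route table above together with the encapsulation described in chapter 3 (the original packet carried, encrypted, as the payload of a UDP packet on port 2233 between the two VPN devices), as an added example that is not the HP guide's code. Because the page does not label the route-table columns, it assumes that device A fronts 10.1.1.0/24 with black-side address 205.250.128.240 and device B fronts 192.168.10.0/24 with black-side address 198.53.144.120, so device A's IP route sends 192.168.10.0/24 traffic into the tunnel toward B and everything else takes the normal route. The session cipher is a toy SHA-256 keystream standing in for the real one; the packets and key are constructed.

```python
import hashlib
import ipaddress
import json

TUNNEL_PORT = 2233   # UDP port the guide gives for HP VPN tunnel traffic

# Assumed layout (the page does not label its route-table columns).
DEVICE_A_BLACK = "205.250.128.240"   # device A, fronting 10.1.1.0/24
DEVICE_B_BLACK = "198.53.144.120"    # device B, fronting 192.168.10.0/24

# IP routes on device A: (network, subnet mask, opposing VPN device).
ROUTES_A = [("192.168.10.0", "255.255.255.0", DEVICE_B_BLACK)]


def make_packet(src, dst, prot, sport, dport, payload):
    """The guide's simplified packet: Src, Dst, Prot, Port, Port, Payload Data."""
    return {"src": src, "dst": dst, "prot": prot,
            "sport": sport, "dport": dport, "payload": payload}


def select_tunnel(dst_ip, routes):
    """Opposing VPN device for dst_ip, or None if no IP route sends the
    packet into a tunnel.  The most specific (longest) mask wins."""
    best = None
    for net, mask, device in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst_ip) in network:
            if best is None or network.prefixlen > best[0]:
                best = (network.prefixlen, device)
    return None if best is None else best[1]


def _keystream(key, length):
    """Toy keystream (SHA-256 in counter mode) standing in for the session
    cipher; for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _crypt(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encapsulate(inner, local_black, remote_black, key):
    """Encrypt the entire original packet, headers included, and carry it
    as the payload of a new UDP packet between the two VPN devices."""
    plain = json.dumps(inner, sort_keys=True).encode()
    return make_packet(local_black, remote_black, "UDP",
                       TUNNEL_PORT, TUNNEL_PORT, _crypt(plain, key))


def decapsulate(outer, key):
    if outer["prot"] != "UDP" or outer["dport"] != TUNNEL_PORT:
        raise ValueError("not a tunnel packet")
    return json.loads(_crypt(outer["payload"], key).decode())


def interceptor_view(outer):
    """All that someone sniffing the black network can read: UDP 2233
    between two VPN devices, and nothing about the original packet."""
    return {k: outer[k] for k in ("src", "dst", "prot", "sport", "dport")}


def send_from_a(inner, key):
    """Device A's decision for a packet arriving from its red network."""
    device = select_tunnel(inner["dst"], ROUTES_A)
    if device is None:
        return inner                      # not for the tunnel: routed as-is
    return encapsulate(inner, DEVICE_A_BLACK, device, key)


if __name__ == "__main__":
    key = b"constructed-session-key"
    http = make_packet("10.1.1.5", "192.168.10.7", "TCP", 40000, 80, "GET / HTTP/1.0")
    outer = send_from_a(http, key)
    print(interceptor_view(outer))
    print(decapsulate(outer, key) == http)
```

The interceptor sees the two device addresses and port 2233 on both sides; the original source, destination, protocol and ports are inside the encrypted payload, which is the point the encapsulation section makes. The device at the far end must hold the same route in the opposite direction, as the guide notes, or its replies never enter the tunnel.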
Page 69
For example, to allow a remote user (called leslie) access to the Web server available through VPN device A while not allowing access to the rest of that network or to the network available
Page 70
From IP address: 10.1.1.193. User leslie is being assigned Client IP 10.1.1.193.
From subnet mask: 255.255.255.255.
From application port: the application port used to make the HTTP (www) request is usually unknown.
Page 71
(trusted) network.
Protocol: TCP. HTTP is transported by means of TCP, not UDP.
Related Information: Site-to-Site Tunnels (page 5-9), Multiuser Tunnels (page 5-16), Tunnel Types (page 5-8)
Note: If the authentication method specified in the secure profile associated with a multiuser tunnel is a challenge phrase, the same challenge phrase must be given out to each member of the group. This is not recommended: a secret shared by the whole group identifies no individual member, and one member disclosing it compromises everyone's access.
Page 73
Parameters        VPN Device A    VPN Device B
Group name        sales           No access
Page 74
To IP address: the Web server's IP address.
To subnet mask: 255.255.255.255. Access the Web server only.
Page 75
(trusted) network.
Protocol: TCP. HTTP is transported by means of TCP, not UDP.
Related Information: Site-to-Site Tunnels (page 5-9), Single-User Tunnels (page 5-12), Tunnel Types (page 5-8)
In this case, one network trusts the other while the trust is not reciprocated.
Page 77
Figure: Firewalled LANs With Encrypted Tunnels
Related Information: Tunnel Types (page 5-8), Tunnel Termination and Firewall Rules (page 5-31)
To subnet mask: 255.255.255.255. The mail must arrive at this IP address only.
To application port: the SMTP mail server listens on this port.
Page 79
Protocol: TCP. SMTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), Outbound Proxy (page 5-26), One-Way Out Firewall Rules (page 5-24)
From application port: the application port used to make the HTTP (www) request is usually unknown.
To IP address: 0.0.0.0. This address allows you to go to any Web site on the Internet.
Page 81
Protocol: TCP. HTTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), Outbound Proxy (page 5-26), One-Way In Firewall Rules (page 5-22)
From application port: the application port used to make the HTTP (www) request is usually unknown.
To IP address: 0.0.0.0. This address allows you to go to any Web site on the Internet.
Page 83
Protocol: TCP. HTTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22)
Inbound and Outbound Proxies
If you want to allow SMTP mail from people on the Internet to be sent into a mail server, define an inbound proxy as described in the following table.
Page 85
To application port: the SMTP mail server listens on this port.
Protocol: TCP. SMTP is transported by means of TCP, not UDP.
Related Information: Outbound Proxy (page 5-26),
Page 86
Firewalls and Tunnels
One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22)
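The one-way in, one-way out and inbound-proxy rules of this chapter evaluated by a small stateless filter, as an added example that is not the HP guide's code: each rule carries the page's fields (direction, protocol, from/to address and subnet mask, from/to application port, with 0.0.0.0 meaning any address and an unset from-port meaning the application port is unknown). It also models the difference between the page's "permit" and "Stateful" actions: a stateless permit lets a packet through but remembers nothing, so the reply to a permitted outbound HTTP request is dropped unless some inbound rule happens to match it, whereas a stateful rule records the flow and admits its reply. The server addresses 10.1.1.80 and 10.1.1.25 and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0"   # the guide's "any address" value (with subnet mask 0.0.0.0)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    prot: str
    sport: int
    dport: int
    direction: str   # "inbound": black (untrusted) to red (trusted); "outbound": the reverse


@dataclass
class Rule:
    name: str
    direction: str
    prot: str
    from_ip: str = ANY
    from_mask: str = "0.0.0.0"
    from_port: Optional[int] = None    # None: application port "usually unknown"
    to_ip: str = ANY
    to_mask: str = "0.0.0.0"
    to_port: Optional[int] = None
    action: str = "permit"             # "permit" (stateless) or "stateful"

    @staticmethod
    def _in(addr, net, mask):
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(addr) in network

    def matches(self, p):
        return (p.direction == self.direction and p.prot == self.prot
                and self._in(p.src, self.from_ip, self.from_mask)
                and self._in(p.dst, self.to_ip, self.to_mask)
                and (self.from_port is None or p.sport == self.from_port)
                and (self.to_port is None or p.dport == self.to_port))


class Firewall:
    """Rules are checked top to bottom; the first match decides, and a packet
    matching nothing is dropped.  A stateless 'permit' remembers nothing.
    A 'stateful' match records the flow so its reply, travelling the other
    way, is admitted without needing a rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.prot, p.sport, p.dport, p.direction)

    @staticmethod
    def _reply_key(p):
        back = "outbound" if p.direction == "inbound" else "inbound"
        return (p.dst, p.src, p.prot, p.dport, p.sport, back)

    def check(self, p):
        """Returns ("permit", reason) or ("deny", None)."""
        if self._key(p) in self.flows:
            return ("permit", "stateful reply")
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "stateful":
                    self.flows.add(self._reply_key(p))
                return ("permit", rule.name)
        return ("deny", None)


# Constructed red-side servers; the page gives no addresses for them.
WEB_SERVER = "10.1.1.80"
MAIL_SERVER = "10.1.1.25"
HOST = "255.255.255.255"   # the guide's single-host subnet mask

RULES = [
    Rule("one-way in: HTTP to the Web server", "inbound", "TCP",
         to_ip=WEB_SERVER, to_mask=HOST, to_port=80, action="stateful"),
    Rule("inbound proxy: SMTP to the mail server", "inbound", "TCP",
         to_ip=MAIL_SERVER, to_mask=HOST, to_port=25, action="stateful"),
    Rule("one-way out: HTTP to any Web site", "outbound", "TCP",
         from_ip="10.1.1.0", from_mask="255.255.255.0",
         to_ip=ANY, to_mask="0.0.0.0", to_port=80, action="permit"),
]


if __name__ == "__main__":
    fw = Firewall(RULES)
    # Constructed traffic: a visitor's HTTP request and its reply, then an
    # outbound browse from the red network and that browse's reply.
    for p in [Packet("203.0.113.9", WEB_SERVER, "TCP", 51000, 80, "inbound"),
              Packet(WEB_SERVER, "203.0.113.9", "TCP", 80, 51000, "outbound"),
              Packet("10.1.1.5", "198.51.100.7", "TCP", 40000, 80, "outbound"),
              Packet("198.51.100.7", "10.1.1.5", "TCP", 80, 40000, "inbound")]:
        print(p.direction, p.src, "->", p.dst, p.dport, fw.check(p))
```

The last packet is the one to watch: the outbound rule permitted the request, but because that rule is stateless the Web site's reply arrives with no matching inbound rule and is dropped. Making the outbound rule stateful, or adding an inbound rule for replies, is what the "Stateful" action in the chapter's tables is for; the inbound proxy for SMTP is shown stateful for the same reason, so the mail server's responses get back out.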
VPN device. Because the tunnel bypasses the firewall, the destination addresses of the traffic are examined only for the purpose of routing the packets to their destination.
Page 88
Figure: Tunnel Terminates in the Black (Untrusted) Network
Page 89
Figure (caption fragment): ... (Untrusted) Network, Destined for the Black (Untrusted) Network
Page 90
Network, Destined for the Black (Untrusted) Network
Related Information: Tunnel Modes (page 5-20), One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22), The Template Concept
Secure profile (must be previously defined): dialup | dialup
Tunnel mode
IP route: Not required | Not required
Related Information: Redundancy (page 6-2), Tunnel Modes (page 5-20), Tunnel Types (page 5-8)
VPN device to send its replies to. In other words, a different set of Client IPs is used on each gateway. An example of redundancy is shown in the following figure.
Figure: Enterprise Redundancy
Page 95
Tunnel mode
IP route: Not required | Not required
Related Information: Load Balancing (page 6-1), Tunnel Modes (page 5-20), Tunnel Types (page 5-8), The Template Concept
Page 96
Load Balancing and Redundancy
Page 97
Index
Numerics
  3DES
A
  algorithms (See also encapsulation; See also secure profiles)
  authentication headers: AH key length
E
  Encapsulating Security Payload (ESP): AH key length; iv length
Page 98
  key pairs 2-10
  key spaces 2-13
L
  limited access: multiuser tunnels 5-17; single-user tunnels 5-13
R
  redundancy
  routing tables
S
  secure profiles: algorithms; encapsulation
Page 99
  limited access with multiuser 5-17
  limited access with single-user 5-13
  modes 5-20
  multiuser 5-16 to 5-19
  single-user 5-12 to 5-15
  site-to-site
  trusted 5-20
  untrusted 5-20
U