EncrypTight acts as a transparent overlay that integrates easily into any existing network
architecture, providing encryption rules and keys to EncrypTight Enforcement Points.
EncrypTight consists of a suite of tools that perform various tasks of appliance and policy
management, including Policy Manager (PM), Key Management System (KMS), and EncrypTight
Enforcement Points (ETEPs).
Models: ET0010A, ET0100A, ET1000A
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com
The EncrypTight User Guide provides detailed information on how to install, configure, and troubleshoot
EncrypTight components: ETEMS, Policy Manager (ETPM), and Key Management System (ETKMS). It
also contains information about configuring EncrypTight Enforcement Points (ETEPs) using ETEMS.
Intended Audience
This document is intended for network managers and security administrators who are familiar with setting
up and maintaining network equipment. Some knowledge of network security issues and encryption
technologies is assumed.
Assumptions
This document assumes that its readers have an understanding of the following:
● EncrypTight encryption appliance features, installation and operation
● Basic principles of network security issues
● Basic principles of encryption technologies and terminology
● Basic principles of TCP/IP networking, including IP addressing, switching and routing
● Personal computer (PC) operation, common PC terminology, use of terminal emulation software and
FTP operations
● Basic knowledge of the Linux operating system
Conventions used in this document
Bold: Indicates one of the following:
• a menu item or button
• the name of a command or parameter
Italics: Indicates a new term
Monospaced: Indicates machine text, such as terminal output and filenames
Monospaced bold: Indicates a command to be issued by the user
Contacting Black Box Technical Support
Contact our FREE technical support, 24 hours a day, 7 days a week:
Phone: 724-746-5500
Fax: 724-746-0746
E-mail: info@blackbox.com
Web site: www.blackbox.com
Part I EncrypTight Installation and Maintenance
1 EncrypTight Overview
EncrypTight™ Policy and Key Manager is an innovative approach to network-wide encryption.
EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture,
providing encryption rules and keys to EncrypTight encryption appliances.
EncrypTight consists of a suite of tools that perform various tasks of appliance and policy management:
● EncrypTight Element Management System (ETEMS) is the network management component of the
EncrypTight software. Use ETEMS to configure and manage your encryption appliances.
● EncrypTight Policy Manager (ETPM) is the policy generation and management tool. Use ETPM to
create policies for hub and spoke, mesh, point-to-point, and multicast networks that require common
keys to secure traffic between multiple nodes.
● EncrypTight Key Management System (ETKMS) is the key generation and distribution tool that is
used with ETPM-generated policies. ETKMS can be run on a local machine for small deployments or
on a dedicated server for larger scale networks.
● EncrypTight Enforcement Points (ETEPs) are the encryption appliances that enforce the security
policies. EncrypTight appliances are also referred to as PEPs.
The type of policies that you create, and the tools that you use to create them, are dependent on your
network topology. EncrypTight supports two types of policies for the following topologies:
● Distributed key policies are appropriate for securing a variety of networks, including mesh, hub and
spoke, point-to-point (Layer 3/4 only), and multicast networks.
● Negotiated policies are appropriate in Layer 2 point-to-point networks where keys are negotiated with
a peer rather than distributed from a central key server.
This section includes the following topics:
● Distributed Key Topologies
● Point-to-Point Negotiated Topology
● Security within EncrypTight
Distributed Key Topologies
EncrypTight centralizes the creation and distribution of encryption keys and policies. It separates the
functions of policy management, key generation and distribution, and policy enforcement. By doing so,
multiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes
the function of renewing keys at pre-determined intervals.
In this system, you use ETEMS to configure the PEPs, Policy Manager (ETPM) to create and manage
policies, and Key Management System (ETKMS) to generate keys and distribute keys and policies to the
appropriate PEPs. The PEPs encrypt traffic according to the policies and keys that they receive.
Figure 1 EncrypTight components
Using EncrypTight, you can create distributed key policies for the network topologies shown in Table 1.
Table 1 Network topologies
Layer 3 IP topologies
Hub and Spoke: In a hub and spoke network, a hub network communicates with the spoke networks
and the spoke networks communicate only with the hub network.
Multicast: In multicast transmission, one or more networks send unidirectional streams to a
multicast network address. The multicast routers detect the multicast transmission, determine
which nodes have joined the multicast network as destination networks, and duplicate the packet
as needed to reach all multicast destination networks.
Point-to-point: In a point-to-point network, one network sends and receives data to and from one
other network.
Mesh: In a mesh network, any network can send or receive data from any other network.
Layer 2 Ethernet topologies
Mesh: For Ethernet, you can create policies for mesh networks. Note that if the network uses
VLAN ID tags, you can also create policies for virtual point-to-point connections.
Regardless of topology, PEPs are typically located at the point in the network where traffic is being sent
to an untrusted network or coming from an untrusted network. As an example, Figure 2 shows a hub and
spoke network secured with EncrypTight.
Figure 2 PEPs in a Hub and Spoke network
PEP A encrypts data traffic from Network A that goes to Networks B or C. PEP A also decrypts data that
originates from Networks B and C. PEP B encrypts data from Network B that goes to Network A and
decrypts data that comes from Network A. PEP C encrypts data from Network C that goes to Network A
and decrypts data that comes from Network A.
Related topics:
● “EncrypTight Element Management System” on page 20
● “Policy Manager” on page 20
● “Key Management System” on page 20
● “Policy Enforcement Point” on page 21
EncrypTight Elements
EncrypTight consists of a suite of tools that perform various tasks of appliance and policy management:
● EncrypTight Element Management System is the element management component of the EncrypTight
software
● Policy Manager is the policy generation and management tool
● Key Management System is the key generation and distribution tool
● Policy Enforcement Points are the encryption appliances that enforce the security policies
The number of ETEPs that you can manage and the speed at which they run is controlled by licenses.
You must enter a license for EncrypTight before you can install licenses on the ETEPs.
EncrypTight Element Management System
The EncrypTight Element Management System (ETEMS) is the device management component of the
EncrypTight software, allowing you to provision and manage multiple encryption appliances from a
central location. It provides capabilities for appliance configuration, software updates, and maintenance
and troubleshooting for your EncrypTight encryption appliances.
Policy Manager
The Policy Manager (ETPM) is the policy component of the EncrypTight software. You use ETPM to
create and manage policies, and monitor the status of the PEPs and ETKMSs.
Each deployment of EncrypTight uses a single ETPM. The ETPM sends metapolicies to one or more
ETKMSs. A metapolicy is a file that describes the policies created in ETPM and for each policy it
specifies:
● The PEPs each ETKMS controls
● The networks each PEP protects
● The action that is performed (encrypt, send in the clear, or drop)
● The kind of traffic the policy affects
Key Management System
Distribution functions are provided by the EncrypTight Key Management System (ETKMS). All
ETKMSs receive policies from a single ETPM. Based on the metapolicies received from the ETPM, the
ETKMS generates keys for each of the PEPs within its network. The ETKMS distributes the keys and
policies associated with its networks to the appropriate PEPs.
Depending on the size and configuration of your network, you can use a single ETKMS or multiple
ETKMSs distributed throughout the network. When multiple ETKMSs are used, each ETKMS controls
different sets of PEPs. All ETKMSs include the policy information and keys for the entire network. When
policies are deployed or keys are renewed, each PEP receives its information from its designated
ETKMS.
The EncrypTight system supports two types of ETKMSs: external ETKMSs and local ETKMSs.
● External ETKMSs are dedicated computers running the ETKMS software. By running on a dedicated
computer, external ETKMSs inherently provide more security and reliability, and can be used to help
protect significantly larger networks. Each ETKMS can support several hundred PEPs.
● Local ETKMSs run as a separate process on the same management workstation as the EncrypTight
software. Local ETKMSs are intended for use with small to medium networks with no more than 10
PEPs. A local ETKMS is included with the EncrypTight software.
Figure 3 shows a single ETKMS distributing the keys for PEPs A, B, C, and D.
Figure 3 Single ETKMS for multiple sites
Figure 4 illustrates an EncrypTight deployment using multiple ETKMSs. With large, complex networks
that have hundreds of PEPs, you might want to use multiple ETKMSs. Each ETKMS distributes keys for
the PEPs it controls. For example: ETKMS 1 distributes the policies and keys to PEPs A, B, and C.
ETKMS 2 distributes the policies and keys to PEPs D and E. ETKMS 3 distributes the policies and keys
to PEPs F and G.
Figure 4 Multiple ETKMSs in a network
Policy Enforcement Point
EncrypTight enforcement points (ETEPs) are encryption appliances that provide policy enforcement
functions, and are referred to generically as PEPs (policy enforcement points). According to the policies
distributed by the ETKMSs, the PEPs can encrypt and decrypt traffic, send traffic in the clear, or drop
traffic. Each PEP can be used in multiple policies simultaneously.
To securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One
PEP uses the shared key to encrypt the data for transmission over the untrusted network, while the second
PEP uses the same shared key to decrypt the data. Figure 5 illustrates the shared key concepts between
two PEPs.
Figure 5 Shared keys
In this example, traffic moves between two trusted networks: Network A and Network B. PEP A and
PEP B work in unison to ensure data security as the traffic passes through an unsecured network. PEP A
uses Shared Key 2 to encrypt all outbound traffic intended for Network B. PEP B uses the same shared
key to decrypt all traffic inbound from Network A. Traffic flowing in the opposite direction is secured in
the same manner using Shared Key 1.
EncrypTight Policy Enforcement Points (PEPs) can be configured for Layer 2 or Layer 3/4 operation.
Models include:
● ET0010A
● ET0100A
● ET1000A
Point-to-Point Negotiated Topology
You can protect simple, point-to-point Ethernet links using ETEMS. Two PEPs can be configured with
ETEMS to protect a Layer 2 Ethernet link, without any need for ETPM or ETKMS. The policies and key
are negotiated directly by the two PEPs, without requiring a centralized key generation and distribution
tool.
This option provides a simple, quick, and straightforward way to secure a single point-to-point Layer 2
Ethernet link. All you need to secure your traffic is ETEMS and two ETEP encryption appliances.
The ETEP can be managed in-line or out-of-band through a dedicated Ethernet management interface, as
shown in Figure 6.
Figure 6 Layer 2 Point-to-Point Deployment
Use the Policy Manager (ETPM) and Key Management System (ETKMS) to create a Layer 3 point-to-point
distributed key policy as one of several policies in a larger, more complex EncrypTight deployment.
The ETEP’s variable speed feature is controlled by the installation of a license. Note that you cannot
install a license on the ETEP until you first enter a license for EncrypTight. For more information about
licensing, see “Managing Licenses” on page 56.
Related topics:
● “Distributed Key Topologies” on page 17
● “EncrypTight Element Management System” on page 20
● “Policy Manager” on page 20
● “Key Management System” on page 20
● “Policy Enforcement Point” on page 21
● “Creating Layer 2 Point-to-Point Policies” on page 335
Security within EncrypTight
Because EncrypTight generates keys that provide security throughout a network, it is critical that the
EncrypTight components also be secured.
Security in the EncrypTight system has two general areas:
● “Secure Communications Between Devices” on page 24
● “Secure Key Storage within the ETKMS” on page 24
Secure Communications Between Devices
Each node in the distributed key system (the EncrypTight management station, the ETKMSs, and the
PEPs) communicates policy and status information with the other nodes. Given the distributed nature of
networks, much of this communication occurs across public networks.
EncrypTight uses Transport Layer Security (TLS) to encrypt management traffic between EncrypTight
components. This protocol allows secure communication between the devices in the system while
providing information about the secure stream to EncrypTight. You can enhance that security by
authenticating the management communications between EncrypTight components using certificates. To
learn more about certificates and strict authentication, see “Using Enhanced Security Features” on
page 261.
Secure Key Storage within the ETKMS
Key generation and key storage on the ETKMS are critical to maintaining security in EncrypTight. The
ETKMS uses the following mechanisms to protect the keys:
● Generates keys using known secure algorithms
● Encrypts keys that are distributed and stored locally
● Limits access to keys to authorized administrators
● Prevents external probing to access or modify keys
● Optionally generates and stores keys in a hardware security module
2 EncrypTight Deployment Planning
When deploying EncrypTight, you must plan the following:
● EncrypTight Component Connections
● Network Clock Synchronization
● IPv6 Address Support
● Certificate Support
● Network Addressing for IP Networks
EncrypTight Component Connections
EncrypTight can be managed in-line or out-of-band. When managing in-line, management traffic flows
through the data path. You must enable the Passing TLS traffic in the clear feature on all PEPs for
proper communication among EncrypTight components (ETEMS, ETPM, ETKMS, PEPs). When passing
TLS in the clear is enabled on Layer 2 PEPs, TLS and ARP packets are sent unencrypted.
If your network uses other routing protocols that need to pass in the clear, consider the following:
● At Layer 3, create policies to pass the routing protocols in the clear. The PEPs must also be
configured to pass non-IP traffic in the clear (this is the default setting on the Advanced tab in
ETEMS).
● At Layer 2, consider a separate out-of-band management network, or put the management traffic on a
separate VLAN and create a Layer 2 policy to pass packets with this VLAN tag in the clear.
Customer support can advise you on a solution that works best in your network.
● Use local site policies
Local site policies allow you to create locally configured policies using CLI commands, without
requiring an EncrypTight ETKMS for key distribution. Using the local-site CLI commands you can
create manual key encryption policies, bypass policies, and discard policies at either Layer 2 or Layer
3. Mesh policies can be created by adding policies that share the identical keys and SPIs to multiple
ETEPs.
The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted
networks. These policies supplement existing encryption policies, adding the flexibility to encrypt or
pass in the clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs.
For information on creating and using local site policies, see the CLI User Guide.
This chapter discusses connections between each of the EncrypTight components, providing in-line and
out-of-band examples.
● “Management Station Connections” on page 26
The EncrypTight software includes ETEMS for appliance configuration, ETPM for policy
management, and a local ETKMS. The local ETKMS deploys keys and policies to all of the PEPs that
it manages and checks the PEPs’ status. The management station also uses other services such as
NTP, syslog, and SNMP.
● “ETPM to ETKMS Connections” on page 26
The ETPM passes metapolicies to the ETKMSs and checks the status of the PEPs through the
ETKMSs.
● “External ETKMS to ETKMS Connections” on page 29
When multiple ETKMSs are used in a system, the ETKMSs must be able to share keys. If you set up
an ETKMS to serve as a backup for another ETKMS, the backup ETKMS periodically checks the
status of the primary ETKMS in case of ETKMS failure.
● “ETKMS to PEP Connections” on page 31
Each ETKMS deploys keys and policies to all of the PEPs that it manages and checks the PEPs’
status.
Management Station Connections
Keep the following items in mind when setting up your management connections:
● PEPs can be managed in-line or out-of-band. When managing the PEPs in-line, management traffic
flows through the data path. In distributed key deployments, enable the Pass TLS traffic in the clear
option on the PEPs to ensure proper communication between the PEP and other EncrypTight
components. This is configured on the Features tab of the ETEMS Appliance editor.
● The PEP management ports and management services such as NTP, syslog, and SNMP must be
directly addressable on the same network.
● EncrypTight to PEP connections when using a local ETKMS:
The EncrypTight software includes ETEMS, ETPM and local ETKMS. When you use a local
ETKMS, the ETKMS software runs as a separate process on the same workstation as the ETPM
software. In this scenario, ETPM communicates directly with the ETKMS without using a network
connection.
The communications between the local ETKMS and the PEPs require a connection between an
Ethernet port on the management workstation and the management port on each PEP. For these
connections, follow the same general guidelines as external ETKMSs, outlined in “ETKMS to PEP
Connections” on page 31. The only difference is that the connections originate from the management
workstation and not an external ETKMS.
ETPM to ETKMS Connections
The ETPM sends metapolicies to the ETKMSs and checks the status of the PEPs through the ETKMSs.
The communications between EncrypTight components depend on a connection between the Ethernet
ports on each device. External ETKMSs can be located on the same subnetwork with the ETPM, or the
ETPM and ETKMSs can be located on different subnetworks. If you use a local ETKMS, ETPM
communicates directly with the ETKMS without using a network connection.
This section describes the planning for the following connections:
● “ETPM and ETKMS on the Same Subnetwork” on page 27
● “ETPM and ETKMS on Different Subnetworks” on page 27
ETPM and ETKMS on the Same Subnetwork
When the ETPM is located on the same subnetwork as the external ETKMS, the ETPM communicates
with the ETKMS over the internal protected network using Ethernet connections as shown in Figure 7.
Figure 7 ETPM and ETKMS located in the same subnetwork
ETPM and ETKMS on Different Subnetworks
The ETPM and ETKMS interconnections on different subnetworks depend on the type of policy: Layer
3 IP policy or Layer 2 Ethernet policy.
ETPM and ETKMS in Layer 3 IP Policies
With larger IP networks, the ETPM and the external ETKMSs could be located on different subnetworks,
as shown in Figure 8. When managing the ETPM and ETKMS in-line, the communications path between
the devices must pass through one or more PEPs and potentially one or more firewalls. For in-line
management, in which management traffic can flow through the data path, be sure that the Enable passing TLS traffic in the clear feature is selected on all PEPs. Enable this feature from the ETEMS
Appliance editor. By default, the Layer 3 PEPs are configured to pass all TLS traffic (port 443) in the
clear.
The Enable passing TLS traffic in the clear feature passes all TLS traffic in the clear for all destination
addresses. For added security, disable passing TLS traffic in the clear and create a policy for all TLS
traffic (port 443) between EncrypTight components. For more information on creating policies, see
“Creating Distributed Key Policies” on page 181.
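The contrast drawn above (the blanket clear-TLS feature versus a policy scoped to port 443 between EncrypTight components) and the per-direction shared keys of Figure 5, as an added Python model that is not code from the guide or from Black Box. The addresses, policy names, the Policy and PEP structures, and the ETKMS key table are assumptions made for illustration.

```python
# Added example, not code from the EncrypTight guide or from Black Box: a small
# model of a PEP's policy lookup in a hub-and-spoke deployment. Addresses,
# policy names and the key table are constructed for illustration.
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

ENCRYPT, CLEAR, DROP = "encrypt", "clear", "drop"
TLS_PORT = 443  # Layer 3 PEPs pass this port in the clear by default (per the guide)
HUB, SPOKE_B, SPOKE_C = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
ETKMS_IP, PEP_B_MGMT = "10.1.0.5", "10.2.0.2"  # constructed management addresses

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                    # network the traffic comes from (CIDR)
    dst: str                    # network the traffic goes to (CIDR)
    action: str                 # ENCRYPT, CLEAR or DROP
    port: Optional[int] = None  # None = any port
    lifetime: int = 3600        # 0 = never expires (the guide's value for pass-in-clear)

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))

def etkms_generate_keys(policies):
    """Stand-in for the ETKMS: one fresh key per encrypt policy, so A-to-B and
    B-to-A get distinct keys (Shared Key 1 and Shared Key 2 in Figure 5)."""
    return {p.name: secrets.token_bytes(32) for p in policies if p.action == ENCRYPT}

def policies_for(policies, protected):
    """Only policies that touch a PEP's protected network are deployed to it."""
    net = ipaddress.ip_network(protected)
    return [p for p in policies if ipaddress.ip_network(p.src).subnet_of(net)
            or ipaddress.ip_network(p.dst).subnet_of(net)]

@dataclass
class PEP:
    policies: list
    keys: dict
    pass_tls_in_clear: bool = False  # "Enable passing TLS traffic in the clear" feature

    def classify(self, src_ip, dst_ip, port=None):
        """Return (action, key) for an outbound packet. The clear-TLS feature is
        checked first because it applies to every destination; otherwise the
        first matching policy wins and unmatched traffic is dropped."""
        if self.pass_tls_in_clear and port == TLS_PORT:
            return CLEAR, None
        for p in self.policies:
            if p.matches(src_ip, dst_ip, port):
                return p.action, self.keys.get(p.name)
        return DROP, None

def build_hub_and_spoke():
    # Scoped management policies: TLS only between the ETKMS and PEP B's management
    # port, with lifetime 0 so management traffic never stalls on key renewal.
    mgmt = [Policy("etkms-to-pepB", ETKMS_IP + "/32", PEP_B_MGMT + "/32", CLEAR, TLS_PORT, 0),
            Policy("pepB-to-etkms", PEP_B_MGMT + "/32", ETKMS_IP + "/32", CLEAR, TLS_PORT, 0)]
    data = [Policy("A-to-B", HUB, SPOKE_B, ENCRYPT), Policy("B-to-A", SPOKE_B, HUB, ENCRYPT),
            Policy("A-to-C", HUB, SPOKE_C, ENCRYPT), Policy("C-to-A", SPOKE_C, HUB, ENCRYPT)]
    keys = etkms_generate_keys(data)  # the ETKMS holds every key
    pep_a = PEP(policies_for(mgmt + data, HUB), keys)
    b_pol = policies_for(mgmt + data, SPOKE_B)  # PEP B gets only what touches Network B
    pep_b = PEP(b_pol, {p.name: keys[p.name] for p in b_pol if p.action == ENCRYPT})
    return pep_a, pep_b

def shared_key_check():
    """PEP A's A-to-B key is the one PEP B holds for that policy; B-to-A differs."""
    pep_a, pep_b = build_hub_and_spoke()
    a_out = pep_a.classify("10.1.1.1", "10.2.1.1", 80)[1]
    b_out = pep_b.classify("10.2.1.1", "10.1.1.1", 80)[1]
    return {"a_to_b_key_shared": a_out == pep_b.keys["A-to-B"], "directions_differ": a_out != b_out}

def compare_tls_handling():
    """Same traffic through PEP B with the blanket feature on, then with only the
    scoped port-443 policies (the guide's 'added security' option)."""
    _, pep_b = build_hub_and_spoke()
    internet = "203.0.113.10"  # documentation address standing in for an untrusted host
    results = {}
    for mode, flag in (("feature_on", True), ("scoped_policy", False)):
        pep_b.pass_tls_in_clear = flag
        results[mode] = {
            "mgmt_to_etkms": pep_b.classify(PEP_B_MGMT, ETKMS_IP, TLS_PORT)[0],
            "host_to_hub_443": pep_b.classify("10.2.5.7", "10.1.9.9", TLS_PORT)[0],
            "host_to_internet_443": pep_b.classify("10.2.5.7", internet, TLS_PORT)[0],
            "host_to_spokeC": pep_b.classify("10.2.5.7", "10.3.1.1", 80)[0]}
    return results
```

With the feature on, ordinary port 443 traffic from Network B to the hub leaves unencrypted; with the scoped policies it is encrypted under B-to-A while ETKMS-to-PEP management traffic still passes in the clear.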
Figure 8 In-line ETKMS management in an IP network
ETPM and ETKMS in Layer 2 Ethernet Policies
With Ethernet networks, you use Layer 2 PEPs. As with IP networks, when managing the ETPM and
external ETKMS in-line the communications path between the devices must pass through one or more
PEPs and potentially one or more firewalls. For in-line management with Layer 2 PEPs be sure that the
Enable passing TLS traffic in the clear feature is selected in the ETEMS Appliance editor.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the
management communications using out-of-band connections or put your management traffic on a separate
VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2
policy to pass packets with this VLAN tag in the clear. To prevent an interruption in management traffic,
set the policy’s key renewal/lifetime to zero, so that the policy does not expire.
With out-of-band management, the management traffic between the ETPM and ETKMS is routed over a
separate network path through the ISP. When the communications path passes through any firewalls, be
sure to configure the firewall to pass TLS traffic. Figure 9 shows an out-of-band management scenario
with the ETPM connecting to an external ETKMS with Layer 2 PEPs encrypting Ethernet data.
Figure 9 Out-of-band ETKMS management in an Ethernet network
External ETKMS to ETKMS Connections
ETKMSs must be able to communicate with each other in two situations:
● Backup ETKMSs are used for redundancy
● Multiple ETKMSs share policy information and keys to distribute to the PEPs that they control
This section addresses the connections between two or more external ETKMSs. If you also use a local
ETKMS, the basic principles discussed here still apply.
If the ETKMSs are on the same subnetwork, the ETKMS to ETKMS interconnection is straightforward.
ETKMSs communicate with each other using the Ethernet ports on each ETKMS. For large, dispersed
networks, multiple ETKMSs must be able to share keys with each other. The connections between
ETKMSs depend on the network type: IP network or Ethernet network.
This section includes the following topics:
● “Connections for Backup ETKMSs” on page 29
● “Connecting Multiple ETKMSs in an IP Network” on page 30
● “ETKMS to ETKMS Connections in Ethernet Networks” on page 30
Connections for Backup ETKMSs
In some EncrypTight configurations a pair of ETKMSs, a primary ETKMS and a secondary ETKMS, are
used to provide network redundancy. The ETPM distributes the policies to both the primary ETKMS and
backup ETKMS. Only the primary ETKMS distributes the keys and policies to the PEPs. If the backup
ETKMS detects a communication failure with the primary ETKMS due to an ETKMS failure or network
failure, the backup ETKMS assumes the generation and distribution of the keys and policies to the PEPs.
Once communication with the primary ETKMS is reestablished, the primary resumes the distribution of
the keys and policies to the PEPs.
Backup ETKMSs should be external ETKMSs. Using a local ETKMS as a backup ETKMS is not
recommended. If you use backup ETKMSs, the backup ETKMS must be able to check the status of the
primary ETKMS so that it can take over operations in the event of a communication failure. It is
recommended that you locate the backup ETKMS and the primary ETKMS together. The primary and
backup ETKMSs communicate using the Ethernet ports on each ETKMS.
Also keep in mind the following:
● Both the primary ETKMS and the backup ETKMS must be able to communicate with the same PEPs.
● Each ETKMS can only use one backup ETKMS. Similarly, each backup ETKMS can only serve as a
backup to one ETKMS.
● Backup ETKMSs must use the same type of IP address as the primary ETKMS. For example, if the
primary uses an IPv6 address, the backup ETKMS must use an IPv6 address.
● You do not explicitly add backup ETKMSs to the Appliance Manager in ETEMS and they are not
listed in that window. Instead, you specify a backup ETKMS when you add a primary ETKMS in
ETEMS, and only the primary ETKMS is listed in the Appliance Manager.
Connecting Multiple ETKMSs in an IP Network
Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as
primary ETKMSs in a large, dispersed network.
When the ETKMSs are managed in-line, the communications path between the devices must pass through
one or more PEPs and potentially one or more firewalls. By default, the Layer 3 PEPs pass all TLS
traffic (port 443) in the clear. Be sure that the Enable passing TLS traffic in the clear feature is enabled
for all PEPs which must pass TLS traffic. Enable this feature from the ETEMS Appliance editor.
Figure 10 In-line management of ETKMSs located on different IP networks
ETKMS to ETKMS Connections in Ethernet Networks
For in-line management when the ETKMSs are on different Ethernet networks, make sure that the
Enable passing TLS traffic in the clear feature is enabled on the Layer 2 PEPs.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the
management communications using out-of-band connections or put your management traffic on a separate
VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2
policy to pass the VLAN tag in the clear. To prevent an interruption in management traffic, set the
policy’s key renewal/lifetime to zero, which means “do not expire or update.”
With out-of-band management, the management traffic between the ETKMSs is routed over a separate
network path through the ISP. When the communications path passes through any firewalls, be sure to
configure the firewall to pass TLS traffic. Figure 11 shows an out-of-band management scenario with the
external ETKMS connecting to another external ETKMS, with Layer 2 PEPs encrypting Ethernet data.
Figure 11 Out-of-band management of ETKMSs located on different Ethernet networks
ETKMS to PEP Connections
The communications between the ETKMSs and the PEPs require a connection between the Ethernet ports
on each ETKMS and the management port on each PEP. The ETKMS to PEP connections depend on the
network type: IP network or Ethernet network.
This section addresses connections between external ETKMSs and the PEPs. If you also use a local
ETKMS, the basic principles discussed here still apply. However, a local ETKMS runs on the same
workstation as the ETPM. Therefore the communications between the local ETKMS and the PEPs require
a connection between an Ethernet port on the management workstation and the management port on each
PEP.
This section includes the following topics:
● “ETKMS to PEP Connections in IP Networks” on page 31
● “ETKMS to PEP Connections in Ethernet Networks” on page 32
ETKMS to PEP Connections in IP Networks
Figure 12 shows one external ETKMS connecting to two PEPs. The connection between the ETKMS
and the first PEP, co-located on the same network, is straightforward: the ETKMS’s Ethernet
port connects through the internal protected network to the PEP’s management port.
When managing in-line, the connection between the ETKMS and the second PEP located on a different
network must pass through the data ports on both PEPs to get to the management port on the second
PEP.
To successfully pass management traffic, be sure that the Enable passing TLS traffic in the clear
feature is enabled on all of the PEPs. By default, the Layer 3 PEPs pass all TLS traffic (port 443) in the
clear. This option is configured on the Features tab of the ETEMS Appliance editor.