IP45 Security Platform
User’s Guide
Version 4.0
Part Number: N450000261 Rev. 001
December 2006
COPYRIGHT
©2006 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
Nokia IP45 Security Platform User’s Guide v4.0

Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas
Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: info.ipnetworking_americas@nokia.com

Europe, Middle East, and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: info.ipnetworking_emea@nokia.com

Asia-Pacific
438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
email: info.ipnetworking_apac@nokia.com

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897

About this Guide
In this Guide
Conventions this Guide uses
Notices
Command-Line Conventions
Text Conventions
Menu Items
Related Documentation

1 Introduction
About the Nokia IP45 Security Platform
Nokia IP45 Tele 8
Nokia IP45 Satellite 16, Satellite 32, Satellite Unlimited
Nokia IP45 Security Platform Features
Connectivity
Firewall
VPN Connectivity
Management
Security Services
Diagnostics and Maintenance
Network Requirements
Overview
Nokia IP45 Security Platform Rear Panel
Nokia IP45 Security Platform Front Panel

2 Installing the Nokia IP45 Security Platform
Before you Install the Nokia IP45 Security Platform
Setting Up the Nokia IP45 Security Platform with Microsoft Windows 98 or Millennium Operating Systems
Setting Up the Nokia IP45 Security Platform with Microsoft Windows XP and 2000 Operating Systems
Setting Up the Nokia IP45 Security Platform with an Apple Computer
Connecting the Nokia IP45 Security Platform to the Network
Installing your Network

3 Getting Started
First-Time Login
Configuring the Nokia IP45 Security Platform for Internet Connection
Making Initial Nokia IP45 Security Platform Settings
Setting the Nokia IP45 Security Platform Time
Registering with the Nokia Support Site
Connecting to a Central Management Server
Logging On to the Nokia IP45 Security Platform
Accessing Nokia IP45 Securely
Logging Off from the Nokia IP45 Security Platform
Understanding the Nokia IP45 Web GUI
Using the Nokia IP45 Security Platform Web-based User Interface
Graphical User Interface Details

4 Accessing the Nokia IP45 Security Platform
Connection Methods
Configuration Methods
Connecting the Nokia IP45 Security Platform to a Computer by Using the Console Port
Using Telnet to Connect to the Nokia IP45 Security Platform
Enabling and Disabling Telnet Access to Nokia IP45
Using Secure Shell to Connect to the Nokia IP45 Security Platform
Accessing Nokia IP45 with HTTP and HTTPS
Managing Large Scale Deployments of Nokia IP45
Deploying the Nokia IP45 Security Platform with the Nokia Horizon Manager
Deploying the Nokia IP45 Security Platform with the Check Point SmartCenter Large Scale Manager
Deploying Nokia IP45 with SofaWare Management Portal

5 Connecting to the Internet with the Nokia IP45 Security Platform
Configuring an Internet Connection
Using the Setup Wizard
Cable Modem Connection Settings
MAC Cloning
Cloning a MAC Address
Manually Configuring the Internet Setting
Dial-Up PPP
Configuring Dial-Up
Using the GUI
Configuring Dial-up Setting by Using the CLI
Multiple Dial-up Profiles
Enabling or Disabling the Internet Connection
Using Quick Internet Connect or Disconnect
Configuring a Backup Internet Connection
Viewing Internet Information
Detecting Dead Connections

6 Managing your Local Area Network
Configuring Network Settings
Enabling and Disabling the DHCP Server
Customizing DHCP Server Options
Configuring a DMZ Network
Configuring OfficeMode Network
VLAN Support
Tag-Based VLANs
Configuring a VLAN
Deleting a VLAN
Configuring DHCP Relay
Backing Up DHCP Relay
Backing Up DHCP Relay by Using CLI
Changing IP Addresses
Configuring Network Objects
Configuring Static NAT
Editing Static NAT
Viewing Static NAT
Deleting Static NAT
Configuring DHCP Reservation
Deleting Network Objects
Configuring Static Routes
Configuring Source Routes
OSPF
Managing Ports
Defining the Port Link Speed
Viewing Ports Status

7 Quality of Service
About QoS
Using Traffic Shaper
QoS Classes
Default QoS Classes
Enabling QoS Classes
Adding QoS Classes
Editing and Deleting QoS Classes

8 Setting Up the Nokia IP45 Security Platform Security Policy
VStream Embedded Antivirus
Features Overview
VStream Antivirus Actions
Enabling and Disabling VStream Antivirus
Viewing VStream Signature Database Information
Configuring VStream Antivirus
Configuring the antivirus policy
Configuring the advanced settings
Updating VStream Antivirus
Setting the Firewall Security Level
Configuring Virtual Servers
Customizing the Nokia IP45 Security Platform Security Policy
Creating Firewall Rules
Allow and Block Rules
Firewall Rules
Deleting and Editing Firewall Rules
Viewing the Rules Log for Accepted Connections
Editing or Deleting an Exposed Host
SmartDefense
SmartDefense Wizard
Restoring Default Settings
Configuring SmartDefense
Denial of Service
IP and ICMP
TCP
Port Scan
FTP
HTTP
Microsoft Networks
IGMP
Peer to Peer
Instant Messaging Traffic
Secure HotSpot
Enabling Secure HotSpot

9 Configuring Network Access
Changing your Password
Adding Users
Adding Guest HotSpot Users
Viewing and Editing Users
Deleting Users
Setting Up Remote VPN Access for Users
Using RADIUS Authentication
RADIUS Vendor Specific Attributes
Access Control
Telnet Access
Secure Shell
Configuring SSH
Enabling or Disabling SSH Service
SSH Authentication Methods
Using SSH Client
Configuring Advanced Secure Shell Server Options
Configuring Server Authentication of Users
Configuring and Managing SSH Key Pairs
Managing Authorized Keys
Secure Socket Layer
Enabling HTTPS Web Access
Generating a Self-Signed Certificate and Private Key by Using the CLI
Installing a Certificate and Private Key
Viewing Certificate Fingerprint Display

10 Configuring and Monitoring SNMP
SNMP Description
SNMP Configuration from the Nokia IP45 Security Platform
Setting Up SNMP Access to the Nokia IP45 Security Platform
Configuring the SNMP Parameters
Configuring SNMP Parameters from the Command-Line Interface
Setting SNMP Parameters
Viewing SNMP Parameters

11 High-Availability
High-Availability Sample Scenario
Configuring Multiple HA Clusters
Configuring High-Availability
Configuring High-Availability by Using the GUI
High-Availability over VPN
Dual Homing
Configuring for Dual Homing ISP Connectivity
Configuring ISP Dial-Up Profiles
Generic High-Availability
Advanced High-Availability
Route-Based VPN and BGP
Border Gateway Protocol
Configuring the BGP
High-Availability Options
High-Availability Solutions
High-Availability Solutions with a Single Nokia IP45 Device
High-Availability Solutions with Dual Nokia IP45 Devices
Generic HA
HA Coupled With BGP

12 Configuring Nokia IP45 Through Out-of-Band Management
Overview
Configuring OOB from the Nokia IP45 Security Platform GUI
Secure Shell and HTTPS Access Through Out-of-Band Dial-In
Remote Configuration Mode in the Nokia IP45 Security Platform

13 Configuring Device Functions
Host Name Configuration by Using the CLI
Date and Time Configuration
System Logging Configuration
Setting the Syslog Server by Using the CLI
Network Utilities
Managing the Configuration
Exporting the Configuration
Importing the Configuration
Upgrading Firmware
Installing your Product Key
Dynamic DNS
Configuring DDNS
Resetting the Nokia IP45 Security Platform to Factory Defaults
Resetting the Nokia IP45 Security Platform by Using the Reset Button
Restarting the Nokia IP45 Security Platform by Using the GUI

14 Viewing Reports
Viewing Reports on the Nokia IP45 Security Platform
Viewing the Event Log
Viewing the Traffic Monitor
Viewing Active Computers
Viewing Connections
Viewing the Diagnostics Summary

15 Working with VPNs
About VPN
Setting Up the Nokia IP45 Security Platform as a VPN Server
Configuring Remote Access VPNs
Configuring Site-to-Site VPN
Completing Site Creation
Configuring Route-Based VPNs
Deleting a VPN Site
Logging On to a VPN Site
Logging On from the Nokia IP45 Security Platform GUI
Logging On Through my.vpn
Logging Off a VPN Site
VPN Certificates
Installing a Certificate
Generating a Self-Signed Certificate
Importing a Certificate
Installing VPN Certificates from SmartCenter
Uninstalling the VPN Certificate
Viewing VPN Tunnels
Viewing IKE Traces
Downloading the Precompiled Security Policy
VPN Scenarios
Nokia IP45 Security Platform as a VPN Server
SecuRemote to Nokia IP45 Satellite X (VPN Client to Gateway)
Setting Up Nokia IP45 Satellite X
Nokia IP45 Security Platform as VPN Client
Authentication Methods
Setting Up Nokia IP45 Tele 8 as a VPN Client
Adding VPN Sites by Using Nokia IP45 Tele 8
Nokia IP45 Site-to-Site VPNs support
Adding VPN Sites by Using Nokia IP45 Satellite X
Nokia IP45 Tele to IP45 Satellite X (VPN Client to Gateway)
Setting Up Nokia IP45 Tele 8
Setting Up Nokia IP45 Satellite X
Nokia IP45 Tele 8 to Check Point FP1, FP2, FP3, NG, NG AI, NGX R60 or NGX R61
Setting Up Nokia IP45 Tele 8
Setting Up Check Point Server
Nokia IP45 Tele 8 to Check Point NG AI
Setting Up Nokia IP45 Tele 8
Setting Up Check Point NG AI
Nokia Satellite X to Nokia Satellite X (VPN Gateway-to-Gateway)
Setting Up Nokia IP45 Satellite X
Nokia IP45 Satellite X in NAT and Bypass NAT Modes
NAT Mode
Bypass NAT
Bypass Firewall
Defining a Backup VPN Gateway
Nokia IP45 Satellite X to VPN-1 (Site-to-Site VPN)
Setting Up Nokia IP45 Satellite X
Nokia IP45 Satellite X to Check Point FP3 or DAIP
Setting Up Check Point FP3
Setting Up Nokia IP45 Satellite X
Nokia IP45 Satellite X to Check Point SmartCenter FP3/NG AI
Setting Up Check Point SmartCenter FP3/NG AI
Setting Up Nokia IP45 Satellite X for VPN Connection with SmartCenter FP3
Setting Up Check Point SmartCenter NG AI by Using Certificates with Smart LSM
Site-to-Site VPN with Windows 2000
Site-to-Site VPN with Nokia CryptoCluster
Site-to-Site VPN with Cisco PIX
VPN Routing Between two Nokia IP45 Security Platforms
IPSec NAT Traversal
Mesh VPN Support
Enhanced MEP Support
16 Using Managed Services
Starting your Subscription Services
Viewing Service Information from the Account Page
Refreshing your Service Center Connection
Configuring your Account
Disconnecting from your Service Center
SofaWare Security Management Portal
Web Filtering
Selecting Categories to Block
Virus Scanning
Enabling or Disabling Email Antivirus
Selecting Protocols for Scanning
Temporarily Disabling Email Antivirus
Automatic and Manual Updates
Checking for Software Updates when Locally Managed
Checking for Software Updates when Remotely Managed
Managing with the Nokia Horizon Manager
Check Point SmartCenter LSM
17 Troubleshooting
Debugging
Configuring Debugging Levels
Viewing Debugging Levels
Frequently Asked Questions
Viewing Firmware Status
Resetting the IP45 Security Platform to Factory Defaults
Failsafe Mode
Upgrading Firmware in Failsafe Mode by Using Console
Upgrading Firmware from Failsafe Kernel
Running Diagnostics
Using Packet Sniffer
A Specifications
Technical Specifications
Safety Precautions
B Compliance Information
Declaration of Conformity
Compliance Statements
FCC Notice (US)
Index
This guide provides information and procedures for installing and configuring the Nokia IP45 security platform, and describes the new features incorporated in the Nokia IP45. This version of the Nokia IP45 uses the SofaWare VPN-1 Embedded NG. For a quick reference on how to configure features in the Nokia IP45, see the Nokia IP45 Security Platform Quick Start Guide v4.0 and the Nokia IP45 Security Platform Online Help, which is part of the graphical user interface (GUI) in the device.
Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only.
This preface provides the following information:
Conventions this Guide uses
Related Documentation
In this Guide
This guide is organized into the following chapters and appendixes:
Chapter 1, “Introduction” provides the information you need to know before installing the Nokia IP45 security platform.
Chapter 2, “Installing the Nokia IP45 Security Platform” describes how to install the device, lists operating system requirements, protocols and how to establish a network connection.
Chapter 3, “Getting Started” describes how to start using the IP45, and provides information on first-time login and connecting to the Internet.
Chapter 4, “Accessing the Nokia IP45 Security Platform” describes different methods of connecting to your IP45, and methods of configuring the device.
Chapter 5, “Connecting to the Internet with the Nokia IP45 Security Platform” describes how to configure your IP45 for connecting to the Internet, and viewing and managing your Internet connection.
Chapter 6, “Managing your Local Area Network,” describes how to configure the Nokia IP45 features.
Chapter 7, “Quality of Service” provides information about Quality of Service (QoS) and how to configure the QoS classes.
Chapter 8, “Setting Up the Nokia IP45 Security Platform Security Policy” describes methods to define the firewall level, configure virtual servers, and create firewall rules.
Chapter 9, “Configuring Network Access,” describes the network access procedures and usage of SSH and SSL.
Chapter 10, “Configuring and Monitoring SNMP,” describes how to configure Simple Network Management Protocol (SNMP), set community strings, and enable and send SNMP traps.
Chapter 11, “High-Availability,” describes the High Availability feature.
Chapter 12, “Configuring Nokia IP45 Through Out-of-Band Management,” describes the method to configure the Nokia IP45 through Out of Band Management.
Chapter 13, “Configuring Device Functions,” discusses how to configure device functions such as setting date and time, loading factory defaults and performing firmware upgrade.
Chapter 14, “Viewing Reports,” describes how to view reports such as Event Log, Active Computers, Active Connections, and VPN Tunnels.
Chapter 15, “Working with VPNs,” describes how to configure a VPN by using the Nokia IP45.
Chapter 16, “Using Managed Services” describes methods for enabling and using subscription services such as Web filtering, email antivirus, and automatic and manual updates.
Chapter 17, “Troubleshooting,” discusses typical problems users encounter and provides solutions to these problems.
Appendix A, “Specifications,” describes the Nokia IP45 specifications.
Appendix B, “Compliance Information,” contains the compliance information of the Nokia IP45 security platform.
The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.
Warning
Warnings advise the user that either bodily injury might occur because of a physical hazard, or that damage to a structure, such as a room or equipment closet, might occur because of equipment damage.
Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Note
Notes provide information of special interest or recommendations.
This section defines the elements of commands that are available in Nokia products. You might encounter one or more of the following elements on a command-line path.
Table 1 Command-Line Conventions
Convention | Description
Command | This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.
Italics | Indicates a variable in a command that you must supply. For example, in delete interface if_name, supply an interface name in place of the variable: delete interface nic1
Angle brackets < > | Indicates arguments for which you must supply a value. For example, for retry-limit <1–100>, supply a value: retry-limit 60
Square brackets [ ] | Indicates optional arguments. For example, for delete [slot slot_num]: delete slot 3
Vertical bars, also called a pipe (|) | Separates alternative, mutually exclusive elements. For example, to complete the command framing <sonet | sdh>, supply the value: framing sonet or framing sdh
-flag | A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.
.ext | A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.
( . , ; + * - / ) | Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.
' ' | Single quotation marks are literal symbols that you must enter as shown.
Table 2 describes the text conventions this guide uses.
Table 2 Text Conventions
Convention | Description
Monospace font | Indicates command syntax, or represents computer or window output, for example: Log error 12453
Bold monospace font | Indicates text you enter or type, for example: # configure nat
Key names | Keys that you press simultaneously are linked by a plus sign (+): Press Ctrl + Alt + Del.
Menu commands | Menu commands are separated by a greater than sign (>): Choose File > Open.
The words enter and type | Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.
Italics | Emphasizes a point or denotes new terms at the place where they are defined in the text. Indicates an external book title reference. Indicates a variable in a command: delete interface if_name
The Nokia IP45 menu items in procedures are separated by the greater than sign (>).
For example, Start > Programs > Nokia > Security indicates that you first click Start, then choose the Programs menu command, then choose Nokia, and finally choose Security.
Related Documentation
In addition to this guide, documentation for this product includes the following:
Nokia IP45 Security Platform Quick Start Guide Version 4.0—describes the system features and provides an overview of how to get your appliance up and running.
Nokia IP45 Security Platform Getting Started Guide Version 4.0—describes how to install and configure the Nokia IP45 security platform.
Nokia IP45 Security Platform CLI Reference Guide Version 4.0—describes all the IP45 commands that are used for managing the appliance.
Nokia IP45 Security Platform Release Notes Version 4.0—describes what you should know before you install and configure the IP45.
This chapter introduces the Nokia IP45 security platform and includes the following topics:
Nokia IP45 Security Platform Features
Network Requirements
Nokia IP45 Security Platform Front Panel
Nokia IP45 Security Platform Rear Panel
About the Nokia IP45 Security Platform
The Nokia IP45 security platform provides dependable Internet access for the remote and branch offices of a distributed enterprise. The Nokia IP45 supports features such as dial-up connection, redundant WAN connection to headquarters, and dual homing with BGP to route return traffic securely over VPN. IP45 appliances are RoHS compliant.
The Nokia IP45 security platform can be integrated with an overall enterprise security policy for maximum security. The IP45 facilitates centralized management and automatic deployment with the security management architecture of Check Point and Nokia Horizon Manager.
The Nokia IP45 security platform is available with the following licenses:
Nokia IP45 Satellite 16
Nokia IP45 Satellite 32
Nokia IP45 Satellite U (Unlimited)
All these versions of the Nokia IP45 provide a Web-based interface that enables you to configure and manage the Nokia IP45.
The Nokia IP45 security platform comes pre-installed with the license of your choice. You can upgrade the IP45 security platform to a more advanced configuration without replacing the hardware. For details about license upgrade, contact your local reseller.
Nokia IP45 Tele 8
Nokia IP45 Tele 8 is for home telecommuters and work extenders who also need VPN client access. The IP45 Tele 8 supports both firewall and VPN client capabilities over an eight-node network. The device supports VPN client capabilities for users to connect to the central office from their home with firewall protection, extending the enterprise network to the employees’ home offices.
IP45 Tele 8 can act as a VPN server, which allows a single user to securely access resources protected by the device from home or while travelling.
Note
Computers that actually pass through the firewall are counted. Devices such as network printers that are connected to the LAN and do not normally connect to the Internet are not counted.
Nokia IP45 Satellite 16, IP45 Satellite 32, and IP45 Satellite Unlimited provide full firewall and VPN connectivity for remote and branch offices or independent, small, and medium enterprises with sixteen, thirty-two, and unlimited node networks, respectively. Using these solutions, remote and branch offices can securely exchange information among themselves and with distributed enterprises and small and medium enterprises, at a low price and with excellent performance.
The following section contains a summary of the Nokia IP45 security platform features.
Table 3 provides details about the IP45 v4.0 connectivity.
Table 3 Nokia IP45 Security Platform Connectivity
Feature | Nokia IP45 Tele 8 | Nokia IP45 Satellite 16/32/Unlimited
LAN, WAN, and console ports
DMZ Support
Manual Ethernet port settings
Dynamic routing by using OSPF
Unnumbered PPP
Users (nodes) | 8 | 16, 32, unlimited
PPPoE client
PPTP client
DHCP client
DHCP server
DHCP relay
Backup DHCP relay
DHCP reservation
Customizing DHCP Options (DNS servers, WINS servers, NTP servers, Domain name, VoIP call managers, TFTP server and TFTP boot file name)
Static IP
MAC cloning
MAC Cloning for WAN2
Static NAT, static routes
Dial-up Internet connection
Routing support by using BGP
Source routing
High-Availability (Group ID, enhanced interface tracking, VPN effect, WAN Virtual IP)
Traffic Shaper
Traffic Shaper enhancements
Traffic Monitor
Dead Connection Detection
Table 4 provides details about the IP45 security platform firewall connectivity.
Table 4 Firewall Connectivity
Feature | Nokia IP45 Tele 8 | Nokia IP45 Satellite (16/32/Unlimited)
Firewall Type | Check Point Firewall-1 Embedded NG | Check Point Firewall-1 Embedded NG
Network Address Translation (NAT)
INSPECT policy rules
User defined rules
Three levels of Preset security policies
DoS protection
Anti-spoofing
Attack logging
Voice over IP (H.323) support
Exposed host
DMZ network
VLAN support
SmartDefense and Application Intelligence
Table 5 provides details about the IP45 security platform VPN connectivity.
Table 5 VPN Connectivity
Feature | Nokia IP45 Tele 8 | Nokia IP45 Satellite 16/32/Unlimited
IPSEC VPN remote access server
IPSEC VPN site-to-site gateway
IPSEC VPN remote access client
Authentication
X.509 certificates
RSA secure ID
Office Mode Network
VPN pass through
Enhanced MEP support
Advanced VPN configuration
Encryption | AES/3DES/DES | AES/3DES/DES
Authentication | SHA1/MD5 | SHA1/MD5
SecuRemote server
L2TP VPN server
RADIUS Client
RADIUS Enhancements (vendor specific attribute (VSA), Radius Realm support, Radius time-out and retries setting)
DAIP with VPN certificates
Backup VPN gateways
SmartCenter Connector (SSC) NG AI support
Bypass NAT
Bypass Firewall
NAT Traversal
Route all traffic
Route-Based VPN and failover
Multiple PPP connections
Enhanced active tunnels display
Table 6 provides details about the IP45 security platform management.
Table 6 Management
Feature | Nokia IP45 Tele 8 | Nokia IP45 Satellite (16/32/Unlimited)
Web-based management
Access to the IP45 through OOB, SSH and SNMP
Telnet access
HTTPS access (local and remote)
Remote firmware upgrades
Nokia Horizon Manager support from v1.5 SP1 onwards
Multiple administrators
Users Manager
Guest HotSpot Users
User account expiration
Nokia CLI shell
Management systems (Nokia Horizon Manager, SofaWare SMP, Check Point SmartCenter, Check Point Smart Update)
Check Point Smart LSM
Check Point Provider-1
Packet Sniffer
SmartDefense policy wizard