Secure Computing SafeNet manual Configuring a security policy on the Soft-PK

Page 63

Configuring a security policy on the Soft-PK

Configuring a security policy on the Soft-PK

Basic connection options

Setting up an Other

Connections policy

As an administrator, you can configure end user security policies on your Soft-PK system, save them to a diskette, and distribute them to your users. Your end users then simply import the security policy you’ve set up.

When you configure a user policy on Soft-PK, you can specify to send all traffic over one VPN connection, or specify to send traffic over separate connections (some or all of which can be secured) for different traffic destinations. This choice is made by selecting Options -

>Secure from the main menu.

All Connections — This allows you to configure one, and only one connection that secures all IP communications with the option to direct all connections to a specific gateway.

Specified Connections — This option allows you to configure multiple simultaneous connections. This option includes a default connection configuration called "Other Connections," that controls traffic not covered by prior connection rules.

The remainder of this section describes the setup of a single connection policy under the Specified Connections scenario. The connection settings you configure must coincide with configured settings/capabilities on the Sidewinder VPN Gateway.

Note: This procedure assumes your client system will not use this policy for every connection. That is, the system may sometimes be used in a local network where a VPN connection is not needed.

1.Select Start -> Programs -> SafeNet/Soft-PK -> Security Policy Editor (or right click the SafeNet icon and select Security Policy Editor).

2.Select Options -> Secure Specified Connections.

3.Click on Other Connections. This is the catchall rule for all IP communications that do not conform to the proposals you will defined for individual connections. This policy will handle all traffic not defined in another policy.

Note: Configure this according to your site/user requirements. You can allow all traffic to pass through (Non-secure mode), configure a VPN policy (Secure mode), or stop all other traffic (Block mode).

Installing and Working with Soft-PK	4-13

Image 63

Contents VPN Administration Guide Page Copyright Notice Printing History B L E O F C O N T E N T S Installing and Working with Soft-PK Who should read this guide? About this GuideOrganized How this guide isViewing and printing this document online About Soft-PKAbout Sidewinder About digital certificatesViii About this chapter Getting StartedAbout Soft-PK & Sidewinder VPNs Sidewinder and other network requirements RequirementsSoft-PK requirements Roadmap to deploying your VPNs 4c1 Define remote identities within Sidewinder Sidewinder systemSatisfy Sidewinder, network, & system requirements Plan your VPN configurationCreate/Request the digital certificates If using pre-shared keys passwordsConfigure the VPN connections on the Sidewinder Troubleshoot any connection problems Planning Your VPN Configuration Identifying basic VPN connection needs Certificate file with public key Identifying authentication requirementsUsing digital certificate authentication Private key fileClients Closer look at self-signed certificatesNo CA needed For a small number of VPNCloser look at CA-based certificates Understanding pre-shared key authenticationExtended authentication VPN tunnel terminating on trusted burb Determining where you will terminate your VPNsSelect Firewall Administration Burb Configuration More about virtual burbs and VPNsDefining a virtual burb Sidewinder Understanding Sidewinder client address poolsUnderstanding Sidewinder client address pools Configuring Sidewinder for Soft-PK Clients Select VPN Configuration Isakmp Server Enable the cmd, egd, and isakmp serversClick Apply Configure the Isakmp server EnableConfiguring ACL & proxies entries for VPN connections Creating & exporting a firewall certificate Managing Sidewinder self- signed certsSpecify the following Firewall Certificate settings Click OK when doneMail Address Select Services Configuration Certificate Management Creating & exporting remote certificatesSelect the Remote Certificates tab. Click New Generated Specify the following Remote Certificate settingsClick Add to add the certificate to the Certificates list Key FileReturn to for each remote client Defining a CA to use and obtaining the CA root cert Managing CA- based certificatesRequesting a certificate for the firewall Specify the firewall certificate information Click Add to send the enrollment requestRetrieve the key, revoke, etc Determining identifying information for client certificates Certificate Identities defined on the firewall Defining remote client identities in SidewinderManaging pre- shared keys passwords Configuring the VPN on the Sidewinder Example, if you specify 24 with an IP address Field Setting Local Network/IPEnabled Select Yes Burb New button to specify the IP Address / HostnameThis field cannot be edited Require Extended Enable this checkbox AuthenticationCertificate VPN from the list provided Firewall Identity Type Firewall to the remote client ValueType ClientEdited Save your settings!4. Click Add to save the settings Click CloseRemote Identity Page Installing and Working with Soft-PK Soft-PK installation notes Determining Soft-PK status from icon variations Starting Soft-PKRight-click the Soft-PK tray icon to access menu Activating/Deactivating Soft-PKMeans Soft-PK security policy is currently active Log Viewer About the Soft-PK program optionsCertificate Manager Security Policy EditorManaging certificates on Soft-PK Setting up Sidewinder self-signed certificatesSetting up CA-based certificates Click Advanced to select a certificate service provider Get your CA administrator to approve your requestSelect the Generate Exportable Key check box Importing certificate in Soft-PK Verification window Importing a personal certificate into Soft-PK Import Certificate Password WindowCertificate file Select Options Secure Specified Connections Configuring a security policy on the Soft-PKNew connection Named SecureVPN If using digital certificatesEnable the Connect using Secure Gateway Tunnel box Specify the interface informationConfiguring a security policy on the Soft-PK Encryption and Data Integrity/Algorithms fields Optional Click Save to save the policy on this system SA Life Select Unspecified to default to Sidewinder settingsPage Deploying Soft-PK to Your End Users Overview WordFormat Soft-PK setup.exe file and supporting files Security policyCannot modify Specifying installation instructions Customizing the user worksheetSpecifying dial-up network instructions Specifying certificate import/request instructions Specifying basic connection information Specifying security policy instructionsAbout this appendix Soft-PK Log ViewerSoft-PK Connection Monitor To view the details More about the Connection MonitorSidewinder troubleshooting commands Page Part Number 86-0935037-A