Casio ACS V6000 Security, Authentication, VPN based on IPSec with NAT traversal, Packet filtering


Chapter 1: Introduction 3

administrator can assign to custom user groups. For more information, see Users Accounts and User Groups on page 38.

Security

Security profiles determine which network services are enabled on the virtual console server. Administrators can either allow all users to access enabled ports or allow the configuration of group authorizations to restrict access. A security profile defines which services (FTP, ICMP, IPSec and Telnet) are enabled, along with SSH and HTTP/HTTPS access. The administrator can either select a preconfigured security profile or create a custom profile. See Security profiles on page 16.

Authentication

Authentication can be performed locally, with One Time Passwords (OTP), with a remote Kerberos, LDAP, NIS, RADIUS or TACACS+ authentication server, or with a DSView 3 server. The virtual console server also supports remote group authorizations for the LDAP, RADIUS and TACACS+ authentication methods. Fallback mechanisms are also available.

Any authentication method configured for the console server or the ports is used for authentication of any user who attempts to log in through Telnet, SSH or the web manager.

VPN based on IPSec with NAT traversal

If IPSec is enabled in the selected security profile, an administrator can use the VPN feature to enable secure connections. IPSec encryption with optional NAT traversal (which is configured by default) creates a secure tunnel for dedicated communications between the virtual console server and other computers that have IPSec installed. ESP and AH authentication protocols, RSA Public Keys and Shared Secret are supported.

Packet filtering

An administrator can configure a virtual console server to filter packets like a firewall. Packet filtering is controlled by chains, which are named profiles with user-defined rules. The virtual console server filter table contains a number of built-in chains that can be modified but not deleted. An administrator can also create and configure new chains.
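The chain model described above can be sketched as follows. This is an added example, not code from the guide or the product: it assumes iptables-style built-in chain names, first-match rule evaluation, a default policy on built-in chains only, and jumps into user-defined chains, none of which this page specifies. The `mgmt` chain and the addresses are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
BUILT_IN = ("INPUT", "OUTPUT", "FORWARD")  # assumed names, not given on the page

@dataclass
class Rule:
    target: str                 # "ACCEPT", "DROP", or the name of a user-defined chain
    proto: str | None = None    # None matches any protocol
    src: str | None = None      # source CIDR; None matches any address
    dport: int | None = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto and self.proto != pkt["proto"]:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.get("dport")

class FilterTable:
    def __init__(self):
        self.policy = {name: "ACCEPT" for name in BUILT_IN}  # built-in chains only
        self.rules = {name: [] for name in BUILT_IN}

    def add_chain(self, name: str) -> None:
        self.rules.setdefault(name, [])

    def delete_chain(self, name: str) -> None:
        if name in BUILT_IN:
            raise ValueError(f"built-in chain {name} can be modified but not deleted")
        del self.rules[name]

    def verdict(self, chain: str, pkt: dict) -> str | None:
        for rule in self.rules[chain]:            # first matching rule decides
            if rule.matches(pkt):
                if rule.target in ("ACCEPT", "DROP"):
                    return rule.target
                result = self.verdict(rule.target, pkt)   # jump into a user-defined chain
                if result is not None:
                    return result
        return self.policy.get(chain)   # None: fell off a user chain, caller continues

def build_example() -> FilterTable:
    """Constructed rule set: default-deny inbound, SSH only from a management subnet."""
    table = FilterTable()
    table.policy["INPUT"] = "DROP"                # modify a built-in chain's policy
    table.add_chain("mgmt")                       # hypothetical user-defined chain
    table.rules["mgmt"].append(Rule("ACCEPT", src="10.0.0.0/24"))
    table.rules["INPUT"] += [Rule("DROP", proto="tcp", dport=23),   # Telnet
                             Rule("mgmt", proto="tcp", dport=22)]   # SSH via mgmt chain
    return table
```

A packet that matches no rule in `mgmt` returns to `INPUT` and is decided by that chain's remaining rules or its policy, which is why the order of rules and the default policy both matter when reviewing a filter table.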

SNMP

If SNMP is enabled in the selected security profile, an administrator can configure the Simple Network Management Protocol (SNMP) agent on the virtual console server to send notifications or traps to an SNMP management application.

The virtual console server SNMP agent supports SNMP v1/v2 and v3, MIB-II and Enterprise MIB.
