Manuals / SnapGear / Computer Equipment / Network Card

SnapGear 2.0.1 user manual Create the self-signed root CA certificate, Virtual Private Networking

Models: 2.0.1

1 189

Download 189 pages 52.42 Kb

Page 147

4. Create the self-signed root CA certificate:

openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes

.. where DAYS_VALID is the number of days the root CA is valid for.

Remove the –nodesoption if you want to use a password to secure the CA key.

For each certificate you wish to create, there are two steps:

1.Create the certificate request:

openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req

Enter a PEM pass phrase (this is the same pass phrase required when you upload the key to the CyberGuard SG appliance) and then the certificate details. All but the Common Name are optional and may be omitted.

2.Sign the certificate request with the CA :

openssl ca -config openssl.cnf -out cert1.pem -notext - infiles cert1.req

Then you will have a certificate/key pair, cert1.pem and cert1.key, ready to use in the CyberGuard SG appliance.

For each certificate required, change the cert1.* filenames appropriately.

143

Virtual Private Networking

Image 147

SnapGear 2.0.1 user manual Create the self-signed root CA certificate, Virtual Private Networking

Contents

Revision June 7 Contents 104 Firewall177 159169 170Introduction CyberGuard SG Gateway AppliancesIntroduction CyberGuard SG PCI Appliances Secure by default Bridged modeDocument Conventions Text like this highlights important issuesYour CyberGuard SG Gateway Appliance Front panel LEDsSG300 model includes two blue straight through UTP cables Rear panel Virtual Private Networking is enabledDMZ link features SG570, SG575 only CyberGuard SG Gateway Appliance FeaturesInternet link features LAN link featuresLEDs Your CyberGuard SG PCI ApplianceCyberGuard SG PCI Appliance Features Network link featuresEnvironmental features Getting Started 255.255.255.0 192.168.0.1Page Right click on Local Area Connection and select Properties 192.168.0.100 Set up the Password and LAN Connection SettingsRoot Getting Started Getting Started DSL modem Set up Internet Connection SettingsCable modem Analog modemSet up the PCs on your LAN to Access the Internet LAN with no Dhcp server LAN with a Dhcp serverTo manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Set up your PC to Connect to the Web Management Console Install the Network Driver on your PCSelect Use the following DNS server addresses and enter Select Internet Protocol TCP/IP and click PropertiesSet up the Password and Network Connection Settings Network Setup Connections page will display Ensure Dhcp assigned is unchecked Click Apply and RebootGetting Started Click Apply and Reboot Getting Started Page Network Connections ConnectionsNetwork Connections Bridging LANInternet Internet Connection Methods Physically connect modem deviceCable Direct Internet Bridged Internet COM/Modem Failover Direct/Cable/ADSL InternetDialout Internet ISP. The Password and Confirm Password fields must Field DescriptionOptional Dialin access Direct DMZBridged DMZ DMZ as a second Internet connection Services on the DMZ NetworkDirect LAN Bridged LANDMZ as a backup/failover Internet connection Load BalancingInternet Failover Set up a secondary backup Internet connection Enable the primary connection for failoverNetwork Connections Routes Additional routesRoute management Advanced HostnameDNS Proxy Network Address Translation NAT/masquerading Dynamic DNS Interface aliases Change MAC address QoS Traffic ShapingDialin Setup Dialin SetupDialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Windows 95/98/Me Remote User ConfigurationDialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Configuration Dhcp ServerDhcp Server Dhcp Server Subnet Enable/DisableSubnet List InterfaceDhcp Server Dhcp Proxy Incoming Access FirewallFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http Add Local and Private Certificates SSL Certificate SetupAction Packet FilteringIncoming Interface Outgoing InterfaceAddresses Service groups Rules Enable Destination NAT/port forwardingDescriptive Name Destination Address Destination ServicesSource NAT Source AddressTo-1 NAT Rules User authentication Access Control and Content FilteringPage Click Advanced Browser setupIP lists Web lists Content Categories ReportsZoneAlarm Intrusion Detection Intrusion DetectionBenefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web Cache Web cache is only available on SG575 modelsWeb Cache Cache size Web Cache SetupNetwork Shares Create a new user account100 Web Cache 101 Web Cache Create the network share102 Web Cache Set the CyberGuard SG appliance to use the network shareSet up LAN PCs to Use the Web Cache Peers103 Web Cache 104 Virtual Private Networking Virtual Private NetworkingPptp Client Setup 106 Virtual Private Networking 107 Virtual Private Networking Pptp Server Setup108 Virtual Private Networking Enable and configure the Pptp VPN serverData private as well as providing secure authentication Encryption is strongly recommended. This keeps your109 Virtual Private Networking Configuring user accounts for VPN server 111 Virtual Private Networking 112 Virtual Private Networking Configuring the remote VPN clientWindows 95, Windows 98 and Windows Me 114 Virtual Private Networking Windows115 Virtual Private Networking 116 Virtual Private Networking Windows XP117 Virtual Private Networking Connecting the remote VPN clientEnabling IPSec IPSec SetupSet up the Branch Office CyberGuard SG appliance to CyberGuard SG appliance119 Virtual Private Networking Configure a tunnel to connect to the headquarters office Tunnel settings120 Virtual Private Networking 121 Virtual Private Networking 122 Virtual Private Networking 123 Virtual Private Networking Local endpoint settings124 Virtual Private Networking 125 Virtual Private Networking Other options126 Virtual Private Networking 127 Virtual Private Networking 128 Virtual Private Networking TcgidPhase 1 settings Kept confidential129 Virtual Private Networking 130 Virtual Private Networking 131 Virtual Private Networking Phase 2 settings132 Virtual Private Networking Configuring the Headquarters133 Virtual Private Networking Remote endpoint settings Leave the Enable IP Payload Compression checkbox unchecked134 Virtual Private Networking 135 Virtual Private Networking 136 Virtual Private Networking Tunnel ListConnection Remote party137 Virtual Private Networking Status138 Virtual Private Networking 139 Virtual Private Networking NAT Traversal Support Dynamic DNS Support140 Virtual Private Networking Certificate Management Extracting certificates141 Virtual Private Networking 142 Virtual Private Networking Creating certificates143 Virtual Private Networking Create the self-signed root CA certificate144 Virtual Private Networking Adding certificates145 Virtual Private Networking Adding a CA or CRL certificate146 Virtual Private Networking Adding a local certificate147 Virtual Private Networking Troubleshooting148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking CyberGuard SG appliance in Slough Internet address Setting up a GRE tunnelCyberGuard SG appliance in Brisbane Internet address LAN addressRemote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking 155 Virtual Private Networking Local Internal Address Place on Ethernet Bridge156 Virtual Private Networking Troubleshooting157 Virtual Private Networking L2TP VPN client158 Virtual Private Networking L2TP serverNTP time server SystemDate and Time Set date and time160 System Locality161 System UsersUser settings AdministrationDiagnostic Encrypted save/restore allDiagnostics DiagnosticsInternet access via access controls Password164 System Network testsConfiguration files System log165 System Flash upgrade Reset button RebootTechnical Support Appendix a IP Address Ranges B.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e169 Appendix a IP Address Ranges Appendix B Terminology Term Meaning170 Appendix B Terminology 171 Appendix B Terminology DNS172 Appendix B Terminology IDB173 Appendix B Terminology Isakmp174 Appendix B Terminology NTP175 Appendix B Terminology SHA176 Appendix C System Log Access LoggingPpp Default DenyEth0 Eth1179 Appendix C System Log Creating Custom Log Rules180 Appendix C System Log 181 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp182 Appendix C System Log Rate LimitingAdministrative Access Logging Boot Log Messages183 Appendix C System Log 184 Appendix D Firmware Upgrade Practices and Precaut ions Appendix D Firmware Upgrade Practices and Precautions