User Manual: EncrypTight

Table of Contents

Table of Contents
Preface

Part I  EncrypTight Installation and Maintenance

  1  EncrypTight Overview
     Distributed Key Topologies
     EncrypTight Elements
     EncrypTight Element Management System
     Policy Manager
     Key Management System
     Policy Enforcement Point
     Point-to-Point Negotiated Topology
     Security within EncrypTight
     Secure Communications Between Devices
     Secure Key Storage within the ETKMS

  2  EncrypTight Deployment Planning
     EncrypTight Component Connections
     Management Station Connections
     ETPM to ETKMS Connections
     ETPM and ETKMS on the Same Subnetwork
     ETPM and ETKMS on Different Subnetworks
     External ETKMS to ETKMS Connections
     Connections for Backup ETKMSs
     Connecting Multiple ETKMSs in an IP Network
     ETKMS to ETKMS Connections in Ethernet Networks
     ETKMS to PEP Connections
     ETKMS to PEP Connections in IP Networks
     ETKMS to PEP Connections in Ethernet Networks
     Network Clock Synchronization
     IPv6 Address Support
     Certificate Support
     Network Addressing for IP Networks

  3  Installation and Configuration
     Before You Start
     Hardware Requirements
     Software Requirements
     Firewall Ports
     EncrypTight Software Installation
     Installing EncrypTight Software for the First Time
     Upgrading to a New Version of EncrypTight
     Uninstalling EncrypTight Software
     Starting EncrypTight
     Exiting EncrypTight
     Management Station Configuration
     Securing the Management Interface
     Enabling the Microsoft FTP Server
     Configuring the Syslog Server
     Installing ETKMSs
     Configuring ETKMSs
     Basic Configuration for Local ETKMSs
     About Local ETKMSs
     Adding a Local ETKMS
     Launching and Stopping a Local ETKMS
     Starting the Local ETKMS Automatically
     Configuring External ETKMSs
     Logging Into the ETKMS
     Changing the Admin Password
     Changing the Root Password
     Configure the Network Connection
     Configure Time and Date Properties
     Check the Status of the Hardware Security Module
     Starting and Stopping the ETKMS Service
     Checking the Status of the ETKMS
     Secure the Server with the Front Bezel
     Configuring Syslog Reporting on the ETKMSs
     Policy Enforcement Point Configuration
     Default User Accounts and Passwords
     Managing Licenses
     Installing Licenses
     Upgrading Licenses
     Upgrading the EncrypTight License
     Upgrading ETEP Licenses
     Next Steps

  4  Managing EncrypTight Users
     Working with EncrypTight User Accounts
     Configuring EncrypTight User Authentication
     Managing EncrypTight Accounts
     Changing an EncrypTight User Password
     How EncrypTight Users Work with ETEP Users

  5  Maintenance Tasks
     Working with the EncrypTight Workspace
     About the EncrypTight Workspace
     Saving a Workspace to a New Location
     Loading an Existing Workspace
     Moving a Workspace to a New PC
     Deleting a Workspace
     Installing Software Updates
     Step 1: Schedule the Upgrade
     Step 2: Prepare ETPM Status and Renew Keys
     Step 3: Upgrade the EncrypTight Software
     Step 4: Verify ETKMS Status and Deploy Policies
     Step 5: Upgrade PEP Software
     Step 6: Change the PEP Software Version and Check Status
     Step 7: Return Status Refresh and Key Renewal to Original Settings
     Upgrading External ETKMSs

Part II  Working with Appliances using ETEMS

  6  Getting Started with ETEMS
     ETEMS Quick Tour
     Defining Appliance Configurations
     Pushing Configurations to Appliances
     Upgrading Appliance Software
     Comparing Configurations
     Maintenance and Troubleshooting
     Policy and Certificate Support
     Understanding the ETEMS Workbench
     Toolbars
     Status Indicators
     Understanding Roles
     EncrypTight User Types
     ETEP Appliance Roles
     Modifying Communication Preferences

  7  Provisioning Appliances
     Provisioning Basics
     Adding a New Appliance
     Saving an Appliance Configuration
     Pushing Configurations to Appliances
     Viewing Appliance Status
     Comparing Configurations
     Filtering Appliances Based on Address
     Rebooting Appliances
     Appliance User Management
     ETEP User Roles
     Configuring the Password Enforcement Policy
     User Name Conventions
     Default Password Policy Conventions
     Strong Password Policy Conventions
     Cautions for Strong Password Enforcement
     Managing Appliance Users
     Adding ETEP Users
     Modifying ETEP User Credentials
     Deleting ETEP Users
     Viewing ETEP Users
     Working with Default Configurations
     Customizing the Default Configuration
     Restoring the ETEMS Default Configurations
     Provisioning Large Numbers of Appliances
     Creating a Configuration Template
     Importing Configurations from a CSV File
     Importing Remote and Local Interface Addresses
     Changing Configuration Import Preferences
     Checking the Time on New Appliances
     Shutting Down Appliances

  8  Managing Appliances
     Editing Configurations
     Changing the Management IP Address
     Changing the Address on the Appliance
     Changing the Address in ETEMS
     Changing the Date and Time
     Changing Settings on a Single Appliance
     Changing Settings on Multiple Appliances
     Deleting Appliances
     Connecting Directly to an Appliance
     Connecting to the Command Line Interface
     Upgrading Appliance Software
     Canceling an Upgrade
     What to do if an Upgrade is Interrupted
     Checking Upgrade Status
     Restoring the Backup File System

Part III  Using ETPM to Create Distributed Key Policies

  9  Getting Started with ETPM
     Opening ETPM
     About the ETPM User Interface
     EncrypTight Components View
     Editors
     Policy View
     ETPM Status Indicators
     Sorting and Using Drag and Drop
     ETPM Toolbar
     ETPM Status Refresh Interval
     About ETPM Policies
     IP Policies
     Ethernet Policies
     Policy Generation and Distribution
     Creating a Policy: An Overview

  10 Managing Policy Enforcement Points
     Provisioning PEPs
     Adding a New Appliance
     Adding a New PEP in ETEMS
     Adding a New PEP Using ETPM
     Adding Large Numbers of PEPs
     Pushing the Configuration
     Editing PEPs
     Editing PEPs From ETEMS
     Editing Multiple PEPs
     Editing PEPs From ETPM
     Changing the IP Address of a PEP
     Changing the PEP from Layer 3 to Layer 2 Encryption
     Deleting PEPs

  11 Managing Key Management Systems
     Adding ETKMSs
     Editing ETKMSs
     Deleting ETKMSs

  12 Managing IP Networks
     Adding Networks
     Advanced Uses for Networks in Policies
     Grouping Networks into Supernets
     Using Non-contiguous Network Masks
     Editing Networks
     Deleting Networks

  13 Managing Network Sets
     Types of Network Sets
     Adding a Network Set
     Importing Networks and Network Sets
     Editing a Network Set
     Deleting a Network Set

  14 Creating VLAN ID Ranges for Layer 2 Networks
     Adding a VLAN ID Range
     Editing a VLAN ID Range
     Deleting a VLAN ID Range

  15 Creating Distributed Key Policies
     Policy Concepts
     Policy Priority
     Schedule for Renewing Keys and Refreshing Policy Lifetime
     Policy Types and Encryption Methods
     Encapsulation
     Encryption and Authentication Algorithms
     Key Generation and ETKMSs
     Addressing Mode
     Using Encrypt All Policies with Exceptions
     Policy Size and ETEP Operational Limits
     Minimizing Policy Size
     Adding Layer 2 Ethernet Policies
     Adding Layer 3 IP Policies
     Adding a Hub and Spoke Policy
     Adding a Mesh Policy
     Adding a Multicast Policy
     Adding a Point-to-point Policy
     Adding Layer 4 Policies
     Policy Deployment
     Verifying Policy Rules Before Deployment
     Deploying Policies
     Setting Deployment Confirmation Preferences
     Editing a Policy
     Deleting Policies

  16 Policy Design Examples
     Basic Layer 2 Point-to-Point Policy Example
     Layer 2 Ethernet Policy Using VLAN IDs
     Complex Layer 3 Policy Example
     Encrypt Traffic Between Regional Centers
     Encrypt Traffic Between Regional Centers and Branches
     Passing Routing Protocols

Part IV  Troubleshooting

  17 ETEMS Troubleshooting
     Possible Problems and Solutions
     Appliance Unreachable
     Appliance Configuration
     Pushing Configurations
     Status Indicators
     Software Upgrades
     Pinging the Management Port
     Retrieving Appliance Log Files
     Viewing Diagnostic Data
     Viewing Statistics
     Viewing Port and Discard Status
     Exporting SAD and SPD Files
     CLI Diagnostic Commands
     Working with the Application Log
     Viewing the Application Log from within EncrypTight
     Sending Application Log Events to a Syslog Server
     Exporting the Application Log
     Setting Log Filters
     Other Application Log Actions

  18 ETPM and ETKMS Troubleshooting
     Learning About Problems
     Monitoring Status
     Symptoms and Solutions
     Policy Errors
     Status Errors
     Renew Key Errors
     Viewing Log Files
     ETPM Log Files
     ETKMS Log Files
     PEP Log Files
     ETKMS Troubleshooting Tools
     ETKMS Server Operation
     Optimizing Time Synchronization
     Shutting Down or Restarting an External ETKMS
     Resetting the Admin Password
     PEP Troubleshooting Tools
     Statistics
     Changing the Date and Time
     ETEP PEP Policy and Key Information
     Replacing Licensed ETEPs
     Troubleshooting Policies
     Checking Traffic and Encryption Statistics
     Solving Policy Problems
     Viewing Policies on a PEP
     Placing PEPs in Bypass Mode
     Allowing Local Site Exceptions to Distributed Key Policies
     Expired Policies
     Cannot Add a Network Set to a Policy
     Packet Fragments are Discarded in Point-to-Point Port-based Policies
     Solving Network Connectivity Problems
     Modifying EncrypTight Timing Parameters
     Certificate Implementation Errors
     Cannot Communicate with PEP
     ETKMS Boot Error
     Invalid Certificate Error
     Invalid Parameter in Function Call

Part V  Reference

  19 Modifying the ETKMS Properties File
     About the ETKMS Properties File
     Hardware Security Module Configuration
     Digital Certificate Configuration
     Logging Setup
     Base Directory for Storing Operational State Data
     Peer ETKMS and ETPM Communications Timing
     Policy Refresh Timing
     PEP Communications Timing

  20 Using Enhanced Security Features
     About Enhanced Security Features
     About Strict Authentication
     Prerequisites
     Order of Operations
     Certificate Information
     Using Certificates in an EncrypTight System
     Changing the Keystore Password
     Changing the EncrypTight Keystore Password
     Changing the ETKMS Keystore Password
     Changing the Keystore Password on an ETKMS
     Changing the Keystore Password on an ETKMS with an HSM
     Configuring the Certificate Policies Extension
     Working with Certificates for EncrypTight and the ETKMSs
     Generating a Key Pair
     Requesting a Certificate
     Importing a CA Certificate
     Importing a CA Certificate Reply
     Exporting a Certificate
     Working with Certificates and an HSM
     Configuring the HSM for Keytool
     Importing CA Certificates into the HSM
     Generating a Key Pair for use with the HSM
     Generating a Certificate Signing Request for the HSM
     Importing Signed Certificates into the HSM
     Working with Certificates for the ETEPs
     Understanding the Certificate Manager Perspective
     Certificate Manager Workflow
     Working with External Certificates
     Obtaining External Certificates
     Installing an External Certificate
     Working with Certificate Requests
     Requesting a Certificate
     Installing a Signed Certificate
     Viewing a Pending Certificate Request
     Canceling a Pending Certificate Request
     Setting Certificate Request Preferences
     Managing Installed Certificates
     Viewing a Certificate
     Exporting a Certificate
     Deleting a Certificate
     Validating Certificates
     Validating Certificates Using CRLs
     Configuring CRL Usage in EncrypTight and the ETKMSs
     Configuring CRL Usage on ETEPs
     Handling Revocation Check Failures
     Validating Certificates Using OCSP
     Enabling and Disabling Strict Authentication
     Removing Certificates
     Using a Common Access Card
     Configuring User Accounts for Use With Common Access Cards
     Enabling Common Access Card Authentication
     Handling Common Name Lookup Failures

  21 ETEP Configuration
     Identifying an Appliance
     Product Family and Software Version
     Appliance Name
     Throughput Speed
     Interface Configuration
     Management Port Addressing
     IPv4 Addressing
     IPv6 Addressing
     Auto-negotiation - All Ports
     Remote and Local Port Settings
     Transparent Mode
     Local and Remote Port IP Addresses
     Transmitter Enable
     DHCP Relay IP Address
     Ignore DF Bit
     Reassembly Mode
     Trusted Hosts
     SNMP Configuration
     System Information
     Community Strings
     Traps
     SNMPv2 Trap Hosts
     SNMPv3
     Generating the Engine ID
     Retrieving and Exporting Engine IDs
     Configuring the SNMPv3 Trap Host Users
     Logging Configuration
     Log Event Settings
     Defining Syslog Servers
     Log File Management
     Advanced Configuration
     Path Maximum Transmission Unit
     Non IP Traffic Handling
     CLI Inactivity Timer
     Password Strength Policy
     XML-RPC Certificate Authentication
     SSH Access to the ETEP
     SNTP Client Settings
     IKE VLAN Tags
     OCSP Settings
     Certificate Policy Extensions
     Features Configuration
     FIPS Mode
     Enabling FIPS Mode
     Disabling FIPS
     Verifying FIPS Status on the ETEP
     EncrypTight Settings
     Encryption Policy Settings
     Working with Policies
     Using EncrypTight Distributed Key Policies
     Creating Layer 2 Point-to-Point Policies
     Selecting a Role
     Using Preshared Keys for IKE Authentication
     Using Group IDs
     Selecting the Traffic Handling Mode
     How the ETEP Encrypts and Authenticates Traffic
     Factory Defaults
     Interfaces
     Trusted Hosts
     SNMP
     Logging
     Policy
     Advanced
     Features
     Hard-coded Settings

Index

Size: 7.52 MB
Pages: 352
Language: English
Bit309Reassembly Mode309Trusted Hosts310SNMP Configuration312System Information312Community Strings313Traps314SNMPv2 Trap Hosts315SNMPv3315Generating the Engine ID317Retrieving and Exporting Engine IDs317Configuring the SNMPv3 Trap Host Users318Logging Configuration320Log Event Settings321Defining Syslog Servers322Log File Management323Advanced Configuration324Path Maximum Transmission Unit325Non IP Traffic Handling326CLI Inactivity Timer326Password Strength Policy326XML-RPC Certificate Authentication327SSH Access to the ETEP328SNTP Client Settings328IKE VLAN Tags328OCSP Settings329Certificate Policy Extensions329Features Configuration329FIPS Mode330Enabling FIPS Mode330Disabling FIPS331Verifying FIPS Status on the ETEP331EncrypTight Settings332Encryption Policy Settings333Working with Policies333Using EncrypTight Distributed Key Policies334Creating Layer 2 Point-to-Point Policies334Selecting a Role336Using Preshared Keys for IKE Authentication336Using Group IDs336Selecting the Traffic Handling Mode337How the ETEP Encrypts and Authenticates Traffic337Factory Defaults338Interfaces338Trusted Hosts339SNMP339Logging340Policy340Advanced340Features341Hard-coded Settings341Index342Numerics342A342B342C342D344E344F345G346H346I346K346L346M347N347O348P348R349S349T350U351V351W351X351Größe: 7,52 MBSeiten: 352Language: EnglishHandbuch öffnen