Black Box ET0010A User Manual
Network Addressing for IP Networks
EncrypTight User Guide
35
Another factor to consider if you plan to use certificates is the size of your EncrypTight deployment.
Generating requests and installing certificates for a large number of appliances can take a considerable
amount of time. Therefore, you need to plan for sufficient time to accomplish the necessary tasks.
Generating requests and installing certificates for a large number of appliances can take a considerable
amount of time. Therefore, you need to plan for sufficient time to accomplish the necessary tasks.
In addition to strict authentication, EncrypTight supports the use of smart cards such as the DoD
Common Access Card (CAC) to limit access to authorized personnel and to enhance auditing. When a
smart card is used, EncrypTight uses certificates from the card in addition to the certificates you install.
For more information about using smart cards with EncrypTight, see
Common Access Card (CAC) to limit access to authorized personnel and to enhance auditing. When a
smart card is used, EncrypTight uses certificates from the card in addition to the certificates you install.
For more information about using smart cards with EncrypTight, see
.
To learn more about working with certificates and strict authentication, see
.
Network Addressing for IP Networks
With Layer 3 networks, EncrypTight can use one of three network addressing methods to specify the
source IP address used in the encapsulated packet’s header:
source IP address used in the encapsulated packet’s header:
With most distributed key policies, you will preserve the network addressing of the protected networks,
which is referred to as transparent mode. When you preserve the network addressing of the protected
network, the encapsulated packets are routed to their proper destination without changing the routing
tables within the WAN.
which is referred to as transparent mode. When you preserve the network addressing of the protected
network, the encapsulated packets are routed to their proper destination without changing the routing
tables within the WAN.
However, in certain situations you might want to conceal the original source IP address and replace it
with either the IP address of the PEP’s remote port or a virtual IP address, which is referred to as non-
transparent mode. For example, since private IP addresses cannot be routed over the internet, any traffic
between private networks transmitted over the internet must use public IP addresses.
with either the IP address of the PEP’s remote port or a virtual IP address, which is referred to as non-
transparent mode. For example, since private IP addresses cannot be routed over the internet, any traffic
between private networks transmitted over the internet must use public IP addresses.
●
If you need to route traffic through a specific PEP, use the PEP’s remote port IP address.
●
For load balanced traffic, use a virtual IP address.
In the example shown in
, traffic is being sent between a corporate data center and remote
locations over a Layer 3 public internet. The traffic is encrypted using a policy defined in ETPM. The
PEPs are configured to operate in non-transparent mode in order to hide the source IP address of the
packets. The traffic to and from the data center is load balanced and therefore a virtual IP address is used
on both data center PEPs (labeled #2 in
PEPs are configured to operate in non-transparent mode in order to hide the source IP address of the
packets. The traffic to and from the data center is load balanced and therefore a virtual IP address is used
on both data center PEPs (labeled #2 in
). The remote sites use a remote port IP address to force
traffic through a specific PEP. The specified IP addresses appear in the encryption header rather than the
original source IP address.
original source IP address.
Table 3
Network Addressing Options
Addressing Method
Description
Preserve network addressing of
the protected network
Uses the original source IP address in the packet header. This is
the default network addressing method.
Use the PEP’s remote port
address
Replaces the original source IP address in the packet header with
the PEP’s remote port IP address.
Use a virtual IP address
Replaces the original source IP address in the packet header with a
virtual IP address specified in the network set.