Black Box ET1000A Manual de usuario

BL A C K B OX®EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules a

Table of ContentsEncrypTight User Guide 11Interface Configuration...

Provisioning BasicsEncrypTight User Guide 101Figure 28 Compare the ETEMS and appliance configurationsTo compare and update configurations:1 In the App

Provisioning Appliances102 EncrypTight User Guide.3 To restore all appliances in the Appliances view, enter a single asterisk in the Filter Appliances

Appliance User ManagementEncrypTight User Guide 103appliance that is available to that role. The ETEP can track appliance events based on user name, s

Provisioning Appliances104 EncrypTight User GuideUser Name ConventionsFollow the guidelines below when creating user names. These conventions apply re

Appliance User ManagementEncrypTight User Guide 105● Do not use dictionary words. ETEMS does prevent the use of dictionary words, but a password conta

Provisioning Appliances106 EncrypTight User GuideManaging Appliance UsersYou can add, modify, and delete appliance users directly from ETEMS. You can

Appliance User ManagementEncrypTight User Guide 1077 On appliances that are enforcing strong passwords, configure the password expiration settings as

Provisioning Appliances108 EncrypTight User GuideRelated topics: ● “ETEP User Roles” on page 102● “User Name Conventions” on page 104● “Default Passwo

Appliance User ManagementEncrypTight User Guide 109To delete a user from the ETEP:1 In the Appliance Manager, select the target appliances in the Appl

Provisioning Appliances110 EncrypTight User GuideWorking with Default ConfigurationsEach appliance requires a unique name and management port IP addre

12 EncrypTight User GuideTable of ContentsFactory Defaults ...

Provisioning Large Numbers of AppliancesEncrypTight User Guide 1114Click OK.NOTEETEMS will not save a default configuration that contains an error or

Provisioning Appliances112 EncrypTight User GuideRelated topics:● “Creating a Configuration Template” on page 112● “Importing Configurations from a CS

Provisioning Large Numbers of AppliancesEncrypTight User Guide 113specifies the document type, which ETEMS needs to successfully import the file. The

Provisioning Appliances114 EncrypTight User GuideFigure 34 Put configurations and reboot appliances Related topics:● “Importing Remote and Local Inter

Provisioning Large Numbers of AppliancesEncrypTight User Guide 115Figure 35 CSV import examples with remote and local interface attributes When import

Provisioning Appliances116 EncrypTight User GuideFigure 36 Set the preference for importing configurationsChecking the Time on New AppliancesAfter imp

EncrypTight User Guide 1178 Managing AppliancesThis section includes the following topics:● Editing Configurations● Deleting Appliances● Connecting Di

Managing Appliances118 EncrypTight User GuideChanging the Management IP AddressETEMS uses the appliance’s 10/100 Ethernet management port to communica

Editing ConfigurationsEncrypTight User Guide 119Figure 37 Change Management IP window Related topics:● “Changing the Address in ETEMS” on page 119● “M

Managing Appliances120 EncrypTight User GuideFigure 38 Operation failed message in response to management IP change Changing the Date and TimeETEMS ca

EncrypTight User Guide 13PrefaceAbout This DocumentPurposeThe EncrypTight User Guide provides detailed information on how to install, configure, and t

Editing ConfigurationsEncrypTight User Guide 121NOTEThe SNTP client must be disabled on an appliance in order to change its date or time manually. If

Managing Appliances122 EncrypTight User Guide● SNTP client● Software version● Syslog serversOther settings that can be edited on multiple appliances a

Connecting Directly to an ApplianceEncrypTight User Guide 123To delete appliances:1 In the Appliance Manager, select the appliances to delete in the A

Managing Appliances124 EncrypTight User GuideThe amount of time it takes to complete a software upgrade depends on the appliance model and speed of th

Upgrading Appliance SoftwareEncrypTight User Guide 125Figure 41 Upgrade software on multiple appliances from a central locationCAUTIONAppliances must

Managing Appliances126 EncrypTight User Guide6Click Upgrade. ETEMS confirms that the FTP site is reachable before it begins the upgrade operation. Upg

Restoring the Backup File SystemEncrypTight User Guide 127Canceling an UpgradeTo cancel a software upgrade that is underway for a series of appliances

Managing Appliances128 EncrypTight User GuideReview the following recommendations and cautions prior to restoring the file system:● Make sure that you

Part III Using ETPM to Create Distributed Key Policies

130 EncrypTight User Guide

Preface14 EncrypTight User GuideContacting Black Box Technical SupportContact our FREE technical support, 24 hours a day, 7 days a week: Phone 724-746

EncrypTight User Guide 1319 Getting Started with ETPMThe Policy Manager (ETPM) is the security policy management component of the EncrypTight. You use

Getting Started with ETPM132 EncrypTight User Guide● Editors are used to add and modify EncrypTight components and policies.● Policy view is used to v

About the ETPM User InterfaceEncrypTight User Guide 133EncrypTight Components ViewThe EncrypTight Components view lets you configure the network compo

Getting Started with ETPM134 EncrypTight User GuideEditors Editors allow you to add or change EncrypTight components and policies. When you first star

About the ETPM User InterfaceEncrypTight User Guide 135Policy ViewThe Policy view allows you to view, add, and edit policies. Figure 45 Policy viewThe

Getting Started with ETPM136 EncrypTight User GuideNOTEThe status indicators displayed in the ETPM Policy view change only after you click Deploy poli

About the ETPM User InterfaceEncrypTight User Guide 137ETPM Toolbar The ETPM toolbar provides shortcuts to frequently performed tasks. ETPM Status Ref

Getting Started with ETPM138 EncrypTight User GuideAbout ETPM PoliciesA policy specifies what traffic to protect and how to protect it. Each packet or

Policy Generation and DistributionEncrypTight User Guide 139● ETKMSs distribute the keys and policies to the PEPs● VLAN ID ranges enable filtering bas

Getting Started with ETPM140 EncrypTight User GuideFigure 48 Key generation with one ETKMS In this scenario, you could use either a local ETKMS or an

Part I EncrypTight Installation and Maintenance

Creating a Policy: An OverviewEncrypTight User Guide 141Figure 49 Key generation with multiple ETKMSs The ETKMS generating the key for a PEP’s outboun

Getting Started with ETPM142 EncrypTight User GuideFigure 50 Sample point-to-point IP policy Figure 50 illustrates an EncrypTight deployment with two

Creating a Policy: An OverviewEncrypTight User Guide 143To create a policy:1 In the ETEMS Appliance Manager, add PEP A and PEP B (File > New Applia

Getting Started with ETPM144 EncrypTight User Guide3 In the Appliance Manager, add and configure ETKMS 1 (File > New Appliance). In the sample illu

Creating a Policy: An OverviewEncrypTight User Guide 1457 Click the Network Sets tab and in the editor, add Network Set A and Network Set B.In the sam

Getting Started with ETPM146 EncrypTight User Guide9 Click the New Point-to-Point Policy editor and configure a point-to-point IPSec policy using the

EncrypTight User Guide 14710 Managing Policy Enforcement PointsPolicy Enforcement Points (PEPs) enforce the policies created in ETPM and distributed b

Managing Policy Enforcement Points148 EncrypTight User Guidenetwork sets in Layer 3 IP policies. L2 PEPs can be used in Layer 2 Ethernet policies. You

Provisioning PEPsEncrypTight User Guide 149NOTE● For more information about PEP configuration options, see the chapter for the PEP model that you are

Managing Policy Enforcement Points150 EncrypTight User GuideAdding a New PEP Using ETPMNormally, you should add PEPs using the ETEMS Appliance Manager

16 EncrypTight User Guide

Editing PEPsEncrypTight User Guide 151Pushing the ConfigurationAfter you define the PEP configurations, push the configurations from ETEMS to the targ

Managing Policy Enforcement Points152 EncrypTight User GuideIf you changed the PEP’s Appliance name in ETEMS, redeploy your policies. If you don’t red

Deleting PEPsEncrypTight User Guide 153Changing the IP Address of a PEPOccasionally, you might need to change the IP address on a PEP. For example, yo

Managing Policy Enforcement Points154 EncrypTight User GuideTo delete PEPs:1 In the Appliances view in ETEMS, select the PEPs to delete.2On the Edit m

EncrypTight User Guide 15511 Managing Key Management SystemsBased on the policies received from the ETPM, the Key Management Systems (ETKMSs) generate

Managing Key Management Systems156 EncrypTight User GuideIn order to ensure network resiliency, some EncrypTight configurations may have external ETKM

Editing ETKMSsEncrypTight User Guide 1574Click Save when complete. Editing ETKMSsIf you change the name or the IP address of a local ETKMS, stop the l

Managing Key Management Systems158 EncrypTight User GuideCAUTIONDo not delete any ETKMSs currently used by any network sets or policies. Before you de

EncrypTight User Guide 15912 Managing IP NetworksIn EncrypTight, networks are the IP networks that you want to protect. One or more of these networks

Managing IP Networks160 EncrypTight User GuideTo add a network:1 From the EncrypTight Components view, click the Networks tab.The Networks tab lists a

EncrypTight User Guide 171 EncrypTight OverviewEncrypTight™ Policy and Key Manager is an innovative approach to network-wide encryption. EncrypTight a

Advanced Uses for Networks in PoliciesEncrypTight User Guide 161clear. ETPM accepts non-contiguous network masks, which allow you to create policies b

Managing IP Networks162 EncrypTight User GuideFigure 56 Two networks with contiguous addressing defined as a supernet If you group the two networks in

Advanced Uses for Networks in PoliciesEncrypTight User Guide 163Figure 57 Networks with non-contiguous network masks are used in a bypass policy that

Managing IP Networks164 EncrypTight User GuideEditing NetworksTo edit an existing network:1 In the EncrypTight Components view, click the Networks tab

Deleting NetworksEncrypTight User Guide 165To delete a network:1 In the EncrypTight Components view, click the Networks tab.2 Right-click the desired

Managing IP Networks166 EncrypTight User Guide

EncrypTight User Guide 16713 Managing Network SetsA network set is a collection of IP networks, the associated PEPs, and a default ETKMS. A network se

Managing Network Sets168 EncrypTight User GuideTypes of Network SetsThe following examples illustrate the different types of network sets:● Subnet● Lo

Types of Network SetsEncrypTight User Guide 169Figure 61 Network set for a collection of networks Figure 61 illustrates a network set comprised of two

Managing Network Sets170 EncrypTight User GuideAdding a Network SetTo add a Network Set:1 In the EncrypTight Components view, click the Network Sets t

EncrypTight Overview18 EncrypTight User Guidemultiple Policy Enforcement Points (PEPs) can use common keys, while a centralized platform assumes the f

Adding a Network SetEncrypTight User Guide 171Key Management SystemSelect the desired Key Management System from the Default ETKMS list. You must sele

Managing Network Sets172 EncrypTight User GuideFigure 63 Network Set editorImporting Networks and Network SetsIf you need to work with a large number

Importing Networks and Network SetsEncrypTight User Guide 173line and is ignored by ETPM during the import operation. In the CSV file, commas are used

Managing Network Sets174 EncrypTight User GuideTo import networks and network sets into ETPM:1 Create a CSV file that identifies the networks and netw

Deleting a Network SetEncrypTight User Guide 175CAUTIONPrior to deleting a network set, modify any policies using that network set to use another netw

Managing Network Sets176 EncrypTight User Guide

EncrypTight User Guide 17714 Creating VLAN ID Ranges for Layer 2 NetworksIf the network uses VLAN ID tags, you have the option of creating policies th

Creating VLAN ID Ranges for Layer 2 Networks178 EncrypTight User Guide2 Right-click anywhere in the VLAN Ranges view and then click Add new Element.3

Editing a VLAN ID RangeEncrypTight User Guide 179Editing a VLAN ID RangeTo edit a VLAN ID range:1 In the EncrypTight Components view, click the VLAN R

Creating VLAN ID Ranges for Layer 2 Networks180 EncrypTight User Guide3Click OK.

Distributed Key TopologiesEncrypTight User Guide 19Regardless of topology, PEPs are typically located at the point in the network where traffic is bei

EncrypTight User Guide 18115 Creating Distributed Key PoliciesFrom the Policy view, you can add, modify, and delete policies for Layer 3/Layer 4 IP ne

Creating Distributed Key Policies182 EncrypTight User Guide● “Key Generation and ETKMSs” on page 185● “Addressing Mode” on page 185● “Using Encrypt Al

Policy ConceptsEncrypTight User Guide 183TIPNetwork connectivity problems can prevent new keys from being distributed to the PEPs before the old keys

Creating Distributed Key Policies184 EncrypTight User GuideFigure 69 Data payload encryption Encryption and Authentication AlgorithmsFor Layer 3 IP po

Policy ConceptsEncrypTight User Guide 185Key Generation and ETKMSsWith multicast IP policies and Layer 2 Ethernet policies, you choose a single ETKMS

Creating Distributed Key Policies186 EncrypTight User Guide1 Create a policy to encrypt all data to and from all networks. Assign this policy a relati

Policy ConceptsEncrypTight User Guide 187Minimizing Policy Size Using EncrypTight with large, complex networks with multiple subnets protected by sepa

Creating Distributed Key Policies188 EncrypTight User GuideAdding Layer 2 Ethernet PoliciesFor Layer 2 Ethernet networks, policies can be created for

Adding Layer 2 Ethernet PoliciesEncrypTight User Guide 1894Click Save when complete. Table 47 Layer 2 Mesh policy entries Field DescriptionName Enter

Creating Distributed Key Policies190 EncrypTight User GuideFigure 71 Layer 2 Mesh policy editorNOTEIf you need to encrypt or pass in the clear specifi

EncrypTight Overview20 EncrypTight User GuideEncrypTight Element Management SystemThe EncrypTight Element Management System (ETEMS) is the device mana

Adding Layer 3 IP PoliciesEncrypTight User Guide 191Adding Layer 3 IP PoliciesAn IP policy can be created for hub and spoke, mesh, multicast, and poin

Creating Distributed Key Policies192 EncrypTight User GuideTo add a new hub and spoke policy:1 In the Policy view, right-click anywhere in the view an

Adding Layer 3 IP PoliciesEncrypTight User Guide 193IPSec Specifies the encryption and authentication algorithms used in an IPSec policy.Select the en

Creating Distributed Key Policies194 EncrypTight User GuideFigure 73 Hub and spoke policy editor

Adding Layer 3 IP PoliciesEncrypTight User Guide 195Adding a Mesh PolicyIn a mesh network, any network or network set can send or receive data from an

Creating Distributed Key Policies196 EncrypTight User GuideTable 49 Mesh policy entries Field DescriptionName Enter a unique name to identify the pol

Adding Layer 3 IP PoliciesEncrypTight User Guide 197Addressing Mode OverrideOverrides the Network addressing setting for the network sets. • Preserve

Creating Distributed Key Policies198 EncrypTight User GuideFigure 75 Mesh policy editor

Adding Layer 3 IP PoliciesEncrypTight User Guide 199Adding a Multicast PolicyIn a multicast network, one or more networks send unidirectional streams

Creating Distributed Key Policies200 EncrypTight User GuideTo add a multicast policy:1 In the Policy view, right-click anywhere in the view and click

EncrypTight User Guide 3Table of ContentsPreface...

Distributed Key TopologiesEncrypTight User Guide 21Figure 3 Single ETKMS for multiple sites Figure 4 illustrates an EncrypTight deployment using multi

Adding Layer 3 IP PoliciesEncrypTight User Guide 201IPSec Specifies the encryption and authentication algorithms used in an IPSec policy.Select the en

Creating Distributed Key Policies202 EncrypTight User GuideFigure 77 Multicast policy editor

Adding Layer 3 IP PoliciesEncrypTight User Guide 203Adding a Point-to-point PolicyIn a point-to-point network, one network or network set sends and re

Creating Distributed Key Policies204 EncrypTight User Guide4Click Save when complete. Table 51 Point-to-point policy entries Field DescriptionName En

Adding Layer 3 IP PoliciesEncrypTight User Guide 205Addressing Mode OverrideOverrides the Network addressing setting for the network sets. • Preserve

Creating Distributed Key Policies206 EncrypTight User GuideFigure 79 Point-to-point policy editorAdding Layer 4 PoliciesLayer 4 policies encrypt only

Policy DeploymentEncrypTight User Guide 207You create Layer 4 policies using ETEPs that are configured to operate as Layer 3 PEPs. Create the networks

Creating Distributed Key Policies208 EncrypTight User GuideTo verify policies:1Click Tools > Verify policies. ETPM displays a confirmation message

Editing a PolicyEncrypTight User Guide 209Figure 81 ETPM Preferences3 Select or clear the Ask for confirmation before deploying a metapolicy checkbox.

Creating Distributed Key Policies210 EncrypTight User GuideTo delete an existing policy:1 From the Policy view, right-click the desired policy name an

EncrypTight Overview22 EncrypTight User GuideTo securely transfer data between two PEPs over an untrusted network, both PEPs must share a key. One PEP

EncrypTight User Guide 21116 Policy Design ExamplesThis section provides two examples of creating policies with EncrypTight:● Basic Layer 2 Point-to-P

Policy Design Examples212 EncrypTight User GuideIn ETEMS, configure the interfaces for both PEPs, then click the Features tab and do the following:1 S

Layer 2 Ethernet Policy Using VLAN IDsEncrypTight User Guide 213Figure 83 Using VLAN IDs Policy DetailsPolicy 1: Headquarters and BranchesName: HQ/Bra

Policy Design Examples214 EncrypTight User GuideTo create the policies:1 In ETEMS, add and configure the ETEPs to operate as Layer 2 PEPs.2 Add the ET

Complex Layer 3 Policy ExampleEncrypTight User Guide 215The network sets required for this policy are:Using the four network sets, create the mesh pol

Policy Design Examples216 EncrypTight User GuideThese hub and spoke policies require the four network sets created in “Encrypt Traffic Between Regiona

Complex Layer 3 Policy ExampleEncrypTight User Guide 217Using Network Sets B, B1, B2, and B3, create a hub and spoke policy for region B as shown in t

Policy Design Examples218 EncrypTight User GuidePassing Routing ProtocolsWith Layer 3 routed networks, you might need to pass routing protocols in the

Complex Layer 3 Policy ExampleEncrypTight User Guide 219This policy must be set to a higher priority than the mesh policy created in “Encrypt Traffic

Policy Design Examples220 EncrypTight User Guide

Security within EncrypTightEncrypTight User Guide 23Figure 6 Layer 2 Point-to-Point Deployment Use the Policy Manager (ETPM) and Key Management System

Part IV Troubleshooting

222 EncrypTight User Guide

EncrypTight User Guide 22317 ETEMS TroubleshootingThis section includes the following topics:● Possible Problems and Solutions● Pinging the Management

ETEMS Troubleshooting224 EncrypTight User GuideAppliance Unreachable Symptom Explanation and possible solutionsSymptoms of ETEMS’s inability to commun

Possible Problems and SolutionsEncrypTight User Guide 225Appliance ConfigurationThe ETEP cannot ping the management workstation. The request times out

ETEMS Troubleshooting226 EncrypTight User GuidePushing ConfigurationsStatus IndicatorsSymptom Explanation and possible solutionsNew configuration isn’

Pinging the Management PortEncrypTight User Guide 227Software UpgradesPinging the Management PortIf ETEMS is having trouble communicating with an appl

ETEMS Troubleshooting228 EncrypTight User GuideFigure 88 Tools preferencesTo change the default ping tool:1 In the Edit menu, click Preferences.2Click

Retrieving Appliance Log FilesEncrypTight User Guide 229To retrieve log files from an appliance:1 Verify that an FTP server is running on the ETEMS wo

ETEMS Troubleshooting230 EncrypTight User GuideViewing Diagnostic DataETEMS retrieves the following performance and diagnostic data from an appliance:

EncrypTight Overview24 EncrypTight User GuideSecure Communications Between DevicesEach node in the distributed key system, the EncrypTight management

Viewing Diagnostic DataEncrypTight User Guide 231Figure 89 Encryption statistics and packet counters displayed for two ETEPs To display statistics:1 I

ETEMS Troubleshooting232 EncrypTight User GuideViewing Port and Discard StatusThe Status view displays information about local and remote port status,

Viewing Diagnostic DataEncrypTight User Guide 233Figure 91 Export the SAD or SPD to a CSV file To export the SAD or SPD from the ETEP:1 In the Applian

ETEMS Troubleshooting234 EncrypTight User GuideWorking with the Application LogThe application log provides information about significant events and f

Working with the Application LogEncrypTight User Guide 235a On the application log tool bar, click .b In the application log menu, click Activate on

ETEMS Troubleshooting236 EncrypTight User GuideFigure 94 Application log filters NOTEIncreasing the visible event limit to a large number (more than 2

EncrypTight User Guide 23718 ETPM and ETKMS TroubleshootingThis section provides information to help you with ETPM and ETKMS problem resolution, inclu

ETPM and ETKMS Troubleshooting238 EncrypTight User GuideTable 65 ETPM status problems and solutions TIPAfter you deploy policies, if the indicators a

Learning About ProblemsEncrypTight User Guide 239NOTEAlways check the status of the PEPs in the Policy View after deploying policies, refreshing statu

ETPM and ETKMS Troubleshooting240 EncrypTight User GuideStatus ErrorsRenew Key ErrorsSymptom Explanation and possible solutionsETEMS cannot verify tha

EncrypTight User Guide 252 EncrypTight Deployment PlanningWhen deploying EncrypTight, you must plan the following:● EncrypTight Component Connections●

Learning About ProblemsEncrypTight User Guide 241Viewing Log FilesEach component in the EncrypTight system creates and maintains log files that you ca

ETPM and ETKMS Troubleshooting242 EncrypTight User GuidePEP Log FilesYou can retrieve and view log files from any PEP using ETEMS. When a PEP receives

PEP Troubleshooting ToolsEncrypTight User Guide 243Optimizing Time SynchronizationWith NTP, time synchronization does not always happen instantaneousl

ETPM and ETKMS Troubleshooting244 EncrypTight User GuideStatisticsFor ETEP PEPs, you can use the Statistics view in the ETEMS Appliance Manager to dis

Troubleshooting PoliciesEncrypTight User Guide 245deployed to the PEP, including the destination and source IP addresses, priority, and the policy typ

ETPM and ETKMS Troubleshooting246 EncrypTight User Guide3 In the MAC Statistics section (for ETEP PEPs), note the values in the Transmit and Receive p

Troubleshooting PoliciesEncrypTight User Guide 247Do one of the following:● In the Appliance Manager view, select the ETEP and choose Tools > Clear

ETPM and ETKMS Troubleshooting248 EncrypTight User GuideTo fix these issues, redeploy your policies from ETPM to make sure that your PEPs have current

Modifying EncrypTight Timing ParametersEncrypTight User Guide 249● For ETPM to ETKMS communications errors, check the ETEMS or ETPM application log fo

ETPM and ETKMS Troubleshooting250 EncrypTight User GuideTo add a new PEP in a system configured to use strict authentication:1 In the ETEMS preference

EncrypTight Deployment Planning26 EncrypTight User Guide● “Management Station Connections” on page 26The EncrypTight software includes ETEMS for appli

Certificate Implementation ErrorsEncrypTight User Guide 251To disable strict authentication on ETEPs:1 Connect to the serial port of the appliance and

ETPM and ETKMS Troubleshooting252 EncrypTight User Guide

Part V Reference

254 EncrypTight User Guide

EncrypTight User Guide 25519 Modifying the ETKMS Properties FileThis section provides information about settings in the ETKMS properties file that you

Modifying the ETKMS Properties File256 EncrypTight User GuideHardware Security Module ConfigurationThe following entries control whether the encryptio

Base Directory for Storing Operational State DataEncrypTight User Guide 257log4j.appender.R.layout=org.apache.log4j.PatternLayoutlog4j.appender.R.layo

Modifying the ETKMS Properties File258 EncrypTight User GuidePolicy Refresh TimingThe policy refresh timing controls the timing between the initiation

PEP Communications TimingEncrypTight User Guide 259Once the nth retry (defined by retryCount) is unsuccessful, the ETKMS waits a period of time define

Modifying the ETKMS Properties File260 EncrypTight User Guide

EncrypTight Component ConnectionsEncrypTight User Guide 27This section describes the planning for the following connections: ● “ETPM and ETKMS on the

EncrypTight User Guide 26120 Using Enhanced Security FeaturesThis section includes the following topics:● About Enhanced Security Features● About Stri

Using Enhanced Security Features262 EncrypTight User Guide● Strong password enforcementETEPs with software version 1.6 or later can be configured to u

About Strict AuthenticationEncrypTight User Guide 263Related topics:● “Prerequisites” on page 263● “Order of Operations” on page 263● “Certificate Inf

Using Enhanced Security Features264 EncrypTight User Guide4 Temporarily enable strict authentication in ETEMS and make sure that you can still communi

Using Certificates in an EncrypTight SystemEncrypTight User Guide 265In usage, you type this string as follows:-dname “cn=<common name>, ou=<

Using Enhanced Security Features266 EncrypTight User GuideChanging the Keystore PasswordBefore you begin using certificates, you need to change the de

Changing the Keystore PasswordEncrypTight User Guide 267Changing the Keystore Password on a ETKMSChanging the password on a ETKMS involves multiple st

Using Enhanced Security Features268 EncrypTight User GuideChanging the Password Used in the ETKMS Properties FileThe ETKMS properties file includes an

Configuring the Certificate Policies ExtensionEncrypTight User Guide 269./HSMPwdChg.shThe script will print out the new value of the password. Make no

Using Enhanced Security Features270 EncrypTight User GuideTIPIf you are deploying numerous ETEPs, you can save time by modifying the default configura

EncrypTight Deployment Planning28 EncrypTight User GuideFigure 8 In-line ETKMS management in an IP network ETPM and ETKMS in Layer 2 Ethernet Policies

Configuring the Certificate Policies ExtensionEncrypTight User Guide 271Figure 95 Communications PreferencesAbout the Policy Constraints ExtensionThe

Using Enhanced Security Features272 EncrypTight User GuideWorking with Certificates for EncrypTight and the ETKMSsFor both the workstation running the

Working with Certificates for EncrypTight and the ETKMSsEncrypTight User Guide 273To generate a key pair:1 From the command line, use the following co

Using Enhanced Security Features274 EncrypTight User GuideImporting a CA Certificate Depending on the CA that you use, you could receive a single cert

Working with Certificates and an HSMEncrypTight User Guide 275Exporting a CertificateFor other devices to authenticate the identity of an entity, they

Using Enhanced Security Features276 EncrypTight User GuideImporting CA Certificates into the HSMTo import CA certificates into the HSM:1 To import a C

Working with Certificates for the ETEPsEncrypTight User Guide 277Generating a Certificate Signing Request for the HSMTo generate a certificate signing

Using Enhanced Security Features278 EncrypTight User GuideTo start the Certificate Manager do one of the following: ● In the Windows menu, click Open.

Working with Certificates for the ETEPsEncrypTight User Guide 279The Certificate Requests view displays pending certificate requests for selected appl

Using Enhanced Security Features280 EncrypTight User GuideNOTEThe procedure for obtaining a CA certificate varies with each CA. These are the typical

EncrypTight Component ConnectionsEncrypTight User Guide 29External ETKMS to ETKMS ConnectionsETKMSs must be able to communicate with each other in two

Working with Certificates for the ETEPsEncrypTight User Guide 281Figure 97 Certificates view shows installed certificates and their usageWorking with

Using Enhanced Security Features282 EncrypTight User GuideFigure 98 Generate a certificate signing requestTo generate a certificate signing request:1

Working with Certificates for the ETEPsEncrypTight User Guide 283Installing a Signed CertificateWhen a certificate authority accepts a certificate req

Using Enhanced Security Features284 EncrypTight User GuideFigure 100 View pending certificate signing requestsCanceling a Pending Certificate RequestT

Working with Certificates for the ETEPsEncrypTight User Guide 285The Common Name (CN) defaults to the appliance name; it cannot be set as a preference

Using Enhanced Security Features286 EncrypTight User Guide● “Deleting a Certificate” on page 287Viewing a CertificateThe Certificate Details view of a

Validating CertificatesEncrypTight User Guide 287Deleting a CertificateDelete external certificates if they have expired or are no longer used. Extern

Using Enhanced Security Features288 EncrypTight User Guideyou must remember to periodically retrieve a copy of the CRL and install it on each of the E

Validating CertificatesEncrypTight User Guide 289To install a CRL on the ETEP:1 Switch to the Certificate Manager perspective.2 In the Appliances view

Using Enhanced Security Features290 EncrypTight User GuideIn order to use OCSP, you must enable it on each EncrypTight component. ETEPs can read the U

EncrypTight Deployment Planning30 EncrypTight User GuideConnecting Multiple ETKMSs in an IP NetworkFigure 10 shows two external ETKMSs located on diff

Validating CertificatesEncrypTight User Guide 291NOTEFor enhanced security, if you want to validate certificates using OCSP only, disable the options

Using Enhanced Security Features292 EncrypTight User GuideEnabling and Disabling Strict AuthenticationAfter you have installed certificates on each En

Removing CertificatesEncrypTight User Guide 2938Click Put to push the configurations.9Click Close to return to the Appliances view, and then refresh t

Using Enhanced Security Features294 EncrypTight User GuideTo remove certificates:1 If necessary, switch to the Certificate Manager and select the ETEP

Using a Common Access CardEncrypTight User Guide 2955 Add the authorized common names to the cnAuth.cfg file on the ETKMS. For instructions, see “Conf

Using Enhanced Security Features296 EncrypTight User GuideTo enable CAC Authentication on the ETEP:1 Verify that strict authentication is enabled on t

Using a Common Access CardEncrypTight User Guide 297NOTEWhen Common Access Card Authentication is enabled, users of the EncrypTight software can log i

Using Enhanced Security Features298 EncrypTight User Guide

EncrypTight User Guide 29921 ETEP ConfigurationThis chapter provides procedures and reference information for configuring ETEP appliances.To prepare t

ETEP Configuration300 EncrypTight User GuideThis section includes the following topics:● Identifying an Appliance● Interface Configuration● Trusted Ho

4 EncrypTight User GuideTable of ContentsUninstalling EncrypTight Software...

EncrypTight Component ConnectionsEncrypTight User Guide 31Figure 11 Out-of-band management of ETKMSs located on different Ethernet networks ETKMS to P

Interface ConfigurationEncrypTight User Guide 301● Alphanumeric characters are valid (upper and lower case alpha characters and numbers 0-9)● Spaces a

ETEP Configuration302 EncrypTight User GuideFigure 103 ET0100A interfaces configuration Related topics:● “Management Port Addressing” on page 302● “Au

Interface ConfigurationEncrypTight User Guide 303ETEPs running software version 1.6 and later include support for IPv4 and IPv6 addresses on the manag

ETEP Configuration304 EncrypTight User GuideFigure 104 Management port default gateway on the ETEP IPv6 AddressingThe use of IPv6 addressing is option

Interface ConfigurationEncrypTight User Guide 305IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can

ETEP Configuration306 EncrypTight User GuideOn the local and remote ports, the ETEPs support the speeds shown in Table 86.NOTEIf you are using copper

Interface ConfigurationEncrypTight User Guide 307preserves the network addressing of the protected network by copying the original source IP and MAC a

ETEP Configuration308 EncrypTight User GuideIP Address and Subnet MaskEnter the IP address and subnet mask that you want to assign to the port, in dot

Interface ConfigurationEncrypTight User Guide 309The transmitter behavior configuration should be the same on both the local and remote ports. DHCP Re

ETEP Configuration310 EncrypTight User GuideIgnore DF BitWhen the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior i

EncrypTight Deployment Planning32 EncrypTight User GuideFigure 12 In-line ETKMS to PEP communications in IP networks ETKMS to PEP Connections in Ether

Trusted HostsEncrypTight User Guide 311Related topic:● “Ignore DF Bit” on page 310● “Path Maximum Transmission Unit” on page 326● “Features Configurat

ETEP Configuration312 EncrypTight User GuideInbound host protocols (HTTPS, ICMP, and SNMP) are enabled and disabled in the Edit Trusted Host window. I

SNMP ConfigurationEncrypTight User Guide 313Figure 108 Trusted host editorRelated topics:● “Appliance Unreachable” on page 224● “IPv6 Addressing” on p

ETEP Configuration314 EncrypTight User GuideFigure 109 SNMP configuration for system information, community strings, and trapsTake note of the followi

SNMP ConfigurationEncrypTight User Guide 315TrapsTo configure SNMP traps, first select the trap types to be generated. All of the selected trap types

ETEP Configuration316 EncrypTight User GuideNOTEThe coldStart and notifyShutdown traps are always generated, even when Generic traps are disabled.Rela

SNMP ConfigurationEncrypTight User Guide 317● The engine ID identifies the ETEP as a unique SNMP entity. The ETEP’s engine ID must be configured on ev

ETEP Configuration318 EncrypTight User Guide● “Configuring the SNMPv3 Trap Host Users” on page 319● “FIPS Mode” on page 331Generating the Engine IDThe

SNMP ConfigurationEncrypTight User Guide 319Figure 111 Viewing SNMPv3 Engine IDs Related topics:● “Generating the Engine ID” on page 318Configuring th

ETEP Configuration320 EncrypTight User GuideFigure 112 SNMPv3 Trap Host configurationTo configure a trap host user:1 If you haven’t already done so, s

Network Clock SynchronizationEncrypTight User Guide 33Network Clock Synchronization CAUTIONFailure to synchronize the time of all EncrypTight componen

Logging ConfigurationEncrypTight User Guide 321Related topics:● “FIPS Mode” on page 331● ETEP CLI User Guide, ‘Securing Management Port Traffic with I

ETEP Configuration322 EncrypTight User GuideRelated topics:● “Log Event Settings” on page 322● “Defining Syslog Servers” on page 323● “Log File Manage

Logging ConfigurationEncrypTight User Guide 323means “error + critical + alert + emergency.” The priorities shown in Table 97 are listed from lowest (

ETEP Configuration324 EncrypTight User GuideRelated topics:● “IPv6 Addressing” on page 304● “Logging Configuration” on page 321● “Log Event Settings”

Advanced ConfigurationEncrypTight User Guide 325Figure 114 Log files extracted from the ETEPRelated topics:● “Retrieving Appliance Log Files” on page

ETEP Configuration326 EncrypTight User GuidePath Maximum Transmission UnitThe PMTU specifies the maximum payload size of a packet that can be transmit

Advanced ConfigurationEncrypTight User Guide 327● “Reassembly Mode” on page 310● “Features Configuration” on page 330Non IP Traffic HandlingThe non IP

ETEP Configuration328 EncrypTight User Guide● Maximum number of concurrent login sessions allowed per user● The number of login failures allowed befor

Advanced ConfigurationEncrypTight User Guide 329SSH Access to the ETEPSSH is used for secure remote CLI management sessions through the Ethernet manag

ETEP Configuration330 EncrypTight User Guide3 On the Advanced tab, select Enable IKE VLAN Tag. OCSP SettingsOnline Certificate Status Protocol (OCSP)

EncrypTight Deployment Planning34 EncrypTight User GuideIPv6 addresses are 128-bit addresses consisting of eight hexadecimal groups that are separated

Features ConfigurationEncrypTight User Guide 331FIPS ModeWhen operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and

ETEP Configuration332 EncrypTight User Guide● Performs a software integrity test ● Clears pre-existing polices and keys, as described in Table 104. ●

Features ConfigurationEncrypTight User Guide 333● “EncrypTight Settings” on page 333● “Encryption Policy Settings” on page 334● “Creating Layer 2 Poin

ETEP Configuration334 EncrypTight User Guide● “Encryption Policy Settings” on page 334● “Working with Policies” on page 334 Encryption Policy Settings

Working with PoliciesEncrypTight User Guide 335Related topics:● “Using EncrypTight Distributed Key Policies” on page 335● “Creating Layer 2 Point-to-P

ETEP Configuration336 EncrypTight User GuideFigure 115 ETEP Policy tabWhen ETEPs are first installed they pass all traffic in the clear until they rec

Working with PoliciesEncrypTight User Guide 337deploy management port IPsec polices while in Layer 2 point-to-point mode, use manual key policies to e

ETEP Configuration338 EncrypTight User GuideSelecting the Traffic Handling ModeThe ETEP has three options for processing packets:● Encrypt all packets

Factory DefaultsEncrypTight User Guide 339Factory DefaultsETEMS’s factory settings are listed by appliance model and software version for the followin

ETEP Configuration340 EncrypTight User GuideTrusted HostsSNMPDefault gateway NoneFlow control NegotiatedLink speed NegotiatedTransmitter enable Follow

Network Addressing for IP NetworksEncrypTight User Guide 35Another factor to consider if you plan to use certificates is the size of your EncrypTight

Factory DefaultsEncrypTight User Guide 341LoggingPolicyAdvancedTable 112 Logging defaultsLogging Default SettingLocal 0 / System InformationalLocal 1

ETEP Configuration342 EncrypTight User GuideFeaturesHard-coded SettingsThe following settings are hard-coded in the ETEP:● Management port PMTU is 140

EncrypTight User Guide 343IndexNumerics3DES, 184Aaddressing mode, 171, 185advanced configurationETEP, 325–329Advanced Encryption Standard, 184AES, 184

Index344 EncrypTight User Guidecertificate revocation lists (CRLs), see CRLs, 287certificatesSee also Certificate Managerabout, 262and common access c

EncrypTight User Guide 345IndexDdatabaseSee workspacedate and timeabout clock synchronization, 33changing on an appliance, 121configuring on the ETKM

Index346 EncrypTight User Guidedefining appliance configurations, 83maintenance and troubleshooting, 86policy and certificate support, 87pushing confi

EncrypTight User Guide 347Indexfirewall ports, 39flow control configurationETEP, 305fragmentationETEPchoosing the reassembly mode, 310setting the PMTU

Index348 EncrypTight User Guidehub and spoke policy addressing mode override, 193mesh policy addressing mode override, 197multicast policy addressing

EncrypTight User Guide 349IndexNTP, 149OOCSPabout, 289communication preferences, 94enabling in EncrypTight, 290enabling in ETEPs, 291enabling on ETKMS

Index350 EncrypTight User GuideSee also ETPMintroduction, 20log file, 241monitoring status, 237port configuration See interface configurationport stat

EncrypTight Deployment Planning36 EncrypTight User GuideFigure 14 Using remote IP and virtual IP addresses to obscure the source address of the origin

EncrypTight User Guide 351Indexediting on multiple appliances, 152ETEP, 329ETKMS, 51for EncrypTight PEPs, 149software requirements, 38software updates

Index352 EncrypTight User GuideTriple Data Encryption Standard, 184troubleshootingSee also diagnostic toolsapplication log, 234certificate implementat

724-746-5500 | blackbox.com About Black BoxBlack Box Network Services is your source for more than 118,000 networking and infrastructure products.

EncrypTight User Guide 373 Installation and ConfigurationThis section describes how to install and configure EncrypTight for the first time, including

Installation and Configuration38 EncrypTight User Guide● “Software Requirements” on page 38● “Firewall Ports” on page 39Hardware RequirementsEncrypTig

EncrypTight Software InstallationEncrypTight User Guide 39Firewall PortsIn order for EncrypTight components to communicate, you need to make sure that

Installation and Configuration40 EncrypTight User GuideNOTEIt is strongly recommended that you synchronize the workstation hosting the EncrypTight sof

Table of ContentsEncrypTight User Guide 5Step 2: Prepare ETPM Status and Renew Keys ...

Management Station ConfigurationEncrypTight User Guide 41To start ETEMS:1From the Start menu, select All Programs > EncrypTight.2 In the Login scre

Installation and Configuration42 EncrypTight User GuideSecuring the Management InterfaceEncrypTight provides the methods listed in Table 7 for encrypt

Installing ETKMSsEncrypTight User Guide 43Configuring the Syslog ServerThe EncrypTight appliance can be configured to send log messages and events to

Installation and Configuration44 EncrypTight User GuideThis section includes the following topics:● “Basic Configuration for Local ETKMSs” on page 44●

Configuring ETKMSsEncrypTight User Guide 45To add a local ETKMS:1 In the Appliance Manager, click File > New.2 In the New Appliance editor, from th

Installation and Configuration46 EncrypTight User GuideChanges to the local ETKMS configuration or EncrypTight software may necessitate changes to the

Configuring ETKMSsEncrypTight User Guide 47This section includes the following topics:● “Logging Into the ETKMS” on page 47● “Changing the Admin Passw

Installation and Configuration48 EncrypTight User Guide6Type exit to log out from the admin account.For example:Localhost login: adminPassword:[admin@

Configuring ETKMSsEncrypTight User Guide 49Configure the Network ConnectionThe eth0 connection is the network connection with a path to the management

Installation and Configuration50 EncrypTight User GuideIPv6Setting up the network connections to use IPv6 addresses requires modifying several files.T

6 EncrypTight User GuideTable of ContentsProvisioning Large Numbers of Appliances ...

Configuring ETKMSsEncrypTight User Guide 518 At the command line, restart the ETKMS service by typing service etkms restart and press Enter.Verify the

Installation and Configuration52 EncrypTight User Guide2 Replace the defaults with your preferred time server. You can specify multiple time servers a

Configuring ETKMSsEncrypTight User Guide 53Related topics:● “Configure the Network Connection” on page 49● “Check the Status of the Hardware Security

Installation and Configuration54 EncrypTight User GuideChecking the Status of the ETKMSYou should check that the ETKMS service is running before you p

Policy Enforcement Point ConfigurationEncrypTight User Guide 55Replace x.x.x.x with the IP address or the hostname of the syslog server.7 Save and clo

Installation and Configuration56 EncrypTight User GuideDefault User Accounts and PasswordsChanging the default passwords for all of the EncrypTight co

Managing LicensesEncrypTight User Guide 57Before you begin adding PEPs and using the EncrypTight software, contact Customer Support to acquire your li

Installation and Configuration58 EncrypTight User GuideUpgrading LicensesWhen your needs change, you can easily upgrade the number of ETEPs that Encry

Next StepsEncrypTight User Guide 596 In ETPM, create your policies. 7 In ETPM, deploy the policies to the ETKMSs and PEPs.

Installation and Configuration60 EncrypTight User Guide

Table of ContentsEncrypTight User Guide 7Editing PEPs ...

EncrypTight User Guide 614 Managing EncrypTight UsersThis section includes the following topics:● Working with EncrypTight User Accounts● Configuring

Managing EncrypTight Users62 EncrypTight User GuideNOTEIf EncrypTight is managing ETEP 1.4 and later appliances, we recommend creating a user account

Configuring EncrypTight User AuthenticationEncrypTight User Guide 63Figure 15 Login preferencesTo set login preferences:1 From the Edit menu, click Pr

Managing EncrypTight Users64 EncrypTight User Guide If your EncrypTight deployment includes ETEPs running software version 1.6 or later, entering a p

Managing EncrypTight AccountsEncrypTight User Guide 65Although the Login preferences are not saved, user data is preserved through an upgrade (user ID

Managing EncrypTight Users66 EncrypTight User GuideTo add an EncrypTight user account:1 From the Edit menu, click User Accounts.2 In the User Accounts

How EncrypTight Users Work with ETEP UsersEncrypTight User Guide 67How EncrypTight Users Work with ETEP UsersEncrypTight manages ETEP user accounts. I

Managing EncrypTight Users68 EncrypTight User Guide3 In EncrypTight, add a new ETEP appliance and refresh its status. Because EncrypTight and the ETEP

EncrypTight User Guide 695 Maintenance TasksThis section includes the following topics:● Working with the EncrypTight Workspace● Installing Software U

Maintenance Tasks70 EncrypTight User GuideCAUTIONAppliance configurations and policy files are stored as .xml files. These files are not encrypted or

8 EncrypTight User GuideTable of ContentsAdding a Multicast Policy...

Working with the EncrypTight WorkspaceEncrypTight User Guide 71Figure 18 Saving one workspace to anotherLoading an Existing WorkspaceReasons for loadi

Maintenance Tasks72 EncrypTight User Guide4 Refresh the appliances’ status. From the Edit menu click Select All, then click .Related topic:“Moving a

Installing Software UpdatesEncrypTight User Guide 73Installing Software UpdatesSoftware updates for EncrypTight are available separately from the PEP

Maintenance Tasks74 EncrypTight User GuideYou can schedule the upgrade for each PEP at different time, depending on the rekey settings and data traffi

Installing Software UpdatesEncrypTight User Guide 75To deploy policies:1Click Tools > Deploy to synchronize the EncrypTight components with the cur

Maintenance Tasks76 EncrypTight User GuideCAUTIONSoftware upgrades require a reboot to take effect. Rebooting the PEP interrupts data traffic for appr

Installing Software UpdatesEncrypTight User Guide 77NOTE● You must reboot the ETEP PEPs after you upgrade. If you make any configuration changes to th

Maintenance Tasks78 EncrypTight User GuideStep 7: Return Status Refresh and Key Renewal to Original SettingsTo return status refresh and key renewal t

Upgrading External ETKMSsEncrypTight User Guide 79To mount the CDROM drive:1 Insert the disk in the drive and close it.2 If it doesn’t already exist,

Maintenance Tasks80 EncrypTight User Guide

Table of ContentsEncrypTight User Guide 9ETKMS Log Files ...

Part II Working with Appliances using ETEMS

82 EncrypTight User Guide

EncrypTight User Guide 836 Getting Started with ETEMSThis section includes the following topics:● ETEMS Quick Tour● Understanding the ETEMS Workbench●

Getting Started with ETEMS84 EncrypTight User Guidethe factory default configurations or define your own template for these common values (Edit > D

ETEMS Quick TourEncrypTight User Guide 85Upgrading Appliance SoftwareNew revisions of appliance software can be loaded on the appliances from an FTP s

Getting Started with ETEMS86 EncrypTight User GuideFigure 23 Compare the ETEMS configuration to the appliance to discover discrepancies Maintenance an

Understanding the ETEMS WorkbenchEncrypTight User Guide 87Figure 24 Statistics view displays a snapshot of performance data on the ET0100A Policy and

Getting Started with ETEMS88 EncrypTight User GuideFigure 25 Appliance Manager perspectiveViewsViews display information about items that ETEMS manage

Understanding the ETEMS WorkbenchEncrypTight User Guide 89● You can open multiple appliance editors at the same time. The editors are stacked in a tab

Getting Started with ETEMS90 EncrypTight User GuideThe Appliance Manager has its own toolbar that lets you minimize and maximize the view, and filter

10 EncrypTight User GuideTable of ContentsChanging the EncrypTight Keystore Password ...

Understanding RolesEncrypTight User Guide 91Understanding RolesEncrypTight and the EncrypTight appliances each have unique roles that control differen

Getting Started with ETEMS92 EncrypTight User Guidedeploying policies. ETEMS uses the Administrator user to log in to the appliance. The Administrator

Modifying Communication PreferencesEncrypTight User Guide 933 In the Communications window, modify any of the communication preferences (see Table 24

Getting Started with ETEMS94 EncrypTight User GuideIgnore CRL access failureWhen enabled, allows EncrypTight to set up communication with a component

EncrypTight User Guide 957 Provisioning AppliancesThis section includes the following topics:● Provisioning Basics● Appliance User Management● Working

Provisioning Appliances96 EncrypTight User Guide● “Pushing Configurations to Appliances” on page 97● “Working with Default Configurations” on page 110

Provisioning BasicsEncrypTight User Guide 97● “Provisioning Large Numbers of Appliances” on page 111● “Provisioning PEPs” on page 147Saving an Applian

Provisioning Appliances98 EncrypTight User Guide3 Optionally, for ETEP appliances with software version 1.6 and later, click Put Throughput License to

Provisioning BasicsEncrypTight User Guide 99Figure 27 Appliances viewBy default, automatic status refresh is disabled. You can refresh the status manu

Provisioning Appliances100 EncrypTight User GuideRelated topics:● “Comparing Configurations” on page 100● “Filtering Appliances Based on Address” on p