1 / 28

Technical Lab n°1 Guidelines

Technical Lab n°1 Guidelines. End-to-End Security and VPN. Agenda. Introduction Lab Presentation Lab 1-1 : VPN Client to Gateway Lab 1-2 : Hybrid Mode Lab 1-3 : SecureClient Lab 1-4 : SecureServer Lab 1-5 : SR/SC behind NAT Hide. Introduction : Objectives.

borka
Télécharger la présentation

Technical Lab n°1 Guidelines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Technical Lab n°1Guidelines End-to-End Security and VPN

  2. Agenda • Introduction • Lab Presentation • Lab 1-1 : VPN Client to Gateway • Lab 1-2 : Hybrid Mode • Lab 1-3 : SecureClient • Lab 1-4 : SecureServer • Lab 1-5 : SR/SC behind NAT Hide

  3. Introduction : Objectives • Understand End-to-End Security and secure communications • Setup Hybrid Mode (strong authentication) • Setup / Manage VPN-1 SecureServer • Understand and setup the new SP2 fonctionnality : UDP encapsulation

  4. SERVER 192.168.2.31 VPN-1 192.168.1.25 FW/VPN Module + Management RADIUS H U B H U B SecureServer 192.168.1.30 CLIENT 192.168.2.30 SecureClient 192.168.2.32 Telnet Server SecureServer Lab Architecture – Lab 1

  5. Components • VPN-1 • NT 4.0 SP6a • VPN-1 4.1 SP2 • SERVER • NT 4.0 SP6a • Radius Server • SecureServer • NT 4.0 SP6a • Telnet Server + SecureServer 4.1 SP2 • Client • NT 4.0 SP6a • VPN-1 SecureClient build 4165

  6. Lab 1-1 : VPN Client to Gateway

  7. Logical architecture SERVER VPN-1 VPN FW/VPN Module + Management H U B H U B CLIENT SecureServer

  8. Lab 1-1 : VPN Client to Gateway • Configure VPN-1 to support client-to-site encryption • Create a remote user • Create SecuRemote Site • Access SecureServer with telnet • Check logs

  9. Lab 1-1 : VPN Client to Gateway (ADVANCED) • Debug SecuRemote • fwenc.log file • SRinfo file • Debug IKE negotiation • Use IKEview

  10. Lab 1-1 : VPN Client to Gateway (ADVANCED) Ike.elg and Ikeview • Use with FireWall-1/SecuRemote 4.1: • Generate a file IKE.elg on FW-1 4.1 or SR4.1.To do it, you need to : • Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1) • On FW-1 : fwstop, fwstart • On SR4.1 : kill SR, create a log directory (in SRDIR directory) and reload SR. • The file IKE.elg will be created in the log directory. • Load IKEView and open the IKE.elg file.

  11. Lab 1-2 : Hybrid Mode

  12. Logical architecture SERVER Auth VPN-1 VPN RADIUS FW/VPN Module + Management H U B H U B CLIENT SecureServer

  13. Lab 1-2 : Hybrid Mode • Goal : establish a client-to-site IKE VPN using Radius to authenticate the remote user. • IMPORTANT: You must define a user with pre-shared secret to download the topology.

  14. Lab 1-2 : Hybrid Mode • Define a user with pre-shared secret to dowload the topology • Not member of any group • Create the Internal CA on the Management Station • Create a Certificate for the VPN/Firewall Module • Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE Tab) • Define a User with one of the classical authentication methods (ex: RADIUS) • Update the SecuRemote Site with the first user • Test authentication • Check logs

  15. Lab 1-3 : SecureClient

  16. Logical architecture SERVER VPN-1 VPN FW/VPN Module + Management + Policy Server H U B H U B CLIENT SecureServer

  17. Lab 1-3 : SecureClient • Define a Policy Server • Define a policy (encrypt only) • Update SecureClient Site • Reach TelnetServer • Try to ping 192.168.6.1 • Configure SCV (Desktop Configuration Verification) • Then bind NetBeui on the client • Try to reach TelnetServer • Then uncheck SCV

  18. Lab 1-3 : SecureClient (Advanced) • View unauthorized actions on SecureClient • View SR.log file

  19. Lab 1-4 : SecureServer

  20. Logical architecture SERVER VPN-1 FW/VPN Module + Management H U B H U B SecureServer CLIENT VPN

  21. Lab 1-4 : SecureServer • Goal is to establish end-to-end VPN between client and Server. • Create new encryption domain for VPN1 • Change VPN properties for VPN1 • Encryption domain • Enable VPN for SecureServer • Create Certificate for Secureserver (Hybrid mode) • Register SecureServer as a Radius Client

  22. Lab 1-4 : SecureServer • Update topology • Access Secureserver with telnet • Check Logs

  23. Lab 1-4 : SecureServer Warning: • A security rule, with the field « Install on » filled with « Gateways », doesn’t take care of SecureServer (just gateways  ) • Features not available on SecureServer • User Authentication • Content Security (CVP, UFP..) • NAT • IP forwarding is turned off (…)

  24. Lab 1-5 : SR/SC behind NAT Hide

  25. FW/VPN Module + Management Logical architecture SERVER Customer site VPN-1 H U B H U B SecureServer VPN CLIENT SR/SC is NATed Hide behind this address (=Routeur) SecureServer

  26. NAT with SecuRemote Cont. • Create a new network object for Net 192.168.1.0 • Nated Hide behind 192.168.2.30 • Uncheck VPN properties for VPN1 • Bind Policy Server to SecureServer • Modify Rulebase • Create new SR site (Secureserver) • Access SecureServer with telnet • Check Logs

  27. Agenda • Lab 1-1 : VPN Client to Gateway • Lab 1-2 : Hybrid Mode • Lab 1-3 : SecureClient • Lab 1-4 : SecureServer • Lab 1-5 : SR/SC behind NAT Hide

  28. Q & A ? Thank you

More Related