
CEQURUX Proprietary Virtual Private Networks


  
Figure 4.64: The CEQURUX VPNs Setup Screen
\includegraphics[width=14cm,height=10cm]{cequruxvpns.ps}

If your VPN is connected entirely by CEQURUX Technologies firewalls or VPN gateways, then you can use the proprietary VPN features as an alternative to IPSec. Although you will be sacrificing interoperability with other vendors' products, there are some advantages to going this route. The architecture is simpler, the security is at least as good, communication takes place over TCP rather than the IPSec protocols (which may be useful if intervening routers block non-TCP/UDP/ICMP traffic), and you get the additional benefits of consistent service access logging and distributed DNS tunnelling.

The CEQURUX VPNs Setup Screen (Figure 4.64) allows you to specify how long the secure tunnel connections should be maintained if not in use, and how frequently the session encryption keys should be renegotiated. You can also access the IP Tunnels Setup Screen by pressing F2.


  
Figure 4.65: The CEQURUX VPN IP Tunnels Setup Screen
\includegraphics[width=14cm,height=10cm]{tunsetup.ps}


  
Figure 4.66: The CEQURUX Virtual Private Networks Setup Screen
\includegraphics[width=14cm,height=10cm]{vpnsetup.ps}

To set up CEQURUX VPNs, you first need to define tunnel connections between your CEQURUX firewalls or VPN gateways, which is done from the IP Tunnels Setup Screen (Figure 4.65). For each tunnel, you need to specify:

Name
Each tunnel must be given a name; these names are then used when setting up the VPN details.
Address
The IP address of the remote CEQURUX firewall/router.
Domain
The domain of the remote firewall/router; this is used by the firewall to determine which DNS requests should be tunnelled.
Cipher
The type of encryption to use. You can choose between a number of different types. Not all types are available in all countries, due to patent restrictions on some of the algorithms.
Port
The TCP port that should be used to listen for tunnel connections. A pair of ports is used, so the firewall will use the port specified as well as the next consecutive port number.
Compress
The tunnelled packets can be compressed. Both Lempel-Ziv compression of all tunnel traffic and modified Van Jacobson compression of the TCP/IP headers are supported, and you can select either, both or none. Compression is useful if you have slow links; it will actually degrade performance in the case of fast links. However, even then it may be useful for enhanced security: as compression occurs before encryption, statistical attacks on the encrypted data are then almost impossible. A good compromise is to enable header compression only, as it is much easier to predict the plaintext of packet headers than of payloads.

In order to work, symmetrical tunnels need to be configured at both ends. That is, if you configure a tunnel, the host specified by the address field must be a CEQURUX Firewall or VPN Gateway, and it should have a tunnel configured giving the address of this firewall or VPN gateway. Furthermore, the cipher, port and compression fields must be identical at both ends of the tunnel for the tunnel to work correctly. Finally, each end needs to know the public key of the other end so that the authentication mechanism used to set up the tunnel securely can work. To do this, each side must export its VPN key to diskette and import the other side's VPN key from diskette.

Once you have configured the tunnels, you can define the VPNs that use the tunnels from the CEQURUX VPN Tunnel Users Setup Screen (Figure 4.66). Before you can do this you need to save any changes you have made to the tunnels, so first press F8 to exit the IP Tunnel Setup Screen, then re-enter this screen and press F4 to go to the CEQURUX VPN Tunnel Users Setup Screen. For each VPN, you need to specify the local and remote network addresses and masks, and the associated tunnel. Any packet received on the internal interface by a CEQURUX Firewall which has source and destination addresses matching those specified for a VPN will be relayed via the associated IP tunnel to the remote CEQURUX Firewall associated with the tunnel, from where it will be relayed onwards through the remote internal network.

You can further restrict the packets that are passed via the VPNs by entering local or remote port/service restrictions. You can enter a protocol name (icmp, tcp or udp), a service name, or 'all' (no restriction). There should be symmetry here; if you stipulate a restriction for the local service on one CEQURUX Firewall, the corresponding remote should allow that service as one of the enabled remote services, and vice versa.

For example, if you create an entry which specifies that the remote service is telnet, this allows connections from local clients to remote telnet servers to be passed through the VPN. The CEQURUX Firewall protecting the remote servers should in turn have an entry which allows server responses from local telnet servers to be passed through to the remote clients; thus the local service is telnet in this case.
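As an added illustration of the three symmetry rules above (paired tunnels whose cipher, port and compression match, VPN entries whose local/remote network masks select a tunnel for a packet, and local/remote service restrictions that mirror each other), here is a small Python checker. It is not CEQURUX code; the field names and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed models of an IP Tunnels entry and a VPN entry (hypothetical field names).
@dataclass(frozen=True)
class Tunnel:
    name: str
    address: str    # IP address of the remote CEQURUX firewall / VPN gateway
    cipher: str
    port: int       # listening port; port + 1 is used as well (a pair)
    compress: str   # "none", "header", "data" or "both"

@dataclass(frozen=True)
class Vpn:
    local_net: str
    remote_net: str
    tunnel: str     # name of the Tunnel that carries this VPN
    local_service: str = "all"
    remote_service: str = "all"

def tunnel_symmetry_errors(a_addr, a, b_addr, b):
    """Reasons tunnel a (on firewall a_addr) and tunnel b (on firewall b_addr) would not pair."""
    errors = []
    # Each end's address field must name the other end.
    if a.address != b_addr:
        errors.append(f"{a.name}: address {a.address} is not peer {b_addr}")
    if b.address != a_addr:
        errors.append(f"{b.name}: address {b.address} is not peer {a_addr}")
    # Cipher, port and compression must be identical at both ends.
    for field in ("cipher", "port", "compress"):
        if getattr(a, field) != getattr(b, field):
            errors.append(f"{field} differs at the two ends")
    return errors

def select_tunnel(vpns, src, dst):
    """Tunnel for a packet seen on the internal interface, or None if no VPN entry matches."""
    s, d = ip_address(src), ip_address(dst)
    for v in vpns:
        if s in ip_network(v.local_net) and d in ip_network(v.remote_net):
            return v.tunnel
    return None

def _consistent(x, y):
    # A restriction at one end must be permitted by the matching field at the other.
    return x == "all" or y == "all" or x == y

def service_symmetry_ok(a, b):
    # Local service on one firewall must be allowed as the remote service on the other.
    return (_consistent(a.local_service, b.remote_service)
            and _consistent(a.remote_service, b.local_service))
```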


Copyright © 2004, CEQURUX Technologies