BlackRidge BR-2120
Gateway for AWS
Setup Guide
BlackRidge Technology Inc.
10615 Professional Circle Suite 201
Reno, NV 89521
U.S.A
Part No. 2120-0030-01
Revision 1.0, September 2016

Preface.................................................................................................................................. 7
About This Guide......................................................................................................................... 7
Related Material ................................................................................................................... 8
Who Should Use This Guide ........................................................................................................ 9
How This Guide is Organized .................................................................................................... 10
Typographical Conventions....................................................................................................... 11
SECTION I ............................................................................................................................ 12
Task Map for the BlackRidge BR-2120 TAC Gateway for AWS............................................... 13
SECTION II ........................................................................................................................... 14
Identify Security Use Case & BlackRidge Solution Requirements ........................................... 15
Security Problem....................................................................................................................... 15
Setup Requirements ................................................................................................................. 15
VPC Requirements for the BR-2120 Gateway for AWS ......................................... 16
Select Resources to Trust and to Protect .............................................................................. 17
Criteria to Determine Role(s) ............................................................................................... 18
Trusted Hosts: ................................................................................................................... 18
Protected Resources:......................................................................................................... 18
Design the Network Topology.............................................................................................. 19
Port Assignments for the BR-2120 Gateway for AWS............................................................ 20
SECTION III .......................................................................................................................... 21
Create and Configure Virtual Private Cloud .......................................................................... 22
Task: Create VPC ....................................................................................................................... 23
Task: Configure Internet Gateway ............................................................................................ 24
Task: Create Subnets................................................................................................................. 25
Task: Create Route Tables......................................................................................................... 27
Task: Create Route Under the MGMT Route Table................................................................... 30

Task: Create Security Groups .................................................................................................... 31
SECTION IV .......................................................................................................................... 35
Launch and Configure a Gateway AMI Instance ................................................................... 36
Task: Configure and Launch an AMI Instance........................................................................... 36
Task: Stop the AMI Instance ..................................................................................................... 42
Task: Review Settings of the eth0/Management Interface for the AMI Instance .................... 42
Task: Create Additional Interfaces for the AMI Instance.......................................................... 43
Task: Attach Additional Interfaces to the AMI Instance ........................................................... 45
Task: Allocate a New Elastic IP Address for the MGMT Interface ............................................ 46
Task: Associate Elastic IP with MGMT Interface....................................................................... 47
Task: Modify Route Table for (Trusted + Protected) Side of BRT GW....................................... 49
Task: Disable Source/Destination Check for Untrusted and Trusted Interfaces....................... 51
Task: Disable Source/Destination Check for Untrusted and Trusted Interfaces....................... 53
Task: Associate Elastic IP with the Public/Untrusted Interface ................................................ 54
SECTION V ........................................................................................................................... 55
Deploy a Jump Host into the MGMT Subnet in VPC .............................................................. 56
Task: Create the Jump Host Instance........................................................................................ 57
Task: Assign an Elastic IP to the Jump Host .............................................................................. 64
SECTION VI .......................................................................................................................... 68
Deploy a (Trusted + Protected) Host into Trusted Subnet in VPC ........................................... 69
Task: Provision an Instance of the Amazon Linux AMI ............................................................. 70
Task: Check Boot Status through AWS CLI................................................................................ 76
Task: SSH into Trusted + Protected Instance............................................................................. 77
Task: Configure Static Networking and Routes on the Trusted + Protected Instance .............. 78
SECTION VII ......................................................................................................................... 80
Configure Layer 3 NAT –External-to-VPC (Unidirectional) .................................................... 81

Task: Inserter –Generate and Export SKEY................................................................................... 86
Task: Resolver –Import SKEY........................................................................................................ 86
Task: Inserter –Add NAT and Routes............................................................................................ 86
Task: Inserter –Add NAT and Routes............................................................................................ 87
Task: Inserter –Add and Enable Identity ...................................................................................... 88
Task: Inserter –Create Trusted Host and Associate Identity ........................................................ 88
Task: Resolver –Add and Enable Identity Using SKEY .................................................................. 89
Task: Resolver –Add Protected Resource ..................................................................................... 89
Task: Resolver –Add Rule and Link Identity.................................................................................. 90
Task: Inserter –Enable Enforce Mode .......................................................................................... 90
Task: Resolver –Enable Enforce Mode ......................................................................................... 90
SECTION VIII ........................................................................................................................ 91
Configure Layer 3 NAT –VPC-to-VPC (Bidirectional) ............................................................. 92
Task: Inserter + Resolver –Add NAT and Routes .......................................................................... 94
Task: Inserter + Resolver –Configure Trusted Host and Protected Resource............................... 95
Task: Inserter –Generate and Export SKEY................................................................................... 95
Task: Resolver –Import SKEY........................................................................................................ 96
Task: Inserter –Add and Enable Identity ...................................................................................... 96
Task: Inserter –Associate Identity with Trusted Host................................................................... 97
Task: Resolver –Add and Enable Identity Using SKEY .................................................................. 97
Task: Resolver –Add Rule for and Link Identity to Protected Resource ....................................... 97
Task: Inserter –Enable Enforce Mode .......................................................................................... 98
Task: Resolver –Enable Enforce Mode ......................................................................................... 98
SECTION IX .......................................................................................................................... 99
Add Certificates to BlackRidge TAC Gateway...................................................................... 100
Initiate a BlackRidge Certificate Signing Request (CSR)....................................................... 101

Task: Generate BlackRidge TAC Gateway Keys ...................................................................... 102
Task: Generate a Certificate Signing Request (CSR) ............................................................... 102
Loading the BlackRidge Technology-Signed Certificates ........................................................ 103
Task: Extract the Encrypted Certificate File ............................................................................ 103
Importing Certificates into TAC Gateway ............................................................................... 107
Task: Import the Root and Intermediate Certificates ............................................................. 107
Task: Import the BlackRidge TAC Gateway Certificates ......................................................... 108
Task: Validate the BlackRidge TAC Gateway Certificates....................................................... 108
SECTION X ......................................................................................................................... 109
Testing the Configuration .................................................................................................. 110
Task: Test the Gateways’ Ability to Route Locally in Layer 3 Mode ........................................... 110
Task: Test the Trusted + Protected Connection Using SSH ......................................................... 110
SECTION XI ........................................................................................................................ 111
Set Transport Access Control (TAC) Mode of Operation ...................................................... 112
Task: Display TAC Mode.......................................................................................................... 113
Task: Set TAC Mode as “Bridge” ............................................................................................. 113
Task: Set the TAC Mode as “Monitor” .................................................................................... 114
Task: Set the TAC Mode as “Enforce” ..................................................................................... 114
Congratulations................................................................................................................. 115
Appendix A: Accessing the BlackRidge Gateway (SSH)........................................................ 116
Using PuTTY and SSH to Access the Gateways ....................................................................... 116
Appendix B: CLI Commands for Configuring the IP Network Attributes of the BlackRidge TAC
Gateway ........................................................................................................................... 119
Configure DHCP Network Settings for the Management Port ............................................... 119
cfg (static IP) - Configure IPv4 Network Settings for the Management Port ......................... 120
/etc/mgt/ipv6/ –Configure an IPv6 Address on the admin Port ......................................... 121

add –Associate IPv6 Addresses with the Management Port................................................. 121
del –Remove IPv6 Addresses from the Management Port ................................................... 121
disable –Disable IPv6 on the Admin Port............................................................................... 122
enable –Enable IPv6 on the Admin Port ................................................................................ 122
mod –Modify IPv6 Address on the Admin Port ..................................................................... 123
Appendix C: CLI Commands for Configuring the DNS Network Attributes of the BlackRidge TAC
Gateway ........................................................................................................................... 124
/etc/dns/ - DNS Configuration ........................................................................................... 124
cfg - Configure DNS ................................................................................................................. 124
show - Show DNS Settings ...................................................................................................... 125
Appendix D: CLI Commands for Configuring the Host Name Attributes of the BlackRidge TAC
Gateway ........................................................................................................................... 126
/etc/hostname/ - Host Name and Domain Name Configuration......................................... 126
cfg - Configure Hostname ....................................................................................................... 126
show - Show the Hostname and Domain Name..................................................................... 127

Copyright © 2016 BlackRidge Technology, Inc. All rights reserved.
This document is protected by copyright and distributed under licenses restricting its use,
copying, distribution and decompilation. No part of this document may be reproduced in any
form by any means without prior written authorization of BlackRidge Technology Inc.
Documentation is provided as is without warranty of any kind, either expressed or implied,
including any kind of implied or expressed warranty of non-infringement or the implied
warranties of merchantability or fitness for a particular purpose.
BlackRidge Technology Inc. reserves the right to change any products described herein at any
time and without notice. BlackRidge Technology Inc. assumes no responsibility or liability
arising from the use of products described herein, except as expressly agreed to in writing by
BlackRidge Technology Inc. The use and purchase of this product does not convey a license
under any patent rights, trademark rights or any other intellectual property rights of BlackRidge
Technology Inc.
Document Part Number: 2120-0030-01

Preface
About This Guide
The BlackRidge BR-2120 is a Transport Access Control (TAC) Gateway for Amazon™ Web Services
(AWS). A number of initial tasks must be completed to set up the TAC Gateway(s) for network
access and operation. This document contains the instructions for deploying a BlackRidge TAC
Gateway into Amazon Elastic Compute Cloud (EC2).
The setup instructions are divided into a number of categories, each of which contains one or
more basic tasks to complete. These tasks are designed to simplify the overall process of setting
up your gateway(s) to be operational and connected to the network.
This Setup Guide provides guidance in the following procedures:
Identifying resource requirements
Selecting resources to trust and protect
Designing a network topology
Creation of a Virtual Private Cloud (VPC)
Deployment of a Gateway from AMI
Deployment of a Management Instance in AWS
Deployment of trusted hosts/protected resources in AWS
Configuration of Layer 3 mode for the Gateway in AWS
Connecting an Insertion Gateway in an external network to a Resolving Gateway in AWS
(Unidirectional)
Connecting an Insertion Gateway to a Resolving Gateway in AWS between VPCs
(Bidirectional)
Testing the configuration
Use this Setup Guide as the prerequisite to the BlackRidge TAC Gateway - Quick Start Guide.

Related Material
The BlackRidge documentation set consists of:
BlackRidge TAC Gateway - Getting Started Guide provides a high-level roadmap for
leveraging the documentation set to successfully install and configure each model of the
BlackRidge family of gateway products.
BlackRidge BR-3110 1G Branch TAC Gateway - Setup Guide outlines the steps required
to set up the gateway for network access and operation.
BlackRidge BR-2110 1G Virtual TAC Gateway - Setup Guide outlines the steps required to
set up the gateway for network access and operation.
BlackRidge BR-2210 10G Virtual TAC Gateway - Setup Guide outlines the steps required
to set up the gateway for network access and operation.
BlackRidge BR-3100 1G Enterprise TAC Gateway - Setup Guide outlines the steps
required to set up the gateway for network access and operation.
BlackRidge BR-3120/BR-3121 1G Enterprise TAC Gateway - Setup Guide outlines the
steps required to set up the gateway for network access and operation.
BlackRidge BR-3220-T/BR-3221-T 10G Enterprise TAC Gateway - Setup Guide outlines
the steps required to set up the gateway for network access and operation.
BlackRidge BR-3220-F 10G Enterprise TAC Gateway - Setup Guide outlines the steps
required to set up the gateway for network access and operation.
BlackRidge BR-3221-SR/BR-3221-LR 10G Enterprise TAC Gateway - Setup Guide outlines
the steps required to set up the gateway for network access and operation.
BlackRidge BR-2051 Gateway for IBM z Systems - Setup Guide outlines the steps
required to set up the gateway for network access and operation on the IBM z Systems
platform.
BlackRidge BR-2061 Gateway for z/VM Systems - Setup Guide outlines the steps
required to set up the gateway for network access and operation on the IBM z/VM®
platform.
BlackRidge BR-2120 Gateway for AWS - Setup Guide outlines the steps required to set
up the gateway for network access and operation on the Amazon Web Services™ (AWS)
platform.
BlackRidge TAC Gateway - Quick Start Guide describes the concepts and procedures to
configure cloaking and Static Identities for unidirectional authentication of IPv4 network
endpoints.
BlackRidge TAC Gateway - Configuration Guide describes the advanced concepts and
procedures to configure cloaking, Static and Dynamic AD Identities for bidirectional
authentication for multiple IPv4 and IPv6 network endpoints.
BlackRidge TAC Gateway –Command Reference Guide contains the descriptions of the
commands, arguments and options that are used by the administrator to set up,
configure, and maintain the BlackRidge TAC Gateways.

Who Should Use This Guide
This guide is intended for experienced systems and networking IT professionals who are
responsible for the initial setup of the BlackRidge BR-2120 TAC Gateway for AWS.

How This Guide is Organized
Section I provides a high-level map of the tasks that are performed during the initial setup of
the gateway. It acquaints the administrator with the scope of the activities involved with
connecting the gateway to the network.
Section II provides a sample network topology based on a pre-defined use case, and the
resources that are required to architect it. Each port on the BlackRidge gateway is uniquely
identified with a description of its function. Deciding what operational roles to assign the
network endpoints is based on the criteria provided in this section.
Section III provides procedures for creating and configuring the Virtual Private Cloud (VPC).
Section IV outlines the procedure for launching and configuring an AMI instance.
Section V provides procedures for deploying a jump host into the MGMT Subnet in VPC.
Section VI describes how to deploy a trusted + protected host into the trusted subnet in the
VPC.
Section VII describes the configuration of Layer 3 NAT, external-to-VPC (unidirectional).
Section VIII describes the configuration of Layer 3 NAT, VPC-to-VPC (bidirectional).
Section IX provides procedures for adding certificates to a BlackRidge TAC gateway.
Section X contains instructions for testing the gateway configuration.
Section XI outlines the procedures for setting the TAC mode of operation.
Appendix A: contains instructions for accessing the BlackRidge TAC Gateway using SSH.
Appendix B: contains CLI commands for configuring the IP network attributes of the BlackRidge TAC
Gateway.
Appendix C: contains CLI commands for configuring the DNS network attributes of the BlackRidge
TAC Gateway.
Appendix D: contains CLI commands for configuring the host name and domain name attributes of
the BlackRidge TAC Gateway.

Typographical Conventions
This document uses the following typographic conventions to help you locate and identify
information:
Italic text
Identifies new terms, emphasis, and book titles
Bold text
Identifies button names and other items that you can click or touch in the graphical user
interface or press on a computer keyboard
Courier New
Identifies commands, command syntax, command arguments and system prompts
Bold Courier New
Identifies command strings being executed by the system through the CLI.
Note: Notes provide extra information about a topic that is good to know but not essential to
the process.
Caution: Cautions draw your attention to actions that could compromise the security of your
system or result in the loss of data.

SECTION I

Task Map for the BlackRidge BR-2120 TAC Gateway for AWS
The setup proceeds through the following stages, in order:
1. IDENTIFY: the security use case and the BlackRidge solution requirements
2. SELECT: the resources to trust and to protect
3. DESIGN: the network topology
4. CREATE: the Virtual Private Cloud
5. DEPLOY: the Gateway from AMI, the management instance, and the trusted hosts/protected resources
6. CONFIGURE: Layer 3 mode for the BlackRidge BR-2120 Gateway for AWS
7. VALIDATE: network connectivity for the BlackRidge BR-2120 Gateway for AWS
8. INITIATE: the Certificate Signing Request (CSR)
9. SET: the Transport Access Control (TAC) Mode of Operation (Bridge, Monitor or Enforce)

SECTION II

Identify Security Use Case & BlackRidge Solution
Requirements
Security Problem
For the purpose of this document, the security problem is to protect a critical network-attached
resource from both internal and external reconnaissance and unauthorized access, using the
BlackRidge solution.
For this sample configuration, the virtual-network-attached resource is a server Virtual Machine
(VM) running on a Linux platform. Since it is identified as a resource to be protected by the
BlackRidge solution, it is designated a Protected Resource.
Only one system is identified as trustworthy enough to be given access to the Protected Resource.
That system is a Linux client. Since it has been identified as an endpoint to be trusted by the
BlackRidge solution, it is designated a Trusted Host. It is the only endpoint granted authorized
access to the Protected Resource.
Setup Requirements
The following is required to set up the BR-2120 TAC Gateway for AWS:
An AWS account.
The latest build of the Gateway AMI uploaded to AWS and shared with that AWS account.
Note: In a future version, the latest build will be available through the AWS Marketplace.

VPC Requirements for the BR-2120 Gateway for AWS
Because it runs in a Virtual Private Cloud (VPC), the BR-2120 Gateway for AWS has no physical
host requirements. However, the following components must be configured in the VPC:
Trusted Subnet, with its corresponding security group (shown later in this document)
Management Subnet, with its corresponding security group (shown later in this document)
Public/Untrusted Subnet, with its corresponding security group (shown later in this document)
Jump Host/Management Virtual Machine, deployed in the Management Subnet
Note: The AMI instance for the jump/management host can be a t2.micro. The BlackRidge
Gateway AMI, however, requires a t2.medium.
Three Elastic IP addresses: one for Internet access to the management interface of the
BlackRidge TAC Gateway, one for the Jump/Management Host, and one on the gateway's
Public/Untrusted interface as the NAT IP for the Trusted resource.
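Before creating these resources in the console (Sections III and IV), it helps to write the intended layout down and check it against the requirements above. The following is an added example, not code from the guide or from BlackRidge: it models the three subnets, the gateway with one interface in each subnet, the jump host, the trusted host and the three Elastic IPs as plain data and checks them with the Python standard library. The VPC CIDR, addresses and instance names are constructed for illustration; the security group rules are shown later in the guide and are not modelled here.

```python
"""Pre-flight check of the VPC layout this guide calls for (added example).

Constructed addressing and names; the checks encode only what the guide states:
three subnets, a t2.medium gateway with an interface in each, a jump host in the
management subnet, a trusted host in the trusted subnet, and three Elastic IPs.
"""
import ipaddress
from typing import Dict, List

REQUIRED_SUBNETS = ("mgmt", "trusted", "untrusted")
# Elastic IPs: gateway management interface, gateway public/untrusted interface, jump host
REQUIRED_EIP_TARGETS = {("gateway", "mgmt"), ("gateway", "untrusted"), ("jumphost", "mgmt")}
T2_ORDER = ["t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large"]
GATEWAY_MIN_TYPE = "t2.medium"   # stated requirement for the gateway AMI


def plan_subnets(vpc_cidr: str, prefixlen: int = 24) -> Dict[str, str]:
    """Carve one subnet per role out of the VPC block, in REQUIRED_SUBNETS order."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefixlen)
    return {role: str(next(pool)) for role in REQUIRED_SUBNETS}


def _at_least(instance_type: str, minimum: str) -> bool:
    return instance_type in T2_ORDER and T2_ORDER.index(instance_type) >= T2_ORDER.index(minimum)


def check_layout(vpc_cidr: str, subnets: Dict[str, str], instances: dict, eips: list) -> List[str]:
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {role: ipaddress.ip_network(cidr) for role, cidr in subnets.items()}
    for role in REQUIRED_SUBNETS:
        if role not in nets:
            problems.append(f"missing {role} subnet")
    roles = list(nets)
    for i, a in enumerate(roles):                    # every subnet inside the VPC, none overlapping
        if not nets[a].subnet_of(vpc):
            problems.append(f"{a} subnet {nets[a]} is not inside VPC {vpc}")
        for b in roles[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} subnets overlap")

    def in_subnet(ip: str, role: str) -> bool:
        return role in nets and ipaddress.ip_address(ip) in nets[role]

    gw = instances.get("gateway")
    if gw is None:
        problems.append("no gateway instance")
    else:
        if not _at_least(gw["type"], GATEWAY_MIN_TYPE):
            problems.append(f"gateway type {gw['type']} is below {GATEWAY_MIN_TYPE}")
        for role in REQUIRED_SUBNETS:                # the gateway needs an interface in every subnet
            ip = gw["interfaces"].get(role)
            if ip is None or not in_subnet(ip, role):
                problems.append(f"gateway has no interface inside the {role} subnet")
    for name, want_role in (("jumphost", "mgmt"), ("trusted_host", "trusted")):
        inst = instances.get(name)
        if inst is None:
            problems.append(f"no {name} instance")
            continue
        ip = inst["interfaces"].get(want_role)
        if ip is None or not in_subnet(ip, want_role):
            problems.append(f"{name} is not in the {want_role} subnet")
    targets = {(e["instance"], e["interface"]) for e in eips}
    if len(eips) != 3 or targets != REQUIRED_EIP_TARGETS:
        problems.append(f"expected 3 Elastic IPs on {sorted(REQUIRED_EIP_TARGETS)}, got {sorted(targets)}")
    return problems


def demo():
    """A layout that matches the guide, and one with three common mistakes."""
    vpc = "10.0.0.0/16"                              # constructed lab addressing
    subnets = plan_subnets(vpc)                      # mgmt 10.0.0.0/24, trusted 10.0.1.0/24, untrusted 10.0.2.0/24
    instances = {
        "gateway": {"type": "t2.medium",
                    "interfaces": {"mgmt": "10.0.0.10", "trusted": "10.0.1.10", "untrusted": "10.0.2.10"}},
        "jumphost": {"type": "t2.micro", "interfaces": {"mgmt": "10.0.0.20"}},
        "trusted_host": {"type": "t2.micro", "interfaces": {"trusted": "10.0.1.20"}},
    }
    eips = [{"instance": "gateway", "interface": "mgmt"},
            {"instance": "gateway", "interface": "untrusted"},
            {"instance": "jumphost", "interface": "mgmt"}]
    good = check_layout(vpc, subnets, instances, eips)
    # Mistakes: undersized gateway, trusted subnet overlapping mgmt, only two Elastic IPs
    bad_instances = dict(instances, gateway=dict(instances["gateway"], type="t2.micro"))
    bad_subnets = dict(subnets, trusted="10.0.0.0/23")
    bad = check_layout(vpc, bad_subnets, bad_instances, eips[:2])
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result or "ok")
```

The check is deliberately limited to what this page states; anything the later sections add (security group contents, route tables, source/destination check settings) would be further entries in the same list.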

Select Resources to Trust and to Protect
For the purpose of the sample configuration, it has been decided that the following trust
relationships will be established:
The Linux client (VM) or a Windows client (VM) is designated as the Trusted Host.
The Linux server (VM) is designated as the Protected Resource.
The two BlackRidge BR-2120 gateways will cooperate in establishing trusted
communications between the Windows or Linux client and the Linux server.
In this guide, the BlackRidge BR-2120 Gateway for AWS, with the user-defined hostname
Gateway-1, will control which connected network endpoints can establish an outbound TCP/IP
connection to a Protected Resource behind another BlackRidge gateway. This is done through
the process of inserting Transport Access Control (TAC) tokens.
Since Gateway-1 is inserting the TAC tokens on behalf of its trusted network endpoints, it is
referred to as the TAC Token Insertion Gateway. Only Trusted Hosts will have the TAC token
inserted. Since all other devices will not have these tokens inserted, they are unable to
establish outbound TCP/IP connections to BlackRidge Protected Resources.
The BlackRidge BR-2120 Gateway for AWS, with the user-defined hostname Gateway-2, will
control which remote network endpoints can access a Protected Resource(s) attached to it. This
is done through the process of resolving the TAC tokens that were inserted by the TAC Token
Insertion Gateway (Gateway-1).
Since Gateway-2 is resolving the TAC tokens that were inserted by Gateway-1, it is referred to
as the TAC Token Resolution Gateway. Only Trusted Hosts with valid TAC tokens that are
successfully resolved by the TAC Token Resolution Gateway, are authorized to access a
Protected Resource.
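The division of labour between the TAC Token Insertion Gateway and the TAC Token Resolution Gateway, as an added example that is not BlackRidge's code: the real token format, SKEY handling and wire encoding are not described in this guide, so this model stands in for them with a shared secret (the "SKEY" generated on the inserter and imported on the resolver), a token that is an HMAC-SHA256 tag over the identity and the connection request, an identity table, rules linking identities to protected resources, and the monitor and enforce modes of operation. The host addresses, identity name and token length are constructed for illustration.

```python
"""Toy model of TAC token insertion (Gateway-1) and resolution (Gateway-2).

Added illustration, not BlackRidge's implementation. The token here is an HMAC
tag keyed with the shared "skey" over the identity name and the connection's
4-tuple plus initial sequence number; the real product's token is not described
in this guide.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TOKEN_LEN = 16  # bytes of tag carried on the connection request (assumption)


@dataclass
class Syn:
    """A TCP connection request as the gateways see it."""
    src: str
    dst: str
    dport: int
    seq: int                       # initial sequence number, binds the token to one connection
    token: Optional[bytes] = None


def make_token(skey: bytes, identity: str, syn: Syn) -> bytes:
    msg = f"{identity}|{syn.src}|{syn.dst}|{syn.dport}|{syn.seq}".encode()
    return hmac.new(skey, msg, hashlib.sha256).digest()[:TOKEN_LEN]


class InsertionGateway:
    """Gateway-1: inserts a token only on requests from configured Trusted Hosts."""

    def __init__(self, skey: bytes) -> None:
        self.skey = skey
        self.trusted: Dict[str, str] = {}        # trusted host IP -> identity

    def add_trusted_host(self, ip: str, identity: str) -> None:
        self.trusted[ip] = identity

    def process(self, syn: Syn) -> Syn:
        identity = self.trusted.get(syn.src)
        if identity is not None:                 # every other host passes with no token
            syn.token = make_token(self.skey, identity, syn)
        return syn


class ResolutionGateway:
    """Gateway-2: resolves tokens and applies identity -> Protected Resource rules."""

    def __init__(self, skey: bytes, mode: str = "monitor") -> None:
        self.skey = skey
        self.mode = mode                         # "monitor" logs only, "enforce" drops
        self.identities: Set[str] = set()
        self.rules: Dict[str, Set[str]] = {}     # protected resource IP -> allowed identities
        self.log: List[Tuple[str, str, Optional[str], bool]] = []

    def add_identity(self, identity: str) -> None:
        self.identities.add(identity)

    def add_rule(self, resource: str, identity: str) -> None:
        self.rules.setdefault(resource, set()).add(identity)

    def resolve(self, syn: Syn) -> Optional[str]:
        """Return the enabled identity whose token verifies, or None."""
        if syn.token is None:
            return None
        for identity in self.identities:
            if hmac.compare_digest(make_token(self.skey, identity, syn), syn.token):
                return identity
        return None

    def process(self, syn: Syn) -> str:
        if syn.dst not in self.rules:            # not a Protected Resource: nothing to decide
            return "forward"
        identity = self.resolve(syn)
        allowed = identity is not None and identity in self.rules[syn.dst]
        self.log.append((syn.src, syn.dst, identity, allowed))
        return "forward" if allowed or self.mode == "monitor" else "drop"


def demo() -> Dict[str, str]:
    skey = os.urandom(32)                        # inserter generates SKEY, resolver imports it
    gw1 = InsertionGateway(skey)
    gw1.add_trusted_host("10.0.1.20", "linux-client")
    gw2 = ResolutionGateway(skey, mode="enforce")
    gw2.add_identity("linux-client")
    gw2.add_rule("10.1.1.20", "linux-client")    # rule links the identity to the Protected Resource
    out = {}
    out["trusted"] = gw2.process(gw1.process(Syn("10.0.1.20", "10.1.1.20", 22, 1000)))
    out["untrusted"] = gw2.process(gw1.process(Syn("10.0.1.99", "10.1.1.20", 22, 1001)))
    forged = Syn("10.0.1.99", "10.1.1.20", 22, 1002)
    forged.token = make_token(os.urandom(32), "linux-client", forged)   # wrong key
    out["forged"] = gw2.process(forged)
    good = gw1.process(Syn("10.0.1.20", "10.1.1.20", 22, 1003))
    out["spliced"] = gw2.process(Syn("10.0.1.99", "10.1.1.20", 22, 1004, token=good.token))
    gw2.mode = "monitor"                         # same rejected request is logged but forwarded
    out["monitor"] = gw2.process(Syn("10.0.1.99", "10.1.1.20", 22, 1005))
    return out
```

Binding the tag to the sequence number stops a token lifted from one connection from authorising another, but a captured request replayed verbatim would still verify in this toy; whatever the product does against replay is outside what this guide describes. Note also that in monitor mode the resolver's log, not its verdict, is the evidence that a rule is working, which is why the guide has you test in monitor mode before switching to enforce.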

Criteria to Determine Role(s)
The following criteria can be used to determine what role (Trusted Host or Protected Resource)
a particular network endpoint should be assigned:
Trusted Hosts:
Any BlackRidge-authenticated network endpoint that is given access to a BlackRidge-
protected, network-attached asset, is by definition a Trusted Host.
A single network endpoint can be configured as Trusted Host or a Protected Resource, or
both.
If the network endpoint is to only initiate outbound TCP/IP connection requests through
its BlackRidge gateway, configure it as a Trusted Host.
If the network endpoint is to initiate both outbound TCP/IP connection requests and
accept inbound TCP/IP connection requests through its BlackRidge gateway, configure it
as both a Trusted Host and a Protected Resource.
Protected Resources:
All network-attached assets (for example, servers and devices) that are protected by the
BlackRidge gateway are by definition Protected Resources.
A single network endpoint can be configured as Protected Resource or a Trusted Host, or
both.
If the network endpoint is to only accept inbound TCP/IP connection requests through
its BlackRidge gateway, configure it as a Protected Resource.
If the network endpoint is to both accept inbound TCP/IP connection requests and
initiate outbound TCP/IP connection requests through its BlackRidge gateway, configure
it as both a Protected Resource and a Trusted Host.

Design the Network Topology
The following configuration is used as the basis for the procedures outlined in this document.
It is for illustration purposes only. The host names and network addresses in this guide are not
intended to represent any real entity outside the scope of this guide or a test lab environment.
Figure 2.1 – Sample AMI Instance Topology Using BlackRidge BR-2120 Gateway for AWS