Radisys Seg-100 Instruction Manual

Administration Guide

SECURITY GATEWAY

SEG-100

SOFTWARE RELEASE 1.1

February 2012 007-03416-0003

Revision history

Version Date Description

-0000 August 2011 First edition.

-0001 September 2011 Second edition. Updated to include new authentication profiles, RADIUS authentication, and I-WLAN solution.

Added information on local user databases, CLI scripting, statistics, and log receivers. Made significant

updates to the NAT and SAT sections, and made other corrections and clarifications.

-0002 January 2012 Third edition. Updated for the 1.1.1 software release. Added information to the SCP, licensing, and backup

and restore sections. Added IPv6 information. Made other corrections and clarifications.

-0003 February 2012 Fourth edition. Updated for the 1.1.2 software release. See What’s new in this manual on page 6 for a

description of changes in this edition.

©2011‐2012byRadiSysCorporation.Allrightsreserved.

RadisysisaregisteredtrademarkofRadiSysCorporation.AdvancedTCA,ATCA,andPIGMGareregisteredtrademarksofPCIIndustrial

ComputerManufacturersGroup.

Allothertrademarks,registeredtrademarks,servicemarks,andtradenamesarethepropertyoftheirrespectiveowners.

Table of Contents

Preface ................................................................................................................................................ 6

About this manual........................................................................................................................................6

What’s new in this manual...........................................................................................................................6

Where to get more product information.......................................................................................................6

Related documents......................................................................................................................................7

Notational conventions................................................................................................................................7

Chapter 1: Overview........................................................................................................................... 8

SEG overview..............................................................................................................................................8

SEG architecture.........................................................................................................................................8

Chapter 2: Management................................................................................................................... 12

Management access .................................................................................................................................12

Date and time............................................................................................................................................33

Licensing...................................................................................................................................................37

Backup and restore ...................................................................................................................................39

Crashdumps..............................................................................................................................................42

Statistics....................................................................................................................................................44

Events and logging....................................................................................................................................47

Chapter 3: Addressing..................................................................................................................... 54

Interfaces...................................................................................................................................................54

ARP...........................................................................................................................................................58

Address books...........................................................................................................................................63

IPv6 support..............................................................................................................................................66

DNS...........................................................................................................................................................70

Chapter 4: Address Translation...................................................................................................... 73

Overview....................................................................................................................................................73

NAT...........................................................................................................................................................73

SAT ...........................................................................................................................................................78

Chapter 5: Routing .......................................................................................................................... 86

Principles of routing ..................................................................................................................................86

Static routing..............................................................................................................................................91

Chapter 6: Firewall........................................................................................................................... 96

IP rules......................................................................................................................................................96

Services...................................................................................................................................................103

Access rules............................................................................................................................................107

Internet access........................................................................................................................................110

Chapter 7: IPsec VPN .................................................................................................................... 113

Overview..................................................................................................................................................113

IPsec components...................................................................................................................................117

Setting up IPsec tunnels .........................................................................................................................135

NAT traversal...........................................................................................................................................138

CA server access....................................................................................................................................140

IPsec troubleshooting .............................................................................................................................143

Chapter 8: Authentication.............................................................................................................. 153

Authentication profiles.............................................................................................................................153

RADIUS authentication ...........................................................................................................................154

The radiussnoop command ....................................................................................................................156

Chapter 9: High Availability........................................................................................................... 157

Overview .................................................................................................................................................157

HA mechanisms .....................................................................................................................................159

Setting up HA .........................................................................................................................................161

HA issues ...............................................................................................................................................166

Chapter 10: Advanced Settings .................................................................................................... 168

Flow timeout settings ..............................................................................................................................168

Length limit settings ................................................................................................................................169

Fragmentation settings ...........................................................................................................................171

Local fragment reassembly settings .......................................................................................................176

Chapter 11: I-WLAN........................................................................................................................ 177

I-WLAN overview ....................................................................................................................................177

GTP tunnels.............................................................................................................................................178

Interface stitching....................................................................................................................................181

Using IP rules .........................................................................................................................................182

Adding client routing................................................................................................................................182

Certificates with I-WLAN .........................................................................................................................183

Support for multiple GGSNs....................................................................................................................184

I-WLAN use case ....................................................................................................................................184

Appendix A: Glossary of Terms.................................................................................................... 185

Appendix B: OSI Model.................................................................................................................. 197

Overview .................................................................................................................................................197

Preface

About this manual

ThismanualdescribestheRadisysSEG,ahighlyscalablesecuritygatewayoptimizedforLong

TermEvolution(LTE)deployments.ThismanualintroducesSEGsoftwareconceptsandserves

asareferenceforproceduralandusageinformation.

Thetargetaudienceforthismanualisadministratorswhoareresponsibleforconfiguringand

managingtheSEGanditsoperatingsystem.Itisassumedthattheadministratorshavebasic

knowledgeofnetworksandnetworksecurity.

What’s new in this manual

•AddedtroubleshootingwithICMPpingonpage25.

• Changedthetypesofauthenticationavailableonpage153.

• UpdatedverifyingHAsynchronizationonpage165.

Where to get more product information

VisittheRadisyswebsiteatwww.radisys.comforproductinformationandotherresources.

Downloads(manuals,releasenotes,software,etc.)areavailableat

www.radisys.com/downloads.

SeethefollowingresourcesforinformationontheSEGnotdescribedinthismanual:

•TheSEG‐100GettingStartedGuidedescribeshowtosetuptheSEG‐100modulesandthe

SEG‐11002system,andhowtoconfiguretheSEGsoftwareforinitialuse.

•TheSEG‐100CommandLineInterfaceReferencedescribestheSEGcommandline

interfaceandservesasareferenceforcommandsyntaxandoptions.

•TheSEG‐100LogReferencedescribesalllogmessagesgeneratedbytheSEG.

•TheSEG‐100StatisticsReferencedescribesallstatisticalvaluesandassociatedparameters

thataremaintainedbytheSEG.

•TheSEG‐100TTGInterfaceReferencedescribestheinterfacesfortheSEGTunnel

TerminatingGateway(TTG).

Preface

Related documents

RFC791,InternetProtocol,IETF,September1981.

RFC1191,PathMTUDiscovery,IETF,November1990.

RFC1305,NetworkTimeProtocol(Version3),IETF,March1992.

RFC1321,TheMD5Message‐DigestAlgorithm,IETF,April1992.

RFC1777,LightweightDirectoryAccessProtocol,IETF,March1995.

RFC1918,AddressAllocationforPrivateInternets,IETF,February1996.

RFC2030,SimpleNetworkTimeProtocol(SNTP)Version4forIPv4,IPv6andOSI,IETF,

October1996.

RFC2138,RemoteAuthenticationDialInUserService(RADIUS),IETF,April1997.

RFC2139,RADIUSAccounting,IETF,April1997.

RFC2251,LightweightDirectoryAccessProtocol(v3),IETF,December1997.

RFC2401,SecurityArchitecturefortheInternetProtocol,IETF,November1998.

RFC2406,IPEncapsulatingSecurityPayload(ESP),IETF,November1998.

RFC2460,InternetProtocol,Version6(IPv6)Specification,IETF,December1998.

RFC3947,NegotiationofNAT‐TraversalintheIKE,IETF,January2005.

RFC4306,InternetKeyExchange(IKEv2)Protocol,IETF,December2005.

RFC5905,NetworkTimeProtocolVersion4:ProtocolandAlgorithmsSpecification,IETF,June

2010.

Notational conventions

Thismanualusesthefollowingconventions

Allnumbersaredecimalunlessotherwisestated.

ItalicText File,function,andutilitynames.

MonoText Screentextandsyntaxstrings.

BoldMonoText Acommandtoenter.

ItalicMonoText Variableparameters.

Brackets[] Commandoptions.

Curlybraces{}Agroupedlistofparameters.

Verticalline|An“OR”inthesyntax.Indicatesachoiceofparameters.

Chapter

Overview

SEG overview

TheRadisysSEGisarobusttelecomsecuritygatewaybasedonNetworkDomainSecurity

(NDS)standardsthatprovidesstatefulfirewallingandIPsectunnelinginasingleplatform.The

SEGcanbeusedtosecureanylargeIPbasednetwork.Initsfirstrelease,theSEGistargeted

foruseasasecuritygatewaybetweeninfrastructureelementsinLTEAccess/BackhaulandLTE

EvolvedPacketCorenetworks.Insubsequentreleases,theSEGwillsupportcurrent

generation(2G/3G)wirelessoffloadapplicationslikeI‐WLAN,UMA/GANandFemtocellthat

areevolvingtoLTE.Itisalsoideallysuitedforhighperformanceandnext‐genfirewalling

scenarios.

TheRadisysSEGisbuiltaroundthecarrier‐gradeAdvancedTelecommunicationsComputing

Architecture(ATCA),andoffersworld‐classsecurityfeatureswithmulti‐gigabitthroughput

andperformance.ThemaincomponentoftheRadisysSEGistheSEG‐100securitymodule,a

fullycontainedsecuritygatewayresidingonanATCAmodule.TheSEG‐100canbedeployedin

astandaloneSEG‐11002system,orintegratedintootherATCAbasednetworkelements.Both

standaloneandintegratedconfigurationssupportcarriergradehighavailabilitywith

redundanthardwareandsophisticatedfaulttolerantsoftware.

TheSEG‐11002isa2U,2‐slotATCAsystem,ideallysuitedforinitialtrialsandsmall‐to‐

mediumsizedeployments.ItcontainsoneortwoSEG‐100modules,andcanbeconfiguredas

ahighavailabilitysystem,withactiveandpassiveSEG‐100sprovidingfullstatefulredundancy

forIPsectunnelsandpacketflows.

TheSEGsecuritysoftwareisbasedonaproprietaryoperatingcorewithasmallattacksurface,

makingtheapplicationprocessinghighlysecureandefficient.Thesoftwareprocessesmillions

ofconcurrentIPpacketflowsinrealtime,whileapplyingarichsetoffirewallingrulesand

routingpolicies.ItalsosetsupVPN/IPsectunnels,usingsecurekeysandapplyingadvanced

dataintegrityandencryptiontechniques.

SEG architecture

TheSEGarchitectureiscenteredontheconceptofflows.TraditionalIProutersorswitches

commonlyinspectallpacketsandthenperformforwardingdecisionsbasedoninformation

foundinthepacketheaders.Withthisapproach,packetsareforwardedwithoutanysenseof

context,whicheliminatesanypossibilitytodetectandanalyzecomplexprotocolsandenforce

correspondingsecuritypolicies.

Overview

Stateful inspection

TheSEGemploysatechniquecalledstatefulinspectionwhichmeansthatitinspectsand

forwardstrafficonaper‐flowbasis.TheSEGdetectswhenanewflowbetweenasourceand

destinationisbeingestablished,andkeepsinformationabouttheflowoveritslifetime.By

doingthis,theSEGisabletounderstandthecontextofnetworktraffic,enablingittoperform

avarietyofimportantfunctions.

Thestatefulinspectionapproachadditionallyprovideshighthroughputperformancewiththe

addedadvantageofadesignthatishighlyscalable.TheSEGsubsystemthatimplements

statefulinspectionissometimesreferredtoastheSEGstate‐engine.

Allflowshaveaspecifiedidlelifetime,afterwhichtheyareremovedfromtheflowtable.

Basic building blocks

Fromtheadministrator’sviewpoint,thebasicSEGbuildingblocksare:

•InterfacessuchasphysicalEthernetinterfacesorlogicalVPNtunnels.

•LogicalobjectsthatareindividuallogicaldefinitionswithintheSEG.Forexample,Address

objectscanbedefinedintheAddressBooktogivelogicalnamestoIPandothertypesof

addresses.

•Rulesetsthatmakeupthesecuritypoliciesthatyouwanttoimplement.TheseincludeIP

rules.

Thesethreetypesofbuildingblocksarediscussednext.

Interfaces

Interfacesarethedoorwaysthroughwhichnetworktrafficentersorleavesthesecurity

gateway.Withoutinterfaces,anSEGsystemhasnomeansforreceivingorsendingtraffic.

ThefollowingtypesofinterfacearesupportedintheSEG:

•Physicalinterfaces

ThesecorrespondtotheactualphysicalEthernetinterfaceportsthroughwhichtraffic

arrivesandleavesthehardwareplatformrunningtheSEG.

• Tunnelinterfaces

UsedforreceivingandsendingtrafficthroughVPNtunnels.Thesearetreatedaslogically

equivalenttophysicalinterfaceswhenyouconfiguretheSEG.Forexample,arouteinan

SEGroutingtablecouldspecifyeitheraphysicalortunnelinterfaceasthedestinationfor

aparticularnetwork.

TheSEGinterfacedesignissymmetric,meaningthattheinterfacesofthedevicearenotfixed

asbeingonthe“insecureoutside”or“secureinside”ofanetworktopology.Thenotionof

whatisinsideandoutsideiscompletelyforyoutodefine.

Overview

Logical objects

Youcanconsiderlogicalobjectstobepredefinedbuildingblocksforuseinrulesets.For

example,theaddressbookcontainsnamedobjectsrepresentinghostandnetworkaddresses.

Anotherexampleoflogicalobjectsareservicesthatrepresentspecificprotocolandport

combinations.

SEG rule sets

Finally,ruleswhicharedefinedbytheadministratorinthevariousrulesetsareusedfor

actuallyimplementingSEGsecuritypolicies.ThemostfundamentalsetofrulesaretheIP

Rules,whichareusedtodefineLayer3IPfilteringpolicies.

Basic packet flow

ThissectionoutlinesthebasicflowforpacketsreceivedandforwardedbytheSEG.The

followingdescriptionissimplifiedandmightnotbefullyapplicableinallscenarios,however,

thebasicprincipleswillbevalidforallSEGdeployments.

1. AnEthernetframeisreceivedononeoftheEthernetinterfacesinthesystem.Basic

Ethernetframevalidationisperformedandthepacketisdroppediftheframeisinvalid.

2. TheIPdatagramwithinthepacketispassedontotheSEGconsistencychecker.The

checkerperformsanumberofconsistencychecksonthepacket,includingvalidationof

checksums,protocolflags,packetlengthandsoon.Iftheconsistencychecksfail,the

packetgetsdroppedandtheeventislogged.

3. TheSEGnowtriestolookupanexistingflowbymatchingparametersfromtheincoming

packet.Anumberofparametersareusedinthematchattempt,includingthesource

interface,sourceanddestinationIPaddresses,andIPprotocol.Ifamatchcannotbe

found,aflowestablishmentprocessstarts.

4. TheAccessRulesareevaluatedtofindoutifthesourceIPaddressofthenewflowis

allowedonthereceivedinterface.IfnoAccessRulematchesthenareverseroutelookup

willbedoneintheroutingtables.

Inotherwords,bydefault,aninterfacewillonlyacceptsourceIPaddressesthatbelongto

networksroutedoverthatinterface.Areverselookupmeansthatalookupisdoneinthe

routingtablestoconfirmthatarouteexiststhatwouldroutetrafficdestinedfortheIP

addressoverthatinterface.

IftheAccessRulelookupdeterminesthatthesourceIPisinvalid,thepacketisdropped

andtheeventislogged.

5. Aroutelookupismadeusingtheroutingtable.Thedestinationinterfacefortheflowhas

nowbeendetermined.

Table of contents

Other RadiSys Gateway manuals

RadiSys

RadiSys PM6264S ONT User manual

Popular Gateway manuals by other brands

Telecom FM

Telecom FM onestream gfx Programming guide

UfiSpace

UfiSpace LoRa GPE810U Quick setup guide

Merak

Merak MMk-736F Quick setup guide

Robustel

Robustel R3010 user guide

turck

turck BL20-PG-EN-V3 user manual

IBM

IBM Security Web Gateway Appliance quick start guide

SSS Siedle

SSS Siedle Smart Gateway Commissioning instructions

ADTRAN

ADTRAN 424RG Installation

Chorus

Chorus Hyperfibre XGS-250WX-A user guide

Dragino

Dragino G308 user manual

Data Domain

Data Domain DD690g Installation and setup guide

Raritan

Raritan Laptop Release notes

Haivision

Haivision Torpedo quick start guide

ATCOM

ATCOM AG-268 user manual

LST

LST M500RFE-AS Specification sheet

Vega

Vega VEGA BS-3 user manual

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

RadiSys SEG-100 Instruction Manual

Popular Gateway manuals by other brands