RadiSys SEG-100 Instruction Manual

Administration Guide

SECURITY GATEWAY

SEG-100

SOFTWARE RELEASE 1.1

February 2012 007-03416-0003

Revision history

Version Date Description

-0000 August 2011 First edition.

-0001 September 2011 Second edition. Updated to include new authentication profiles, RADIUS authentication, and I-WLAN solution.

Added information on local user databases, CLI scripting, statistics, and log receivers. Made significant

updates to the NAT and SAT sections, and made other corrections and clarifications.

-0002 January 2012 Third edition. Updated for the 1.1.1 software release. Added information to the SCP, licensing, and backup

and restore sections. Added IPv6 information. Made other corrections and clarifications.

-0003 February 2012 Fourth edition. Updated for the 1.1.2 software release. See What’s new in this manual on page 6 for a

description of changes in this edition.

©2011‐2012byRadiSysCorporation.Allrightsreserved.

RadisysisaregisteredtrademarkofRadiSysCorporation.AdvancedTCA,ATCA,andPIGMGareregisteredtrademarksofPCIIndustrial

ComputerManufacturersGroup.

Allothertrademarks,registeredtrademarks,servicemarks,andtradenamesarethepropertyoftheirrespectiveowners.

Table of Contents

Preface ................................................................................................................................................ 6

About this manual........................................................................................................................................6

What’s new in this manual...........................................................................................................................6

Where to get more product information.......................................................................................................6

Related documents......................................................................................................................................7

Notational conventions................................................................................................................................7

Chapter 1: Overview........................................................................................................................... 8

SEG overview..............................................................................................................................................8

SEG architecture.........................................................................................................................................8

Chapter 2: Management................................................................................................................... 12

Management access .................................................................................................................................12

Date and time............................................................................................................................................33

Licensing...................................................................................................................................................37

Backup and restore ...................................................................................................................................39

Crashdumps..............................................................................................................................................42

Statistics....................................................................................................................................................44

Events and logging....................................................................................................................................47

Chapter 3: Addressing..................................................................................................................... 54

Interfaces...................................................................................................................................................54

ARP...........................................................................................................................................................58

Address books...........................................................................................................................................63

IPv6 support..............................................................................................................................................66

DNS...........................................................................................................................................................70

Chapter 4: Address Translation...................................................................................................... 73

Overview....................................................................................................................................................73

NAT...........................................................................................................................................................73

SAT ...........................................................................................................................................................78

Chapter 5: Routing .......................................................................................................................... 86

Principles of routing ..................................................................................................................................86

Static routing..............................................................................................................................................91

Chapter 6: Firewall........................................................................................................................... 96

IP rules......................................................................................................................................................96

Services...................................................................................................................................................103

Access rules............................................................................................................................................107

Internet access........................................................................................................................................110

Chapter 7: IPsec VPN .................................................................................................................... 113

Overview..................................................................................................................................................113

IPsec components...................................................................................................................................117

Setting up IPsec tunnels .........................................................................................................................135

NAT traversal...........................................................................................................................................138

CA server access....................................................................................................................................140

IPsec troubleshooting .............................................................................................................................143

Chapter 8: Authentication.............................................................................................................. 153

Authentication profiles.............................................................................................................................153

RADIUS authentication ...........................................................................................................................154

The radiussnoop command ....................................................................................................................156

Chapter 9: High Availability........................................................................................................... 157

Overview .................................................................................................................................................157

HA mechanisms .....................................................................................................................................159

Setting up HA .........................................................................................................................................161

HA issues ...............................................................................................................................................166

Chapter 10: Advanced Settings .................................................................................................... 168

Flow timeout settings ..............................................................................................................................168

Length limit settings ................................................................................................................................169

Fragmentation settings ...........................................................................................................................171

Local fragment reassembly settings .......................................................................................................176

Chapter 11: I-WLAN........................................................................................................................ 177

I-WLAN overview ....................................................................................................................................177

GTP tunnels.............................................................................................................................................178

Interface stitching....................................................................................................................................181

Using IP rules .........................................................................................................................................182

Adding client routing................................................................................................................................182

Certificates with I-WLAN .........................................................................................................................183

Support for multiple GGSNs....................................................................................................................184

I-WLAN use case ....................................................................................................................................184

Appendix A: Glossary of Terms.................................................................................................... 185

Appendix B: OSI Model.................................................................................................................. 197

Overview .................................................................................................................................................197

Preface

About this manual

ThismanualdescribestheRadisysSEG,ahighlyscalablesecuritygatewayoptimizedforLong

TermEvolution(LTE)deployments.ThismanualintroducesSEGsoftwareconceptsandserves

asareferenceforproceduralandusageinformation.

Thetargetaudienceforthismanualisadministratorswhoareresponsibleforconfiguringand

managingtheSEGanditsoperatingsystem.Itisassumedthattheadministratorshavebasic

knowledgeofnetworksandnetworksecurity.

What’s new in this manual

•AddedtroubleshootingwithICMPpingonpage25.

• Changedthetypesofauthenticationavailableonpage153.

• UpdatedverifyingHAsynchronizationonpage165.

Where to get more product information

VisittheRadisyswebsiteatwww.radisys.comforproductinformationandotherresources.

Downloads(manuals,releasenotes,software,etc.)areavailableat

www.radisys.com/downloads.

SeethefollowingresourcesforinformationontheSEGnotdescribedinthismanual:

•TheSEG‐100GettingStartedGuidedescribeshowtosetuptheSEG‐100modulesandthe

SEG‐11002system,andhowtoconfiguretheSEGsoftwareforinitialuse.

•TheSEG‐100CommandLineInterfaceReferencedescribestheSEGcommandline

interfaceandservesasareferenceforcommandsyntaxandoptions.

•TheSEG‐100LogReferencedescribesalllogmessagesgeneratedbytheSEG.

•TheSEG‐100StatisticsReferencedescribesallstatisticalvaluesandassociatedparameters

thataremaintainedbytheSEG.

•TheSEG‐100TTGInterfaceReferencedescribestheinterfacesfortheSEGTunnel

TerminatingGateway(TTG).

Preface

Related documents

RFC791,InternetProtocol,IETF,September1981.

RFC1191,PathMTUDiscovery,IETF,November1990.

RFC1305,NetworkTimeProtocol(Version3),IETF,March1992.

RFC1321,TheMD5Message‐DigestAlgorithm,IETF,April1992.

RFC1777,LightweightDirectoryAccessProtocol,IETF,March1995.

RFC1918,AddressAllocationforPrivateInternets,IETF,February1996.

RFC2030,SimpleNetworkTimeProtocol(SNTP)Version4forIPv4,IPv6andOSI,IETF,

October1996.

RFC2138,RemoteAuthenticationDialInUserService(RADIUS),IETF,April1997.

RFC2139,RADIUSAccounting,IETF,April1997.

RFC2251,LightweightDirectoryAccessProtocol(v3),IETF,December1997.

RFC2401,SecurityArchitecturefortheInternetProtocol,IETF,November1998.

RFC2406,IPEncapsulatingSecurityPayload(ESP),IETF,November1998.

RFC2460,InternetProtocol,Version6(IPv6)Specification,IETF,December1998.

RFC3947,NegotiationofNAT‐TraversalintheIKE,IETF,January2005.

RFC4306,InternetKeyExchange(IKEv2)Protocol,IETF,December2005.

RFC5905,NetworkTimeProtocolVersion4:ProtocolandAlgorithmsSpecification,IETF,June

2010.

Notational conventions

Thismanualusesthefollowingconventions

Allnumbersaredecimalunlessotherwisestated.

ItalicText File,function,andutilitynames.

MonoText Screentextandsyntaxstrings.

BoldMonoText Acommandtoenter.

ItalicMonoText Variableparameters.

Brackets[] Commandoptions.

Curlybraces{}Agroupedlistofparameters.

Verticalline|An“OR”inthesyntax.Indicatesachoiceofparameters.

Chapter

Overview

SEG overview

TheRadisysSEGisarobusttelecomsecuritygatewaybasedonNetworkDomainSecurity

(NDS)standardsthatprovidesstatefulfirewallingandIPsectunnelinginasingleplatform.The

SEGcanbeusedtosecureanylargeIPbasednetwork.Initsfirstrelease,theSEGistargeted

foruseasasecuritygatewaybetweeninfrastructureelementsinLTEAccess/BackhaulandLTE

EvolvedPacketCorenetworks.Insubsequentreleases,theSEGwillsupportcurrent

generation(2G/3G)wirelessoffloadapplicationslikeI‐WLAN,UMA/GANandFemtocellthat

areevolvingtoLTE.Itisalsoideallysuitedforhighperformanceandnext‐genfirewalling

scenarios.

TheRadisysSEGisbuiltaroundthecarrier‐gradeAdvancedTelecommunicationsComputing

Architecture(ATCA),andoffersworld‐classsecurityfeatureswithmulti‐gigabitthroughput

andperformance.ThemaincomponentoftheRadisysSEGistheSEG‐100securitymodule,a

fullycontainedsecuritygatewayresidingonanATCAmodule.TheSEG‐100canbedeployedin

astandaloneSEG‐11002system,orintegratedintootherATCAbasednetworkelements.Both

standaloneandintegratedconfigurationssupportcarriergradehighavailabilitywith

redundanthardwareandsophisticatedfaulttolerantsoftware.

TheSEG‐11002isa2U,2‐slotATCAsystem,ideallysuitedforinitialtrialsandsmall‐to‐

mediumsizedeployments.ItcontainsoneortwoSEG‐100modules,andcanbeconfiguredas

ahighavailabilitysystem,withactiveandpassiveSEG‐100sprovidingfullstatefulredundancy

forIPsectunnelsandpacketflows.

TheSEGsecuritysoftwareisbasedonaproprietaryoperatingcorewithasmallattacksurface,

makingtheapplicationprocessinghighlysecureandefficient.Thesoftwareprocessesmillions

ofconcurrentIPpacketflowsinrealtime,whileapplyingarichsetoffirewallingrulesand

routingpolicies.ItalsosetsupVPN/IPsectunnels,usingsecurekeysandapplyingadvanced

dataintegrityandencryptiontechniques.

SEG architecture

TheSEGarchitectureiscenteredontheconceptofflows.TraditionalIProutersorswitches

commonlyinspectallpacketsandthenperformforwardingdecisionsbasedoninformation

foundinthepacketheaders.Withthisapproach,packetsareforwardedwithoutanysenseof

context,whicheliminatesanypossibilitytodetectandanalyzecomplexprotocolsandenforce

correspondingsecuritypolicies.

Overview

Stateful inspection

TheSEGemploysatechniquecalledstatefulinspectionwhichmeansthatitinspectsand

forwardstrafficonaper‐flowbasis.TheSEGdetectswhenanewflowbetweenasourceand

destinationisbeingestablished,andkeepsinformationabouttheflowoveritslifetime.By

doingthis,theSEGisabletounderstandthecontextofnetworktraffic,enablingittoperform

avarietyofimportantfunctions.

Thestatefulinspectionapproachadditionallyprovideshighthroughputperformancewiththe

addedadvantageofadesignthatishighlyscalable.TheSEGsubsystemthatimplements

statefulinspectionissometimesreferredtoastheSEGstate‐engine.

Allflowshaveaspecifiedidlelifetime,afterwhichtheyareremovedfromtheflowtable.

Basic building blocks

Fromtheadministrator’sviewpoint,thebasicSEGbuildingblocksare:

•InterfacessuchasphysicalEthernetinterfacesorlogicalVPNtunnels.

•LogicalobjectsthatareindividuallogicaldefinitionswithintheSEG.Forexample,Address

objectscanbedefinedintheAddressBooktogivelogicalnamestoIPandothertypesof

addresses.

•Rulesetsthatmakeupthesecuritypoliciesthatyouwanttoimplement.TheseincludeIP

rules.

Thesethreetypesofbuildingblocksarediscussednext.

Interfaces

Interfacesarethedoorwaysthroughwhichnetworktrafficentersorleavesthesecurity

gateway.Withoutinterfaces,anSEGsystemhasnomeansforreceivingorsendingtraffic.

ThefollowingtypesofinterfacearesupportedintheSEG:

•Physicalinterfaces

ThesecorrespondtotheactualphysicalEthernetinterfaceportsthroughwhichtraffic

arrivesandleavesthehardwareplatformrunningtheSEG.

• Tunnelinterfaces

UsedforreceivingandsendingtrafficthroughVPNtunnels.Thesearetreatedaslogically

equivalenttophysicalinterfaceswhenyouconfiguretheSEG.Forexample,arouteinan

SEGroutingtablecouldspecifyeitheraphysicalortunnelinterfaceasthedestinationfor

aparticularnetwork.

TheSEGinterfacedesignissymmetric,meaningthattheinterfacesofthedevicearenotfixed

asbeingonthe“insecureoutside”or“secureinside”ofanetworktopology.Thenotionof

whatisinsideandoutsideiscompletelyforyoutodefine.

Overview

Logical objects

Youcanconsiderlogicalobjectstobepredefinedbuildingblocksforuseinrulesets.For

example,theaddressbookcontainsnamedobjectsrepresentinghostandnetworkaddresses.

Anotherexampleoflogicalobjectsareservicesthatrepresentspecificprotocolandport

combinations.

SEG rule sets

Finally,ruleswhicharedefinedbytheadministratorinthevariousrulesetsareusedfor

actuallyimplementingSEGsecuritypolicies.ThemostfundamentalsetofrulesaretheIP

Rules,whichareusedtodefineLayer3IPfilteringpolicies.

Basic packet flow

ThissectionoutlinesthebasicflowforpacketsreceivedandforwardedbytheSEG.The

followingdescriptionissimplifiedandmightnotbefullyapplicableinallscenarios,however,

thebasicprincipleswillbevalidforallSEGdeployments.

1. AnEthernetframeisreceivedononeoftheEthernetinterfacesinthesystem.Basic

Ethernetframevalidationisperformedandthepacketisdroppediftheframeisinvalid.

2. TheIPdatagramwithinthepacketispassedontotheSEGconsistencychecker.The

checkerperformsanumberofconsistencychecksonthepacket,includingvalidationof

checksums,protocolflags,packetlengthandsoon.Iftheconsistencychecksfail,the

packetgetsdroppedandtheeventislogged.

3. TheSEGnowtriestolookupanexistingflowbymatchingparametersfromtheincoming

packet.Anumberofparametersareusedinthematchattempt,includingthesource

interface,sourceanddestinationIPaddresses,andIPprotocol.Ifamatchcannotbe

found,aflowestablishmentprocessstarts.

4. TheAccessRulesareevaluatedtofindoutifthesourceIPaddressofthenewflowis

allowedonthereceivedinterface.IfnoAccessRulematchesthenareverseroutelookup

willbedoneintheroutingtables.

Inotherwords,bydefault,aninterfacewillonlyacceptsourceIPaddressesthatbelongto

networksroutedoverthatinterface.Areverselookupmeansthatalookupisdoneinthe

routingtablestoconfirmthatarouteexiststhatwouldroutetrafficdestinedfortheIP

addressoverthatinterface.

IftheAccessRulelookupdeterminesthatthesourceIPisinvalid,thepacketisdropped

andtheeventislogged.

5. Aroutelookupismadeusingtheroutingtable.Thedestinationinterfacefortheflowhas

nowbeendetermined.

Table of contents

Other RadiSys Gateway manuals

RadiSys

RadiSys PM6264S ONT User manual

Popular Gateway manuals by other brands

LST

LST M500RFE-AS Specification sheet

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

Mitsubishi Heavy Industries

Mitsubishi Heavy Industries Superlink SC-WBGW256 Original instructions

ZyXEL Communications

ZyXEL Communications ZYWALL2 ET 2WE user guide

Telsey

Telsey CPVA 500 - SIP Technical manual

RTA

RTA 460A-NNA4 Product user guide

Shaw

Shaw Gateway HDPVR user manual

ABB

ABB VSN900 Commissioning manual

Commander

Commander Pulse owner's manual

2N Telekomunikace

2N Telekomunikace ATEUS EasyGate 501309E manual

NETGEAR

NETGEAR C6300BD installation guide

Amit

Amit CDW531AM user guide

HMS

HMS Netbiter EasyConnect EC150 user manual

Huawei

Huawei EchoLife HG620 user guide

AT&T

AT&T U-verse 3801 Replacement self-installation guide

Logic IO

Logic IO RTCU MX2 turbo Technical manual

Suttle

Suttle MediaMAX MXM-521 installation instructions