NCP Secure Enterprise Server - ncp-e.com · NCP Secure Enterprise VPN Server for Linux in HA...
Transcript of NCP Secure Enterprise Server - ncp-e.com · NCP Secure Enterprise VPN Server for Linux in HA...
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 1 of 13
Release Notes
NCP Secure Enterprise VPN Server
Service Release 8.10 Build 4324 (Linux 32/64) May 2013
Prerequisites
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server
version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, ie after the VPN Server has been updated.
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
1. SuSE Linux Enterprise Server 11 SP2 2. CentOS 6.4
3. Ubuntu Server 12.04 Precise Pangolin LTS
4. Debian GNU/Linux 6.0.6 Squeeze
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
VPN Connection Aborted after IKE Phase 2 Rekeying
After expiry of the "Duration" timer (IPsec Policies - Configuration - Duration / Default 8 hours), instead of
the phase 2 re-keying being carried out, the connection was aborted. This problem has now been resolved.
3. Known Issues
None
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 2 of 13
Release Notes
Service Release 8.10 Build 049 (Linux 32/64) December 2012
Prerequisites
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, ie after the VPN Server has been updated.
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
1. openSuSE 11.4
2. openSuSE 12.1 3. SuSE Linux Enterprise Server 11
4. SuSE Linux Enterprise Server 11 SP2
5. CentOS 6.2 6. Ubuntu Server 10.04.3 Lucid Lynx LTS
7. Ubuntu Server 12.04 Precise Pangolin LTS 8. Debian GNU/Linux 5.0.8 Lenny
9. Debian GNU/Linux 6.0.5 Squeeze
1. New Features and Enhancements
The following new features have been introduced in this release:
AES CTR Encryption Algorithm
The following implementations of the AES CTR Encryption Algorithm (defined by RFC 3686) have been incorporated in the Secure VPN Server: AES CTR 128 bit, AES CTR 192 bit and AES CTR 256 bit.
AES CTR can be used in either IKE policies (Web Interface: IKE Policies / Encryption) or in IPSec policies (Web Interface: IPsec Policies / Transform), providing IKEv2 is being used.
Downloading the extracted Server Certificate
The PKCS#12 file used for authenticating server with client (Web Interface: Configuration / Server Certificates / PKCS#12 filename) contains the issuer as well as the server certificate, and, for special
applications, the server certificate can be extracted from the PKCS#12 file.
To extract the server certificate, press button located next to the filename. The server certificate will be
extracted as a crt file, and, using Windows Explorer, this can then be stored in a separate location, and its contents viewed
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 3 of 13
Release Notes
2. Improvements / Problems Resolved
None
3. Known Issues
None
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 4 of 13
Release Notes
1. New Features and Enhancements of Version 8.10 Build 029
The following new features have been introduced in this release:
New, separate switches for IKEv1 and IKEv2
Connections via IPsec Native and IPsec over L2TP can only be established if the key exchange is handled via either the IKEv1 or IKEv2 protocol. If these neither of these key exchange protocols is selected,
connections can only be established via L2Sec or L2TP.
The switches are located at the Local System level and both protocols are active by default.
IKEv2 including MobIKE
The gateway now supports IKEv2 including MobIKE. The following EAP types are supported with this
implementation:
EAP-MD5-Challenge
EAP-TLS
EAP-MSCHAP-V2
Seamless Roaming
Seamless Roaming provides the user with an “always on“ capability: in the event that a communication
medium fails, Seamless Roaming in an NCP Secure Enterprise Client (for Windows from version 9.30) automatically switches to the next available medium, choosing from LAN, WiFi and 3G. Applications that
make use of the VPN tunnel are not disturbed by the switchover from one medium to another.
This version of the NCP Secure Enterprise VPN Server includes the functionality necessary to support Seamless Roaming at the NCP Secure Clients.
Seamless Roaming – Force Single VPN Connection
This switch (in HA Server) prevents multiple VPN connections, from a single NCP Secure Client, remaining
open when Seamless Roaming is in operation.
When the option "Force single VPN connection" under "General" is set (the default state) and a VPN connection request is received at a gateway, that gateway sends a message to all other gateways in the
load balancing/HA group, indicating that this Secure Client is now connected to gateway x and all other tunnels established for this Secure Client must be terminated.
Pre-requisites: HA Server (Linux): Version 3.03 from build xxx
Secure Enterprise VPN Server (Linux): Version 8.10 from build xxx
Server Plug-in (SEM): from build 15
Execute Endpoint Security only for NCP Clients
A feature (a switch in "Local System") has been added to enable Endpoint Security to be executed only with NCP Clients. Other clients that do not support NCP Endpoint Security, e.g. iPads, can now use the
same profile, even when Endpoint Security is enabled.
This is especially useful when, in addition to NCP Secure Clients, mixed operation is supported and, for example, iPADs with their integrated VPN Client are in use.
If this function is NOT activated, then connection requests from clients from other manufacturers, i.e. that do not support NCP Endpoint Security, or that do not fulfill the security policies will be rejected.
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 5 of 13
Release Notes
IP Address Assignment by DHCP [Domain Groups]
The VPN gateway can automatically assign an available address to each Client when that Client connects to the gateway. This address can be assigned either from a pool or by means of IP address assignment
from a DHCP server, and is assigned for the duration of the session. A Domain Group can contain the configuration details of one DHCP server (with IP address and DHCP Source IP Address).
FIPS Inside
The Secure Enterprise VPN Server incorporates cryptographic algorithms conformant to the FIPS standard. The embedded cryptographic module incorporating these algorithms has been validated as
conformant to FIPS 140-2 (certificate #1051).
FIPS conformance will always be maintained when any of the following algorithms are used for
establishment and encryption of the IPsec connection:
Diffie Hellman Group: Group 2 or higher (DH starting from a length of 1024 Bit)
Hash Algorithms: SHA1, SHA 256, SHA 384, or SHA 512 Bit
Encryption Algorithms: AES with 128, 192 or 256 Bit or Triple DES
IF-MAP
The ESUKOM project aims to develop a real-time security solution for enterprise networks that works
based upon the correlation of metadata. A key challenge for ESUKOM is the steadily increasing adoption of mobile consumer electronic devices (smartphones) for business purposes which generate new threats
for enterprise networks ESUKOM focuses on the integration of available and widely deployed security measures (both commercial and open source) based upon the IF-MAP (Interface for Metadata Access
Points) specification from the Trusted Computing Group (TCG).
As of release 8.10 of the NCP Secure Server, the IF-MAP Server in Hannover University can be used, cost free, for test purposes. The URL is http://trust.inform.fh-hannover.de.
Realtime Enforcement through the IF-MAP Protocol
Using IF-MAP Protocol Events, the Server can trigger an action such as disconnecting a connection or
switching the Filter Group. IF-MAP Events can be configured accordingly in the Domain Group.
Single Sign-on for SSL VPN
Single Sign-on can be used when the web server application (configured under Web Proxies) being
accessed requires the same access data as that being used by the SSL VPN client. Usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP.
Dependent on application, Single Sign-on authentication can be performed with HTTP Authentication (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or using the Post Form Method.
SSO with web applications has been tested with Outlook Web Access (OWA) 2003, 2007 and 2010, RDP
Client and CITRIX Webinterface 4.5, 5.1. SSO with port forwarding is only supported for an application that can accept parameters (username and password) via its command line.
Virtual Private Desktop
The Virtual Private Desktop is a work area (sandbox), decoupled from the underlying operating system
and made available to the user by means of the SSL VPN session. Applications started and running in this
work area, together with any files created, are disconnected from the underlying operating system. Files such as e-mail attachments are stored in the Virtual Private Desktop in a private container that is
encrypted using AES. When the SSL VPN session is terminated, all files in the container are deleted.
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 6 of 13
Release Notes
Only NCP Clients allowed
This switch ensures that connections can only be established from NCP VPN Clients. If connection establishment attempts are made from clients of other manufacturers, these will be refused. The function
can be applied globally or on a domain group basis.
Automatic Thin Client Authentication at a Proxy
If a proxy, located within the same Windows domain as the Thin Client, is being used for access to the
Internet and authentication of accesses via the proxy is handled by the HTTP Negotiate / Kerberos protocol, the details of the user’s existing domain registration at his/her associated Windows system will
be used to authenticate the connection from the Thin Client to that proxy. If all these conditions are fulfilled, authentication of the Thin Client at the proxy will be automatic. If not, the user will be presented
with the proxy’s authentication request prompt.
Note: this feature is independent of the Single Sign-on for SSL VPN functionality mentioned above.
2. Improvements / Problems Resolved
Changes to the Permissions Structure of the Web Server that Displays the Configuration Web
Interface
Web document templates can no longer be accessed by entering a complete path, unless the user has already registered the browser with the web server. Before this change, the HTML structure could be
explored and displayed without any configuration details.
The web server is now executed under the user "ncpuser" and group "ncpuser", and web documents are
readable exclusively by the user "ncpuser".
3. Known Issues
Failure to download Endpoint Policies (EP) from Secure Enterprise Management (SEM versions earlier than 3.0) to Secure Enterprise VPN Server (SES) 8.10
Endpoint policies download to a SES v8.10 will fail IF from a SEM version earlier than v3.0 AND the SES is
not managed by the SEM.
Background: SEM v2.x transmitted packets with an incorrect length. SES v8.10 now checks and ignores
packets with incorrect length. Secure Enterprise Management v3.0 has been corrected to transmit packets with correct length.
4. Getting Help for the NCP Secure Enterprise VPN Server To ensure that you always have the latest information about NCP’s products, always check the NCP
website at:
http://www.ncp-e.com/en/downloads.html
For further assistance with the NCP Secure Enterprise VPN Server, visit:
http://www.ncp-e.com/en/support.html
Mail: [email protected]
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 7 of 13
Release Notes
5. Features
Operating System
32 bit Operating System
Linux Kernel 2.6 from 2.6.16 64 bit Operating System
Linux Kernel 2.6 from 2.6.16 Linux Distributions Supported
see Prerequisites, page 1
Recommended System Requirements
Computer CPU: Pentium III (or higher) 150 MHz or comparable x86 processor, 512 MB RAM (minimum), per 250
concurrently useable tunnels 64 MB RAM.
Clock speed:
Data throughput of app. 4,5 mbit/s can be realized for each 150 MHz with a Single Core CPU
(including encryption)
Data throughput of app. 9 mbit/s can be realized for each 150 MHz with a Dual/Quad Core CPU
(including encryption). System Requirements for Concurrent SSL VPN Sessions
10 Concurrent Users (CU) CPU: Intel Pentium III 700 MHz or comparable x86 processor, 512 MB RAM
50 Concurrent Users
CPU: Intel Pentium III 1.5 MHz or comparable x86 processor, 512 MB RAM
100 Concurrent Users CPU: Intel Dual Core 1.83 GHz or comparable x86 processor, 1024 MB RAM
200 Concurrent Users
CPU: Intel Dual Core 2.66 GHz or comparable x86 processor, 1024 MB RAM
Dependent on the type of end-device. Mobile end-devices such as Tablet PCs (using iOS or Android), Smartphones, PDAs and others have some restrictions.
The above are approximate values that are significantly influenced by user activity profiles or applications. If a large number of concurrent file transfers (file upload and download) are anticipated
then we recommend increasing the memory value by 50%.
Network Protocols
IP (Internet Protocol), VLAN support
Management
The NCP Secure Enterprise VPN Server is configured and managed either via an NCP Secure Enterprise
Management using the Secure Server plug-in or directly via the Web Interface.
Network Access Control (Endpoint Security) Endpoint Policy Enforcement for incoming data connections.
Verification of predefined, security relevant Client parameters.
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 8 of 13
Release Notes
Measures in the event of target/actual deviation in IPsec VPN:
Disconnect or continue in the quarantine zone with instructions for action
Message in Messagebox or start of external applications (e.g. virus scanner update), Logging in Logfiles (see the Secure Enterprise Management data sheet for more information).
Measures in the event of attempts to perform other than just pre-defined activities in SSL VPN:
Granular reduction in access authorization to certain applications in accordance with defined
security levels. Dynamic Switching of Filter Rules dependent on Endpoint Security Requirements
(8.10) Execute Endpoint Security only for NCP Clients (8.10) IF-MAP (Interface for Metadata Access Points) Support
(8.10) Realtime Enforcement through the IF-MAP Protocol
Dynamic DNS (DynDNS/DDNS) Connection establishment via Internet with dynamic IP addresses.
Registration of each current IP address with an external Dynamic DNS provider. In this case the
VPN tunnel is established via name assignment (prerequisite: The VPN client must support DNS
resolution - NCP Secure Clients support this functionality) Extension of the Domain Name Server (DNS), reachability of the VPN client under a (permanent)
name despite a varying IP address
Periodic updating of DNS server with username and IP address of currently connected Client
Multi Company Support
Group capability,
support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter
groups, IP pools, bandwidth limitation, etc.)
User Administration Local user administration (up to 750 users),
External authentication via
OPT server
RADIUS
LDAP Support for LDAP over SSL
Novell NDS
MS Active Directory Services RADIUS, LDAP and SEM Forwarding
Statistics and Logging Detailed statistics,
Logging functionality,
Sending SYSLOG messages
Client/User Authentication Process
OTP token,
User and hardware certificates (IPsec) according to X.509 v.3,
User name and password (XAUTH)
External Authentication with LDAP Bind
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 9 of 13
Release Notes
Certificates (X.509 v.3)
Server Certificates
Certificates can be used that are provided via the following interfaces:
PKCS#11 interface for encryption tokens (USB and smart cards); PKCS#12 interface for private keys in soft certificates
Creation and Distribution of Server Certificates with SEM PKI Enrollment Plug-in
Transfer of SubCA Certificate
Server Certificates can be queried via SNMP
Revocation Lists Revocation:
EPRL (End-entity Public-key Certificate Revocation List, formerly CRL),
CARL (Certification Authority Revocation List, formerly ARL)
Online check
Automatic download of revocation lists from the CA at predefined intervals.
Online check: Checking certificates via OCSP or OCSP relative to the CA over http
IPsec VPN and SSL VPN – Connections
Transmission media
LAN
Direct operation on the WAN: Support of max. 120 ISDN B-channels (So, S)
Line management
DPD with configurable time interval
Short Hold Mode
Channel bundling (dynamic in ISDN) with freely configurable threshold value
Timeout (controlled by time and charges)
Point-to-Point protocols
PPP over ISDN,
PPP over GSM,
PPP over PSTN,
PPP over Ethernet,
LCP, IPCP, MLP, CCP, PAP, CHAP, ECP
Pool address management Reservation of an IP address from a pool for a defined period of time (lease time)
Trigger call
Direct dial of the distributed VPN gateway via ISDN, "knocking in the D-channel"
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 10 of 13
Release Notes
Virtual Private Networking with IPsec
Virtual Private Networking IPsec (Layer 3 tunneling), RFC-conformant
MTU size fragmentation and reassembly
DPD (Dead Peer Detection)
NAT-Traversal (NAT-T)
IPsec modes: Tunnel Mode, Transport Mode
Seamless Rekeying;
PFS (Perfect Forward Secrecy)
Automatic Return Route Determination (ARRD)
(8.10) Support for Seamless Roaming in NCP Secure Enterprise Clients
Internet Society RFCs and Drafts RFC 2401–2409 (IPsec)
RFC 3947 (NAT-T negotiations)
RFC 3948 (UDP encapsulation)
IP Security Architecture
ESP
ISAKMP/Oakley
IKE (v1 and v2)
(8.10) IKEv2 including MobIKE. EAP protocols supported: EAP-MD5-Challenge EAP-TLS EAP-MSCHAP-V2
XAUTH
IKECFG
DPD
NAT Traversal (NAT-T)
UDP encapsulation
IPCOMP
(8.10) FIPS Inside The Secure Enterprise VPN Server incorporates cryptographic algorithms conformant to the FIPS standard. The embedded cryptographic module incorporating these algorithms has been validated as conformant to FIPS 140-2 (certificate #1051).
FIPS conformance will always be maintained when any of the following algorithms are used for establishment and encryption of the IPsec connection:
Diffie Hellman Group: Group 2 or higher (DH starting from a length of 1024 Bit) Hash Algorithms: SHA1, SHA 256, SHA 384, or SHA 512 Bit Encryption Algorithms: AES with 128, 192 or 256 Bit or Triple DES Encryption Symmetric processes: AES 128,192,256 bits; Blowfish 128,448 bits; Triple-DES 112,168 bits;
Dynamic processes for key exchange: RSA to 4096 bits; Diffie-Hellman Groups 1,2,5,14; Hash algorithm: MD5, SHA1, SHA 256, SHA 384, SHA 512
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 11 of 13
Release Notes
Firewall
Stateful Packet Inspection
IP-NAT (Network Address Translation)
Port filtering
LAN adapter protection
VPN Path Finder
NCP Path Finder Technology: Fallback IPsec/ HTTPS (port 443) if port 500 respectively UDP encapsulation is not possible.
Authentication Processes
IKEv1 (Aggressive and Main Mode), Quick Mode
IKEv2
XAUTH for extended user authentication
Support for certificates in a PKI: Soft certificates, smart cards, and USB tokens
Pre-shared keys
One-time passwords, and challenge response systems
RSA SecurID ready.
IP Address Allocation
DHCP (Dynamic Host Control Protocol) over IPsec;
DNS: Selection of the central gateway with changing public IP address by querying the IP address
via a DNS server; IKE config mode for dynamic assignment of a virtual address to clients from the internal address
range (private IP), or (8.10) IP address assignment by DHCP
Data Compression IPCOMP (lzs), Deflate
Other Features VPN via L2TP over IPsec for Android and IPsec for Apple iOS
SSL VPN
Protocols SSLv1,
SSLv2,
TLSv1 (Application Layer Tunneling)
Web Proxy (Web Applications)
Access to internal web applications and Microsoft network drives via a web interface.
Prerequisites for the end device:
SSL-capable web browser with Java Script functionality
(8.10) Single Sign-on (SSO) for SSL VPN
Support for SSO in Web Proxy (Web Applications).
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 12 of 13
Release Notes
Single Sign-on authentication:
Web server application must require the same access data as the SSL VPN client; usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP.
Support for HTTP Authentication protocols (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or using the Post Form Method.
Supported web applications:
Predefined SSO configuration files for Outlook Web Access (OWA) 2003, 2007 and 2010, and CITRIX Webinterface 4.5 and 5.1.
Customer specific application configurations.
Secure Remote File Access (Network Sharings) Upload and download, creation and deletion of directories, corresponds approximately to the
functionalities of the Windows Explorer under Windows.
Prerequisites for the end device: See Web Proxy
SSO functionality – Network Sharing username and password can be instantiated from SSL username
and password
Port Forwarding
Access to client/server applications (TCP/IP), including web applications.
Prerequisites for the end device:
SSL-capable web-browser with Java Script support,
Java Runtime Environment (>= V5.0) or ActiveX,
SSL Thin Client for Windows 7 (32/64 bit), Windows Vista (32/64 bit), Windows XP (32/64 bit)
Support for Port Forwarding under Mac OS X
(8.10) SSO Support – application dependent. Support only for applications, such as RDP, which take username/password as command parameter.
PortableLAN Transparent access to corporate network
Prerequisites for the end device:
SSL-capable web-browser with Java Script support,
Java Runtime Environment (>= V5.0) or ActiveX control,
PortableLAN Client for Windows 7 (32/64 bit), Windows Vista (32/64 bit), Windows XP (32/64 bit)
(8.10) Virtual Private Desktop Work area (sandbox), decoupled from the underlying operating system and made available to the user by means of the SSL VPN session.
Prerequisites for the end device:
Microsoft Windows 7 (32/64 bit), Windows Vista (32/64 bit), Windows XP (32/64 bit) Applications tested under Virtual Private Desktop: Microsoft Word, Excel, Powerpoint, Outlook and
Outlook Web Access, Adobe Acrobat Reader and Flashplayer, Foxit Reader, SSH (putty) and WinZip. Detailed OS / application support matrix available on request.
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_10_Linux_4324_en.docx Technical specification subject to change
page 13 of 13
Release Notes
Cache Protection for Internet Explorer V.6, 7 and 8
Required when using Internet Explorers. All transmitted data on the end device will be deleted automatically after the connection is disconnected.
Prerequisites for the end device:
SSL-capable web-browser with Java Script support
Java Runtime Environment (>= V5.0),
SSL Thin Client for Windows 7 (32/64 bit), Windows Vista (32/64 bit) or Windows XP (32/64 bit)
Security Features
Restriction of the Cipher Suite (only AES256-SHA or DES-CBC3-SHA or AES128-SHA)
Prevention of Cross Site Scripting
Other Features
Extended SSL VPN Support for mobile end-user devices
Configuration and User Interface (SSL VPN Start Page)
The SSL service start page can be customized with company specific text and graphics
Placeholders (%SSLVPNPARAMn%) simplify the customization of complex configurations