Secure FND Server
Secure Friendly Net Detection Server July 2006
Disclaimer

Considerable care has been taken in the preparation and publication of this manual; nevertheless, errors in content, typographical or otherwise, may occur. If you have any comments or recommendations concerning the accuracy, please contact NCP. NCP makes no representations or warranties with respect to the contents or use of this manual, and explicitly disclaims all expressed or implied warranties of merchantability or use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the content at any time, without obligation to notify any person or entity of such revisions and changes.

Copyright

This manual is the sole property of NCP and may not be copied for resale or commercial distribution, or translated into another language, without the express written permission of NCP engineering GmbH, Dombühler Str. 2, D-90449 Nürnberg, Germany.

Trademarks

All trademarks or registered trademarks appearing in this manual belong to their respective owners.

© 2006 NCP engineering GmbH. All rights reserved.

NCP engineering GmbH
Network Communications Products engineering GmbH, GERMANY

Headquarters:
Dombühler Straße 2
D-90449 Nürnberg
Tel.: +49-911-99680
Fax: +49-911-9968 299
Internet: http://www.ncp.de
E-mail: info@ncp.de
Support

NCP offers support for all international users by means of fax and Internet mail.

Fax Hotline Number: +49 911 99 68 458
Internet Mail Address: support@ncp.de

When contacting NCP with your problems or queries, please include the following information:
  exact product name
  serial number
  version number
  accurate description of your problem
  any error message(s)

NCP will do its best to respond as soon as possible, but we do not guarantee a fixed response period.
Contents

NCP Friendly Net Detection ... 7
1. Installation ... 8
2. Configuration ... 9
  2.1 [General] ... 9
    LogLevel ... 9
    LogPath ... 9
    Port ... 9
    LocalIPAddress ... 9
    PKCS12FileName ... 10
    PKCS12Pin ... 10
  2.2 [SysLog] ... 11
  2.3 [FND-USER 1] ... 12
    Enabled ... 12
    UserName ... 12
    Password ... 12
    EAP-Type ... 12
    Forming groups ... 12
    IP-Range ... 13
  2.4 [FND-USER 2] ... 14
    Enabled ... 14
    UserName ... 14
    EAP-Type ... 14
    IP-Range ... 14
3. Configuration on the Client ... 15
  3.1 Basic Settings ... 15
  3.2 Filter Rules ... 16
  3.3 Automatic Friendly Network Detection ... 17
    IP address of the service for detection of friendly nets ... 17
    User name, password (FNDS) ... 17
    User (subject) of the incoming certificate ... 18
    Issuer certificate fingerprint ... 18
    Friendly Net Detection via TLS ... 18
4. Configuration on the Management Console ... 19
5. Starting the NCPFND Service ... 21
  5.1 Uninstalling ... 22
  5.2 Test ... 22
NCP Friendly Net Detection

Friendly Net Detection (FND) is a classic client/server application. The server (FND Server) is a service that must be installed separately; because it is completely independent of the VPN gateway, it can be installed on any computer within the network. The client (FND Client) is part of the NCP Secure Client software and is configured in the firewall settings.

The operating principle of Friendly Net Detection is based on established standards. These standards ensure the security of the system and safeguard against the errors that frequently occur with proprietary solutions.

The prerequisite for using Friendly Net Detection is installation of the FND Server in a network that has been declared a Friendly Net. This service must then be reachable from all network connections, i.e. it may be necessary to change the firewall rules. If an employee operates his end device directly on the corporate network, the Secure Client (configured for automatic Friendly Net Detection) attempts to contact the configured FND Server. If the FND Server is reached and authenticated, the system confirms that the computer is located in a friendly network, and the firewall rules pre-configured for this network are activated automatically.

The standardized authentication protocols EAP-MD5 (RFC 2284) and EAP-TLS (RFC 2716) form the basis. Note, however, that only the server is authenticated by the client; the client itself is not authenticated.
1. Installation

The software for the NCP Friendly Net Detection Server can be downloaded from the NCP web site. It consists of five files that you can copy into any directory on a PC connected to a network that has been defined as a Friendly Net. The files have the following functions:

  ncpfnd.exe    service program (Friendly Net Detection Server)
  fndtest.exe   test client
  ncpfnd.conf   configuration file
  vpngw.p12     PKCS#12 file (soft certificate)
  readme.txt    command description

After the files have been copied, the service can be installed. Go to the installation directory and use the command:

  ncpfnd -install

After successful installation the following message appears:

  Service successfully installed

The NCPFND service must be listed under Services in the Administrative Tools of the system with startup type "Automatic"; it will then start automatically after the PC boots (see below, Starting the NCPFND Service).
2. Configuration

Configure the FND Server by editing the configuration file ncpfnd.conf, which is divided into the following sections.

2.1 [General]

The most important parameters for the FNDS service are described in this section.

  LogLevel = 0
  LogPath = .\log
  Port = 12521
  #LocalIpAddr = 192.168.1.1
  Pkcs12FileName = .\vpngw.p12
  Pkcs12Pin = 1234

LogLevel
Usually the LogLevel is set to "0" so that no log messages are written. Log messages are only required for maintenance purposes.

LogPath
The LogPath is the current directory of the FNDS software. It is only required for maintenance purposes.

Port
Port 12521 is pre-set as the standard port for the FND service and should not be changed.

LocalIPAddress
LocalIpAddr, the local IP address, only needs to be entered if the computer has multiple IP addresses and the service should respond only on the entered address. In the standard setting this line is commented out with #. If an IP address is entered here, it must match one of the IP addresses used in the client's firewall settings under Friendly Nets as the IP address of the service for detection of friendly nets (see below, Configuration on the Client). This means that this FND Server must be reachable at the IP address specified in the client configuration.

PKCS12FileName
Pkcs12FileName specifies the PKCS#12 file (soft certificate) containing the certificate that the FND Server presents to the client. The sample configuration refers to the NCP test certificate vpngw.p12 supplied with the software.

PKCS12Pin
Pkcs12Pin must be set to the PIN of the certificate stored in that file. The PIN "1234" only applies to the NCP test certificate.
2.2 [SysLog]

After configuration of this section, log messages can be transferred to a Syslog server.

  Host = 192.168.1.1
  Port = 514
  LogEnabled = 0
  LogFacility = 24001
  TraceEnabled = 0
  TraceFacility = 24002

By default the Syslog server (at the specified IP address) is addressed via UDP port 514. Messages are generated if LogEnabled and/or TraceEnabled are set to "1". The log and trace messages are identified on the Syslog server by LogFacility and TraceFacility respectively.
2.3 [FND-USER 1]

This section of the sample configuration specifies MD5 as the authentication protocol. This means that the user name and password in the client's firewall settings must agree with the user name and password entered here.

  Enabled = 1
  UserName = testmd5
  Password = testmd5
  EAP-TYPE = MD5
  #IP-Range1 = 192.168.1.2-192.168.1.127
  #IP-Range2 = 192.168.1.128-192.168.1.254

Enabled
Setting Enabled to "1" switches on MD5 authentication for this section; "0" switches it off.

UserName
UserName corresponds to the parameter User name in the client's firewall settings under the header Friendly Nets.

Password
Password corresponds to the parameter Password in the client's firewall settings under the header Friendly Nets.

EAP-Type
You can choose between the authentication protocols MD5 and TLS as EAP type. If MD5 is selected as EAP type, then UserName and Password must be entered as described above.

Forming groups
Groups can be formed by matching UserName and Password with the corresponding parameters in the clients' firewall settings. To do this, duplicate the [FND-USER 1] section of the configuration file and enter different values for UserName and Password in the duplicated section; these values must then also be entered in the configurations of the clients belonging to that group.

IP-Range
The IP ranges describe the IP addresses from which the FND Server accepts requests. These can be individual IP addresses or address ranges. If these ranges are commented out with #, then all addresses from the LAN are allowed.
2.4 [FND-USER 2]

This section of the sample configuration specifies TLS as the authentication protocol. This means that the user name in the client's firewall settings must agree with the UserName entered here; a password is not required. In addition, for authentication via TLS the issuer certificate, or all certificates necessary for validation of the FNDS certificate, must be available to the client. Moreover, the fingerprint of the issuer certificate and the user (subject) of the FNDS certificate can be configured on the client. This prevents a knowledgeable user from simulating a friendly net at home (see below, Configuration on the Client).

  Enabled = 1
  UserName = testtls
  EAP-TYPE = TLS
  #IP-Range1 = 192.168.1.2-192.168.1.127
  #IP-Range2 = 192.168.1.128-192.168.1.254

Enabled
Setting Enabled to "1" switches on TLS authentication for this section; "0" switches it off.

UserName
UserName corresponds to the parameter User name in the client's firewall settings under the header Friendly Nets.

EAP-Type
You can choose between the authentication protocols MD5 and TLS as EAP type. If TLS is selected as EAP type, it suffices to enter a UserName, as described above.

IP-Range
The IP ranges describe the IP addresses from which the server accepts requests. These can be individual IP addresses or address ranges. If these ranges are commented out with #, then all addresses from the LAN are allowed.
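The rules scattered across sections 2.1 to 2.4 (standard port, test-certificate PIN, MD5 needing a Password while TLS does not, and IP-Range lines that, when commented out, admit every LAN address) can be checked mechanically before a configuration is deployed. The following Python script is an added example written for this manual, not NCP code and not part of the ncpfnd distribution. It assumes ncpfnd.conf is plain INI text as quoted above (sections in square brackets, # for comments, IP-Range entries either a single address or "low-high"); the sample configuration embedded in the script is constructed from the values the manual quotes, and the findings it produces are this example's own, not messages of the NCPFND service.

```python
import configparser
import ipaddress
from typing import List, Tuple

# Constructed sample of ncpfnd.conf, built from the values the manual quotes
# for the [General], [SysLog], [FND-USER 1] and [FND-USER 2] sections.
SAMPLE_CONF = r"""
[General]
LogLevel = 0
LogPath = .\log
Port = 12521
#LocalIpAddr = 192.168.1.1
Pkcs12FileName = .\vpngw.p12
Pkcs12Pin = 1234

[SysLog]
Host = 192.168.1.1
Port = 514
LogEnabled = 0
LogFacility = 24001
TraceEnabled = 0
TraceFacility = 24002

[FND-USER 1]
Enabled = 1
UserName = testmd5
Password = testmd5
EAP-TYPE = MD5
#IP-Range1 = 192.168.1.2-192.168.1.127
#IP-Range2 = 192.168.1.128-192.168.1.254

[FND-USER 2]
Enabled = 1
UserName = testtls
EAP-TYPE = TLS
#IP-Range1 = 192.168.1.2-192.168.1.127
#IP-Range2 = 192.168.1.128-192.168.1.254
"""

STANDARD_PORT = "12521"   # manual: pre-set standard port, should not be changed
TEST_PIN = "1234"         # manual: PIN that only applies to the NCP test certificate

IpRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse ncpfnd.conf text; '#' lines are comments, key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys such as EAP-TYPE exactly as written
    cp.read_string(text)
    return cp


def parse_ip_ranges(section: configparser.SectionProxy) -> List[IpRange]:
    """Collect IP-Range1, IP-Range2, ... as (low, high) address pairs.
    A single address becomes a range of one; commented-out lines are invisible
    to the parser and therefore yield no entry at all."""
    ranges: List[IpRange] = []
    for key, value in section.items():
        if not key.upper().startswith("IP-RANGE"):
            continue
        low, sep, high = value.partition("-")
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip()) if sep else lo
        if hi < lo:
            raise ValueError(f"{key}: range end {hi} precedes start {lo}")
        ranges.append((lo, hi))
    return ranges


def ip_allowed(ranges: List[IpRange], client_ip: str) -> bool:
    """Manual rule: with no IP-Range lines, every LAN address is accepted."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def validate(cp: configparser.ConfigParser) -> List[str]:
    """Return the findings a reviewer would want to see before deployment."""
    findings: List[str] = []
    general = cp["General"]
    if general.get("Port", STANDARD_PORT) != STANDARD_PORT:
        findings.append("General: Port differs from the standard port 12521")
    if general.get("Pkcs12Pin") == TEST_PIN:
        findings.append("General: Pkcs12Pin is the NCP test-certificate PIN")
    for name in cp.sections():
        if not name.upper().startswith("FND-USER"):
            continue
        sec = cp[name]
        if sec.get("Enabled", "0") != "1":
            continue                      # disabled section, nothing to check
        eap = sec.get("EAP-TYPE", "").upper()
        if not sec.get("UserName"):
            findings.append(f"{name}: UserName is missing")
        if eap == "MD5" and not sec.get("Password"):
            findings.append(f"{name}: EAP-TYPE MD5 requires a Password")
        elif eap not in ("MD5", "TLS"):
            findings.append(f"{name}: unknown EAP-TYPE {eap!r}")
        try:
            if not parse_ip_ranges(sec):
                findings.append(f"{name}: no IP-Range set, all LAN addresses accepted")
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings


if __name__ == "__main__":
    for line in validate(load_conf(SAMPLE_CONF)):
        print(line)
```

Run against the sample configuration, the script reports the test PIN and the two sections whose IP-Range lines are commented out; a section that enables MD5 without a Password is reported as well. The range check mirrors the manual's rule that an empty IP-Range list means "accept everything", which is the case worth noticing during review.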
3. Configuration on the Client

The prerequisite for using Friendly Net Detection is installation of the FND Server in a network that has been declared a Friendly Net. This service must then be reachable from all network connections, i.e. it may be necessary to change the firewall rules. If an employee operates his end device directly on the corporate network, the Secure Client (configured for automatic Friendly Net Detection) attempts to contact the configured FND Server. If the FND Server is reached and authenticated, the system confirms that the computer is located in a friendly network, and the firewall rules pre-configured for this network are activated automatically.

3.1 Basic Settings

The NCP Secure Client's integrated Personal Firewall enables extremely flexible organization of firewall rules. It is thus possible to define rules derived from a blocked base setting (everything that is not explicitly allowed is prohibited) or from an open base setting (everything that is not explicitly prohibited is allowed). Normally the blocked base setting is selected.
3.2 Filter Rules

Depending on the base setting, network packets can be filtered according to certain criteria, for example:

  Sender address
  Recipient address
  Protocol (IP, UDP, ICMP, etc.)
  Application program

See the detailed description in the Secure Client manual for information on configuring the firewall rules.

The criteria specified in the Security Policy define precisely what a user is and is not allowed to do from his computer in a network, e.g. Intranet, central data network (corporate network), Internet, etc. The Security Policy is usually created and maintained by the network administrator. So that a user cannot circumvent this security policy by deactivating, deleting or changing firewall rules, Secure Enterprise Management can block access to these configuration parameters. This also applies to users with administrator rights, i.e. regardless of the rights in the system environment. For more information see the section "Configuration on the Management Console".
3.3 Automatic Friendly Network Detection

To activate automatic detection of friendly nets, select the appropriate function in the firewall settings under the header Friendly Nets. The accompanying figure shows an MD5 configuration; compare the description of the server configuration section 2.3 [FND-USER 1].

IP address of the service for detection of friendly nets
The Friendly Net Detection Server (FNDS), which must be installed in a network defined as a Friendly Net, is required. This server must be reachable via IP, and its IP address must be entered here. This IP address corresponds to "LocalIpAddr" in the [General] section of the configuration file ncpfnd.conf (see above). For redundancy, the IP address of a second FND Server can be entered after a semicolon. In this case, ensure that an appropriate configuration file ncpfnd.conf is also available on the second FND Server. If the client is in the friendly net, it attempts to reach the first FND Server three times at 3-second intervals. If contact cannot be established, the second IP address is tried.

User name, password (FNDS)
The Friendly Net Detection Server is authenticated via MD5 or TLS. The user name and password entered here must agree with those stored on the FNDS. With MD5, authentication uses user name and password; with TLS a password is not required. User name and Password correspond to UserName and Password in the sections [FND-USER 1] and [FND-USER 2] of the configuration file ncpfnd.conf.

The accompanying figure shows a TLS configuration; compare the description of the server configuration section 2.4 [FND-USER 2].

User (subject) of the incoming certificate
The incoming certificate of the FNDS is checked for this string. Only if it matches is the connected network recognized as a friendly net. The appropriate issuer certificate, or all certificates necessary for validation of the incoming FNDS certificate, must be available on the client in the CaCerts subdirectory of the installation directory.

Issuer certificate fingerprint
For maximum protection against forgery, you can specify that the fingerprint of the issuer certificate must be checked. The fingerprint must agree with the hash value entered here.

Friendly Net Detection via TLS
If Friendly Net Detection is performed via TLS (including authentication via the fingerprint of the issuer certificate), this issuer certificate must be located in the program directory CaCerts, and its fingerprint must agree with the one configured here. This prevents a knowledgeable user from simulating a friendly net at home.
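Section 3.3 describes two client-side decisions: the order in which the configured FND Servers are contacted (first address three times at 3-second intervals, then the second address), and, for TLS, the requirement that both the certificate subject and the issuer-certificate fingerprint match the configured values before the network counts as friendly. The following Python model of those decisions is an added example written for this manual; it is not NCP code and does not reproduce the Secure Client's implementation. It assumes a caller-supplied `probe(address)` function that reports whether an FND Server answered (the EAP exchange itself is not modelled), assumes chain validation against CaCerts is already done by the TLS stack, and uses SHA-1 as the fingerprint hash because the manual does not name one; the certificate bytes in the usage section are constructed placeholders, not a real certificate.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Retry behaviour the manual describes: each server is tried three times at
# 3-second intervals before the next configured address is used.
ATTEMPTS_PER_SERVER = 3
RETRY_INTERVAL_S = 3.0


def parse_server_list(field: str) -> List[str]:
    """Split the client field '192.168.1.1;192.168.2.1' into its addresses."""
    return [s.strip() for s in field.split(";") if s.strip()]


def select_fnd_server(field: str,
                      probe: Callable[[str], bool],
                      sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Return the first configured server that answers, or None if none does.
    `probe` is an assumed hook: True when the FND Server replied. `sleep` is
    injectable so the retry timing can be observed without waiting."""
    for addr in parse_server_list(field):
        for attempt in range(ATTEMPTS_PER_SERVER):
            if probe(addr):
                return addr
            if attempt < ATTEMPTS_PER_SERVER - 1:
                sleep(RETRY_INTERVAL_S)
    return None


@dataclass
class TlsPolicy:
    """Values the client stores for TLS-based detection (manual, section 3.3)."""
    expected_subject: str      # "User (subject) of the incoming certificate"
    issuer_fingerprint: str    # "Issuer certificate fingerprint", hex, ':' optional
    hash_name: str = "sha1"    # assumption: the manual does not name the hash


def fingerprint(der: bytes, hash_name: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the certificate's DER bytes."""
    hexdigest = hashlib.new(hash_name, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fp(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def friendly_net_via_tls(cert_subject: str, issuer_der: bytes, policy: TlsPolicy) -> bool:
    """Both checks must pass; a subject match alone is not enough, because a
    certificate with the right subject can be issued by any CA the attacker
    controls, and the fingerprint pins the issuer the administrator chose."""
    subject_ok = cert_subject == policy.expected_subject
    fp_ok = normalize_fp(fingerprint(issuer_der, policy.hash_name)) == \
        normalize_fp(policy.issuer_fingerprint)
    return subject_ok and fp_ok


if __name__ == "__main__":
    # Constructed stand-in for the issuer certificate's DER encoding.
    issuer_der = b"constructed-issuer-certificate-bytes"
    policy = TlsPolicy("CN=fnd.example.test", fingerprint(issuer_der))
    print(friendly_net_via_tls("CN=fnd.example.test", issuer_der, policy))  # True
    print(friendly_net_via_tls("CN=fnd.example.test", b"some-other-ca", policy))  # False

    # Only the second configured server answers; no real waiting in the demo.
    chosen = select_fnd_server("192.168.1.1;192.168.2.1",
                               probe=lambda a: a == "192.168.2.1",
                               sleep=lambda s: None)
    print(chosen)  # 192.168.2.1
```

The fingerprint is compared after stripping colons and spaces, so the value can be pasted from the client dialogue in either form. If the fingerprint hash NCP actually uses differs from SHA-1, only the `hash_name` field changes; the comparison logic stays the same.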
4. Configuration on the Management Console

So that a user cannot circumvent the security policy by deactivating, deleting or changing firewall rules, Secure Enterprise Management can block access to these configuration parameters. This also applies to users with administrator rights, i.e. regardless of the rights in the system environment.

To do this, first create one or more firewall templates in the Management Console for the desired users. This is done in precisely the same manner as in the client configuration (described above).

Then transfer the desired firewall template into the client template by selecting it in the configuration field (see Fig. above). Thereafter the rights to change the firewall settings can be assigned or blocked in the client template (see Fig. above).
5. Starting the NCPFND Service

The NCPFND service must be listed under Services in the Administrative Tools of the system with startup type "Automatic"; it will then start automatically after the PC boots. The service can also be started and stopped manually with the commands:

  net start ncpfnd

and

  net stop ncpfnd

5.1 Uninstalling

To uninstall the service, enter the command:

  ncpfnd -remove

5.2 Test

Use the program fndtest.exe to test the type of authentication set in the configuration file, without having to install a Secure Client. To do so, specify the authentication type after the command fndtest, and specify the client parameters as described under Automatic Friendly Network Detection.