How to secure the communication channel between Portal and ES using IPSec
Last edited Mon, 26 Mar 2007 09:17:59 GMT by Feodor Fitsner, revision 2

How to secure the communication channel between Portal and ES using IPSec with Preshared Key (PSK) Authentication Method:

  1. Add a new filter to the filter list of IP Security Policies on Local Computer:
    1. Mirrored = YES
    2. Protocol = TCP
    3. Source Port = ANY
    4. Destination Port = 9002 (or other port assigned to ES)
    5. Source Address = ANY (or IP Address of Portal, or IP Address of ES)
    6. Destination Address = My IP Address
  2. Add a new filter action to the filter action list of IP Security Policies on Local Computer:
    1. Security Methods = Negotiate Security
    2. Type = Encryption and Integrity
    3. AH Integrity = None
    4. ESP Confidentiality = 3DES
    5. ESP Integrity = SHA1
    6. Key Lifetimes = 0/0

      Note: parameters 2.1 to 2.6 are the defaults if you choose Security Type = Encryption and Integrity on the IP Traffic Security panel of the Filter Action Wizard.
  3. Add a new IP Security Rule to the list of the Assigned Policy:
    1. IP Filter List = filter created in step 1
    2. Filter Action = filter action created in step 2
    3. Authentication Method = Preshared Key
    4. Tunnel Setting = None
    5. Connection Type = All

      Note: The recommended length of the Preshared Key (PSK) is at least 25 characters.
  4. Protocols used / firewall considerations:
    1. ISAKMP (Internet Security Association and Key Management Protocol) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. All implementations must include send and receive capability for ISAKMP using UDP on port 500.
    2. ESP (Encapsulating Security Payload) can be used to provide confidentiality, data origin authentication and connectionless integrity.
    3. Testing your communication channel: using your preferred network monitor you should be able to capture the ISAKMP frames (security negotiation) followed by encrypted ESP frames (the encrypted SOAP messages).
  5. You can try other encryption/hash/authentication methods depending on your configuration/needs:
    1. The encryption algorithm: Data Encryption Standard (DES), Triple DES (3DES).
    2. The hash algorithm: MD5 (Message Digest function 5) or SHA1 (Secure Hash Algorithm 1).
    3. The authentication method (Kerberos V5, Certificate, or pre-shared key authentication).
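The same policy as steps 1 to 3, built with the netsh ipsec static context available on Windows Server 2003 / XP SP2 instead of the MMC snap-in, as an added example that is not part of the original page. The policy, filter list, filter action and rule names (ES-IPsec-*) and the PSK value are placeholders; run it on the ES machine from an elevated command prompt.

```batch
@echo off
rem Added example, not DotNetPanel's own script. Names prefixed ES-IPsec- are
rem placeholders; the PSK below must be replaced with your own random key of at
rem least 25 characters (the page's recommendation) and kept identical on both ends.
set PSK=REPLACE-WITH-A-RANDOM-PRESHARED-KEY-OF-AT-LEAST-25-CHARS

rem Step 1: filter list with a mirrored TCP filter for traffic to the ES port.
rem srcport=0 means "any"; dstaddr=me is "My IP Address" in the snap-in.
netsh ipsec static add filterlist name="ES-IPsec-Filters" description="Portal to ES"
netsh ipsec static add filter filterlist="ES-IPsec-Filters" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=9002 mirrored=yes

rem Step 2: filter action that negotiates ESP with 3DES confidentiality and
rem SHA1 integrity and no AH, i.e. the page's "Encryption and Integrity" defaults.
rem Key lifetimes are omitted, which leaves the defaults (0/0 in the wizard).
rem DES and MD5 are offered as alternatives in step 5 but are weak; keep 3DES/SHA1.
netsh ipsec static add filteraction name="ES-IPsec-Action" action=negotiate qmsecmethods="ESP[3DES,SHA1]"

rem Step 3: policy plus a rule tying filter list and action together with
rem preshared key authentication, no tunnel endpoint, all connection types.
netsh ipsec static add policy name="ES-IPsec-Policy" description="Secure the Portal to ES channel"
netsh ipsec static add rule name="ES-IPsec-Rule" policy="ES-IPsec-Policy" filterlist="ES-IPsec-Filters" filteraction="ES-IPsec-Action" kerberos=no psk="%PSK%" conntype=all

rem Assign the policy so it takes effect (only one policy is assigned per computer).
netsh ipsec static set policy name="ES-IPsec-Policy" assign=y

rem Check the stored policy, then, after the Portal has connected, confirm that
rem main mode and quick mode security associations were actually negotiated.
netsh ipsec static show policy name="ES-IPsec-Policy" level=verbose
netsh ipsec dynamic show mmsa
netsh ipsec dynamic show qmsa
```

The Portal needs a matching policy with the same PSK; there the filter is written from its side (srcaddr=me, dstaddr=<ES address>, dstport=9002, mirrored=yes) and the rest of the script is unchanged. If the SA listings stay empty while the Portal cannot reach the ES port, check that UDP 500 (ISAKMP) and ESP (IP protocol 50) are allowed between the two hosts, as step 4 describes.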
