
SiPass Access Control IPSEC Secure Communications Configuration Instructions

Data and design subject to change without notice. Supply subject to availability. 2005 Copyright by Siemens Building Technologies AG. We reserve all rights in this document and in the subject thereof. By acceptance of the document the recipient acknowledges these rights and undertakes not to publish the document nor the subject thereof in full or in part, nor to make them available to any third party without our prior express written authorization, nor to use it for any purpose other than for which it was delivered to him. DOCUMENT NUMBER: A24205-A335-B228

2 Siemens Building Technologies Fire & Security Products IPSEC_ConfigurationManual_en.doc Instructions 05.2004

Table of Contents

1 Overview ........................................................ 5
1.1 Introduction .................................................. 5
1.1.1 SiPass Client-Server Security ............................. 5
1.1.2 Benefits of IPsec ........................................... 5
1.1.3 Architecture ................................................ 6
2 Configuring Secure Communications ............................... 7
2.1 Configuring IPsec ............................................. 7
2.2 Testing IPsec ................................................ 20
2.3 Configuring the VPN Tunnel .................................. 21
2.4 Configuring the VPN Client .................................. 25
3 Keyword index ................................................. 29

1 Overview

This Configuration Guide explains the benefits and process of configuring IPsec on a network for secure communications between a SiPass Server and SiPass Workstation Client. This Guide is aimed at system administrators who are familiar with configuring Windows TCP/IP networks and VPN tunnels. It consists of a single configuration chapter divided into three sections.

1.1 Introduction

1.1.1 SiPass Client-Server Security
Windows 2000 can protect the files stored on its drives by encrypting them and placing them behind a wall of permissions, but when a network user attempts to access a file, the server accesses it with the user's credentials and decrypts it before sending it on its way over the network. The data, as transmitted over the network, is left completely unprotected and vulnerable to a variety of attacks. On today's large enterprise networks, the Internet is not the only source of potential intruders. Internal users might attempt to access sensitive data in many ways, including the following:
- Packet capturing
- Data modification
- Spoofing
- Password compromise
- Denial of service attacks
- Key compromise
- Application layer attack

and many others.

1.1.2 Benefits of IPsec
Instead of securing the network itself, you can secure the data transmitted over a Windows 2000 network using IPsec. IPsec is a series of standards that provide a method for encrypting IP datagrams before they are transmitted. Because IP is responsible for carrying all application data on a TCP/IP network, this type of encryption can protect all types of sensitive data and eliminate vulnerability to attack. Intruders still might be able to capture packets as they travel over the network, but since they cannot decrypt any of the data inside the packets, they cannot make use of the information.

1.1.3 Architecture
The following diagram illustrates a typical secure VPN link that uses IPsec to preserve data encryption in a SiPass security network.

Figure 1: Diagram showing VPN link with IPsec

2 Configuring Secure Communications

2.1 Configuring IPsec
To configure the local system to use IPsec, you can activate one of the default policies as it is, modify its properties, or create new policies for your own use. To create a new policy on the local system, use the following procedure.

1. Select Start > Run from the Windows taskbar.

2. Enter mmc into the Open field and click OK. The Console will appear.

3. Select Add/Remove Snap-in from the Console menu. The Add/Remove Snap-in dialog will appear.


4. Click Add to add a new Snap-in. The Add Standalone Snap-in dialog will appear.

5. Select IP Security Policy Management and click Add. The Select Computer dialog will appear.

6. Select the Local Computer option and click Finish. You will be returned to the Add Standalone Snap-in dialog.

7. Click Close at the Add Standalone Snap-in screen.

8. Click OK to close the Add/Remove Snap-in screen. You will be returned to the Console, and the IP security policy will have been added to the right hand pane.

9. Double-click on IP Security Policies in the right hand pane.



10. Right-click Secure Server in the right hand pane and select Properties from the menu that appears. The Secure Server dialog will appear.

11. Click Add to add a new rule. The Security Rule Wizard will appear.


12. Click Next at the Welcome New Rule Wizard page.

13. Select the This rule does not specify a tunnel option and click Next.


14. Select Local area network (LAN) and click Next.

15. If the SiPass Client and Server are not members of the same Windows Domain, select Use this string to protect key exchange. Otherwise select Windows 2000 default (Kerberos V5 Protocol).

16. Click Next.


17. Click Add to add a new IP filter.

18. Enter a name for the IP filter.

Note: The next series of steps depends on whether you are configuring the SiPass Server PC or a client PC. If you are configuring the Server PC, you must perform steps 19-28 once for each SiPass Client PC in your network, entering the IP address of a different client each time. If you are configuring a Client PC, steps 19-28 are performed only once.

19. Click Add.

20. Click Next at the Wizard Welcome screen.

21. Select My IP Address from the Source address drop down list.

22. Click Next.

23. Select A specific IP address from the Destination Address drop down list.

24. Enter the IP address of the destination computer.


If you are configuring the SiPass Server PC, the IP address entered will be the IP address of one of the clients. If you are configuring a Client PC, the IP address will be the IP address of the SiPass Server.

25. Click Next.

Note: If the SiPass computers are on a corporate domain, ensure that they are assigned a fixed IP address rather than one obtained from a DHCP server, since the IP filters refer to specific addresses.

26. Select Any from the protocol type drop down list.

27. Click Next.

28. Click Finish to close the IP Filter Wizard. You will be returned to the IP Filter List dialog.

Note: If you are configuring the SiPass Server PC, you must repeat steps 19-28 for each Client PC in your network.


29. Click Close to return to the IP filter list.

30. Select the IP filter that you just created and click Next.


31. Select Require Security from the filter actions.

32. Click Next.

33. Click OK and close the Edit Rules Properties dialog.


34. Click Finish to close the Security Rule Wizard.

35. Select your new IP security rule and deselect the other rules.

36. Click OK.


37. Right-click Secure Server in the right hand pane and select Assign from the menu that appears.

38. Repeat the above procedure on all other SiPass Server and Client PCs in the network.


2.2 Testing IPsec
1. Open the command window by selecting Start > Run from the taskbar.

2. Enter cmd into the Open field to open up a command prompt.

3. At the command prompt, type ping followed by the IP address of the other computer. If you receive the "Negotiating IP Security" message, repeat the ping command until you receive a reply from the other computer.

4. To verify that IPsec is working, un-assign the policy on one computer and repeat the ping command. You should receive the "Negotiating IP Security" message. Re-assign the policy and verify again using the ping command.
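The policy built in section 2.1 (transport mode, one filter per peer address, protocol Any, Require Security, Kerberos or a pre-shared string) and the check of section 2.2, written as an added PowerShell example that is not part of the Siemens manual. It assumes the NetSecurity cmdlets of Windows 8 / Windows Server 2012 and later (the manual's MMC procedure targets Windows 2000); the peer addresses and the pre-shared string are constructed placeholders.

```powershell
# Added example (not from the manual): section 2.1 policy plus the section 2.2 check,
# expressed with the NetSecurity module of Windows 8 / Server 2012 and later.
#Requires -RunAsAdministrator

# $Peers holds the addresses this machine must talk to securely: on the SiPass
# Server, every client (steps 19-28 are repeated per client); on a client, only
# the SiPass Server. Constructed placeholder addresses, as the manual uses fixed IPs.
$Peers    = @('192.0.2.11', '192.0.2.12')
$InDomain = $false   # $true when server and clients share a Windows domain

# Step 15: Kerberos inside one domain, otherwise a pre-shared string.
$Proposal = if ($InDomain) {
    New-NetIPsecAuthProposal -Machine -Kerberos
} else {
    # Placeholder only; use a long random secret and do not keep it in scripts.
    New-NetIPsecAuthProposal -Machine -PreSharedKey 'REPLACE-WITH-LONG-RANDOM-SECRET'
}
$AuthSet = New-NetIPsecPhase1AuthSet -DisplayName 'SiPass IKE authentication' -Proposal $Proposal

foreach ($Peer in $Peers) {
    # Step 13: no tunnel -> transport mode.
    # Steps 21-27: source = my address, destination = one specific peer, protocol Any.
    # Step 31: Require Security -> unprotected traffic with this peer is refused.
    New-NetIPsecRule -DisplayName "SiPass secure comms to $Peer" `
        -Mode Transport `
        -LocalAddress Any `
        -RemoteAddress $Peer `
        -Protocol Any `
        -InboundSecurity Require `
        -OutboundSecurity Require `
        -Phase1AuthSet $AuthSet.Name `
        -Enabled True | Out-Null
}

# Section 2.2: ping a peer. The first replies may be lost while IKE negotiates
# (modern ping times out instead of printing "Negotiating IP Security").
Test-Connection -ComputerName $Peers[0] -Count 4 -ErrorAction SilentlyContinue | Out-Null

# A quick-mode SA to the peer confirms the traffic is actually protected; if the
# policy is removed on either side, no SA appears and the pings get no reply.
$Sa = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Peers[0] }
if ($Sa) { "IPsec SA established with $($Peers[0])" } else { "No IPsec SA with $($Peers[0])" }
```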


2.3 Configuring the VPN Tunnel

To establish the VPN connection between the SiPass Server and SiPass Client, the SiPass Server must be configured to accept incoming VPN connections.

1. Select Settings > Control Panel > Network and Dial up connections from the Windows Start menu, and choose New Connection. The Network Connection Wizard will appear.

2. Select Accept incoming connections.

3. Click Next.


4. Verify that all devices are unchecked in the Devices and Incoming Connections dialog.

5. Click Next.

6. Select Allow Virtual Private Connections.

7. Click Next.


8. Click Add.

9. Add a username and password.

10. Click OK.


11. Select Internet Protocol (TCP/IP) and click Properties.

12. Select Assign TCP/IP addresses automatically using DHCP.

13. Click OK.

14. Choose Finish to close the Wizard.

2.4 Configuring the VPN Client

1. Open Network and Dial up connections from Start > Settings > Control Panel and click New Connection.

2. Select Connect to a private network through the Internet.

3. Click Next.

4. Select Do Not Dial The Initial Connection.

5. Click Next.



6. Enter the IP address of the SiPass Server.

7. Click Next.

8. Select Only for myself.

9. Click Next.


10. Click Finish. You have now configured IPsec successfully for secure communications between the SiPass Server and clients in your security network.

3 Keyword index

D
Destination IP Address, 14
DHCP, 14

I
IP Address, SiPass Server, 25
IP Addresses, dynamic, 14
IP Filter, 13
IP Filter, actions, 16
IP Security Policy, 8, 9
IPsec Overview, 5
IPsec, Architecture, 6
IPsec, benefits, 5
IPsec, How to configure, 7
IPsec, user requirements, 5

K
Kerberos V5 Protocol, 12
Key Exchange, 12

L
LAN, 12

M
MMC Console, 7

N
Negotiating IP addressing, 19
Network connection wizard, 21

P
Ping command, 19

R
Run dialog, 7

S
Secure Server Policies, 10
Security Rule Wizard, 11
Security, risks, 5
Security, Server Comms, 5
Snap-in, add, 7
Subnet Mask, 14

T
Testing IPsec, 19

V
VPN Client, configuring, 24
VPN Tunnel, configuring, 20
VPN, automatic IP addressing, 23
VPN, enabling, 21
VPN, username and password, 22

Issued by Siemens Building Technologies Fire & Security Products GmbH & Co. oHG, D-76181 Karlsruhe, www.sbt.siemens.com/fsp. Document no. A24205-A335-B228, Edition 05.2004

2005 Copyright by Siemens Building Technologies AG Data and design subject to change without notice. Supply subject to availability. Printed in the Federal Republic of Germany on environment-friendly chlorine-free paper.