Home » Symantec Manuals » Computer Software » Symantec 360R » Manual Viewer

Symantec 360R Administration Guide - Page 82

About using this Creating security policies, Understanding VPN policies

UPC - 037648240185

Add to My Manuals
Save this manual to your list of manuals

Page 82 highlights

82 Establishing secure VPN connections About using this chapter About using this chapter Each section begins with an explanation of the feature it is describing (such as what a VPN policy is, how it works, and how you use it). If you are an experienced network or IT administrator, you may want to proceed directly to the latter half of the section for configuration instructions. If you do not have significant network or IT experience or have never configured a security gateway (Symantec or otherwise), you should read the first half of each section before configuring the feature. At the end of "Configuring Gateway-to-Gateway tunnels" on page 88 and "Configuring Client-to-Gateway VPN tunnels" on page 96, there are worksheets for you to fill out with the information you entered so that you may easily share connection information with your clients and remote gateway administrators. Creating security policies The VPN tunnel establishment negotiation occurs in two phases. In Phase 1, the Internet Key Exchange (IKE) negotiation creates an IKE security association with its peer to protect Phase 2 of the negotiation, which determines the protocol security association for the tunnel. For Gateway-to-Gateway connections, either security gateway can initiate Phase 1 or Phase 2 renegotiation at any time. Either security gateway can also specify intervals after which to renegotiate. For Client-to-Gateway connections, only the client can initiate Phase 1 or Phase 2 renegotiation. Phase 2 renegotiation is referred to as quick mode renegotiation. Note: Symantec Gateway Security 300 Series does not support VPN tunnel compression. To create a Gateway-to-Gateway tunnel between an Symantec Gateway Security 300 Series appliance and a remote Symantec Gateway Security 5400 Series appliance or Symantec Enterprise Firewall, set the compression to NONE on the remote gateway. Understanding VPN policies For each phase of negotiation, the appliance uses a policy, which is a predefined set of parameters. The appliance supports two types of security policies, Global IKE and VPN.

Section	Page
Introducing the Symantec Gateway Security 300 Series	11
Intended audience	12
Where to get more information	12
Administering the security gateway	13
Accessing the Security Gateway Management Interface	13
Using the SGMI	15
Managing administrative access	15
Setting the administration password	16
Configuring remote management	17
Managing the security gateway using the serial console	19
Configuring a connection to the outside network	23
Network examples	24
Understanding the Setup Wizard	27
About dual-WAN port appliances	27
Understanding connection types	28
Configuring connectivity	30
DHCP	30
PPPoE	31
Static IP and DNS	34
PPTP	36
Dial-up accounts	39
Configuring advanced connection settings	43
Advanced DHCP settings	43
Advanced PPP settings	44
Maximum Transmission Unit (MTU)	45
Configuring dynamic DNS	45
Forcing dynamic DNS updates	47
Disabling dynamic DNS	48
Configuring routing	48
Enabling dynamic routing	48
Configuring static route entries	49
Configuring advanced WAN/ISP settings	50
High availability	50
Load balancing	51
SMTP binding	52
Binding to other protocols	52
Failover	52
DNS gateway	53
Optional network settings	54
Configuring internal connections	57
Configuring LAN IP settings	57
Configuring the appliance as DHCP server	58
Monitoring DHCP usage	60
Configuring port assignments	60
Standard port assignment	61
Network traffic control	63
Planning network access	63
Understanding computers and computer groups	64
Defining computer group membership	65
Defining computer groups	67
Defining inbound access	68
Defining outbound access	69
Configuring services	72
Redirecting services	73
Configuring special applications	74
Configuring advanced options	76
Enabling the IDENT port	76
Disabling NAT mode	77
Enabling IPsec pass-thru	77
Configuring an exposed host	78
Managing ICMP requests	79
Establishing secure VPN connections	81
About using this chapter	82
Creating security policies	82
Understanding VPN policies	82
Creating custom Phase 2 VPN policies	84
Viewing VPN Policies List	85
Identifying users	85
Understanding user types	86
Defining users	86
Viewing the User List	88
Configuring Gateway-to-Gateway tunnels	88
Understanding Gateway-to-Gateway tunnels	88
Configuring dynamic Gateway-to-Gateway tunnels	91
Configuring static Gateway-to-Gateway tunnels	93
Sharing information with the remote gateway administrator	96
Configuring Client-to-Gateway VPN tunnels	96
Understanding Client-to-Gateway VPN tunnels	97
Defining client VPN tunnels	99
Setting global policy settings for Client-to-Gateway VPN tunnels	101
Sharing information with your clients	101
Monitoring VPN tunnel status	102
Advanced network traffic control	103
How antivirus policy enforcement (AVpe) works	104
Before you begin configuring AVpe	105
Configuring AVpe	106
Enabling AVpe	107
Configuring the antivirus clients	109
Monitoring antivirus status	109
Log messages	110
Verifying AVpe operation	110
About content filtering	111
Special considerations	111
Managing content filtering lists	112
Special considerations	112
Enabling content filtering for LAN	113
Enabling content filtering for WAN	113
Monitoring content filtering	114
Preventing attacks	115
How intrusion detection and prevention works	115
Trojan horse protection	116
Setting protection preferences	116
Enabling advanced protection settings	117
IP spoofing protection	117
TCP flag validation	118
Logging, monitoring and updates	119
Managing logging	119
Configuring log preferences	120
Managing log messages	124
Updating firmware	124
Automatically updating firmware	125
Upgrading firmware manually	129
Checking firmware update status	133
Backing up and restoring configurations	133
Resetting the appliance	135
Interpreting LEDs	136
LiveUpdate and firmware upgrade LED sequences	139
Troubleshooting	141
About troubleshooting	141
Accessing troubleshooting information	143
Licensing	145
Session licensing for Symantec Gateway Security 300 Series Client-to-Gateway VPN functions	145
Additive session licenses	145
SYMANTEC GATEWAY SECURITY APPLIANCE LICENSE AND WARRANTY AGREEMENT	146
Field descriptions	151
Logging/Monitoring field descriptions	151
Status tab field descriptions	152
View Log tab field descriptions	154
Log Settings tab field descriptions	155
Troubleshooting tab field descriptions	156
Administration field descriptions	157
Basic Management tab field descriptions	158
SNMP tab field descriptions	158
LiveUpdate tab field descriptions	159
LAN field descriptions	160
LAN IP & DHCP tab field descriptions	161
Port Assignment tab field descriptions	162
WAN/ISP field descriptions	162
Main Setup tab field descriptions	164
Static IP & DNS tab field descriptions	165
PPPoE tab field descriptions	166
Dial-up Backup & Analog/ISDN tab field descriptions	167
PPTP tab field descriptions	171
Dynamic DNS tab field descriptions	171
Routing tab field descriptions	174
Advanced tab field descriptions	175
Firewall field descriptions	176
Computers tab field descriptions	177
Computer Groups tab field descriptions	179
Inbound Rules field descriptions	180
Outbound Rules tab field descriptions	181
Services tab field descriptions	182
Special Application tab field descriptions	183
Advanced tab field descriptions	186
VPN field descriptions	187
Dynamic Tunnels tab field descriptions	189
Static Tunnels tab field descriptions	193
Client Tunnels tab field descriptions	197
Client Users tab field descriptions	199
VPN Policies tab field descriptions	200
Status tab field descriptions	202
Advanced tab field descriptions	203
IDS/IPS field descriptions	204
IDS Protection tab field descriptions	205
Advanced tab field descriptions	206
AVpe field descriptions	207

Match case Limit results 1 per page

Establishing secure VPN connections

About using this chapter

Each section begins with an explanation of the feature it is describing (such as

what a VPN policy is, how it works, and how you use it). If you are an

experienced network or IT administrator, you may want to proceed directly to

the latter half of the section for configuration instructions.

If you do not have significant network or IT experience or have never configured

a security gateway (Symantec or otherwise), you should read the first half of

each section before configuring the feature.

At the end of

“Configuring Gateway-to-Gateway tunnels”

on page 88 and

“Configuring Client-to-Gateway VPN tunnels”

on page 96, there are worksheets

for you to fill out with the information you entered so that you may easily share

connection information with your clients and remote gateway administrators.

Creating security policies

The VPN tunnel establishment negotiation occurs in two phases. In Phase 1, the

Internet Key Exchange (IKE) negotiation creates an IKE security association

with its peer to protect Phase 2 of the negotiation, which determines the

protocol security association for the tunnel. For Gateway-to-Gateway

connections, either security gateway can initiate Phase 1 or Phase 2

renegotiation at any time. Either security gateway can also specify intervals

after which to renegotiate. For Client-to-Gateway connections, only the client

can initiate Phase 1 or Phase 2 renegotiation. Phase 2 renegotiation is referred

to as quick mode renegotiation.

Note:

Symantec Gateway Security 300 Series does not support VPN tunnel

compression. To create a Gateway-to-Gateway tunnel between an Symantec

Gateway Security 300 Series appliance and a remote Symantec Gateway

Security 5400 Series appliance or Symantec Enterprise Firewall, set the

compression to NONE on the remote gateway.

Understanding VPN policies

For each phase of negotiation, the appliance uses a policy, which is a predefined

set of parameters. The appliance supports two types of security policies, Global

IKE and VPN.