© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com
NCP_RN_Secure_Enterprise_VPN_Server_8_11_Linux_19770_en.docx Technical specification subject to change
page 1 of 26
Release Notes
NCP Secure Enterprise VPN Server Service Release 8.11 rev 19770 (Linux 64) October 2014
Prerequisites
Linux Distributions
This version is released only for the 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 7.0
Ubuntu Server 14.04
Debian GNU/Linux 7.6.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
CVE-2014-3566 / "POODLE" issue – SSL v2.0 and v3.0 withdrawn from this product.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear-text data via a padding-oracle attack, aka the "POODLE" issue.
For this reason the SSL v2.0 and v3.0 protocols are no longer incorporated in this product. The TLS protocol now provides all underlying secure web service (HTTPS) encryption and authentication services.
3. Known Issues
None
Service Release 8.11 rev 17880 (Linux 64) July 2014
Prerequisites
Linux Distributions
This version is released only for the 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.5
Ubuntu Server 12.04.4
Debian GNU/Linux 7.5.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
Behavior changed when re-connecting Client to a different gateway in Load Balancing mode
When re-connecting a Client to another gateway in the Load Balancing network, DHCP Release is no longer issued by the previously used gateway (which received a Session Manager Disconnect signal). This ensures that the Client is uniquely addressable from the central site.
OpenSSL 1.0.1h after the security advisory of 5 June 2014
The OpenSSL security advisory of 5 June 2014 resulted in the release of OpenSSL 1.0.1h, and this version has been incorporated in the latest version of the NCP Secure Enterprise VPN Server. (See https://www.openssl.org/news/secadv_20140605.txt)
3. Known Issues
None
Service Release 8.11 rev 16500 (Linux 32/64) April 2014
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.5
Ubuntu Server 12.04.3
Debian GNU/Linux 7.3.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
OpenSSL Heartbleed Bug (CVE-2014-0160)
The Heartbleed bug in the OpenSSL cryptographic library has been resolved.
3. Known Issues
None
Service Release 8.11 rev 16022 (Linux 32/64) April 2014
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.5
Ubuntu Server 12.04.3
Debian GNU/Linux 7.3.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
None
3. Known Issues
None
Service Release 8.11 rev 15815 (Linux 32/64) March 2014
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.5
Ubuntu Server 12.04.3
Debian GNU/Linux 7.3.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
4. New Features and Enhancements
None
5. Improvements / Problems Resolved
Buffer Handling
Problems resolved
Routing Information Protocol (RIP) Handling
Problems associated with RIP and DHCP addresses resolved
6. Known Issues
None
Service Release 8.11 rev 15127 (Linux 32/64) January 2014
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.5
Ubuntu Server 12.04.3
Debian GNU/Linux 7.3.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
Buffers in MultiProcessor Configurations
Number of buffers in MP configurations has been increased to 400 per processor.
MultiProcessor and IPsec Compression
Problems associated with MP and IPsec compression have been resolved.
Advanced Authentication Connector
Various problems associated with Advance Authentication have been resolved.
The timeout for receipt of the SMS at the Client has been increased to 2 minutes (IKEv2) and to 1 minute (IKEv1).
Java 7 Update 51
Support for Java 7 update 51 has been included in the NCP Secure Enterprise VPN Server.
IPv6
Various problems in connection with IPv6 have been resolved.
3. Known Issues
None
Service Release 8.11 rev 13714 (Linux 32/64) November 2013
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP3
CentOS 6.4
Ubuntu Server 12.04.3
Debian GNU/Linux 7.1.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.11) is a member of a High Availability Services environment, HA Server version 3.04 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.11
- second, update the HA Server for Linux to version 3.04, i.e. after the VPN Server has been updated.
Prerequisites for management by Secure Enterprise Management
Secure Enterprise Management server: version 3.01 015 or later
Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later
4. New Features and Enhancements
IKEv2 Configuration with Web Interface
The web interface has been enhanced for IKEv2 configuration of link profiles. The enhancements are contained in the "Link Profile", "Domain Groups" and "Local System" configuration folders plus the "IKEv2 Policies" folder.
SNMP Enhancements
SNMP support has been enhanced for statistics queries about Domain Groups.
Windows Internet Explorer version 11 Support
From this revision onwards Windows Internet Explorer version 11 can be used as the web browser for:
- accessing the VPN Server configuration web interface
- connecting via an SSL VPN tunnel to corporate resources
RESTRICTION: IE 11 cannot be used in connection with Virtual Private Desktop or Port Forwarding - please discuss detailed requirements with NCP support. This release incorporates cache protection for Internet Explorer 9, 10 and 11.
5. Improvements / Problems Resolved
IPsec over L2TP and Packet Fragmentation
IPsec over L2TP now works correctly, even when packets are being fragmented.
VLAN functionality in connection with Linux version 3.0 (and later) Kernels
Full VLAN functionality is now available when using Linux version 3.0 (and later) kernels.
6. Known Issues
IKEv2 authentication
Although the EAP TLS method can be configured within the IKEv2 authentication, it is not yet implemented.
Service Release 8.11 rev 5620 (Linux 32/64) August 2013
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP2
CentOS 6.4
Ubuntu Server 12.04.2
Debian GNU/Linux 7.1.0
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, i.e. after the VPN Server has been updated.
1. New Features and Enhancements
Multi processor-/core support
Support for modern multi core architectures for better use of current hardware to enhance VPN throughput.
Support for ECC (ECC: Elliptic curve cryptography)
Support for certificates whose signature is created using the elliptic curve algorithm instead of the RSA algorithm.
Accessing the Gateway
The Secure Enterprise VPN Server can be accessed from an NCP HA Server using IPv6 addressing. Pre-requisites:
HA Server (Linux): Version 3.04 from rev 3933
Secure Enterprise Server (Linux): Version 8.11 from rev 5620
Server Plug-in (SEM): Version 8.11 from build 48
Prioritization of clients
NCP Secure Enterprise VPN Server, operating in Load Balancing Mode of an HA Server environment, enables the HA Server to prioritize VPN access by Clients.
This is particularly important when the HA Server is overloaded or when there are insufficient licenses available for all Clients; in such circumstances, only users with a high priority are allowed access.
Setting the Priority in the Server Configuration:
User priority is defined at the server in the HA Server configuration, in the template of the respective HA Server, and is effective for all gateways connected to it. The User Priority defined there for the users of a Domain Group defines the priority Clients must have been assigned in order to be allowed access. Highest priority is "1", lowest is "255", and access is allowed for users with the highest priority.
The default setting, "0", means that priority based access is switched off and all VPN users are allowed access. If User Priority functionality is in use, all VPN users with priority less than the priority value configured here will be blocked from establishing VPN connections. Highest priority is "1". For example, if User Priority "5" is defined at the Server, all users with a lower priority, i.e. 6 to 255, will be blocked. This happens immediately on setting the parameter. VPN tunnels from Clients which, at this point in time, have been assigned a lower priority, will be disconnected, and renewed attempts to establish a connection will be rejected. Disconnections and rejections of VPN connection establishment attempts are logged with a corresponding message.
Assigning User Priority in the Client Configuration:
The priority allocated to a specific user can only be defined in the RADIUS or LDAP configuration of the respective Client.
Highest priority is "1", lowest is "255", and access is allowed for users with the highest priority.
Important: at the Client, "0" is the default value for User Priority, and the centrally applied priority-based restriction of Client access does not apply to Clients with User Priority "0". Such Clients are ALWAYS allowed access.
Text in the GUI (Domain-Groups):
As soon as User Priority functionality is switched on, all VPN users with priority less than the priority value configured here will be blocked from establishing VPN connections. Highest priority is "1", lowest is "255".
VPN tunnels already established from Clients with a lower priority are immediately disconnected. "0" switches off the prioritized tunnel-use functionality.
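The access rule described above, as an added example (not NCP's code): a small Python model of the Domain Group threshold, the client's RADIUS/LDAP priority, the client-side "0" exception and the immediate disconnect when the parameter is changed. The DomainGroup class and its method names are assumptions, not the VPN Server's API.

```python
"""Model of the User Priority access rule from these release notes.
Constructed example; DomainGroup and its method names are assumptions,
not the VPN Server's own API."""
from dataclasses import dataclass, field

OFF = 0       # "0": feature switched off (server) / never restricted (client)
HIGHEST = 1   # numerically smallest value is the highest priority
LOWEST = 255


def _check_range(value: int, what: str) -> None:
    if not OFF <= value <= LOWEST:
        raise ValueError(f"{what} must be 0..255, got {value}")


def priority_allows(server_priority: int, client_priority: int) -> bool:
    """True if a client with client_priority may connect to a Domain Group
    whose User Priority threshold is server_priority.

    A "lower" priority is a numerically larger value: with threshold 5,
    clients 1..5 are allowed and 6..255 are blocked.
    """
    _check_range(server_priority, "server User Priority")
    _check_range(client_priority, "client User Priority")
    if server_priority == OFF:   # priority-based access switched off
        return True
    if client_priority == OFF:   # client default "0" is ALWAYS allowed
        return True
    return client_priority <= server_priority


@dataclass
class DomainGroup:
    """Open tunnels of one Domain Group plus the log lines a gateway would write."""
    name: str
    user_priority: int = OFF
    tunnels: dict = field(default_factory=dict)   # user -> priority from RADIUS/LDAP
    log: list = field(default_factory=list)

    def connect(self, user: str, client_priority: int) -> bool:
        """Handle a connection request; reject and log if the priority is too low."""
        if not priority_allows(self.user_priority, client_priority):
            self.log.append(f"{self.name}: rejected {user} "
                            f"(priority {client_priority}, required {self.user_priority})")
            return False
        self.tunnels[user] = client_priority
        return True

    def set_user_priority(self, value: int) -> list:
        """Apply a new threshold immediately: disconnect every tunnel whose
        client no longer qualifies and return the affected users."""
        _check_range(value, "server User Priority")
        self.user_priority = value
        dropped = [u for u, p in self.tunnels.items() if not priority_allows(value, p)]
        for user in dropped:
            prio = self.tunnels.pop(user)
            self.log.append(f"{self.name}: disconnected {user} "
                            f"(priority {prio}, required {value})")
        return dropped


if __name__ == "__main__":
    group = DomainGroup("sales")
    for user, prio in [("alice", 3), ("bob", 10), ("carol", 0)]:
        group.connect(user, prio)
    print("dropped after setting User Priority 5:", group.set_user_priority(5))
    print("dave (7) allowed:", group.connect("dave", 7))
    print("\n".join(group.log))
```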
2. Improvements / Problems Resolved
An issue when using LDAP attributes with a length of 256 characters has been resolved.
3. Known Issues
IKEv2 authentication
Although the EAP TLS method can be configured within the IKEv2 authentication, it is not yet implemented.
Service Release 8.10 Build 4324 (Linux 32/64) May 2013
Prerequisites
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
SuSE Linux Enterprise Server 11 SP2
CentOS 6.3 and 6.4
Ubuntu Server 12.04.1 and 12.04.2
Debian GNU/Linux 6.0.5 and 6.0.6
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, i.e. after the VPN Server has been updated.
1. New Features and Enhancements
None
2. Improvements / Problems Resolved
VPN Connection Aborted after IKE Phase 2 Rekeying
After expiry of the "Duration" timer (IPsec Policies - Configuration - Duration / Default 8 hours), instead of the phase 2 re-keying being carried out, the connection was aborted. This problem has now been resolved.
3. Known Issues
None
Service Release 8.10 Build 049 (Linux 32/64) December 2012
Prerequisites
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, i.e. after the VPN Server has been updated.
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
openSuSE 11.4
openSuSE 12.1
SuSE Linux Enterprise Server 11
SuSE Linux Enterprise Server 11 SP2
CentOS 6.2
Ubuntu Server 10.04.3 Lucid Lynx LTS
Ubuntu Server 12.04 Precise Pangolin LTS
Debian GNU/Linux 5.0.8 Lenny
Debian GNU/Linux 6.0.5 Squeeze
1. New Features and Enhancements
The following new features have been introduced in this release:
AES CTR Encryption Algorithm
The following implementations of the AES CTR Encryption Algorithm (defined by RFC 3686) have been incorporated in the Secure VPN Server: AES CTR 128 bit, AES CTR 192 bit and AES CTR 256 bit.
AES CTR can be used in either IKE policies (Web Interface: IKE Policies / Encryption) or in IPsec policies (Web Interface: IPsec Policies / Transform), providing IKEv2 is being used.
Downloading the extracted Server Certificate
The PKCS#12 file used for authenticating the server with the client (Web Interface: Configuration / Server Certificates / PKCS#12 filename) contains the issuer certificate as well as the server certificate, and, for special applications, the server certificate can be extracted from the PKCS#12 file.
To extract the server certificate, press the button located next to the filename. The server certificate will be extracted as a .crt file, which can then be stored in a separate location and its contents viewed using Windows Explorer.
2. Improvements / Problems Resolved
None
3. Known Issues
None
Service Release 8.10 Build 030 (Linux 32/64) September 2012
Prerequisites
NCP Secure Enterprise VPN Server for Linux in HA Environments
If the Linux VPN Server (version 8.10) is a member of a High Availability Services environment, HA Server version 3.03 or later is required.
Important: when updating the components:
- first, update the Secure Enterprise VPN Server for Linux to version 8.10
- second, update the HA Server for Linux to version 3.03, i.e. after the VPN Server has been updated.
Linux Distributions
This version is released only for the 32 and 64 bit versions of the following distributions:
openSuSE 11.4
openSuSE 12.1
SuSE Linux Enterprise Server 11
SuSE Linux Enterprise Server 11 SP2
CentOS 6.2
CentOS 6.3
Ubuntu Server 10.04.3 Lucid Lynx LTS
Ubuntu Server 12.04 Precise Pangolin LTS
Ubuntu Server 12.04.1 Precise Pangolin LTS
Debian GNU/Linux 5.0.8 Lenny
Debian GNU/Linux 6.0.5 Squeeze
1. New Features and Enhancements
The following new features have been introduced in this release:
New, separate switches for IKEv1 and IKEv2
Connections via IPsec Native and IPsec over L2TP can only be established if the key exchange is handled via either the IKEv1 or IKEv2 protocol. If neither of these key exchange protocols is selected, connections can only be established via L2Sec or L2TP.
The switches are located at the Local System level and both protocols are active by default.
IKEv2 including MobIKE
The gateway now supports IKEv2 including MobIKE. The following EAP types are supported with this implementation:
EAP-MD5-Challenge
EAP-TLS
EAP-MSCHAP-V2
Seamless Roaming
Seamless Roaming provides the user with an "always on" capability: in the event that a communication medium fails, Seamless Roaming in an NCP Secure Enterprise Client (for Windows from version 9.30) automatically switches to the next available medium, choosing from LAN, WiFi and 3G. Applications that make use of the VPN tunnel are not disturbed by the switchover from one medium to another.
This version of the NCP Secure Enterprise VPN Server includes the functionality necessary to support Seamless Roaming at the NCP Secure Clients.
Seamless Roaming – Force Single VPN Connection
This switch (in HA Server) prevents multiple VPN connections, from a single NCP Secure Client, remaining open when Seamless Roaming is in operation.
When the option "Force single VPN connection" under "General" is set (the default state) and a VPN connection request is received at a gateway, that gateway sends a message to all other gateways in the load balancing/HA group, indicating that this Secure Client is now connected to gateway x and all other tunnels established for this Secure Client must be terminated.
Pre-requisites:
HA Server (Linux): Version 3.03 from build 007
Secure Enterprise VPN Server (Linux): Version 8.10 from build 030
Server Plug-in (SEM): from build 15
Execute Endpoint Security only for NCP Clients
A feature (a switch in "Local System") has been added to enable Endpoint Security to be executed only with NCP Clients. Other clients that do not support NCP Endpoint Security, e.g. iPads, can now use the same profile, even when Endpoint Security is enabled.
This is especially useful when, in addition to NCP Secure Clients, mixed operation is supported and, for example, iPads with their integrated VPN Client are in use.
If this function is NOT activated, then connection requests from clients from other manufacturers, i.e. clients that do not support NCP Endpoint Security or that do not fulfill the security policies, will be rejected.
IP Address Assignment by DHCP [Domain Groups]
The VPN gateway can automatically assign an available address to each Client when that Client connects to the gateway. This address can be assigned either from a pool or by means of IP address assignment from a DHCP server, and is assigned for the duration of the session. A Domain Group can contain the configuration details of one DHCP server (with IP address and DHCP Source IP Address).
FIPS Inside
The Secure Enterprise VPN Server incorporates cryptographic algorithms conformant to the FIPS standard. The embedded cryptographic module incorporating these algorithms has been validated as conformant to FIPS 140-2 (certificate #1051).
FIPS conformance will always be maintained when any of the following algorithms are used for establishment and encryption of the IPsec connection:
- Diffie-Hellman Group: Group 2 or higher (DH starting from a length of 1024 bit)
- Hash Algorithms: SHA-1, SHA-256, SHA-384 or SHA-512
- Encryption Algorithms: AES with 128, 192 or 256 bit, or Triple DES
IF-MAP
The ESUKOM project aims to develop a real-time security solution for enterprise networks that works based upon the correlation of metadata. A key challenge for ESUKOM is the steadily increasing adoption of mobile consumer electronic devices (smartphones) for business purposes, which generates new threats for enterprise networks. ESUKOM focuses on the integration of available and widely deployed security measures (both commercial and open source) based upon the IF-MAP (Interface for Metadata Access Points) specification from the Trusted Computing Group (TCG).
As of release 8.10 of the NCP Secure Server, the IF-MAP Server at Hannover University can be used, free of charge, for test purposes. The URL is http://trust.inform.fh-hannover.de.
Realtime Enforcement through the IF-MAP Protocol
Using IF-MAP Protocol Events, the Server can trigger an action such as disconnecting a connection or switching the Filter Group. IF-MAP Events can be configured accordingly in the Domain Group.
Single Sign-on for SSL VPN
Single Sign-on can be used when the web server application (configured under Web Proxies) being accessed requires the same access data as that being used by the SSL VPN client. Usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP.
Dependent on application, Single Sign-on authentication can be performed with HTTP Authentication
(Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or using the Post Form Method.
SSO with web applications has been tested with Outlook Web Access (OWA) 2003, 2007 and 2010, RDP Client and CITRIX Webinterface 4.5, 5.1.
SSO with port forwarding is only supported for an application that can accept parameters (username and password) via its command line.
Virtual Private Desktop
The Virtual Private Desktop is a work area (sandbox), decoupled from the underlying operating system and made available to the user by means of the SSL VPN session. Applications started and running in this work area, together with any files created, are disconnected from the underlying operating system. Files such as e-mail attachments are stored in the Virtual Private Desktop in a private container that is encrypted using AES. When the SSL VPN session is terminated, all files in the container are deleted.
Only NCP Clients allowed
This switch ensures that connections can only be established from NCP VPN Clients. If connection establishment attempts are made from clients of other manufacturers, these will be refused. The function can be applied globally or on a domain group basis.
Automatic Thin Client Authentication at a Proxy
If a proxy, located within the same Windows domain as the Thin Client, is being used for access to the Internet and authentication of accesses via the proxy is handled by the HTTP Negotiate / Kerberos protocol, the details of the user's existing domain registration at his/her associated Windows system will be used to authenticate the connection from the Thin Client to that proxy. If all these conditions are fulfilled, authentication of the Thin Client at the proxy will be automatic. If not, the user will be presented with the proxy's authentication request prompt.
Note: this feature is independent of the Single Sign-on for SSL VPN functionality mentioned above.
2. Improvements / Problems Resolved
Changes to the Permissions Structure of the Web Server that Displays the Configuration Web Interface
Web document templates can no longer be accessed by entering a complete path unless the user has already logged in to the web server with that browser. Before this change, the HTML structure could be explored and displayed without any configuration details.
The web server is now executed under the user "ncpuser" and group "ncpuser", and web documents are readable exclusively by the user "ncpuser".
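A check for the permissions described above, added here as an example (not NCP's code): it walks a document root and reports files that are not owned by the expected user or that are readable by group or others. The document root and the sample files are constructed; the product's real document path is not stated in these notes.

```python
"""Audit a web document root for the ownership and read permissions the
release notes describe (owner ncpuser, readable by that user only).
Constructed example, not NCP's code; the paths below are assumptions."""
import os
import pwd
import stat
import tempfile
from pathlib import Path

EXPECTED_USER = "ncpuser"   # user the web server runs as, per the release notes


def owner_name(uid: int) -> str:
    """Map a uid to a user name; fall back to the number if it is unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_web_docs(docroot, expected_user: str = EXPECTED_USER) -> list:
    """Return (relative path, reason) for every regular file under docroot that
    is not owned by expected_user or that group/other may read."""
    findings = []
    for path in sorted(Path(docroot).rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()                      # lstat: do not follow symlinks
        rel = str(path.relative_to(docroot))
        owner = owner_name(st.st_uid)
        if owner != expected_user:
            findings.append((rel, f"owned by {owner}, expected {expected_user}"))
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((rel, f"readable by group/other (mode {mode:o})"))
    return findings


def make_sample_docroot() -> str:
    """Constructed sample: one compliant template (0600) and one world-readable one (0644)."""
    root = tempfile.mkdtemp(prefix="ncp_webdocs_")
    templates = Path(root, "templates")
    templates.mkdir()
    good = templates / "login.html"
    good.write_text("<html><!-- constructed template --></html>")
    good.chmod(0o600)
    bad = templates / "status.html"
    bad.write_text("<html><!-- constructed template --></html>")
    bad.chmod(0o644)
    return root


def demo() -> list:
    """Audit the sample docroot; the files belong to whoever runs this script,
    so that user is passed as the expected owner."""
    return audit_web_docs(make_sample_docroot(), owner_name(os.getuid()))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the real document root with the default expected user to check a deployed server.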
3. Known Issues
Failure to download Endpoint Policies (EP) from Secure Enterprise Management (SEM versions earlier than 3.0) to Secure Enterprise VPN Server (SES) 8.10
Endpoint policies download to a SES v8.10 will fail IF from a SEM version earlier than v3.0 OR the SES is not managed by the SEM.
Background: SEM v2.x transmitted packets with an incorrect length. SES v8.10 now checks and ignores packets with incorrect length. Secure Enterprise Management v3.0 has been corrected to transmit packets with correct length.
4. Getting Help for the NCP Secure Enterprise VPN Server
To ensure that you always have the latest information about NCP's products, always check the NCP website at:
http://www.ncp-e.com/en/downloads.html
For further assistance with the NCP Secure Enterprise VPN Server, visit:
http://www.ncp-e.com/en/support.html
Mail: [email protected]
5. Features
Operating System
32 bit Operating System: Linux Kernel 2.6 from 2.6.16
64 bit Operating System: Linux Kernel 2.6 from 2.6.16
Linux Distributions Supported: see Prerequisites, page 1
Recommended System Requirements
Computer CPU: Pentium III (or higher) 150 MHz or comparable x86 processor, 512 MB RAM (minimum), plus 64 MB RAM per 250 concurrently usable tunnels.
Clock speed: data throughput of approx. 4.5 Mbit/s can be realized for each 150 MHz with a Single Core CPU (including encryption). Data throughput of approx. 9 Mbit/s can be realized for each 150 MHz with a Dual/Quad Core CPU (including encryption).
Web Browser for Web Interface and SSL VPN
One of the newer versions of these web browsers:
Internet Explorer
Firefox or other Mozilla based browser
Safari
Chrome
System Requirements for Concurrent SSL VPN Sessions
10 Concurrent Users (CU): CPU Intel Pentium III 700 MHz or comparable x86 processor, 512 MB RAM
50 Concurrent Users: CPU Intel Pentium III 1.5 MHz or comparable x86 processor, 512 MB RAM
100 Concurrent Users: CPU Intel Dual Core 1.83 GHz or comparable x86 processor, 1024 MB RAM
200 Concurrent Users: CPU Intel Dual Core 2.66 GHz or comparable x86 processor, 1024 MB RAM
Dependent on the type of end-device. Mobile end-devices such as Tablet PCs (using iOS or Android), Smartphones, PDAs and others have some restrictions.
The above are approximate values that are significantly influenced by user activity profiles or applications. If a large number of concurrent file transfers (file upload and download) are anticipated, then we recommend increasing the memory value by 50%.
Network Protocols
IP (Internet Protocol), VLAN support
IPv4 protocol
IP traffic inside and outside VPN tunnel can use IPv4 protocol
IPv6 protocol
IP traffic used to establish and maintain the VPN tunnel can use the IPv6 protocol (Client to VPN gateway and Client to NCP Secure Enterprise HA Server); IP traffic inside any VPN tunnel MUST use the IPv4 protocol.
Management
The NCP Secure Enterprise VPN Server is configured and managed either via an NCP Secure Enterprise Management using the Secure Server plug-in or directly via the Web Interface.
Network Access Control (Endpoint Security)
Endpoint Policy Enforcement for incoming data connections.
Verification of predefined, security relevant Client parameters.
Measures in the event of target/actual deviation in IPsec VPN:
Disconnect, or continue in the quarantine zone with instructions for action
Message in Messagebox or start of external applications (e.g. virus scanner update),
Logging in Logfiles (see the Secure Enterprise Management data sheet for more information).
Measures in the event of attempts to perform other than just pre-defined activities in SSL VPN:
Granular reduction in access authorization to certain applications in accordance with defined security levels.
Dynamic Switching of Filter Rules dependent on Endpoint Security Requirements
Execute Endpoint Security only for NCP Clients
IF-MAP (Interface for Metadata Access Points) Support
Realtime Enforcement through the IF-MAP Protocol
Dynamic DNS (DynDNS/DDNS)
Connection establishment via Internet with dynamic IP addresses.
Registration of each current IP address with an external Dynamic DNS provider. In this case the VPN tunnel is established via name assignment (prerequisite: the VPN client must support DNS resolution - NCP Secure Clients support this functionality)
Extension of the Domain Name Server (DNS): reachability of the VPN client under a (permanent) name despite a varying IP address
Periodic updating of the DNS server with username and IP address of the currently connected Client
Multi Company Support
Group capability, support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter groups, IP pools, bandwidth limitation, etc.)
User Administration
Local user administration (up to 750 users),
External authentication via
OTP server
RADIUS
LDAP (support for LDAP over SSL)
Novell NDS
MS Active Directory Services
RADIUS, LDAP and SEM Forwarding
Statistics and Logging
Detailed statistics,
Logging functionality,
Sending SYSLOG messages
Client/User Authentication Process
OTP token,
User and hardware certificates (IPsec) according to X.509 v.3,
User name and password (IKEv1: XAUTH, IKEv2: EAP)
External Authentication with LDAP Bind
Certificates (X.509 v.3)
Server Certificates
Certificates can be used that are provided via the following interfaces:
PKCS#11 interface for encryption tokens (USB and smart cards);
PKCS#12 interface for private keys in soft certificates
Creation and Distribution of Server Certificates with SEM PKI Enrollment Plug-in
Transfer of SubCA Certificate
Server Certificates can be queried via SNMP
Revocation Lists
Revocation: EPRL (End-entity Public-key Certificate Revocation List, formerly CRL), CARL (Certification Authority Revocation List, formerly ARL)
Automatic download of revocation lists from the CA at predefined intervals.
Online check: Checking certificates via OCSP, or OCSP relative to the CA over HTTP
IPsec VPN and SSL VPN – Connections
Transmission media
LAN
Direct operation on the WAN: Support of max. 120 ISDN B-channels (So, S)
Line management: DPD with configurable time interval
Short Hold Mode
Channel bundling (dynamic in ISDN) with freely configurable threshold value
Timeout (controlled by time and charges)
Point-to-Point protocols: PPP over ISDN,
PPP over GSM,
PPP over PSTN,
PPP over Ethernet,
LCP, IPCP, MLP, CCP, PAP, CHAP, ECP
Pool address management
Reservation of an IP address from a pool for a defined period of time (lease time)
Trigger call
Direct dial of the distributed VPN gateway via ISDN, "knocking in the D-channel"
Virtual Private Networking with IPsec
Virtual Private Networking
IPsec (Layer 3 tunneling), RFC-conformant
MTU size fragmentation and reassembly
DPD (Dead Peer Detection)
NAT-Traversal (NAT-T)
IPsec modes: Tunnel Mode, Transport Mode
Seamless Rekeying;
PFS (Perfect Forward Secrecy)
Automatic Return Route Determination (ARRD)
Support for Seamless Roaming in NCP Secure Enterprise Clients
Internet Society RFCs and Drafts
RFC 2401–2409 (IPsec)
RFC 3947 (NAT-T negotiations)
RFC 3948 (UDP encapsulation)
RFC 4306/5996 (IKEv2)
RFC 4555 (MOBIKE)
IP Security Architecture
ESP
ISAKMP/Oakley
IKE (v1)
XAUTH, IKECFG
DPD
IPCOMP
IKEv2 including MOBIKE.
EAP protocols supported:
EAP-PAP
EAP-MD5-Challenge
EAP-MSCHAP-V2
EAP-TLS
IKECFG
FIPS Inside
The Secure Enterprise VPN Server incorporates cryptographic algorithms conformant to the FIPS
standard. The embedded cryptographic module incorporating these algorithms has been validated as conformant to FIPS 140-2 (certificate #1051).
FIPS conformance will always be maintained when any of the following algorithms are used for establishment and encryption of the IPsec connection:
Diffie Hellman Group: Group 2 or higher (DH starting from a length of 1024 Bit)
Hash Algorithms: SHA1, SHA 256, SHA 384, or SHA 512 Bit
Encryption Algorithms: AES with 128, 192 or 256 Bit or Triple DES
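As an added illustration of the conformance rule listed above (example code, not NCP's own), the following Python checker classifies a list of IKE/IPsec proposals against exactly those conditions; the "enc-hash-dhN" proposal notation and the algorithm names are assumptions made for this example, not the server's configuration syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Transcribed from the FIPS section above: conformance is maintained with
# DH group 2 or higher, SHA-1/256/384/512, and AES-128/192/256 or Triple DES.
FIPS_ENC = {"aes128", "aes192", "aes256", "3des"}
FIPS_HASH = {"sha1", "sha256", "sha384", "sha512"}
# DH groups the release notes list as supported: 1, 2, 5, 14-18, 19-21, 25-26.
SUPPORTED_DH = {1, 2, 5, *range(14, 22), 25, 26}

@dataclass(frozen=True)
class Proposal:
    enc: str
    hash_alg: str
    dh_group: int

def parse_proposal(text: str) -> Proposal:
    """Parse the assumed 'enc-hash-dhN' notation, e.g. 'aes256-sha256-dh14'."""
    parts = text.lower().split("-")
    if len(parts) != 3 or not parts[2].startswith("dh") or not parts[2][2:].isdigit():
        raise ValueError(f"unrecognised proposal: {text!r}")
    return Proposal(parts[0], parts[1], int(parts[2][2:]))

def fips_violations(p: Proposal) -> List[str]:
    """Reasons the proposal breaks FIPS conformance; an empty list means conformant."""
    reasons = []
    if p.enc not in FIPS_ENC:
        reasons.append(f"encryption {p.enc} is not AES-128/192/256 or Triple DES")
    if p.hash_alg not in FIPS_HASH:
        reasons.append(f"hash {p.hash_alg} is not SHA-1/256/384/512")
    if p.dh_group not in SUPPORTED_DH:
        reasons.append(f"DH group {p.dh_group} is not supported by the server")
    elif p.dh_group < 2:
        reasons.append(f"DH group {p.dh_group} is below group 2 (1024 bit)")
    return reasons

def audit(proposals: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a proposal list into conformant entries and offenders with reasons."""
    ok, bad = [], {}
    for text in proposals:
        reasons = fips_violations(parse_proposal(text))
        if reasons:
            bad[text] = reasons
        else:
            ok.append(text)
    return ok, bad

# Constructed sample list, mixing conformant and non-conformant proposals.
SAMPLE_PROPOSALS = ["aes256-sha256-dh14", "3des-sha1-dh2", "blowfish128-md5-dh1", "des-md5-dh5"]
```

Running audit(SAMPLE_PROPOSALS) keeps the first two entries and reports the Blowfish/MD5/group-1 and DES/MD5 proposals with one reason per failed condition.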
Encryption
Symmetric processes:
DES; Triple-DES 112, 168 bits; Blowfish 128, 448 bits - IKEv1, IKEv2 and IPsec
AES 128, 192, 256 bits - IKEv1, IKEv2 and IPsec
AES-CTR 128, 192, 256 bits - IKEv2 and IPsec
Dynamic processes for key exchange: RSA to 4096 bits;
Diffie-Hellman Groups: 1, 2, 5, 14-18 - IKE, IKEv2 and IPsec
Diffie-Hellman Groups: 19-21, 25-26 (using Elliptic Curve Cryptography) - IKEv2 and IPsec
Hash Algorithms
MD5, SHA1, SHA 256, SHA 384, SHA 512
IKEv2 Pseudo Random Functions
HMAC MD5, HMAC SHA1, HMAC SHA2-256, HMAC SHA2-384, HMAC SHA2-512
Firewall
Stateful Packet Inspection
IP-NAT (Network Address Translation)
Port filtering
LAN adapter protection
VPN Path Finder
NCP Path Finder Technology: Fallback to IPsec/HTTPS (port 443) if port 500 or UDP encapsulation is not possible.
Authentication Processes
IKEv1 (Aggressive and Main Mode), Quick Mode
IKEv2
XAUTH for extended user authentication
Support for certificates in a PKI: Soft certificates, smart cards, and USB tokens
Pre-shared keys
One-time passwords, and challenge response systems
RSA SecurID ready.
IP Address Allocation
DHCP (Dynamic Host Configuration Protocol) over IPsec;
DNS: Selection of the central gateway with changing public IP address by querying the IP address via a DNS server;
IKE config mode for dynamic assignment of a virtual address to clients from the internal address range (private IP), or IP address assignment by DHCP
Data Compression
IPCOMP (lzs), Deflate
Other Features
VPN via L2TP over IPsec for Android and IPsec for Apple iOS
SSL VPN
Protocols
SSLv1,
SSLv2,
TLSv1 (Application Layer Tunneling)
Web Proxy (Web Applications)
Access to internal web applications and Microsoft network drives via a web interface.
Prerequisites for the end device:
SSL-capable web browser with Java Script functionality
Single Sign-on (SSO) for SSL VPN
Support for SSO in Web Proxy (Web Applications).
Single Sign-on authentication:
Web server application must require the same access data as the SSL VPN client; usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP.
Support for HTTP Authentication protocols (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or using the Post Form Method.
Supported web applications:
Predefined SSO configuration files for Outlook Web Access (OWA) 2003, 2007 and 2010, and
CITRIX Webinterface 4.5 and 5.1. Customer specific application configurations.
Secure Remote File Access (Network Shares)
Upload and download, creation and deletion of directories; corresponds approximately to the functionality of the Windows Explorer under Windows.
Prerequisites for the end device: See Web Proxy
SSO functionality – Network Share username and password can be instantiated from the SSL username and password
Port Forwarding
Access to client/server applications (TCP/IP), including web applications.
Support for Port Forwarding under Mac OS X
SSO Support – application dependent. Support only for applications, such as RDP, which take username/password as command parameter.
Prerequisites for the end device:
SSL-capable web-browser with Java Script support,
Java Runtime Environment (>= V5.0) or ActiveX,
SSL Thin Client for Windows 8, 7, Vista or XP (32/64 bit)
NOTE: Not supported using Microsoft Windows Internet Explorer 11 - please discuss specific requirements with NCP support
PortableLAN
Transparent access to corporate network
Prerequisites for the end device:
SSL-capable web-browser with Java Script support,
Java Runtime Environment (>= V5.0) or ActiveX control,
PortableLAN Client for Windows 8, 7, Vista or XP (32/64 bit)
Virtual Private Desktop
Work area (sandbox), decoupled from the underlying operating system and made available to the user by means of the SSL VPN session.
Applications tested under Virtual Private Desktop: Microsoft Word, Excel, Powerpoint, Outlook and Outlook Web Access, Adobe Acrobat Reader and Flashplayer, Foxit Reader, SSH (putty) and WinZip. Detailed OS / application support matrix available on request.
Prerequisites for the end device:
Microsoft Windows 8, 7, Vista or XP (32/64 bit)
NOTE: Not supported using Microsoft Windows Internet Explorer 11 - please discuss specific requirements with NCP support
Cache Protection for Internet Explorer V.6, 7, 8, 9, 10 and 11
Required when using Internet Explorer. All transmitted data on the end device is deleted automatically after the connection is disconnected.
Prerequisites for the end device:
SSL-capable web-browser with Java Script support
Java Runtime Environment (>= V5.0),
SSL Thin Client for Windows 8, 7, Vista or XP (32/64 bit)
Security Features
Restriction of the Cipher Suite (only AES256-SHA or DES-CBC3-SHA or AES128-SHA)
Prevention of Cross Site Scripting
Other Features
Extended SSL VPN Support for mobile end-user devices
Configuration and User Interface (SSL VPN Start Page)
The SSL service start page can be customized with company specific text and graphics.
Placeholders (%SSLVPNPARAMn%) simplify the customization of complex configurations.