Alcatel-Lucent Security Management Server (SMS) Release 9.2 Administration Guide
260-100-017R9.2 Issue 4 September 2009

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2009 Alcatel-Lucent. All Rights Reserved.

Contents

About this information product
  Purpose
  Reason for reissue
  Who Should Read this Book?
  What is in this Book
  What is Not in this Book
  Supported Brick devices
  Where to Find Technical Support
  How to comment

1 Getting Started
  Overview
  To Log On and Off the SMS Server or Compute Server
  To Use the Navigator Window
  To Operate the SMS
  Organizing the SMS Interface
  Applying Changes
  Concurrency Control
  To Enable Concurrency Control
  To Force a Logout of an Administrator
  Basic Configuration Requirements

2 SMS Redundancy
  Overview
  SMS Redundancy Concepts
  How Redundancy Works
  Redundant SMS Monitoring
  To Configure a Secondary SMS or Compute Server

3 Configuring and Activating an Alcatel-Lucent VPN Firewall Brick® Security Appliance
  Overview
  Deployment Considerations for a Brick Device
  To Configure a Brick Device on the SMS
  Brick Device Failover
  To Set Up Brick Device Failover
  To Manually Initiate Failover
  To Activate a Brick Device

4 Configuring Alcatel-Lucent VPN Firewall Brick® Security Appliance Ports
  Overview
  To Configure a Physical Port
  To Assign a Security Policy to a Port
  To Enable or Disable the BSR Voice Gateway (BVG) And/Or BSR Packet Gateway (BPG) Feature(s)
  Static Routes
  To Add a Static Route
  To Modify a Static Route
  To Activate or Deactivate a Static Route
  To Delete a Static Route
  To Activate a Login Banner on the Brick Serial Port Console

5 Maintaining an Alcatel-Lucent VPN Firewall Brick® Security Appliance Configuration
  Overview
  To View a Brick Snapshot
  To Modify a Brick
  To Apply Changes to a Brick Device
  To Delete a Brick Device
  To Move a Brick Device
  To Reboot a Brick Device
  To Reboot a Brick Device via the SMS
  To Refresh the MAC Table
  ARP and MAC Handling in the Brick
  Static MAC and ARP Assignments
  To Initiate a Ping or Traceroute from a Brick Device
  To Download Software to a Standalone Brick
  To Download Software to a Failover Brick
  To Download Software to Multiple Bricks
  To Configure Intelligent Cache Management

6 Configuring VLANs on Alcatel-Lucent VPN Firewall Brick® Security Appliances
  Overview
  What is a VLAN?
  Why Build VLANs?
  Forwarding Packets and VLAN Boundaries
  To Configure and Activate the Brick
  To Configure the Brick Physical Ports for VLAN-Tagged Traffic
  To Assign a Policy to the Ports
  To Associate a Network with a VLAN
  What are VLAN Bridge Groups?
  To Enable a Brick to Support VLAN Bridge Groups
  Configuring Bridging Between Specific VLANs
  Save and Apply the VLAN Configuration

7 Configuring Alcatel-Lucent VPN Firewall Brick® Security Appliance Partitions
  Overview
  What are Brick Partitions?
  Configure Brick Partitions
  Use Static Routes with Partitions
  Allow Partitions to Intercommunicate with Static Routes
  Save and Apply the Brick Configuration
  Interpreting IP Addresses When Brick Partitions Are Configured

8 Creating SMS Groups and Administrators
  Overview
  What is a Group?
  To Create a Group
  To Maintain Groups
  SMS and Group Administrators
  To Create Administrator Accounts
  To Assign Groups and Privileges
  To Maintain Administrator Accounts
  To Use the SMS Messenger

9 Compute Servers
  Overview
  What is a Compute Server?
  To Configure a Compute Server

10 Remote Administration
  Overview
  The SMS Remote Navigator
  To Install the Remote Navigator on Microsoft® Windows® or Vista™
  To Install the Remote Navigator on Solaris®
  Permitting Remote Administration on the SMS
  To Create the Host Group
  To Create the Security Rules
  To Log in from a Remote Host
  Remote Administrator Capabilities

11 Using the Configuration Assistant
  Overview
  The SMS Configuration Assistant
  Alarms
  Detailed Policy Audit
  Direct Paging
  FIPS
  GUI and Status Monitor Parameters
  Log Files
  Log Transfer
  Login Banner
  SMS Web Server
  Reports
  SNMP Agent
  Software Download
  Strong Passwords
  TL1 Alarms
  Tunable Parameters
  User Authentication

12 Backing Up and Restoring Data
  Overview
  Automatic Backup
  Manual Backup
  Scheduled Backups
  To Restore SMS Data on a Primary SMS
  To Restore SMS Data on a Secondary SMS
  Restore Scenarios on Redundant SMSs
  Other Restore Scenarios

13 Task Scheduler
  Overview
  What is the Task Scheduler?
  Schedule Editor

14 Using the Status Monitor
  Overview
  To Access the Status Monitor
  How to Interpret the Status Monitor
  Status Overview Window
  Administrators Window
  SMS/CS and Bricks Status Window
  Brick Status Windows
  Console Alarms Window

A Administer an Alcatel-Lucent VPN Firewall Brick® Security Appliance Over the Internet from an Unregistered SMS
  Overview
  Background
  To Configure the Brick
  To Assign the Administrative Zone and Enter a VBA
  To Add NAT Rules to the administrativezone Ruleset
  To Activate the Remote Brick

B Sizing Guidelines
  Overview
  Sizing Tool
  Determine CPU Capacity
  Memory Utilization
  Disk Capacity for Log Files
  Disk Configuration

C Changing the IP Address of the SMS
  Overview
  To Change the IP Address of a Primary LSMS
  To Change the IP Addresses of a Primary SMS and Secondary SMS in a Redundant Pair
  After the Update

D Support for Non-IP Protocols
  Overview
  Ethertype and DSAP Files
  Procedure for Passing Non-IP Packets

E VPN Firewall Solution Ports
  Overview

F New Feature Setup
  Overview
  Determining Current SMS Feature Setup
  To Use the New Feature Setup Utility

Index