

VPN Management Challenges
The CryptoConsole Revolution
Unlike other solutions, where management has been designed as an afterthought, the CryptoConsole management
software was created by Nokia to work as the very heart of the system, acting as "overseer" of the
entire VPN architecture. All of the elements in the Nokia VPN architecture are easily and visually managed
via the CryptoConsole software that performs configuration, monitoring, and diagnosis of all tunnels in the
cluster. This easy-to-use and comprehensive management tool currently runs on a software platform of
Microsoft Windows 95, 98 or NT. It is a full Java application allowing for GUI-based generation and
examination of security and/or layer-2 tunnel policy and activity. Because the CryptoCluster gateways are
managed as single devices, no matter how many nodes comprise the cluster, configuration and maintenance
overhead is greatly reduced. CryptoConsole software keeps track of the latest policies configured by the
network or security administrator, thus ensuring that all nodes in the cluster are synchronized and their
configurations symmetric and up to date.
Centralized Management and Setup
The CryptoConsole software handles all of the VPN set-up. It is the one place administrators go to add new
devices or new users of all types to a VPN. In order to add new nodes into an existing cluster, or to create
a completely new cluster, the administrator simply runs the Install Gateway wizard from the PC or laptop
running the management software. The CryptoConsole software will inform the administrator of a very short
list of information that needs to be typed into the serial console of this new cluster node. For security
purposes, this information will include a time-limited security token for access into the cluster. This is
all the console configuration that ever needs to be performed on any physical node. This gives administrators the
option of staging the new hardware at a central location by entering this required security information into
the new node before deployment. Then, installation can be performed by any personnel, without concern for
potential security compromise. Less experienced employees can be employed to physically plug nodes into the
network. The remainder of the required configuration information will be given to the new cluster node from
either another cluster member or directly from the PC or laptop running the CryptoConsole management
software. Since the configuration is centrally created, managed, monitored and changed, all elements work
together seamlessly. Built-in policy testing ensures that logical and correct security policies are in
place.
Multi-level, Simultaneous Administration
CryptoConsole management software has two levels of access to enable administrators with varying degrees of
authority to manage different subsets of the overall VPN policy. The administrators are grouped into two
privilege levels. Security: administrators can manage every portion of VPN configuration, including critical
IPSec policy. They can also construct new usernames, passwords and layer 2 tunneling parameters. Monitoring:
administrators are allowed access only to view statistics and information about the configuration and
operation of the system, not to make changes. Both levels can view statistics on performance of clusters,
nodes, CPUs, and cryptographic co-processors as well as user and tunnel statistics.
Complete Security & Remote Access Configuration
CryptoConsole software communicates securely with each cluster using Secure Sockets Layer (SSL). Any PC with
CryptoConsole software and access to the fileserver holding the configuration files can monitor and
administer the VPNs. Administrators can use the GUI-based tool to view statuses and make any necessary
changes at home as easily as when they are at the office. Monitoring of remote clusters is also possible.
Since each configuration profile is held in a separate file and is only accessed on demand, the only
constraint on number of managed elements is disk space. Hence, a single console can manage a virtually
unlimited number of clusters. And CryptoCluster gateways are compliant with SNMPv1 MIB II and SNMPv2c.
Built-in Certification Authority for IPSec
In order to help speed deployment and ease the configuration overhead involved with deploying IPSec, a
built-in certification authority is included in each CryptoCluster gateway. This allows the cluster to issue
and sign certificates for CryptoCluster gateways as well as our IPSec client. CryptoConsole management
software is also able to revoke certificates.
Management Benefits
Having all of this contained in one management and configuration PC or laptop creates a single location for
all relevant VPN information to be stored and accessed. This makes administration remarkably simple. Even
intensely complex IPSec policy can be confidently and understandably managed with this tool. CryptoConsole
software is much more than an add-on to the security solution; it is truly the heart of it. With this tool
administrators can tackle the task of securing communication adequately, in varying levels, and be assured
that they are doing it correctly and efficiently. And on-call staff can view status without fear that errors
might affect corporate security.
Powerful.
Comprehensive Policy Management…
This remarkable tool allows the many complex aspects of security to be managed with ease and confidence.
More than a mere add-on to the security solution, it provides a central point of control and monitoring for
all components of the VPN. Using CryptoConsole™ software, administrators can accomplish the task of
securing communications at any and all levels and be assured that they are doing it correctly and
efficiently.
Far Reaching.
Global Control…
Because resources and end users may be dispersed across vast distances, it is crucial that network
administrators have a tool that can give them truly far reaching control. The CryptoConsole can manage
single servers, clusters, multiple clusters, and client software policies no matter where they are – all from
a single interface.
Informative.
Comprehensive Monitoring…
CryptoConsole™ software provides a complete set of tools that allow clusters or individual members to
be monitored for status and performance.
Functions Performed by the CryptoConsole management software:
Managing tunnels
Deploying security policy
Configuring client stations
Configuring server clusters
Managing certificates
Monitoring VPN status
Viewing status/performance of cluster nodes
Adding/managing users
Built-in policy checking
Statistics Viewable from the CryptoConsole management software
Cluster-wide Statistics and Node Statistics
Versions:
Cluster Kernel Version
Cluster Configuration Version
Aggregate Monitoring:
Cluster-wide Log events
Cluster-wide Audit events
Hardware Statistics by Node:
Primary CPU -- Usage and History
Secondary CPU -- Usage and History
Cryptographic Processor -- Usage and History
Memory -- Usage and History
Input/Output Load
IKE and IPSec Security Associations:
Outbound associations
Inbound associations
Expired associations
Pending associations
IPSec Tunnels:
ESP packets sent
ESP packets received
AH packets sent
AH packets received
ESP lookup failures
AH lookup failures
Replay Statistics
Advanced Protocol Statistics:
UDP Protocol Statistics
TCP Protocol Statistics
ICMP Protocol Statistics
AH Protocol Statistics
ESP Protocol Statistics
GRE Protocol Statistics
Requirements
128 MB RAM recommended and 20 MB disk space
Windows NT (running 4.0 or greater), Windows 98, Windows 95