Central Site Remote Access Switch 239

CONFIGURING ENCRYPTION
Encryption Background Information

AUTOMATED KEY EXCHANGE

The CyberSWITCH’s automated key exchange uses a proprietary protocol defined for use with Cabletron remote access products. This proprietary protocol exchanges information during ECP (Encryption Control Protocol) negotiation to produce proper keys.

To use automated key exchange, the feature must be enabled for each device, and the DES/RSA resource must be properly configured and installed on the CyberSWITCH.

When a PPP call to a particular device is initiated or received, the CyberSWITCH will attempt to use ECP to negotiate encryption (if it is enabled for this device). If ECP negotiation succeeds, then data transmitted over the PPP link will be encrypted using 56-bit session keys. The CyberSWITCH will encrypt outgoing plain text using the encryption key, and decrypt incoming enciphered data using the decryption key. If ECP negotiation fails, then the CyberSWITCH will bring down the call. When encryption is enabled, an unsecure PPP session will not be allowed.

INTERACTION WITH OTHER FEATURES

IP FILTERS

You can use IP Filters to automatically discard or forward IP datagrams based on the contents of various fields within the IP datagram. You can also use ESP Tunnel Mode to allow IP datagrams to tunnel through IP filters. To assure the proper filtering, you must understand whether an IP filter is applied to the encapsulated datagram or the unencapsulated datagram.

When an ESP datagram is simply passing through a node to be routed from a previous hop to the next hop, any IP filters will be applied only to the encapsulated datagram. The original source and destination, protocol, and any other information from the original datagram will not be used in any filtering logic.

On the source gateway, the original datagram will tunnel through any output filters. However, on the destination gateway, input filters will be applied first to the ESP and then to the original datagram. The ESP datagram will be filtered by an output filter on the source gateway and an input filter on the destination gateway. Global filters on both gateways apply to both the ESP and the original datagram.

The following tables list which filters are applicable to the different datagrams:

Original Datagram      Input filters   Global filters   Output filters
source gateway         no              yes              no
intermediate node      no              no               no
destination gateway    yes             yes              no

ESP Datagram           Input filters   Global filters   Output filters
source gateway         no              yes              yes
intermediate node      yes             yes              yes
destination gateway    yes             yes              no
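
The filter applicability in the two tables above, modelled as an added example (not code from the manual or from the CyberSWITCH software): it shows where a discard rule written against the original datagram's fields can and cannot take effect along a tunnel path. The names Datagram, Rule, APPLIES, node_discards and traverse are hypothetical, the discard-only rule model and the input/global/output evaluation order within a node are assumptions, and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str                          # "tcp", "udp", "esp", ...
    dport: Optional[int] = None
    inner: Optional["Datagram"] = None  # original datagram carried in ESP tunnel mode

@dataclass(frozen=True)
class Rule:                             # hypothetical discard rule; None is a wildcard
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, d: Datagram) -> bool:
        pairs = ((self.proto, d.proto), (self.dst, d.dst), (self.dport, d.dport))
        return all(want is None or want == got for want, got in pairs)

# The manual's two tables: (node role, datagram kind) -> filter types applied.
APPLIES = {
    ("source", "original"): {"global"},
    ("intermediate", "original"): set(),
    ("destination", "original"): {"input", "global"},
    ("source", "esp"): {"global", "output"},
    ("intermediate", "esp"): {"input", "global", "output"},
    ("destination", "esp"): {"input", "global"},
}

def node_discards(role, filters, esp):
    """Return (filter_type, kind) for the first discard hit at this node, else None."""
    # ESP is checked before the original, as the text states for the destination.
    for kind, dgram in (("esp", esp), ("original", esp.inner)):
        for ftype in ("input", "global", "output"):   # order is an assumption
            rules = filters.get(ftype, [])
            if ftype in APPLIES[(role, kind)] and any(r.matches(dgram) for r in rules):
                return (ftype, kind)
    return None

def traverse(path, esp):
    """path is a list of (role, filters); return (role, filter_type, kind) or None."""
    for role, filters in path:
        hit = node_discards(role, filters, esp)
        if hit:
            return (role, *hit)
    return None

# Constructed sample: a Telnet datagram tunnelled between two gateways.
TELNET = Rule(proto="tcp", dport=23)
ORIGINAL = Datagram("10.1.0.5", "10.2.0.9", "tcp", 23)
ESP = Datagram("192.0.2.1", "198.51.100.1", "esp", inner=ORIGINAL)
```

With these samples, a Telnet discard rule placed as an output filter on the source gateway or as an input filter on an intermediate node never fires; it only takes effect as a global filter on either gateway or as an input filter on the destination gateway.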