Forcepoint IPsec Guide
Forcepoint Web Security Cloud, 2019

©2019, Forcepoint. All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin TX 78759

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint.

Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.

Document updated: March 14, 2019

Contents

Chapter 1 Introduction (page 1)
  Supported devices (page 3)
Chapter 2 Getting started (page 5)
  Device authentication: digital certificate or PSK (page 7)
Chapter 3 Configuration process (page 9)
  Configuration steps (page 10)
  Setup process: flow chart (page 13)
  Configuration checklist (page 14)
Chapter 4 Next steps (page 15)
Chapter 5 Generating device certificates (page 19)
Chapter 6 Using IPsec with the hybrid service (page 23)
Chapter 7 Recommendations and best practices (page 25)
Chapter 8 Limitations (page 27)
Chapter 9 Troubleshooting (page 29)

Chapter 1: Introduction
Forcepoint IPsec Guide | Forcepoint Web Security Cloud | March 2019

Forcepoint IPsec connectivity is used to securely forward traffic from your network’s edge devices to the cloud service over a virtual private network (VPN). This guide introduces the basics of Forcepoint’s IPsec solution, and provides information on planning and deploying IPsec in your network.

Introduction to the Forcepoint IPsec solution

Internet Protocol Security (IPsec) is an extension to the IP protocol that provides secure traffic tunneling by authenticating and encrypting information sent over a network. Forcepoint IPsec supports transparent end user identification via NTLM, allowing users to browse the Internet without explicitly providing logon credentials.

IPsec uses Authentication Headers (AH) to provide data origin authentication, and Encapsulating Security Payload (ESP) to provide data confidentiality and integrity. Traffic to the Forcepoint IPsec service can be fully encapsulated in tunnel mode, providing complete traffic encryption.
Typical uses for the IPsec service include providing Forcepoint Web Security Cloud protection for:
● Remote offices
● Guest Wi-Fi networks
● Organizations that want to secure traffic sent to the cloud service
● Organizations that have dynamic egress IPs (using IPsec with digital certificate authentication)
● Organizations that do not want a Group Policy Object (GPO) or browser configuration
● Organizations that are unable to or do not want to install an endpoint on client machines
● Organizations with a “bring your own device” policy.

A typical site-to-site IPsec tunneling deployment is shown in the following diagram.

Benefits

Using IPsec to forward traffic to the cloud service can provide a number of benefits. These include:
● There is no need to install endpoint software on client machines or deploy browser configuration PAC files through Group Policy Objects, making it ideal for BYOD or guest networks.
● Traffic inside the tunnel can be protected via encryption.
● The decryption processing burden is offloaded from end-user devices to the IPsec tunneling infrastructure.
● Your network’s internal IP addresses are available to the cloud service, so:
  ■ Policies can be created based on internal IP addresses or address ranges
  ■ Authentication bypass can be set based on IP addresses or address ranges
  ■ Reports can be created using internal IP addresses to identify individual users.

Supported devices

For the latest list of supported devices for use with the Forcepoint IPsec service, see the knowledge base article IPsec configuration settings. Only the devices listed have been tested and verified, but other devices that support Forcepoint’s recommended configuration settings for IPsec, and can forward port 80 and 443 traffic to the tunnel, can be used. Forcepoint recommends using the latest firmware for your device.
Supported standards

Forcepoint Web Security Cloud is compliant with the following Internet Key Exchange (IKEv1 and IKEv2) specifications:
● IKEv1 – RFC 2409/4109 (November 1998/May 2005), supported for PSK and certificate authentication.
● IKEv2 – RFC 5996 (September 2010), supported and recommended for PSK authentication.

Note: For detailed guidance on configuring Forcepoint NGFW, Cisco, Fortinet, Juniper, and Palo Alto devices for IPsec, please refer to the following articles in the Forcepoint Knowledge Base:
● Forcepoint NGFW
● Cisco
● Fortinet
● Juniper
● Palo Alto
You must log in to My Account to access these articles.

Chapter 2: Getting started

This chapter outlines the planning and configuration stages required when deploying Forcepoint IPsec connectivity.

Capacity planning

Forcepoint IPsec supports up to 20k connections and 200 Mbps per tunnel. To scale beyond this, you will need to split traffic between multiple IPsec tunnels. For example:
● If your requirement is for 10k connections and 500 Mbps, you will need 3 tunnels.
● If your requirement is for 35k connections and 25 Mbps, you will need 2 tunnels.

Redundancy and failover

Forcepoint strongly recommends configuring
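The capacity-planning rule above, generalised as an added example (not Forcepoint's own tooling): the tunnel count is whichever of the two per-tunnel limits, 20k connections or 200 Mbps, is exceeded by the larger factor. The site names and figures in the sample are constructed, except the guide's own two cases.

```python
"""Capacity planning helper for Forcepoint IPsec tunnels (added example).

Encodes the per-tunnel limits stated in the guide (20,000 connections and
200 Mbps) and generalises its two worked cases: the number of tunnels is
driven by whichever limit is exceeded by the larger factor.
"""
import math

MAX_CONNECTIONS_PER_TUNNEL = 20_000  # per-tunnel limit stated in the guide
MAX_MBPS_PER_TUNNEL = 200            # per-tunnel limit stated in the guide


def tunnels_required(connections: int, mbps: float) -> dict:
    """Return the number of tunnels a site needs and which limit decides it."""
    if connections < 0 or mbps < 0:
        raise ValueError("requirements must be non-negative")
    by_conn = math.ceil(connections / MAX_CONNECTIONS_PER_TUNNEL)
    by_bw = math.ceil(mbps / MAX_MBPS_PER_TUNNEL)
    tunnels = max(by_conn, by_bw, 1)  # every site needs at least one tunnel
    binding = "connections" if by_conn >= by_bw else "bandwidth"
    return {
        "tunnels": tunnels,
        "binding_limit": binding,
        # Even split across tunnels: what each tunnel carries if the site's
        # subnets are balanced across them, useful when partitioning traffic.
        "connections_per_tunnel": math.ceil(connections / tunnels),
        "mbps_per_tunnel": round(mbps / tunnels, 1),
    }


def plan_sites(sites: dict) -> dict:
    """Apply tunnels_required to a map of site name -> (connections, mbps)."""
    return {name: tunnels_required(c, m) for name, (c, m) in sites.items()}


if __name__ == "__main__":
    # Constructed sample: the guide's two cases plus one site within limits.
    sample = {
        "branch-a": (10_000, 500),   # guide's example: 3 tunnels (bandwidth-bound)
        "branch-b": (35_000, 25),    # guide's example: 2 tunnels (connection-bound)
        "guest-wifi": (3_000, 40),   # constructed: fits in a single tunnel
    }
    for name, plan in plan_sites(sample).items():
        print(name, plan)
```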
