
Add Security to PacketWise

Procedures to allow or disallow access to PacketWise

PacketWise offers a variety of methods to make itself and its user interfaces secure. The methods range in complexity, security level, and requirements for third-party products. Of course, if your LAN is protected by a firewall, then the unit is protected to the same extent as the rest of your hosts. In addition, you can choose any of the following methods:

Note that in large multi-unit deployments you can use PolicyCenter to achieve economies of scale with all of the security methods described here except one. The settings and policies involved in each method can be set with PolicyCenter and shared among units, which makes security tasks easier and shorter; setting each unit to a non-routable IP address, however, requires touching each unit's own user interface.

Look and Touch Passwords

The most basic level of secure access is afforded by two passwords, one for look (read-only access) and one for touch (read-write access). Whoever has the passwords has access. To change the passwords, modify the security settings.

Access Lists

You can specify a list of hosts or subnets that are approved for PacketWise access. If users from hosts that aren't on the approved list attempt to access PacketWise, they're blocked. To specify a list, modify the security settings. Choose the list option from the Outside Interfaces field and then specify the IP addresses of the approved hosts.

Access Control Lists

Packeteer's localhost class manages traffic passing between the PacketShaper itself and the outside world. By creating subclasses underneath the localhost class using standard PacketShaper policies, you can define very granular policies controlling the traffic accessing the box. For example, it might be wise to assign a high priority to traffic coming from your remote PolicyCenter server. Or you might want to assign high priority to traffic coming from the management subnet. Or you might want to block all of the ICMP traffic coming from a network discovery server not associated with this installation.

The localhost class is also useful for monitoring the traffic load that network management traffic puts on the network: you can see things like the number of TCP connections generated by various management applications, the number of failed connections, the amount of bandwidth being consumed by SNMP queries, how often they are occurring, and so forth. One easy way to do this is to turn on traffic discovery for a class, which will automatically discover and track all of the different protocols being used to manage the PacketShaper.
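The kind of view the paragraph above describes (connections per management application, failed connections, SNMP load and query rate) can be produced from any flow records for traffic addressed to the appliance itself. The following is an added illustration, not PacketWise or PolicyCenter code: the flow records are constructed, and their (src, proto, dst_port, bytes, tcp_flags) layout, the PORT_NAMES map and the function names are assumptions made for this example.

```python
"""Summarise the load that management traffic puts on an appliance.

Added illustration, not PacketWise code: the flow records below are constructed,
and their (src, proto, dst_port, bytes, tcp_flags) layout is an assumption
made for this example.
"""

# Constructed flow records for connections to the appliance's own address.
# tcp_flags is None for non-TCP flows; "R" marks a TCP connection that was reset
# (a failed connection), "SA" a completed handshake.
SAMPLE_FLOWS = [
    ("10.0.5.20", "tcp", 22, 4200, "SA"),
    ("10.0.5.20", "tcp", 22, 3900, "SA"),
    ("10.0.5.21", "tcp", 443, 18000, "SA"),
    ("10.0.9.7", "tcp", 23, 0, "R"),
    ("10.0.9.7", "tcp", 23, 0, "R"),
    ("10.0.5.30", "udp", 161, 220, None),
    ("10.0.5.30", "udp", 161, 230, None),
    ("10.0.5.30", "udp", 161, 210, None),
    ("10.0.5.30", "udp", 161, 240, None),
    ("10.0.9.7", "icmp", 0, 64, None),
]

# Assumed port-to-service map for the management services the page lists.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}
CLEAR_TEXT = {"telnet", "http", "ftp"}


def service_name(proto, port):
    """Map a flow to the management service it targets."""
    if proto == "icmp":
        return "icmp"
    return PORT_NAMES.get(port, f"{proto}/{port}")


def summarise(flows, window_seconds=60):
    """Per-service counters: connections, failed connections, bytes, and rates over the window."""
    stats = {}
    for src, proto, port, nbytes, flags in flows:
        s = stats.setdefault(service_name(proto, port),
                             {"connections": 0, "failed": 0, "bytes": 0, "sources": set()})
        s["connections"] += 1
        s["bytes"] += nbytes
        s["sources"].add(src)
        if proto == "tcp" and flags == "R":
            s["failed"] += 1
    for s in stats.values():
        s["per_second"] = s["connections"] / window_seconds          # query/connection frequency
        s["kbps"] = s["bytes"] * 8 / window_seconds / 1000             # bandwidth consumed
    return stats


def findings(stats, max_failed=1):
    """What an operator would want flagged: repeated failures and clear-text protocols in use."""
    out = []
    for name, s in sorted(stats.items()):
        if s["failed"] > max_failed:
            out.append(f"{name}: {s['failed']} failed connections from {sorted(s['sources'])}")
        if name in CLEAR_TEXT:
            out.append(f"{name}: clear-text management protocol in use from {sorted(s['sources'])}")
    return out


if __name__ == "__main__":
    stats = summarise(SAMPLE_FLOWS)
    for name, s in sorted(stats.items()):
        print(f"{name:8} conns={s['connections']:3} failed={s['failed']:2} "
              f"rate={s['per_second']:.2f}/s load={s['kbps']:.2f} kbit/s")
    for line in findings(stats):
        print("!", line)
```

Run against the constructed records, the summary shows four SNMP queries in the window (0.12 kbit/s) and two reset telnet connections from one host, and the findings list flags the telnet source twice: once for the failures and once for using a clear-text protocol.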

SSL Access

Use the industry-standard SSL (Secure Sockets Layer) protocol to secure your management sessions with PacketWise using either the browser interface or the command-line interface (CLI). The browser interface uses HTTPS (HTTP over Secure Sockets Layer) protocol and the CLI uses SSH (Secure Shell) protocol.

PacketWise accepts both secure and clear-text protocols: httpd, httpsd, telnetd, sshd, ftpd, snmpd, tcpechod, ldap client, ssl ldap client, ftp client, and so on. Use of a secure protocol for management sessions is optional.

You can change the port numbers and/or security certificates used by PacketWise for SSH and HTTPS, as well as display the status of each of these protocols.

Outside Interface Secure

You can prevent access from any host on PacketWise's outside interface (usually the Internet). Modify the security settings, choosing the secure option from the Outside Interfaces field.

Note that you can also block access from any inside host on your own LAN. Users who choose that option most often do so by mistake, and they are then unable to change it back because they have blocked their own access. If you do this by mistake, you'll need to use PacketWise's command-line interface over a cable connected to the unit's CONSOLE port to fix the problem.
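The Access Lists section and the Outside Interface Secure section above describe the same decision from two angles: which hosts or subnets may reach the management interfaces, and whether the outside (or inside) interface is closed entirely. The example below is an added model of that decision, not PacketWise code; the mode names (open, list, secure) mirror the Outside Interfaces options on this page, while the function names, the policy dictionary layout and the lockout guard are assumptions for this example. The guard implements the check a practitioner wants for the mistake described just above: refuse a policy change that would block the very session applying it.

```python
"""Model of an appliance's management-access policy with a self-lockout guard.

Added illustration, not PacketWise code. Mode names follow the page's
Outside Interfaces field; everything else (function names, policy dict
layout, the lockout guard) is an assumption of this example.
"""
import ipaddress


def parse_allow_list(entries):
    """Turn 'host' or 'host/prefix' strings into networks; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src, interface, mode, allow_list=(), inside_blocked=False):
    """Decide whether a management connection from src, arriving on 'inside' or
    'outside', may proceed under the given policy."""
    addr = ipaddress.ip_address(src)
    if interface == "inside":
        # The separate "block inside hosts" option is the one that locks admins out.
        return not inside_blocked
    if interface != "outside":
        raise ValueError(f"unknown interface {interface!r}")
    if mode == "secure":          # block every outside host
        return False
    if mode == "list":            # only approved hosts/subnets
        return any(addr in net for net in allow_list)
    if mode == "open":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def apply_policy(new_policy, admin_src, admin_interface):
    """Refuse a policy that would cut off the administrator applying it.

    Recovering from that state needs the serial CONSOLE port, so it is cheaper
    to reject the change up front."""
    if not is_allowed(admin_src, admin_interface, new_policy["mode"],
                      new_policy["allow_list"], new_policy["inside_blocked"]):
        raise RuntimeError("refusing policy: it would block the session applying it")
    return new_policy


if __name__ == "__main__":
    policy = {
        "mode": "list",
        "allow_list": parse_allow_list(["10.0.5.0/24", "192.0.2.10"]),   # constructed
        "inside_blocked": False,
    }
    for src, iface in [("10.0.5.20", "outside"), ("10.0.9.7", "outside"),
                       ("192.0.2.10", "outside"), ("10.0.9.7", "inside")]:
        print(f"{src:12} via {iface:8} -> {'allow' if is_allowed(src, iface, **policy) else 'deny'}")
    try:
        apply_policy(dict(policy, inside_blocked=True), "10.0.9.7", "inside")
    except RuntimeError as exc:
        print("guard:", exc)
```

With the constructed list, only hosts in 10.0.5.0/24 and the single host 192.0.2.10 are accepted from outside; switching the mode to secure rejects all of them while inside hosts remain unaffected, and the guard stops an administrator connected from inside from enabling the inside block against themselves.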

Invisible IP Address

PacketWise units are transparent in the network and do not appear in routing tables or as a traceroute hop, so their IP addresses are hidden. A malicious attempt at intrusion would find it much more difficult to guess or discover a PacketWise unit than a typical router. You need not take any action to gain this type of security.

Virtual, Non-Routable IP Address

If the combination of your firewall, the outside secure setting, and passwords is not sufficient security, you can assign your PacketWise unit a non-routable virtual IP address. This is a made-up address that is not part of your normal, routable IP address ranges. A PacketWise unit can recognize its own IP address as traffic passes, even if that address is not a member of the physical subnet where it resides. To change your PacketWise IP address, reconfigure the basic settings.

RADIUS Authentication

If you want to take advantage of your RADIUS (third-party software) user authentication, login, and accounting features, you can integrate PacketWise and RADIUS. PacketWise offers one touch (read-write) and one look (read-only) password for all users. RADIUS allows you to assign different logins/passwords to each user.

Steps:

  1. First, configure the RADIUS server with Packeteer-specific attributes.

  2. Configure the RADIUS authentication service in PacketWise.

  3. Configure the RADIUS accounting service in PacketWise to have an audit trail of user logins.

  4. Log into PacketWise using RADIUS.

    Note: If you are unable to log in, see RADIUS Authentication Troubleshooting.

    To see a list of current RADIUS user sessions and detailed information about each session, use the command-line radius session command.
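Steps 2 and 3 above hand the login decision to a RADIUS server, so it helps to see what actually crosses the wire between the unit (the RADIUS client) and that server. The following is an added example of the RFC 2865 Access-Request / Access-Accept exchange with both sides implemented; it is not PacketWise or Packeteer code, and the Packeteer-specific attributes mentioned in step 1 are not defined here. The shared secret, user database and function names are constructed for the example. It shows the two things that matter for the security of this integration: the User-Password attribute is hidden with MD5 keyed by the shared secret and the per-request Request Authenticator, and the client must verify the Response Authenticator before it trusts an Accept.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange, both sides.

Added example, not PacketWise or Packeteer code. The shared secret, the user
table and all function names are constructed; vendor-specific attributes are
not modelled.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Type-Length-Value encoding; Length covers the two header bytes too."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password; the server needs the same secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode()


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def client_access_request(user, password, secret, ident=1):
    """Client side: build the request. The Request Authenticator is fresh random bytes."""
    ra = os.urandom(16)
    body = _attr(ATTR_USER_NAME, user.encode()) + _attr(ATTR_USER_PASSWORD, encode_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def server_handle(request, secret, users):
    """Server side: recover the password, check it, answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed request")
    ra = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    supplied = decode_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    ok = user in users and hmac.compare_digest(users[user], supplied)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()   # no attributes in this reply


def client_verify_response(response, request_auth, secret):
    """Client side: recompute the Response Authenticator before trusting the answer.
    Returns True for a verified Accept, False for a verified Reject."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("response authenticator mismatch: not from the expected server, or tampered")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed for the example
    USERS = {"netops": "correct horse battery"}     # constructed user table
    req, ra = client_access_request("netops", "correct horse battery", SECRET)
    print("accepted:", client_verify_response(server_handle(req, SECRET, USERS), ra, SECRET))
```

Two consequences follow from the code: a wrong shared secret on either side decodes the password to garbage and makes every authenticator check fail, which is the first thing to verify when step 4 does not work; and a reply whose code has been flipped from Reject to Accept on the wire fails the Response Authenticator check rather than granting access.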

PacketGuide™ for PacketWise® 8.3