GlobeSurfer® II 1.8 - 7.2 - 7.2 S
REFERENCE MANUAL
6.6.3 Universal Plug and Play
To access the UPnP settings, perform the following:
1. Click ‘Universal Plug and Play’ on the ‘Advanced’ screen of the management console. The Universal Plug and Play settings screen will be displayed (see Figure 6.22).
2. Check the ‘Allow other network users to control GlobeSurfer® II’s network features’ checkbox to enable the UPnP feature. This will enable you to define UPnP services on any of the LAN hosts.
Check the ‘Enable automatic cleanup of old unused UPnP services’ checkbox to enable automatic cleanup of invalid rules. When enabled, this feature checks the validity of all the UPnP services and rules every 5 minutes. Any UPnP defined service that is found to be old and not in use is removed, unless a user-defined rule (see Security screen) depends on it. This feature is disabled by default.
Since the maximum number of UPnP defined services is limited to 256, you should enable the cleanup feature if you might exceed this limit.
In which case might the limit be exceeded? UPnP services are not deleted when a computer is disconnected without a proper shutdown of the UPnP application (e.g. messenger). Thus, if you are running a boingo, services may often not be deleted, which will eventually lead to exhaustion of rules and services, and no new services can be defined. In this scenario the cleanup feature will find the services that are no longer valid and remove them, preventing services exhaustion.
Figure 6.22 UPnP
6.6.4 Scheduler Rules
Scheduler rules are used for limiting the activation of settings, such as firewall rules, to specific time periods, specified in days
of the week, and hours.
Figure 6.23 Scheduler rules
To define a rule:
1. Click ‘Scheduler rules’ on the ‘Advanced’ screen of the management console. The Scheduler rules screen will appear (see Figure 6.23).
2. Click the ‘New scheduler entry’ link. The Scheduler rule edit screen will appear (see Figure 6.24).
Figure 6.24 Edit scheduler rule
3. Specify a name for the rule in the ‘Name’ field.
4. Specify if the rule will be active/inactive during the designated time period, by selecting the appropriate ‘Rule activity settings’ check box.
5. Click the ‘New time segment’ entry link to define the time segment to which the rule will apply. The Time segment edit screen will appear (see Figure 6.25).
Figure 6.25 Edit time segment
6. Select active/inactive days of the week.
7. Click the ‘New hours segment entry’ link to define an active/inactive hourly range.
8. Click OK.
Figure 6.26 Edit hour range
6.6.5 Certificates
6.6.5.1 Overview
Public-key cryptography uses a pair of keys: a public key and a corresponding private key. These keys can play
opposite roles, either encrypting or decrypting data. Your public key is made known to the world, while your private
key is kept secret.
The public and private keys are mathematically associated; however it is computationally infeasible to deduce the
private key from the public key. Anyone who has the public key can encrypt information that can only be decrypted
with the matching private key. Similarly, the person with the private key can encrypt information that can only be
decrypted with the matching public key.
Technically, both public and private keys are large numbers that work with cryptographic algorithms to produce
encrypted material. The primary benefit of public-key cryptography is that it allows people who have no preexisting
security arrangement to authenticate each other and exchange messages securely.
GlobeSurfer® II makes use of public-key cryptography to encrypt and authenticate keys for the encryption of Wireless and VPN data communication, the Web Based Management (WBM) utility, and secured telnet.
6.6.5.2 Digital Certificates
When working with public-key cryptography, you should make sure that you are using the correct person’s public key. Man-in-the-middle attacks pose a potential threat, where an ill-intending third party posts a phony key with the name and user ID of an intended recipient. Data transfer that is intercepted by the owner of the counterfeit key can fall into the wrong hands. Digital certificates provide a means for establishing whether a public key truly belongs to the supposed owner. A digital certificate is a digital form of credential. It has information on it that identifies you, and an authorized statement to the effect that someone else has confirmed your identity.
Digital certificates are used to foil attempts by an ill-intending party to use an unauthorized public key. A digital
certificate consists of the following:
A public key
Certificate information
The “identity” of the user, such as name, user ID and so on.
Digital signatures
A statement stating that the information enclosed in the certificate has been vouched for by a Certificate Authority (CA).
Binding this information together, a certificate is a public key with identification forms attached, coupled with a
stamp of approval by a trusted party.
6.6.5.3 X.509 Certificate Format
GlobeSurfer® II supports X.509 certificates that comply with the ITU-T X.509 international standard. An X.509 certificate is a collection of a standard set of fields containing information about a user or device and their corresponding public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:
The certificate holder’s public key
The public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the
key belongs to and any associated key parameters.
The serial number of the certificate
The entity (application or person) that created the certificate is responsible for assigning it a unique serial number
to distinguish it from other certificates it issues. This information is used in numerous ways; for example when a
certificate is revoked, its serial number is placed on a Certificate Revocation List (CRL).
The certificate holder’s unique identifier
This name is intended to be unique across the Internet. A distinguished name (DN) consists of multiple subsections and may look something like this: CN=Option Wireless Sweden AB, [email protected], OU=Development Department, O=Option Wireless Sweden AB, C=SE. (These refer to the subject’s Common Name, Organizational Unit, Organization, and Country.)
The certificate’s validity period
The certificate’s start date/time and expiration date/time; indicates when the certificate will expire.
The unique name of the certificate issuer
The unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
The digital signature of the issuer
The signature using the private key of the entity that issued the certificate.
The signature algorithm identifier
Identifies the algorithm used by the CA to sign the certificate.
6.6.5.4 GlobeSurfer® II Certificate Stores
GlobeSurfer® II maintains two certificate stores:
1. GlobeSurfer® II Local Store: This store contains a list of approved certificates that are used to identify GlobeSurfer® II to its clients. The list also includes certificate requests that are pending a CA’s endorsement. You can obtain certificates for GlobeSurfer® II using the following methods:
Requesting an X509 Certificate
This method creates both a private and a matching public key. The public key is then sent to the CA to be certified.
Creating a Self-Signed Certificate
This method is the same as requesting a certificate, only the authentication of the public key does not require a CA. This is mainly intended for use within small organizations.
Loading a PKCS#12 Format Certificate
This method loads a certificate using an already available and certified set of private and public keys.
2. Certificate Authority (CA) Store: This store contains a list of the trusted certificate authorities, which is used to check certificates presented by GlobeSurfer® II clients.
6.6.5.4.1 Requesting an X509 Certificate
To obtain an X509 certificate, you must ask a CA to issue you one. You provide your public key, proof
that you possess the corresponding private key, and some specific information about yourself. You
then digitally sign the information and send the whole package – the certificate request – to the CA.
The CA then performs some due diligence in verifying that the information you provided is correct
and, if so, generates the certificate and returns it.
You might think of an X509 certificate as looking like a standard paper certificate with a public key
taped to it. It has your name and some information about you on it, plus the signature of the person
who issued it to you.
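An added example (not from the manual) of the request described above: subject details and a public key, signed with the matching private key, then checked the way a CA would before issuing. The subject values, the Ed25519 key type and the function names are assumptions of the example; the manual does not say which key type the device generates.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// sampleSubject holds constructed values for the kind of fields a request form asks for.
var sampleSubject = pkix.Name{CommonName: "gateway.example", Organization: []string{"Example Org"},
	Province: []string{"Example State"}, Country: []string{"SE"}}

// newRequest builds a DER certificate request: subject details and the public
// key, signed with the matching private key. Ed25519 is this example's choice.
func newRequest(subject pkix.Name) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader) // private key stays with the requester
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
}

// verifyRequest accepts PEM or DER and checks that the request is signed by the
// private key matching the public key it carries (proof of possession).
func verifyRequest(data []byte) (*x509.CertificateRequest, error) {
	if block, _ := pem.Decode(data); block != nil {
		data = block.Bytes
	}
	csr, err := x509.ParseCertificateRequest(data)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

func main() {
	req, err := newRequest(sampleSubject)
	if err != nil {
		panic(err)
	}
	csr, err := verifyRequest(req)
	fmt.Println(csr.Subject, "|", csr.PublicKeyAlgorithm, "| signature error:", err)
	_, err = verifyRequest(bytes.Replace(req, []byte("Example Org"), []byte("Examp1e Org"), 1))
	fmt.Println("subject altered after signing:", err)
}
```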
1. Click the ‘Certificates’ icon in the ‘Advanced’ screen of the Web-based Management. The ‘Certificates’ screen will appear (see Figure 6.27).
Figure 6.27 Certificates
2. Click the ‘GlobeSurfer® II’s local’ certificates tab.
3. Click the ‘Create Certificate Request’ button. The ‘Create X509 Request’ screen will appear (see Figure 6.28).
4. Enter the following certification request parameters:
1. Certificate Name
2. Subject
3. Organization
4. State
5. Country
5. Click the ‘Generate’ button. A screen will appear stating that the certification request is being generated (see Figure 6.29).
Figure 6.28 Create X509 request
Figure 6.29 New X509 request
6. After a short while, press the ‘Refresh’ button, until the ‘Save Certificate Request’ screen appears (see Figure 6.30).
Click the ‘Save Certificate Request’ button and save the request to a file.
7. Click the ‘Close’ button. The main certificate management screen will reappear, listing your certificate as “Unsigned” (see Figure 6.31). In this state, the request file may be opened at any time by pressing the ‘save’ icon under the ‘Action’ column and then ‘Open’ in the dialogue box (Windows only).
9. After receiving a reply from the CA in the form of a ‘.pem’ file, click the ‘Load Certificate’ link. The ‘Load GlobeSurfer® II’s Local Certificate’ screen will appear (see Figure 6.32).
Figure 6.30 Save certificate request
