The LAB NOTES on this page are provided by ICSA Labs IPSec analysts. The notes pertain to the specific product cited as tested against the ICSA Labs IPSec Certification Criteria Version 1.0B. The product was tested against the other certified products listed in the table below that inter-operate with each other and with other ICSA Labs Certified IPSec products.
Vendor: V-ONE Corporation
Product Name: SmartGuard 4000 Ver 4.2
Type of Product: Gateway
Underlying Operating System: Red Hat 7.1
Hardware Configuration:
- Management station, Pentium system with 128MB RAM
- SmartGuard 4000
Software Configuration:
- SmartGuard 4000 V4.2
- SmartPass V4.2
- Management Station: Microsoft Windows NT 4.0 w/Internet Explorer
Documentation:
- SmartGuard Administrator's Guide
- SmartGuard and SmartPass Administrator's Guides
Customer Support:
- Phone number 888-220-8663 or 301-515-5260
- http://www.v-one.com/techsupport
- email address: customercare@v-one.com
Configuration Notes:
- Configured in accordance with the documentation.
- Management was performed using IE ver 5.5 by selecting one of the following:
  - Add a new IPSec tunnel
  - Delete an existing IPSec tunnel
  - Start or shutdown existing IPSec tunnel
  - View/modify
- Additional changes (e.g. PFS, ESP-NULL, lifetimes) can be made on the SmartGuard unit by editing the /usr/smartguard/ipsec_conn/remote.(endpoint name).conn file.
- Note: when configuring lifetimes manually, it may be necessary to include rekeymargin and rekeyfuzz values.
Criteria Directed Attestations:
- The following functionality was not exercised during certification testing, but the vendor, VONE Corporation, claims the product does support these features:
  - IKE Phase I: MD5 authentication
  - IKE Phase I: Diffie-Hellman Group1 key exchange
  - IKE Phase II: ESP-NULL encryption with HMAC-MD5 authentication
Testing Observations/Notes:
- The SmartGuard has the capability to re-establish a tunnel in the event of a system reboot, e.g. power loss, administrative reconfiguration, etc. After recycling, the SmartGuard will initiate an IKE Phase I negotiation to re-establish Security Associations.
- The SmartGuard drops duplicate packets, creating log entries: Kernel: Klips_debug:ipsec_rcv: duplicate frame from (ip address), packet dropped.
- During testing of replay protection, it was found that the SmartGuard appears to be using a window size of 31 packets instead of 32. There was also no apparent log entry of a duplicate packet event. This was corrected under smartguard_4.2_one_kernel_windows_fix-1.0-1.i386.rpm
- To see this level of detailed logging, it was necessary to edit configuration files on the SmartGuard device. Refer to VONE support for details.
- The original submitted version of SmartGuard did not support ESP-NULL. This was changed and SmartGuard supported NULL; however, during a phase 2 proposal SmartGuard would include 3DES first followed by NULL. When tested against another system sending similar multiple proposals, 3DES was always selected and NULL would not be recognized. VONE fixed this under smartguard-4.2-pluto_null_-1.0-1.i386.rpm. SmartGuard will now initiate and respond using NULL.
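The replay-protection observation above (an effective window of 31 packets instead of 32) can be reproduced with a black-box probe against a sliding-window check. The following is an added example, not SmartGuard or KLIPS code: it implements a bitmap window in the style of the RFC 2401 anti-replay description and measures how many sequence numbers the receiver actually accepts. The names `replay_state`, `replay_check` and `effective_window` are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver anti-replay state for one SA (hypothetical names, bitmap window). */
struct replay_state {
    uint32_t last;    /* highest sequence number accepted so far */
    uint32_t bitmap;  /* bit i set => sequence (last - i) already seen */
    unsigned window;  /* window size in packets, 1..32 */
};

/* Returns 1 to accept the packet, 0 to drop it (zero, too old, or duplicate). */
int replay_check(struct replay_state *s, uint32_t seq)
{
    if (seq == 0)
        return 0;                          /* sequence 0 is never valid */
    if (seq > s->last) {                   /* new right edge: slide the window */
        uint32_t shift = seq - s->last;
        s->bitmap = (shift < 32) ? ((s->bitmap << shift) | 1u) : 1u;
        s->last = seq;
        return 1;
    }
    uint32_t diff = s->last - seq;
    if (diff >= s->window)
        return 0;                          /* left of the window: too old */
    if (s->bitmap & (1u << diff))
        return 0;                          /* duplicate: this is the event to log */
    s->bitmap |= 1u << diff;
    return 1;
}

/* Black-box probe: set the right edge, then walk backwards one sequence
 * number at a time and count how many packets are accepted in total. */
unsigned effective_window(unsigned configured)
{
    struct replay_state s = { 0, 0, configured };
    const uint32_t top = 1000;             /* constructed sample sequence number */
    unsigned n = (unsigned)replay_check(&s, top);
    for (uint32_t back = 1; back <= 40; back++) {
        if (!replay_check(&s, top - back)) break;
        n++;
    }
    return n;
}

int main(void)
{
    printf("window 32 accepts %u packets\n", effective_window(32));
    printf("window 31 accepts %u packets\n", effective_window(31));
    return 0;
}
```

A conformance test that expects 32 accepted packets fails against a receiver that stops at 31, which is the kind of discrepancy the lab note records.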
Cryptography:
- Statistical and analytical tests were conducted on several cipher texts. No patterns were observed. The cryptography used on the analyzed cipher texts meets the accepted standards for this level of encryption.
The SmartGuard 4000 Ver 4.2 was tested against the following ICSA Labs Certified IPSec Products: