All remote management of Clavister Firewalls, including configuration, monitoring and even complete upgrades, is secured through 128-bit encryption and authentication. The protocol used for remote management is called NetCon and is based on the CAST128 encryption algorithm, used with 128-bit keys. NetCon uses TCP and UDP as transport protocols, with destination port 999.
NetCon authenticates with a pair of pre-shared keys, the Remote Management Keys. These keys are unique to each firewall and are generated with a cryptographically strong random number generator when a new firewall is created in the Security Editor. They are stored in the management data source. Since knowledge of these keys is one of the conditions for administrative access, the management data source holding them must be protected accordingly.
A Clavister Firewall Appliance uses default remote management keys during initial setup. Once Clavister Firewall Manager has successfully connected to the appliance, the keys are exchanged automatically and the defaults are replaced. Until that first connection has completed, the appliance is protected only by the default keys, so perform the initial setup from a trusted network.
To gain permission to remotely administer a Clavister Firewall, all three of the following requirements have to be met:
1. The Remote Management Keys of the firewall have to be known.
2. The computer running Clavister Firewall Manager has to belong to a network that has been granted administration rights.
3. The NetCon connections from Clavister Firewall Manager to the Clavister Firewall have to be received on a specific interface of the firewall.
Requirements 2 and 3 are configured in the Remotes configuration section, which specifies the networks and interfaces permitted for remote management of the firewall.
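Requirements 2 and 3 can be checked against observed traffic: any connection to destination port 999 (TCP or UDP) whose source address is outside a granted network, or which arrived on an interface other than the one the Remotes entry names, should not have been accepted as NetCon. The script below is an added example and not Clavister code; the `RemoteRule` structure, the `REMOTES` policy and the log lines are constructed for illustration and do not reproduce Clavister's configuration syntax or log format. Requirement 1 (knowledge of the keys) is enforced by NetCon itself and cannot be judged from a connection record, so the audit covers only the network and interface conditions.

```python
"""Audit observed NetCon (TCP/UDP 999) connection attempts against a Remotes-style policy.

Added example, not Clavister code. The policy structure and the log format are
constructed for illustration; real Clavister configurations and logs differ.
"""
import ipaddress
import re
from dataclasses import dataclass

NETCON_PORT = 999  # NetCon uses TCP and UDP, destination port 999


@dataclass(frozen=True)
class RemoteRule:
    """Hypothetical Remotes entry: an administration network allowed on one interface."""
    network: ipaddress.IPv4Network
    interface: str


# Hypothetical Remotes section: only the management LAN, and only via the "lan" interface.
REMOTES = (
    RemoteRule(ipaddress.ip_network("10.0.0.0/24"), "lan"),
)

# Constructed, generic connection log lines (not Clavister's log format).
SAMPLE_LOG = """\
2024-05-01T08:00:01 iface=lan  proto=TCP src=10.0.0.15 dst=10.0.0.1 dport=999
2024-05-01T08:00:03 iface=lan  proto=UDP src=10.0.0.15 dst=10.0.0.1 dport=999
2024-05-01T08:05:44 iface=wan  proto=TCP src=203.0.113.7 dst=198.51.100.2 dport=999
2024-05-01T08:06:10 iface=dmz  proto=TCP src=10.0.0.15 dst=10.0.2.1 dport=999
2024-05-01T08:07:00 iface=lan  proto=TCP src=10.0.0.99 dst=10.0.0.1 dport=443
2024-05-01T08:09:31 iface=lan  proto=UDP src=10.0.1.5 dst=10.0.0.1 dport=999
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+iface=(?P<iface>\S+)\s+proto=(?P<proto>TCP|UDP)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def is_permitted(src: str, iface: str, rules=REMOTES) -> bool:
    """Requirements 2 and 3: the source lies inside a granted network AND the
    connection was received on the interface that same rule names."""
    addr = ipaddress.ip_address(src)
    return any(addr in r.network and iface == r.interface for r in rules)


def audit_netcon(log_text: str, rules=REMOTES) -> list:
    """Return the NetCon attempts (TCP or UDP to port 999) that fall outside the policy."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or int(m["dport"]) != NETCON_PORT:
            continue  # not a NetCon attempt, or an unparsable line
        if not is_permitted(m["src"], m["iface"], rules):
            violations.append(m.groupdict())
    return violations


if __name__ == "__main__":
    for v in audit_netcon(SAMPLE_LOG):
        print(f"{v['ts']} {v['proto']} {v['src']} -> {v['dst']}:999 on {v['iface']}: not permitted")
```

On the constructed log, the two connections from 10.0.0.15 on the "lan" interface pass; the attempt from the Internet on "wan", the attempt from the right address but on the "dmz" interface, and the attempt from the neighbouring 10.0.1.0/24 network are all flagged. The HTTPS connection to port 443 is ignored because it is not NetCon. Note that a permitted source and a permitted interface must come from the same rule, which is what makes the interface requirement meaningful.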
Clavister Firewall Manager uses NetCon to periodically contact all active firewalls in order to retrieve status information. Please see the section Monitoring firewall status for more information about this.
A number of user-initiated operations, such as configuration uploads and downloads, also use the NetCon protocol. These operations are described in more detail in the section Uploading and downloading configurations.
Complete firewall upgrades, including upgrading the firewall firmware, can also be performed remotely using NetCon. For more information about upgrading, please see the section Upgrading Clavister Firewall.