Network Configurations

This guide outlines the steps required to establish a secure IPsec connection between Timus and Meter. Follow the configurations below to ensure a successful connection.

Timus Configuration:

Follow the guide below for an example setup. Configure the following settings:

Phase 1 (Parameters):
 

Here is how you can configure Parameters for Phase 1 configurations on Timus
 

• Local Peer Identifier: Timus_Gateway_Public_IP
• Remote Peer Identifier: Meter_Public_IP
• Key Exchange Type: IKEv2
• Preshared Key: Your Preshared Key
• Authentication Algorithm: SHA256
• Encryption Algorithm: AES256
• DH Group: modp2048(14)
• Mode: Main
   

Phase 1 (Miscellaneous):

Here is how you can configure Miscellaneous for Phase 1 configurations on Timus


 

• Responder Only: False
• Margin Time: 60 seconds
• Lifetime: 28800 seconds
• Dead Peer Detection (DPD): Disabled
  • DPD Delay: 10 seconds
  • DPD Max Failure: 5
• NAT Traversal: Disabled

Phase 2 for Timus:

Refer to to the below image for Phase 2 setup. Use these configurations:

• Authentication Algorithm: SHA256
• Encryption Algorithm: AES256
• Protocol: ESP
• Perfect Forward Secrecy (PFS): Enabled
  • PFS Group: modp2048(14)
• Lifetime: 3600 seconds
• Tunnel Protocol: ALL

Meter Configuration:

To add an IPsec VPN tunnel, log into the Dashboard and click Secure Tunnels > IPSec > ‘Add IPSec Tunnel’.
 

Meter provides Phase 1 and Phase 2 configurations into a single panel.

• Local IP or FQDN: Meter WAN Public IP
• Remote IP or FQDN: Timus Gateway Public IP
• Initiator: Timus Gateway Public IP
• Authentication Algorithm: SHA2_256_128 HMAC (128 bit)
• Encryption Algorithm: 256 bit AES-COUNTER
• DH Group: 14
• Preshared Key: Your Preshared Key
• Remote Networks: Add the subnets from Timus. (In this case, 192.168.249.0/24)
• Local Networks: Specify the Meter local subnets.
• Bound WAN Port: Your ISP

Once all configurations are applied, the IPsec connection between Timus and Meter should be successfully established. Follow this guide step by step, referencing the provided images as needed.

Note on Static Routing and Firewall Rules

Static routing rules and firewall access rules are automatically configured by default. However, if this option is not enabled or does not occur automatically, these rules must be created manually to ensure proper communication between Timus and Meter.

• To view the site details, go to Timus Manager and click on the Sites page.
• Find the site whose details you want to view and click on the ellipsis icon in the corresponding row.
• Select "View" to access the page with site details.
• This page contains a summary table titled "Connectivity." The table provides information on three parameters: Connection Health: indicates the overall status and reliability of the connections Throughput: refers to the amount of data that can be transmitted through the network within a given time frame, indicating the network's capacity. Efficiency: measures how effectively the network utilizes its resources to transmit data.

This Connectivity section helps you make informed decisions or take necessary actions to optimize network connectivity.

• The Network Statistics graph shows the Health or Throughput data for the Primary WAN over the Last 7/15 Days, Last Month, or Custom date range.

• List of the networks of the site.
• Site information widget shows the most important details about the site and has the ability to configure the site with the Edit feature at the upper right of the widget.

• Source: This is where the tag is coming from.
• Type: This is if it is a static tag or dynamic tag.
• Users: This field will show how many users have been assigned to the Tag.
• Teams: This field will show how many teams have been assigned to the Tag.
• Devices: This field will show how many teams have been assigned to the Tag.
• References: This field will show how many Firewall rules have been assigned to the Tag.

Once you click on Create New, you will be able to see the fields below and the Type is selected as Static by default. You can select either Static or Dynamic.

Static Tagging:

• Title: This field is required. You can name your Tag by using this field.
• Description: This field is not required.
• Assign to: You can select User, Team and Device here to assign the Tag, which you are creating.

Once you edit the Static Tag(s), you will be able to see where they have been used.

Dynamic Tagging:

You can assign either Users or Devices.

• Once you assign to Users and you select the Type as User under the Condition, you will be able to select the Attribute as 2FA Setup. The Operator will be selected as "is equal to" and the Value will be selected as Done or Not Done. This data is fetched by the Timus Manager -> Users & Teams -> Users.
• Once you assign to Users and you select the Type as Team under the Condition, you will be able to select the Attribute as Title. The Operator will be selected as "is equal to" or "is any of" and the Value will be selected as the title(s) of the teams, which you have created. Plus, a quick reminder that some Teams are created automatically if there is an IdP like Microsoft Entra.
• Once you assign to Users and you select the Type as Device under the Condition, you will be able to select the Attribute as "Timus Connect - Operating Systems". The Operator will be selected as "is equal to" or "is any of" and the Value will be selected as Windows, macOS, iOS or Android.
• Once you assign to Devices and you select the Type as Device Posture Check under the Condition, you will be able to select the Attribute as follows:
  • BitDefender - Agent Outdated
  • BitDefender - Agent Product Update Disabled
  • BitDefender - Antivirus Agent Signature Update Disabled
  • BitDefender - Antivirus Agent Signature Outdated
  • BitDefender - Device Infected
  • BitDefender - Malware Detected
  • BitDefender - Disc Encryption
  • BitDefender - Risk Score
  • BitDefender - Agent Installed
  • BitDefender - Operating System
  • Microsoft Defender - Antivirus Engine Updated
  • Microsoft Defender - Antivirus Platform Updated
  • Microsoft Defender - Antivirus Signature Updated
  • Microsoft Defender - Risk Score
  • Microsoft Defender - Exposure Level
  • Microsoft Defender - Antivirus Mode
  • Microsoft Defender - Agent Installed
  • Microsoft Defender - Operating System
  • SentinelOne - Agent Outdated
  • SentinelOne - Device Infected
  • SentinelOne - Disc Encryption
  • SentinelOne - Agent Installed
  • SentinelOne - Operating System

The Operator will be selected as "is equal to" or "is any of" and the Value will be selected as follows:

• • Other
  • Active
  • Passive
  • Disabled
  • EDRBlocked
  • PassiveAudit
• Once you assign to Devices and you select the Type as Team under the Condition, you will be able to select the Attribute as Title. The Operator will be selected as "is equal to" or "is any of" and the Value will be selected as the title(s) of the teams, which you have created. Plus, a quick reminder that some Teams are created automatically if there is an IdP like Microsoft Entra.
• Once you assign to Devices and you select the Type as Device under the Condition, you will be able to select the Attribute as "Timus Connect - Operating Systems". The Operator will be selected as "is equal to" or "is any of" and the Value will be selected as Windows, macOS, iOS or Android.
• Conditional Tag Assignment: Unlike static tags which are manually assigned and remain constant, dynamic tags are assigned based on predefined conditions. Various attributes of the tagged entities are checked to assess whether these conditions are met. Examples of such attributes could be:
  • Device attributes: Operating system type (Windows, macOS, etc.), Team and Device Posture Check attributes
  • User attributes: 2FA Setup, Team, and Operating system type (Windows, macOS, etc.)
• Continuous Evaluation: Timus employs a continuous evaluation that constantly monitors the assets against the predefined conditions associated with dynamic tags. This ensures that the tags accurately reflect the current state of the assets.

Benefits of Dynamic Tagging:

• Automated Access Control: Dynamic tags automate access control decisions based on real-time asset conditions. This eliminates the need for manual configuration changes and reduces the risk of human error.
• Micro-segmentation: By dynamically assigning tags based on granular asset attributes, Timus facilitates micro-segmentation of the network. This allows for more precise control over user and device access to specific resources.
• Enhanced Security: The continuous evaluation and dynamic adjustment of access controls based on asset conditions strengthens the overall security posture of the network.

Conceptual usage scenarios:

1- Device attribute-based segmentation:

• Scenario: An organization wants to segment its network based on device operating system type to enforce different security policies.
• Implementation: Dynamic tagging automatically assigns tags to devices based on their operating system type (e.g. Windows, MacOS,).
• Result: The result is the creation of dynamic micro-segments that group devices with similar operating systems, allowing the organization to apply tailored security policies and controls to each segment.

2- User behavior-based segmentation:

• Scenario: An organization wants to segment its network based on user behavior to mitigate the risk of insider threats.
• Implementation: Dynamic tagging evaluates user behavior such as authentication patterns, access frequency, and file usage
• Outcome: By dynamically assigning tags based on user behavior, the organization can create micro-segments of users with similar behavior profiles. This enables the implementation of access controls and monitoring mechanisms tailored to the risk profile of each user segment.

3- Access privilege-based segmentation:

• Scenario: A healthcare provider needs to segment its network based on user access privileges to protect sensitive patient data.
• Implementation: Dynamic tagging evaluates user roles, permissions, and access levels within the organization's systems and applications.
• Outcome: By dynamically assigning tags based on access privileges, the organization can create micro-segments for different user roles (e.g. physicians, nurses, administrative staff). This enables the implementation of role-based access control (RBAC) and ensures that users only have access to the resources required for their role.

Example scenario:

Leveraging Device Posture Check Conditions:

• Scenario: An organization seeks to enforce security policies based on the risk status of devices seeking access to the network.
• Dynamic Tagging Implementation:
  • Criteria: Device attribute: “Bitdefender - Risk Score”
  •  Condition: If the Risk score is "High
  • Tag Title: "Risky Device"
  • Outcome: Devices with a high-risk status are automatically tagged with the 'Risky Device' tag, triggering actions such as network quarantine or remediation. This action may include the application of predefined firewall rules that restrict the device's access to network resources to effectively mitigate potential threats.

Real-world use cases:

• Scenario: A hospital leverages dynamic tagging to segment its network based on user roles and patient data access requirements.
• Outcome: Granular access controls ensure that only authorized healthcare professionals can access patient records, mitigating the risk of data breaches and ensuring compliance with healthcare regulations.

Financial Services Industry:

• Scenario: A financial institution employs dynamic tagging to segment its network according to user privileges and transaction types.
• Outcome: By dynamically adjusting access privileges based on transaction risk levels, the organization fortifies its security posture and safeguards sensitive financial data from unauthorized access or fraudulent activities.

Educational Institutions:

• Scenario: A university utilizes dynamic tagging to segment its network based on student, faculty, and administrative roles.
• Outcome: Micro-segmentation facilitated by dynamic tagging enables the university to enforce role-based access controls, ensuring that academic resources are accessed only by authorized users while minimizing the risk of data breaches or cyberattacks targeting sensitive research data.

• You can go to the Timus Manager -> Settings -> Configuration -> Trusted Network.

• Once you click on Create New, you will be able to see the configuration page of the Trusted Network.

• You can select the Network Type either Wired or Wireless.

• Once you select the Network Type as Wired, you need to set the Source MAC address.

• When you select the Network Type as Wireless, you need to set the BSSID.

• To be able to find the MAC addresses, you can use the scripts on both Windows or macOS.

Windows (The script must be run over PowerShell as administrator):

$string = (Get-NetAdapter | Select-Object InterfaceDescription, MediaType, ifIndex, Status | Where-Object { $_.Status -eq "Up" }| Sort-Object -Property ifIndex | Select -First 1).MediaType
if ($string -like "*.11*") { 
$bssidOutput = netsh wlan show interfaces | Select-String "BSSID"
if ($bssidOutput.Count -gt 0){
$address=[regex]::Match($bssidOutput, '([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}').Value
Write-Host("wireless",$address)
}else{
Write-Host("Error","Interface details not found for Wifi adaptor.")
}
}else{
$gateways = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object -ExpandProperty DefaultIPGateway)
$arpOutput = 0
if ($gateways.Count -eq 1) {
$arpOutput = arp -a | Select-String -Pattern "^\s*$gateways\s+([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
} elseif ($gateways.Count -gt 1) {
$gateway=$gateways[0]
$arpOutput = arp -a | Select-String -Pattern "^\s*$gateway\s+([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
}
else {
Write-Host("Error","Gateways not found")
}
if ($arpOutput -ne 0){
if ($arpOutput.Count -eq 1) {
$address=[regex]::Match($arpOutput[0].ToString().Trim(), '([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}').Value
Write-Host("wired",$address)
} elseif($arpOutput.Count -gt 1) {
$address=[regex]::Match($arpOutput[1].ToString().Trim(), '([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}').Value
Write-Host("wired",$address)
} else {
Write-Host("Error","ARP details not found for the gateway.")
}
}
}

macOS (the script must be run over Terminal):

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' 
| while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/BSSID/{print $2}')
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

• on macOS devices, sometimes, the script above may not work as expected and the result may be empty, this can be about EPP or AV. Therefore, you may consider using 2 different alternative scripts, which must be run over Terminal as well, below:

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' | while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/BSSID/{print $2}')
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' | while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo ioreg -l -n AirPortDriver | grep -o 'IO80211BSSID.*<[0-9a-fA-F]*>' | awk -F '<|>' '{print $2}' | fold -w2 | paste -sd: -)
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

• Once you run one of the scripts above you will find the MAC address, which you need,

  

• You need to enter it to the related field on the Trusted Network. Then, hit the Save button. enter the MAC address to the related field on the Trusted Network. Then, hit the Save button.
  
  
• As a final step, You need to enable the Trusted Network feature on the Agent Profiles as shown in the image below and click Confirm. Please note that this feature can be enabled on both Windows and macOS.
  
   
• If you created a new agent profile, It's important to note that when a new agent profile is created, the agent profile needs to be manually reordered and applied (dragged and dropped) in the hierarchy to ensure the new agent profile is applied.
  

Note: As part of the recent changes in macOS Sonoma, Apple has restricted access to the BSSID necessary for defining Wireless Trusted Networks. The Sonoma update now requires Location Services to be enabled to access BSSID information. This change has impacted how Trusted Networks are managed on macOS devices.

Consequently, for macOS Sonoma and later versions, the Trusted Network feature in Timus Connect will now utilize the SSID instead of BSSID. This change ensures compliance with Apple's updated privacy and security guidelines.

We recommend all macOS users and administrators to update their settings to use SSID for defining Trusted Networks. Although it is technically possible to enable Location Services to access BSSID, we are currently evaluating the potential legal and privacy implications of requesting such permissions.

For more details on how Apple's changes affect network management, please refer to discussions in the Apple Developer Forums, where even Apple engineers have acknowledged these changes.

You can find more details here: Apple Developer Forums.

• To be able to manage and configure the Web Filter Ports, you need to go to the Timus Manager -> Sites -> hit the 3 dots at the end of the Gateway, of which web filter port numbers you would like to change.

• Once you click on 3 dots, you will be able to see the View page of the gateway, and you need to click on 3 dots at the right top of the page and follow the Custom Ports in order to manage the Web Filter ports.

• The Protocol can be either Custom HTTP or Custom HTTPS. By default, the HTTP port is 80 TCP and HTTPS port is 443 TCP.
• You are not allowed to delete the default ports, 80 TCP and 443 TCP, running over the Web Filter. However, you are fully allowed to customize and add more port numbers for both HTTP and HTTPS.