        User Manual - GENESYS SOFTWARE
         Contents
1. A Security Note: Make sure that the account the security system uses to bind to the LDAP server has only read privileges.
1. In the System tab, open the User Authentication menu.
2. In the LDAP Server Settings window, enable the system by clicking Enable next to Status.
LDAP Type: Choose the type of LDAP server to use. The available choices are Microsoft Active Directory, Novell eDirectory and OpenLDAP.
Unique User Attribute: This attribute defines how users are authenticated on the LDAP server. The attributes available here depend on the type of LDAP server you are configuring. If you wish to use a self-defined attribute for authentication, select Selfdefined here.
With the Microsoft Active Directory server, you can also choose to authenticate by User Principal Name (UPN) or sAMAccountName.
The Novell eDirectory and OpenLDAP servers allow authentication by the Common Name (CN), Surname (SN) and Unique Identifier (UID) attributes.
Attribute Name: This entry field is only shown if you have selected to authenticate by a Selfdefined attribute from the Unique User Attribute drop-down menu. Enter the attribute to use for authentication here.
IP Address: Enter the IP address of the LDAP server.
TCP Port: Enter the TCP port of the LDAP service. By default this is set to 389, the standard port for LDAP. Plain LDAP on port 389 carries the bind password across the network unencrypted unless the session is otherwise protected, so keep the LDAP server on a trusted network segment.
Bind DN: The value to enter here de
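The Unique User Attribute settings above decide which LDAP attribute the login name is compared against, and the login name the user types ends up inside an LDAP search filter. The following is an added example (not code from the Astaro manual) that builds that filter for each server type and escapes the login name per RFC 4515, so that a crafted name such as `*)(uid=*` cannot widen the search to other accounts. The attribute lists come from the text; the optional objectClass restriction and the function names are this example's own assumptions.

```python
"""Build the LDAP search filter for the 'Unique User Attribute' choices
described above (added example, not code from the Astaro manual). The
attribute that identifies the user differs per server type, and the
login name supplied by the user must be escaped per RFC 4515 before it
is placed in the filter, otherwise a crafted name can widen the search."""

# Attribute choices per server type, as listed in the manual.
UNIQUE_ATTRIBUTES = {
    "Microsoft Active Directory": ("userPrincipalName", "sAMAccountName"),
    "Novell eDirectory": ("cn", "sn", "uid"),
    "OpenLDAP": ("cn", "sn", "uid"),
}

# RFC 4515 escapes; backslash must be escaped too, otherwise the other
# escapes could be undone by a backslash in the input.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(ldap_type, attribute, login, object_class=None):
    """Return the filter the gateway would search with.

    `attribute` is one of the listed choices or a self-defined attribute
    name. The optional objectClass restriction is this example's own
    addition, not a setting described in the manual."""
    if ldap_type not in UNIQUE_ATTRIBUTES:
        raise ValueError(f"unknown LDAP type {ldap_type!r}")
    # A self-defined attribute must at least be a syntactically valid
    # attribute name (letters, digits and hyphens), never user input.
    if (attribute not in UNIQUE_ATTRIBUTES[ldap_type]
            and not attribute.replace("-", "").isalnum()):
        raise ValueError(f"invalid attribute name {attribute!r}")
    if not login:
        raise ValueError("empty login")
    clause = f"({attribute}={escape_filter_value(login)})"
    if object_class:
        return f"(&(objectClass={escape_filter_value(object_class)}){clause})"
    return clause


if __name__ == "__main__":
    # Constructed inputs: a normal AD login and an injection attempt
    print(user_filter("Microsoft Active Directory", "userPrincipalName", "jdoe@example.com"))
    print(user_filter("OpenLDAP", "uid", "*)(uid=*", object_class="person"))
```

The second call shows why escaping matters: without it the filter would read `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person entry rather than one user. Whatever the filter matches, the bind account used for the search should only be able to read, as the security note above says.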
2. Index (excerpt):
URL whitelist 218
SYN Rate Limiter 204
System Requirements: administration PC 20; example configuration 20; hardware 19
System Time: automatic synchronization; manual configuration 46
System Up2Date: installing 58; installing with HA solution 58; loading and installation, manual 56; loading, automatic 56; loading, local 57
Time Settings 45
Up2Date Service: introduction 54; Pattern Up2Date 59; System Up2Date 55
Use external indicators 44
User: filtering 116
User Authentication: configuring LDAP 87; configuring MS Active Directory server 80; configuring Novell eDirectory Server 85; introduction 71; LDAP advanced 89; LDAP Server 78; Microsoft IAS RADIUS configuration 73; RADIUS 72; SAM 76; SAM (NT/2000/XP) configuration 76; configuring OpenLDAP Server 86
Users: filters 116; introduction 114; users 114
Validate Packet Length 206
WebAdmin 348: blocking protection for login attempts 93; drop-down menus 38; HTTPS 91; info box 35; kick 43; lists 39; menus 4
3. ...certificate signed by the CA (page 94), and the site certificate, which the system uses to authenticate itself to your browser. These two certificates contain the company's data and the system's hostname.
Creating a Certificate for WebAdmin:
1. Under the System tab, open the WebAdmin Site Certificate menu.
2. In the Certificate Information menu, enter the appropriate information for your firm:
Country: Choose your country from the drop-down menu.
State: Choose the state or region where you are located.
City: Enter the city.
Organization: Enter the company's name.
Section: Enter the department.
E-Mail Address: Enter your e-mail address.
3. In the field Firewall Hostname, enter the host name or IP address of the firewall you use to access WebAdmin. Example: If you access WebAdmin through the URL https://192.168.10.1, enter 192.168.10.1 here. The value must match what you type into the browser, otherwise the browser will not accept the certificate as valid for the site.
4. Save your entries by clicking the Save button.
Installing a Certificate for WebAdmin:
1. To install the CA Certificate in your browser, click Import Certificate into Browser in the CA Certificate Installation window. The next few steps depend on your browser. For example, with Microsoft Internet Explorer the File download dialog opens.
Save file to disk: This option allows you to save the certificate to a local disk before installing it.
Open the file from current position: This allows you to install the certificate dir
4. Index (excerpt), log files:
Astaro User Authentication 316; BIND name server 318; Boot messages 316; Configuration daemon 316; Content Filter 316; DHCP client 316; DHCP server 316; Fallback archive 316; High Availability 317; HTTP daemon 317; HTTP Proxy 318; Intrusion Protection 317; IPSec VPN 317; Kernel 317; Local Login 317; Logging 317; MiddleWare 317; Network accounting daemon 317; Packet Filter 318; POP3 Proxy 318; Portscan Detection 318; PPPoE DSL dial-up 318; PPTP VPN Access 318; Selfmonitor 319; SMTP Proxy 319; SOCKS proxy 319; SSH remote login 319; System log messages 319; Up2Date Service messages 320; Uplink Failover messages 320; Virus Protection 317; WebAdmin access 317; WebAdmin usage 320
Log FTP Data Connections 206
Log Unique DNS Requests 206
Masquerading 161: defining rules 162; deleting rules 162; editing rules 162
Microsoft Outlook: creating rules 252
MS Explorer: disabling proxy use 211
NAT: defining rules 159; deleting rule
5. ...collect them into a policy.
[Screenshot: the Policies table (e.g. AES_PFS_COMP with PFS and deflate compression, BLOWFISH, NULL; each with edit and delete) and the New IPSec Policy dialog. ISAKMP (IKE) Settings: Encryption Algorithm 3DES 168bit, Authentication Algorithm MD5 128bit, IKE DH Group. IPSec Settings: IPSec Mode Tunnel, IPSec Protocol ESP, Encryption Algorithm 3DES CBC 168bit, Enforce Algorithms Off, Authentication Algorithm MD5 128bit, SA Lifetime (secs) 3600, PFS Group 5 (MODP1536), Compression Off.]
Policies are used to define IPSec connections, and contain the configuration of the selected key exchange method (IKE) and of the IPSec connection. The chosen key exchange method defines how the keys for the connection are to be managed.
The two exchange methods are:
- Manual Key Exchange
- Internet Key Exchange (IKE)
Because of the complexity of manual exchange, this system only supports the IKE key exchange method. Manual exchange is not allowed.
Configuring an IPSec Policy:
1. Under the IPSec VPN tab, open the Policies menu.
2. Click New to open the New IPSec Policy menu.
3. In the Name field, enter a name for the new policy.
Name: Enter a name describing the policy. It may be useful to include the encryption algorithm in the name. The nam
6. Astaro Security Linux WebAdmin User Manual
Astaro Security Linux V5, Version 5.007. User Manual Release 3.0, Date: 17.05.2004.
The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of Astaro AG.
Astaro AG. All rights reserved. Pfinztalstrasse 90, 76227 Karlsruhe, Germany, http://www.astaro.com
Portions: Kaspersky Labs.
Astaro Security Linux and WebAdmin are trademarks of Astaro AG. Linux is a trademark of Linus Torvalds. All further trademarks are the property of their respective owners.
Limited Warranty: No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to documentation@astaro.com.
Table of Contents:
1 Welcome to Astaro 9
2 Introduction to the Technology 10
3 Installation 18
3.1 System Requirement 19
3.2 Installation Instructions 22
3.2.1 Software Installation 22
3.2.2 Configuring the Secur
7. For the bandwidth management (Quality of Service, QoS) you must define the values for Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). These values are used as the basis for the bandwidth management system; incorrect values can lead to poor management of the data flow. The Quality of Service (QoS) function is described in chapter 5.5.1.
Uplink Bandwidth (kbits): This setting only appears if the QoS function is enabled. Enter the available bandwidth for the uplink in full kilobits. This value can be determined either from the values of the upstream interface or from the router. On an interface to the Internet, this value corresponds to the bandwidth of the Internet connection: on an ADSL access the uplink bandwidth amounts to 128 kbit/s and on a 2 Megabit fixed connection to 2048 kbit/s.
Downlink Bandwidth (kbits): This setting only appears if the QoS function is enabled. Enter the available bandwidth for the downlink in full kilobits. On an interface to the Internet, this value corresponds to the bandwidth of the Internet connection: on an ADSL access the downlink bandwidth amounts to 768 kbit/s and on a 2 Megabit fixed connection to 2048 kbit/s.
MTU Size: The MTU is the size, in bytes, of the largest transmittable packet. MTU stands for Maximum Transmission Unit. For connections using the TCP/IP protocol, the data will be subdivided into packets. A maximum size will be defined for the
8. These Up2Date packages have not been installed yet. To get further information, hover over the blue info button with the cursor. If the info button is highlighted red, the security system will restart automatically after the installation of the System Up2Date package.
Note: If you are using the High Availability (HA) system, please observe the special notes for the import and installation of System Up2Dates. The HA system is described in chapter 5.1.10 on page 97.
Individual Up2Date packages can be downloaded from http://download.astaro.com/ASL/up2date and saved on your local computer.
Manually downloading System Up2Dates:
1. Open the Up2Date Service menu in the System tab.
2. In the System Up2Date window, click the Start button under Prefetch Up2Dates now. The system will now check whether there are any new updates on the update server and will download any updates found. Details on the Up2Date process can be found in the Log Window, shown in real time. When the DONE message appears, the process has completed successfully.
The Unapplied Up2Dates table lists any updates that have been downloaded but not yet installed. If you are using the HA system, unapplied updates will be listed in the Unapplied Up2Dates Master window.
Automatic download of System Up2Dates:
1. Open the Up2Date Service menu in the System tab.
2. Click t
9. Current System NAT Rules: As with the current filter rules, Current NAT Rules displays all user- and system-defined NAT rules.
Connection Tracking Table: This menu shows a list of all current connections and their connection parameters.
5.6 Application Gateways (Proxies)
While a packet filter filters packets at the network level, proxies (also called application gateways) offer control and security at the application level by preventing a direct connection between client and server. Each proxy can also provide further security services for its service. Since each proxy knows the context of its service, extensive security and protocol options can be offered. This intensive protocol analysis is made possible by well-defined and well-supported protocol standards. The proxies concentrate on the most essential information.
In the Proxies tab, select the proxy with the corresponding name and configure its settings. By default, all proxies are disabled. This security system contains proxies for HTTP (Web), DNS (name server), SOCKS (point-to-point connections), POP3 and SMTP (e-mail), and Ident.
5.6.1 HTTP (Surf Protection)
[Screenshot: HTTP menu with Status (Enable/Disable), Operation Mode (Standard), Allowed Networks (Selected/Available).]
The HTTP menu allows you to configure the security system as an HTTP caching proxy. This proxy can provide cach
10. Hostname (118) ...as long as it is online (at least ...). A mobile user, for example, can access his company network through Dynamic DNS, even if the company only uses standard DSL connections with dynamic IP addresses. In addition to VPN applications, Dynamic DNS can also be used for remote maintenance and control.
Defining Dynamic DNS Servers:
1. In the Network tab, open the Hostname/DynDNS menu.
2. Enable the function by clicking on the Enable button in the Status column. The entry window will open.
3. Make the following settings:
Hostname: In the entry field, enter the hostname.
Username: In the entry field, enter the username.
Password: In the entry field, enter the password.
4. Save your settings by clicking on the Save button.
5.3.2 Interfaces
[Figure: the external network (router, Internet) is connected to the firewall via network card 2 (eth1), the internal network via network card 1 (eth0), and the Web, FTP and e-mail servers via network card 3 (eth2).]
A firewall requires at least two network cards in order to securely connect an internal network (LAN) to an external one (the Internet). In our examples, the network card eth0 is always the interface connected to the internal network. Network card eth1 is the interface connected to the external network, e.g. to the Internet. These interfaces are a
11. In general, times between 60 and 28800 seconds (1 minute to 8 hours) are allowed.
In the IPSec Settings window, configure the settings for the IPSec connection.
IPSec Mode: This system only supports tunnel mode.
IPSec Protocol: This system only supports ESP.
Encryption Algorithm: Choose the encryption algorithm to use here. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES (Rijndael) 192bit, AES (Rijndael) 256bit, Blowfish, Serpent 128bit and Twofish. If you wish to create IPSec connections without encryption, choose null here. Neither null nor 1DES should be used for production traffic: null sends the payload in clear, and 56-bit DES keys can be recovered by brute force.
Enforce Algorithm: If an IPSec gateway proposes an encryption algorithm and key strength, it can happen that the receiving gateway accepts this proposal even though it does not correspond to the IPSec policy. To avoid this, Enforce Algorithm must be enabled. Example: The IPSec policy requires AES 256 as encryption, whereas a road warrior with SSH Sentinel wants to connect with AES 128. Without Enforce Algorithm the connection will be admitted, which constitutes a security risk.
Authentication Algorithm: The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note: The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
SA Li
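The Enforce Algorithm example above (policy wants AES 256, road warrior offers AES 128) is easy to misjudge because the connection still comes up and looks healthy. The following is an added example, not code from the Astaro manual or from the IKE daemon it uses, that models the decision as a proposal check: with enforcement off, the first proposal the gateway can speak is taken; with enforcement on, only an exact match to the policy is. It goes slightly beyond the text by checking the authentication algorithm the same way and by flagging the result as a downgrade when the accepted proposal is weaker than the policy. The algorithm tables are taken from the text; key lengths for Blowfish, Serpent and Twofish are assumed to be 128 bits, and the real negotiation of the product may differ in detail.

```python
"""Proposal checking behind the 'Enforce Algorithm' switch described above
(added example, not code from the Astaro manual). A policy names the
algorithm and key length it wants; the remote peer offers a list of
proposals. With enforcement off, any proposal the local gateway can
speak is accepted; with enforcement on, only an exact match is."""

from dataclasses import dataclass

# Ciphers the text lists for the IPSec connection, with key lengths in bits.
# Blowfish, Serpent and Twofish are assumed at 128 bits for this example.
SUPPORTED_CIPHERS = {
    "null": 0, "1des": 56, "3des": 168,
    "aes128": 128, "aes192": 192, "aes256": 256,
    "blowfish": 128, "serpent": 128, "twofish": 128,
}
SUPPORTED_AUTH = {"md5": 128, "sha1": 160, "sha2-256": 256, "sha2-512": 512}


@dataclass(frozen=True)
class Proposal:
    cipher: str
    auth: str


def _known(p):
    return p.cipher in SUPPORTED_CIPHERS and p.auth in SUPPORTED_AUTH


def select_proposal(policy, offered, enforce):
    """Return the proposal that would be used, or None to reject.

    `offered` is the peer's list in its order of preference; the first
    acceptable entry wins, as a responder would pick it."""
    if not _known(policy):
        raise ValueError(f"policy uses an unsupported algorithm: {policy}")
    for p in offered:
        if not _known(p):
            continue            # the gateway cannot speak it at all
        if enforce and p != policy:
            continue            # exact match to the policy required
        return p
    return None


def is_downgrade(policy, chosen):
    """True when the accepted proposal is weaker than the policy asked for."""
    if chosen is None:
        return False
    return (SUPPORTED_CIPHERS[chosen.cipher] < SUPPORTED_CIPHERS[policy.cipher]
            or SUPPORTED_AUTH[chosen.auth] < SUPPORTED_AUTH[policy.auth])


# The manual's example: the policy wants AES-256, a road warrior offers
# AES-128 first and 3DES/MD5 as a fallback (constructed proposal list).
POLICY = Proposal("aes256", "sha1")
ROAD_WARRIOR = [Proposal("aes128", "sha1"), Proposal("3des", "md5")]

if __name__ == "__main__":
    for enforce in (False, True):
        chosen = select_proposal(POLICY, ROAD_WARRIOR, enforce)
        print(f"enforce={enforce}: chosen={chosen} downgrade={is_downgrade(POLICY, chosen)}")
```

With enforcement off the road warrior gets AES-128, which `is_downgrade` reports; with enforcement on it gets no SA at all until its client is reconfigured to the policy. That refusal, not the silent acceptance, is the behaviour you want for a policy that names AES 256.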
12. PPTP Address: In PPTP connections, a static IP address can also be assigned to a remote host instead of a dynamic address from a PPTP IP pool. To define a static IP, click on the field in the PPTP Address column and enter the address in the entry field.
Click the Save button to save your changes. To abort, click the Cancel button.
For more information on PPTP VPN Access, please refer to chapter 5.3.6 on page 169.
Filters
[Screenshot: Local User Definitions table with the columns HTTP, SMTP, SOCKS, WebAdmin, L2TP/IPSec, PPTP and PPTP Address (from pool / none).]
The Filters function allows you to filter users with specific attributes from the table. This considerably eases the management of large network configurations, as users of a certain type can be presented concisely.
Filtering users:
1. Click on the Filters button. The entry window will open.
2. Enter the filter attributes in the fields listed. You do not have to define all attributes.
Username: If you want to filter the users by username, enter the expression in the entry field.
Comment: If you want to filter users by specific comments, enter the expression in this entry field.
3. To start the filter, click on the Apply Filters button. Only the filtered users will be displayed in the table. The next time you open the menu, the complete user table will be displayed.
Further Functions
Editing
13. Threshold One: When Spam Level exceeds 03 (aggressive), do this: Pass.
Threshold Two: When Spam Level exceeds 05 (reasonable), do this: Quarantine.
The first threshold means that e-mails from level 3 upwards are filtered but allowed through. With the help of the attached header, the e-mail can be sorted or filtered on the mail server or in the recipient's e-mail program. For the second threshold the e-mail will be accepted but put into quarantine.
Basically, the threshold with the higher level is treated more severely (do this).
Important Note: On busy systems, the spam detection may require a large percentage of system resources.
When Spam Level exceeds: This drop-down menu selects the strategy used to mark messages as spam. The difference between the values is the probability that legitimate messages, such as HTML newsletters, will be blocked. A value between 1 and 15 can be set in the drop-down menu. With level 1, e-mails with a low spam score are already treated as spam. The following levels serve as a guide:
Aggressive (03): This strategy will catch most spam messages. It may also identify some legitimate messages, for example HTML newsletters, as spam.
Reasonable (05): This strategy is a compromise between Aggressive and Conservative.
Conservative (08): This strategy will only catch messages that are highly likely to be spam.
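The two-threshold rule above has one subtlety: a message above both thresholds must get the stricter action, and a policy whose higher threshold maps to a milder action than its lower one would quietly override the stricter one. The following is an added example, not code from the Astaro manual, that applies an ordered threshold list to a spam score, tags the message with headers so a mail server or client can sort on them, and rejects an inconsistent policy. The header names `X-Spam-Score`, `X-Spam-Flag` and `X-Spam-Level`, the `reject` action and the sample messages are assumptions of this example; the manual names only the Pass and Quarantine actions and the levels.

```python
"""Two-threshold spam policy of the kind described above (added example,
not code from the Astaro manual). A message with a spam score is checked
against an ordered list of (level, action) thresholds; the highest level
that the score exceeds wins, so the stricter action takes precedence."""

from dataclasses import dataclass, field

# Actions in increasing order of severity. Pass and Quarantine are the
# manual's; "reject" is an assumed extra to show the ordering check.
SEVERITY = {"pass": 0, "quarantine": 1, "reject": 2}


@dataclass
class Threshold:
    level: int      # spam level (1..15) the score must exceed
    action: str     # "pass", "quarantine" or "reject"


@dataclass
class Verdict:
    action: str
    headers: dict = field(default_factory=dict)


def validate_policy(thresholds):
    """Levels must be distinct and a higher level must not map to a milder
    action; otherwise the second threshold silently overrides the first."""
    ordered = sorted(thresholds, key=lambda t: t.level)
    for a, b in zip(ordered, ordered[1:]):
        if a.level == b.level:
            raise ValueError(f"duplicate level {a.level}")
        if SEVERITY[b.action] < SEVERITY[a.action]:
            raise ValueError(
                f"level {b.level} ({b.action}) is milder than level {a.level} ({a.action})")
    return ordered


def classify(score, thresholds):
    """Return the verdict for a message with the given spam score.

    'When Spam Level exceeds N' fires when score > N. The X-Spam-* header
    names are assumed for this example; the manual only says a header is
    attached so the recipient side can sort or filter on it."""
    ordered = validate_policy(thresholds)
    verdict = Verdict("pass")
    verdict.headers["X-Spam-Score"] = str(score)
    fired = [t for t in ordered if score > t.level]
    if not fired:
        return verdict
    strictest = fired[-1]           # highest exceeded level decides
    verdict.action = strictest.action
    verdict.headers["X-Spam-Flag"] = "YES"
    verdict.headers["X-Spam-Level"] = f"exceeds {strictest.level}"
    return verdict


# The manual's example: level 3 (aggressive) -> Pass, level 5 (reasonable) -> Quarantine.
DEFAULT_POLICY = [Threshold(3, "pass"), Threshold(5, "quarantine")]

# Constructed sample messages as (score, subject).
SAMPLE = [(1, "Meeting notes"), (4, "Weekly HTML newsletter"), (9, "CHEAP PILLS")]

if __name__ == "__main__":
    for score, subject in SAMPLE:
        v = classify(score, DEFAULT_POLICY)
        print(f"{score:2d} {subject!r:28} -> {v.action} {v.headers}")
```

A score of exactly 5 still passes, because the threshold reads "exceeds"; only 6 and above is quarantined. When the recipient side is meant to sort on the attached header, make sure the mail server or client actually evaluates it, since Pass delivers the message regardless.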
14. ...browser, to access the server on the host. The word server is also often used to refer to the computer on which the server software runs, diluting the distinction between server and host in practice.
In telecommunications, the host is the computer from which information (such as FTP files, news or WWW pages) is retrieved. On the Internet, hosts are often also called nodes. Using an Internet host (as opposed to a localhost), for example with Telnet, one can work from a distance (remote access).
ICMP: Besides the IP protocol proper, there is a companion protocol with specific functions. The Internet Control Message Protocol (ICMP) is a special kind of IP protocol used to send and receive information about the network's status and other control information. Many users are already familiar with ICMP echo requests (type 8) and echo replies (type 0), as these are used by the ping program. When a computer receives an echo request, its IP stack sends back an echo reply. The ping program uses this to determine whether another network component is reachable.
IP: The Internet Protocol is the basic protocol of the Internet. Its design dates from 1974, and the version in use here (IPv4) has been essentially unchanged since it was standardized in 1981. It handles the basic transmission of data from one computer to another and serves as the basis for higher-level protocols like TCP and UDP. IP itself is connectionless and offers no delivery guarantee; connection handling and error recovery are left to TCP. Technologies like NAT and Masquerading allow large
15. ...firewall will forward traceroute packets. Click the Enable button to enable the function (status light shows green).
Note: These two functions (Firewall is Traceroute visible and Firewall forwards Traceroute) are probably only useful when both are enabled.
Traceroute from Firewall: The traceroute command can be used on the firewall. Click the Enable button to enable the function (status light shows green).
Ping Settings
[Screenshot: Ping settings with Firewall is Ping visible, Firewall forwards Pings and Ping from Firewall, each with an Enable/Disable button.]
This window contains configuration options specific to ICMP ping. Further information about ping can be found in chapter 5.3.8 on page 177.
Firewall is Ping visible: When this function is enabled, the firewall will respond to ping packets. Click the Enable button to enable the function (status light shows green).
Firewall forwards Ping: When this function is enabled, the firewall will forward ping packets. Click the Enable button to enable the function (status light shows green).
Ping from Firewall: The ping command can be used on the firewall. Click the Enable button to enable the function (status light shows green).
5.5.3 Advanced
Connection Tracking Helpers: The stateful inspection packet filter and the NAT function are provided by the iptables module in the Netfilter subsystem. All connections ope
16. ...given order.
Use NTP Server: To configure the system clock manually, make sure that No NTP Server is selected here; the Please select drop-down menu will then be displayed. If an NTP server is currently selected, choose No NTP Server from the drop-down menu.
Time Zone: Now select the time zone.
Note: Changing the time zone will only change the current system time if you are using an NTP server to control the time settings.
Use slow adjustment: When this function is selected, the security system will attempt to minimize the "time warp" effects mentioned above.
Note: When resetting, the system time will be adjusted to the newly set time in small steps. When the time difference is large, this adjustment process can last days or even weeks.
Set Time: Enter the current date and time here.
Important Note: Take note of the issue date of your License Key. If this date is after the current date set on the security system, the license will be deactivated. The 30-day Evaluation License will not automatically activate.
5. Click the Save button to save these settings. The time settings of the security system will now be updated.
Synchronizing system time with an NTP Server: Before the system clock of the Internet security system can be synchronized with an external server, this server must be defined as NTP Server. The NTP Server will be defined as a network consisting of only one c
17. ...(performance and security) of relevant system parameters and remedies deviations exceeding given tolerances. A report is then sent to the responsible administrator by e-mail.
This self-monitoring of the security system ensures that central services such as the Syslog daemon, HTTP proxy and network accounting are functioning properly. Access rights to files are monitored, as is the resource usage of individual processes. This is designed to prevent an overload of the system. Moreover, the system administrator is informed in time about foreseeable resource bottlenecks, for example if the available disk space is running short. This allows early measures to extend or relieve the system.
SMTP proxy: The activities of the SMTP proxy are recorded in these log files. All incoming e-mails will be listed there. In addition, all irregularities, such as bounce conditions, interruptions or blocked e-mails, will be logged.
SOCKS proxy: The activities of the SOCKS proxy are recorded in these log files.
SSH remote login: Information on logins to the remote shell is recorded in these log files.
System log messages: These log files record generic information about the daemon processes running on the system. Among other things, access to the SNMP service and the activities of the Dynamic DNS function are recorded in these log files.
Up2Date Servi
18. ...please check.
Logfile partition mounted at /var/log is filling up, please check.
Storage/application partition mounted at /var/storage is filling up, please check.
Up2Date partition mounted at /var/up2date is filling up, please check.
System Up2Date: System Up2Date started. Further information on the Up2Date Service can be found in chapter 5.1.3 on page 54.
System Up2Date: No new System Up2Date packages available.
System Up2Date succeeded: Prefetched new System Up2Date package(s). For more Up2Date package information please see the attached Up2Date description file. Further information on the System Up2Date can be found in chapter 5.1.3 on page 54.
System Up2Date failed: License is not valid.
System Up2Date: Started System Up2Date installation in HA Master Mode.
System Up2Date: New System Up2Dates installed. Further information on the Up2Date package(s) can be found in the notification e-mail.
System Up2Date: Started System Up2Date installation.
Pattern Up2Date: Started Pattern Up2Date. Further information on the Up2Date Service can be found in chapter 5.1.3 on page 54.
Pattern Up2Date: No new pattern available for Virus Protection.
Pattern Up2Date: No new pattern available for Intrusion Protection.
Pattern Up2Date: Trying another pattern typ
[Notification codes listed beside these messages on pages 321 and 322: 323, 350, 351, 352, 353, 354, 360, 361, 700, 710.]
19. ...solution, the virus scanner on system 2 will be automatically synchronized with system 1.
5.1.4 Backup
[Screenshot: Backup menu with the sections Advanced, Encryption and E-Mail Addresses.]
The Backup function allows you to save the settings of your security system to a file on a local disk. This backup file allows you to install a known-good configuration on a new or misconfigured security system. This is especially useful in case of hardware failure, as it means replacement systems can be up and running within minutes.
Attention: Version 5.0 of the security system can only load backups from version 4.021 or higher.
Install the License Key in the Licensing menu before loading the backup. Without the appropriate license, the system will only support three network cards; under certain circumstances, this can lead to WebAdmin not being reachable.
Note: After every system change, be sure to make a backup. This will ensure that the most current security system settings are always available. Make sure that backups are kept securely, as the backup contains all of the configuration options, including certificates and keys.
After generating a backup file, you should always check it for readability. It is also a good idea to use an external MD5 program to generate checksums; this will allow y
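The advice above to checksum the backup with an external MD5 program catches a corrupted copy, but since the file contains the system's certificates and keys, a practitioner also wants to notice a deliberately altered one, which a plain MD5 stored next to the backup does not guarantee. The following is an added example, not code from the Astaro manual, that records MD5 (as the manual suggests) and SHA-256 of a backup file, seals it with an HMAC under a key kept apart from the backup, and later verifies all three; the demo writes a constructed sample backup, flips one byte and shows the verification failing. The file name, the key and the `.bak` suffix are assumptions of this example.

```python
"""Checksum a configuration backup and verify it later (added example, not
from the Astaro manual). The manual recommends an external MD5 program;
MD5 still detects accidental corruption, but it is not collision
resistant, so SHA-256 is recorded as well, and an HMAC keyed with a
secret kept apart from the backup detects deliberate tampering."""

import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16   # stream the file so large backups need not fit in memory


def digests(path):
    """Return hex MD5 and SHA-256 of the file at `path`."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def seal(path, key):
    """HMAC-SHA256 over the file; `key` must live outside the backup media."""
    mac = hmac.new(key, digestmod="sha256")
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def verify(path, expected, key=None):
    """Return (ok, problems). Every recorded digest must match; a missing
    algorithm in `expected` is reported rather than skipped silently."""
    problems = []
    actual = digests(path)
    for name in ("md5", "sha256"):
        if name not in expected:
            problems.append(f"no {name} recorded")
        elif not hmac.compare_digest(actual[name], expected[name]):
            problems.append(f"{name} mismatch")
    if key is not None:
        if "hmac" not in expected:
            problems.append("no hmac recorded")
        elif not hmac.compare_digest(seal(path, key), expected["hmac"]):
            problems.append("hmac mismatch: file altered or wrong key")
    return (not problems, problems)


def demo():
    """Write a constructed backup, record its checksums, then corrupt one
    byte and confirm that verification catches it. Returns
    (verified_before, verified_after, problems_after)."""
    key = b"example-key-kept-on-a-separate-medium"   # assumption for the demo
    fd, path = tempfile.mkstemp(suffix=".bak")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"ASL 5.007 configuration backup (constructed sample)\n" * 50)
        record = digests(path)
        record["hmac"] = seal(path, key)
        good, _ = verify(path, record, key)
        with open(path, "r+b") as f:        # flip one bit in the middle
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        bad, problems = verify(path, record, key)
        return good, bad, problems
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Store the recorded digests and the HMAC key somewhere the backup media cannot reach; a checksum that travels with the file only proves the file matches itself. Checking readability, as the manual says, is still worth doing separately, since a valid checksum does not tell you the backup restores.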
20. ...the proxy will use the Internet-wide root name servers. If you or your ISP runs a name server that is closer, you should enter its IP address here, since the root servers are usually slower than closer name servers. The root name servers are an integral part of the Internet: 13 root name server addresses are distributed worldwide and form the top of the hierarchy for all other name servers.
Tip: Even if you do not plan to use the DNS proxy, you should enter the address of your provider's DNS server as a forwarding server. It will be used by the firewall itself, even if the proxy is disabled. This relieves the root name servers, and the firewall only produces local queries, which generally receive faster replies.
Configuring the DNS Proxy:
1. In the Proxies tab, open the DNS menu.
2. Click the Enable button to start the proxy. Another entry window will open.
3. Make the following settings. A description of how to use the selection field tool can be found in chapter 4.3.2 on page 36.
Interfaces to listen on: Select which network cards the DNS proxy server should be reachable on. This should usually only be the internal network cards; a resolver reachable from the Internet can be abused by third parties as an open resolver. Network cards are configured in the Network/Interfaces menu. Further information is available in chapter 5.3.2 on page 119.
Allowed Networks: Select which networks should have access to the proxy server.
A Security Note: In the All
21. ...them. The information can also be updated manually by clicking on the Reload button. Do not use the Refresh button of the browser, because this will log you out of the WebAdmin configuration tool.
CPU Load (Daily Graph): This diagram shows the current utilization of the CPU.
Memory Usage (Daily Graph): The current RAM utilization statistics are shown here. When more functions and subsystems are enabled on the firewall, more RAM will be required to support them.
SWAP Usage (Daily Graph): This diagram shows the current amount of swap space being used. Swap space is used to supplement RAM; if your system is running out of available RAM, you will see a sharp increase in swap usage.
5.8.4 Network
Report: Network Usage Graphs
[Figure: Traffic lo (Daily Graph), bits per second over 24 hours; inbound current 42.31 k, average 12.51 k, maximum 28.81 k; outbound current 12.31 k, average 12.51 k, maximum 28.81 k. Traffic eth0 (Daily Graph); inbound current 26.60, average 113.07, maximum 1.94 k. Link: Show all graphs for lo.]
This menu shows current statistics relating to network traffic. These diagrams will not be useful unless the network card
22. Index (excerpt):
Service group: defining 112
Services: filters 113; introduction 110; services 110
Settings 44
Shut down 102
Shut down/Restart 102
SMTP: block RCPT hacks 243; configure 239; DoS protection 239; encryption/authentication 241; Expression Filter 247; File Extension Filter 245; global whitelist 242; introduction 238; MIME Error Checking 244; postmaster address 239; Realtime Blackhole Lists 248; Sender Address Verification 248; Sender Blacklist 243; Spam Protection 248, 249; Virus Protection 246; Virus Protection Content Filter 243
SMTP Relay: Virus Protection 246
SNMP Access: authorizing access 69
SOCKS Proxy: configuring 230; user authentication 230
Static Routing: defining routes 156; introduction 155
Strict TCP Session Handling 205
Surf Protection: assigning profiles 225; categories 219; content removal 220; editing Surf Protection categories 216; enabling; profiles, adding 221; introduction 215; profile assignment table 223; profile functions 218, 224; profiles, editing 221; profiles table 217; URL blacklist
23.  255.255. Comment (optional): Enter a comment.

Confirm the entries by clicking Add Definition.

Under Packet Filter, open the Rules menu and enter the following rule:
Source: Any
Service: Any
Destination: Broadcast32
Action: Drop
Comment (optional): Enter a comment.

Confirm the entries by clicking Add Definition.

Segment-wide Broadcast

For each network card configured in the Interfaces menu, the system automatically defines a network named NAME (Broadcast). For more information, please see the Current Interface Status section of chapter 5.3.2 on page 119.

1. Under Packet Filter, open the Rules menu and enter the following rule:
Source: Any
Service: Any
Destination: Select the broadcast network for the relevant interface here. Example: NAME (Broadcast)
Action: Drop
Comment (optional): Enter a comment.

2. Confirm the entries by clicking Add Definition.

5.5.2 ICMP

ICMP Settings

[Screenshot: ICMP Settings window, including the Log ICMP Redirects option.]

This menu is used to configure the settings for Internet Control Message Protocol (ICMP) packets. ICMP is used for testing network connectivity and troubleshooting network problems.

Note: More information on ICMP can also be found in the Ping and Traceroute sections.

ICMP on firewall and ICMP forwarding apply to all IP addresses (Any). When ICMP on firewall is activated (green status
24.  Address of interface "Internal"

[Screenshot: the network table, showing the entry "Internal (Network)", Interface up, 192.168.5.0/24, "Network on interface Internal".]

The network table contains static networks which have been pre-defined. By default, the table contains, next to the definitions for the internal network card eth0, additional statically entered networks. These static networks cannot be edited or removed. The hosts and networks can be grouped together. These groups will be treated as individual hosts and networks and can belong to an upstream group. The network types are represented by symbols.

The following pages contain a description of the different network types available and of how they are defined.

The Symbols

Icon | Network type
(icon) | Interface
(icon) | Host/Server
(icon) | Network
(icon) | Network group
(icon) | DNS server
(icon) | IPSec user group

Adding a Host

1. Under the Definitions tab, open the Networks menu.
2. Click on the New Definition button. The entry window will open.
3. Make the following settings:
Name: In the entry field, enter a unique host name. This name will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and unde
25.  Attributes: every user account in the directory must be edited to define access rights. This is done by setting a particular attribute for each user which either grants or denies access to a service.

[Screenshot: Microsoft Management Console, Console Root / Active Directory Users and Computers / example.com, with the containers Builtin, Computers, Domain Controllers, Users and the organizational unit Trainees.]

The following example illustrates the configuration for a hypothetical small company, example.com. The user John Smith is in the Trainees directory:
DN: cn=john smith, ou=trainees, dc=example, dc=com
LogonName: smith@example.com

This user can use his LogonName and password to log on to services like the SOCKS Proxy. The security system checks the user's DN and password. If there is only one DN that corresponds to smith@example.com, and if the supplied password is valid, the user will be allowed to use the SOCKS proxy.

If you wish to use Group Membership to control access rights, complete the following steps to configure the Microsoft Active Directory.

Step 1: Creating a Security Group

1. In the Microsoft Management Conso
26.  [Screenshot: the Rules table showing one example rule at position 1 (no group, service HTTP, destination Any, comment "Example rule").]

3. Make the following settings:

Position: Define the line of the table in which the packet filter rule will be entered. It is possible to change the sequence of the packet filter rules later. By default, the rule is placed at the end (To Bottom) of the rules table.

Group: For a smooth management of the set of rules, the packet filter rules can be grouped together in one group. This does not influence the way in which a rule will be processed within the set of rules. For the first rule, no group can be selected from the drop-down menu yet. New groups are defined in the set of rules table.

Source: In the drop-down menu, select the source address of the data packets. The Any setting applies to all IP addresses, regardless of whether these are publicly assigned IP addresses or private IP addresses according to RFC 1918.

Service: Use the drop-down menu to select a service. This list includes all the pre-defined services included in the security system, as well as the ones that you defined yourself. This allows you to define precisely which traffic should be allowed. The Any setting represents here all combinations of protocols and source and/or destination ports.

Destination: In the drop-down menu, select the destination address of the data packets. The Any setting applies to all IP addresses, regardless of whether these are pub
27.  DNS servers in this selection field.
SMTP Servers: Select the SMTP servers in this selection field.
SQL Servers: Select the SQL servers in this selection field.
Telnet Servers: Select the Telnet servers in this selection field.

5.5 Packet Filter

The Packet Filter is the central part of the firewall. In the Rules menu you define the allowed data traffic between the networks and hosts in the form of packet filter rules. You can also define specific packets which will never be allowed to pass through the firewall. The packet filter management is done in the Rules table.

The tools in the ICMP menu allow you to check the network connections and functions of the security system. The additional and reporting functions are available in the Advanced menu.

[Screenshot: the Rules menu with an empty rule entry form (Destination: Any).]

The Rules menu allows you to define packet filter sets of rules. These rules are defined with the help of the network and service definitions.

In general, there are two basic kinds of packet filtering policy:

• Default allow: the rules explicitly define which packets are blocked; all others are allowed.
• Default deny: the rules explicitly define which packets are allowed; all others are dropped.

This security system uses a Block all packets policy, as this policy is inherently much more secure. This policy requires you to define explicitly which IP packets will be
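As an added illustration (not code from the manual or the product), the following Python model walks a small Rules table in Position order and shows why the same two rules give different answers for unlisted traffic under default allow and under block all packets; the network and service definitions, the Rule and Packet types and all sample packets are constructed for this example.

```python
"""Added example, not code from the Astaro manual or product: a minimal
model of the Rules table described in section 5.5, used to show how the
default policy decides traffic that no rule mentions.  The network and
service definitions, the Rule/Packet types and all sample packets are
constructed for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network definitions as they would appear under Definitions > Networks.
NETWORKS = {
    "Any": ip_network("0.0.0.0/0"),             # every address, public or RFC 1918
    "Internal (Network)": ip_network("192.168.5.0/24"),
    "Mail Server": ip_network("10.0.0.25/32"),
}
# Service definitions: protocol and destination port range.
SERVICES = {
    "Any": ("any", 0, 65535),                   # all protocol/port combinations
    "HTTP": ("tcp", 80, 80),
    "SMTP": ("tcp", 25, 25),
}


@dataclass(frozen=True)
class Rule:
    source: str       # a network definition name
    service: str      # a service definition name
    destination: str  # a network definition name
    action: str       # "Allow" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule, pkt):
    """A rule matches only when source, destination and service all match."""
    proto, lo, hi = SERVICES[rule.service]
    return (ip_address(pkt.src) in NETWORKS[rule.source]
            and ip_address(pkt.dst) in NETWORKS[rule.destination]
            and proto in ("any", pkt.proto)
            and lo <= pkt.dport <= hi)


def evaluate(rules, pkt, default_policy):
    """Walk the table in Position order; the first matching rule decides.
    Returns (action, position), or (default_policy, None) when nothing
    matched, which is exactly where default allow and default deny differ."""
    for position, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, position
    return default_policy, None


# A two-rule table: internal clients may browse, anyone may deliver mail.
EXAMPLE_RULES = [
    Rule("Internal (Network)", "HTTP", "Any", "Allow"),
    Rule("Any", "SMTP", "Mail Server", "Allow"),
]
# Telnet from an internal host to the Internet: no rule mentions it.
UNLISTED = Packet("192.168.5.10", "203.0.113.9", "tcp", 23)

if __name__ == "__main__":
    for policy in ("Allow", "Drop"):
        print(f"default {policy}:", evaluate(EXAMPLE_RULES, UNLISTED, policy))
```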
28.  Filter Type: This drop-down menu allows you to filter e-mails that have been filtered by a specific function from the Content Filter Modules.
Sender: This drop-down menu allows you to filter e-mails with a specific sender address.
Recipient(s): This drop-down menu allows you to filter e-mails with a specific recipient address.

3. Click the Apply Filters button to start the filter.

In this case, only the filtered e-mails will be displayed in the table. Once the menu has been left, all protocols will be displayed again.

5.7 Virtual Private Networks (IPSec VPN)

A Virtual Private Network (VPN) is a secure connection between two networks over an untrusted network, such as the Internet. VPNs are very useful when sensitive information must be transmitted or received over the Internet. The VPN prevents third parties from reading or modifying the information in transit. The connection is controlled and secured by the software installed at the connection endpoints. This software implements authentication, key exchange and data encryption according to the open Internet Protocol Security (IPSec) standard.

Only authenticated computers can communicate through a VPN-protected connection. No other computer can transmit information over this connection.

VPN connections can be established between two hosts, one host and one network, or two networks. When one endpoint is a single computer, the VPN connection w
29.  IP address (example: 192.168.2.1) and the host network mask 255.255.255.255.

[Screenshot: Name / Value table with the entry "Any" = 0.0.0.0/0.]

30
Installation

The internal network Internal (Network), consisting of the defined IP address (example: 192.168.2.1) and the defined network mask (example: 255.255.255.0).

The broadcast network Internal (Broadcast), consisting of the broadcast address (example: 192.168.2.255) and the host network mask 255.255.255.255.

Defining new networks is described in chapter 5.2.1 on page 103.

Configure the External Network Card

In the Network tab, open the Interfaces menu and configure the interface to be used to connect to the external network (Internet). The choice of interface and the required configuration depend on what kind of connection to the Internet you will be using. The configuration of network cards and virtual interfaces is described in chapter 5.3.2 on page 119.

Define Masquerading Rules

If you wish to use private IP addresses for your internal network and wish to connect directly (without proxies) to the Internet, you can now establish the relevant rules in the Network / NAT Masquerading menu. More information about DNAT, SNAT and Masquerading can be found in chapter 5.3.4 on page 157.

IP routing entries for networks directly connected to the security system's network cards (Interface Routes) will be added automatically. If required, you can also define routing entries manually using the Routi
30.  Internet connection: on an ADSL access the uplink bandwidth amounts to 768 kBit/s and on a 2 Megabit fixed connection to 2048 kBit/s.

MTU Size: The MTU is the size, in bytes, of the largest transmittable packet. MTU stands for Maximum Transfer Unit. For connections using the TCP/IP protocol, the data will be grouped into packets. A maximum size will be defined for these packets. Packets larger than this value will be considered too long for the connection and fragmented into smaller ones before transmission. These data packets will be sent again. However, the performance can be limited if the upper value is too low. The largest possible MTU for an Ethernet interface is 1500 bytes. The following values are the defaults for the Standard Ethernet Interface: 1500 Byte.

7. Confirm these settings by clicking Add.

The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

8. Enable the interface by clicking the status light.

The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

5.3.2.2 Additional Address on Ethernet Interface

One netw
31.  [Screenshot: Interface Information, ifconfig-style output]
        MTU:1500  Metric:
        RX packets:57108 errors:0 dropped:0 overruns:0 frame:0
        TX packets:110137 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:6549452 (6.2 Mb)  TX bytes:18646106 (17.7 Mb)
        Interrupt:5 Base address:0x8800

    lo  Link encap:Local Loopback
        inet addr:127.0.0.1  Mask:255.0.0.0
        UP LOOPBACK RUNNING  MTU:16436  Metric:
        RX packets:6504559 errors:0 dropped:0 overruns:0 frame:0
        TX packets:6504559 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:646581897 (616.6 Mb)  TX bytes:646581897 (616.6 Mb)

Interface Information: All configured internal and external network cards are listed here.

ARP Table: This table displays the current ARP cache of the system. It lists all known associations between IP addresses and hardware (MAC) addresses.

Local Network Connections

[Screenshot: netstat-style table "Active Internet connections (servers and established)" for host.domain.com, with entries in the LISTEN, TIME_WAIT and ESTABLISHED states.]

This table lists all current network connections to the firewall. Connections through the firewall are not shown.
32.  Name: Give the new attribute a clear label. The name of the service this attribute controls would be a good choice. Example: Socks
Unique X500 Object ID: Enter the OID for this attribute in the entry field.
Syntax: Choose Boolean.
Minimum: Leave this field blank.
Maximum: Leave this field blank.

4. Save your settings by clicking OK.

Step 3: Allocate a Class for the Attribute

1. Under Active Directory Schema, left-click Classes.
2. Right-click Users. A window named User Properties will open.
3. Click the Attributes tab and make the following settings:
Optional: Use the drop-down menu to select the attribute and click Add.
4. Save your settings by clicking OK.
5. In the Microsoft Management Console, right-click Active Directory Schema.
6. With the left mouse button, click Reload the Schema.

Step 4: Setting the Attribute for Users

1. In the ADSI Edit window, right-click the user to edit. Example: John Smith in the Trainees directory.
2. Left-click the Properties button. A window named Properties will open.
3. In the Properties window, click the Attributes tab.
Select which properties to view: Choose Both.
Select a property to view: Choose the attribute to set. Example: Socks
Syntax: This value was set while creating the attribute and cannot be changed. From step 2, this should be Boolean.
Edit Attribute: You can use this field to set the value
33.  Netscape) to communicate with the server.

SOCKS

SOCKS is a proxy protocol that allows a point-to-point connection between an internal and an external computer. SOCKS, often called the Firewall Traversal Protocol, is currently at version 5 and must be implemented in the client-side program in order to function correctly.

Glossary

Subnet Mask

The subnet mask, also called netmask, of a network, together with the network address, defines which addresses are part of the local network and which are not. Individual computers will be assigned to a network on the basis of the definition.

UNC Path

The Universal Naming Convention path is used primarily by computers running a Microsoft operating system to uniquely designate network resources. UNC paths are usually of the form \\Server\Resource.
34.  POP3 Proxy

[Screenshot: SMTP Proxy status with Enable button.]

for incoming e-mails. The SMTP Proxy receives all e-mails at the gateway and then forwards them to their destination. Because there is no direct contact between internal and external machines, only data is transferred, and no protocol errors will propagate. The SMTP proxy monitors the SMTP protocol on TCP port 25.

Note: In order to use the SMTP Proxy correctly, a valid name server (DNS) must be activated. System notifications are sent to the administrator even if the SMTP proxy is disabled.

Configuring the SMTP Proxy

1. In the Proxies tab, open the SMTP menu.
2. Click the Enable button next to Status to start the proxy.
3. In the Global Settings window, configure the basic settings:
Hostname (MX): Enter the hostname here.
Important Note: If you wish to use TLS encryption, this hostname must be identical with the one listed in your DNS server's MX record. Otherwise, other mail servers using TLS will refuse to send incoming mails.
Postmaster Address: Enter the e-mail address of the postmaster here.
Max message size: Enter the maximum message size for in- and outbound mail messages. Normal values are 20 or 40 MB. Please note that the encoding used to transmit e-mails can make the size of the message larger than the files sent.
4. Save your settings by clicking Save.
5. Enable the DoS Protection by clicking the Enable button. In order to protect the security system a
35.  RBL Warning: When the Realtime Blackhole Lists (RBL) function is enabled and the sending domain is listed in the Zones list, this header will be added. Note that this header will only be added if the RBL system is configured to Warn.

Creating rules in Microsoft Outlook 2000

MS Outlook allows you to sort those e-mails which had been filtered and subsequently been allowed to pass through the firewall, provided that the Pass function in the Action drop-down menu of the corresponding modules on the firewall has been selected.

1. Start MS Outlook.
2. Click on Inbox.
3. Open the menu Tools / Rules Wizard.
4. Click on the button New. The Rules Wizard opens in order to set new rules. The Rules Wizard now leads you step by step through the configuration.

Which type of rule do you want to create? (step 1)
Select the rule Check messages when they arrive. Then click on the button Next.

Which condition(s) do you want to check? (step 2)
In this window, select the condition with specific words in the message header. In the window Rule description, click on the underlined portion of text and type the header's name into the input field Search text. Example: X-Spam-Score. Then click on the button Next.

What do you want to do with the message? (step 3)
Define in this window what has to be done with the filtered e-mail. If, for instance, you want to move the filtered e-mails to a specific folder, select
36.  Reset

[Screenshot: Password Reset and Factory Reset functions.]

The Password Reset function allows you to set new passwords for the security system. If you log in to the WebAdmin configuration tool for the first time after this action, the Setting System Passwords window will be displayed. This allows you to set optional passwords, such as the Astaro Configuration Manager Password. Halt System will shut down the security system. After the restart, the Setting System Passwords window will be displayed at first.

The Factory Reset function resets all configuration settings and options to their original state. All data entered after the initial installation will be deleted, including the HTTP Proxy Cache, the entire E-Mail Queue, Accounting and Reporting data, passwords, and uninstalled Up2Dates. The software version will not change. That is, all System Up2Dates and Pattern Up2Dates that have been installed will be retained.

5.1.2 Licensing

[Screenshot: Licensing window.]

Some of the functions of the security system, including the Up2Date Service, High Availability (HA), Surf Protection, Virus Protection and the Support service from the Astaro partners, can only be used with a valid License Key. You can obtain detailed information about licensing and the corresponding licence keys at any certified Astaro Partner, or from Astaro (salesus@astaro.com, Americas, and sales
37.  Attention: With a road warrior IPSec tunnel, the Virtual IP Key function must be enabled if you wish to use the NAT Traversal function and the L2TP Encapsulation function is disabled. The IP address entered here should not be used anywhere else, and cannot be a part of a directly connected network.

Use the Key type drop-down menu to select the IKE authentication method. Further options are available depending on the chosen Key type.

PSK: The firewall only supports using IPv4 Addresses as VPN Identifiers during the key exchange phase of IKE Main Mode. Enter the shared password in the Preshared Key field. If you wish to configure many road warrior connections, you only need one PSK for all connections.

A Security Note: Use a secure password. Your name spelled backwards is, for example, not a secure password, while something like xfT35 4 would be. Make certain that this password does not fall into the wrong hands. With this password, an attacker can build a VPN connection to the internal network. We recommend changing this password at regular intervals.

RSA: The key pair consists of a private key and a public key. In order for the endpoints to communicate, they must exchange their public keys. Public keys can be exchanged via e-mail. In the VPN Identifier drop-down menu, choose the VPN ID type of the endpoint. If you select E-Mail Address, Fully qualified domain name or IP Address, you must enter the address or name
38.  The HTTP Proxy Cache proxy stores a copy of often visited pages locally, reducing load times. By clicking the Start button, the cache will be cleared, and any new accesses will be loaded from the remote Internet site.

5.6.2 DNS

[Screenshot: DNS Proxy status (Enable/Disable) and the Forwarding Name Servers selection field.]

The DNS Proxy service allows you to provide internal clients with a secure and efficient name server service. If you select multiple remote name servers, they will be queried in the order they are entered.

The DNS entries in network definitions are resolved every minute by the DNS Resolver. If a DNS entry refers to a Round Robin DNS, the definition can be updated every minute. The Round Robin DNS process offers an easy opportunity to distribute user requests to individual servers, such as to a server farm. With Round Robin DNS, the IP addresses of all servers of the server farm are assigned to a hostname in the Domain Name Service (DNS). If clients now request the IP address of this hostname there, the DNS sequentially reports these IP addresses back. Thus, a distribution of the client requests to the respective servers is achieved. The disadvantage of the Round Robin process is that neither a failure nor the utilization of the individual servers is accounted for.

If no name servers are entered in the Forwarding Name Servers menu
39.  This header is set to Yes when the proxy classifies a message as spam.

• X-Spam-Report: The proxy identified a message as spam. The added multiline header contains a readable and accessible anti-spam report.

Spam Sender Whitelist: This control list can only be defined for the Spam Protection option. Enter into the list the e-mail addresses of those senders whose messages you wish to allow through.

File Extension Filter: The firewall filters attachments with the extensions from the control list.

Expressions Filter: This function allows you to filter all e-mail texts and attached text files that pass through the POP3 proxy by specific expressions. The expressions are defined in the check list in the form of Perl Compatible Regular Expressions.

5.6.5 Ident

[Screenshot: Ident status (Enable/Disable), Default Response field, Save button.]

The Ident protocol allows external servers to associate a username with given TCP connections. While this connection is not encrypted, it is nevertheless necessary for many services.

If you enable the Ident function, the security system supports Ident queries. The system will always reply with the string that you define as Default Response, irrespective of which local service the connection will be started from.

Forward Connections: Ident queries cannot be answered through Connection Tracking. You can get around this di
40.  Trusted Domains: In the ordered list a Global Whitelist can be defined with a reliable domain name.

A Security Note: This function should only be used carefully, since sender addresses can easily be falsified.

5.6.6.1 Virus Protection Content Filter

Block RCPT Hacks

When this function is enabled, the proxy will reject e-mails with a sender address containing the characters "!" or "%". In addition, addresses with an extra "@" symbol, or which begin with a dot ("."), will also be blocked.

Sender Blacklist

This function allows you to create a list of sender addresses, for example those of known spam senders. The proxy will then reject all messages with these addresses in either the From or Reply-To headers.

Enter the e-mail addresses according to the following description into the Patterns control list:

• To block e-mails from a certain address. Entry: user@domain.com
• To block all e-mails from a certain domain. Example: *@domain.com
• To block all e-mails from a certain user, no matter what domain is used to send the message. Example: user@*

The function of the Control List is identical to the Ordered List and is described in chapter 4.3.4 on page 39.

If the firewall receives an e-mail from a blocked address, a 5xx error code will be issued with the message "Your address (envelope or header) is blacklisted at this site".

MIME Error Checking

The MIME E
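The Sender Blacklist pattern forms above, as an added example that is not part of the manual or the product: a Python matcher that expands user@domain.com, *@domain.com and user@* entries and checks the envelope sender plus the From and Reply-To headers of a constructed message, returning the blacklisted reply quoted above (the 554 code, the inclusion of the envelope sender and the sample addresses are assumptions).

```python
"""Added example, not code from the Astaro manual or product: a matcher for
the Sender Blacklist pattern forms (user@domain.com, *@domain.com, user@*).
The reply text is the one the manual quotes; the 554 code, the inclusion of
the envelope sender and the sample messages are assumptions/constructed."""
import re
from email import message_from_string
from email.utils import getaddresses

BLACKLIST_REPLY = "554 Your address (envelope or header) is blacklisted at this site"
ACCEPT_REPLY = "250 OK"


def compile_pattern(pattern):
    """Turn one Patterns entry into an anchored, case-insensitive regex.
    '*' stands for any run of characters; everything else is literal,
    so the dot in 'domain.com' does not become a wildcard."""
    parts = pattern.strip().lower().split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def sender_addresses(envelope_from, raw_message):
    """Addresses the proxy compares against the list: the envelope sender
    plus every address found in the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    addrs = [envelope_from] + [addr for _, addr in getaddresses(headers)]
    return [a.strip().lower() for a in addrs if a]


def check_sender_blacklist(patterns, envelope_from, raw_message):
    """Return (accepted, smtp_reply, offending_address)."""
    regexes = [compile_pattern(p) for p in patterns]
    for addr in sender_addresses(envelope_from, raw_message):
        if any(rx.match(addr) for rx in regexes):
            return False, BLACKLIST_REPLY, addr
    return True, ACCEPT_REPLY, None


# Constructed Patterns list and messages for a demonstration run.
EXAMPLE_PATTERNS = ["spammer@example.com", "*@spam.example", "mallory@*"]
EXAMPLE_MESSAGES = [
    ("alice@example.org",
     "From: Alice <alice@example.org>\nSubject: hello\n\nplain message\n"),
    ("alice@example.org",
     "From: Alice <alice@example.org>\nReply-To: Mallory <mallory@other.example>\n\n"
     "forged reply path\n"),
    ("bob@spam.example", "From: bob@spam.example\nSubject: offer\n\nbulk mail\n"),
]

if __name__ == "__main__":
    for envelope, raw in EXAMPLE_MESSAGES:
        ok, reply, addr = check_sender_blacklist(EXAMPLE_PATTERNS, envelope, raw)
        print(envelope, "->", reply, "" if ok else f"(matched {addr})")
```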
41.  activate a rule, click the status light once; the status light will turn green.

Please note that, because the security system uses Stateful Inspection, only the connection-building packets need be specified. All response packets will automatically be recognized and accepted.

Configuring the Packet Filter is described in chapter 5.5 on page 188.

14. Debug Packet Filter Rules

With the Packet Filter Live Log function in the Packet Filter / Advanced menu, you can see which packets the packet filter is filtering. If you have problems after installing your security system, this information can be helpful in debugging your filtering rules. The Packet Filter Live Log function is described in chapter 5.5.3 on page 203.

15. Install System and Virus Scanner Updates

You should download and install the latest System Up2Dates as soon as possible. If you have a license for the Virus Protection module, you should also run the Pattern Up2Date system. The Up2Date Service option is described in chapter 5.1.3 on page 54.

When you've completed these steps, the initial configuration of your security system is complete. Click the Exit tab to leave WebAdmin.

Problems

If you have problems completing these steps, please contact the support department of your security system supplier, or visit the Astaro Bulletin Board at http://www.astaro.org.

WebAdmin

4 WebAdmin

The WebAdmin tool allows you to configure eve
42.  admin

Please remember that the goal in configuring a security system like this should be to enable only the features necessary for correct functionality. In general, you should restrict in- and outbound connections to those explicitly required.

Tip: Draw up a plan of your network and determine which computer is to have access to which services before configuring the security system. This will simplify the configuration process and save you a lot of time.

Configure the system as follows:
1. Define all the required networks and hosts.
2. Define the necessary services.
3. Define the system rules and proxies.

Starting WebAdmin

1. Start your browser and enter the address of the security system, i.e. the address of the eth0 interface, as follows: https://IP Address. In our example from step 6 of the installation instructions in chapter 3.2, this would be https://192.168.2.100. If you have not yet generated a Certificate for your WebAdmin site, a security notice will appear. More information on how to install a certificate is available in chapter on page 94.
2. Click the Yes button on the security notice to continue.
3. Log in to WebAdmin.

[Screenshot: Login to WebAdmin, with Username "admin" and Password fields.]

Username: admin
Password: the password of the WebAdmin user. Both entries are case sensitive.

4. Click Login.

Another administrator is already logged in

If another administrator
43.  astaro.com (Europe, Asia Pacific and Africa).

[Screenshot: MyAstaro web site with Online Demo and Downloads, "Sign in to MyAstaro", "What is your e-mail address? My e-mail address is".]

First you need the Activation Key. With this Activation Key you enable the License Key in MyAstaro. This allows you to select the licensing period of the Internet security system yourself. You can thus first install the software and then register your licence in the licence portal; only from this moment on does the time period for the acquired options start.

Note: Activation Keys cannot be used directly in the WebAdmin configuration tool. Please register at MyAstaro first.

Creating a User Account

1. Open your browser and go to the site https://my.astaro.com.
2. Log in under MyAstaro.

What is your e-mail address?
The e-mail address is used for the authentication. As a new customer, enter the e-mail address into this entry field. If you have already used the Registration Portal for Astaro Security Linux V4, enter the e-mail address that you have used for this registration into the entry field. If you don't remember the e-mail address that you used, you can request it under the Returning Registration Portal users dialogue. You'll need your Username and the Password.

Do you have a MyAstaro password?
If you log in for the first time under MyAstaro, click on the "No, I am a new user" check box. If you are already a u
44.  can configure a standby connection through a second interface. If the primary connection fails, the uplink will automatically be set up through the second interface.

Note: You need two separate Internet accesses and one additional network card for the Uplink Failover on Interface function. Please note that the security system only supports one DSL connection. A standby connection for accessing the Internet can therefore only consist, for example, of a fixed connection and a DSL access.

Uplink Failover on Interface is by default disabled (Off). If you wish to use this virtual interface as primary connection, select Primary Interface from the drop-down menu. If this interface shall contain the standby connection, select the Backup Interface configuration.

Uplink Failover check IP: Once the Uplink Failover on Interface function has been enabled, this entry field will be displayed. Enter the IP address of a host that replies to ICMP ping requests (e.g. the DNS server of your ISP). The security system will send ping requests to this host; if no answer is received, the backup interface will be enabled by the failover. In this entry field, there must always be an IP address for the failover.

QoS Status: In order to use Quality of Service (QoS) bandwidth management on an interface, enable this option. To enable the Quality of Service (QoS) module, select On from the drop-down menu.

Important Note:
45. connected to the security system must also be configured as an untagged port. Most VLAN-compatible switches can be configured by using a terminal program over a serial interface.

Example configuration:

The graphic at left shows an office where computers are distributed across two floors. Each floor has a separate switch, and each computer is connected to the switch on its floor. In this configuration, PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10. PC3, PC5 and PC6 will be connected together on VLAN 20.

The two switches must be configured as follows (Switch a / Switch b):

Port   Device   VLAN     Tag (T = tagged, U = untagged)
1      -        10, 20   T
2      PC4      10       U
3      PC5      20       U
4      PC6      20       U

In this configuration, it seems to PC3 as though it were connected through a single switch to PC5 and PC6.

In order to connect the computers to an external network (e.g. the Internet), the interface on the security system (in the example this is eth2) must be configured to support the VLANs.

Attention: In order to configure a Virtual LAN interface, you will need a network card with a tag-capable driver. The hardware supported by the security system is listed in the Hardware Compatibility List for Astaro Security Linux, available at http://docs.astaro.org.

Configuring a Virtual LAN:

1.
47. deletes or sends them. On the right side, next to the status symbol for those e-mails which are kept in quarantine, it is displayed which function blocked the message:

SP: Spam Protection
VP: Virus Protection
Filter: File Extension Filter
EXP: Expression Filter
MIME: MIME Error Checking
B (permanent error): The e-mail contains a permanent error.

Sender: The sender of an e-mail is displayed in this column. For the SMTP type, this is the sender address on the envelope. For the POP3 type, this is the address of the From header of an e-mail. If no sender address is displayed, the e-mail carries the additional status Bounce.

Recipient(s): The recipient of an e-mail is displayed in this column. For the SMTP type, this is the recipient's address on the envelope. For e-mails with the deferred status, the delivery status will be displayed separately for each recipient: Deferred or permanent error.

The drop-down menu at the bottom of the table shows further functions to manage single e-mails. Click the selection box next to an e-mail to manage it. The following functions are available:

Delete: All chosen e-mails will be deleted.

Force delivery: All chosen e-mails will be forwarded to the recipient addresses, even those having a quarantined status. For e-mails with a deferred or permanent error status, delivery of the message is attempted again. If th
48. easy to configure if the network already has a Primary Domain Controller (PDC) or if a server with a user database is running. The drawback, however, is that this system does not distinguish between different user groups. You can either allow all users in a SAM database access to a proxy or none of them.

Configuring SAM (NT/2000/XP):

In order to use this authentication method, you will need to have a Microsoft Windows NT or 2000 server on your network that contains the user information. This can be either a Primary Domain Controller (PDC) or a standalone server. Note that Windows servers have a NetBIOS name (the NT/2000 server name) as well as an IP address.

1. In the System tab, open the User Authentication menu.
2. In the SAM (NT/2000/XP) Server Settings window, click the Enable button next to Status.

PDC Name: Enter the name of the Domain Controller in this entry field. Since, beginning with Windows 2000, these names are also official DNS names, only names consisting of alphanumeric, minus (-) and period (.) characters are allowed. Other characters (for example _) are not allowed.

PDC Address: Enter the IP address of the Domain Controller.

BDC Name: If you have a Backup Domain Controller, enter its name in this entry field. If you do not use a BDC, enter the name of the PDC here.

BDC Address: If you have a Backup Domain Controller, e
49. for HTTPS connections.

Content Removal: In the access control list, enter those expressions that should be deleted from the Web pages.

Make the settings for the Content Filter functional group:

Embedded Object Filter: Clicking on the symbol enables and disables the filter.

A Security Note: Enable the Embedded Object Filter function only if high security demands apply to your network.

Script Content Filter: Clicking on the symbol enables and disables the function.

A Security Note: Enable the Embedded Object Filter function only if high security demands apply to your network.

Virus Protection: Clicking on the symbol enables and disables the function.

The Surf Protection Profile is now edited. Now assign the profile in the Profile Assignment table to a Network or to a Local User.

The Profile Assignment Table

The Surf Protection Profiles from the Profiles table are assigned to Local Users or Networks in the Profile Assignment table.

To assign a Surf Protection Profile to a local user, the HTTP proxy must be used in the User Authentication Mode. The assignment of Profiles to a network is possible in every operation mode.

If you are simultaneously assigning a Profile to a local user and to a network, this Profile will only take effect if the user accesses the HTTP proxy from the configured network. Only one Surf Protection Profile can be config
50. from the drop-down menu.

Month: This drop-down menu allows you to filter log files by a given month.

Type: This drop-down menu allows you to filter log files by a specific type.

To start the filter, click on the Apply Filters button. Only the filtered log files will be displayed in the table. The next time you open the menu, the complete log file table will be displayed.

5.9.3.1 Log Files

This chapter contains all available logs. These log files will only be displayed in the Browse menu if the corresponding processes have been recorded by the system. The following Accounting data log file, for example, will only be displayed once the Accounting function has been enabled in the Network Accounting menu.

Accounting data: These log files contain all Accounting logs archived by the system. The Reporting Accounting menu allows you to view the current logs.

Astaro Configuration Manager: If the Internet security system is configured remotely via the Astaro Configuration Manager, the corresponding processes will be logged to these log files.

Astaro User Authentication: The activities of the AUA Daemon are logged to these log files. AUA is used as the central authentication daemon for various services.

Boot messages: The boot messages are recorded to these log files.

Configuration daemon: The activities of the AUA Daemon are logged to these log files. The log files belong to the support logs and w
51. host and user certificate of incoming IPSec connections; this type of CA is called a Verification CA. If a CA saves its private key, it can be used to sign certificate requests in order to produce a valid certificate. This CA is called a Signing CA. The system can contain a number of Verification CAs, but only one Signing CA.

Host CSR (Certificate Signing Request): This is a request to have a certain certificate signed. When it is given to a Signing CA (and the CA verifies the identity of the owner), the CA sends back a fully formed and signed Host Certificate.

Host Certificate: This certificate contains the public key of the host as well as identifying information about the host (such as IP address or owner). The certificate is also signed by a CA, verifying that the key does indeed belong to the entity named in the identification information. These valid certificates are used to authenticate remote IPSec hosts/user endpoints.

The drop-down menu at the bottom of the table allows you to download certificates in various formats, or to delete certificates from the system.

PEM: A format encoding the certificate in ASCII code. The certificate (request) and private key are stored in separate files.

DER: A binary format for encoding certificates. The certificate (request) and private key are stored in separate files.

PKCS#12: A "container file". One file can conta
52. in the entry field below.

X509: Use the VPN Identifier drop-down menu to select the kind of VPN ID to use. If you select E-Mail Address, Fully qualified domain name or IP Address, you must enter the address or name in the entry field below. In order to use a Distinguished Name as an ID, you will need the following information from the X.509 index: Country (C), State (ST), Local (L), Organization (O), Unit (OU), Common Name (CN) and E-Mail Address (E-Mail).

4. To save the new IPSec remote key object, click Add.

The new remote key object will appear in the Remote Keys table. CA Management Remote Keys are shown in a separate table.

5.7.5 L2TP over IPSec

L2TP over IPSec is a combination of the Layer 2 Tunneling Protocol and of the IPSec standard protocol. L2TP over IPSec allows you, while providing the same functions as PPTP, to give individual hosts access to your network through an encrypted IPSec tunnel. On Microsoft Windows systems, L2TP over IPSec is easy to set up and requires no special client software.

For the MS Windows systems 98, ME and NT Workstation 4.0, the Microsoft L2TP/IPSec VPN Client must first be installed. This client is available from Microsoft at: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

L2TP over IPSec Settings

Authentication: Use this drop-down menu to configure the authentic
53. is configured in the Proxies/DNS menu. Please see chapter 5.6.2 on page 227 for a description of how to use the DNS proxy.

NetBIOS networks can also use a WINS server for name resolution. WINS stands for Windows Internet Name Service. WINS servers are MS Windows NT servers with both the Microsoft TCP/IP stack and the WINS server software installed. These servers act as a database matching computer names with IP addresses, thus allowing computers using NetBIOS networking to take advantage of the TCP/IP network.

1. In the Network tab, open the DHCP Server menu.
2. In the entry fields DNS Server 1 IP and DNS Server 2 IP, enter the IP addresses of your name servers.
3. In the Gateway IP entry field, enter the IP address of the default gateway.
4. If you wish to assign a WINS server, configure the following two settings:
   WINS Server IP: Enter the IP address of the WINS server here.
   WINS Node Type: Use the drop-down menu to choose which kind of name resolution clients should use. If you choose Do not set node type, the client will choose by itself which to use.
5. Save your configuration by clicking Save.

Configuring Static Mappings

This function allows you to ensure that specific computers are always assigned the same IP address. To configure this function, you will need to know the MAC (hardware) address of the client's network card. Determining the MAC addresses of network cards is described on
54. list will show you a maximum of events. A complete event history has been stored in the Intrusion Protection log files.

5.10 Online Help

The Help menu contains further functions for use with the Online Help system.

Search: This function allows you to search WebAdmin's Online Help system for a particular term. Results will appear in a separate window.

Starting a search:

1. Under the Online Help tab, open the Search menu.
2. Enter your search term in the Search term field.
3. Begin the search by clicking seek.

If the term is found in either WebAdmin or the Online Help system, the following results will be returned:
• path to the relevant function in WebAdmin
• link to the relevant Online Help page
• information on the function or texts of the Online Help containing the expression searched for

Glossary: The glossary explains the concepts and terms used in WebAdmin. Click a term to see a short explanation.

5.11 Exiting the Security Solution

If you close a browser running a WebAdmin session without using the Exit function, the session will remain active until the timeout is reached. In such a case you can log in to WebAdmin again. A screen will be displayed informing you that another user is already logged in. To log in again, first end the other session by clicking the Kick button. If you wish to end another administrator's active session, you can type a mes
55. menu to select Load Balancing.

5. In the Pre-Balancing Target window, select the original destination address and service.
   Address or Hostname: Select the original destination address here. This should usually be the external address of the security system.
   Service: Select the destination port (service) to be balanced.
6. In the Post-Balancing Target Group drop-down menu, select the new address. This will usually be a network group composed of single hosts.

When the load balancing rule has been defined and saved, it will appear in the NAT rules table. The further functions in the NAT table can now be used for further customization.

Editing Load Balancing rules: Click edit to load the rule into the Edit NAT Rule window. The rule can now be changed as desired.

Deleting Load Balancing rules: Click delete to remove a rule from the list.

5.3.5 DHCP Server

The Dynamic Host Configuration Protocol (DHCP) automatically distributes addresses from a defined IP address pool to client computers. It is designed to simplify network configuration on large networks, and to prevent address conflicts. DHCP distributes IP addresses, default gateway information, and DNS configuration information to it
56. needed. This allows for the use of Path MTU Discovery.

IKE debug Flags: This selection field allows you to configure the scope of IKE debugging logs. The IKE Debugging function must be enabled in the IPSec VPN Connections menu. The following flags can be logged:
• State Control: control messages on the IKE status
• Encryption: encryption and decryption operations
• Outgoing IKE: content of outgoing IKE messages
• Incoming IKE: content of incoming IKE messages
• Raw Packets: messages in unprocessed bytes

MTU: Enter the MTU value in this entry field. By default the MTU value is already defined (1420 bytes).

5.8 System Management (Reporting)

The Reporting function provides current information about the system, the state of various subsystems, and real-time information about various reporting functions. The displayed values are updated every five minutes.

The diagrams shown on the first page of the Reporting menus show an overview of the current day's activity. By clicking the Show all button you can open a page containing graphics built from weekly, monthly, and yearly statistics.

5.8.1 Administration

The Administration menu contains an overview of the administrative events of the last 30 days.

[Figure: Administrative Statistics report, listing logins, Up2Date and Virus Protection (success/failed), Config changes (total), System restarts (total) and Uplink fail]
57. network through the Internet. Then click on the Next button.

4. If you have a permanent connection to the Internet, select the option Do not dial the initial connection. Then click on the Next button. Otherwise, select the Dial other connections first option and select your provider from the selection menu. These settings can be changed later in the Properties dialog box.

5. In the Destination address entry field, enter the IP address of the server. Then click on the Next button.

6. In the Connection Availability window, select whether the connection should be available to all local users, or just this account. Then click on the Next button.

7. In the next text entry field, enter a descriptive name for this PPTP connection. Then click on the Next button.

In Start / Settings / Network and Dialup Connections, a right-click on the new icon will allow you to open the Properties window and configure further options.

General: This allows you to change the hostname or destination address of the connection. In the Connect First window, select any network connections that need to be established before setting up the PPTP session.

Options: The dial and redial options can be defined here.

Security: Choose the Advanced (Custom Settings) option. Next click the Settings button. Leave these settings as they are.

Network: In the Type of VPN Server I am calling menu, select the Point-to-Point Tunnel
58. network to each security system within the HA device group. The IPs must be within an address range and may only be used once within a given device group. Example: The Device IP 10.0.0.1 is assigned to the Internet security system 1 and the Device IP 10.0.0.2 to security system 2.

Encryption Key: Enter a password here.

A Security Note: Use a secure password. Your name spelled backwards is, for example, not a secure password, while something like xfT35 4 would be.

Network Interface Card: Select a network card to be used for the data transfer connection. When an interface is selected for HA mode, it cannot be used in any of the other configuration menus.

Important Note: The network cards used for the connection must have the same Sys ID (e.g. eth3) on both systems. If you wish to use heartbeat monitoring, use this menu to choose network cards on both the normal and standby systems which support link beat.

Transfer Network: Enter the Network Address for the data transfer connection here.

Note: The data transfer connection must use a Class C network, that is, a network with mask 255.255.255.0. The bitmask form cannot be used. The data transfer network cannot be used for anything other than data transfer.

The entry fields contain suggestions generated by the system. You do not need to accept the default values.

Serial Interface (optional): In addition to watching the data conn
59. offers the platform-independent flexibility to define, enable and disable all necessary services. The Proxies incorporated into this security system transform it into an Application Gateway capable of securing vital services such as HTTP, Mail and DNS. Further, the SOCKS proxy enables generic circuit-level proxying for all proxy-aware applications.

VPN, SNAT, DNAT, Masquerading and static routing capabilities make the firewall a powerful connection and control point on your network.

3 Installation

The installation of this Internet security solution proceeds in two main steps: loading the software, and configuring the system parameters. The initial configuration required for loading the software is performed through the console-based Installation Menu, while the final configuration and customization can be performed from your management workstation through the web-based WebAdmin interface.

While configuring your system, please note that the WebAdmin system provides additional information and help through its Online Help system. To access this system, simply click the button marked

The following pages contain configuration worksheets where you can enter the data (such as default gateways and IP addresses) you use to set up your system. We recommend you fill these out as you configure the syste
60. only for high risk levels.
• None: No warning will be sent.

5.4.2 Rules

The Rules menu contains the Intrusion Protection System set of rules (IPS). The already existing base set of rules with the IPS attack signatures can be updated through the Pattern Up2Date function, if desired. New IPS attack signatures will automatically be imported as IPS rules into the IPS rules table.

The Pattern Up2Date function is described in further detail in chapter 5.1.3 on page 54.

IPS Rules Overview

The overview contains all IPS sets of rules:

attack responses: Recognition of successful attacks
backdoor: Rules for backdoor software
bad traffic: Recognizes traffic that should never occur
chat: Recognition of messaging and chat traffic
ddos: Rules for Distributed Denial of Service
dns: Rules for DNS protocol
dos: Denial of Service attacks
exploit: Well-known exploits of specific software
finger: Rules for finger protocol
ftp: Rules for FTP protocol
icmp: Rules for ICMP protocol
icmp info: Recognition of presumably harmless ICMP traffic

The functions in the overview, from left to right:

Clicking on the status light enables the IPS set of rules.

The IPS rule can be configured as an alarm rule (Intrusion Detection) or as a blocking rul
61. page 39 to learn more about the functions of the ordered list.

Important Note: Notification E-Mails can only be sent to the administrator when the DNS Proxy is enabled and configured (chapter 5.6.2 on page 227), or when the SMTP menu (chapter 5.6.6 on page 238) has been configured with a route for incoming e-mails.

Use external Indicators: This option is only available on appliance systems with an attached LCD indicator. This option allows you to turn the LCD display on or off.

Time Settings

This menu can be used to set the time and date of the security system. The date and time can be set manually with the help of the drop-down menu or can be automatically synchronized using the NTP server (Network Time Protocol). Please note that important changes in the time setting will appear as gaps in the Reporting and Logging.

We do not recommend changing the system time for daylight savings time. Instead, we recommend setting the system clock to Central European Time (CET). In summer, this corresponds to a deviation of less than one hour.

Important Note: When system time settings are changed, the following "time warp" effects may be noticeable:

Moving forward (e.g. standard time to daylight saving time):
• The timeout for WebAdmin will expire and your session will no longer be valid.
• Time base
62. some data, in particular streaming video and audio, over a port other than 80. These requests will not be noticed when the proxy is in Transparent mode; to support such requests, you must either use a different mode, or enter an explicit rule in the Packet Filter Rules allowing them.

Example:
Source: a local network
Service: service with target address (the service must first be defined in the Definitions/Services menu)
Destination: IP address of the web server, or Any
Action: Allow

HTTPS (TCP/IP Port 443) data is passed directly through the security system without processing.

Note: In order to use the Proxy in Standard mode, the client browser must be configured with the TCP/IP Address of the security system and the proxy port configured in the Proxies/HTTP menu. In addition, the HTTP proxy service requires a valid Name server (DNS). Without configuring the client browser, the Proxy can only be used in Transparent mode.

Global Settings (Operation Modes)

Standard: In this mode, you must select all networks which should be allowed to use the HTTP proxy service. If a browser on a non-configured network is configured to use the proxy, it will have no access to HTTP services. If a browser on a non-proxied network is not configured to use the proxy, an appropriate packet filter rule can allow (un-proxied) access to HTTP services.

Example:
Source: IP address of a local client
Service: HTTP
Destina
63. system and an external computer. Proxies operate exclusively at the application level. Proxy-based firewalls use a Dual-Homed Gateway that does not forward IP packets. Proxies, operated as specialized programs on the gateway, can then receive connections for a specific protocol, process the transmitted traffic at the application level and forward it afterwards.

Glossary

RADIUS: RADIUS stands for Remote Authentication Dial-In User Service. It is a protocol designed to allow network devices such as routers to authenticate users against a central database.

Router (Gateway): A router is a network device that is designed to forward packets to their destination along the most efficient path. Strictly speaking, a gateway is not always a router (it could be an application gateway, or proxy), though a router is a kind of circuit-level gateway. When a computer wants to communicate with a server not on the local network, it must pass the data to a router in order for the packets to be forwarded to their destination. By convention, the highest or lowest address in the network range is used for the router; for example, in the network 192.168.179.0/24, the router will normally be at either 192.168.179.254 or 192.168.179.1.

Server: A server is a network-connected computer that offers services to client computers. Standard services include WWW, FTP, news, and so on. In order to make use of these services, the user will need a client program (e.g.
64. that network will be used one after another.

Change Source to (SNAT): Choose a new source address for the translated packets. This can be either a single host or an entire network.

Service source: This drop-down menu will only be shown when you have chosen an address in the Change source to menu. Only services with one source port can be used here.

Change Destination to (DNAT): Choose a new destination address here. This can be either a single host or an entire network.

Service destination: This drop-down menu will only be shown when you have chosen an address in the Change destination to menu.

Save the settings by clicking Add.

After successfully defining a rule, it will appear in the NAT Rules table list. The further functions in the NAT table can now be used for further customization.

Further Functions

Edit rule: Click edit to load the rule into the Edit NAT Rule window. The rule can now be changed as desired.

Delete rule: Click Delete to remove a rule from the list.

5.3.4.2 Masquerading

Masquerading is a special case of SNAT which allows you to associate many internal (private) addresses with one external (public) address. This allows you to hide internal IP addresses and network information from the outside network.

The differences between Masquerading and SNAT are:
• Mas
65. the conditional GET type, the request of data depends on certain conditions. The details of these conditions are stored in the header field Conditional. Often-used conditions are, for example, If-Modified-Since, If-Unmodified-Since or If-Match. This condition helps to considerably reduce network utilization, since only the necessary data are forwarded. In practice, proxy servers, for example, use this function to prevent data that are already stored in the cache from being forwarded several times. The partial GET method has the same purpose. It uses the Range header field, which only forwards those parts of the data which the client has not yet been able to process. This technique is used for the resumption of an interrupted data transfer.

The PUT method allows for the modification of existing sources and/or for the creation of new data on the server. In contrast to the POST method, the URL in the PUT request identifies the data sent with the request and not the source.

Clicking on the Enable button enables the function (status light is green).

Allowed Target Services: Use the Allowed target services selection menu to choose services that the HTTP proxy should be allowed to access. By default, the services with the ports to which a connection is considered to be safe are already available.

TCP Port: Enter the TCP/IP Port in the entry field. By default, this is set to the TCP/IP Port 8080.

Clear HTTP Proxy Cache
66. the gateway is at 192.168.2.1:
Gateway: 192.168.2.1
If the administration computer is on the same subnet as the internal network card (in our example, if its address is 192.168.2.x), it does not need a gateway. In this case, enter the following value here:
Gateway: none
Confirm your entries with the Enter key.

Final Notes (Step 7)

Attention: Please read the notes and warnings presented during the installation carefully. After confirming them, all existing data on the PC will be destroyed.

If you wish to change your entries, press F12 to return to Step 1. Otherwise, start the installation process by pressing the Enter key.

Installing the Software (Step 8)

The software installation process can take up to a couple of minutes. You can follow the progress of the installation using the four monitoring consoles. There are four consoles available:
Main Installation (Alt+F1)
Interactive bash Shell 1 (Alt+F2)
Installation Log (Alt+F3)
Kernel Log (Alt+F4)

When the installation process completes, remove the CD-ROM from the drive and connect the eth0 network card to the internal network. Except for the internal Network card (eth0), the sequence of network cards will normally be determined by PCI ID and by the Kernel drivers. The sequence of network card names may also change if the hardware configuration is changed, especially if network cards are removed or added.

9. Reboot the S
67. the internal client is available: Allow, Authorization, Cache-Control, Content-Encoding, Content-Length, Content-Type, Date, Expires, Host, If-Modified-Since, Last-Modified, Location, Pragma, Accept, Accept-Language, Content-Language, Mime-Version, Retry-After, Title, Connection, Proxy-Connection and User-Agent.

Note: In Standard and Paranoid modes, the proxy blocks all cookies. If you wish to use cookies, you should use the none mode.

7. Use the Allowed networks selection menu to select which networks should be allowed to use the proxy. A description of how to use the selection field tool can be found in chapter 4.3.2 on page 36.

All settings take effect immediately and will be saved when you leave this menu. Only the HTTP proxy can be accessed from the allowed networks.

See also the functions in the Advanced window.

Surf Protection (Content Filter)

The Surf Protection Profiles function allows you to produce profiles which prevent access to certain web sites. These profiles can then be associated with certain users or networks, thus allowing control over which sites users may access. The categories are based on the URL database from Cobion Security Technologies and can be edited in the Surf Protection Categories table. Each Surf Protection Profile additionally contains a Content Filter with protection m
the settings. When the message Up appears, the interface is fully operational.

5.3.3 Routing

Every network-connected computer uses a routing table to determine where outbound packets should be sent. The routing table contains the information necessary to determine, for instance, if the destination address is on the local network, or if traffic must be sent via a router; and, if a router is to be used, the table details which router is to be used for which network.

Static Routes

The security system will install static routing entries for directly connected networks by itself. Further routes, however, must be manually entered. This is the case, for instance, when the local network includes a router to be used for access to a specific network. These routes, called static routes, contain information about how to contact a non-directly connected network.

This menu allows you to define which network card or router should be used to contact various external networks.

Defining Static Routes:

1. Under the Network tab, open the Routing menu.
2. Click on the New button. The Add Static Route window will open.
3. In the Network drop-down menu, choose the network you wish to define a route for. The Network drop-down menu contains all static networks, as well as those you have defined in the Networks and
the table.

Step 4: Download the Certificate

1. In the Host CSRs and Certificates table, select the new certificate.
2. Use the drop-down menu at the bottom of the table to select a download format:
   DER: In the Passphrase field, you must enter the password of the Private Key.
   PEM: No password is necessary.
   PKCS#12: Enter the password of the Private Key in the Passphrase field. In the Export Pass field, enter a different password. This password will be required to install the certificate on the client computer.
3. Click Start.

You must now install the certificate on the remote computer. The installation process depends on the IPSec software on that computer.

5.7.7 Advanced

Advanced IPSec Settings

[Screenshot: Advanced IPSec Settings window with the options NAT Traversal, Copy TOS Flag, Send ICMP Messages, Automatic CRL Fetching, Strict CRL Policy and IKE Debug Flags (State Control, Outgoing IKE, Incoming IKE, Raw Packets)]

This menu allows you to make additional settings for the IPSec VPN option. This should, however, only be done by experienced users.

NAT Traversal: When enabled, NAT Traversal allows hosts to establish an IPSec tunnel through NAT devices. This module attempts to detect if NAT firewalls are being used between the server and client; if so, the system will use UDP packets to communi
the table; for instance, to sort the rules by sender address, click Source. To return to the precedence-based sorting, click the column with the position numbers.

Filters

The Filters function allows you to filter Packet Filter Rules by specific attributes. This function enhances the management of huge networks with extensive sets of rules, since rules of a specific type can be presented in a concise way.

Filtering rules:

1. Click on the Filters button. The entry window will open.
2. Enter the filter attributes in the fields. Not all attributes must be defined.
   Group: If you want to filter the rules of a specific group, select them from the drop-down menu.
   State: This drop-down menu allows you to filter rules by a specific status.
   Source: This drop-down menu allows you to filter rules by a specific source address.
   Service: If you want to filter rules by a specific service, select it from the drop-down menu.
   Action: This drop-down menu allows you to filter rules by a specific action.
   Destination Port: This drop-down menu allows you to filter rules by a specific destination address.
   Log: This drop-down menu allows you to filter logged rules.
   Comment: If you want to filter services by specific comments, enter the expressions in the entry menu.

To start the filter, click on the Apply Filters button.

Only the filtered packet filter rules will be d
these services. Network services using the TCP and UDP Internet protocols can be accessed via special ports, and this port assignment is generally known; for example, the SMTP service is generally assigned to TCP port 25. The ports used by the services are referred to as open, since it is possible to establish a connection to them, whereas unused ports are referred to as closed: every attempt to connect with them fails. The attacker tries to find the open ports with the help of a particular software tool, i.e. the port scanner. This program tries to connect with several ports on the destination computer. If it is successful, the tool displays the relevant ports as open, and the attacker has the necessary information showing him which network services are available on the destination computer.

The following is an example of the information returned by a port scanner:

    Interesting ports on (10.250.0.114):
    (The 1538 ports scanned but not shown below are in state: closed)
    Port       State     Service
    25/tcp     open      smtp
    135/tcp    open      loc-serve
    139/tcp    filtered  netbios-ssn
    445/tcp    open      Microsoft-ds
    1032/tcp   open      iad3

Since 65535 ports are available for the TCP and UDP Internet protocols, the ports are scanned at very short intervals. When the firewall detects an unusually large number of attempts to connect to services, especially when these attempts come from the same source address, this is almost certainly due to a portscan.

PSD watches for such sca
will be collected and sent to you when the collection period has expired. If more events occur, this period will be increased. Further information on the Intrusion Prevention event can be found in the notification e-mail.

856: Portscan detected. A portscan was detected. The originating host was: <IP>.
A portscan from the given IP address was detected. The Portscan Detection Module is described in chapter 5.4.1 on page 179.
For more information:
- see WebAdmin -> Local Logs -> Browse -> Portscan
- search with whois to know who the source IP belongs to:
  RIPE NCC: http://www.ripe.net/perl/whois?query=$HOST
  ARIN: http://www.arin.net/cgi-bin/whois.pl?queryinput=$HOST
  APNIC: http://cgi.apnic.net/apnic-bin/whois.pl?search=$HOST
- use traceroute from UC Berkeley: http://www.net.berkeley.edu/cgi-bin/traceroute?$HOST
Attention: source IP addresses can easily be forged by attackers.

999: Portscan detected (Event buffering activated). A portscan was detected. The originating host was: <IP>.
A portscan from the given IP address was detected. The Portscan Detection Module is described in chapter 5.4.1 on page 179.
Event buffering has been activated. Further Intrusion Protection events will be collected and sent to you when the collection period has expired. If more events occur, this period will be increased.
[Screenshot: Live Log window listing accepted packets in real time]

Live Log: By clicking the Show button, a new window will appear. This window shows a real-time display of packets that have been dropped by the security system. Click the stop Live Log / start Live Log button to pause or unpause the real-time display.

Note: Please note that only those processed rules will be filed in a protocol for which the Log function has been enabled under Packet Filter Rules.

Current System Packet Filter Rules: The Current Packet Filter Rules window provides detailed information for expert administrators. The table shows all rules in real time, including system-generated ones, and is taken directly from the operating system kernel.
2. In the Network tab, open the Interfaces menu.
3. Click on the New button. The Add Interface window will open.
4. In the Name entry field, enter a descriptive name for the interface.
5. Use the Hardware drop-down menu to select a network card.
6. Use the drop-down menu Type to select VLAN Ethernet interface.
7. Fill in the required settings for the VLAN Ethernet Interface type of interface:
   Address: Assign an IP address for the virtual interface. If you wish to use a static IP address for this interface, select Static from the drop-down menu and enter the address to use in the entry field. If you wish to have an address dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.
   Netmask: If you wish to use a statically defined network mask for this interface, use the drop-down menu to select Static and enter the netmask to use in the entry field. If you wish to have a netmask dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.
   Default Gateway: If you wish to use a statically defined default gateway, use the drop-down menu to select Static and enter the address of the gateway in the entry field. If you wish to have a gateway dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu. Otherwise, select None.
   VLAN Tag: Enter the VLAN tag to use for this interface.
   Uplink Failover on Interface: This function will only be displayed if the Assign by D
3.8 on page 177.

Log ICMP Redirects: ICMP Redirects are sent from one router to another in order to find a better route for a destination. Routers then change their routing tables and forward the following packets to the same destination on the supposedly better route. This function logs the ICMP Redirects. Clicking on the Enable button enables the function (status light is green).

Traceroute Settings

Traceroute is a tool used to check and troubleshoot network routing. This tool can resolve the path to an IP address. Traceroute lists the IP addresses of the routers that were used to transport the sent packet. Should the packet path not be reported within a certain time interval, traceroute will report a star (*) instead of the IP address. After a certain number of failures, the test will end. An interruption of the test can have any number of causes, notably a packet filter along the network path that blocks traceroute packets.

This window shows advanced options related to ICMP Traceroute. The settings here can also open the UDP ports UNIX Traceroute uses.

Firewall is Traceroute visible: When this function is enabled, the firewall will respond to Traceroute packets. Click the Enable button to enable the function (status light shows green).

Firewall forwards Traceroute: When this function is enabled, the
link beat monitoring system, please check that the network cards support link beat, and that they are supported by the security system. Also check to make sure that the link beat capable cards have been chosen for the data transfer connection. The installation and management of the HA system is described in chapter 5.1.10 on page 97.

CRIT 301: Log file(s) have been deleted. The log file partition usage reached the specified value in percent. Log files have been deleted. To make sure you don't lose more log file(s), please check the WebAdmin settings and/or remove old log files manually. The deleted files and/or directories are listed in the attachment.

CRIT 302: Remote log file storage failed. The daily log file archive could not be stored on the configured remote server. Please check the WebAdmin settings for Local Logs -> Settings -> Remote log file archive. The archive file will be automatically re-transferred with the next daily log file archive.

CRIT 305: Intrusion Protection Event. A packet was identified that may be part of an intrusion. The matching rule classified this as medium priority level. Further information on the Intrusion Prevention event can be found in the notification e-mail.

CRIT 306: Intrusion Protection Event (Event buffering activated). A packet was identified that may be part of an intrusion. The matching rule classi
1. Welcome to Astaro

Congratulations on your purchase of the Internet Security Solution Astaro Security Linux V5, and welcome to the Astaro family.

This manual will take you step by step through the installation process, will explain the web-based WebAdmin configuration tool, and can be used to document your configuration.

The most recent version of this document is always available at the following address: http://docs.astaro.org

In order to provide you with the most up-to-date information possible, this document makes occasional reference to other documents available at the web sites of Astaro and other organizations. Please note that these addresses may change over time, and that documents hosted by other organizations may even be removed entirely.

If you have further questions, or notice any mistakes in this manual, please do not hesitate to contact us at documentation@astaro.com. For further support, please visit our user support forum at http://www.astaro.org or make use of the Astaro Support Program.

2. Introduction to the Technology

Before exploring the Astaro Security Linux Security Solution in detail, it may be helpful to take an overview of network and security technology in general. In particular, it is important to understand the serious risks that unprotected systems face, as well as where and how to deploy this security system to mi
40-bit key, enter a string with 5 hexadecimal digits separated by colons. In order to use a 104-bit key, enter a string of 13 hexadecimal digits separated by colons. The string must consist of hexadecimal digits. Please note that a hexadecimal number is two characters, each either a number (0-9) or a letter (A-F). Example of a 40-bit key: 17:A5:6B:45:23

Default WEP Key: Use the drop-down menu to choose one of the defined WEP Keys 0-3 which should be used as the default key. This key will be used as the current key, which all the other nodes must use to access the wireless network.

Access Mode: Choose the filter mode for the wireless LAN. If all nodes should be allowed access (subject, of course, to WEP restrictions), select All stations can get access. If you wish to configure a positive filter, select Stations in Allowed MAC addrs can get access. To use a negative filter, choose Stations in Denied MAC addrs can not get access.

Allowed MAC addrs: If you have chosen to use a positive filter, enter the MAC addresses of nodes allowed to access the wireless network in the access control list. The access control list function is identical to the ordered list and is described in chapter 4.3.4 on page 39.

Denied MAC addrs: If you have chosen to use a negative filter, enter the MAC addresses of nodes explicitly not allowed to access the network in the access control list. The access control list function is i
509 IPSec key exchanges.

RSA Authentication

RSA authentication requires a Local IPSec Identifier and a Local RSA Key.

Note: Depending on the selected key length and the processor of the security solution, the generation of RSA keys can take several minutes.

1. In the Local IPSec RSA Key window, define a unique VPN Identifier:
   IPv4 Address: For static IP addresses.
   Hostname: For VPN security gateways with dynamic addresses.
   E-Mail Address: For mobile (road warrior) connections.
   Save the settings by clicking Save.
2. Generate a new RSA Key in the Local RSA Key window by selecting the key length from the RSA Key length drop-down menu. When you click Save, the system will begin generating a new RSA key pair.

After generation, the active Local RSA Key and its name will be displayed. When a new key is generated, the old key will be replaced.

PSK Authentication

For authentication through Preshared Keys (PSK), no additional configuration of local keys is required.

During the key exchange using IKE Main Mode, only IPv4 Addresses are supported as IPSec identifiers. The IPSec identifier in the IKE Main Mode is automatically encrypted with the PSK, and so PSK cannot be used for authentication. The IP addresses of IKE connections are automatically used as IPSec identifiers.

The PSK Key is entered in the IPSec Policies Remote Keys menu. It will automatically
info: Informational messages
local: Locally generated rules
misc: Miscellaneous rules
multimedia: Recognition of multimedia streaming software

5.4.3 Advanced

Policy and Exclusions

[Screenshot: Policy and Exclusions window with the Policy drop-down menu, the HTTP Servers, DNS Servers and SMTP Servers selection fields (Any, Internal (Address), Internal (Broadcast), Internal (Network), PPTP Pool) and the Performance Tuning section]

This menu allows you to configure additional settings for the Intrusion Protection System (IPS). This should, however, only be done by experienced users.

Policy: From this drop-down menu select the security policy that the Intrusion Protection System should use if a blocking rule detects an IPS attack signature.

- Drop silently: The data packet will only be blocked.
- Terminate connection: A TCP Reset and/or ICMP Unreachable (for UDP) packet will be sent to both communication partners and the connection wil
DNS names and IP numbers. Every top-level domain also has name servers which contain information about their subordinate servers.

The DNS system is thus a distributed, hierarchical database. DNS resolution is normally handled by network applications rather than by the user him- or herself.

Dual Homed Gateway: A dual-homed gateway is a computer that is directly connected to two networks, i.e., it has two network cards, each connected to a different network, and which forwards information from one network to the other. Due to the fact that there is no IP forwarding, all connections must be forwarded through this Dual Homed Gateway.

Firewall: A firewall protects one network or subnet (e.g., an internal LAN) from another network (e.g., the public Internet). All traffic between the two passes through the firewall, where it is controlled and monitored.

Header: In general, the header is the information contained at the top of a file or message, and consists of low-level data regarding the status and handling of the file or message. In particular, the header of an e-mail or Usenet message contains information such as the sender, recipient, and date.

Host: In a client-server architecture, the host is the computer which runs the server software. One host can have multiple server programs running on it; that is, an FTP server, mail server, and web server can all run on the same host. A user uses a client program, for instance a
Further information on the Intrusion Prevention event can be found in the notification e-mail.

File transfer request: This is the file you requested.

WARN 001: A feature will expire. The feature <...> is time limited and will expire in <...>. Please contact your local Astaro partner or an Astaro sales representative to obtain a license update. E-Mail addresses: Americas: mailto:salesus@astaro.com; Europe, Asia Pacific and Africa: mailto:sales@astaro.com. For technical questions, please feel free to visit our user bulletin board at http://www.astaro.org or our documentation resources at http://docs.astaro.org.

WARN 005: Failed login attempt from <IP> at <time> with <username>.

WARN 080: HA check: no link beat on interface, retrying. The link beat monitoring system on the firewall failed. The system will now try again. If the system continues to fail, the administrator will receive message WAR 081. If you do not wish to use this monitoring function, no further action is required. After the system sends the WAR 081 message, it will not try to start the link beat monitoring system again.

WARN 081: HA check: interface does not support link beat check. The link beat monitoring system failed after multiple attempts. If you have recently installed the HA system, and you intend to use the
HCP or Static is selected in the Default Gateway drop-down menu. You can configure a standby connection through a second interface. If the primary connection fails, the uplink will automatically be set up through the second interface. Uplink Failover on Interface is by default disabled (Off). If you wish to use this virtual interface as primary connection, select Primary Interface from the drop-down menu. If this interface shall contain the standby connection, select the Backup Interface configuration.

Uplink Failover check IP: Once the Uplink Failover on Interface function has been enabled, this entry field will be displayed. Enter the IP address of a host that replies to ICMP ping requests. The security system will send ping requests to this host; if no answer is received, the backup interface will be enabled by the failover. In this entry field, there must always be an IP address for the failover.

QoS Status: In order to use Quality of Service (QoS) bandwidth management on an interface, enable this option. To enable the Quality of Service (QoS) module, select On from the drop-down menu.

Important Note: For the bandwidth management Quality of Service (QoS) you must define the values for Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). These values are used as the basis for the bandwidth management system; incorrect values can lead to poor management of the data flow. The Quality of S
HTTP Proxy Usage: The access to the HTTP Proxy is recorded in this menu.

5.8.11 Executive Report

In the Executive Report menu, a complete report is created from the individual reports in the Reporting tab.

Daily Executive Report by E-Mail: Once a day an updated complete report is sent to the e-mail addresses entered into the ordered list. The function is automatically enabled once an address has been entered into the field. New e-mail addresses are taken over to the ordered list from the entry field by clicking on the Add button. Ordered Lists are described in chapter 4.3.4 on page 39.

Current Report: Clicking on the Show button opens a window in which the current complete report is displayed. This report can be printed out by clicking on the Print this Report button.

[Screenshot: Current Report window showing CPU load (Daily Graph) and Memory usage (Daily Graph)]

5.8.12 Accounting

Generate Accounting Reports: The Accounting function monitors all IP packets transmitted over the various network cards and, once a
HTTP request starts to the Internet, its IP address will be replaced by the IP address of the external network card. The data traffic for the external network (Internet) thus does not contain internal information. The answer to the request will be recognized by the firewall and forwarded to the requesting computer.

nslookup: Nslookup is originally a UNIX program designed to query name servers. The main application is the display of IP names in the case of a given IP number and vice versa. Moreover, additional functions such as aliases can also be displayed.

Port: While at the IP level only sender and destination addresses are important, the TCP and UDP protocols both include the concept of ports. A port is an additional identifier (in the cases of TCP and UDP, a number between 0 and 65535) that allows a computer to distinguish between multiple concurrent connections between the same two computers. TCP and UDP packets have both a sending port and a destination port.

Protocol: A protocol is a well-defined and standardized set of rules that govern how a client and server interact. Some well-known protocols and their associated services include HTTP (WWW), FTP (FTP), and NNTP (news).

Proxy (Application Gateway): Proxies, often called application gateways, separate two networks at the network (IP or TCP/UDP) level, while still allowing certain kinds of communication. There can be no direct connection between an internal
Interfaces menus.

4. In the Target drop-down menu, select the destination to which packets should be forwarded. Names in brackets are interfaces, while names without brackets are either hosts or routers.
5. Save your changes by clicking Save.

When a new route has been defined and saved, it will appear in the Static Routes table. To remove an entry, click delete.

Kernel Routing Table

The Kernel Routing Table will be displayed in a separate window. This window shows all routes currently active on the system. The system will check each rule in the order of the list, using the first applicable route. By default, the default routes associated with network cards are already entered and are not editable.

Clicking on the Show button opens the Kernel Routing Table window.

5.3.4 NAT/Masquerading

5.3.4.1 NAT

The Network Address Translation (NAT) function translates one set of IP addresses (usually private ones) to addresses in another set (usually public). NAT makes it pos
Legitimate messages are unlikely to be caught.

do this: This drop-down menu allows you to select the action the proxy should take upon finding a message with a filtered string. The following actions are possible:

- Reject: The message will be bounced back to the sender with a 5xx error message. The bounce message sent to the sender will also contain an explanation of why the message was blocked.
- Blackhole: The e-mail will be accepted and silently dropped. Do not use this action unless you are absolutely certain no legitimate e-mails will be lost.
- Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message.
- Pass: The e-mail will be treated by the filter, but allowed to pass. A header will be added to the e-mail, by which it can be sorted or filtered on the mail server or in the e-mail programs of the recipient. In addition, the word "SPAM" will be added to the message subject line. For a description of how to create rules in Microsoft Outlook 2000, please see page 252.

Spam Sender Whitelist: This control list is defined for the Spam Protection function. Enter the e-mail addresses of those senders into the list whose messages you wish to allow through. The function of the Control List is identical to the Ordered List and described i
90. Local Users: Click on the settings in the Name, Password, PPTP Address and Comment columns to open an editing window, in which you can edit the entries.

Deleting Local Users: Clicking on the trash can symbol deletes the definition from the table.

5.3 Network Settings (Network)

The Network tab contains menus which allow you to configure network cards and virtual interfaces, as well as to perform network-specific configuration and management tasks.

5.3.1 Hostname/DynDNS

Firewall Hostname

Hostname: Enter the host name for the security system in this entry field. Example: FIREWALL.mydomain.com

A hostname or domain name may contain alphanumeric characters, periods and minus signs. It must end with an alphabetic top-level designator such as .com, .de or .org.

Save your entries by clicking the Save button.

Note: The Hostname appears in the subject line of all notification e-mails sent to the administrator.

Dynamic DNS

Dynamic DNS addresses a device or a VPN peer through a DNS-resolvable name. At each connection, the IP address currently in use is stored for that name on a public DNS server in the Internet. The device can therefore always be reached through this name, as
91. MAC address of a computer is described in the next section.

Determining the MAC address

If you have not yet installed your network card, you can simply examine it to determine its MAC address: the unique MAC address is usually printed on the card itself.

If the wireless LAN is already in use and you wish to install a new MAC filter, you can use the following commands on the mobile nodes to determine their MAC addresses. If you are configuring a small wireless LAN, the mobile computers are MS Windows computers, and you have physical access to them, follow these steps:

1. Open the Command Prompt.

2. The Command Prompt can be found in the Start menu under Programs > Accessories > Command Prompt.

3. Enter the following command at the prompt: ipconfig /all

4. Press the Enter key. The Physical Address row contains the MAC address, for example 00-04-76-26-65-4C.

5. Close the Command Prompt.

If you have a larger network, you can use the ping program under MS Windows to determine the MAC addresses of remote nodes:

1. Make sure that the remote computer whose MAC address you wish to check is turned on and connected to the network.

2. Open the Command Prompt (Start menu > Programs > Accessories > Command Prompt).

3. Ping the destination computer with the following command: ping IP-Address (e.g. ping 192.168.2.15)

4. Press the Enter key.
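As an added example (my code, not part of the manual or of Astaro's software), the Python below parses the output of ipconfig /all to extract the Physical Address of every adapter and normalises each MAC address into one canonical form before comparing it with a MAC filter list, so that entries written as 00-04-76-26-65-4C, 00:04:76:26:65:4c or 0004.7626.654C all match. The ipconfig output embedded in the script is constructed for the example, not captured from a real host.

```python
import re

# Constructed sample of `ipconfig /all` output; adapter names and addresses are made up.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . : Wireless LAN Adapter
        Physical Address. . . . . . . : 00-04-76-26-65-4C
        IP Address. . . . . . . . . . : 192.168.2.15
        Subnet Mask . . . . . . . . . : 255.255.255.0

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . : 00-0C-29-AB-CD-EF
        IP Address. . . . . . . . . . : 10.0.0.7
"""

ADAPTER_RE = re.compile(r"^(?:Ethernet|Wireless|PPP) adapter (.+):$")
PHYS_RE = re.compile(
    r"^\s*Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s*$")


def normalize_mac(mac):
    """Canonical form: lowercase, colon separated (00:04:76:26:65:4c).
    Accepts '-', ':' or '.' as separators and bare 12-digit hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def physical_addresses(ipconfig_output):
    """Map adapter name -> normalized MAC, parsed from `ipconfig /all` text."""
    found = {}
    adapter = None
    for line in ipconfig_output.splitlines():
        m = ADAPTER_RE.match(line.strip())
        if m:
            adapter = m.group(1)
            continue
        m = PHYS_RE.match(line)
        if m and adapter is not None:
            found[adapter] = normalize_mac(m.group(1))
    return found


def mac_allowed(mac, allow_list):
    """MAC filter decision. Both sides are normalized so that notation
    differences cannot lock out a legitimate node or let a typo through."""
    wanted = normalize_mac(mac)
    return any(normalize_mac(entry) == wanted for entry in allow_list)


if __name__ == "__main__":
    for name, mac in physical_addresses(SAMPLE_IPCONFIG).items():
        print("%-30s %s" % (name, mac))
    # A MAC filter is access control by an address the client chooses itself;
    # it is not authentication, because any node can set its own MAC address.
    print(mac_allowed("00-04-76-26-65-4C", ["00:04:76:26:65:4c"]))
```

The normalisation step matters in practice: a filter that compares the raw strings will silently reject a node whose address was entered with different separators or letter case. Remember too that a MAC filter only raises the bar slightly, since any client can set its interface to an address copied from an allowed node.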
92. S authentication here as well.

The configuration of the Microsoft IAS RADIUS server and the configuration of RADIUS within WebAdmin are described in chapter 5.1.7 on page 71.

Note that PPTP itself (MS-CHAPv2 authentication with MPPE encryption) is now considered cryptographically weak; where the clients support it, prefer L2TP over IPSec or IPSec remote access.

The PPTP Live Log provides a list of important events, including error messages, related to the PPTP service. The Logging menu can be used to select which events are logged.

PPTP IP Pool

This menu is used to define which IP addresses PPTP hosts are assigned. The default settings assign addresses from the private IP space 10.x.x.x. This network is called the PPTP Pool and can be used in all other configuration options of the security system. If you wish to use a different network, simply change the definition of the PPTP Pool, or assign another defined network as the PPTP Pool here.

PPTP users are defined in the Definitions/Users menu. It is also possible to assign specific users specific IP addresses. These addresses do not need to be part of the defined PPTP pool. To use these addresses in other parts of the system configuration, such as the packet filter, they must be defined as single hosts (i.e. networks with netmask 255.255.255.255) or as part of a larger network.

Note: If you use private IP addresses for the PPTP pool and you wish PPTP-connected computers to be allowed to access the Internet, appropriate Masqu
93. SSH Client. Access through SSH is encrypted and cannot be read by eavesdroppers.

SSH (Shell Access) Settings

The Shell Access function is enabled by default once you have entered a password for the configuration through the Astaro Configuration Manager in the Setting System Passwords window.

If you wish to access the security system through SSH, the SSH status must be enabled (the status light shows green).

The SSH server performs name resolution on connecting clients and therefore needs a valid name server. If no valid name server is found, SSH access attempts appear to hang: the lookup times out after about a minute, during which the connection seems frozen or failed. Once the time-out has expired, the connection proceeds without further delay.

You must also add the networks allowed to access the SSH service in the Allowed Networks selection field. To ensure a seamless installation process, the Allowed Networks field contains the Any option by default; this means that any computer can reach the SSH service. Networks are defined in the Definitions/Networks menu.

Security Note: By default, anyone has access to the SSH service, because the Allowed Networks field contains the Any option. For increased security, we recommend that access to the SSH service be limited to the networks from which administration takes place; all other networks, including Any, should be removed.

We recommend that the SSH service be disabled when not in active use.

Password and Factory
94. System

This system supports three kinds of authentication for IKE:

- IKE with Preshared Keys (PSK)
- IKE with RSA Keys (RSA)
- IKE with X.509v3 Certificates (X.509)

Authentication with Preshared Keys (PSK) uses secret passwords as keys; these passwords must be distributed to the endpoints before the connection is built. When a new VPN tunnel is built, each side checks that the other knows the secret password. The security of such PSKs depends on how good the passwords used are: common words and phrases are subject to dictionary attacks. Permanent or long-term IPSec connections should use certificates or RSA keys instead.

Authentication via RSA Keys is considerably more robust. In this scheme, each side of the connection generates a key pair consisting of a public key and a private key. The private key is necessary for the encryption and authentication operations during the key exchange. The two keys are mathematically related, but the private key cannot be derived from the public key with any feasible amount of work; data encrypted with one key can only be decrypted with the other. Both endpoints of an IPSec VPN connection require their own public key and private key for this authentication method.

Similarly, the X.509 certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such ce
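The following Python program is an added illustration, not part of the manual and not the IKE protocol itself. It models the idea that "each side checks that the other knows the secret" as a challenge-response: both endpoints exchange random nonces and then prove knowledge of the PSK with an HMAC. It then shows why the quality of the password matters by running an offline dictionary attack against the captured exchange. The endpoint identities gw-a and gw-b, the word list and the HMAC construction are assumptions made for the example. In real IKE, whether an eavesdropper obtains a crackable value depends on the mode (in IKEv1 aggressive mode the PSK-based authentication hash is sent unprotected, in main mode it is not), but the dependence on password strength is the same.

```python
import hashlib
import hmac
import secrets

# Constructed toy dictionary for the attack demonstration.
WORDLIST = ["letmein", "password", "berlin2004", "qwerty", "summer"]


def prove(psk, own_nonce, peer_nonce, identity):
    """Proof of PSK knowledge: HMAC-SHA256, keyed with a hash of the PSK, over
    both nonces and the prover's identity. A simplified stand-in for the IKE
    authenticator, not the real IKE computation."""
    key = hashlib.sha256(psk.encode("utf-8")).digest()
    return hmac.new(key, own_nonce + peer_nonce + identity.encode("utf-8"),
                    hashlib.sha256).digest()


def handshake(psk_a, psk_b):
    """Run the exchange between gateway A (knows psk_a) and gateway B (knows psk_b).
    Returns (transcript as seen by an eavesdropper, authenticated)."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    proof_a = prove(psk_a, nonce_a, nonce_b, "gw-a")
    proof_b = prove(psk_b, nonce_b, nonce_a, "gw-b")
    # Each side recomputes the peer's proof with its own PSK; compare_digest
    # avoids leaking the position of the first differing byte through timing.
    a_accepts_b = hmac.compare_digest(prove(psk_a, nonce_b, nonce_a, "gw-b"), proof_b)
    b_accepts_a = hmac.compare_digest(prove(psk_b, nonce_a, nonce_b, "gw-a"), proof_a)
    transcript = {"nonce_a": nonce_a, "nonce_b": nonce_b, "proof_a": proof_a}
    return transcript, (a_accepts_b and b_accepts_a)


def dictionary_attack(transcript, wordlist):
    """Offline attack: the attacker needs only the public transcript and
    recomputes the proof for each candidate PSK until one matches."""
    for candidate in wordlist:
        guess = prove(candidate, transcript["nonce_a"], transcript["nonce_b"], "gw-a")
        if hmac.compare_digest(guess, transcript["proof_a"]):
            return candidate
    return None


def random_psk(nbytes=24):
    """A PSK that is in no word list: 24 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    transcript, ok = handshake("berlin2004", "berlin2004")
    print("tunnel authenticated:", ok)
    print("PSK recovered from the transcript:", dictionary_attack(transcript, WORDLIST))
    transcript, ok = handshake(random_psk(), random_psk())
    print("mismatched PSKs authenticated:", ok)
```

The attack costs the eavesdropper one HMAC per candidate, so a PSK taken from a word list falls immediately while a random 24-byte key does not; this is the reason the text recommends certificates or RSA keys for long-lived tunnels, where the PSK would otherwise stay the same for years.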
95. TP (Remote Access).

Security Note: Normally, only the admin user has access to WebAdmin. The password to WebAdmin should be changed at regular intervals.

Add Local Users

1. Under the Definitions tab, open the Users menu.

2. Click on the New Definition button. The entry window opens.

3. Make the following settings:

Username: Enter a unique username for the local user in the entry field. This username will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.

Password: Enter a password here.

Security Note: Use a secure password. Your name spelled backwards is, for example, not a secure password, while something like xfT35 4 would be.

Comment: You can enter a description of the local user in this entry field.

4. Save the local user by clicking on the Add Definition button. The new user is then displayed in the table.

5. In the table, enable the services for the local user. Initially, no services are enabled for the user. Enable a service by clicking on the corresponding term. Example: HTTP displayed as inactive means the HTTP Proxy is not enabled; HTTP displayed as active means the HTTP Proxy is enabled.

The available services are HTTP Proxy, SMTP Proxy, SOCKS Proxy, WebAdmin, L2TP over IPSec and PPTP (Remote Access).
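Added example (my code, not Astaro's): Python checks that implement the naming rules the manual states for the Hostname field in the Hostname/DynDNS section (alphanumerics, periods and minus signs, ending in an alphabetic designator such as .com) and for the Username field above (alphanumerics, minus, space and underscore, up to 39 characters), plus a small password sanity check motivated by the Security Note. The DNS label limits (63 characters per label, 253 in total) and the password thresholds (at least eight characters, three character classes, not derived from the username) are my assumptions, not rules stated in the manual.

```python
import re

# One DNS label: alphanumerics and minus signs, not starting or ending with a minus.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# The manual requires an alphabetic top-level designator (.com, .de, .org ...).
TLD = re.compile(r"^[A-Za-z]+$")
# Username rule from the manual: alphanumerics, minus, space, underscore; at most 39 characters.
USERNAME = re.compile(r"^[A-Za-z0-9 _-]{1,39}$")


def valid_hostname(name):
    """Hostname field rules plus assumed DNS length limits (63 per label, 253 total)."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not TLD.match(labels[-1]):
        return False
    return all(len(label) <= 63 and HOSTNAME_LABEL.match(label) for label in labels)


def valid_username(name):
    """Username field rules as stated in the manual."""
    return bool(USERNAME.match(name))


def password_problems(password, username=""):
    """Return a list of reasons the password is weak (empty list = acceptable).
    Thresholds are assumptions for this example, not the manual's rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    lowered, user = password.lower(), username.lower()
    if user and lowered in (user, user[::-1]):
        problems.append("derived from the username")
    return problems


if __name__ == "__main__":
    print(valid_hostname("FIREWALL.mydomain.com"), valid_hostname("firewall.mydomain.c0m"))
    print(valid_username("john_doe-1"), valid_username("john.doe"))
    print(password_problems("eodnhoj", username="johndoe"))
```

Validating at the point of entry is what keeps a name from later breaking the packet filter rules that reference it; the password check is deliberately minimal and should be replaced by a proper policy (length, breach-list lookup) in anything beyond a demonstration.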
96. Up2Date succeeded: Updated new Intrusion Protection patterns. For more information please see the notification e-mail. Further information on the System Up2Date can be found in chapter 5.1.3 on page 54.

Virus Pattern Up2Date: No pattern installation for Virus patterns needed.

Virus Pattern Up2Date succeeded: Installed new Virus Pattern. For more information please see the notification e-mail.

Daily log file archive: This is an archive file containing the log files. The date of these log files is specified in the notification.

Log file partition is filling up: The log file partition usage has reached the specified value in percent. Depending on your configuration, the system will automatically take measures if the usage continues to grow. To make sure you do not lose any important log files, please check the WebAdmin settings and/or remove old log files manually.

Codes listed alongside these entries: 850, 851, 855.

Intrusion Protection Event: A packet was identified that may be part of an intrusion. The matching rule classified this as low priority level. Further information on the Intrusion Prevention event can be found in the notification e-mail.

Intrusion Protection Event (Event buffering activated): A packet was identified that may be part of an intrusion. The matching rule classified this as low priority level. Event buffering has been activated. Further Intrusion Protection events
97. The following actions are preset:

Quarantine: The e-mail is accepted but kept in quarantine. The Proxy Content Manager menu lists this e-mail with the status Quarantine and presents further options, including options to read or to deliver the message.

Pass: The proxy adds a header to the message noting that it has found a potentially dangerous string, but then allows the message to pass. By this header the message can be sorted or filtered on the mail server or in the recipient's e-mail program. In addition, the word SPAM is added to the subject line.

For a description of how to create rules in Microsoft Outlook 2000, please see page 252.

The Header

Many of the SMTP proxy functions add headers to the messages they scan. A header informs the recipient about specific characteristics of a message. If you select the Pass action, recipients can configure their e-mail programs to filter messages with high spam scores. The following list contains all possible headers:

X-Spam-Score: This header is added by the Spam Detection module. It contains a score consisting of a numerical value and a run of minus or plus characters. The higher the value, the more likely it is that the message is spam. If you select the Pass action under Spam Protection, recipients can configure their e-mail programs to filter messages with high spam scores.

X-Spam-Flag
98. ail should be proxied.

Security Note: Messages sent from those networks will never be scanned by Spam Detection.

Use Smarthost: If you wish to use an upstream smarthost to deliver messages, enable this function and enter the IP address of the smarthost here. In this case the proxy does not attempt to deliver messages itself but forwards them to the smarthost. The proxy will, however, deliver messages locally to the domains defined in the Incoming Mail window. A Username and Password for the smarthost can optionally be defined.

Encryption/Authentication

The TLS Transaction Encryption function allows you to automatically encrypt incoming and outgoing e-mails at the transport layer. You must first confirm that the remote host supports this function. TLS is used for encryption, not just for authentication. SMTP is generally not encrypted and can easily be read by third parties; the function should therefore be enabled. Note that TLS between mail servers protects only that hop: it does not encrypt the message end to end, and it authenticates the remote server only if that server's certificate is actually verified.

Important Note: Some mail servers, such as Lotus Domino, use non-standard implementations of TLS. While these servers claim to support TLS during connection negotiation, they cannot establish a full TLS session. If TLS is enabled, it will not be possible to send messages to these servers. In such situations, please contact the administrator of the mail server.

If the TLS Transaction Encryption function is activated, you can also use SMTP Authentication. Thi
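An added example (not from the manual or from Astaro): Python that parses the EHLO reply a remote mail server sends and decides, from the advertised extensions and the administrator's policy, whether to send in cleartext, upgrade with STARTTLS, or defer delivery. It encodes the two points above: verify that the remote host offers TLS before relying on it, and, for the Lotus Domino case, treat a failed TLS handshake as a delivery failure rather than silently falling back to cleartext. Sending SMTP AUTH credentials only after TLS is established is my addition. The EHLO replies are constructed, the host names are made up, and the tls_handshake_ok parameter stands in for the outcome of a real TLS negotiation.

```python
# Constructed EHLO replies in the RFC 5321 multi-line format; host names are made up.
EHLO_WITH_TLS = ("250-mail.example.org\r\n"
                 "250-SIZE 10240000\r\n"
                 "250-STARTTLS\r\n"
                 "250-AUTH PLAIN LOGIN\r\n"
                 "250 8BITMIME\r\n")
EHLO_NO_TLS = ("250-legacy.example.net\r\n"
               "250-SIZE 5000000\r\n"
               "250 8BITMIME\r\n")


def parse_ehlo(reply):
    """Return the set of extension keywords from a successful EHLO reply.
    Lines look like '250-KEYWORD params' (more follow) or '250 KEYWORD' (last)."""
    lines = [line for line in reply.replace("\r\n", "\n").split("\n") if line]
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions = set()
    for index, line in enumerate(lines):
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("not a successful EHLO reply line: %r" % (line,))
        if index == 0:
            continue  # the first line carries the server's domain, not an extension
        words = line[4:].split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def delivery_plan(ehlo_reply, require_tls, tls_handshake_ok=True, use_auth=False):
    """Decide how to deliver to the remote host.
    require_tls: the TLS Transaction Encryption policy is switched on.
    tls_handshake_ok: outcome of the STARTTLS negotiation (simulated here).
    use_auth: a username and password for the smarthost are configured."""
    extensions = parse_ehlo(ehlo_reply)
    if "STARTTLS" not in extensions:
        if require_tls:
            return "defer: remote host does not advertise STARTTLS"
        if use_auth:
            return "defer: refusing to send credentials over cleartext"
        return "send in cleartext"
    if not tls_handshake_ok:
        # The remote host claims TLS but cannot complete the session (the Lotus
        # Domino case). Never fall back to cleartext here: that would let anyone
        # who can break the handshake downgrade every delivery.
        return "defer: STARTTLS advertised but the TLS session could not be established"
    if use_auth and "AUTH" not in extensions:
        return "defer: remote host does not offer SMTP AUTH"
    return "send over TLS" + (" with AUTH" if use_auth else "")


if __name__ == "__main__":
    print(sorted(parse_ehlo(EHLO_WITH_TLS)))
    print(delivery_plan(EHLO_WITH_TLS, require_tls=True, use_auth=True))
    print(delivery_plan(EHLO_NO_TLS, require_tls=True))
    print(delivery_plan(EHLO_WITH_TLS, require_tls=True, tls_handshake_ok=False))
```

In a real client the EHLO command is sent again after STARTTLS and the capabilities from that second reply are the ones to act on (many servers only advertise AUTH once the session is encrypted); the example reads a single reply to keep the decision logic visible.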
99. allowed to pass the filter. All other packets are blocked and, depending on the action chosen, displayed in the Packet Filter Live Log. The Packet Filter Live Log is found in the menu Packet Filter/Advanced.

Example: Network A is a subset of network B. Rule 1 allows SMTP traffic destined for network A. Rule 2 blocks SMTP for network B. Result: only SMTP traffic for network A is allowed; SMTP packets for the remaining IP addresses of network B are blocked. (With the two rules in the opposite order, the rule for network B would already match every SMTP packet for network A, and the allowing rule would never fire: rule order decides.)

A packet filter rule is defined by the source address (Source), a service (Service), the destination address (Destination) and a response (Action).

The following values can be chosen as source and target addresses. Please see the corresponding chapters of this manual for a more detailed explanation of how to configure and manage these objects:

- A Network: networks are defined in the Definitions/Networks menu.

- A Network Group: network groups are defined in the Definitions/Networks menu.

- An Interface network: logical networks are defined automatically by the system when configuring a new network card or interface. Interfaces are configured in the Network/Interfaces menu.

- An IPSec Remote Key Object (IPSec User Group): IPSec user groups are defined in the Definitions/Networks menu. This address or port range is required when configuring packet filter rules for IPSec road warrior endpoints.

A newly defined packet filter rule
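As an added example (my code, not the product's own rule engine), the Python below evaluates a packet filter rule list top to bottom with first-match semantics, reproduces the Network A / Network B case from the text, and shows that reversing the two rules changes the result. It also adds a shadowing check that the text does not describe: a rule that can never fire because an earlier rule already covers its source, destination and service is reported, which is how the reversed ordering would be caught before it blocks the traffic you meant to allow. The rule tuple, the service table, the action names allow/drop and the addresses 192.168.10.0/24 and 192.168.0.0/16 are assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "source service destination action")

# Assumed service definitions: protocol and port ('any' matches everything).
SERVICES = {"SMTP": ("tcp", 25), "HTTP": ("tcp", 80), "DNS": ("udp", 53), "ANY": ("any", None)}

# The manual's example: network A is a subset of network B (addresses assumed).
NET_A = "192.168.10.0/24"
NET_B = "192.168.0.0/16"
ANY = "0.0.0.0/0"
RULES = [
    Rule(ANY, "SMTP", NET_A, "allow"),   # rule 1: allow SMTP to network A
    Rule(ANY, "SMTP", NET_B, "drop"),    # rule 2: block SMTP to network B
]


def service_matches(service, proto, port):
    sproto, sport = SERVICES[service]
    return sproto == "any" or (sproto == proto and sport == port)


def first_match(rules, src, dst, proto, port, default="drop"):
    """Walk the rules in order; the first rule whose source, destination and
    service all match decides. Returns (action, index), or (default, None)
    when no rule matches, since packets matching no rule are blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if (s in ipaddress.ip_network(rule.source)
                and d in ipaddress.ip_network(rule.destination)
                and service_matches(rule.service, proto, port)):
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Indices of rules that can never fire: an earlier rule already covers
    their service, source and destination, so first-match never reaches them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_service = (earlier.service == later.service
                              or SERVICES[earlier.service][0] == "any")
            src_covered = ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
            dst_covered = ipaddress.ip_network(later.destination).subnet_of(ipaddress.ip_network(earlier.destination))
            if covers_service and src_covered and dst_covered:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    print(first_match(RULES, "10.1.1.1", "192.168.10.5", "tcp", 25))        # ('allow', 0)
    print(first_match(RULES, "10.1.1.1", "192.168.20.5", "tcp", 25))        # ('drop', 1)
    print(first_match(RULES[::-1], "10.1.1.1", "192.168.10.5", "tcp", 25))  # ('drop', 0)
    print(shadowed_rules(RULES), shadowed_rules(RULES[::-1]))               # [] [1]
```

Running the shadowing check whenever a rule is inserted above an existing one is a cheap way to catch the classic mistake of a broad deny placed above a narrow allow; in the reversed list the allow for network A is reported as index 1, exactly the rule that the text's example relies on.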
100. arios where VPNs can be used.

1. Net-to-Net Connection

(Figure: Office New York and Office Berlin, each behind a firewall, connected across the Internet; legend: encrypted / unencrypted.)

In this scenario, one network communicates with another. Two remote offices can use a VPN tunnel to communicate with each other as though they were on a single network.

This kind of connection can also be used to allow trusted third companies (e.g. consultants and partner firms) access to internal resources.

2. Host-to-Net Connection

(Figure: the laptop of a field representative connected across the Internet to the firewall of Office Berlin; legend: encrypted / unencrypted.)

In this scenario a single computer communicates with a network. Telecommuters can use a VPN to communicate securely with the main office.

3. Host-to-Host Connection

(Figure: two hosts connected across the Internet; legend: encrypted.)

In this scenario one computer communicates with another computer. Two computers can use a VPN tunnel to communicate securely over an untrusted network.

A VPN server is a cost-effective and secure solution for transferring sensitive data, and can replace existing expensive direct connections and private lines.

The IPSec Concept

IP Security (IPSec) is a suite of protocols designed for cryptographically secure communication at the IP layer (layer 3); see a
101. associated object ID (OID). Object ID numbers are designed to be unique across the entire Internet. To manage this, the Internet Assigned Numbers Authority (IANA) has been charged with assigning OID prefixes to organizations. For example, the OID prefix for Astaro AG is 1.3.6.1.4.1.9789.

If your organization does not yet have an official OID space, you can request an OID prefix from IANA at www.iana.org. Once you have an OID space, you should consider how best to use it to describe your network structure. Remember that each user attribute requires a unique OID.

In order to configure user attributes, the Microsoft Management Console must be used to modify the Active Directory Schema. To do this, you must first mark the schema as editable. Schema changes apply to the whole forest and are effectively permanent: an attribute can later be deactivated but not removed, so settle the attribute names and OIDs before creating them.

Step 1: Enable Editing of the Active Directory Schema

1. In the Microsoft Management Console, right-click Active Directory Schema.

2. Click Operations Master with the left mouse button. The Change Schema Master window opens.

3. Check the option The Schema may be modified on this Domain Controller.

4. Save your changes by clicking OK.

The Active Directory Schema can now be edited.

Step 2: Add New Attributes

1. Under Active Directory Schema, right-click Attributes.

2. Click New with the left mouse button.

3. In the Create New Attribute window, define the new attribute:

Common Name: Enter a CN for this attribute.

LDAP Display
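An added example in Python (not Microsoft's or Astaro's code): helpers that validate an object identifier, check that a candidate attribute OID lies under the organization's registered prefix (the Astaro prefix 1.3.6.1.4.1.9789 from the text serves as the sample), allocate the next unused OID below a chosen sub-arc so that every attribute gets a unique one, and, going one step beyond the text, produce the DER encoding of an OID, which is the form it takes inside certificates and LDAP protocol messages. The sub-arc numbers and the list of already-used OIDs are made up for the example.

```python
import re

OID_RE = re.compile(r"^\d+(?:\.\d+)*$")
ASTARO_PREFIX = "1.3.6.1.4.1.9789"   # from the manual; everything below it is made up

# Constructed list of attribute OIDs already assigned in this schema.
EXISTING_OIDS = ["1.3.6.1.4.1.9789.2.1", "1.3.6.1.4.1.9789.2.2", "1.3.6.1.4.1.9789.3.1"]


def parse_oid(oid):
    """Dotted OID string -> list of integer arcs, applying the ASN.1 root rules:
    first arc 0, 1 or 2; second arc at most 39 when the first is 0 or 1."""
    if not OID_RE.match(oid):
        raise ValueError("malformed OID: %r" % (oid,))
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid root arcs: %r" % (oid,))
    return arcs


def under_prefix(oid, prefix):
    """True when oid lies strictly below prefix in the OID tree."""
    p, o = parse_oid(prefix), parse_oid(oid)
    return len(o) > len(p) and o[:len(p)] == p


def allocate_attribute_oid(existing, prefix, subarc):
    """Next unused OID directly below prefix.subarc (lowest free number >= 1),
    so each new attribute is unique among the OIDs already in the schema."""
    base = parse_oid(prefix) + [subarc]
    used = set()
    for oid in existing:
        arcs = parse_oid(oid)
        if len(arcs) == len(base) + 1 and arcs[:len(base)] == base:
            used.add(arcs[-1])
    n = 1
    while n in used:
        n += 1
    return ".".join(str(a) for a in base + [n])


def encode_oid_der(oid):
    """DER encoding (tag 0x06, length, content). The first two arcs share one
    byte (40*a1 + a2); every later arc is base-128 with continuation bits.
    Short-form length only, which covers any OID up to 127 content bytes."""
    arcs = parse_oid(oid)
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        content.extend(reversed(chunk))
    if len(content) > 127:
        raise ValueError("long-form length not implemented")
    return bytes([0x06, len(content)]) + bytes(content)


if __name__ == "__main__":
    new_oid = allocate_attribute_oid(EXISTING_OIDS, ASTARO_PREFIX, 2)
    print(new_oid, under_prefix(new_oid, ASTARO_PREFIX))
    print(encode_oid_der(ASTARO_PREFIX).hex())
```

Keeping an inventory like EXISTING_OIDS under version control and allocating from it is the practical way to honour the "each attribute needs a unique OID" rule, because the schema itself will happily accept a duplicate number under a different name and the collision only surfaces later in LDAP clients.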
102. ated into multiple smaller network segments at the Ethernet level (layer 2). This can be useful, for instance, when security considerations require that certain clients only be allowed to communicate with certain other ones. In large networks, this can also be useful to connect physically separate clients to the same logical network segment.

A VLAN-capable switch can assign ports to distinct groups. For example, a 20-port switch could assign ports 1 through 10 to VLAN 1 and ports 11 through 20 to VLAN 2. With such a configuration, a computer on port 1 would not be able to communicate with a computer on port 11. The technology essentially allows one physical switch to be divided into two logical ones.

In order to connect the security system to the virtual LANs, the system requires a network card with a tag-capable driver. A tag is a 4-byte header inserted into the Ethernet header of each packet. The tag contains the number of the VLAN that the packet belongs to; the VLAN number is a 12-bit field (4096 values, of which 0 and 4095 are reserved, leaving up to 4094 usable virtual LANs). The WebAdmin tool refers to this number as the VLAN Tag.

Tagged packets are only used to communicate between the VLAN-compatible switch and the security system; the other computers on the network do not need tag-compatible network cards. The port on the switch
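The tag described above, as an added example (my code, not Astaro's driver): Python that builds and parses an IEEE 802.1Q tag with struct, showing the four bytes (a 16-bit TPID of 0x8100 followed by a 16-bit TCI holding a 3-bit priority, a 1-bit DEI and the 12-bit VLAN ID), the insertion point after the source MAC address, and the valid VLAN ID range. The accept_tagged function models what the security system's tagged interface should do with a frame whose VLAN ID it has not been configured for. The MAC addresses and payload bytes are constructed.

```python
import struct

TPID_8021Q = 0x8100


def valid_vlan_id(vid):
    """12-bit field, but 0 (priority-tagged, no VLAN) and 4095 are reserved."""
    return 1 <= vid <= 4094


def build_tag(vlan_id, priority=0, dei=0):
    """4-byte 802.1Q tag: TPID 0x8100 + TCI (PCP:3 | DEI:1 | VID:12)."""
    if not valid_vlan_id(vlan_id):
        raise ValueError("VLAN ID must be 1..4094, got %d" % vlan_id)
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("priority must be 0..7 and DEI 0 or 1")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(dst_mac, src_mac, ethertype, payload, vlan_id, priority=0):
    """Insert the tag between the source MAC and the EtherType, as a
    tag-capable driver does on the way to the switch."""
    return dst_mac + src_mac + build_tag(vlan_id, priority) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id, priority, ethertype, payload);
    vlan_id and priority are None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    (tci,) = struct.unpack("!H", frame[14:16])
    (inner_type,) = struct.unpack("!H", frame[16:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def accept_tagged(frame, configured_vids):
    """Policy for a tagged interface: only frames carrying one of the VLAN IDs
    configured in WebAdmin are accepted; untagged frames and other VIDs are
    dropped. Returns (accepted, vlan_id)."""
    _, _, vid, _, _, _ = parse_frame(frame)
    return (vid is not None and vid in configured_vids), vid


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    frame = tag_frame(dst, src, 0x0800, b"\x45\x00\x00\x14", vlan_id=100, priority=5)
    print(frame[12:16].hex())        # 8100a064
    print(parse_frame(frame)[2:5])   # (100, 5, 2048)
    print(accept_tagged(frame, {100, 200}), accept_tagged(frame, {200}))
```

The separation the text describes holds only as long as the switch enforces it: a host plugged into a trunk port with a tag-capable driver of its own can emit frames carrying any VLAN ID, so end-station ports should stay untagged access ports and only the port facing the security system should carry tags.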
103. ates will appear in the Unapplied Up2Dates window with the version number and the file name. Further information is available by clicking the Info button. Note that the Unapplied Up2Dates in the table have not yet been installed.

If you are using the HA system, unapplied updates are listed in the Unapplied Up2Dates Master window.

5. Repeat steps 2 through 4 until all Up2Date packages have been imported.

Installing System Up2Dates without the HA Solution

1. Open the Up2Date Service menu in the System tab.

2. In the Unapplied Up2Dates table, choose the Up2Date updates to install.

Note: If more than one System Up2Date file is listed in the table, start the highest version. The smaller versions are installed automatically.

3. In the Actions column, click Install. The progress of the Up2Date installation on system 1 is displayed in real time in the Log Window. When the DONE message appears, the process has completed successfully.

Installing System Up2Dates with the HA Solution

1. Open the Up2Date Service menu in the System tab.

2. In the Unapplied Up2Dates Master table, choose the Up2Date updates to install.

Note: If more than one System Up2Date file is listed, start with the smallest version. Only one package at a time can be installed with the HA system.

4. In the Actions column, click Install.

The progress of the Up2Date installation on system 1 w
104. ation  71
5.1.7.1  RADIUS  72
5.1.7.2  SAM (NT/2000/XP)  76
5.1.7.3  LDAP Server  78
5.1.8  WebAdmin Settings  91
5.1.9  WebAdmin Site Certificate  94
5.1.10  High Availability  97
5.1.11  Shut down/Restart  102
5.2  Networks and Services (Definitions)  103
5.2.1  Networks  103
5.2.2  Services  110
5.2.3  Users  114
5.3  Network Settings (Network)  118
5.3.1  Hostname/DynDNS  118
5.3.2  Interfaces  119
5.3.2.1  Standard Ethernet Interface  124
5.3.2.2  Additional Address on Ethernet Interface  128
5.3.2.3  Wireless LAN  130
5.3.2.4  Virtual LAN
105. ation method. If you have defined a RADIUS server in the System/User Authentication menu, you can use it here as well. The configuration of the Microsoft IAS RADIUS server and the configuration of RADIUS within WebAdmin are described in chapter 5.1.7 on page 71.

Debugging: This function allows you to check the L2TP over IPSec connection. Detailed information is logged to the IPSec logs. These logs can be displayed in real time in the Local Logs/Browse menu or downloaded to your local computer. Further information about the Local Logs menu can be found in chapter 5.9 on page 307.

L2TP over IPSec IP Pool

This menu is used to define which IP addresses L2TP over IPSec hosts are assigned. By default, a network from the private IP range 10.x.x.x is selected when the L2TP over IPSec function is enabled for the first time. This network is referred to as the IPSec Pool and can also be used for all other functions of the security system that use network definitions. If you wish to use a different network, simply change the definition of the IPSec Pool, or assign another defined network as the IPSec Pool here.

Note: If you use private IP addresses for your IPSec Pool, such as the pre-defined network, and you wish IPSec hosts to be allowed to access the Internet, appropriate Masque
106. ation PC

- Correct configuration of the Default Gateway, IP Address and Subnet Mask.

- An HTTPS-compliant browser (Microsoft Internet Explorer 5.0 or newer, Netscape Communicator 6.1 or newer, or Mozilla 1.6). JavaScript and Cascading Style Sheets must be activated.

- In the browser configuration, no proxies should be configured for the IP address of the eth0 interface on the firewall.

Example Configuration

(Figure: the security system sits between the external network and the internal network, with the Web, FTP and E-Mail servers on the internal side; network card 1 is eth0, network card 2 is eth1, network card 3 is eth2.) As in the diagram, the security system should be the only link between the internal and external networks.

Address Table

Interface                                  IP Address   Network Mask   Default Gateway
Internal network interface
External network interface
Network interface (1)
Network interface for the HA system (2)

1. The third and further network cards are optional.
2. Network interface for the High Availability system.

3.2 Installation Instructions

What follows is a step-by-step guide to the installation process.

Attention: The installation process destroys all existing data on the hard disk.

Preparation: Before installation, please make sure you have the following items ready:

- The security system CD-ROM

- The Address Table, with all IP addresses, netmasks and Defaul
107. be changed.

WebAdmin user (access to WebAdmin): This user is called admin.

Shell Login user (access to SSH): This user is called loginuser.

Shell Administrator user (administrator privileges in the entire security system): This user is called root.

Security Note: Use different passwords for the Shell Login and Shell Administrator users.

Astaro Configuration Manager user (optional): You need this password if you wish to configure the security system with the Astaro Configuration Manager.

Boot Manager (optional): If set, this password prevents unauthorized users from changing boot-time parameters. Without it, anyone with access to the console can alter the boot parameters and so bypass the system's access controls.

Confirm the entered passwords by clicking Save.

Log in to WebAdmin: User: admin. Password: the password of the WebAdmin user. Please note that passwords are case-sensitive. Click Login.

Note: Please follow steps 5 through 15 in the order listed below.

Configure Basic Settings: In the System tab, open the Settings menu and enter the following setting:

Administrator E-Mail Addresses: Enter the e-mail address of the administrator here. You can find further information about these functions in chapter 5.1.1 on page 44.

In the Network tab, open the Hostname/DynDNS menu and enter the following settings in the General System Settings window:

Hostname: Enter the hostname for this security system. A domain name may contain alphanumeric characters, periods and hyphens. The end of the name must be a valid top-lev
108. be used as the Local PSK Key as well.

5.7.4 Remote Keys

IPSec remote key objects are defined in the Remote Keys menu. An IPSec Remote Key Object represents an IPSec peer. This peer can be a security gateway, a host, or a road warrior with a dynamic IP address.

An IPSec remote key object is defined by three parameters:

- The IKE authentication method (PSK, RSA or X.509).

- The IPSec ID of the remote endpoint (IP address, hostname, e-mail address or certificate).

- The authentication data (shared secret for PSK, public key for RSA, X.509 certificate).

Every IPSec remote endpoint must have an associated IPSec remote key object defined.

Defining IPSec Remote Keys

1. Under the IPSec VPN tab, open the Remote Keys menu. The New Remote IPSec Key window is displayed immediately.

2. In the Name field, enter a name for the new Remote Key. If you wish to use the IPSec Remote Key for a standard connection, continue with step 3.

Virtual IP Key (optional): This function allows you to assign a virtual IP address to the road warrior. This is the only way to manually set IP addresses for such connections. If you enter an IP address here, it must also be configured on the road warrior system.
109. ber into the Protocol Number entry field.

Comment: You can enter a service description in this entry field.

Save the service by clicking on the Add Definition button. After successful definition, the new service appears in the service table.

Defining Service Groups

1. Under the Definitions tab, open the Services menu.

2. Click on the New Definition button. The entry window opens. Make the following settings:

Name: Enter a unique service group name in the entry field. This name will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.

Type: Select Service Group from the drop-down menu.

Initial Members: In the selection field, select the services by holding down the Ctrl key and clicking the names with the mouse.

3. Save the service group by clicking on the Add Definition button. After successful definition, the new service group appears in the service table.

Filters

The Filters function allows you to filter services with specific attributes out of the table. This considerably simplifies the management of networks with many services, as services of a certain type can be presented concisely.

Filtering services:

1. Click on the Filters button. The entry window opens.

En
110. cate with the remote host. Please note that both IPSec nodes must support NAT traversal and that road warrior nodes must be configured with a virtual IP address. In addition, IPSec passthrough must be turned off on the NAT device(s), as it can break NAT traversal.

You cannot use local IP addresses for the Virtual IP address, because the security system does not answer ARP requests for these.

Important Note

Copy TOS Flag: The Type of Service (TOS) field in the IP header contains a group of four bits which allow the sending application to tell the network which type of service quality it needs. The available service quality classes are: minimum delay, maximum throughput, maximum reliability and minimum cost.

This function copies the content of the Type of Service field of the original packet into the encrypted (outer) packet, so that the IPSec traffic can be routed according to its priority. Be aware that the copied bits reveal the traffic class of the encrypted payload to anyone observing the path.

Enable the Copy TOS Flag function by clicking on the Enable button.

Send ICMP Messages: If a data packet exceeds the configured MTU value, the system sends an ICMP message (Destination unreachable: fragmentation needed) to the source address. This allows Path MTU Discovery to work.

Automatic CRL Fetching: There might be situations in which the issuer of a certificate needs to withdraw the trust granted to certificates that are still within their validity period, for example if it ha
111. 140
5.3.2.5  PPPoE DSL Connection  145
5.3.2.6  PPTPoE/PPPoA DSL Connections  150
5.3.3  Routing  155
5.3.4  NAT/Masquerading  157
5.3.4.1  NAT  157
5.3.4.2  Masquerading  161
5.3.4.3  Load Balancing  163
5.3.5  DHCP Server  165
5.3.6  PPTP VPN  169
5.3.7  Accounting  175
5.3.8  Ping Check  177

5.4  Intrusion Protection  179
5.4.1  Settings  179
5.4.2  Rules  182
5.4.3  Advanced  186
5.5  Packet Filter  188
5.5.1  [title not recoverable]  188
5.5.2  ICMP
5.5.3  5.6  5.6.1  5.6.2  5.6.3  5.6.4  5.6.5  5.6.6  5.6.6.1  5.6.6.2  5.6.7  5.7  5.7.1  5.7.2  5.7.3  5.7.4  5.7.5  5.7.6  5.7.7
ce messages: The activities of the Up2Date Service are recorded to these log files. This also comprises the System Up2Date and Pattern Up2Date processes.

Uplink Failover messages: The activities of the configured failovers are recorded to these log files.

WebAdmin usage: The use of the WebAdmin configuration tool is recorded to these log files. The logs contain the configuration changes implemented by the configuration tool and also the log-in and log-out processes.

5.9.3.2 Error Codes

The following is a list of all error, warning, and information codes with their meanings.

INFO
000 System was restarted: System was restarted.
010 Backup file: A system backup file was generated automatically and sent via e-mail to the Administrator.
105 Astaro User Authenticator (AUA) not running - restarted
106 Cron Task Scheduler not running - restarted
107 WebAdmin webserver not running - restarted
108 ssh server not running - restarted
109 license server not running - restarted
110 configuration database server not running - restarted
111 syslog server not running - restarted
112 middleware not running - restarted
150 Root partition mounted at / is filling up - please check
151 tmpfs partition mounted at /opt/tmpfs is filling up - please check
152 secure application partition mounted at /var/sec is filling up
153, 154, 155, 300, 302, 303, 320, 321, 322
ch of these approaches has advantages and disadvantages which must be balanced according to cost and security requirements.

[Figure: a VPN client for remote access connecting over the Internet to the Firewall, behind which the servers are located]

Virtual Private Networks (VPN) provide a cost-effective solution to this problem: they can connect LANs over the Internet using encrypted connections, thus enabling secure, transparent, end-to-end communication without the need for leased lines. This is especially useful when an organization has many branch offices connected to the Internet. IPSec technology provides a standard model for these secure connections.

These secure connections can be used automatically, independent of the data being transferred; this protects the data without requiring extra configuration or passwords on the client systems.

[Figure: ISO/OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) beside the TCP/IP levels: Application, Transmission (TCP, UDP), Internet (IP, ICMP) and Network (Ethernet)]

At the other end of the connection, the data is transparently decoded and forwarded to the recipient in its original form.

The Firewall component of this security system is a hybrid of the preceding protection mechanisms, combining the advantages of each. The Stateful Inspection Packet Filter
connection time. The DSL Network guidebook is available at http://docs.astaro.org.

Configuring PPP over Ethernet (PPPoE DSL):
1. In the Network tab, open the Interfaces menu.
2. Click on the New button. The Add Interface window will open.
3. In the Name entry field, enter a descriptive name for the interface.
4. Use the Hardware drop-down menu to select a network card.
Tip: For an external connection (e.g. to the Internet), choose the card with Sys ID eth1.
You cannot choose a network card that has already been configured with a primary network address.
5. Use the Type drop-down menu to select the PPP over Ethernet (PPPoE DSL) connection interface type.
6. You will need the connection settings provided by your ISP to configure the following settings:
Address: If you have not been assigned a static IP address by your provider, keep the default Assigned by remote setting here. If you have a static IP address, choose Static from the drop-down menu and enter the address in the entry field.
Default Gateway: You should probably keep the default setting Assigned by remote. Other possible values are Static and None.
Username: Enter the username provided by your ISP.
Password: Enter the password provided by your ISP.
Uplink Failover on Interface: This function will only be displayed if Assign by DHCP or Static is selected in the Default Gateway drop-down menu.
You
correctly report that the connection has been established.
Authentication: Use the drop-down menu to select a service.
Now define which IP addresses should be assigned to the hosts when connecting. In the PPTP IP Pool window, use the Network drop-down menu to select a network. The chosen network will be used immediately. The PPTP Pool network is selected by default. The IP address, network mask, and number of free addresses will appear below the drop-down box. Users will be assigned an address from this range automatically.
In the PPTP Client Parameters window, DNS and WINS servers for PPTP clients can be defined. Two servers may be defined for each.
Client DNS servers: Enter the IP addresses of the DNS servers to use.
Client WINS Servers: Enter the IP addresses of the Windows name servers to use.
Client domain: Enter the DNS domain that the client should append to DNS requests.
6. Save your configuration by clicking Save.

The rest of the configuration takes place on the user's machine. This will require the IP address of the server, as well as a valid username and password. These should be supplied by the security system administrator.
1. In Microsoft Windows 2000, open the Start > Settings > Network and Dialup Connections menu.
2. Click the Make New Connection icon. The Network Connection Wizard will open. Then click on the Next button.
3. Select the following option: Connect to a private
cture (at right). This can help to navigate quickly between pages.

The second row contains tools to control the display of the list. Note that these do not change the configuration information, but rather the way in which these entries are displayed within WebAdmin. In cases where order is important, only the order indicated by the numbers next to entries has an effect on the configuration of the function. The two buttons in the left-hand column display the list in ascending and descending numerical order respectively, while the two buttons in the middle column display the list in ascending or descending alphabetical order.

The functional order, as indicated by the numbers to the left of each entry, can be adjusted using the buttons in the right-hand column. A click on the up or down button in this column will move the entry one row up (i.e. towards 1) or down (towards the end of the list) respectively. Similarly, you can move an entry to the very beginning or end of the list by clicking the corresponding buttons in this column.

Add entry: Type a value in the text entry field and click Add. The new value will appear in the last row of the table.
Delete entry: By double-clicking an entry, you can remove it from the list.
Edit entry: If you click an entry once, it will appear in the entry field. Edit the entry as desired and click the Replace button to put it back into the list.

4.4 Online Help

Ev
d, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message.
Pass: The e-mail will be treated by the filter, but allowed to pass. A header will be added to the e-mail, by which it can be sorted or filtered on the mail server or in the e-mail programs of the recipient.
For a description of how to create rules in Microsoft Outlook 2000, please see page 252.
Extensions: Enter the file extensions (e.g. exe) that the firewall should filter.
The function of the Control List is identical to the Ordered List and is described in chapter 4.3.4 on page 39.

Virus Protection

The Virus Protection function allows you to check e-mails and attachments for dangerous contents such as viruses, Trojan horses, and so on. The results of the scan are inserted into a header of the message.
If the Virus Protection discovers an infected e-mail, the message will be filtered by the firewall. The further handling will be according to the setting configured in the Action drop-down menu.
Action: This drop-down menu allows you to select the action the proxy should take upon finding a message with a filtered string. The following actions are possible:
• Reject: The message will be bounced back to the sender with a 5xx error message. The bounce message sent to the sender will also contain an explanati
d reports will have no data for the skipped hour. In most graphs, this time period will appear as a straight line at the level of the old value.
• Accounting reports will contain values of 0 for all variables during this time.

Moving backward (e.g. daylight saving time to standard time):
• There are already log data for the corresponding span of time in the time-based reports that, for system purposes, come from the future. These data will not be overwritten.
• Log data will be written as normal when the time point before the reset is reached again.
• Most diagrams will display the values recorded during this period as compressed.
• Accounting reports will retain the values recorded from the "future". Once the time point of the reset is reached again, the accounting files will be written again as normal.

Because of these difficulties, we recommend that the time be set only during the first configuration, and that only minor adjustments be made later. We recommend setting the system clock to Central European Time (CET). This is the original time. The system then always runs in CET, not in CEST (Central European Summer Time). We recommend not changing the time for summer, especially not while the collected reporting and accounting data are being processed.

Manual configuration of system time:
1. Open the Settings menu in the System tab.
2. In the Time Settings window make the following settings in the
ddress (host) on the IP level. Please note that these tools require that the ICMP on firewall option under the Packet Filter > ICMP menu be enabled. Ping sends an ICMP Echo Packet to the remote machine. When this packet is received by the remote machine, its TCP/IP stack will generate an ICMP Reply Packet and send it back. This allows you to test IP-level connectivity with the remote machine.

Ping Check also allows you to check the connection with a host by entering the DNS hostname. In order to do that, DNS Proxy must be enabled in the Proxies > DNS menu.

Note:
• Ping will not work unless ICMP on firewall (in the Packet Filter > ICMP menu) is activated.
• Name Resolution will not work unless DNS Proxy (in the Proxies > DNS menu) is activated.

Using Ping:
1. Under the Network tab, open the Ping Check menu.
2. Use the Ping Host drop-down menu to select a network card. If this is an interface with a host configured in one of the menus Interfaces or Networks, you can select it directly from the drop-down menu. Example: Internal (Address) for the internal network card on the security system. For another host in the network, select the setting Custom Hostname/IP Address from the drop-down menu.
3. In the Hostname / IP Address entry field, enter the IP address or hostname.
4. Click Start to begin the test connection.

5.4 Intrusion Protection

The Intrusi
de to use.
Note again that some modes require client-side configuration. The modes are described in the chapter "Operation Modes".
Having set the Standard or Transparent mode, continue with step 5.
If you have selected the User Authentication mode in the Operation mode drop-down menu, define the method of user authentication to use here.
Authentication Methods: Only those authentication methods that you have configured in the Settings > User Authentication menu are available here.
If you have configured the Local Users method, use the Allowed users selection menu to choose users allowed to use the proxy. Local users are defined in the Definitions > Users menu.
5. In the Log level drop-down menu, choose the appropriate level of logging.
Full: All relevant information is recorded.
Access Log only: The log only records access information, for example the URL accessed and the username/IP address of the client.
None: No information about the proxy use is recorded.
6. The Anonymity drop-down menu allows you to choose how much information about the client is passed on to the remote server in HTTP Request Headers.
Standard: The following headers are blocked: Accept-Encoding, From, Referrer, Server, WWW-Authenticate and Link.
None: Client headers are not changed at all.
Paranoid: All headers except those listed below are blocked. Additionally, the "User-Agent" field will be changed so that no information about
dentical to the ordered list, and is described in chapter 4.3.4 on page 39.
Confirm these settings by clicking Add.
The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).
Enable the interface by clicking the status light.
The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

Configuring a Wireless LAN Station:
1. In the Network tab, open the Interfaces menu.
2. Click on the New button. The Add Interface window will open.
3. In the Name entry field, enter a descriptive name for the interface.
4. Use the Hardware drop-down menu to select the Wireless LAN network card.
5. Use the Type drop-down menu to select the Wireless LAN Station interface type.
6. Fill in the required settings for the Wireless LAN Station:
Address: Assign an IP address for the station. If you wish to use a static IP address for this interface, select Static from the drop-down menu and enter the address to use in the entry field. If you wish to have a gateway dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.
Netmask: If you wish to use a staticall
e (Active or in the Passive mode) are recorded to the Packet Filter log file with the annotation FTP_DATA.
The log files are administered in the Local Logs > Browse menu.

Packet Filter Live Log: The Packet Filter Live Log monitors the packet filter and NAT rules in place on the security system. The window provides a real-time display of packets intercepted by the packet filter. This is especially useful in troubleshooting and debugging packet filter rules. If, after the security system starts, a networked application (such as online banking) is not accessible, the Packet Filter Live Log can help you reconstruct which packets are being blocked by the packet filter.

Connection Tracking Table: The Current Packet Filter rules and Current NAT rules editing fields show all current rules in place in the firewall kernel.

[Screenshot of the Packet Filter Live Log; the visible rows read:]
Time      Action   IP Address     Port      IP Address      Port
13:25:52  ACCEPT   10.113.113.5   1157  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1158  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1159  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1160  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1161  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1162  >   192.168.5.217   443
13:25:53  ACCEPT   10.113.113.5   1163  >   192.168.5.217   443
13:25:54  ACCEPT   10.1
e (Intrusion Prevention). Clicking on the icon switches the application of the IPS rules in this group.
Clicking on the folder icon opens the sub-tab with all protocols of this group. By clicking again on the icon, you will get back to the overview. The additional functions in the sub-tab are described in the "IPS Rules Sub-tab" section.

Group: The name of the IPS group of rules is displayed in this column. The groups are put in alphabetical order according to this name. Clicking in the header automatically displays the groups in decreasing or increasing alphabetical order.
Hits: This column displays how often a rule from the group became active.
Info: This column provides short information on this IPS rule group.

The IPS Rule Sub-tab

All IPS rules of a group are listed in this sub-tab. The sub-group can be opened in the overview by clicking on the folder icon.

[Screenshot of the Intrusion Protection overview and the dns sub-tab. Groups shown: ddos (Rules for Distributed Denial of Service), dns (Rules for DNS protocol), dos (Denial of Service attacks), exploit (Well-known exploits of specific software). Rules shown in the dns sub-tab: "DNS EXPLOIT named overflow ADMROCKS" (ID 260), "DNS EXPLOIT x86 Linux overflow attempt" (ID 262), "DNS Zone transfer TCP" (ID 255)]
e internal or DMZ servers available to the outside network for specific services.

[Figure: an external user (5.4.3.2) sends a request to the firewall's external address 1.1.1.1, port 88; using DNAT the firewall forwards it to the web server in the DMZ (10.10.10.99, port 80)]

Example: An external user (see graphic on left) with the IP address 5.4.3.2 sends a request from port 1111 to the web server in the DMZ. The user knows only the external IP and port (1.1.1.1, port 88). Using DNAT, the firewall changes the destination address of the request to the internal address of the web server (10.10.10.99, port 80) and sends it to the web server. The web server then responds using its own internal IP address (10.10.10.99) and sends the reply back to the user. The firewall recognizes the packet from the user's address and changes the source address of the reply from the web server's address to its own external address (1.1.1.1, port 88).

Another advanced protection mechanism supported by this system is VPN technology. To meet the demands of modern business, IT infrastructures must offer real-time communication and allow close cooperation between business partners, consultants, and branch offices. Increasingly, these demands are being met through the use of extranets, which usually operate either
• via dedicated lines, or
• unencrypted over the Internet.
Ea
e ID. This ID is contained in the header of the message, and is used by the system to identify messages in the log files. The ID will be displayed when you touch the entry in the Type field with the mouse.
Type: Proxy Content Manager distinguishes between the POP3 and SMTP types of filtered e-mail. If you touch the entry with the mouse, the Mail ID will be displayed. Clicking on the entry opens a window with the content of the message. Thus you can safely read important messages. Messages of a length of up to 500 lines will be displayed completely.
Age: This column displays the age of an e-mail, i.e. the period of time since the e-mail arrived at the Internet security system.
Status: The states of the e-mails are displayed in the Proxy Content Manager through symbols.
• deferred: The e-mail will be sent to the intended recipient. Normally, messages of this type are forwarded soon after the proxy receives them. If, however, temporary problems delivering the message are encountered, it may remain in the queue with this status for a short while. Such messages will be delivered as soon as the destination host can be contacted.
• Quarantined: The e-mail will be quarantined due to the Quarantine configuration of one of the Content Filter Modules. Unwanted or dangerous content such as a virus has been discovered in the message. Such messages will remain in the table until an administrator
e Internet addresses one beneath the other into the entry field (e.g. www.astaro.org). Comments must be identified with a comment sign at the beginning of each line. Save your changes by clicking on the Save button. To keep an entry, click Cancel.

URL Blacklist: This is an additional function of the Surf Protection Categories. With this access control list you can forbid access to specific websites whose content doesn't match the subjects in the Surf Protection Categories. Open the access control list by clicking on the field with the entry (e.g. 0 entries). Enter the Internet addresses one beneath the other. Comments must be identified with a comment sign at the beginning of each line. Save your changes by clicking on the Save button. To keep an entry, click Cancel.

Surf Protection Categories: In this field, choose the kinds of websites to which access should not be allowed. Open the access control list by clicking on the field with the entry (e.g. 0 entries). The Surf Protection option contains 17 defined Surf Protection Categories. Those 17 categories are administered and edited in the same table. The administration of the Surf Protection Categories is described on page 216.

Embedded Object Filter: This function deletes embedded objects such as ActiveX, Flash or Java from the incoming HTTP traffic.

Security Note: Enable this function only if high securi
e can also be defined as the last step in creating the policy.
Key Exchange: Only IKE is supported.
In the ISAKMP (IKE) Settings window, configure the settings for IKE:
IKE Mode: The IKE mode is used to support key exchange. At the moment, only the Main Mode is supported.
Encryption Algorithm: The encryption algorithm is the algorithm used to encrypt IKE connections. The IPSec VPN function of this security system supports 1DES 56bit, 3DES 168bit, AES (Rijndael) 128bit, AES (Rijndael) 192bit, AES (Rijndael) 256bit, Blowfish, Serpent 128bit and Twofish.
Authentication Algorithm: The hashing algorithm ensures the integrity of the IKE messages. The MD5 128bit, SHA1 160bit, SHA2 256bit and SHA2 512bit algorithms are supported. The algorithm used is determined by the remote endpoint of the IPSec connection.
Important Note: The SHA2 256bit and SHA2 512bit algorithms require a great deal of system resources.
IKE DH Group: The IKE group (Diffie-Hellman group) describes the kind of asymmetric encryption used during key exchange. The IPSec VPN system on this security system supports the Group 1 (MODP 768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. The group used is determined by the remote endpoint.
SA lifetime (secs): This option allows you to set the lifetime of IKE sessions in seconds. This is set by default to 7800 seconds (2 h 10 min).
e following settings.
A description of how to use the selection field tool can be found in chapter 4.3.2 on page 36.
Allowed Networks: Here you can select the networks and hosts that should be allowed to use the proxy.
All settings take effect immediately and will be saved if you leave this menu.

SOCKS Proxy with User Authentication:
If you have enabled the User Authentication function, proxy users must use a username and password to log into the SOCKS proxy. Because only SOCKSv5 supports User Authentication, SOCKSv4 is automatically disabled.
The Authentication Methods selection menu allows you to select the user authentication method to be used. Only those authentication methods you have configured in the Settings > User Authentication menu are available here. If you choose to use the Local Users method, you can select which local users may access the SOCKS Proxy. Local Users are managed in the Definitions > Users menu.

5.6.4 POP3

[Screenshot of the Transparent POP3 Proxy settings: Status (Enable/Disable), Proxied Source Networks, Destination]

POP3 stands for Post Office Protocol 3. This is a protocol which allows the retrieval of e-mails from a mail server. POP3 is the logical opposite of SMTP. SMTP stands for Simple Mail Transfer Protocol. This protocol is used to deliver e-mails to a mail server.
e system encounters another problem delivering it, the message will return to its previous status.
Download as zip file: The chosen e-mails are packed into a zip file and then saved to the selected local host.

Global Actions

In order to save disk space on the security system, you can use this option to delete all messages of a certain type. E-mails being sent or forwarded while the system is deleting messages will not be affected. From the Please select drop-down menu, select the type and start the action by clicking on the Start button.
If you wish to refresh the SMTP/POP3 Proxy Content table, select the Refresh proxy content table action from the Please select drop-down menu.
Attention: Messages of the selected type will be deleted without further confirmation.

Filters

The Filters function allows you to filter e-mails with specific attributes from the table. The function facilitates the management of huge networks, since the protocols of a specific type can be presented in a concise way.
Filtering e-mails:
1. Click on the Filters button. The entry window will open.
2. Enter the filter attributes in the following fields. Not all attributes have to be defined.
Type: If you wish to filter e-mails of a specific type, select them from the drop-down menu.
Status: If you wish to filter e-mails of a specific status, select them from the drop-down menu.
Content
e wireless LAN can coexist in the same physical space provided that they have different names or use separate channels. The name of a network can be chosen freely; the only requirement is that it not contain any space characters. If you are configuring a Wireless LAN Station interface to connect to an already existing wireless network, this must be the name of that network. The name can be up to 32 characters long.
• Channel: This system must be manually configured with the radio channel to use. If other wireless networks are in the area, you should choose an unused channel for your network. Please also note that only certain channels may be used in certain countries:
[Table of permitted channels for USA & Canada, Spain, Europe (ETSI), France and Japan; the values legible on the page are 10 to 11 and 1 to 13]
• WEP: In order to use WEP encryption, you will need at least one WEP key; up to four can be used. You can choose between 40-bit and 104-bit keys. A 40-bit key requires 5 hexadecimal numbers, while a 104-bit key requires 13 numbers. Please note that a hexadecimal number is two characters, each either a number (0-9) or a letter (A-F). Example of a 40-bit key: 17 A5 6B 45 23
• Access Mode (only for Wireless LAN Access Point mode): If you wish to use the MAC address filter, you must compile a list of the MAC addresses which are explicitly allowed to connect to the network (positive filter) or which are explicitly not allowed to (negative filter).
How to determine the
echanisms.

[Screenshot: URL Whitelist and URL Blacklist fields, each showing 0 entries]

Those protection mechanisms are:
• Virus Protection (VP)
• Embedded Object Filter
• Script Content Filter
This Surf Protection option can only be configured when the HTTP proxy is enabled.

Surf Protection Categories

[Screenshot of the Surf Protection Categories table, e.g. Community_Education_Religion (Cities/Countries/Regions, Upbringing/Education), Criminal_Activities (Illegal Activities, Drugs), Entertainment_Culture (Art/Museums, Humor), Extremistic_Sites (Extreme), Finance_Investing (Brokerage/Stock Exchange), Games_Gambles (Computer Games)]

The Surf Protection option contains 17 defined Surf Protection Categories. The categories are based on the URL data base from Cobion Security Technologies and can be edited in this table.

Editing Surf Protection Categories:
1. Enable this option by clicking the Enable button in the Surf Protection (Content Filter) window. The status light will show green and an advanced entry window will open.
2. Click the Show/Hide button to open the table with the categories. The name of the category is displayed in the Name field. This name will be selected later from the Profiles Table. The Subcategories field lists the subcategories.
3. Now click on the entry you wish to edit. Clicking on Name opens another entry wind
[Screenshot residue: status light icons for "packet filter rule is disabled" and "packet filter rule is enabled".]

Icon   Column   Display        Setting
       Action   Allow          (low priority)
       Action   Drop
       Action   Reject
       Log      Log disabled
       Log      Log enabled

Adding/editing groups: Clicking in the field in the Group column opens an entry window. Clicking on the Save button saves your changes. To cancel this action, click on the Cancel button.

Enabling/Disabling packet filter rules: The status light in the fourth column shows the rule status. Clicking the status light toggles the state between active (green light) and inactive (red light). Deactivated rules remain in the database but have no effect on firewall behavior.

Edit rules: Clicking on the corresponding setting will open an entry window. The rule can then be modified. Click Save to save your changes. To abort this process, click on the Cancel button.

Re-order rules: The order of the rules in the table determines the behavior of the firewall, so having the correct order is essential for secure operation. By clicking the position number, you can adjust the order to suit your needs. In the drop-down menu, select the Position to which you wish to move the packet filter rule and confirm your settings by clicking on the Save button.

Delete rules: Click the trash can icon to delete a rule from the table.

Sorting the rules table: By clicking on the column headers, you can sort...
...ection, the standby system can monitor the active system through the serial interface. No data is transferred over this connection. Use the drop-down menu to select the appropriate serial interface to use this option.

Note: Once you save the settings according to the following instructions, the system will shut down and reboot immediately.

4. Click the Save button to save these settings.

The first system will shut down and reboot immediately. If you have connected a keyboard to this machine, the Num Lock light will flash.

When the system is in Hot Standby Mode, it will beep twice and the LED display will stop blinking. Because system 2 is still disabled, the first system will boot normally into normal mode, and the Num Lock light will continue to blink.

After system 1 completes the boot process, the Num Lock light will stop blinking and the system will beep five times. This signals that the middleware has successfully loaded and initialized all services, rules, and processes.

Note: If the beeps are not heard and the LED light continues to blink, the middleware was unable to initialize all services, rules, and processes. If this happens, please contact the service department of your security solution supplier.

Configuring System 2 (Hot Standby Mode):

1. Start system 2 as normal.
2. Complete steps 3 through 6 as above, and click Save.

System 2 will now shut down and reboot immediat...
...ectly. The Certificate window will open. These registers allow you to inspect the information contained in the certificate before installing it.

Click the OK button to start the process.

Note: Due to system time differences and timezone offsets, the generated certificate may not yet be valid. Many browsers wrongly report that such certificates have expired; however, this is not the case, and any generated certificate will become valid after a maximum of 12 hours.

5.1.10 High Availability

The main cause of system failure is hardware failure, such as a failure of the network card, hard disk, or processor. The High Availability (HA) option allows you to use two systems with identical hardware in parallel. The first system runs normally (master mode) while the second runs in standby (slave) mode, monitoring the active system over the data transfer link using the link beat. The standby system also receives periodic updates over this link so that, in the case of a system failure on the primary, it can take over operations immediately.

[Figure: HA topology with External Network/Internet, Router, Internal Network (LAN), DMZ, Firewall 1 (Normal Mode) and Firewall 2 (Hot Standby Mode), joined by the data transfer link and switches.]

Hardware and Software Requirements:
• The High Availability (HA) License
• 2 security systems with identical ...
...ectory and Novell eDirectory LDAP servers, as well as those based on the open source OpenLDAP software.

Microsoft Active Directory is an indexing service designed especially for Windows NT/2000 networks, and allows the central management and organization of network resources. It allows users to access system resources after a single sign-on to a central server, and offers administrators centrally organized management of users, regardless of the network topology or protocols used. In order to use this directory service, you will need an MS Windows NT/2000 Domain Controller.

Novell eDirectory (Novell Directory Service 8) is an X.500-based index service designed to manage users, access rights, and other network resources. eDirectory is available for Netware versions 5 and higher, MS Windows NT/2000, Linux, and Solaris.

The OpenLDAP Foundation, the group which manages the OpenLDAP open source project, has released the Stand-Alone LDAP server, called SLAPD. OpenLDAP can also be used to build a networked directory service with various other LDAP servers. For instance, the iPlanet Directory Server from Sun Microsystems is based on OpenLDAP code and is fully compatible.

User Authentication

LDAP uses the Distinguished Name (DN) of a user to identify him or her. This name must be unique within the directory.

Microsoft Active Directory (AD) and Novell eDirectory (NDS8) give every object a defined DN. This DN identi...
...If the destination computer is reachable, you will receive the ping replies and some information about network latency.

5. Enter the following command:
   arp -g
6. Press the Enter key.

Your computer's local ARP table will now be displayed. The Physical Address column of this table shows the MAC address for each known IP address.

In order to connect to a remote computer on the same subnet, the local computer addresses Ethernet frames to the remote computer's MAC address. In order to do this, it must first determine the remote hardware address by issuing an ARP request. When you issue the ping request, your local computer automatically determines the remote computer's MAC address and stores it in the local ARP table for future use.

If you wish to configure a PCMCIA card for the Wireless LAN as an Access Point, complete the following steps. Configuration as a Station is described on page 137.

Configuring a Wireless LAN Access Point:

1. In the Network tab, open the Interfaces menu.
2. Click on the New button.
   The Add Interface window will open.
3. In the Name entry field, enter a descriptive name for the interface.
4. Use the Hardware drop-down menu to select the Wireless LAN network card.
5. Use the Type drop-down menu to select the Wireless LAN Access Point interface type.

Fill in the required settings for the Wireless LAN Access Point.

Address: Assign an IP address for t...
... 299
5.8.3 Hardware 299
5.8.4 Network 300
5.8.5 Packet Filter 301
5.8.6 Content Filter 301
5.8.7 PPTP/IPSec VPN 302
5.8.8 Intrusion Protection 302
5.8.9 r a T 302
5.8.10 HTTP Proxy Usage 302
5.8.11 Executive Report 302
5.8.12 Accounting 303
5.8.13 System Information 305
5.9 Local Logs (Log Files) 307
5.9.1 Settings 307
5.9.2 Local Log File Query 311
5.9.3 Browse 312
5.9.3.1 Log Files 316
5.9.3.2 Error Codes 320
5.10 Online Help 333
5.11 Exiting the Security Solution 334
Glossary 3...
...el domain, such as "com", "de", or "org". The Hostname will be included in all Notification E-Mails.

Save the settings by clicking Save.

29

Installation

6. Configure the Internal Network Interface (eth0)

In the Network tab, open the Interfaces menu and check the settings for eth0.

The settings for this network card are based on the information entered during the software installation. After starting the security system, they are shown in the Current Interface Status window.

[Screenshot residue: Current Interface Status showing the Internal (standard Ethernet) interface with its address and MAC.]

If you wish to change settings for this card, for example changing the configured name, please open the Edit Interface window by clicking the edit button and make these changes now.

Attention: If you misconfigure the IP Address of the eth0 network card, you may be locked out of WebAdmin.

The configuration of network cards and virtual interfaces is described in chapter 5.3.2 on page 119.

7. Configure the Internal Network

In the Definitions tab, open the Networks menu and check the settings for the internal network.

[Screenshot residue: Network Definitions table (4 entries) listing Internal (Network), 192.168.5.0/24, "Network on interface Internal".]

Three logical networks were defined during installation based on your settings for the internal network card (eth0). The interface Internal (Interface), consisting of the defined...
...ely. If you have connected a keyboard to this machine, the Num Lock light will flash.

When the system is in Hot Standby Mode, it will beep twice and the LED display will stop blinking. System 2 recognizes system 1 through the data connection and remains in Hot Standby Mode.

The High Availability system is now active.

System 2 will be updated at regular intervals over the data transfer connection. Should the active system encounter an error, the standby system will immediately and automatically change to normal mode and take over the system's functions.

5.1.11 Shut down/Restart

Restart will shut the system down completely and reboot. Depending on your hardware and configuration, a complete Restart can take up to 5 minutes.

Restart:

1. Under the System tab, open the Shut down/Restart menu.
2. In the action drop-down menu, choose Restart.
3. Begin the reboot by clicking Start.
4. When asked "Do you really want to restart?", click OK.

The action Shut down allows you to shut the system down and to cleanly stop all running services.

For systems without a monitor or LCD display, the end of the shutdown process is signaled by an unending series of beeps at one-second intervals.

Depending on your hardware and configuration, this process can take up to 5 minutes. Only after the system has completely shut down, signaled by the "Power down" message, should you turn off the power. If the syste...
...em

5.1.7.1 RADIUS

RADIUS stands for Remote Authentication Dial-In User Service and is a protocol for allowing network devices (e.g. routers) to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices, such as protocols supported, IP addresses, telephone numbers, routing information, and so on. Together this information constitutes a user profile that is stored in a file or database on the RADIUS server.

In addition to authenticating dial-up users, RADIUS can be used as a generic authentication protocol.

The RADIUS protocol is very flexible, and servers are available for most operating systems, including Microsoft Windows NT/2000. The RADIUS implementation on this security system allows you to configure access rights on the basis of proxies and users.

Before you can use RADIUS authentication, you must have a functioning RADIUS server on the network. As passwords are transferred in clear text (unencrypted), we strongly recommend that the RADIUS server be inside the network protected by the security system, and that the security system and server be on the same switch.

The following section details setting up the Microsoft IAS (RADIUS) Server for MS Windows NT and 2000. If you use a different server, you will need the following information to enable the operation of the security system together with the user authentication.

The authentication reques...
...entry menu.

Type: Use this drop-down menu to filter the networks of a specific type.

Address Values: If you wish to filter networks by specific addresses, enter the IP address in this entry field.

3. To start the filter, click on the Apply Filters button.
   Only the filtered networks will be displayed in the table. The next time you open the menu, the complete network table will be displayed.

Further Functions

Editing Definitions: Click on the settings in the Name, Value and Comment columns in order to open an editing window. You can then edit the entries.

Deleting Definitions: Clicking on the trash symbol will delete the definition from the table.

5.2.2 Services

[Screenshot residue: Service Definitions table with Name, Protocol (TCP, UDP, ...), port ranges such as 1:65535 and 1024:65535 (static), and Comment columns; the entry "Any" matches any service.]

The Services menu is used to define the Services and Service Groups. Services define certain types of traffic over networks like the Internet. A service is defined by a name, a protocol, and ports.

The following protocols can be used: TCP, UDP, TCP/UDP, ICMP, ESP, AH and IP.

UDP uses port numbers between 0 and 65535 inclusive and is a stateles...
...er of topics in the Tab List.

35

WebAdmin

4.3 Menus

Every function of the security system has its own separate menu in WebAdmin. This chapter describes the tools and displays used in the configuration menus.

4.3.1 The Status Light

Many features and subsystems of the security system can be enabled or disabled while the system is running. A status light displays the current status of such subsystems.

[Screenshot residue: the DNS Proxy menu with Status (Disable), the Allowed Networks selection field and the Forwarding Name Servers table.]

• red: Function is disabled.
• green: Function is enabled.

For many features, the configuration options and tools will not be displayed until the status light is green.

4.3.2 Selection Fields

There are two kinds of selection field which are used in configuring the security system.

[Screenshot residue: a Selected/Available selection field listing Internal_Interface, Internal_Network, localhost, localnet and NTP_Server_Atlanta.]

Selection fields like the one at the left, called here type A, are used to select arbitrary groups of things like users or networks. This kind of field is used, for example, when selecting Allowed Networks or Allowed Users.

Adding Objects to the Selected List:

1. In the Available list, select the ob...
...erading or NAT rules must be in place.

PPTP Client Parameters

This window allows you to define name servers (DNS and WINS) and the name service domain which should be assigned to hosts during the connection establishment.

[Screenshot residue: PPTP Client Parameters with Client DNS Servers, Client WINS Servers and Client Domain fields.]

Connections with MS Windows 2000

The following example shows how to configure a PPTP VPN connection on a Windows 2000 host.

1. Under the Network tab, open the PPTP VPN Access menu.
2. In the PPTP VPN Access window, enable the system by clicking Enable.
   The status light will show green and the menu will open.
3. In the PPTP VPN Access window, make the settings for the network access.

Logging: Keep the setting Normal.

Encryption: In the drop-down menu, select the encryption type. The available options are weak (40 bit) and strong (128 bit). Note that, in contrast to Windows 98 and Windows ME, Windows 2000 does not come with 128-bit encryption installed; to use this kind of connection, the High Encryption Pack or Service Pack 2 must be installed. SP2 cannot be uninstalled later. The selected encryption strength will take effect immediately.

Important Note: Both sides of the connection must use the same encryption strength. If WebAdmin is set to use 40-bit encryption and the MS Windows 2000 client is set to use 128-bit encryption, Windows will in...
...erface.

Please note that one network card cannot be used as both a Standard Ethernet interface and a PPP over Ethernet (PPPoE DSL) or PPTP over Ethernet (PPPoA DSL) connection simultaneously.

Now make the specific settings for this interface type.

Address: If you wish to use a static IP address for this interface, select Static from the drop-down menu and enter the address to use in the entry field. If you wish to have an address dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.

Netmask: If you wish to use a statically defined network mask for this interface, use the drop-down menu to select Static and enter the netmask to use in the entry field. If you wish to have a netmask dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.

Default Gateway: If you wish to use a statically defined default gateway, use the drop-down menu to select Static and enter the address of the gateway in the entry field. If you wish to have a gateway dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu. Otherwise, select None.

Proxy ARP: When this function is enabled, the security system will answer ARP requests on the selected interface for all known networks. This system will thus act as a proxy on this interface for all of the other directly connected networks. This function is only required in special cases, for example when an attached network canno...
...erface by clicking the status light.

The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

The new virtual interface will appear in the Hardware Device Overview just as an additional IP address (IP alias) on a standard Ethernet network card would. The Sys ID of this virtual interface is composed of the Sys ID of the network card and the number of the VLAN tag.

5.3.2.5 PPPoE DSL Connection

This interface type is used to connect to the Internet over a DSL connection using the PPP over Ethernet protocol. The configuration will require the DSL connection information, including username and password, provided by your Internet Service Provider.

[Screenshot residue: Add Interface window with Hardware (eth1, Realtek RT8139), Type (PPP over Ethernet (PPPoE DSL) connection), Username, Password, Address (Assigned by remote), Default Gateway (Assigned by remote) and MTU Size fields.]

Note: The installation and specific settings required for DSL connections are described in the DSL Network guidebook. Also note that, once the DSL connection is activated, the security system will be connected to your ISP 24 hours a day. You should therefore ensure that your ISP bills on a flat rate or bandwidth-based system rather than based on ...
...ervice (QoS) function is described in chapter 5.5.1.

Uplink Bandwidth (kbits): These settings will only appear if the QoS function is enabled. In this entry menu, enter the available bandwidth for the Uplink in full kilobits. This value can be determined either from the values of the upstream interface or from the router.

Downlink Bandwidth (kbits): These settings will only appear if the QoS function is enabled. In this entry menu, enter the available bandwidth for the Downlink in full kilobits.

MTU Size: The MTU is the size, in bytes, of the largest transmittable packet. MTU stands for Maximum Transfer Unit. For connections using the TCP/IP protocol, the data will be grouped into packets. A maximum size will be defined for these packets. Packets larger than this value will be considered too long for the connection and fragmented into smaller ones before transmission. These data packets will then be sent again. However, performance can suffer if the upper value is too low.

The largest possible MTU for an Ethernet interface is 1500 Bytes. The following values are the defaults for the VLAN Ethernet Interface: 1500 Byte.

Confirm these settings by clicking Add.

The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

8. Enable the int...
...ery menu in WebAdmin has an Online Help screen which provides a short explanation of the available configuration options.

You can open the help screen by clicking the ? button at the top right-hand corner of the screen.

[Screenshot residue: the Time Settings (Time Zone, Use NTP Server, Set Time) and SSH Shell Access (Status, Allowed Networks) menus, with the WebAdmin help window open.]

To load the menu again, click the Refresh button. Don't use the Refresh button of the tool bar of your browser to reload the menu; otherwise you are logged off the session and have to log in again under the WebAdmin configuration tool.

5 Using the Security System

We have already seen the web-based configuration tool WebAdmin in action during the installation process. This chapter will describe how to use WebAdmin to control and monitor your security system on a day-to-day basis.

The specific settings, what they do, and how to change them will be described step by step. Please refer to chapter 4 for a more general description of how to use the tools provided by the WebAdmin interface.

[Screenshot residue: the WebAdmin Access menu with Allowed Networks, TCP Port, Authentication Methods and Allowed Users (Selected/Available) fields.]
...es.

Please see chapter 4.3.4 on page 39 for a description of how to use the ordered list.

5.1.5 SNMP Access

The Simple Network Management Protocol (SNMP) monitors and manages the local network. SNMP allows the administrator to make quick queries about the condition of the network devices, such as the number and configuration of the network interfaces, the forwarded traffic, the current processes and hard disk utilization. Besides the current state, trends and time series are of interest: they give a detailed insight into the functioning of a network, so its history can be monitored and problems remedied before they become serious.

[Screenshot residue: SNMP Access menu with Status, Allowed Networks and Community String fields.]

Configure the access rights to the SNMP service in the SNMP Access window. The users of the configured networks can then conduct queries about the SNMP server on the Security system with their read-only rights.

A Security Note: The SNMP data traffic (Protocol version 2) between the Security system and the network is not encrypted.

Authorizing access to the SNMP server:

1. Enable SNMP Access by clicking the Enable button.
2. From the Allowed Networks selection field, select the networks that you wish to allow to access the SNMP server.
3. Enter the Community String in this entry window.
4. Save your configuration by clicking Save.

5.1.6 Remote Syslog Server

This function allo...
...essage Authentication Code (HMAC) in connection with a key. One of the following hashing algorithms will be used:

Message Digest Version 5 (MD5): This algorithm generates a 128-bit checksum from a message of any size. This checksum is like a fingerprint of the message, and will change if the message is altered. This hash value is sometimes also called a digital signature or a message digest.

The Secure Hash (SHA-1) algorithm generates a hash similar to that of MD5, though the SHA-1 hash is 160 bits long. SHA-1 is more secure than MD5 due to its longer key.

Compared to MD5, an SHA-1 hash is somewhat harder to compute and requires more CPU time to generate. The computation speed depends, of course, on the processor speed and the number of IPSec VPN connections in use at the Security Gateway.

In addition to encryption, the Encapsulated Security Payload Protocol (ESP) offers the ability to authenticate senders and verify packet contents. If ESP is used in Tunnel Mode, the complete IP packet (header and payload) is encrypted. New, unencrypted IP and ESP headers are added to the encapsulating packet. The new IP header contains the address of the receiving gateway and the address of the sending gateway. These IP addresses are those of the VPN tunnel.

For ESP with encryption, normally the following algorithms are used:
• Triple Data Encryption Standard (3DES)
• Advanced Encryption Standard (AES)

Of these, AES ...
... key distribution 267
Policies 277
PSK authentication 284
Remote Keys 285
RSA authentication 283
Transport mode 265
Tunnel mode 265
VPN Routes 270
VPN Status 270
IPSec VPN
  configuring 271
  configuring a Policy 278
  defining remote keys 285
  generate a client/host certificate 292
L2TP over IPSec
  L2TP over IPSec client parameters 289
  L2TP over IPSec IP pool 289
  L2TP over IPSec settings 288
Licensed Users 53
Licensing 50
Licensing Information 53
Load Balancing 163
  defining rules 163
  deleting rules 164
  editing rules 164
Local Logs
  Browse 312
  configuring local log file level 308
  configuring remote log file archive 309
  filtering 315
  filters 315
  introduction 307
  local log file archive 308
  Local Log File Query 311
  Log Files 316
  remote log file archive 309
  Settings 307
  starting search 311
Local User
  adding 115
  deleting 117
  editing 117
Log files
  error codes 320
Log Files
  Admin notifications 318
  Astaro Configuration Manager 316
...f an error, the system was unable to forward.

This menu uses the following concepts to display and manage the e-mails:

[Screenshot residue: SMTP/POP3 proxy content table (17 entries) with Type, Age, Sender and Recipient(s) columns, a Filters control and a Global Actions drop-down (Refresh proxy content table).]

ID: Every e-mail in this security system contains a uniqu...
...fetime (secs): This option allows you to set the lifetime of the IPSec connection. This is set by default to 3600 seconds (1 h). In general, times between 60 and 28800 seconds (1 min to 8 hours) are allowed.

PFS: The IPSec key used for VPN connections is generated from random numbers. When Perfect Forward Secrecy (PFS) is enabled, the system will ensure that the numbers used have not already been used for another key, such as for an IKE key. If an attacker discovers or cracks an old key, he or she will have no way of guessing future keys.

The IPSec VPN system on this security system supports the Group 1 (MODP 768), Group 2 (MODP 1024), Group 5 (MODP 1536), Group X (MODP 2048), Group X (MODP 3072) and Group X (MODP 4096) protocols. If you do not wish to use PFS, select No PFS.

By default, this is set to Group 5 (MODP 1536).

Important Note: PFS requires a fair amount of processing power to complete the Diffie-Hellman key exchange. PFS is also often not 100% compatible between manufacturers. In case of problems with the firewall's performance or with building connections to remote systems, you should disable this option.

Compression: This algorithm compresses IP packets before they are encrypted, resulting in faster data speeds. This system supports the Deflate algorithm.

6. If you have not yet named this policy, scroll back to the Name field and enter one now.

7. Create the new policy by clicki...
...fficulty if you use the Masquerading function; in that case, the Forward Connection function will pass the ident request on to the internal masquerading host.

Please note, however, that the actual (internal) IP address will not be released. Instead, the system will query the internal machine and simply pass the response string to the remote server. This is often useful for internal clients with a mini ident server, such as the ones often included in IRC and FTP clients.

Global Settings

[Screenshot residue: SMTP Proxy menu with Status, Hostname (MX), Postmaster Address, Max Message Size, DoS Protection, Incoming Mail (Domain Name, SMTP Host, SMTP Routes Table, by DNS MX record), Recipient Verification, Outgoing Mail (Allowed Networks, Use Smarthost) fields.]

An SMTP Proxy allows you to protect an internal mail server from remote attacks. While forwarding and receiving messages, the proxy can also scan them for potentially dangerous contents. This menu also allows you to configure anti-spam parameters in order to block unwanted e-mails.

This menu allows you to configure the ...
156. fied this as medium priority level. Event buffering has been activated. Further Intrusion Protection events will be collected and sent to you when the collection period has expired. If more events occur, this period will be increased. Further information on the Intrusion Prevention event can be found in the notification e-mail.

System Up2Date failed: Could not connect to Authentication Server(s): The authentication server is not reachable. If the problem continues, please contact the support department of your firewall provider.

System Up2Date failed: Download of System Up2Date Packages failed: If the problem continues, please contact the support department of your firewall provider.

System Up2Date: Wrong MD5sum for local System Up2Date package: Please download a new Up2Date package. The Up2Date packages can be downloaded from http://download.astaro.de/asl/up2date. If the problem recurs, please contact the support department of your firewall provider.

System Up2Date failed: Wrong MD5sum for downloaded Up2Date Package: Please download a new Up2Date package. If the problem recurs, please contact the support department of your firewall provider.

[Table column residue: notification numbers 320, 322, 323, 324, 325, 333, 334, 335, 336, 328.]

System Up2Date failed: Wrong start parameters: If the problem recurs, please contact the support department of your firewall provider.

System Up2date st
157. fies the object uniquely in the AD index or NDS tree. This DN is composed of the Common Name (CN) and Domain Component (DC).
Example: CN=Administrator,CN=Users,DC=example,DC=com

MS Active Directory also allows for user authentication by User Principal Name (UPN). This name consists of the login name and DNS name of the domain.
Example: admin@example.com

OpenLDAP simply uses the Common Name (CN) to identify users. Please make certain that every user has a unique CN.

A Security Note: User authentication with a stand-alone LDAP server involves sending passwords in clear text over the network. As these passwords are not encrypted, an attacker with access to the network may be able to intercept them.

Note: User authentication with an LDAP Server requires that the DNS Proxy on the Proxies/DNS menu be enabled.

Configuring the Microsoft Active Directory Server

Make sure that there is a user configured on your LDAP server to have full read privileges for the directory. This will be the query user.

A Security Note: Make sure that the user has only read privileges.

Microsoft Active Directory (AD) can grant privileges on the basis of group memberships, or on the basis of particular user attributes. In most cases, it is easier to use the Member Of query type to authenticate by group.

The Directory can be extended by self-defined attributes. If you wish to authenticate on the basis of particular User
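The three identifier formats described above (an AD distinguished name built from CN and DC components, a UPN, and a bare OpenLDAP CN) are easy to get wrong when preparing directory data for the query user. The following is an added example, not code from the manual or from the Astaro product: it parses a DN into its components, derives the DNS domain from the DC parts, checks the UPN shape, and flags duplicate CNs, which the text says must not exist when OpenLDAP identifies users by CN alone. The escaping handling is a simplified reading of RFC 4514, the case-insensitive CN comparison reflects LDAP's default matching rule for CN, and all sample entries are constructed.

```python
"""Added example (not from the manual): parse and check the user identifier
formats described in the text. All sample data below is constructed."""
import re
from collections import Counter


def parse_dn(dn):
    """Split 'CN=Administrator,CN=Users,DC=example,DC=com' into (type, value)
    pairs in written order. A backslash-escaped comma inside a value
    (simplified RFC 4514 escaping) does not split the DN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def dn_domain(dn):
    """Join the DC components of a DN into the DNS domain name they spell."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


# login@dns.domain, the shape AD expects for UPN authentication
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_upn(name):
    """True when the name has the login@domain form of a User Principal Name."""
    return bool(UPN_RE.match(name))


def duplicate_cns(entries):
    """Return CNs that occur more than once. Comparison is case-insensitive
    (assumption: the server matches CN with its default case-ignoring rule),
    so 'jsmith' and 'JSmith' collide even though the strings differ."""
    counts = Counter(cn.strip().lower() for cn in entries)
    return sorted(cn for cn, n in counts.items() if n > 1)


# Constructed sample directory: two entries share the CN "jsmith".
SAMPLE_CNS = ["jsmith", "mmeyer", "JSmith", "admin"]

if __name__ == "__main__":
    print(parse_dn("CN=Administrator,CN=Users,DC=example,DC=com"))
    print(dn_domain("CN=Administrator,CN=Users,DC=example,DC=com"))
    print(is_upn("admin@example.com"), is_upn("Administrator"))
    print(duplicate_cns(SAMPLE_CNS))
```

Running `duplicate_cns` over an export of the user container before enabling CN-based authentication shows which accounts would be ambiguous; `dn_domain` is a quick sanity check that the query user's DN really lives in the domain the UPN suffix names.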
158. file is e-mailed to the entered e-mail address. These e-mailed files are about 100 kilobytes long.

Generating an E-Mail Backup File

1. Open the Backup menu in the System tab.
2. In the Advanced window, enable the Send Backups by E-Mail function by clicking on the Enable button. The Backups by E-Mails function is enabled if the status light shows green.

Important Note: If the Encryption function has been enabled, the backup file will be encrypted with either the DES or 3DES algorithms, and can only be read or loaded using the correct password.

3. Use the Interval drop-down menu to define how often backups should be made. The available choices are: Daily, weekly and monthly.
4. In the E-Mail to field, enter the e-mail addresses which should receive the backup files in regular intervals.
5. Click the Add button next to the E-Mail to entry field to add this address to the ordered list. If you would like to add more addresses, repeat step 5.
6. If you wish to generate and send a backup file immediately, click the Start button next to Send backup now.
7. Check the generated files for readability by importing the respective backup file and clicking on the Start button. The security system will now load and check the backup file. If the checksums are correct, you will now receive the Backup Information.
8. Abort the restore process by opening a different menu within the tab.

Editing E-Mail Address
159. g connections in the opposite direction.

When a computer in the protected network establishes a connection with an external server, the stateful packet filter will allow the server's response packets in to the protected network. When the original connection is closed, however, the packet filter will block all further packets from the unprotected network (unless, of course, they have been explicitly allowed).

Introduction to the Technology

Application Layer Gateways (Application Proxies)

The second main kind of firewall is the application layer gateway. These gateways act as a middleman in connections between external systems and protected ones. With such gateways, packets aren't forwarded so much as translated and rewritten, with the gateway performing the translation.

The translation process on the gateway is called a proxy server, or proxy for short. Because each proxy serves only one or a few well-defined application protocols, it is able to analyze and log protocol usage at a fine-grained level, and thereby offer a wide range of monitoring and security options.

The analysis can be especially intensive at the application level, because the application data transferred conforms to standardized protocols. The firewall knows about and can inspect every aspect of the data flow. This also means that small, manageable modules can be used for each kind of data, which in turn means the system is less prone to problems due to impleme
160. gainst a Denial of Service (DoS) attack, a maximum of 25 incoming concurrent connections are supported. The 26th connection will not be accepted. By default, the DoS Protection function is enabled.

In the Incoming Mail window, set the route for incoming mails.

Domain Name: In order to send mails for a certain domain to the correct machine, the domain name (e.g. mydomain.com) must be configured here.

SMTP Host: All e-mails for this domain can be forwarded to a certain host. This will normally be a host like Microsoft Exchange Server or Lotus Notes. The host must be defined in the Definitions/Networks before it will appear in the drop-down menu. You can also set the system to forward e-mails to the system specified by the MX record. You should take care that the firewall itself is not the MX host for the domain. Confirm your selection by clicking Add.

Recipient Verification: The SMTP proxy will only accept incoming e-mails after verifying that the receiving address exists. This will dramatically reduce the number of spam messages received, as only messages with valid destination addresses will be accepted. This function requires that the internal SMTP server reject messages to unknown addresses. The basic rule is that if the mail server rejects a message, then so too will the firewall.

In the Outgoing Mail window, select the Allowed Networks or hosts to which outgoing m
161. [Table residue: archived Admin notifications log files for Sunday April 04 2004 through Thursday April 01 2004 (notifier log archives for 2004-04-04, 2004-04-03, 2004-04-02 and 2004-04-01 with sizes 784, 644, 457 and 439).]

checked entries.

The following additional functions are available in the sub tab:

Date: For older protocols listed in the sub tab, the date and time will be displayed.

(Folder icon): Return to the overview by clicking on the folder icon.

(Live log icon): This is today's protocol. Clicking on the icon opens the Live Log window.

(Archive icon): This is an archived protocol. Clicking on the symbol opens the Log window.

File Count/Name: In the protocol from today, the path to the log file and the Live Log message will be displayed in this column. In this column, the file names will be displayed next to the archived log files.

Filters

The Filters function allows you to filter Log Files with specific attributes from the table. This function enhances the management of huge networks, as log files of a specific type can be presented in a concise form.

Filtering Log files

1. Click on the Filters button. The entry window will open.
2. Enter the filter attributes in the fields. Not all attributes have to be defined.
Group: If you wish to filter the log files of a specific group, select it
162. hardware:
• 2 additional Ethernet interfaces (if you wish to use heartbeat monitoring, both of these must support link beat)
• One Ethernet crossover cable
• One serial interface cable (optional)

Important Note: The hardware components supported by the Internet security system (e.g. for monitoring through Heart Beat requests) are listed under http://docs.astaro.org in the Hardware Compatibility List for Astaro Security Linux tab.

Installing the High Availability System

Preparation

1. First install the software on both machines and configure the first (active) system as described in chapter 3.2 on page 22.

Security Note: If you install High Availability (HA) to a system updated using Up2Date, please ensure that the standby system is using the same version of the security solution as the normal mode system.

2. Shut both systems down.
3. Connect the firewall system 2 (standby) to the firewall system 1 (active) as in the graphic.

Configuring the Firewall System 1 (normal mode)

1. Start system 1 as normal.
2. In the System tab, open the High Availability menu. Enable the HA system by clicking Enable (under Status).

Device Name: Enter a descriptive name for the system here. This name will be shown to allow you to know which system is active at a given time. The name can be up to 11 characters long.

Device IP: Assign an IP address from a Class C
163. he Enable button under Prefetch Up2Dates automatically.

3. In the selection menu Interval, specify how often the security system should contact the Up2Date Server to check for new System Up2Dates. The available choices are: every hour, every day or once per week.

Newly imported Up2Date packages are presented with their respective version number and file name in the Unapplied Up2Dates table. Further information is available by clicking the Info button. Note that the Unapplied Up2Dates in the table have not yet been installed.

If you are using the HA system, unapplied updates will be listed in the Unapplied Up2Dates Master window.

Loading System Up2Dates from a local disk

The filename of an Up2Date update consists of the version number, .tar to signify it is an encrypted archive file, and the file extension .gpg. Example: 3.033.tar.gpg. Up2Date packages can be downloaded from the ftp.astaro.com FTP server.

1. Open the Up2Date Service menu in the System tab.
2. In the System Up2Date window, click on the Browse button next to Import from File.
3. In the File Upload window, choose the Up2Date packages you would like to load and click on the Open button.

Important Note: When using Microsoft Windows, make sure not to use a UNC Path. Instead, choose the updates by using the Look in option.

4. In the System Up2Date window, next to Import from File, click Start.

Successfully loaded upd
164. he access point. For this interface type, the address must be statically defined. Enter the address into this entry field.

Netmask: This interface type requires a statically defined netmask. Enter the network mask into this entry field.

Default Gateway: If you wish to use a default gateway with this interface, select Static from the drop-down menu and enter the gateway address in the entry field. Otherwise, select None.

SSID: Enter the network name for the wireless network here. Enter a string without space characters here. This should be a string up to 32 characters long.

Channel: Use the drop-down menu to select a frequency channel for the network.

Use WEP: If you wish to use WEP encryption on the wireless LAN, select Yes from the drop-down menu.

A Security Note: You should always use WEP encryption, as an unencrypted network presents a serious threat to network security.

If you select No from the drop-down menu, the WEP-specific configuration options will be ignored by the system.

WEP Authentication: If you wish to enable WEP authentication, select Yes from the drop-down menu. All nodes on the wireless network must be configured with the correct WEP Key.

Require WEP: If you do not wish to allow nodes not supporting WEP onto the wireless network, choose Yes here.

WEP Key: Enter the WEP key to use in the WEP Key 0 through 3 entry fields. In order to use WEP encryption, you will need at least one WEP key; up to four can be used.

For a
165. he password, you might not be able to access the newly configured system.

Advanced

Encryption: The backup file contains all configuration settings as well as the respective certificates and keys. The Encryption function allows you to encrypt the file using DES or 3DES.

Encryption of e-mail Backup Files

1. Open the Backup menu in the System tab.
2. Scroll to the Advanced window.
3. Enable the Encryption function by clicking on the Enable button. The Encryption function is enabled when the status light shows green.
4. In the Passphrase entry field, enter the password.

A Security Note: With passwords with up to seven characters, the Backup file will be encrypted with DES, and from eight characters on with 3DES.

5. To confirm, enter the password again into the Confirmation entry field.
6. Click the Save button to save these settings.

All Backup files that have been created manually or automatically by the system will now be encrypted with the defined password.

Important Note: A backup file that has been encrypted with Encryption can only be loaded to the system with the password that was used for the creation of the Backup.

Send Backups by E-Mail: The Security system can also send you automatically created backup files by e-mail, so that you don't have to remember to save the settings of your Internet security system manually on a data carrier. Then the
166. ich it can be sorted or filtered on the mail server or in the e-mail programs of the recipient.

For a description of how to create rules in Microsoft Outlook 2000, please see page 252.

Trigger on: In this drop-down menu you define which errors cause the e-mail to be treated according to the Action function.

Level 1: This step causes that only e-mails with the most serious errors are treated. This setting is recommended, since many users use a deficient encryption program that already responds in the higher levels (Level 2 and 3).

Level 2: With the exception of the e-mails with the ordinary errors, all are being treated.

Level 3: Any e-mails with errors are being treated.

File Extension Filter

This module allows the firewall to selectively filter attachments based on their file extensions. The extensions to filter can be selected in the Extensions list tool.

Action: This drop-down menu allows you to select the action the proxy should take upon finding a message with a filtered string. The following actions are possible:

Reject: The message will be bounced back to the sender with a 5xx error message. The bounce message sent to the sender will also contain an explanation of why the message was blocked.

Blackhole: The e-mail will be accepted and silently dropped. Do not use this action unless you are absolutely certain no legitimate e-mails will be lost.

Quarantine: The e-mail will be accepte
167. ield. Save your changes by clicking Save.

5.9.2 Local Log File Query

[Screenshot: Local Log File Query window with the fields Time Span (Yesterday and Today), Logs, Mode and Search Term.]

The Local Log File Query action allows you to search for specific Log Files in a local archive. The search result will be displayed in a separate window.

Starting searches

1. In the Time Span drop-down menu, select the time span.
2. In the selection field Logs, choose the protocols. Please see chapter 4.3.2 on page 36 for a description of how to use selection fields.
3. In the Mode drop-down menu, select the mode.
4. If you are looking for protocols with specific strings, enter the strings into the Search Term entry field.
5. Begin the search by clicking seek. The protocols will be listed in a separate window.

5.9.3 Browse

Each protocol is contained in the Browse menu. If this menu is opened, the protocol groups (logs) will be displayed in the Browse Local Log Files overview.

The Log File Overview

All protocol groups (logs) are contained in this overview. The groups with the current protocols can directly be opened from this overview.

[Screenshot: Browse local Log Files overview (Total 121 entries, 102 filtered) with a Filters button and the columns Name, Date and File Count/Name, listing Accounting data (4 files), Admin notifications (6 files), Boot messages (6 files), Content filter (4 files), DHCP server (4 file
168. ill be displayed in real time in the Log Window. When the DONE message appears, the process has completed successfully.

Then the installation automatically starts on system 2. During this process, the Up2Date package and the message Polled by slave will be displayed in the Unapplied Up2Dates Slave table. The table will show the message No locally stored Up2Date packages available when the installation on system 2 has completed successfully.

5. If the Unapplied Up2Dates Master table lists more unapplied updates, repeat steps 2 and 3 until all updates have been installed.

The HA system is fully updated when the Unapplied Up2Dates Master table shows the message No locally stored Up2Date packages available and if both systems display the same version number.

Pattern Up2Date

[Screenshot: Pattern Up2Date window with the Latest Pattern Up2Dates table and a button to download the Up2Date packages now.]

The Pattern Up2Date function updates the virus patterns for the security system's integrated virus scanner and the Intrusion Protection System (IPS) with IPS attack signatures. You can choose to update signatures manually or automatically at certain intervals.

The Latest Pattern Up2Dates table shows the date of the most recently installed Pattern Up2Date. Virus Protection Patterns and Intrusion Protection attack signatures will be listed separately.

Manual Pattern Up2Date

1. Open the Up2Date Service menu in the System tab.
2. In the Patter
169. ill extend all the way to that computer, where the data is encrypted and decrypted. If one end point is a network, the connection will end at a Security Gateway, which manages the VPN functions for the rest of the network. The data transmission within the network (between the security gateway and client computers) is not encrypted.

Data transfer between two computers over a Public Wide Area Network (WAN) uses public routers, switches and other network components. This is, in general, not secure, as messages can be read in clear text at every point between the end computers. An IPSec VPN, however, builds a secured IP Security (IPSec) tunnel through the public WAN. Messages sent through this tunnel cannot be read.

An IPSec tunnel consists of two directional Security Associations (SAs), one for each direction of communication.

An IPSec SA consists of three components:
• the Security Parameter Index (SPI)
• the IP address of the receiver
• a Security Protocol: Authentication Header (AH) or Encapsulated Security Payload (ESP)

With the help of the SA, the IPSec VPN tunnel has the following features:
• Data confidentiality through encryption
• Data integrity through data authentication
• Sender authentication through PSK, RSA or X.509 certificates

The security features can be combined as desired. Most administrators use at least the encryption and authentication components.

There are a few scen
170. ill only be displayed after clicking on the show support logs button.

Content Filter: The activities of the content filters on the HTTP, SMTP and POP3 Proxies are logged to these log files.

DHCP client: If the interfaces are automatically assigned IP addresses on the Internet security system, the activities are recorded to these log files.

DHCP server: If the Internet security system is used as DHCP server and assigns dynamic IP addresses to the clients in the network, the activities are recorded to these log files.

Fallback archive: These log files are used as a security archive for logged processes which cannot be assigned to one of the log files. The log files belong to the support logs and will only be displayed after clicking on the show support logs button. In general, those log files are empty.

High Availability: The activities of the High Availability (HA) system are logged to these log files.

HTTP daemon: The log files for the HTTP daemon belong to the support logs and will only be displayed after clicking on the show support logs button.

WebAdmin access: The requests to the user data base are recorded to these log files.

Intrusion Protection: The activities of the Intrusion Protection System (IPS) are recorded to these log files.

IPSec VPN: Extensive information on the configuration of the IPSec VPN and L2TP over IPSec connections is recorded to these log files. And also informati
171. in the Comment field, enter a description of this backup. When restoring system backups, this description will be displayed to help distinguish between different configurations.

Important Note: If the Encryption function has been enabled, the backup file will be encrypted with either the DES or 3DES algorithms, and can only be read or loaded using the correct password.

3. To generate the backup file, click the Start button. The system will now generate a backup file. When the message Backup has been restored successfully appears, the process has completed successfully.
4. To copy the backup file to your local PC, click the Save button. On the File download menu, choose Save file to disk and click the OK button. Choose a descriptive file name on the Save file as menu. The security system will automatically produce file names consisting of backup, date and time: backup_yyyymmdd_hhmmss.abf (astaro backup file).
5. Check the generated backup file for readability by importing it back into WebAdmin and clicking on the Start button. The security system will now load and check the backup file. If the checksums are correct, you will now receive the Backup Information.
6. Abort the restore process by opening a different menu within the tab.

Attention: After each system change, create a new backup file. If you load a new backup file and if, for example, you have changed the IP address or forgotten t
172. in the certificate, private key and verification CA.

Delete: Delete the specified certificate.

Issue CERT from CSR: This function signs a CSR, generating a full host certificate.

Generating a Client Host Certificate

Step 1: Create a Signing CA

1. Under the IPSec VPN tab, open the CA Management menu.
2. In the Certificate Authorities table, click the New button. The Add Certificate Authority window will open.
3. Select the Generate option.
4. In the Name field, enter a descriptive Name for the certificate authority. Allowed characters: Only alphanumeric and underscore characters are allowed.
5. Enter a password with at least four characters in the Passphrase field.
6. Use the Key Size drop-down menu to select the desired key length.
7. Use the drop-down menus and entry fields from Country to E-Mail Address to enter identifying information on the CA.
8. To save the entries, click on the Start button.

The Signing CA will be loaded into the Certificate Authorities menu. This CA will answer CSR requests by generating new host certificates.

Step 2: Generate a Certificate Request

1. In the Host CSR or Certificate table, click the New button. The Host CSR or Certificate window will open.
2. Select the Generate CSR option.
3. In the VPN ID drop-down menu, select the type of VPN ID to use. If you select E-Mail Address, Hostname or IPv4 Address, you must enter the relevant informatio
173. ing Protocol (PPTP) option.

Sharing: This menu allows you to share the PPTP connection with other computers on the local network.

To start the PPTP connection, simply click the new icon in the Start/Settings/Network and Dialup Connections menu. Further information is usually available from the network administrator.

5.3.7 Accounting

[Screenshot: Accounting menu with Status, Interfaces (Empty list) and Ignored Networks (Selected/Available) selection fields.]

When the Accounting function is enabled, the security system will track all transmitted data and compile statistics about it. The Accounting menu allows you to select which network cards should be monitored. You can download the data from the Log Files/Accounting menu, or view daily reports in the Reporting/Accounting menu.

Important Note: In the normal case, you should only enable Accounting on one network card, because, if more than one card is monitored, data forwarded from one monitored interface to another monitored one will be counted twice. If you use Masquerading, you should probably use Accounting on the internal interface. Otherwise, data packets dropped by the security system filters will be included, and will appear to come from the wrong interface.

It is also possible to exclude certain Hosts or Networks from the accounting records. After installation, all networks are included in accounting records. I
174. ing files will be displayed in this column. The old protocols can be opened from the sub tab.

Activity: If the protocols in a group have been logged since Midnight, a corresponding message will be displayed.
• Now: The protocols are being generated right now.
• Today: Protocols have been generated since Midnight.

Open the protocols by clicking on the message Now or Today. Open the current protocol (Live Log) by clicking on the message Now or Today (see left-hand picture).

Size: The size of the log file group will be displayed in this column.

(Download icon): Clicking the download icon will allow you to download this Log File to your local client computer. You can then use these Log Files to import data into another program, for example Microsoft Excel.

The Log File Sub Tab

All protocols (Logs) of a group are listed in this sub tab. The sub-group can be opened in the overview by clicking on the folder icon.

[Screenshot: Browse local Log Files overview (Total 121 entries, 102 filtered) listing Accounting data (4 files), Admin notifications (6 files, Today), Boot messages (6 files) and Content filter (4 files); and the Admin notifications sub tab (Total 121 entries, 114 filtered) with the columns Name, Date and File Count/Name, listing /var/log/notifier.log (Live log, Today) and the archived notifier logs for Tuesday April 06 2004 and Monday April 05 2004.]
175. ing services in addition to simple proxy services, resulting in dramatic performance increases, because the system can store a copy of often visited pages locally; these pages do not need to be loaded across the Internet.

[Screenshot: HTTP Proxy menu with Status (Enable), TCP Port (8080), Surf Protection/Content Filter, Advanced, Block CONNECT Method, Allowed Target Services (Selected: FTP-CONTROL, HTTP; Available: BGP, DAP, EUDORA, SQUID, ...) and Clear HTTP Proxy Cache.]

Note: WebAdmin should not be used through a proxy. Configure your browser so that connections to the security system's IP address do not use a proxy server.

Disabling Netscape Communicator Proxy

1. In Netscape, open the Edit/Settings/Advanced/Proxies menu.
2. Under Manual Proxy Configuration, click Show.
3. In the No Proxy for this address field, enter the IP address of your security system.
4. Click OK to save your changes.

Disabling Proxy Use with Microsoft Explorer

1. In Explorer, open the Extras/Internet Options menu.
2. Choose the Connections tab.
3. Open the LAN Settings/Advanced menu.
4. Under Exceptions, enter the IP Address of your security system.
5. Click OK to save your settings.

The HTTP proxy controls web transactions using the HTTP Protocol (usually TCP/IP Port 80). Please note that some web servers transmit
176. ion address.

If Strict Routing is enabled, it is possible to simultaneously set encrypted and decrypted connections from different source addresses to one network. If the Strict Routing function is disabled (Off), further networks and hosts can be connected to the IPSec VPN tunnel through the setting of Source NAT rules. The Strict Routing function can only be disabled or enabled in the Standard type of connection. For all other types of connections the function is always enabled.

In the Endpoint Definition window, select the endpoint of the IPSec tunnel.

Local Endpoint: Use the drop-down menu to select the local endpoint. Always choose the network interface on the same side of the firewall as the remote endpoint.

Remote Endpoint: Choose the IP address of the remote endpoint here. With the Road Warrior or MS Windows L2TP/IPSec types of connection, the remote endpoint always has a dynamic IP address.

The Subnet definition (optional) window allows you to set an optional subnet for both endpoints.

Local Subnet: Choose the local subnet here.

Remote Subnet: Choose the remote subnet here.

With a road warrior connection, only the local subnet can be configured. This is no longer possible if you additionally enable the L2TP Encapsulation function in step 7.

Note: With the MS Windows L2TP/IPSec connection this window will not be displayed. The IPSec VPN access will be managed through the Packe
177. is [...] admin already logged in to WebAdmin, a notice will appear on screen. The IP address shows you which computer the other administrator is using.

[Screenshot: notice "The WebAdmin is currently occupied by the following user" with Address or Hostname 10.113.113.3 and a Reason field.]

You can terminate this user's session by confirming your login, and optionally provide a reason for the takeover.

The kick function allows you to end the other administrator's session. In the Reason field, type a reason for ending the other user's session and click Login.

You are now logged in, and can use the WebAdmin to manage the system.

5.1 Basic Settings (System)

The menus under the System tab allow you to configure and manage the basic settings of your Security Solution.

5.1.1 Settings

Administrator Contact

[Screenshot: Administrator Contact window with the E-Mail Addresses list.]

E-Mail Addresses: Whenever certain important events occur, such as portscans, failed logon attempts or reboots, as well as whenever the self monitor or Up2Date systems generate alerts or reboots, the security system will send a notification e-mail to the administrator through the e-mail addresses entered into the ordered list. At least one e-mail address must be present; otherwise the E-Mail Reporting module will be disabled.

To add a new e-mail address, enter it in the entry field and click Add. Please see chapter 4.3.4 on
178. is correctly configured, start it and enter the management address of the security system (the internal IP address configured for eth0) as follows: https://IP Address. In the example from step 6 above, this would be https://192.168.2.100. A security notice will appear. When you generate a certificate for WebAdmin in a later step, this notice will disappear. Further information on generating and installing certificates can be found in chapter 5.1.9 on page 94. For now, simply accept the security notice by clicking the Yes button. The first time you start WebAdmin, two windows will open: the first contains the License Agreement, and the second is used for Setting system passwords. Complete the License Agreement: In the License Agreement window, accept the terms of the license by clicking the I agree to the terms of the license selection box. Note: Please read the terms of the license carefully. (Installation) Set the System Passwords: In the Setting system passwords window, enter the passwords for the Internet security system. Security Note: Use a secure password. Your name spelled backwards is, for example, not a secure password, while something like xfT35 4 would be. You will only be able to start WebAdmin once you have entered passwords for the functions listed below. Enter the password for each service, and then re-enter it in the text field labeled Confirm. The usernames are pre-defined, and cannot
179. is initially disabled when it is added to the table. Active rules are applied in the given order, ending with the first matching rule. The order of this process will be displayed in the table through the Position number (second column from the left). If you re-sort the rules table later, for example according to the source address, please note that the rules won't be displayed in the order in which the system processes them. If, however, you change the numerical rule order via the Position number, the processing order will change correspondingly. In our example, if rule 2 were moved to be before rule 1, all SMTP traffic for both networks would be blocked. Be very careful when defining rules and their order, as this will determine the security of your firewall. Important Note: When one filter rule applies, all other rules will be ignored. The sequence of rules is thus very important. Never place a rule like Any (Source), Any (Service), Any (Destination), Allow (Action) at the top of the rule set. Setting Packet Filter Rules: 1. Under the Packet Filter tab, open the Rules menu. 2. Click on the New button. The entry window will open. [Figure: Packet Filter Rules table (Total 1 entries) and the New Rule entry window with the fields Position, Group, Source, Service, Destination, Action, Comment and Log, the Add Definition button, and the table columns Group, Source, Service, Action, Destination.]
180. is not yet enabled (status light is red). The profile assignment will be enabled by clicking on the status light (status light is green). Profile Name: Select the Surf Protection Profile in this field from the Profiles table. Clicking on the field with the entry opens the drop-down menu. Save your changes by clicking on the Save button. To keep an entry, click Cancel. Assigned local Users: Select the local user from this field. Clicking on this field with the entry opens the selection field. Save your changes by clicking on the Save button. To keep an entry, click Cancel. Important Note: If you are simultaneously assigning a Profile to a local user and to a network, this Profile will only take effect if the user accesses the HTTP proxy from the configured network. Only one Surf Protection Profile can be configured for each user or network. Assigned Network Blocks: Select the Network from this field. Clicking on this field with the entry opens the selection field. Save your changes by clicking on the Save button. To keep an entry, click Cancel. Assigning Surf Protection Profiles: By default, the table already contains a Blank Assignment. If this blank assignment has not been edited yet, continue with step 1. 1. By clicking on the Add blank Assignment button, add a new blank assignment. 2. From the Profile Name field, select the Surf Protection Profile. 3. From the Assigned local User
181. isplayed then. When the menu is closed, the complete set of rules will be displayed again. Quality of Service (QoS): [Figure: example network with a Web Server and an FTP Server behind the Firewall on a 100 MBit/s segment, sharing a 2 MBit/s uplink to the Internet.] The graphic at left, for example, shows a network with a web server and an FTP server. Both servers share a 2 Mbit uplink to the Internet. Due to the protocols, TCP-based applications (e.g. FTP) always use the full bandwidth. It might thus happen that not enough bandwidth is available for the Web Server. Internet Service Providers usually measure the service they provide in terms of bandwidth, measured in kBit/s. If a server tries to cross the saturation boundary (if it tries to send more information than the link can carry), the communication can either slow to a crawl or be dropped altogether. The Quality of Service (QoS) function allows you to assign different priorities to the connections if the Uplink is overloaded. These priorities are defined in the packet filter rules through the Allow, Allow (high priority) and Allow (low priority) actions. Important Note: In order to enable the priorities high priority and low priority, you must select the respective interface for the QoS function in the Network Interfaces menu and also define the values Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). In order to assign the same bandwidth to the connection
182. ity System ... 27
4 WebAdmin ... 34
4.1 Info Box ... 35
4.2 Tab List ... 35
4.3 Menus ... 36
4.3.1 The Status Light ... 36
4.3.2 Selection Fields ... 36
4.3.3 Drop-down Menus ... 38
4.3.4 Lists ... 39
4.4 Online Help ... 40
4.5 Refresh ... 41
5 Using the Security System ... 42
5.1 Basic Settings (System) ... 44
5.1.1 Settings ... 44
5.1.2 Licensing ... 50
5.1.3 Up2Date Service ... 54
5.1.4 Backup ... 62
5.1.5 SNMP Access ... 68
5.1.6 Remote Syslog Server ... 69
5.1.7 User Authentic
183. ity System. DN Template: For the VPN ID Type Distinguished Name you will need the following data from the X.509 tab tree: Country (C), State (ST), Local (L), Organization (O), Unit (OU), Common Name (CN) and E-Mail Address (E). The data must be listed in this entry field in the same order as in a certificate. Comment: You can enter an IPsec user group description in this entry field. Save the IPsec user group by clicking on the Add Definition button. After successful definition, the new IPSec user group will appear in the network table. The IPSec user group name will also be available for use in various configuration menus. Filters: [Figure: networks table with the entries Any (0.0.0.0/0, none), Internal (Address) (interface up, 192.168.5.217, Address of interface Internal), Internal (Broadcast) (interface up, 192.168.5.255, Broadcast address of interface Internal) and Internal (Network) (interface up, 192.168.5.0/24, Network on interface Internal).] The Filters function allows you to filter networks or hosts with specific attributes from the table. This function considerably enhances the management of huge networks, as networks of a certain type can be presented in a concise way. Filtering networks: 1. Click on the Filters button. The entry window will open. Enter the filter attributes in the fields listed. You don't have to define all attributes. Name: If you want to filter the networks by names, enter the expression in the
184. ived, the backup interface will be enabled by the failover. In this entry field, there must always be an IP address for the failover. QoS Status: In order to use Quality of Service (QoS) bandwidth management on an interface, enable this option. To enable the Quality of Service (QoS) function, select On from the drop-down menu. Important Note: For the bandwidth management Quality of Service (QoS) you must define the values for Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). These values are used as the basis for the bandwidth management system; incorrect values can lead to poor management of the data flow. The Quality of Service (QoS) function is described in chapter 5.5.1. Uplink Bandwidth (kbits): These settings will only appear if the QoS function is enabled. In this entry menu, enter the available bandwidth for the Uplink in full kilobits. This value can be determined either from the values of the upstream interface or from the router. On an interface to the Internet, this value corresponds to the bandwidth of the Internet connection: on an ADSL access the Uplink bandwidth amounts to 128 kBit/s and on a 2 Megabit fixed connection to 2048 kBit/s. Downlink Bandwidth (kbits): These settings will only appear if the QoS function is enabled. In this entry menu, enter the available bandwidth for the Downlink in full kilobits. On an interface to the Internet, this value corresponds to the bandwidth of the
185. ject (e.g. the network or user) you wish to add by clicking its name. You can select more than one object at a time by holding the CTRL key while you make your selection. 2. Click the Left Arrow button. The names you selected in the Available window will be moved to the Selected window. Removing Objects from the Selected List: 1. In the Selected list, choose the objects (networks or users) you wish to remove by clicking them. Again, you can select more than one object at a time by holding the CTRL key while you make your selection. 2. Click the Right Arrow button. The objects will be moved back to the Available window. [Figure: Local Users selection menu showing the "Select to append" drop-down.] The second kind of Selection Menu (type B) is used to append objects to a list, for example Authentication Methods or Network Interfaces. As a rule, the administrator must first configure these objects. If there are objects available, the drop-down list in the selection menu will display the message Select to append; otherwise, it will read Empty List. Appending Objects to the List: 1. Open the drop-down menu. 2. Choose the object to add by clicking its name. The name will be moved to the list immediately. Removing Objects from the List: 1. Double-click the name of the object to be removed. The object will be moved back to the drop-down menu immediately. 4.3.3 Drop-down Menus: [Figure: drop-down list of time zones with Europe/Berlin selected.] Drop-down menus are used to
186. l be terminated. IPS Network Exclusions: Specific connections between the networks of the Intrusion Protection System (IPS) can be excluded in this selection menu. The connections will be listed in a table below the selection menu. Clicking the trash can icon deletes the defined connection from the table. Performance Tuning: The performance of the Intrusion Prevention System (IPS) can be enhanced through the settings in this window, in which the servers and ports are defined. The corresponding IPS rules will only be used for the configured servers and ports. The server must first be added as a host in the Definitions/Networks menu. For more information on adding hosts, please refer to chapter 5.2.1 on page 103. Note: If you don't configure a server in this window, the Intrusion Protection System (IPS) will monitor the complete data traffic according to the settings in the Global Settings window. HTTP Service: In this drop-down menu select the target port for the HTTP data traffic by selecting a Service. In the Definitions/Services menu, you can change or add a Service if necessary. The added service will only use the target port number. In the case of a port range, only the first and last port will be used. Example: In a port range 80:8080 the HTTP rule will be used for the target ports 80 and 8080. HTTP Servers: Select the HTTP servers in this selection field. DNS Servers: Select the
187. le, click the domain with the right mouse button. Example: Domain example.com. 2. With the left mouse button, click New and then Group. A new window will open labeled New Object - Group. 3. Enter a unique name for the group in the Group name field. Example: socks_users for the SOCKS Proxy. 4. Under Group type select Security. 5. Save your settings by clicking OK. You have now created a new Security Group named socks_users. Step 2: Adding Users to the Group. 1. In the directory, right-click the username. Example: John Smith in the Trainees directory. 2. Left-click the Properties button. A window named Properties will open. 3. In the Properties window, select the Member Of tab. 4. Click Add to add the new group. The Select Groups window will open. 5. Now choose the Security Group you wish to add the user to. Example: socks_users. 6. Save your changes by clicking OK. The new Security Group will be added in the Member Of window. 7. Save your settings by clicking OK. Now execute the settings on the Internet security system. The settings in the configuration tool WebAdmin are explained on page 87. Microsoft Active Directory (self-defined attributes): User authentication with Microsoft Active Directory can also use user attributes to assign access rights. For large organizations, however, this can be time-consuming to configure. Note: According to the LDAP standard, each user attribute must have an
188. lect. [Figure: POP3 proxy settings window with Content Filter, Virus Protection (Enable), Spam Protection (Enable) and an empty proxied-networks table.] This menu allows you to configure the POP3 Proxy for incoming e-mails. The POP3 proxy works transparently, requiring no configuration on the client side. POP3 requests coming from the internal network on port 110 are intercepted and redirected through the proxy. This process is not visible to the client. The advantage of this mode is that no additional administration or configuration is required on the client of the end user. Configuring the POP3 Proxy: Normally, the POP3 proxy must only be enabled in order to process POP3 requests, as it proxies for all networks by default. The Configured Proxied Networks list displays which networks are to be allowed. If only POP3 requests from certain networks should be forwarded, the configuration must be changed. Note that the drop-down menus contain only those networks you have already defined in the Definitions/Networks menu. Example: POP3 queries from the subnet 192.168.0.0/255.255.0.0 to pop.yoursite.com should be forwarded through the proxy. These networks must first be defined in the Networks menu. Once this is done, continue as follows: 1. In the Proxies tab, open the POP3 menu. 2. Click the Enable button next to Status to start the proxy. An advanced entry window will open. 3. In the Proxied Ne
189. licly assigned IP addresses or private IP addresses according to RFC 1918. In the Action drop-down menu, select the action to execute if a data packet complies with the settings for Source, Service and Destination. In connection with this action, the priority for the Quality of Service (QoS) function is also configured here. Important Note: In order to enable the priorities high priority and low priority, you must select the respective interface for the QoS function in the Network Interfaces menu and also define the values Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). Allow: All packets complying with this rule are allowed to pass. Allow (high priority): All packets complying with this rule are allowed to pass. In addition, this data traffic gets a higher priority if the Uplink is overloaded. Allow (low priority): All packets complying with this rule are allowed to pass through. In addition, this data traffic gets a lower priority if the Uplink is overloaded. Drop: All packets matching this rule are blocked. Reject: All packets complying with this rule are denied. In addition, the firewall will send an ICMP error to the sending computer. Log: Any violation of the rule will be reported in the Packet Filter Live Log. This action is enabled by clicking on the check box. For such filter violations, which take place very often and which are not particularly security relevant and only red
190. lient. In the second step the server replies by setting the ACK bit (Acknowledge) in the header and also transmits the window size. In the last step, the client accepts this with the ACK bit and starts to send the data itself. The firewall accepts PSH packets without having received a TCP handshake. This is necessary if, for example, after a restart of the Internet security system or after a transfer to the second firewall system of a High Availability system, the existing connections shall be maintained. If the Strict TCP Session Handling function is enabled, the connection setup is done by TCP handshake. Validate Packet Length: The Packet Filter checks the data packets for minimal length if the icmp, tcp or udp protocol is being used. The minimal data lengths for the individual protocols are: icmp 22 bytes; tcp 48 bytes; udp 28 bytes. If the data packets are shorter than the minimal values, they are blocked and recorded to the Packet Filter log file with the annotation INVALID_PKT. The log files are administered in the Local Logs/Browse menu. Logging Options: Log Unique DNS Requests: DNS packets which are sent to or through the Firewall and carry a DNS request are recorded to the Packet Filter log file with the annotation DNS_REQUEST. The log files are administered in the Local Logs/Browse menu. Log FTP Data Connections: All FTP data connections, either in th
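To show what the Validate Packet Length check does with real bytes, the following added example (written for this page, not the appliance's own code) builds minimal IPv4 packets for the three protocols and applies the manual's thresholds of 22, 28 and 48 bytes. The manual does not say how the appliance measures the length, so the example assumes the figures refer to the total IPv4 packet length; the packet builder, the sample traffic and the INVALID_PKT log-line format are constructed for the example.

```python
import socket
import struct
from typing import List, Optional, Tuple

# The three minimum lengths the manual states (bytes). Assumption for this
# example: they are compared against the total length of the IPv4 packet.
MIN_LENGTH = {"icmp": 22, "tcp": 48, "udp": 28}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_ipv4(proto: int, l4: bytes, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed IPv4 packet: 20-byte header without options (checksum left 0) plus L4 bytes."""
    total_length = 20 + len(l4)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + l4


def validate_packet_length(packet: bytes) -> Tuple[bool, Optional[str]]:
    """Mirror the check: too-short icmp/tcp/udp packets are blocked and logged with the
    INVALID_PKT annotation. Returns (accepted, log_line); log_line is None when accepted."""
    if len(packet) < 20:
        return False, f"INVALID_PKT len={len(packet)} reason=truncated-ip-header"
    if packet[0] >> 4 != 4:
        return True, None  # only IPv4 is handled in this example
    name = PROTO_NAMES.get(packet[9])
    if name is None:
        return True, None  # the check applies only to icmp, tcp and udp
    minimum = MIN_LENGTH[name]
    if len(packet) < minimum:
        return False, f"INVALID_PKT proto={name} len={len(packet)} min={minimum}"
    return True, None


def filter_packets(packets: List[bytes]) -> Tuple[List[bytes], List[str]]:
    """Return the packets that pass plus the Packet Filter log lines for the blocked ones."""
    passed, log = [], []
    for pkt in packets:
        ok, line = validate_packet_length(pkt)
        if ok:
            passed.append(pkt)
        else:
            log.append(line)
    return passed, log


def sample_packets() -> List[bytes]:
    # Constructed traffic: a bare UDP header, a UDP packet cut one byte short,
    # a TCP header with 8 bytes of options, a bare ICMP header, and a truncated TCP header.
    return [
        build_ipv4(17, bytes(8)),    # 28 bytes: exactly the udp minimum, passes
        build_ipv4(17, bytes(7)),    # 27 bytes: blocked
        build_ipv4(6, bytes(28)),    # 48 bytes: exactly the tcp minimum, passes
        build_ipv4(1, bytes(8)),     # 28 bytes: above the 22-byte icmp minimum, passes
        build_ipv4(6, bytes(12)),    # 32 bytes: blocked
    ]


if __name__ == "__main__":
    accepted, log_lines = filter_packets(sample_packets())
    print(f"{len(accepted)} packets passed")
    for line in log_lines:
        print(line)
```

Protocols other than icmp, tcp and udp (for example GRE) pass the check untouched, matching the manual's statement that the minimum applies only to those three.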
191. light): all IP addresses can ping the firewall; when ICMP forwarding is enabled, computers on the external network can ping hosts behind the firewall. Pings to single IP addresses cannot then be blocked with packet filter rules. Important Note: Settings configured here take precedence over rules configured in the packet filter rules table. When the ICMP settings are disabled, packet filter rules can be used to allow specific IP addresses or networks to ping the firewall or internal network. ICMP Forwarding: This allows you to forward all ICMP packets behind the firewall. This means that all IPs in the local network and in all connected DMZs can be pinged. Click the Enable button to enable the function (status light shows green). Important Note: If you wish to disable ICMP forwarding, you must ensure that the Packet Filter Rules menu does not contain a rule of the form Any (Source), Any (Service), Any (Destination), Allow (Action). Otherwise ICMP forwarding will remain active irrespective of the setting here. ICMP on Firewall: The firewall directly receives and forwards all ICMP packets. This is enabled by default (status light shows green). Click the Disable button to disable the function (status light shows red). Note: ICMP on firewall must be activated to use the Ping action. The action is described in more detail in the Network/Ping Check menu and is described in chapter 5.
192. lin [Figure: drop-down list of time zones: Bratislava, Brussels, Bucharest, Budapest, Chisinau, Copenhagen, Dublin, Gibraltar, Helsinki, Istanbul.] Drop-down menus are used to configure functions that can have only one of a few values. To use them, simply select the value from the list; as a rule, values chosen in drop-down menus take effect immediately. Lists are used, in contrast, to configure functions that allow more than one value to be configured and where the listed objects do not need to be first defined by the administrator. In some instances, the order of the configured values is also relevant. Each list can contain many pages of values, and each page displays ten entries. [Figure: list of e-mail addresses (sample entries such as do-not-reply@fw-notify.net and mustermann@agency.com) with page navigation in the first row.] The Interfaces menu, for instance, uses a list to allow access to the Wireless LAN Access Point. The first row of the table shows the number of pages in the list on the left (the current page is shown in white) and the total number of entries on the right (next to the symbol). Note that if you roll the mouse over one of the red page numbers, a tooltip appears showing the first and last entries on that page. See pi
193. ll [Figure: example topology: Internal Network connected to the Firewall at eth0 (192.168.2.100); eth1 (NIC IP address) connected via PPTPoE to the ADSL modem, which dials the Internet Service Provider over PPPoA; the Add Interface window shows the fields Hardware, QoS Status, Username and Modem IP Address.] such as an ADSL modem with an uplink failover on an Ethernet port. The connection to the Internet proceeds through two separate connections (see graphic). Between the security system and the ADSL modem, a connection using the PPTP over Ethernet protocol is established. The ADSL modem is, in turn, connected to the ISP using the PPP over ATM dialing protocol. The configuration will require the DSL connection information, including username and password, provided by your Internet Service Provider. Note: The installation and specific settings required for DSL connections are described in the DSL Network guidebook. Also note that, once the DSL connection is activated, the security system will be connected to your ISP 24 hours a day. You should therefore ensure that your ISP bills on a flat-rate or bandwidth-based system rather than based on connection time. The DSL Network guidebook is available at http://docs.astaro.org. Configuring PPTP over Ethernet (PPPoA DSL): 1. In the Network tab, open the Interfaces menu. 2. Click the New button to open the Add Interface window. 3. In the Name entry field, enter a descriptive name for the interface. 4. Use the Hardware drop-down menu t
194. ll road warriors use the same type of authentication (PSK, RSA or X.509); a mixed operation can result in malfunctions. Further configuration parameters can be set for the chosen connection type. 4. Make the following basic settings for the IPSec VPN connection: IPSec Policy: The policy controls the parameters for the VPN connection. This includes the settings for Key Exchange (IKE) and the IPSec connection. The drop-down menu contains a number of pre-defined policies. You can define custom ones in the IPSec VPN/Policies menu. Note: A standard policy is used for the MS Windows L2TP/IPSec type of connection. The configuration of IPSec Policies is detailed in chapter 5.7.2 on page 277. Auto Packet Filter: Once the IPSec VPN connection is successfully established, the packet filter rules for the data traffic will automatically be added. When the connection is terminated, the packet filter rules will be removed. The Auto Packet Filter function is available for the Standard and road warrior connection types. Security Note: If you want greater control over the packet filter rules, or wish to manage them in a more centralized way, disable the Auto Packet Filter function and enter the rules manually in the Packet Filter/Rules menu. Strict Routing: When this function is enabled (On), VPN Routing is not only done with the destination address, but in harmony with the source and destinat
195. lso chapter 1 on page 9. The IPSec standard defines two service modes and two protocols: Transport Mode; Tunnel Mode; Authentication Header (AH), the authentication protocol; Encapsulated Security Payload (ESP), the encryption (and authentication) protocol. IPSec also offers methods for manual and automatic management of Security Associations (SAs) as well as key distribution. These characteristics are consolidated in a Domain of Interpretation (DOI). [Figure: IPSec Architecture: Transport Mode and Tunnel Mode; AH Protocol with Authentication Algorithm (MD5, SHA-1) and ESP Protocol with Encryption Algorithm (DES, 3DES); Domain of Interpretation (DOI); SA and Key Management (Manual and Automatic).] Note: This security system uses the Tunnel Mode and the Encapsulated Security Payload (ESP) protocol. IPSec Modes: IPSec can work in either Transport Mode or Tunnel Mode. In principle, a host-to-host connection can use either mode. If, however, one of the endpoints is a security gateway, the Tunnel Mode must be used. The IPSec VPN connections on this security system always use the Tunnel Mode. [Figure: Transport Mode packet layout: the original IP header is retained and is followed by the encrypted payload.] In Transport Mode, the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authen
196. lso called the trusted and untrusted interfaces, respectively. Network cards are automatically recognized during the installation; if new network cards are added later, a new installation will be necessary. In order to re-install the system, simply make a backup of your configuration, install a new copy of the software, and re-load your backed-up configuration. [Figure: correct topology (Internet, Firewall and LAN on separate segments) versus wrong topology (internal and external interfaces connected to one hub).] As is shown in the graphic at left, the firewall must be the only point of contact between internal networks and external ones. All data must pass through the security system. We strongly recommend against connecting internal and external interfaces to one hub or switch, except if the switch is configured as a VLAN switch. There might be wrong ARP resolutions (Address Resolution Protocol, ARP clash) which cannot be administered by all operating systems (such as those from Microsoft). Therefore, one physical network segment has to be used for each firewall network interface. The Interfaces menu allows you to configure and manage all network cards installed on the security system and also all interfaces with the external network (Internet) and interfaces to the internal networks (LAN, DMZ). Note: While planning your network topology and configuring the security system, take care to note which interface is connected to which network. I
197. m, and that you keep the worksheets in a safe place for future reference. Attention: If you are upgrading your system from version 4 to version 5, and you wish to keep the settings from your existing installation, you must first upgrade your system to version 4.021 at least. Only backup files from this or higher versions of Astaro Security Linux can be loaded into Version 5. Further information on the Up2Date Service and the Backup function can be found in chapters 5.1.3 and 5.1.4. 3.1 System Requirements: The requirements for installing and using this security system are: Hardware: Processor: Pentium II or compatible (up to 100 users); Processor: Pentium III or compatible (up to 100 users); 256 MB RAM; 8 GB IDE or SCSI hard drive; bootable IDE or SCSI CD-ROM drive; 2 or more PCI Ethernet network cards; for wireless LAN access, a wireless LAN PCMCIA card with the Prism2 chipset (or compatible). Important Note: The High Availability (HA), Wireless LAN, and Virtual LAN subsystems require extra hardware. Please check the Hardware Compatibility List for Astaro Security Linux, available at http://docs.astaro.org, for compatibility. To make Heart Beat Monitoring of the High Availability (HA) system easier, we recommend using network cards that support link beat for all interfaces. The installation of the HA system is described in detail in chapter 5.1.10 on page 97. Administr
198. m is turned off without being shut down properly, the system must check the consistency of the file system; this means that the next boot will take longer. In the worst case, data may be lost. The system will beep five times in a row to signal a successful startup. Shut down: 1. Under the System tab, open the Shut down/Restart menu. 2. In the Action drop-down menu, choose the Shut down action. 3. Begin the shutdown by clicking Start. 4. When asked "Do you really want to shut down?", click OK. 5.2 Networks and Services (Definitions): The Definitions tab allows you to define networks and services for all of the other configuration menus (e.g., the packet filter, VPN, proxies, etc.) in one central location. This allows you to work with the names you define, rather than struggling with addresses, ports, and network masks. Another advantage is that you can group individual networks and services together and configure them all at once. If, at a later date, you assign certain settings to these groups, they will apply to all networks and services contained therein. It is even possible to make groups of groups. Local users for the proxy services can also be defined here. 5.2.1 Networks: [Figure: Network Definitions table with the Add Definition button; entries Any (0.0.0.0/0, none) and Internal (Address) (interface up, 192.168.5.217).] In the Networks menu, the hosts and networks and also the network groups are defined.
199. ministratively enable or disable the interface. The functions in the Actions column allow you to edit the configuration of the interface, or to delete it entirely. With this Internet security system, you assign one Name and also a specific network card to one virtual interface. Three logical networks will then be defined for each configured interface: an interface (NAME (Address)) consisting of the defined IP address and the network mask 255.255.255.255 (Host); an interface (NAME (Network)) consisting of the defined IP address and the network mask 255.255.255.255 (Network); a Broadcast (NAME (Broadcast)) network, consisting of the broadcast IP for this interface and the network mask 255.255.255.255 (Host). The networks are shown in the Networks menu. If an interface is configured using a dynamic addressing scheme, for example through DHCP or PPPoE, these settings are automatically updated. This means that all functions (for example, packet filter rules) configured with these aliases will automatically use the correct addresses. Hardware List: [Figure: hardware table.] This table lists all network cards installed on the security system, together with the relevant hardware information. The table shows, for example, the system-assigned ID (Sys ID), type of network card (hardware), MAC address (Name/Parameters), and PCI bus information (Bus/Device/Function, PCI Device ID).
200. municate with the external (public) address of the security system. DNAT can, in this case, take packets addressed to port 80 of the system's address and forward them to the internal web server.

Note:
The method of setting up a web server behind the Internet security solution is described in the Web Server DNAT guidebook. The Web Server DNAT guidebook is available at http://docs.astaro.org.

Source Network Address Translation (SNAT) is another special case of NAT, and functions just as DNAT does, with the difference that source addresses, rather than destination addresses, are translated. This is useful in complex networks where replies should be sent from other network addresses.

Tip:
To build a simple translation system from an internal network to the Internet, use the Masquerading function instead of SNAT.

In contrast to Masquerading, which is dynamic, SNAT uses a static address translation. That is, every internal address is translated to its own externally visible IP address.

Note:
In order to forward port 443 (HTTPS) to an internal server, you must first change the value of the WebAdmin TCP Port (e.g. 1443) for WebAdmin in the System/WebAdmin Settings menu. This function is described in chapter 5.1.8 (General Settings).

Note:
Because translation occurs before packet filtering, you must ensure that appropriate rules are entered in the Packet Filter/Rules menu. More informati
201. nection type, the authentication is based on Preshared Keys. Enter the password into this entry field.

8. Save these settings by clicking Add.

The newly configured IPSec profile will appear, deactivated, at the bottom of the table (status light is red). Clicking on the status light enables the IPSec connection.

After you configure a new VPN tunnel, you will need to establish the related packet filter rules to allow the two computers to communicate. Configuring packet filter rules is described in chapter 5.4 on page 179.

Example:
In order to set up a Net-to-Net VPN connection (between network 1 and network 2), you will need to define the following rules:

1. Under the Packet Filter tab, open the Rules menu.
2. In the Add Rules window, add the following rule for network 1:
   Source: Network 1, Service: Any, Destination: Network 2, Action: Allow
3. Confirm the entries by clicking on Add Definition.
4. In the Add Rules window, add the following rule for network 2:
   Source: Network 2, Service: Any, Destination: Network 1, Action: Allow
5. Confirm the entries by clicking on Add Definition.

These rules will allow complete access between the two networks.

5.7.2 Policies

IPSec Policies

In the Policies menu, you can customize parameters for IPSec connections and
202. 5.9 Local Logs (Log Files)

The logs generated by the system will be managed in the Local Logs tab.

5.9.1 Settings

Local Logging

Configure the basic settings for the creation of log files in the Settings menu.

Status: Click the Enable button to enable the function (status light shows green).

Important Note:
When this function is disabled, the Internet security system will not create log files.

Local Log File Archives: This function locally stores generated log files on the security system. Configure the settings for the local log file archive in the Local Log File Archive window. By default, this function is enabled automatically once the logging functions are enabled.

Remote Log File Archives: This function allows you to save the generated log files to a remote host or server. The settings for the automation of the log file archive on a separate server are configured in the Remote Log File Archive window.

Local Log File Archive

This window allows you to observe the utilization of the local log file partition. The diagram first displays the used disk space in MB as well as the utilizati
203. n Up2Date window, click the Start button under Update now.

The system now checks whether new Pattern Up2Date packages are available on the Update Server, then downloads and installs them on the Internet security system. Details on the complete Up2Date process can be found in the Log Window, shown in real time. When the DONE message appears, the process has completed successfully.

The Installed Pattern Date will be updated when you click the Up2Date Service under the System tab, or when you next open this menu.

When using the High Availability (HA) solution, the virus scanner on system 2 will be automatically synchronized with system 1.

Automatic Pattern Up2Date

1. Open the Up2Date Service menu in the System tab.
2. Click the Enable button under Update automatically.
3. In the selection menu Interval, specify how often the security system should contact the Up2Date Server to check for new Pattern Up2Dates. The available choices are: every hour, every day, or once per week.

Security Note:
Choose the hourly update option to ensure that your system is always up to date.

The automatic Pattern Up2Date is now activated. The security system will contact the Up2Date Server at regular intervals and check for new Pattern Up2Dates. Whenever new Pattern Up2Dates are installed, the administrator will be sent an e-mail containing a list of the newest virus signatures.

When using the High Availability (HA
204. n chapter 4.3.4 on page 39.

The Header

Many of the functions will add headers to the messages scanned. The header informs the user about specific characteristics of a message. If you select the Pass action, recipients can configure their e-mail programs to filter messages with high spam scores. The following is a list of the headers the SMTP proxy may insert:

• X-Spam-Score: This header is added by the Spam Detection module. It contains a score, consisting of a numerical value and of a number of minus and plus characters. The higher the value, the more likely it is that the message is spam. If you select the Pass action under Spam Detection, recipients can configure their e-mail programs to filter messages with high spam scores.
• X-Spam-Flag: This header is set to Yes when the proxy classifies a message as spam.
• X-Spam-Report: The proxy identified a message as spam. The added multiline header contains a readable and accessible anti-spam report.
• X-Infected: This header is added if a virus is detected within the message. The value of the header is the name of the virus found.
• X-Contains-File: When the File Extension Filter is enabled and an attachment with a potentially dangerous extension is found, the proxy will add this header.
• X-Regex-Match: When the Expression Filter is enabled and an attachment matching the configured regular expression is found, the proxy will add this header.
• X
205. n in the field at right. The field should be empty if you select the X509 DN option.

In the Name field, enter a descriptive name for this certificate request. Allowed characters are: only alphanumeric and underscore characters are allowed.

Enter a password with at least four characters in the Passphrase field.

Use the Key Size drop-down menu to select the desired key length.

Use the drop-down menus and entry fields from Country to E-Mail Address to enter identifying information about the certificate holder.

Common Name: If the CSR is for a road warrior connection, enter the name of the user here. If the CSR is for a host, enter the hostname.

To save the entries, click on the Start button.

The certificate request (CSR+KEY) will appear in the Host CSRs and Certificates table. The table will also show the type, name, and VPN IP of the CSR. The request can now be signed by the Signing CA created in the first step.

Step 3: Generate the Certificate

1. In the Host CSRs and Certificates table, select the CSR+KEY certificate request.
2. Use the drop-down menu at the bottom of the table to select the Issue CERT from CSR function.
3. An entry field labeled Signing CA Passphrase will appear. Enter the password of the Signing CA here.
4. Click Start.

From the CSR+KEY, the CA will generate the CERT+KEY certificate; the certificate will replace the CSR in
206. n most configurations, the network interface with SysID eth1 is chosen as the connection to the external network. In order to install the High Availability (HA) system, the selected network cards on both systems must have the same SysID. Installing the HA system is described in more detail in chapter 5.1.10 on page 97.

The following sections explain how to use the Current Interface Status and Hardware List windows to manage the various interface types.

Current Interface Status

This window allows you to configure both logical and virtual interfaces. The table lists all interfaces which have already been configured. The graphic at left shows the Interfaces menu after three Ethernet network cards have been configured.

During the installation, you will have configured the eth0 interface. This interface is the connection between the security solution and the internal network (LAN). By default, this network card is named Internal. The table displays all of the most important information about the interfaces: the administrative status (enabled/disabled, indicated by a green or red status light), the current connection status (Up/Down), the Name (Name), the ID (Sys ID), the network card type (eth/wlan), as well as the IP address and network mask (Parameters).

Click the status light in the Admin column to ad
207. ncrypted and are transferred over a secure channel. Only Astaro is entitled to create and digitally sign new Up2Date packages. Any unsigned or forged Up2Date packages are rejected and deleted.

Pattern Up2Date

Astaro maintains a number of servers for both System Up2Date and Pattern Up2Date that are contacted in the given sequence. If the first Up2Date server is not available, the system will automatically query the next system or pattern Up2Date server in the list.

In order to download updates, the Up2Date Service makes a TCP connection to the update server on port 443. The security system will permit this connection without any adjustment. If there is another security system in place upstream, you must allow the communication via port 443 TCP to the update servers.

Important Note:
When using the High Availability (HA) system, please note the special functions of System Up2Date.

System Up2Date

The System Up2Date function allows you to import system patches and new security features into your Internet security system. The Up2Date packages can be downloaded either manually over an encrypted connection or automatically from the Update Server. If you don't have an Internet connection, you can also import Up2Date packages from a local volume.

Newly imported Up2Date packages are presented with their respective version number and file name in the Unapplied Up2Dates table.
208. nd in the Local Logs/Browse menu. By default, this function is disabled. Enable this function by clicking on the Enable button (status light on green).

Block Password Guessing

This function can be used to limit the number of attempts to log in to the WebAdmin configuration tool. After a specific number of attempts, access from this IP address will be denied for a given time span.

Configuring the blocking protection for login attempts:

1. Configure the maximum allowable number of attempts in the After failed Attempts drop-down menu.
2. Enter the time span for the blocking protection in the Block IP for Period entry field.
3. Save your changes by clicking Save.

Now the blocking protection is enabled. The Never block Networks window allows you to exclude networks or hosts from the blocking protection.

5.1.9 WebAdmin Site Certificate

Encryption systems are an important part of many modern security systems. They are used, for example, when transmitting confidential information over Virtual Private Networks (in chapter 5.7 on page 260), in user authentication and the Up2Date Service, or to securely administer the security system
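The lockout behaviour described above (After failed Attempts, Block IP for Period, Never block Networks) as an added example, written for this page and not taken from the product; the class name, method names and all sample addresses and values are constructed.

```python
import ipaddress
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class LoginGuard:
    """Model of the Block Password Guessing setting (example code, not the product's own).

    max_failed_attempts  corresponds to "After failed Attempts"
    block_period_seconds corresponds to "Block IP for Period (seconds)"
    never_block_networks corresponds to the "Never block Networks" list
    """

    def __init__(self, max_failed_attempts: int, block_period_seconds: int,
                 never_block_networks: List[str]) -> None:
        if max_failed_attempts < 1 or block_period_seconds < 1:
            raise ValueError("attempt limit and block period must be positive")
        self.max_failed_attempts = max_failed_attempts
        self.block_period_seconds = block_period_seconds
        # Hosts and networks listed here are never locked out (e.g. the admin LAN).
        self.never_block_networks = [ipaddress.ip_network(n, strict=False)
                                     for n in never_block_networks]
        self._failures: Dict[IPAddr, int] = {}          # consecutive failures per client
        self._blocked_until: Dict[IPAddr, float] = {}   # client -> end of block (epoch secs)

    def is_exempt(self, addr: IPAddr) -> bool:
        return any(addr in net for net in self.never_block_networks)

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the client address is inside an active block period."""
        until = self._blocked_until.get(ipaddress.ip_address(ip))
        return until is not None and now < until

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one WebAdmin login attempt.

        Returns "allowed" (login succeeds), "rejected" (wrong password, not yet
        locked out) or "blocked" (client is locked out; even a correct password
        is refused until the block period expires).
        """
        addr = ipaddress.ip_address(ip)
        if self.is_exempt(addr):
            return "allowed" if password_ok else "rejected"

        until = self._blocked_until.get(addr)
        if until is not None:
            if now < until:
                return "blocked"
            # Block period over: forget the block and start counting afresh.
            del self._blocked_until[addr]
            self._failures.pop(addr, None)

        if password_ok:
            self._failures.pop(addr, None)   # a success resets the counter
            return "allowed"

        failures = self._failures.get(addr, 0) + 1
        if failures >= self.max_failed_attempts:
            # Limit reached: deny this address for the configured period.
            self._blocked_until[addr] = now + self.block_period_seconds
            self._failures.pop(addr, None)
            return "blocked"
        self._failures[addr] = failures
        return "rejected"
```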
209. nel with ID 0x133a has been established, and the IP address of the Remote Endpoint is 233.23.43.1.

Example:
A B -> C => D
23 192.168.105.0/24 -> 192.168.104.0/24 => tun0x1234@123.4.5.6

This message shows that 23 data packets have been sent from network 192.168.105.0/24 to network 192.168.104.0/24. The tunnel's ID number is 0x1234, and the remote endpoint has IP address 123.4.5.6.

Configuring an IPSec Connection

1. Under the IPSec VPN tab, open the Connections menu.
2. Enable the option by clicking Enable in the Global IPSec Settings window. The New IPSec Connection window will open.
3. In the Name field, enter a descriptive name for the new IPSec VPN connection.

Name: Enter a descriptive name for this IPSec VPN tunnel. Allowed characters are: only alphanumeric and underscore characters are allowed.

Type: Choose the type of connection to use. Use Standard for Net-to-Net connections. The Road Warrior, Road Warrior CA and MS Windows L2TP/IPSec connection types are useful for Host-to-Net connections, e.g. for sales representatives. The telecommuter will then be able to build an IPSec connection to the firm's internal network. A road warrior connection can only be used through a default gateway.

Note:
Multiple remote key objects can be added to a single road warrior connection. This can serve to reduce configuration hassles. It must be respected, however, that a
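A parser for the tunnel status message explained above, as an added example that is not part of the manual; it assumes the FreeS/WAN eroute layout `<packets> <src net> -> <dst net> => tun<id>@<endpoint>`, and the sample lines other than the manual's own are constructed. It also flags established tunnels with a zero packet counter, the symptom of missing packet filter rules after a new tunnel is configured.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# FreeS/WAN-style eroute line, as in the manual's example:
#   23 192.168.105.0/24 -> 192.168.104.0/24 => tun0x1234@123.4.5.6
# i.e. <packets> <source net> -> <destination net> => tun<id>@<remote endpoint>
EROUTE_RE = re.compile(
    r"^\s*(?P<packets>\d+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"\s*=>\s*tun(?P<tun>0x[0-9A-Fa-f]+)@(?P<peer>\S+)\s*$"
)


class Eroute(NamedTuple):
    packets: int
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    tunnel_id: int
    remote_endpoint: ipaddress.IPv4Address


def parse_eroute(line: str) -> Optional[Eroute]:
    """Parse one eroute message; return None for lines in any other format."""
    m = EROUTE_RE.match(line)
    if m is None:
        return None
    try:
        return Eroute(
            packets=int(m["packets"]),
            source=ipaddress.IPv4Network(m["src"], strict=False),
            destination=ipaddress.IPv4Network(m["dst"], strict=False),
            tunnel_id=int(m["tun"], 16),
            remote_endpoint=ipaddress.IPv4Address(m["peer"]),
        )
    except ValueError:   # malformed address, mask or counter
        return None


def packets_per_tunnel(lines: List[str]) -> Dict[int, int]:
    """Sum the packet counters of all eroute lines, keyed by tunnel ID."""
    totals: Dict[int, int] = {}
    for line in lines:
        e = parse_eroute(line)
        if e is not None:
            totals[e.tunnel_id] = totals.get(e.tunnel_id, 0) + e.packets
    return totals


def idle_tunnels(lines: List[str]) -> List[int]:
    """Tunnel IDs that are established but have carried no packets.

    A zero counter on a freshly configured tunnel usually means the packet
    filter rules allowing traffic between the two networks are still missing
    or still disabled.
    """
    return sorted(t for t, n in packets_per_tunnel(lines).items() if n == 0)


# Constructed sample: the manual's line, two made-up tunnels and a non-eroute line.
SAMPLE_EROUTES = [
    "23 192.168.105.0/24 -> 192.168.104.0/24 => tun0x1234@123.4.5.6",
    "0 10.1.0.0/16 -> 10.2.0.0/16 => tun0x2002@198.51.100.9",
    "7 10.1.0.0/16 -> 10.3.0.0/24 => tun0x2003@203.0.113.4",
    "IPsec SA established with remote peer",
]
```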
211. ng Add.

The new policy will appear in the IPSec Policies table.

5.7.3 Local Keys

Local IPSec X.509 Key

The Local Keys menu allows an administrator to manage local X.509 certificates, to define the local IPSec identifier, and to generate a local RSA key pair.

Local IPSec RSA Key

Please select a key size and click Save to generate the local RSA key. A key size of at least 2048 bits is recommended.

Local IPSec X.509 Key

In this window, you can define keys for X.509 certificates, provided you have already generated these certificates in the IPSec VPN/CA Management menu. Chapter 5.7.6 on page 290 describes the process of generating X.509 certificates.

If you wish to use X.509 authentication, use the Local certificate drop-down menu to select the certificate. This menu only contains those certificates for which the associated private key is available. In the Passphrase field, enter the password used to secure the private key.

The active key will appear with its name in the Local IPSec X.509 Key window. If you choose a new local key, the old key will automatically be replaced.

The firewall will use the ID and public/private key pair of the current local X.509 key to sign, authenticate, and encrypt X
212. ng menu. This will, however, usually only be necessary in complex network environments.

10. Configure the DNS Proxy

In order to speed up name resolution, you can specify a local DNS name server (or one provided by your ISP) in the Proxies/DNS menu. Otherwise, the security system will automatically use the root name servers. If you wish to use the proxy, you should configure the DNS Proxy settings now. More information about configuring the DNS Proxy can be found in chapter 5.6.2 on page 227.

11. Connect Other Networks

If you wish to connect other internal networks to the security system, attach their cables now.

12. Configure the HTTP Proxy

If computers on the internal network should use the HTTP proxy to connect to the Internet, open the HTTP menu in the Proxies tab and click Enable. The configuration of the HTTP proxy is described in more detail in chapter 5.6.1 on page 210. Please note that the computers on the internal network will have to be configured to make use of the proxy.

13. Configure the Packet Filter

In the Rules menu under the Packet Filter tab, you can establish packet filtering rules. By default, all packets are filtered until you explicitly enable certain services. New rules are added to the bottom of the list, and are inactive until explicitly enabled. The rules are processed starting with the first and moving down the list, stopping at the first applicable rule. To
213. ngs

Name: In the entry field, enter a unique Service name. This name will be used later, for example to configure packet filter rules. Allowed characters are: the only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.

Type: Select Service from the drop-down menu.

Protocol: Select the Protocol from the drop-down menu.

Source/Destination Ports: In the left entry menu, enter the Source Port, that is the Client Side of the service. In the right entry menu, enter the Destination Port, that is the Server Side of the service.

The other settings depend on the selected protocol.

For the TCP and UDP protocols, you need the following two values. Entry options: a single port (e.g. 80) or a port range (e.g. 1024:64000).

5. Source/Destination Ports: In the left-hand entry menu, enter the Source Port, i.e. the Client Side of the service. In the right-hand entry menu, enter the Destination Port, i.e. the Server Side of the service.

The ESP and AH protocols are used for IPsec VPN connections. The port entered here should be agreed upon with the remote end of the IPSec VPN tunnel.

SPI: Enter a value from 256 to 65535. Values up to and including 255 are reserved by the Internet Assigned Numbers Authority (IANA).

For the ICMP protocol, select a type of ICMP packet from the ICMP type drop-down menu.

For the IP protocol, enter the protocol num
214. ns a blank Surf Protection Profile.

To add a new blank Surf Protection Profile to the table, click on the Add blank Profile button. There you can edit the Surf Protection Profile.

Editing Surf Protection Profiles:

1. In the Profiles table, go to the Surf Protection Profile that you wish to edit.
2. In the Name field, enter a descriptive name for the Surf Protection Profile.
3. Now make the settings for the Surf Protection Categories functional group in the following order:

Surf Protection Categories: In this field, choose the website topics to which access should be blocked from your network.

URL Whitelist: In the access control list, enter those Internet addresses for which you wish to allow access, even though their topic matches a topic in the Surf Protection Categories field.

URL Blacklist: In the access control list, enter those Internet addresses for which you wish to forbid access, even though their topic doesn't match a topic in the Surf Protection Categories field.

Security Note:
In the HTTP protocol, the header of the request is filtered by the HTTP cache proxy (Squid). This is different in the HTTPS protocol: in this case, Squid does not read the header of the request but performs a pass-through. Therefore, the requested URL is unknown and cannot be filtered. This means that the Surf Protection option cannot block HTTPS URLs on the basis of whitelists or blacklists.
215. ns and immediately informs the administrator via e-mail when one is detected. The administrator can also decide what further measures should be taken in response to the scan. The e-mail address of the administrator can be configured in the System/Settings menu.

Security Note:
The administrator should take special care that all systems have the most recent security patches installed. The Up2Date service, which updates the security system itself, is detailed in chapter 5.1.3 on page 54.

Notification Levels

If the Intrusion Protection System (IPS) detects IPS attack signatures or prevents an intrusion, the system will send a message to the administrator. The e-mail address of the administrator can be configured in the System/Settings menu.

Detected Packets: Use this drop-down menu to select the severity level from which on a warning should be sent (Intrusion Detection):

• All levels: for each level of risk
• High and medium severity: for high and medium levels of risk
• High severity only: only for high risk levels
• None: no warning will be sent

Blocked Packets: Use this drop-down menu to select the level of risk from which on a warning should be sent (Intrusion Prevention):

• All levels: for each level of risk
• High and medium severity: for high and medium levels of risk
• High severity only
216. ntation errors.

For example, this security solution includes the following proxies:

• An HTTP proxy with Java, JavaScript and ActiveX
• An SMTP proxy, which scans e-mails for viruses and controls e-mail distribution
• A SOCKS proxy, which acts as a generic authenticating circuit-level proxy for many applications

Application-level gateways have the advantage of allowing the complete separation of protected and unprotected networks. They ensure that no packets are allowed to move directly from one network to the other. This results in reduced administration costs: as proxies ensure the integrity of protocol data, they can protect all of the clients and servers in your network, independent of brand, version, or platform.

Protection Mechanisms

Some firewalls contain further mechanisms to ensure added security.

One such mechanism is supporting the use of private IP addresses in protected networks through Network Address Translation (NAT), specifically:

• Masquerading
• Source NAT (SNAT)
• Destination NAT (DNAT)

This allows an entire network to hide behind one or a few IP addresses, and hides the internal network topology from the outside. This allows internal machines to access Internet servers while making it impossible to identify individual machines from the outside.

Using Destination NAT, it is nevertheless possible to mak
217. nter its IP address here. If you do not use a BDC, enter the name of the PDC here.

NT4 Domain: Enter the name of your MS Windows NT/2000 Domain. Allowed characters are: letters of the alphabet, digits from 0 to 9, hyphen, and underscore characters.

Note:
This is not the Internet domain (as in Company.com), but rather a simple designator, e.g. Intranet. If you are using a stand-alone server rather than a Domain Controller, enter its NETBIOS name here. This corresponds to the PDC Name entry.

Click the Save button to save these settings.

Security Note:
For the Shared Secret, only passwords consisting of alphanumeric, minus (-) and period (.) characters are allowed. Other characters, for example "_", are not allowed.

Security Note:
If you use SAM authentication, make sure to disable the Guest account on your Windows domain. Otherwise all username/password combinations will be accepted as valid.

5.1.7.3 LDAP Server

LDAP, the Lightweight Directory Access Protocol, defines the way in which clients communicate with X.500-conforming directory services. The protocol thus specifies the type of access to such a directory service.

The security system uses the LDAP protocol to authenticate users for several of its services. The security system allows or denies access on the basis of certain attributes or group memberships established on the LDAP server. This system supports the Microsoft Active Dir
218. day summarizes their size. Statistics for the preceding month are also generated at the beginning of each new month. These statistics are then used to generate a report. This report is useful, for instance, when an organization pays its service provider based on the volume of data transmitted.

Accounting is configured and enabled in the Network/Accounting menu. Further information is available in chapter 5.3.7 on page 175.

Browse Accounting Reports: The existing accounting reports will be displayed in this window. Select the month from the Select Report drop-down menu. The report will appear in the window below. Use the Local Logs/Browse menu to download or delete reports.

Report for current Month: This window displays the accounting report for the current month.

Configuring Accounting:

1. Under the Reporting tab, select the Accounting menu.
2. Enable the Accounting Reports subsystem by clicking the Enable button. The entry window will open.
3. Use the selection field in the Queried networks window to select the networks for which detailed reports should be generated. This will usually include your LAN and/or DMZ networks. Please see chapter 4.3.2 on page 36 for a description of how to use selection fields.

Important Note:
Do NOT use the "Any" network, since it will match all source and destination networks, meaning no traffic will be counted in the re
219. o select a network card.

Tip:
For an external connection (e.g. to the Internet), choose the card with Sys ID eth1.

You cannot choose a network card that has already been configured with a primary network address.

5. Use the Type drop-down menu to select the PPTP over Ethernet (PPPoA DSL) connection interface type. You will need the connection settings provided by your ISP to configure the following settings.

Address: If you have not been assigned a static IP address by your provider, keep the default Assigned by remote setting here. If you have a static IP address, choose Static from the drop-down menu and enter the address in the entry field.

Default Gateway: You should probably keep the default setting Assigned by remote. Other possible values are Static and None.

Modem IP Address: Enter the IP address of your ADSL modem here. This address will usually be provided by your ISP or the modem hardware, and cannot be changed. Example: 10.0.0.138 (with AonSpeed).

NIC IP Address: Enter the IP address of the network card on the security system which is attached to the modem here. This address must be in the same subnet as the modem. Example: 10.0.0.140 (with AonSpeed).

NIC Netmask: Enter the network mask to use here. Example: 255.255.255.0 (with AonSpeed).

Address to Ping: In order to test the connection between the security system and the external network, you can enter an IP address of a hos
220. of the attribute. The possible values are TRUE and FALSE.

Value(s): The current value of the attribute is shown here.

6. Save your settings by clicking OK.

Now make the settings on the Internet security system. The settings in the configuration tool WebAdmin are explained on page 87.

Configuring a Novell eDirectory Server

Make sure that there is a user configured on your LDAP server to have full read privileges for the directory. This will be the query user.

Security Note:
Make sure that the user has only read privileges.

In most cases, you should use the groupMembership query type with Novell eDirectory (NDS8), as this allows an existing user index to be easily extended for proxy rights.

The index can also be configured to use user-defined attributes, which must be manually set for each user in the index. If you wish to authenticate on the basis of particular User Attributes, every user account in the directory must be edited to define access rights. This is done by setting a particular attribute for each user which either grants or denies access to a service.

You will need Novell ConsoleOne to configure the eDirectory Server.

The configuration and management of the Novell eDirectory server is described in detail in the accompanying documentation. You can find these documents at:
http://www.novell.com/documentation/lg/edir87/index.html

Then make the settings for the Internet security system. The settings in the configuration
221. offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.

Either the MD5 or SHA-1 algorithm can be used for authentication.

Key Management

The secure generation, management, and distribution of keys is crucial to the security of IPSec connections. IPSec supports both manual and automatic key distribution.

Manual key distribution requires that both sides of the connection be configured by hand. This means that for every Security Association (SA), of which there are two per tunnel, a Security Parameter Index (SPI) must be selected, a key for encryption and authentication must be generated, and the keys must be installed on both sides of the tunnel. These keys should also be changed at regular intervals. Clearly, manual distribution is labor-intensive. Because of the complexity of the process, manual intervention increases the risk that an unauthorized party gains access to the keys. For these reasons, Manual Key Distribution is not often used.

The Internet Key Exchange (IKE) protocol provides IPSec with automatic key management capabilities. Keys are automatically generated and securely exchanged. IKE also allows the generation and management of multiple VPN tunnels and the use of dynamic IP addresses. The IKE protocol automatically manages the Security Associations (SAs) for a connection.
computer.

The definition of networks is covered in greater detail in chapter 5.2 on page 103. If the NTP server has already been defined, please begin with step 6.

1. Open the Networks menu in the Definitions tab.

2. In the Name entry field enter a distinct Name. Allowed characters are: letters of the alphabet, digits from 0 to 9, hyphen, space, and underscore characters. The name must be fewer than 39 characters long.

3. Now enter the IP Address of the NTP Server.

4. In the Subnet Mask entry field, enter the network mask 255.255.255.255.

5. Now confirm your settings by clicking on the Add button.
   WebAdmin will now check your entries for semantic validity. Once accepted, the new network will appear in the network table.

6. Open the Settings menu in the System tab.

7. In the Time Settings window make the following settings in the given order:
   Time Zone: Now select the time zone.
   Use NTP Server: Select the NTP Server here.

The system clock of the Internet Security system will be synchronized with the external NTP server every hour.

SSH (Shell Access) Settings

Secure Shell (SSH) is a text-based access mode for the security system intended only for advanced administrators. In order to access this shell, you will need an SSH Client, which comes standard with most Linux distributions. For MS Windows, we recommend Putty as
Intrusion Protection System (IPS) recognizes attacks with the help of a signature-based Intrusion Detection set of rules. The system analyzes the complete traffic and automatically blocks attacks before they can reach the network.

The existing set of rules and/or IPS attack signatures are updated through the Pattern Up2Date function. New IPS attack signatures will automatically be imported as IPS rules into the IPS set of rules.

5.4.1 Settings

Global Settings

In the Global Settings window, configure the basic settings for the Intrusion Protection System (IPS) option.

Status: Clicking on the Enable button enables the option.

Local Networks: From the selection field select those networks that should be monitored by the Intrusion Protection System (IPS). If no specific network is selected, the complete data traffic will be monitored.

Portscan Detection

The Portscan Detection (PSD) feature allows you to detect possible attacks from unauthorized users. Portscans are used by hackers to probe secured systems for available services. In order to intrude into a system, or to start a Denial of Service (DoS) attack, attackers need information on network services. If this information is available, attackers might make use of the security deficiencies of
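The Portscan Detection feature is presented above only as a menu option. The following Python script is an added illustration, not code from the manual or from the product: it applies the heuristic behind such detection (one source contacting many distinct services within a short time) to a few constructed firewall connection-log lines. The log format, the 10-second window and the threshold of 8 distinct targets are assumptions of this example, as is the function naming.

```python
"""Port-scan heuristic over firewall connection-log lines (added example).

This is not the product's Intrusion Protection System; it shows the idea
behind Portscan Detection: one source contacting many distinct services on
a host within a short time window. Log format, window and threshold are
assumptions of this example.
"""
import re
from collections import defaultdict, deque

# Constructed sample log: "<epoch seconds> <proto> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
1000 TCP 203.0.113.5:40001 -> 192.0.2.10:22
1001 TCP 203.0.113.5:40002 -> 192.0.2.10:23
1001 TCP 203.0.113.5:40003 -> 192.0.2.10:25
1002 TCP 203.0.113.5:40004 -> 192.0.2.10:80
1002 TCP 203.0.113.5:40005 -> 192.0.2.10:110
1003 TCP 203.0.113.5:40006 -> 192.0.2.10:143
1003 TCP 203.0.113.5:40007 -> 192.0.2.10:443
1004 TCP 203.0.113.5:40008 -> 192.0.2.10:445
1005 TCP 203.0.113.5:40009 -> 192.0.2.10:3389
1006 TCP 203.0.113.5:40010 -> 192.0.2.10:8080
1010 TCP 198.51.100.7:51000 -> 192.0.2.10:443
1011 TCP 198.51.100.7:51001 -> 192.0.2.10:443
1012 TCP 198.51.100.7:51002 -> 192.0.2.10:80
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_line(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    return int(ts), proto, src, dst, int(dport)


def detect_portscans(lines, window=10, threshold=8):
    """Return {src_ip: ts_of_first_alert} for every source that contacted at
    least `threshold` distinct (dst_ip, proto, dst_port) targets within any
    `window`-second span. Each source is reported once, at the moment the
    threshold is first crossed. Input lines are expected in time order."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, target), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        q = recent[src]
        q.append((ts, (dst, proto, dport)))
        # Drop events that fell out of the sliding window.
        while q and q[0][0] < ts - window:
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_portscans(SAMPLE_LOG.splitlines()).items():
        print(f"possible portscan from {src} (threshold reached at t={ts})")
```

With the sample data, 203.0.113.5 touches its eighth distinct port at t=1004 and is reported once; 198.51.100.7 only repeats two services and is not. Shrinking the window to 2 seconds lets the same sequence pass unnoticed, which is the trade-off any threshold-based detector carries between sensitivity and false positives.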
on of the partition in percent.

In the lower window, select from the drop-down menu how the system has to react if a specific part of the partition is overloaded with log files. Three levels with different actions can be selected here.

[Screenshot: Threshold One, Threshold Two and Threshold Three, each with a "When usage reaches" field and a "do this" action; the sample shows "Send Notification" for Threshold One, 30 % with "Delete oldest log files" for Threshold Two, and "Shutdown system" for Threshold Three.]

Configuring the Log Files Level

For each level, the following settings can be configured:

When Usage reaches: Configure here at which utilization in percent of the system partition an action will be executed.

do this: Configure the action in this selection menu. The following actions can be configured:

Delete oldest Log Files: The oldest log files will automatically be deleted by the Security system. The administrator previously receives the WARN 711 notification e-mail.

Send Notification: Only the INFO 710 notification e-mail with the corresponding warning will be sent to the administrator.

Shut down System: The security system will automatically shut down. The administrator receives the CRIT 712 notification e-mail before.

Nothing: No actions will be started.

Save the settings by clicking on the Save button.

Remote Log File Archive

In this window configure the settings fo
explanation of why the message was blocked.

• Blackhole: The e-mail will be accepted and silently dropped.

• Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to safely read the message.

• Pass: The e-mail will be treated by the filter, but allowed to pass. A Header will be added to the e-mail, by which it can be sorted or filtered on the mail server or in the e-mail programs of the recipient.

For a description of how to create rules in Microsoft Outlook 2000 please see page 252.

Expression Filter

There is the chance that new viruses will appear which are not yet recognized by the firewall. Various viruses can be identified because of known strings, such as the IloveYou virus. The strings are entered into this module. If an e-mail contains this string, it will be blocked. Next to simple strings, also expressions in the form of Perl Compatible Regular Expressions can be defined.

Action: This drop-down menu allows you to select the action the proxy should take upon finding a message with a filtered string. The following actions are possible:

• Reject: The message will be bounced back to the sender with a 5xx error message. The bounce message sent to the sender will also contain an explanation of why the message was blocked.

• Blackhole: The e-mail will be acce
information on setting packet filter rules can be found in chapter 5.4 on page 179.

Defining NAT rules

1. In the Network tab, open the NAT/Masquerading menu.

2. In the Name field, enter a descriptive name for this NAT rule.

3. In the Rule type drop-down menu, select the DNAT/SNAT function. A window named Properties will open.

4. In the Packets to match window, define which packets should be translated.
   At least one parameter in this window must be defined in order to create a valid DNAT/SNAT rule. The setting No match means that packets will not be matched on the basis of this parameter.

   Source address: Choose the original source address here. This can be either a single host or an entire network.
   Destination address: Choose the original destination address here. This can be either a single host or an entire network.
   Service: Choose the original service here; the service is defined by source and destination ports as well as the protocol used (e.g. TCP).

   Note: A service can only be redirected when the communicating addresses are also redirected. In addition, a service can only be redirected to another service when the two services use the same protocol.

5. Use the next drop-down menus to define how the packets should be translated.
   At least one parameter in this window must be defined in order to create a valid DNAT/SNAT rule. If you redirect the original address to an entire network, the addresses in
information on the Key Exchange and Encryption.

Virus Protection: The activities of the Virus Protection System are recorded to these log files.

Kernel: The Kernel logs record the system status, including messages from device drivers, messages relating to the boot process, and information about blocked packets.

Logging: The local archives of the log files on the Internet security system and the forwarding of files to the Remote Log File Archive are recorded to these log files.

Local login: Information on the log-in processes to the local console is recorded to these log files.

MiddleWare: The activities of the MiddleWare are recorded to these log files. The log files belong to the support logs and will only be displayed after clicking on the show support logs button.

Network accounting daemon: The efficiency of the accounting is recorded to these log files.

BIND name server: The releases of host names to IP addresses are recorded to these log files.

Admin notifications: The Notification Log Files record all notification e-mails sent by the firewall. This allows an administrator to monitor critical system messages even if the e-mail system is down. Error, warning, and information codes are listed in chapter 5.9.3.2 on page 320.

HTTP proxy: The HTTP proxy logs show the activity of the HTTP proxy.

Packet Filter: Messages relating to blocked packets are shown in the Packet Filter logs. These log files a
Configure the access to the WebAdmin configuration tool in this menu.

General Settings

Language: In this drop-down menu you can determine the language.

Timeout (seconds): In this entry field enter the interval in seconds after which WebAdmin automatically logs you out if there are no actions. By default, the system is set to 300 seconds after the installation. The smallest possible interval amounts to 60 seconds.

Click the Save button to save these settings.

If you close your browser with an open WebAdmin session without closing WebAdmin through Exit, the last session remains active until the end of the timeout.

TCP Port: If you want to use the standard port 443 for the HTTPS service for another purpose, such as a deviation with DNAT, you must enter another TCP Port for the WebAdmin Interface here. Possible values are 1024-65535, while certain ports are reserved for other services. In order to address WebAdmin after a modification, you must separately link the port through a colon to the IP address of the Internet security system, e.g. https://192.168.0.1:1443.

Access and Authentication

Allowed Networks: Add those networks to the selection field that are authorised to access WebAdmin. As with SSH,
opped. Next Up2Date installation locked by HA.

System Up2Date failed: Corrupt Up2Date Package
Found corrupt Up2Date package. Please start process again. If the problem recurs, please contact the support department of your firewall provider.

System Up2Date failed: Invalid License
Your license is no longer valid.

System Up2Date failed: License check failed
Your license could not be checked. If the problem continues, please contact the support department of your firewall provider.

System Up2Date failed: Internal error
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: Invalid syntax
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: Could not read Up2Date directory
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: No installation directory
The system update failed. Please contact the support department of your firewall provider.

(Error codes listed on this page: 337, 338, 339, 340, 342, 343, 344, 345, 346)

System Up2Date failed: Could not extract tar
Please start process again. If the problem recurs, please contact the support department of your firewall provider.

System Up2Date failed: Main Up2Date package not found
Please start process again. If the problem recurs,
network card can be configured with multiple additional IP addresses, also called IP aliases. This function allows you to manage multiple logical networks on one physical network card. It can also be used to assign further addresses to a security system running NAT. NAT is described in further detail in chapter 5.3.4 on page 157. Each network card can be configured with up to 255 additional addresses.

Adding additional addresses to a network card

1. In the Network tab, open the Interfaces menu.

2. Click on the New button. The Add Interface window will open.

3. In the Name entry field, enter a descriptive name for the interface.

4. Use the Hardware drop-down menu to select a network card.

5. Use the Type drop-down menu to select Additional address on Ethernet interface.

6. Now make the specific settings for this interface type:
   Address: For this interface type, the address must be statically defined. This kind of interface can only use static addresses.
   Netmask: This interface type requires a statically defined netmask. This kind of interface can only use static masks.
   Default Gateway: If you wish to use a default gateway with this interface, select Static from the drop-down menu and enter the gateway address in the entry field. Otherwise, select None.

Confirm the
total 1 entries.

[Screenshot: Profiles table with the columns Name, URL Whitelist, URL Blacklist, Surf Protection Categories and Content Removal; the sample profile "Example" shows 1 whitelist entry, 0 blacklist entries, the category Information_and_Communication and 0 content removal entries.]

The functions from the left to the right are:

Deleting Profiles: Click on the trashcan icon to delete a profile from the table.

Name: This is the name of the Surf Protection Profile. This Name is necessary to assign this profile to a specific Network or User. Open the editing window by clicking on the field with the entry (e.g. Default). Save your changes by clicking on the Save button. To keep an entry, click cancel.

URL Whitelist: This is an additional function from the Surf Protection Categories. With this access control list you can allow the access to specific Websites with a content that matches the subjects in the Surf Protection Categories.

Example: If you have chosen the Information and Communication subject in the Surf Protection Categories menu, but wish to explicitly allow access to the www.astaro.org website, simply add this address to the Whitelist.

Open the access control list by clicking on the field with the entry (e.g. 0 entries). Enter th
protocol. The update is available from Microsoft at:
http://support.microsoft.com/support/kb/articles/Q191/5/40.ASP

Select the VPN Update and, if you use Windows 95, also the RAS Update.

PPTP VPN Access

This window allows you to enable or disable PPTP VPN access by clicking the Enable/Disable button.

Logging: This drop-down menu allows you to choose how detailed the information recorded in the PPTP Logs should be. The Extensive setting should be used when you are using the Live Log to debug connection problems. When you start the connection, you can view the process in real time. The PPTP Live Log is in the Local Logs/Browse menu.

Encryption: This drop-down menu allows you to choose between encryption strengths (40 bit or 128 bit). Note that, in contrast to Windows 98 and Windows ME, Windows 2000 does not come with 128 bit encryption installed; to use this kind of connection, the High Encryption Pack or Service Pack 2 must be installed. SP2 cannot be uninstalled later.

Security Note: You should always set Encryption to Strong (128 bit) except when your network includes endpoints which cannot support this.

Authentication: Use this drop-down menu to select an authentication method. If you have defined a RADIUS server in the System/User Authentication menu, you can use RADIU
you to check the integrity of the backup later.

Restore a Backup

This window allows you to install the backup file of the configuration.

Loading a Backup

1. Open the Backup menu in the System tab.

2. In the Restore a Backup window, next to the Upload Backup File entry field, click on the Browse button.

3. In the File Upload window, choose the Backup file you would like to load and click on the Open button.
   Note: When using Microsoft Windows, make sure not to use a UNC Path for loading the backup. Select the Backup file with the help of the Look in selection window.

4. Click on the Start button. If, during the generation of the backup file, the Encryption function was enabled, the Enter Passphrase window will open.

5. In the Passphrase field, enter the password.

6. Confirm your settings by clicking Start. The security system will now load and check the backup file. If the checksums are correct, you will now receive the Backup Information.

7. Check the Backup Information.

8. To import the backed-up settings into the active system, click the Start button. When the message Backup has been restored successfully appears, the process has completed successfully.

Create a Backup

This window allows you to create and archive a backup file of the configuration of your Security system.

Manually Creating a Backup

1. Open the Backup menu in the System tab.

2. In the Create a Backup window,
over events (total).

The following events will be displayed:
• WebAdmin Logins
• Remote Logins
• Local Logins
• System Up2Dates
• Virus Pattern Up2Dates
• Intrusion Protection Pattern Up2Dates
• Config Changes
• Astaro Configuration Manager Uploads
• System Restarts
• High Availability Takeover

5.8.2 Virus

The Virus menu contains an overview of the filtered viruses of the last 7 days.

[Screenshot: Virus Protection Statistics table with the columns Today, Yesterday, Last 7 Days and Last 30 Days, and the rows SMTP viruses, POP3 viruses and HTTP viruses.]

The following viruses will be displayed:
• SMTP Viruses
• POP3 Viruses
• SMTP Viruses

5.8.3 Hardware

This menu shows the current values relating to your system hardware. The system collects statistics about CPU utilization, RAM utilization, and swap utilization.

[Screenshot: Hardware Usage Graphs showing the CPU load (Daily Graph) and Memory usage (Daily Graph) with minute averages, current values and maxima, and a "Show all CPU graphs" link.]

The security system collects graphics and statistics every five minutes and updates
over the network.

Certificates and Certificate Authorities (CA) are an essential part of modern cryptographic protocols, and help close the gaps left open by other systems. Public Key Algorithms offer a particularly elegant form of encryption. They do, however, presuppose that the public keys of all communications partners are known.

At this point, a third, trusted party is used to ensure the validity of public keys. The third party issues certificates guaranteeing the authenticity of these keys; this third party is called a Certificate Authority (CA). A certificate is a record in a standardized format with the owner's most important data (his name and his public key) and is signed with the private key of the CA. The format for these certificates is defined in the X.509 standard.

In a certificate, the CA certifies, with its own signature, that the public key belongs to the person (or entity) it says it does. As the certificate contains information such as the name of the owner, duration of validity, issuing authority, and the signature of the CA, it can be seen as a kind of digital passport.

[Screenshot: Certificate Information form with the fields Country (United States), City, Organization, E-Mail Address (myname@mydomain.com) and Hostname.]

The WebAdmin Site Certificate menu allows you to create two certificates: first a CA certificate, which will be installed in your browser, and second the server
ow. If you click on the subcategories, another selection window will open. All available subcategories will be listed in this selection field.

[Screenshot: Subcategories window for the categories Community_Education_Religion and Criminal_Activities, listing subcategories such as Cities/Countries/Regions, Government Institutions, Non-Government Organizations, Partys, Religion/Sects, Upbringing/Education, Reconnoitring, Computer Criminalism, Hate and Discrimination, Illegal Activities and Warez Sites, with Save and Cancel buttons.]

Save your changes by clicking on the Save button. To keep an entry, click cancel.

4. To close the table, click on the Show/Hide button. The Surf Protection Categories window will close.

The Profiles Table

Each Surf Protection Profile will be displayed in the Profiles table through a separate line. The different settings will either be displayed as alphanumeric signs or as symbols. All settings can be edited by clicking on the corresponding field.

A Surf Protection Profile contains two function groups: the Surf Protection Categories with the additional functions Blacklist, Whitelist and Content Removal, and the Content Filter. The Surf Protection Categories prevent the access to Websites with a specific content. The Content Filter contains a Virus Protection function and filters Websites with specific technical components.

The Functions

The following picture shows a Surf Protection profile.

Profiles T
Allowed Networks menu, do not select Any unless absolutely necessary. If Any is selected, the DNS Proxy can be used by any Internet user.

Forwarding Name Servers: Enter the IP addresses of your name servers here. Click Add to add each name server to the list. Ordered Lists are described in chapter 4.3.4 on page 39.

All settings take effect immediately and will be saved if you leave this menu.

5.6.3 SOCKS

SOCKS is a generic proxy used by many client applications. Examples include Instant Messaging Clients such as ICQ or AIM, FTP clients, and RealAudio. SOCKS can build TCP connections for client applications, and can also provide incoming (listening) TCP and UDP ports. This is especially important for systems using NAT, as SOCKS mitigates the drawbacks of having all internal clients use the same external address. This security system supports the protocols SOCKSv4 and SOCKSv5.

Please note, however, that the SOCKSv4 protocol does not support User Authentication.

Note: If you wish to use SOCKSv5 with name resolution, you must also activate the DNS proxy service.

Configuring the SOCKS Proxy

1. In the Proxies tab, open the SOCKS menu.

2. Click the Enable button next to Status to start the proxy. Another entry window will open.

3. Make th
page 133.

1. In the Network tab, open the DHCP Server menu.

2. In the Static Mappings window, make the following settings:
   MAC Address: In the MAC Address entry field, enter the MAC address of the network card. The MAC address must be entered as in the following example: 00:04:76:16:EA:62.
   IP Address: Enter the IP address into this entry field. The address must be within the range specified by the Range Start and Range End options.

3. Save the settings by clicking Add.

The static address mapping will appear in the Static Mapping Table. To remove an entry from this table, click delete.

Current IP Leasing Table

The Current IP Leasing table shows all current IP address mappings. If more than one entry is shown for the same IP address, only the last listed one is valid. This table will only be shown when there are entries in it.

5.3.6 PPTP VPN

Point-to-Point Tunneling Protocol (PPTP) allows single Internet-based hosts to access internal network services through an encrypted tunnel. PPTP is easy to set up, and on Microsoft Windows systems requires no special client software.

PPTP is included with versions of Microsoft Windows starting with Windows 95. In order to use PPTP with this security system, the client computer must support the MSCHAPv2 authentication protocol. Windows 95 and 98 users must apply an update to their systems in order to support this pr
depends on the type of LDAP server you are using.

1. Microsoft Active Directory: Microsoft Active Directory can use either the User Principal Name (UPN) or the full Distinguished Name (DN) of the user.
   Examples:
   UPN: admin@example.com
   DN: cn=administrator,cn=users,dc=example,dc=com

2. Novell eDirectory: Enter the full Distinguished Name (DN) of the user.
   Example:
   DN: cn=administrator,o=our_organisation

3. OpenLDAP: OpenLDAP and OpenLDAP-conforming servers can only use the Distinguished Name (DN) of users.

Base DN: Enter the object name to be used as the basis for all client actions.
Examples:
For MS Active Directory: dc=example,dc=com
For Novell eDirectory: o=our_organisation

Enter the password in the Password entry field. This password should also be used for the Administration of the Stand-alone LDAP Server.

Security Note: Use a secure password. Your name spelled backwards is, for example, not a secure password, while something like xfT35 4 would be.

Click the Save button to save these settings.

Security Note: As long as the LDAP authentication by attribute function is disabled, all users who are listed in the directory with a unique DN and a valid password can use the HTTP, SMTP and SOCKS proxies, and can also access the WebAdmin tool.

Advanced Authentication with LDAP

1. Enable the LDAP authentication by attribute function by clicking Enable next to Status.

Use the Ser
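To make the Bind DN and Base DN formats above concrete, here is an added Python example; it is not code from the manual or from the product. It parses a Distinguished Name into its RDNs, tells a User Principal Name from a DN in the way the manual distinguishes them (Active Directory accepts both, eDirectory and OpenLDAP only a DN), derives an Active Directory Base DN from a DNS domain name, and checks that a query user's DN actually lies below the configured Base DN. The function names, the accepted LDAP type strings and the escape handling (a backslash escapes the next character, as in RFC 4514) are this example's own.

```python
"""Checks for the Bind DN / Base DN values of the LDAP Server Settings (added example).

Not the product's code: it parses Distinguished Names, distinguishes a
User Principal Name from a DN (Active Directory accepts both, eDirectory
and OpenLDAP only a DN), and builds an Active Directory Base DN from a
DNS domain. Escape handling follows the RFC 4514 rule that a backslash
escapes the next character; everything else here is this example's own.
"""
import re

UPN_RE = re.compile(r"[^@\s=]+@[^@\s]+\.[^@\s]+")


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], most specific RDN first.

    Attribute names are lower-cased; whitespace around '=' and ',' is trimmed.
    Raises ValueError on an RDN without '=' or with an empty part.
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:          # first '=' ends the attribute name
            attr = "".join(buf).strip()
            buf = []
        elif c == ",":                         # unescaped ',' ends the RDN
            if attr is None:
                raise ValueError(f"RDN without '=': {''.join(buf)!r}")
            rdns.append((attr.lower(), "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=': {''.join(buf)!r}")
    rdns.append((attr.lower(), "".join(buf).strip()))
    if any(not a or not v for a, v in rdns):
        raise ValueError(f"empty attribute or value in DN {dn!r}")
    return rdns


def bind_identity_kind(identity, ldap_type):
    """Return "UPN" or "DN" for the Bind DN field, or raise ValueError when the
    value is malformed or not allowed for the given LDAP server type."""
    if UPN_RE.fullmatch(identity):
        if ldap_type != "Microsoft Active Directory":
            raise ValueError(f"{ldap_type} cannot bind with a UPN; enter the full DN")
        return "UPN"
    parse_dn(identity)                         # raises if not a well-formed DN
    return "DN"


def bind_identity_accepted(identity, ldap_type):
    """Boolean wrapper around bind_identity_kind for simple checks."""
    try:
        bind_identity_kind(identity, ldap_type)
        return True
    except ValueError:
        return False


def base_dn_for_ad_domain(domain):
    """example.com -> dc=example,dc=com (the Base DN form the manual shows for AD)."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def is_under_base(dn, base_dn):
    """True when `dn` lies inside the subtree rooted at `base_dn`, i.e. the
    query user will actually be found below the configured Base DN."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

A value such as "administrator" on its own is rejected for every server type, because it is neither a UPN nor a DN; this is the mistake the examples above guard against. The Base DN check is worth running before saving: a query user outside the Base DN binds successfully but never finds the users it is supposed to authenticate.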
please contact the support department of your firewall provider.

System Up2Date failed: Version conflict
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: Pre-Stop Services script failed

System Up2Date failed: Post-Stop Services script failed

System Up2Date failed: Pre-Start Services script failed

System Up2Date failed: Starting Services failed
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: Post-Start Services script failed

System Up2Date failed: Error occurred while running installer
The system update failed. Please contact the support department of your firewall provider.

System Up2Date failed: Installer ended due to internal error
The system update failed. Please contact the support department of your firewall provider.

(Error codes listed on this page: 347, 351, 352, 353, 354, 355, 356)

System Up2Date failed: Started without rpm parameters
The system update failed. Please contact the support department of your firewall provider.

Pattern Up2Date failed: Could not select Authentication Server(s)
If the problem continues, please contact the support department of your firewall provider.

Pattern Up2Date failed: Could not connect to Authentication Server(s)
The authentication server is not reachable. If
port.

Changes will be applied immediately, and the networks will appear in the Queried networks window.

5.8.13 System

This menu offers additional system information. This information will be displayed in a separate window. Clicking on the Show button opens this window.

[Screenshot: System Information menu with Show buttons for Disk Partition Status, Process List, Interface Information, ARP Table and Local Network Connections.]

Disk Partition: This table lists the disk partitions on the system and their usage levels.

[Screenshot: Disk Partition Status window with the columns Filesystem, 1K-blocks, Used, Available, Use% and Mounted on, listing rootfs and /dev/root (53 % used), a tmpfs on /opt/tmpfs, and the partitions mounted on /boot, /var/storage, /var/up2date, /var/sec (62 % used), /var/log, /tmp and /var/shm.]

Process list: This tree lists all current processes on the
private networks to hide behind small numbers of IP addresses (or even single addresses), thus allowing the relatively limited IPv4 address space to meet the demands of an ever-expanding Internet.

Glossary

IP Address

Every (publicly addressable) host on the Internet has a unique IP address, similar to a telephone number. An IP address consists of decimal numbers separated by points. Possible numbers are 0 to 255 inclusive.
Example: a possible IP address is 212.6.145.1.

At least one IP name in the form hostname.[subdomain(s)].domain, e.g. kises.rz.uni-konstanz.de, is assigned to an IP address. This refers to a computer named kises, which stands in the sub-domain rz of the sub-domain uni-konstanz of the de domain. As with IP addresses, the individual parts of the name are separated from each other by a point, whereas, in contrast to IP addresses, IP names are not limited to four numbers. Moreover, several IP names can be assigned to one IP address, which are referred to as aliases.

Masquerading

Dynamic Masquerading is a technology based on NAT that allows an entire LAN to use one public IP address to communicate with the rest of the Internet.

Example: The administrator has established an internal LAN, and has given each computer on it IP addresses from the private IP range 10.x.x.x. One computer, for example, has the address 10.1.2.3. Only one official IP address is assigned to all computers in its network, i.e., if only one
244. pted and silently dropped.

• Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message.

• Pass: The e-mail will be treated by the filter, but allowed to pass. A header will be added to the e-mail, by which it can be sorted or filtered on the mail server or in the e-mail programs of the recipient. For a description of how to create rules in Microsoft Outlook 2000, please see page 252.

Expressions: Enter the strings to filter in this list. The function of the Control List is identical to the Ordered List and is described in chapter 4.3.4 on page 39.

5.6.6.2 Spam Protection

Sender Address Verification: When this function is enabled, the sending address of incoming e-mails will be checked, and the sending domain will be checked as well. If the sending domain does not exist, the e-mail will be rejected. If the Callout function is also enabled, the proxy will connect to the mail server of the sending domain and check the sender address using an RCPT command. If the sending address does not exist, the proxy will reject messages from it.

Realtime Blackhole Lists (RBL): The RBL module uses an external database of known spam senders to check sending addresses. Several services of this type are available on the Internet. This function helps to mas
245. querading requires a source network. It will automatically include all services (ports) on that network.

• The translation only occurs when the packet is sent via the supplied network card. The new source address will be that of the interface.

Masquerading is intended to hide privately addressed LANs behind one official (public) Internet address.

Defining Masquerading rules

To define masquerading rules, select which network should masquerade as which network card. Normally, the external network card is used.

Note: In order for clients from the defined network to build a connection to the Internet, the appropriate rules must be entered in the Packet Filter Rules menu. More information on setting packet filter rules can be found in chapter 5.4 on page 179.

1. In the Network tab, open the NAT/Masquerading menu.
2. In the Name field, enter a descriptive name for this Masquerading Rule.
3. Use the Rule type drop-down menu to select Masquerading. A window named Properties will open.
4. Use the Network drop-down menu to select a network.
5. Use the Interface drop-down menu to select an interface.
6. Save the settings by clicking Add.

After a masquerading rule has been defined and added, it will appear in the NAT rules table. The further functions in the NAT table can now be used for further customization.

Further Functions

Edit Masquerading rules: Click edit to load the rule into the Edi
246. r a remote log file archive. If the Remote Log File Archive is on a server, you must first add it to the Definitions/Networks menu.

Configuring Remote Log File Archive

1. In the Global Settings window, enable the Remote Log File Archives function by clicking on the Enable button. The Remote Log File Archive window will open.
2. Use the Type drop-down menu to select the archiving type. The drop-down menus and/or entry fields for the selected archiving type will be displayed.
3. Configure the settings for the archiving type.

3.1 FTP Server
Host: Use the drop-down menu to select a host.
Port: Use the drop-down menu to select a port. By default, FTP is already selected.
Username: Enter a username in the entry field.
Password: Enter the password in this entry field.
Remote Path: Enter the path in the entry field.

3.2 SMB/CIFS Share
Host: Use the drop-down menu to select a host.
Username: Enter a username in the entry field.
Password: Enter the password in this entry field.
Share Name: Enter the share name in the entry field.

3.3 Secure Copy (SSH) Server
Public DSA Key: The Public DSA Key is displayed in this window.
Host: Use the drop-down menu to select a host.
Username: Enter a username in the entry field.
Remote Path: Enter the absolute path in the entry field.

3.4 Send by E-Mail
E-Mail Address: Enter the e-mail address into this entry f
247. r with useless packets, to overload its performance. Since a large bandwidth is required for such attacks, more and more attackers start using so-called SYN Flood attacks, which don't aim at overloading the bandwidth, but at blocking the system resources. For this purpose, they send so-called SYN packets to the TCP port of the service, i.e. in a web server to port 80.

The SYN Rate Limiter function reduces the number of SYN packets sent to the local network. This is disabled by default (status light shows red). Click the Enable button to enable the function (status light shows green).

Protocol Handling

Strict TCP Session Handling: To secure a reliable data transport, the Transmission Control Protocol (TCP) in the transport layer is used. TCP creates computer-to-computer connections and continues to send data until it receives an affirmative answer that the data have been transmitted. This type of connection setup is called the TCP Handshake and is executed in three steps. Before a client is able to exchange data with a server, for example, it sends a TCP packet in whose header there is also a so-called SYN bit (sequence number). This is an order to the server to set up a connection. In addition, the client transmits the so-called window size. This value defines the maximum number of bytes of usable data in the data package, so that they can be processed on the c
248. rading or NAT rules must be in place for the IPSec Pool.

L2TP over IPSec Client Parameters: This window allows you to define DNS and WINS servers which should be assigned to hosts when the connection is established.

5.7.6 CA Management

A Certificate Authority (CA) certifies the authenticity of public keys. This ensures that the certificate used in a VPN connection really belongs to the endpoint, and not to an attacker. The CA Management menu allows you to create and manage your own X.509 Certificate Authority (CA). The authority will verify the validity of X.509 certificates exchanged during IPSec VPN connections. The relevant information is stored in the X.509 certificates. But you can also use certificates signed by commercial providers, such as VeriSign.

Note: Every certificate has a unique CA with respect to its identifying information (Name, Firm, Location, etc.). If the first certificate is lost, a second cannot be generated to replace it.

The CA Management menu allows you to manage three distinct kinds of certificates, which are used for different purposes. The three certificates differentiate themselves according to use and, importantly, whether or not the Private Key is stored.

CA (Certificate Authority) Certificate: If a CA is saved without private key, it can be used for the authentication of the
249. rated with the packet filter will be tracked by the Conntrack module; this is referred to as Connection Tracking.

Some protocols, such as FTP or IRC, require several communication channels, which cannot be connected through port numbers. In order to use these protocols with the Packet Filter, or to replace an address through NAT, the Connection Tracking Helpers are required. Helpers are structures referring to so-called Conntrack Helpers. Generally speaking, these are additional Kernel modules that help the Conntrack module to recognize existing connections.

For FTP data connections, an FTP Conntrack helper, for example, is necessary. It recognizes the data connections belonging to the control connection (normally TCP port 21), which can have any destination port, and adds the respective expect structures to the expect list.

The following protocols are supported. By default, all Helper modules are loaded:

• FTP
• H.323
• IRC (for DCC)
• MMS (Microsoft Media Streaming)
• PPTP

Loading Helper Modules: By default, all Helper modules are loaded. The helper modules are loaded and deleted in the selection field. A description of how to use the selection fields can be found in chapter 4.3.2 on page 36.

SYN Rate Limiter

Denial of Service attacks (DoS) on servers aim to deny service access to legitimate users. In the simplest case, the attacker overloads the serve
250. re also included in the kernel logs.

POP3 proxy: The activities of the POP3 Proxy are logged to these log files. All outgoing e-mails will be listed there. In addition, all irregularities, such as interruptions or blocked e-mails, will be logged.

Portscan Detection: The Portscan Detection system watches for and blocks portscans and sends e-mail messages to the administrator. When examining the Log Files, however, do not draw too many conclusions from the source IP addresses (SRC) and port numbers (SPT), as they can easily be falsified by the sender. The destination addresses (DST) and port numbers (DPT), however, provide useful information about what the scanner was looking for.

PPPoA DSL dial-up: The processes executed in the dial-up with PPP over ATM are recorded to these log files.

PPPoE DSL dial-up: The processes executed in the dial-up with PPP over Ethernet are recorded to these log files.

PPTP VPN Access: These logs record the progress of PPTP sessions from external clients. This includes login and authentication information as well as error messages. If you select the Extensive parameter in the Logging function of the Network/PPTP VPN Access menu, these logs will contain very detailed information about PPP connections.

Self-monitor: The Self-monitoring continually checks the integrity of the firewall systems and notifies the administrator of important events. Self-monitoring checks the function
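One way to read Portscan Detection logs the way the text advises, as an added example that is not part of the manual or of the Astaro product: the script groups the log lines by DST and DPT instead of trusting SRC/SPT, and flags a claimed source that touched many ports on one host. The key=value line layout, the threshold and all addresses are constructed assumptions.

```python
"""Analysing packet-filter log lines for portscan activity.

Added example, not Astaro code. The log lines below are constructed in the
SRC=/DST=/SPT=/DPT= key=value style the manual refers to; they are not
taken from a real system.
"""
import re
from collections import defaultdict

# Constructed sample: one host probing seven ports, one touching a single
# port, one ordinary client fetching port 80 twice, plus an ICMP line.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Mar  3 10:15:01 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:15:01 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:15:02 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Mar  3 10:15:02 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Mar  3 10:15:02 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110
Mar  3 10:15:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=143
Mar  3 10:15:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.10 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:15:04 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80
Mar  3 10:15:05 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=80
Mar  3 10:15:06 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict (empty if none)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def find_scans(log_text, min_ports=5):
    """Group port hits by (SRC, DST) and report pairs that touched at least
    min_ports distinct destination ports. SRC is only a grouping key: the
    manual warns it may be forged, so the useful output is the DST/DPT set."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "DPT" not in f:          # e.g. ICMP lines carry no port
            continue
        ports[(f["SRC"], f["DST"])].add(int(f["DPT"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def targeted_ports(log_text):
    """Per destination host, how often each destination port was hit,
    regardless of the claimed source: what the scanner was looking for."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if "DPT" in f:
            hits[f["DST"]][int(f["DPT"])] += 1
    return {dst: dict(c) for dst, c in hits.items()}


if __name__ == "__main__":
    for (src, dst), p in find_scans(SAMPLE_LOG).items():
        print(f"probable scan toward {dst} (claimed source {src}): ports {p}")
    print(targeted_ports(SAMPLE_LOG))
```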
251. are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.
Type: Select Network Group from the drop-down menu.
Initial Members: From the selection field, select the network card by pressing the Ctrl key on the keyboard and selecting the name with the mouse.
Comment: You can enter a network group description in this entry field.
Save the network group by clicking on the Add Definition button.

After successful definition, the new network group will appear in the network table. The network group name will also be available for use in various configuration menus.

Defining IPSec user group

This definition contains only the Distinguished Name (DN). It is used for incoming IPSec connections using X.509 certificates. If the DN of the group corresponds to the one of the user, his virtual IP address will dynamically be added to the group.

1. Under the Definitions tab, open the Networks menu.
2. Click on the New Definition button. The entry window will open. Make the following settings:
Name: In the entry field, enter a unique name for the IPsec user group. This name will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.
Type: Select IPsec User Group from the drop-down menu.
252. rror Checking module can detect errors in messages that have been encoded with MIME. MIME stands for Multipurpose Internet Mail Extensions. MIME defines the structure and the composition of e-mails and of other Internet messages. This is an encoding rule which allows for the transmission of non-text documents (e.g. pictures, audio and video) in text-based transmission systems. The non-text elements are encoded at the sender and decoded at the receiver.

The MIME Error Checking module can help detect attacks in which error tolerance variations in the MIME decoding software are being exploited.

Action: This drop-down menu allows you to select the action the proxy should take upon finding a message with a filtered string. The following actions are possible:

• Reject: The message will be bounced back to the sender with a 5xx error message. The bounce message sent to the sender will also contain an explanation of why the message was blocked.

• Blackhole: The e-mail will be accepted and silently dropped. Do not use this action unless you are absolutely certain no legitimate e-mails will be lost.

• Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message.

• Pass: The e-mail will be treated by the filter, but allowed to pass. A header will be added to the e-mail, by wh
253. rscore (_). Names may be up to 39 characters long.
Type: Select Host from the drop-down menu.
Address: Enter the IP address in the entry field.
Comment: You can enter a host description in this entry field.
Save the host by clicking on the Add Definition button.

If the definition is successful, the new Host will be entered in the network table. You will now find this host under its name also in different other menus. You could, for example, define this host under System/Remote Syslog as Remote Syslog Server.

Adding Network

1. Under the Definitions tab, open the Networks menu.
2. Click on the New Definition button. The entry window will open. Make the following settings:
Name: In the entry field, enter a network name. This name will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.
Type: Select Network from the drop-down menu.
Address/Netmask: Enter the IP address in the entry field and select the network mask from the drop-down menu.
Comment: You can enter a network description in this entry field.
4. Save the network by clicking on the Add Definition button. WebAdmin will check that your entries are valid.

After successful definition, the new network will appear in the network table. The network name will also be a
254. rted by the security system is listed in the Hardware Compatibility List for Astaro Security Linux, available at http://docs.astaro.org.

The wireless LAN interface on the security system can be configured either as a Wireless LAN Access Point or a Wireless LAN Station.

The Wireless LAN Access Point mode connects wireless nodes with one another; its function is analogous to that of a hub in a traditional wired network. Wireless nodes can also communicate with the wired LAN through the security system.

In the Wireless LAN Station mode, the security system functions as a normal node on an existing wireless network. Only in this mode can the system acquire an IP address through DHCP.

Wireless LAN Security

The 802.11 standard includes the WEP standard for encrypting radio communications. WEP stands for Wired Equivalent Privacy. This encryption method is based on the RC4 cipher and uses a secret string to encrypt and decrypt messages. Activating WEP requires this secret key to be configured on all interfaces on the wireless network. All transmissions over the network are encrypted with this key at the sending station and then decrypted at the receiving station. Without this key, the data cannot be decrypted.

This security system can also use WEP for Authentication. A computer attempting to connect to the network which is not configured with the correct key will be dropped at the access point.

The Wirele
255. rtificates are signed and issued by a trusted Certificate Authority (CA). During the Key Exchange process, the certificates are exchanged and authenticated using a locally stored CA certificate. Further information on Certificate Authorities (CAs) can be found in chapter 5.1.9 on page 94 and in chapter 5.7.6 on page 290.

5.7.1 Connections

The Connections menu allows you to configure local settings for new IPSec VPN tunnels and to manage existing connections.

Global IPSec Settings: This section allows you to enable or disable the IPSec VPN system by clicking the Enable/Disable button next to Status.

IKE Debugging: This function allows you to check the IPSec connection. Detailed information is logged to the IPSec logs. These logs can be displayed in real time in the Local Log/IPSec VPN menu or downloaded to your local computer. Further information on the Local Logs menu can be found in chapter 5.9 on page 307.

[Screenshot: New IPSec Connection form with the fields Name, IPSec Policy, Auto packet filter, Local Endpoint, Remote Endpoint, Local Subnet and the key selection]

Important Note: The IKE Debugging function requires a large amount of sys
256. rtment of your firewall provider.

Pattern Up2Date failed: MD5Sum Error occurred. If the problem continues, please contact the support department of your firewall provider.

System shut down due to full log file partition: The log file partition usage reached the specified value in percent. To prevent the loss of important log files, the system has been shut down automatically. Please check the WebAdmin settings and/or remove old log files.

Intrusion Protection Event: A packet was identified that may be part of an intrusion. The matching rule classified this as highest priority level. Further information on the Intrusion Prevention event can be found in the notification e-mail.

(Notification IDs listed in the table on this page: 851, 860.)

Intrusion Protection Event (Event buffering activated): A packet was identified that may be part of an intrusion. The matching rule classified this as highest priority level. Event buffering has been activated. Further Intrusion Protection events will be collected and sent to you when the collection period has expired. If more events occur, this period will be increased. Further information on the Intrusion Prevention event can be found in the notification e-mail.

Intrusion Protection Event (Buffered Events): After the activation of the event buffering, further IPS events have been collected. Please see the attached file for a list of collected events. This
257. ry aspect of the Astaro Security Linux system. This chapter explains the tools and concepts used by WebAdmin and shows how to use the built-in online help system.

WebAdmin has four main components:

1. Info Box
2. Tabs
3. Menus
4. Online help
5. Refresh

[Screenshot: WebAdmin overview showing the time zone setting (Europe/Berlin), the SSH Shell Access settings and the Allowed Networks selection]

4.1 Info Box

The system time and time zone are always displayed in the top left-hand corner of the screen. If you roll the mouse over the time display, the Info Box will appear, containing the following information:

Uptime: Displays how long the security system has been running without a restart.
User: Displays which user is currently logged in to WebAdmin, as well as the client the user is logged in from.
Last Login: Displays when and from which client WebAdmin was last used.

4.2 Tab List

The Tab List on the left of the screen organizes the various menus according to subject. To list the menus contained under a subject heading, simply click the tab; the available menus will appear below. For ease of use, chapter 5 (Using the Security System) has been structured to match the ord
259. DNS proxy: 6 files; HTTP proxy: 4 files; Intrusion Protection System: 4 files; Kernel messages: 6 files; Local logins: 6 files; Logging subsystem: 6 files; Packet filter: 6 files; PPTP daemon: 4 files; Selfmonitoring: 6 files; SMTP proxy: 6 files; SSH daemon: 6 files; System log messages: 6 files; User authentication daemon: 6 files; Webadmin: 6 files.

The functions from the left to the right:

Selection box: This setting is required in connection with the drop-down menu at the footer of the table. Select the log groups and then choose the action (Delete or Download as ZIP File) from the drop-down menu. The action will start immediately. Clicking on the selection box in the header selects all log groups. Clicking on the trash can icon deletes a group from the table.
Name: All log groups are listed in alphabetical order in this column.
Date: The date of current logs will not be displayed.
Clicking on the folder icon opens the sub-tab with all logs of this group. By clicking again on the icon, you will get back to the overview. The additional functions in the sub-tab are described in the "Log File Sub-tab" section.
File Count/Name: The number of exist
260. s have been correctly configured in the Network/Interfaces menu. The configuration process for network cards is described in chapter 5.3.2 on page 119.

5.8.5 Packet Filter

Packet filter violations will be displayed in a graphic in this menu. The rule violations will also be logged to the Packet Filter Logs. The log files are saved to the Local Logs/Browse menu.

[Screenshot: Packet Filter Statistics report with the Packet filter violations Daily Graph]

5.8.6 Content Filter

The processed data and actions of the Content Filter relating to the HTTP, SMTP and POP3 proxies will be displayed in the form of tables and diagrams in this menu. The Spam Protection option and the Spam Score are described in chapter 5.6.6.2 on page 248.

Information on the SMTP and POP3 proxies:
• Sum of the treated messages
• The average size of messages in kilobytes
• The average Spam Score

Information on the HTTP proxy:
• Sum of requested HTTP sites
• Sum of the HTTP sites blocked by Spam Protection
• Sum of the HTTP sites blocked by Virus Protection

5.8.7 PPTP/IPSec VPN

The PPTP and IPSec VPN connections will be displayed in a graphic in this menu.

5.8.8 Intrusion Protection

Intrusion Protection events will be displayed in a graphic in this menu.

5.8.9 DNS

The DNS Query statistic is represented in this menu.

5.8.10
261. s allows mail clients such as Microsoft Outlook, Outlook Express or Netscape Messenger to authenticate themselves to the SMTP Proxy. This is especially useful for clients with dynamic IP addresses, where the client IP address cannot be specified in the Outgoing Mail menu.

When configuring clients, please note that SPA (Secure Password Authentication) should not be used. SPA is an alternative encryption method, which is not supported by this security system. You should use an unencrypted authentication method instead, and use TLS (or SSL) to encrypt the session.

The Authentication Methods selection field allows you to select the user authentication method to be used. Only those authentication methods you have configured in the Settings/User Authentication menu are available here. Local users are defined in the Definitions/Users menu.

Global Whitelist

[Screenshot: Global Whitelist window with the Trusted Hosts/Networks selection field]

In the hierarchy list, a Global Whitelist can be defined with reliable hosts or networks, which in this case are excluded from the following options:

• Realtime Blackhole Lists
• Sender Verification
• MIME Error Checking
• Spam Detection
• Expression Filter

This means that the necessary computing power for scans is reduced and that problematic hosts can be excluded from Content Scanning.
262. s become known that the receiver of the certificate fraudulently obtained it by using wrong data (name, etc.), or because an attacker has got hold of the private key, which is part of the certified public key. For this purpose, so-called Certificate Revocation Lists or CRLs are used. They normally contain the serial numbers of those certificates of a certifying instance that have been declared invalid and that are still valid according to their respective periods of validity. After the expiration of this period the certificate will no longer be valid and must therefore no longer be maintained in the block list.

The Automatic CRL Fetching function automatically requests the CRL through the URL defined in the partner certificate via HTTP, Anonymous FTP or LDAP Version 3. On request, the CRL can be downloaded, saved and updated once the validity period has expired. Enable the function by clicking on the Enable button (status light is green).

Please check if the packet filter rules in the Packet Filter Rules menu are configured such that the CRL Distribution Server can be accessed.

Strict CRL Policy: Any partner certificate without a corresponding CRL will be rejected. Enable the function by clicking on the Enable button (status light is green).

Send ICMP Messages: If a data packet exceeds a set MTU value, the system will send the following ICMP message to the source address: Destination unreachable, fragmentation
263. s clients.

In addition to simplifying the configuration of client computers and allowing mobile computers to move painlessly between networks, DHCP helps to localize and troubleshoot IP address related problems, as these are mostly issues with the configuration of the DHCP server itself. It also allows for a more effective use of address space, especially when not all computers will be active at the same time, as addresses can be distributed as needed and re-used when unneeded.

Configuring the DHCP Server

1. In the Network tab, open the DHCP Server menu.
2. In the Interface drop-down menu, select the interface from which the IP addresses should be assigned to the clients.
3. Click Enable next to Status to enable the function. Another entry window will open.
4. Use the Range Start and Range End menus to set the address space from which IP addresses will be distributed. By default, the configured address area of the network card will appear in the entry field.

The settings will take effect without further confirmation.

Assigning DNS Servers and Gateway IP Addresses

You can transmit further parameters for the network configuration to the clients, such as the DNS Server Addresses and the Default Gateway to be used by the clients. The security system itself will usually fill both of these functions; in this case, you should enter the internal address of the system in these entry fields.

The DNS Proxy
264. s control
• Collection of audit trails
• Protocol analysis
• Reporting of security-related events
• Concealing internal network structure
• Separation of servers and clients using proxies
• Guaranteeing information confidentiality

Introduction to the Technology

A firewall combines several network components in order to provide these assurances. The following is a brief look at some of these tools and their uses.

Network Layer Firewalls (Packet Filters)

As the name suggests, this component filters IP packets on the basis of source and destination address, IP flags, and packet payload. This allows an administrator to grant or deny access to services based on factors such as:

• The source address
• The destination address
• The protocol (e.g. TCP, UDP, ICMP)
• The port number

The primary advantages of packet filters are their speed and their independence of the operating systems and applications in use behind the firewall.

Advanced implementations of packet filters also inspect packets at higher network layers. Such filters interpret transport-level information, such as TCP and UDP headers, to analyze and record all current connections. This process is known as stateful inspection.

A stateful packet filter records the status of all connections and allows only those packets associated with a current connection to pass. This is especially important for allowing connections from a protected network to an unprotected one, but disallowin
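A small model of the stateful inspection described here, combined with the SYN Rate Limiter and Strict TCP Session Handling from the Packet Filter Advanced section, as an added example that is not part of the manual or of the Astaro product: the filter passes only packets that fit a tracked three-way handshake, and a token bucket with assumed rate and burst values limits how many SYNs may open new sessions. Hosts, ports and timings are constructed.

```python
"""Model of strict TCP session handling with a SYN rate limiter.

Added example, not Astaro code. The packet stream is constructed here; the
hosts, ports and the rate/burst values are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float     # arrival time in seconds (constructed)
    src: str     # source host
    dst: str     # destination host
    port: int    # TCP service port, e.g. 80 for a web server
    flags: str   # "SYN", "SYN-ACK", "ACK" or "DATA"


class SynRateLimiter:
    """Token bucket: at most `rate` SYNs per second toward the local network,
    with bursts of up to `burst` SYNs. A flood drains the bucket, so most of
    its SYNs are dropped before they can tie up server resources."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class StrictTcpFilter:
    """Stateful filter: a session can only be opened by a SYN, SYN-ACK and
    ACK must follow in handshake order, and data is accepted only on sessions
    that completed the handshake. Anything else is dropped."""

    def __init__(self, limiter: SynRateLimiter):
        self.limiter = limiter
        self.sessions = {}   # (client, server, port) -> handshake state

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.port)   # client -> server direction
        rev = (p.dst, p.src, p.port)   # server -> client direction
        if p.flags == "SYN":
            if not self.limiter.allow(p.t):
                return "drop:syn-rate-limit"
            self.sessions[fwd] = "SYN_SENT"
            return "accept"
        if p.flags == "SYN-ACK":
            if self.sessions.get(rev) != "SYN_SENT":
                return "drop:unexpected-syn-ack"
            self.sessions[rev] = "SYN_RECEIVED"
            return "accept"
        if p.flags == "ACK" and self.sessions.get(fwd) == "SYN_RECEIVED":
            self.sessions[fwd] = "ESTABLISHED"   # third step of the handshake
            return "accept"
        if "ESTABLISHED" in (self.sessions.get(fwd), self.sessions.get(rev)):
            return "accept"                      # ACK or DATA on an open session
        return "drop:no-session"


def sample_traffic():
    """Constructed stream: one legitimate handshake plus data, one stray ACK
    that belongs to no session, then a burst of 40 SYNs toward port 80."""
    web, client = "192.0.2.10", "10.1.2.3"
    pkts = [
        Packet(0.00, client, web, 80, "SYN"),
        Packet(0.01, web, client, 80, "SYN-ACK"),
        Packet(0.02, client, web, 80, "ACK"),
        Packet(0.03, client, web, 80, "DATA"),
        Packet(0.04, web, client, 80, "DATA"),
        Packet(0.05, "198.51.100.7", web, 80, "ACK"),   # no handshake seen
    ]
    pkts += [Packet(1.0 + i * 0.001, f"203.0.113.{i}", web, 80, "SYN")
             for i in range(40)]
    return pkts


def run(packets, rate=10.0, burst=5):
    """Feed the packets through the filter and return verdict counts."""
    flt = StrictTcpFilter(SynRateLimiter(rate, burst))
    return Counter(flt.process(p) for p in packets)


if __name__ == "__main__":
    for verdict, n in sorted(run(sample_traffic()).items()):
        print(f"{verdict:24} {n}")
```

With the assumed bucket of 5 SYNs refilled at 10 per second, the burst passes only 5 of its 40 SYNs while the legitimate session is unaffected.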
265. s field, select the local user for this profile.
4. From the Assigned Network Blocks, select the network for this profile.
5. Enable the profile assignment by clicking the status light. The status light is green.

If a user or computer defined in the profile attempts to access a blocked website, access will be blocked and the user will receive a message explaining why.

Advanced

[Screenshot: HTTP Proxy Advanced settings with Caching, Block CONNECT Method, TCP Port 8080 and Clear HTTP Proxy Cache]

Caching: This function buffers often used websites in the HTTP Proxy Cache. This is enabled by default (status light shows green). Clicking on the Disable button disables this function.

Block CONNECT Method: All HTTP connection requests will be blocked by the HTTP proxy. Only the HTTP methods GET and PUT will be allowed through the proxy.

Each client request will be introduced through the information of the method. Methods define the respective action for requests. The current HTTP specification offers eight methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT. Only the GET and PUT methods are explained in this section.

The GET method is used with requests for a document or another source. A source in this case is defined through the request URL. There are two types: Conditional GET and partial GET. With
s protocol that uses no so-called ACK bit. Because it does not keep state, UDP can be faster than TCP, especially when sending small amounts of data. This statelessness, however, also means that UDP cannot recognize when packets are lost or dropped: the receiving computer does not signal the sender when it receives packets successfully.

TCP connections also use port numbers from 0 to 65535 inclusive. Lost packets can be recognized by TCP and requested again: in a TCP connection the receiver notifies the sender when a packet is successfully received (connection-oriented protocol). TCP sessions begin with a three-way handshake and are torn down at the close of the session.

The ESP and AH protocols are used for Virtual Private Networking (VPN). These protocols are covered in the IPSec VPN chapter on page 258.

The service table contains the defined services and groups. By default, the table contains the pre-defined, statically entered services.

Services can be grouped into Service Groups. These service groups can be used in the same way as single services, and can themselves be included in other service groups. In the service table, service groups are labeled by the group symbol. The definition of Service Groups is described on page 112.

Add Service:
1. Under the Definitions tab, open the Service menu.
2. Click on the New Definition button. The entry window will open. Make the following setti
s to ICMP ping requests (e.g. the DNS server of your ISP). The security system will send ping requests to this host; if no answer is received, the backup interface will be enabled by the failover. This entry field must always contain an IP address for the failover to work.

QoS Status: In order to use Quality of Service (QoS) bandwidth management on an interface, enable this option. To enable the Quality of Service (QoS) module, select On from the drop-down menu.

Important Note: For the Quality of Service (QoS) bandwidth management you must define the values for Uplink Bandwidth (kbits) and Downlink Bandwidth (kbits). These values are the basis for the bandwidth management system; incorrect values can lead to poor management of the data flow. The Quality of Service (QoS) function is described in chapter 5.5.1.

Uplink Bandwidth (kbits): This setting only appears if the QoS function is enabled. In this entry field, enter the available bandwidth for the uplink in whole kilobits per second. This value can be determined either from the values of the upstream interface or from the router. On an interface to the Internet, this value corresponds to the bandwidth of the Internet connection: on an ADSL access the uplink bandwidth amounts to 128 kbit/s and on a 2 Megabit fixed connection to 2048 kbit/s.

Downlink Bandwidth (kbits): This setting only appears if the QoS function is enabled. In this entry men
sage in the "Type reason here" field, which will be transmitted to the other administrator.

Glossary

Broadcast: The address used by a computer to send a message to all other computers on the network at the same time. Example: A network with address 212.6.145.0 and netmask 255.255.255.240 has the broadcast address 212.6.145.15.

Client: A client is a program that communicates over a network with a server in order to make use of a particular service. Example: Netscape is a WWW client and communicates with a WWW server to download web pages.

Client-Server model: Applications based on the client-server model use a client program on the user's computer to communicate with a central server program on the network. The server is usually responsible for keeping track of the data, while the client is responsible for presenting the data to the user. In order to function correctly, the client and server must both use a well-defined network protocol to communicate. All important applications on the Internet (e.g. WWW, FTP, news) use this model.

DNS: The Domain Name System (also: Domain Name Service) translates the underlying IP addresses of Internet-connected computers into more human-friendly names or aliases, and vice versa. Both translations are done by name servers. Every Internet-connected institution must employ at least two separate DNS servers to answer queries about its internal
se packets. Packets larger than this value will be considered too long for the connection and fragmented into smaller ones before transmission; the fragments are then sent separately. If the value is set too low, performance suffers, because more packets have to be sent for the same amount of data.

The default for a PPP over Ethernet (PPPoE DSL) connection is 1492 bytes.

6. Confirm these settings by clicking Add. The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

7. Enable the interface by clicking the status light. The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

5.3.2.6 PPTPoE / PPPoA DSL Connections

(Fields in the Add Interface window: Hardware (e.g. eth1, Realtek RT8139), Type (PPTP over Ethernet / PPPoA DSL), Address (assigned by remote), Modem IP Address, NIC Netmask, Address to Ping.)

This type of interface is required for DSL connections using the PPP over ATM protocol. To configure such a connection, you will need an unused Ethernet interface on the security system as we
se settings by clicking Add. The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

Enable the interface by clicking the status light. The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

5.3.2.3 Wireless LAN

The industry standards IEEE 802.11 apply to Wireless LAN. This Internet security system supports the IEEE 802.11b protocol. This standard uses radio signals in the ISM frequencies in the 2.4 GHz band to communicate between nodes. ISM stands for Industrial, Scientific and Medical; the ISM frequencies have been specifically allocated for unlicensed communication by industrial, scientific and medical organizations and are thus available for cost-free private use. The IEEE 802.11b standard allows for a maximum bandwidth of 11 Mbit/s. When planning your network design, however, note that the bandwidth actually available will be smaller when the distances between nodes are large.

Important Note: In order to configure a Wireless LAN, you will need a PCMCIA card with a Prism2, Prism2.5 or Prism3 compatible chipset. The hardware suppo
ser of MyAstaro, enter the password into the "Yes, my password is" entry field. Then click on the Submit button.

Create a new MyAstaro Account:
E-Mail Address: You can correct your address in this entry field.
Password: Enter your desired password here.
First Name: Enter your first name here.
Last Name: Enter your last name here.
Then click on the Register button.

If the registration was successful, the page with the message "Congratulations, you have created your MyAstaro account" will be displayed. You also receive a confirmation by e-mail.

Now you can download different versions of the Internet security system under MyAstaro and execute the following actions for your license:
1. Convert a Version 4 license to a Version 5 license.
2. Register purchased Version 5 Activation Keys.
3. Add options to your registered license.
4. Download a free Home User license.
5. Download a 30-day test version with additional features.

Licensing the Internet security system

In order to license the Internet security system, you need a valid license file on the local host, so that you can import it into the Internet security system through the WebAdmin configuration tool.
1. Open the Licensing menu in the System tab.
2. In the Upload License File entry field, click on the Browse button.
3. From the Select File dialogue, select the license file and click on the Open button.
4. Click on the Start but
sible for computers on an internal LAN to use private IP addresses while still allowing them to communicate, through the security system, with the public Internet.

(Fields in the Add New NAT Rule window: Rule Type (DNAT / SNAT).)

NAT Rules

When a client sends an IP packet to the router, NAT translates the sending address to a different, public IP address from the address space given by the Internet provider before forwarding the packet to the Internet. When a response packet is received, NAT translates the public address back into the original address and forwards it on to the internal client. Depending on system resources, the NAT function can handle arbitrarily large internal networks.

Destination Network Address Translation (DNAT) is a special case of NAT whereby the destination addresses of packets are translated. This is especially useful when an internal network uses private IP addresses but an administrator wishes to make some services available to the public Internet.

Important Note: PPTP VPN Access is incompatible with DNAT.

Example: Your internal network uses the address space 192.168.0.0/255.255.255.0, and a web server running at IP address 192.168.0.20, port 80, should be available to Internet-based clients. Because the 192.168 address space is private, the Internet-based clients cannot send packets directly to the web server. It is, however, possible for them to com
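The two translations described above, as an added example that is not the product's own code: internal hosts on 192.168.0.0/24 are masqueraded behind one public address (source translation with a per-connection port mapping), and a DNAT rule publishes the web server 192.168.0.20:80 on that public address. The public address 198.51.100.1, the port range starting at 40000 and the client addresses are assumptions of this example. Note the last case in demo(): without a DNAT rule an unsolicited packet to a private host has nowhere to go and is dropped, which is the protection the text describes.

```python
# Added example (not the product's own code): a toy NAT box with masquerading
# (SNAT) for outbound flows and DNAT for one published service.
class NatBox:
    def __init__(self, public_ip, dnat_rules=None, first_port=40000):
        self.public_ip = public_ip
        # DNAT: (public_ip, public_port) -> (internal_ip, internal_port)
        self.dnat = dict(dnat_rules or {})
        self.next_port = first_port   # assumed start of the masquerade port range
        self.snat = {}                # (internal_ip, internal_port) -> public_port
        self.reverse = {}             # public_port -> (internal_ip, internal_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an internal client's packet before forwarding it to the Internet."""
        key = (src, sport)
        if key not in self.snat:
            # allocate a fresh public port and remember the mapping for replies
            public_port = self.next_port
            self.next_port += 1
            self.snat[key] = public_port
            self.reverse[public_port] = key
        return (self.public_ip, self.snat[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if dst != self.public_ip:
            return None
        if dport in self.reverse:               # reply to a masqueraded flow
            int_ip, int_port = self.reverse[dport]
            return (src, sport, int_ip, int_port)
        if (dst, dport) in self.dnat:           # explicitly published service
            int_ip, int_port = self.dnat[(dst, dport)]
            return (src, sport, int_ip, int_port)
        return None                             # private host stays unreachable


def demo():
    """The scenario from the text with constructed addresses; returns the four outcomes."""
    nat = NatBox("198.51.100.1", {("198.51.100.1", 80): ("192.168.0.20", 80)})
    out = nat.outbound("192.168.0.5", 51000, "203.0.113.9", 443)    # client goes out
    reply = nat.inbound("203.0.113.9", 443, "198.51.100.1", out[1])  # server answers
    web = nat.inbound("203.0.113.77", 33000, "198.51.100.1", 80)     # DNAT to web server
    hidden = nat.inbound("203.0.113.77", 33001, "198.51.100.1", 22)  # no rule: dropped
    return out, reply, web, hidden
```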
Error: The Hardware List table doesn't list all of the network cards.
Possible Causes: The missing network cards were added after the installation of the security system, or were not recognized during installation. Please contact the support department of your security system provider.

Attention: If you change the IP address of the internal network card (eth0), you may lock yourself out.

5.3.2.1 Standard Ethernet Interface

To configure a network card for a standard Ethernet connection to an internal or external network, you must configure the card with an IP address and netmask. All network cards installed on the security system are shown in the Hardware List. (Fields in the Add Interface window: Name, Hardware, Type, Address, Netmask, Default Gateway, Proxy ARP, Uplink Failover on Interface, QoS Status, MTU Size.)

Configuring a Standard Ethernet Connection:
1. In the Network tab, open the Interfaces menu.
2. Click on the New button. The Add Interface window will open.
3. In the Name entry field, enter a descriptive name for the interface (example: External for an Internet connection).
4. Use the Hardware drop-down menu to select a network card.
Tip: For an external connection (e.g. to the Internet), choose the card with Sys ID eth1.
5. Use the Type drop-down menu to select Standard Ethernet Int
sively reduce the number of spam messages. One commercial service, for example, can be found at http://www.mail-abuse.org.

Action: This drop-down menu allows you to define how e-mails originating from addresses or domains listed in an RBL should be handled. The following actions are possible:
- Warn: If an e-mail is received from an RBL-listed source, the X-RBL-Warning header will be inserted in the message, and the message will be allowed to pass through the proxy. More information on inserted headers can be found in the Spam Detection section.
- Reject: E-mails from listed sources will not be accepted and will instead be bounced back to the sender.

Zone: Enter the addresses of the RBL zones (databases) to use in this list. The function of the Control List is identical to the Ordered List and is described in chapter 4.3.4 on page 39.

Spam Protection

This option heuristically checks incoming e-mail for characteristics suggestive of spam. This system uses an internal database of heuristic tests and characteristics, making the test independent from sender information and also more reliable.

Two thresholds can be defined for the spam score. This ensures that potential spam e-mails are treated differently by the firewall depending on how high they score: the threshold with the higher level triggers the more severe treatment. The functioning is explained below with the help of the default settings.

Default settings:
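How an RBL check and the Warn and Reject actions fit together, as an added example that is not the product's own code. A real deployment resolves the query name in DNS (an answer means "listed"); here a constructed set of listed names stands in for the DNS answer, and the zone name bl.example.org, the client address 192.0.2.10 and the messages are assumptions of this example.

```python
# Added example (not the product's own code): RBL query name construction,
# a stand-in lookup, and the Warn / Reject handling from the text.
from email.message import EmailMessage


def rbl_query_name(client_ip, zone):
    """Build the DNS name an RBL is queried for: reversed octets under the zone."""
    octets = client_ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, zone, listed_names):
    """Stand-in for the DNS lookup: 'listed' means the query name would resolve."""
    return rbl_query_name(client_ip, zone) in listed_names


def apply_rbl(msg, client_ip, zone, listed_names, action="Warn"):
    """Return ('pass' or 'reject', msg). Warn inserts X-RBL-Warning, Reject bounces."""
    if not is_listed(client_ip, zone, listed_names):
        return "pass", msg
    if action == "Reject":
        return "reject", msg
    msg["X-RBL-Warning"] = f"{client_ip} listed in {zone}"
    return "pass", msg


def demo():
    """Constructed: 192.0.2.10 is listed, 192.0.2.11 is not."""
    listed = {"10.2.0.192.bl.example.org"}
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["Subject"] = "hello"
    msg.set_content("constructed sample body")
    warned = apply_rbl(msg, "192.0.2.10", "bl.example.org", listed, "Warn")
    rejected = apply_rbl(EmailMessage(), "192.0.2.10", "bl.example.org", listed, "Reject")
    clean = apply_rbl(EmailMessage(), "192.0.2.11", "bl.example.org", listed, "Warn")
    return warned[0], warned[1]["X-RBL-Warning"], rejected[0], clean[0]
```

A practical point the text's Warn action relies on: a downstream mail client can only filter on X-RBL-Warning if the proxy strips any such header a sender supplied itself, otherwise the sender controls the signal.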
ss LAN Access Point mode also allows stations to be selectively granted access to the network on the basis of MAC address. Normally, in the interest of flexibility, a wireless LAN will allow any new node onto the network as long as it is configured with the correct WEP settings. An administrator may choose, however, to control which nodes should have access. Such a filter can be configured to allow only certain nodes (for instance the one identified by MAC address 00:04:76:26:65:4C) onto the network. When a new node attempts to join the network, the security system checks its MAC address: if the hardware address is in the list of allowed nodes, it will be permitted to join; otherwise the connection will be dropped.

This security solution supports two kinds of MAC address filter, negative and positive. A negative filter allows all hardware addresses except those on the list to join the network: in the access control you define only those network cards that must not access the Wireless LAN. A positive filter, on the other hand, first excludes all MAC addresses; in the access control you explicitly define those network cards that may access the Wireless LAN. If at all possible, a positive filter should be used, which is by far safer. Note that a MAC address is not a secret: an attacker who observes the traffic can copy a permitted station's address, so the filter supplements link encryption rather than replacing it.

The following settings are required to configure a wireless LAN PCMCIA card:
- SSID: An acronym for Service Set Identifier; this is essentially the name of the network. More than on
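The positive and negative filters described above, as an added example that is not the product's own code. Addresses are normalised first, so that 00:04:76:26:65:4C (the address from the text) and 00-04-76-26-65-4c compare equal; a filter that compared raw strings would silently let a differently written copy of a blocked address through.

```python
# Added example (not the product's own code): MAC address normalisation and a
# positive (allow-list) or negative (deny-list) station filter.
import re


def normalize_mac(mac):
    """Strip separators and case so that equal addresses compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


class MacFilter:
    def __init__(self, mode, addresses):
        if mode not in ("positive", "negative"):
            raise ValueError("mode must be 'positive' or 'negative'")
        self.mode = mode
        self.addresses = {normalize_mac(a) for a in addresses}

    def allows(self, mac):
        """True if a station with this address may join the network."""
        listed = normalize_mac(mac) in self.addresses
        # positive: only listed cards join; negative: listed cards are excluded
        return listed if self.mode == "positive" else not listed


def join_attempts(filter_, macs):
    """Decide a batch of join attempts; returns the list of (mac, allowed)."""
    return [(m, filter_.allows(m)) for m in macs]
```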
t NAT Rule window. The rule can now be changed as desired.

Deleting Masquerading rules: Click delete to remove a rule from the list.

5.3.4.3 Load Balancing

(Fields in the Add New NAT Rule window: Rule Type, Pre-Balancing Target, Post-Balancing Target Group.)

The Load Balancing function allows you to balance incoming connections (e.g. SMTP or HTTP sessions) across different servers behind the security system.

Example: In the enterprise's DMZ sit two identical HTTP servers with IP addresses 192.168.66.10 and 192.168.66.20. Load Balancing can split incoming HTTP requests between the two servers evenly.

Before the load balancing rule can be defined, the two HTTP servers must be defined as networks (consisting of single hosts) in the Definitions/Networks menu. Next, add both to a single network group. The procedures for adding networks and network groups are described in chapter 5.2.1 and on page 103, respectively.

Once these definitions have been saved, the load balancing rules can be defined.

Defining Load Balancing rules:
1. In the Network tab, open the NAT/Masquerading menu.
2. Click on the New button. A window named Properties will open.
3. Enter a descriptive name for the load balancing rule in the Name entry field.
4. Use the Rule Type drop-down
t Filter.

Select the associated key in the Authentication of Remote Station(s) window. IPSec remote keys are defined in the IPSec VPN/Remote Key menu. The settings in this window depend on the type of connection.

7.1 Standard
Key: Use the drop-down menu to select a Remote Key.

7.2 Road Warrior
L2TP Encapsulation: This drop-down menu allows you to additionally enable L2TP over IPSec (On).
Keys: Select the Remote Keys for the road warrior connection from the selection window.

7.3 Road Warrior CA
L2TP Encapsulation: This drop-down menu allows you to additionally enable L2TP over IPSec (On).
Use CA: With the road warrior CA connection type, the authentication is based on the Distinguished Name (DN) of the remote endpoint. You therefore need the Certificate Authority (CA) that issued the certificate of this endpoint. Only the VPN Identifier X.509 DN can be used. From the drop-down menu, select the X.509 DN Certificate Authority (CA).
Client DN Mask: In order to use a Distinguished Name as an ID, you will need the following information from the X.509 subject: Country (C), State (ST), Locality (L), Organization (O), Unit (OU), Common Name (CN) and E-Mail Address (E). The data in this entry field must be in the same order as in the certificate.

7.4 MS Windows L2TP/IPSec
L2TP Encapsulation: With this type of connection, L2TP over IPSec is automatically enabled (On).
IPSec Shared Secret: With the MS Windows L2TP/IPSec co
t Gateway filled in.

3.2.1 Software Installation

The first part of the installation uses the Installation Menu to configure basic settings. The setup program will check the hardware of the system and then install the necessary software on your PC.

1. Boot your PC from the CD-ROM drive (Step 1). In order to navigate through the menus, use the following keys. Please note the additional key functions listed in the green bar at the bottom of the screen.
- Cursor keys: Navigate through the text boxes (e.g. the license agreement, or when selecting a keyboard layout).
- Enter key: The entered information is confirmed, and the installation proceeds to the next step.
- ESC key: Abort the installation.
- Tab key: Move between text boxes, entry fields and buttons.

Attention: The installation will destroy all data on the PC.

2. Keyboard Layout (Step 2): Use the cursor keys to select your keyboard layout and press Enter to continue.
3. Hardware Test (Step 3): The software will check the following hardware requirements: CPU, size and type of hard drive, CD-ROM drive, network cards, and IDE or SCSI controllers. If your system does not meet the minimum requirements, the installation will report the error and abort.
4. License Agreement (Step 4): Note: Please read the license agreement carefully. Press F8 to agree to the terms of the license.
5. Time and Date (Step 5): Use
t be configured with normal routing entries, e.g. when the network includes a router over which you have no control.

By default, the Proxy ARP function is disabled (Off). To enable it, select On from the drop-down menu.

Uplink Failover on Interface: This function is only displayed if Assign by DHCP or Static has been selected in the Default Gateway drop-down menu. If a network card is an interface to the Internet (e.g. a 2 Megabit fixed connection), you can configure a standby connection through a second Internet access (e.g. a DSL connection) and an additional network card. If the primary connection fails, the uplink will automatically be set up through the second Internet access.

Note: You need two separate Internet accesses and an additional network card for the Uplink Failover on Interface connection.

Uplink Failover on Interface is disabled by default (Off). If you wish to use this network card as the primary Internet connection, select Primary Interface in the drop-down menu. If this network card is to carry the standby connection, select Backup Interface.

Uplink Failover check IP: Once the Uplink Failover on Interface function has been enabled, this entry field will be displayed. Enter the IP address of a host that replies to ICMP ping requests (e.g. the DNS server of your ISP). The security system will send ping requests to this host; if no answer is rece
t comprises three set fields:
- Username
- Password in clear text (PAP)
- Type of proxy (the string http, smtp or socks) in the NAS-Identifier field

Your RADIUS server should use this information to determine whether or not access should be granted, and should send back a properly formatted reply.

Configuring Microsoft's IAS RADIUS Server

IAS is a part of all versions of Microsoft Windows 2000 Server, but is generally not installed by default. For Microsoft Windows NT4, IAS is part of the NT4 Option Pack and is available without charge. The MS Windows NT4 IAS has fewer features than the 2000 version, but is nevertheless sufficient for user authentication with the security system.

1. Check that the IAS service is installed. If it is not, install it now.
2. Create a user group for every proxy to be used.
Tip: Name the group according to the proxy to be used. For example, name the group for the HTTP Proxy "HTTP Proxy Users".
3. For each group, add the users who should be allowed to use this proxy service.
4. Make sure that the user flag "Allow dial-in access to the network" is set for every user in these groups. You can find this setting in the user properties dialog box. MS Windows NT/2000 needs this flag to answer RADIUS inquiries.
5. Open the administration program for the IAS service.
6. Add a client. This requires the following information:
Client Name: Enter the DNS name of
t may be useful to exclude certain hosts or networks from accounting, for instance when a DMZ host only communicates with internal systems but you are only interested in collecting accounting data for outbound traffic; since its traffic is purely internal, there is no point in counting it.

In the Reporting/Accounting menu, you can monitor the collected accounting data and edit accounting rules.

Important Note: Accounting on network interfaces costs resources; enabling it on more interfaces than you need may overload the system.

Configuring Traffic Accounting:
1. In the Network tab, open the Accounting menu.
2. Enable the function by clicking the Enable button. The status light will show green and another entry window will open.
3. In the Interfaces selection field, choose the network cards. Please see chapter 4.3.2 on page 36 for a description of how to use selection fields.
4. Use the Ignored Networks selection menu to choose which networks to ignore.
The settings in the Traffic Accounting menu are enabled immediately.

5.3.8 Ping Check

Ping allows you to test the connection with a remote host. Please note that Ping Check requires that the Ping from Firewall option is active in Packet Filter > ICMP. If you want to ping DNS hostnames, Proxies > DNS must also be configured.
Ping Host: << Custom hostname/IP address >>
Hostname/IP A
t on the Internet (e.g. the DNS server of your ISP) here. The security system will send ping requests to this host; if no answer is received, the connection will be torn down.
Username: Enter the username provided by your ISP.
Password: Enter the password provided by your ISP.
Click Enable to open the Advanced options configuration settings.

Uplink Failover on Interface: This function is only displayed if Assign by DHCP or Static is selected in the Default Gateway drop-down menu. You can configure a standby connection through a second interface. If the primary connection fails, the uplink will automatically be set up through the second interface.

Note: You need two separate Internet accesses and one additional network card for the Uplink Failover on Interface function. Please note that the security system only supports one DSL connection. A standby connection for accessing the Internet can therefore only consist, for example, of a fixed connection and a DSL access.

Uplink Failover on Interface is disabled by default (Off). If you wish to use this virtual interface as the primary connection, select Primary Interface from the drop-down menu. If this interface is to carry the standby connection, select Backup Interface.

Uplink Failover check IP: Once the Uplink Failover on Interface function has been enabled, this entry field will be displayed. Enter the IP address of a host that replie
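The failover decision driven by the Uplink Failover check IP, described for the Ethernet interface above and again here for the DSL interface, as an added example that is not the product's own code. The thresholds (three unanswered pings before switching to the backup, three answered pings before returning to the primary) are assumptions of this example; the product's exact timing is not documented on this page. The hysteresis matters: switching on a single lost ping would flap the uplink, and for the same reason the check IP should be a host that is reliably reachable only through the primary link, such as the ISP's DNS server suggested in the text.

```python
# Added example (not the product's own code): uplink failover state machine
# fed with ping results for the check IP. Thresholds are assumed values.
class UplinkFailover:
    def __init__(self, fail_after=3, recover_after=3):
        self.fail_after = fail_after
        self.recover_after = recover_after
        self.active = "primary"
        self.misses = 0   # consecutive unanswered pings while on the primary
        self.hits = 0     # consecutive answered pings while on the backup

    def ping_result(self, answered):
        """Feed one ping result for the check IP sent over the primary link; return the active uplink."""
        if self.active == "primary":
            self.misses = 0 if answered else self.misses + 1
            if self.misses >= self.fail_after:
                self.active, self.misses, self.hits = "backup", 0, 0
        else:
            self.hits = self.hits + 1 if answered else 0
            if self.hits >= self.recover_after:
                self.active, self.hits = "primary", 0
        return self.active


def run(results, fail_after=3, recover_after=3):
    """Replay a constructed sequence of ping results; return the uplink in use after each."""
    fo = UplinkFailover(fail_after, recover_after)
    return [fo.ping_result(r) for r in results]
```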
tem resources and can slow the IPSec VPN connection set-up down considerably. This option should only be enabled when IKE is actively being debugged.

IPSec Connections

In the IPSec Connections table, all current VPN connections are listed.

IPSec System Information

VPN Status: In the VPN Status window, status information is shown for the active encryption algorithms, all active IPSec connections, and detailed information about every Security Association (SA).

VPN Routes: The VPN Routes window shows all active IPSec SA connections. If no entries exist here, no IPSec connections are active. Routing entries have the following form:

A  B -> C -> D
3  192.168.105.0/24 -> 192.168.104.0/24 -> %hold
8  192.168.105.0/24 -> 192.168.110.0/24 -> %trap
0  192.168.105.0/24 -> 192.168.130.0/24 -> tun0x133a@233.23.43.1

Column A: The number of packets in this VPN connection.
Column B: The local subnet or host.
Column C: The remote subnet or host.
Column D: The status of the connection:
- %trap: The connection is idle and is waiting for a packet; the first matching packet triggers the set-up of the VPN connection.
- %hold: The connection is being negotiated. All packets will wait until the VPN tunnel is established (up).
- tun0x133a@233.23.43.1: Entries like this show that the tunnel is up.

A VPN tun
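A parser for the VPN Routes lines above, as an added example that is not the product's own code, useful when the table is collected into a monitoring script rather than read by eye. The three sample lines are the ones from the text; the separator is accepted as either "->" or "=>" because the underlying eroute output writes the status with "=>".

```python
# Added example (not the product's own code): parse VPN Routes entries into
# the four columns described in the text and list the tunnels that are up.
import re

ROUTE_RE = re.compile(
    r"^(?P<packets>\d+)\s+(?P<local>\S+)\s+(?:->|=>)\s+(?P<remote>\S+)\s+(?:->|=>)\s+(?P<status>\S+)$"
)


def parse_vpn_route(line):
    """Return a dict with packets, local, remote, status and a readable state."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised VPN route line: {line!r}")
    status = m.group("status")
    if status == "%trap":
        state = "idle, waiting for a packet"
    elif status == "%hold":
        state = "negotiating, packets held"
    elif status.startswith("tun0x"):
        state = "up"
    else:
        state = "unknown"
    return {"packets": int(m.group("packets")), "local": m.group("local"),
            "remote": m.group("remote"), "status": status, "state": state}


# The three entries shown in the text.
SAMPLE = """\
3 192.168.105.0/24 -> 192.168.104.0/24 -> %hold
8 192.168.105.0/24 -> 192.168.110.0/24 -> %trap
0 192.168.105.0/24 -> 192.168.130.0/24 -> tun0x133a@233.23.43.1
"""


def active_tunnels(text):
    """Return the remote networks for which a tunnel is actually up."""
    routes = [parse_vpn_route(l) for l in text.splitlines() if l.strip()]
    return [r["remote"] for r in routes if r["state"] == "up"]
```

Note that a non-zero packet count does not mean a tunnel is working: the first sample line has counted 3 packets but is still in %hold, so the packets are queued, not delivered.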
ter the filter attributes in the fields listed. You don't have to define all attributes.
Name: If you want to filter the services by name, enter the expression in the entry field.
Protocol: This drop-down menu allows you to filter the services by specific protocols.
Source Port: If you want to filter services by a specific source port, enter it in this entry field.
Destination Port: If you want to filter services by a specific destination port, enter it in this entry field.
Comment: If you want to filter services by specific comments, enter the expressions in this entry field.
3. To start the filter, click on the Apply Filters button. Only the filtered services will be displayed in the table. The next time you open the menu, the complete service table will be displayed.

Further Functions
Editing Definitions: Click on the settings in the Name, Value and Comment columns in order to open an editing window. You can then edit the entries.
Deleting Definitions: Clicking on the trash symbol deletes the definition from the table.

5.2.3 Users

In the Users menu, Local Users are added if the use of proxy services is to be limited to specific persons. This is an alternative to using an external user database. This menu allows you to define which user has access to which proxy services. Available options are HTTP Proxy, SMTP Proxy, SOCKS Proxy, WebAdmin, L2TP over IPSec and PP
tered here for a smooth installation. In this case, and if the password is known, WebAdmin can be accessed from everywhere.

(Fields: Authentication Methods (Local Users), Allowed Users, Log Access Network Traffic.)

Security Note: As soon as you can, limit access to the Internet security administration: replace the Any entry in the Allowed Networks selection field with a smaller network, for example your own IP address in the local network. The safest solution is for only one administrator PC to have access to the Internet security system through HTTPS. Networks can be defined in the Definitions/Networks menu.

Authentication Methods: Select the authentication method in the selection field. In order to give you access to the Internet security system through the WebAdmin configuration tool after the installation, the authentication method Local Users has already been defined here and the respective user has been entered in the Allowed Users selection menu. Further available authentication methods are NT/2000/XP Server, RADIUS Database and LDAP Server. Local Users are administered in the Definitions/Users menu.

Allowed Users: By default this is set to the user admin. Local users are defined in the Definitions/Users menu.

Log Access Network Traffic: All connections to the WebAdmin configuration tool are logged to the Packet Filter Logs as Accept rule entries. The Packet Filter Logs can be fou
the cursor keys to select your country and press Enter to confirm. Use the cursor keys to select your time zone and press Enter to continue. Next, enter the current time and date in the entry field. Use Tab and the cursor keys to switch between entry fields. Invalid entries will be rejected. Confirm your entries with the Enter key.

6. Network Card Selection and Configuration (Step 6): In order to use the WebAdmin tool to configure the rest of your security system, you must now configure a card to be the internal network card (eth0). Choose one of the available network cards from the list and confirm your selection with the Enter key. Next, define the IP Address, Network Mask and Default Gateway for this network card.

Example:
Address: 192.168.2.100
Netmask: 255.255.255.0

You must enter a value in the Gateway field if you wish to use the WebAdmin interface from a workstation outside the subnet defined by the netmask. Note that the gateway itself must be within the subnet. For example, if you are using a netmask of 255.255.255.0, the subnet is defined by the first three values of the address, in this case 192.168.2. If your administration computer is at, for example, 192.168.10.5, it is not on the same subnet and thus requires a gateway to be configured here. The gateway router must have an interface on the 192.168.2 subnet and must be able to contact the administration computer.

In our example, assume
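The address checks behind this installation step, and behind the Broadcast entry in the Glossary, as an added example that is not the product's own code: a netmask must be contiguous, the broadcast address follows from address and mask (the glossary's 212.6.145.0 with mask 255.255.255.240 gives 212.6.145.15), and an administration PC outside the subnet is reachable only through a gateway that itself lies inside the subnet. The values 192.168.2.100/255.255.255.0 and the administration PC 192.168.10.5 are the text's own; the gateway 192.168.2.1 used in the test is an assumption.

```python
# Added example (not the product's own code): netmask validity, broadcast
# address and the "gateway must be inside the subnet" rule from the text.
from ipaddress import IPv4Address, IPv4Network


def mask_is_contiguous(netmask):
    """A valid netmask is a run of 1 bits followed by a run of 0 bits."""
    m = int(IPv4Address(netmask))
    inverted = (~m) & 0xFFFFFFFF
    # the host part, inverted, must be of the form 0...01...1 (i.e. 2^n - 1)
    return (inverted & (inverted + 1)) == 0


def subnet_info(address, netmask):
    """Network address, broadcast address and prefix length for address/netmask."""
    if not mask_is_contiguous(netmask):
        raise ValueError(f"netmask {netmask} is not contiguous")
    net = IPv4Network(f"{address}/{netmask}", strict=False)
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "prefix": net.prefixlen}


def check_admin_access(address, netmask, gateway, admin_pc):
    """Return (ok, reason) for reaching the administration PC from the internal card."""
    net = IPv4Network(f"{address}/{netmask}", strict=False)
    if IPv4Address(admin_pc) in net:
        return True, "admin PC is on the local subnet"
    if gateway is None:
        return False, "admin PC is off-subnet and no gateway is configured"
    gw = IPv4Address(gateway)
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        return False, f"gateway {gateway} is not a usable address in {net}"
    return True, f"admin PC reached via gateway {gateway}"
```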
the action "move it to a specified folder".

With one click on "specified folder" in the Rule description window, a new menu appears. Here you can either choose an existing folder or create a new destination folder for the filtered e-mails (example: Spam). Click OK to save the new settings in this menu. Then click on the Next button.

Add exceptions (step 4): The Spam Detection module heuristically checks incoming e-mails for certain characteristics. It can therefore happen that legitimate messages (e.g. HTML newsletters) are filtered. This menu allows you to define exceptions and thus exclude e-mails, e.g. messages of a particular sender, from this rule. Then click on the Next button.

Enter a name for this rule (step 5): Type a distinct name for this rule into the input field. In the option fields below, you can activate these rules and also apply them to e-mails which are already in the Inbox folder. You can change your settings in the Rule description window.

10. Then click on the Finish button.
Apply rules in the following order (step 6): In the Rules Wizard you can activate or deactivate the rules with one click on the option field, or make changes. In order to close the Rules Wizard, click on the OK button.

5.6.7 Proxy Content Manager

The Proxy Content Manager menu allows you to manage all of the e-mails quarantined by the proxy, as well as those which, because o
288. …the problem continues, please contact the support department of your firewall provider.

Virus Pattern Up2Date failed: Could not connect to Up2Date Server
The Up2Date server is not reachable. If the problem continues, please contact the support department of your firewall provider.

Intrusion Protection Pattern Up2Date failed: Could not connect to Up2Date Server
The Up2Date server is not reachable. If the problem continues, please contact the support department of your firewall provider.

Virus Pattern Up2Date failed: No active bases for Virus Patterns found

Intrusion Protection Pattern Up2Date failed: No active bases for Intrusion Protection Patterns found

IDs from the table (column separated from its rows in extraction): 337, 358, 360, 361, 362, 712, 850

Virus Pattern Up2Date failed: Internal MD5Sum Error
Could not create correct MD5Sums. If the problem recurs, please contact the support department of your firewall provider.

Intrusion Protection Pattern Up2Date failed: Internal MD5Sum Error
Could not create correct MD5Sums. If the problem recurs, please contact the support department of your firewall provider.

Pattern Up2Date failed: Licence Check failed
Your license could not be checked. If the problem continues, please contact the support department of your firewall provider.

Pattern Up2Date failed: Restart of Virus Scanner failed
If the problem continues, please contact the support depa…
289. …ticated using ESP. In both cases, the original header is sent over the WAN in clear text.

[Figure: IP packet layout per IPSec mode. Transport Mode (AH): Original Header | AH Header | Payload (authenticated). Transport Mode (ESP): Original Header | ESP Header | Payload. Tunnel Mode (AH) and Tunnel Mode (ESP): the original packet (header and payload) is encapsulated behind a new IP header and the AH or ESP header.]

In Tunnel Mode, the complete packet is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then encrypted and/or authenticated in its entirety. The AH protocol allows the entire packet to be authenticated.

IPSec Protocols

IPSec uses two protocols to communicate securely on the IP level:

• Authentication Header (AH): a protocol for the authentication of packet senders and for ensuring the integrity of packet data.
• Encapsulating Security Payload (ESP): a protocol for encrypting the entire packet and for the authentication of its contents.

The Authentication Header Protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based M…
290. …tigate these risks.

Networks

The Internet is already well established as a vital communications medium and a key marketplace for both traditional and new services. Since its inception, its size has multiplied, with domain name growth between 1995 and 2002 reaching almost exponential proportions. Computers on this worldwide network communicate using the Internet Protocol (IP), as well as various higher-level protocols such as TCP, UDP, and ICMP. IP addresses uniquely identify each of the computers reachable on the network.

The Internet itself is a collection of smaller networks of various kinds. When two or more networks are connected, a number of issues arise which are dealt with by devices such as routers, bridges, and gateways. A firewall is another such device, designed with security in mind.

As a rule, three kinds of network meet at the firewall:

• An external or Wide Area Network (WAN)
• An internal or Local Area Network (LAN)
• A De-Militarized Zone (DMZ)

An example configuration is shown on the next page.

Introduction to the Technology

[Figure: example configuration. Labels: Internet, Router, External Network, Firewall, Internal Network, E-Mail Server, Web Server.]

The Firewall

One of the components in this security system is a firewall. The characteristic tasks of a firewall connecting a WAN, LAN, and DMZ are:

Protection against unauthorized access. Acces…
291. …tion: IP address of the web server or Any; Action: Allow.

To use the proxy, configure the client browser proxy settings to use the IP address of the security system and port 8080.

Transparent: In this mode, the system notices HTTP requests on the internal network, automatically processes them, and forwards them to the remote server. The client browser is entirely unaware of the proxy server. The advantage of this mode is that no additional administration or configuration is required on the client; the disadvantage is that only pure HTTP (port 80) requests can be forwarded.

All networks allowed to use the transparent proxy must be explicitly listed in the Allowed Networks menu. When Transparent mode is used, the client browser settings cannot be used to control proxy settings. Moreover, no data can be downloaded from an FTP server in this mode. HTTPS connections (SSL) must be executed via a Packet Filter.

User Authentication: This mode offers the same functions as the Standard mode. In addition, user access to the HTTP proxy is only authorized after previous Authentication.

Note:
Changes in Proxies become effective immediately, without further notice.

Enabling the HTTP Proxy:

1. In the Proxies tab, open the HTTP menu.
2. Enable the proxy by clicking the Enable button in the Global Settings window.
   Another entry window will open.
3. In the Operation mode drop-down menu, select the mo…
292. …ton.

The system will require between 30 and 60 seconds to generate the system. After successful registration, the License Information window will contain the details of your license.

Licensing Information

After successful registration of the Internet security system, the License Information window will show the details of your license.

Licensed Users (IPs)

The functions in this window are used for licenses that do not allow for an unlimited number of users (IP addresses).

View current User (IP) Listing: Clicking on the Show button opens a table that lists all current users through their respective IP address.

Reset User (IPs) Listing: If you wish to reconfigure the internal network, you can reset the user table by this action. Then there is a reboot: the system will shut down completely and reboot. This action is enabled by clicking on the Start button.

5.1.3 Up2Date Service

[Screenshot: System Up2Date window with the options Prefetch Up2Dates now (Click Start to prefetch), Prefetch Up2Dates automatically, Import from File, and Unapplied Up2Dates (no locally stored Up2Date packages available).]

The Up2Date Service makes it easy to keep your security system software updated. New virus definitions, system patches, and security features will be installed to your current system. All Up2Date data are digitally signed and e…
293. …tool WebAdmin are explained on page 87.

Configuring the OpenLDAP Server

Make sure that there is a user configured on your LDAP server to have full read privileges for the directory. This will be the query user.

Security Note:
Make sure that the user has only read privileges.

With OpenLDAP, users are identified on the basis of their Common Names (CN). Please make certain that every user has a unique CN.

Important Note:
With the installation of the software all existing data will be deleted from the computer.

Because there are many different LDAP servers based on the OpenLDAP code, it is impossible to describe them all here. For further information, please consult the documentation accompanying your LDAP server.

If you are using the SLAPD server from the OpenLDAP Foundation, the current documentation is available at http://www.openldap.org.

Configuring LDAP on your Security System

[Screenshot: LDAP Server Settings window with the fields Status, LDAP Type, Unique User Attribute, IP Address, and LDAP Authentication by Attribute.]

Make sure that there is a user configured on your LDAP server to have full read privileges for the directory. This will be the query user.

You will need the Distinguished Name (DN) of this user as well as the IP address of your LDAP server in order to complete the configuration of the security system.
294. …ttempt (ID 264)

[Table excerpt: IPS rules of the dns group; status-light and icon columns were lost in extraction]
DNS EXPLOIT named tsig overflow attempt (ID 303)
DNS named version attempt (ID 257)
DNS EXPLOIT named overflow ADM (ID 259)
DNS SPOOF query response with TTL of 1 min and no authority
DNS EXPLOIT x86 Linux overflow attempt ADMv2 (ID 265)

The functions in the sub-tab from the left to the right:

Clicking on the status light enables the IPS rule.

The IPS rule can be configured as alarm rule (Intrusion Detection) or as blocking rule (Intrusion Prevention). Clicking on the icon switches the application of the IPS rule in this group.

Return to the overview by clicking on the folder icon.

Group: The name of the IPS group of rules is displayed in this column.

Hits: This column displays how often a rule from the group became active.

Info: The first line provides short information on this IPS rule group. You can obtain detailed information on the IPS rules by clicking on the corresponding icon with the mouse.

This window presents the parameters of this rule as Low Layer Information.

Clicking on the icon connects you to the corresponding link on the Internet. The website contains further information on the IPS rule. This information is compiled in projects such as Common Vulnerabilities and Exposures (CVE) and published on the Internet.

Setting an IPS rule

You can add…
295. …tworks window, choose the networks that the proxy should intercept requests from and to.

Source: Choose the source address here. Example: the name of the 192.168.0.0/255.255.0.0 network.

Destination: Choose the destination address here. Example: the name of the pop.yoursite.com network.

4. Confirm your selection by clicking Add.

Content Filter

[Screenshot: Content Filter window with Virus Protection, Spam Protection (Disable; Thresholds: Pass when score exceeds; Spam Sender Whitelist), File Extension Filter and Expression Filter (no data in table).]

Virus Protection: This option scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses. The results of the scan are inserted into a header of the message. Any messages blocked by the proxy will be shown in the Proxies/Proxy Content Manager menu. Enable the Virus Protection by clicking on the Enable button (status light is green).

Spam Protection: This option heuristically checks incoming e-mail for characteristics suggestive of spam. This system uses an internal database of heuristic tests and characteristics, making the test independent from sender information, and also more reliable.

Two Thresholds can be defined for the Spam Score. This ensures that potential SPAM e-mails are treated differently by the Firewall.
296. Default settings:

Thresholds:
Pass when Score exceeds: 03 (aggressive)
Quarantine when Score exceeds: 05 (reasonable)

The first threshold means that e-mails from level 3 on are filtered but allowed through. With the help of the attached header, the e-mail can be sorted or filtered on the mail server or in the e-mail program of the recipient. From the second threshold on, the e-mail will be accepted but put into quarantine.

Basically, the Threshold with the higher level is treated more severely.

Important Note:
On busy systems, the Spam Protection may require a large percentage of system resources.

Pass/Quarantine when Score exceeds: These drop-down menus can be used to select the strategy to use in marking messages as spam. The difference between the maximum values is defined through the probability that legitimate messages (such as HTML newsletters) will be blocked. It is possible to set a value between 1 and 15 in the drop-down menu. With level 1, e-mails are already treated as spam at a low spam score. The following levels serve as a guide:

• Aggressive (03): This strategy will catch most spam messages. It may also identify some legitimate messages, for example HTML newsletters, as spam.
• Reasonable (05): This strategy is a compromise between Aggressive and Conservative.
• Conservative (08): This strategy will only catch messages that are highly likely to be spam. Legitimate messages are unlikely to be caught.
297. …ty demands apply to your network.

Clicking on the symbol enables and disables the Embedded Object Filter.

Script Content Filter: This function deletes script contents such as Java and VBScript from incoming HTTP traffic.

Security Note:
Enable this function only if high security demands apply to your network.

Clicking on the symbol enables and disables the Script Content Filter.

Content Removal: This is an additional function of the Surf Protection Categories. This access control list allows you to filter Web pages that contain specific expressions. Such texts, which contain an expression from the access control list, will be replaced by an HTML comment.

Open the access control list by clicking on the field with the entry (e.g. 0 entries). Enter the expressions one beneath the other. Comments must be identified with a # sign at the beginning of each line.

Save your changes by clicking on the Save button. To keep an entry, click Cancel.

Virus Protection: This function checks incoming traffic for dangerous content such as viruses.

Clicking on the symbol enables and disables the Virus Protection.

Enabling Surf Protection (adding Profiles):

1. Enable this option by clicking the Enable button in the Surf Protection (Content Filter) window.

   The status light will show green and an advanced entry window will open.

   By default the Profiles table contai…
298. …u, enter the available bandwidth for the Downlink in full kilobits. On an interface to the Internet, this value corresponds to the bandwidth of the Internet connection; on an ADSL access the Uplink bandwidth amounts to 768 kBit/s and on a 2 Megabit fixed connection to 2048 kBit/s.

MTU Size: The MTU is the size, in bytes, of the largest transmittable packet. MTU stands for Maximum Transfer Unit. For connections using the TCP/IP protocol, the data will be subdivided into packets. A maximum size will be defined for these packets. Packets larger than this value will be considered too long for the connection and fragmented into smaller ones before transmission. These data packets will be sent again. However, the performance can be limited if the upper value is too low.

The following value is the default for the PPP over Ethernet (PPPoA DSL) connection: 1460 Byte.

Confirm these settings by clicking Add.

The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

Enable the interface by clicking the status light.

[Screenshot: Add Static Route window.]

The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load…
299. …uce the readability of the Packet Filter Live Log (e.g. Windows NetBIOS broadcasts), we recommend not to enable the Log function.

Comment: In this entry field you can optionally enter a comment on a rule.

4. Save your configuration by clicking Add Definition.

   If the definition was successful, the new Packet filter rule will be added to the rule table in a deactivated state (marked by the red status light).

   [Screenshot: rule table row with Source Marketing, Service HTTP, Comment "Example rule".]

5. Activate the Packet filter rule by clicking the status light.

After the rule is added to the table, further options are available for managing and editing rules in the rules table.

Note:
By default, new rules are added in an inactive state in the table. The rule will only become effective when it is set to be active. See Activating/deactivating rules.

The Rules Table

Each packet filter rule will be displayed in the table through a separate line. The different settings will either be displayed as alphanumeric signs or as symbols. While all settings with alphanumeric signs can be edited by clicking on the corresponding field, this is not possible with all symbol displays.

[Screenshot: rules table with the columns Group, Source, Service, Action, Destination, Comment. Row 1: none, Marketing, HTTP, (action icon), Any, Example rule.]

The following table explains all symbols from the rules table.

The Symbols

Icon | Column | Display | Setting
…
300. …unchanged.

Open the WebAdmin configuration tool and open the User Authentication menu in the System tab.

In the RADIUS Server Settings window, click the Enable button next to Status (the status light will show green).

Address or Hostname: Enter the IP address or the host name of the RADIUS server.

Shared Secret: Enter the Shared Secret from step 6.

Click the Save button to save these settings.

In the Proxies tab, open the menu corresponding to the proxy service you wish to use.

If User Authentication is not enabled (red status light), click the Enable button.

Authentication Methods: Choose RADIUS from the selection field.

Now confirm your settings by clicking on the Add button.

The user authentication using RADIUS is now active. The IAS service will log every access attempt in the Microsoft Windows NT/2000 Event Log.

In order to prevent the Windows Event Log from overflowing, the security system caches RADIUS access information for five minutes. This may mean that changes in the RADIUS database will not be reflected at the security system for a few minutes.

Attention:
The security system sends queries on UDP port 1812.

5.1.7.2 SAM (NT/2000/XP)

This authentication method uses an MS Windows NT/2000 Domain Controller or standalone server. Many businesses already use MS Windows NT/2000 networks based on ActiveDirectory.

The advantage of SAM is that it is very…
301. …ured for each user or network.

Important Note:
If you have configured the User Authentication configuration mode in the Global Settings window, the Profile Assignment via drop-down menu will be displayed above the Profile Assignment table. By default this is set to Local Users / Network blocks.

If you have configured a RADIUS or LDAP Server in the System/User Authentication menu, they will be displayed in the drop-down menu. Once you have selected one of the servers, the Profile Assignment table will be masked.

The Functions

The following picture shows a Profile assignment:

[Screenshot: Profile Assignment table (Total 1 entries; Add blank Assignment). Columns: Profile Name, Assigned local Users, Assigned Network Blocks. Row 1: Example; none; Any, Internal (Address), Internal (Broadcast), Internal (Network). Buttons: Save, Cancel.]

The functions from the left to the right are:

Deleting Profile assignments: Click the trash can icon to delete an assignment from the table.

Position number: The processing sequence will be displayed in the table through the respective Position number. Clicking on the field with the entry will open the drop-down menu. This drop-down menu allows you to change the order of the profile assignments. Save your changes by clicking on the Save button. To keep an entry, click Cancel.

Status light: The status light refers to the status of the profile assignment. Each new assignment…
302. …uthentication using the SOCKSv5, SMTP, and HTTP proxy services and can control which users are allowed to use which services. User accounts can be defined on the security system (through the Definitions/Users menu) or on an external user database. Supported external databases include RADIUS, SAM (Windows NT/Windows 2000/XP Server), Microsoft Active Directory and OpenLDAP. If an external user database is already present on the network, you can use it instead of having to re-enter user accounts on the security system itself.

User Authentication requires users to identify themselves before using network services. This allows for user-based access control and accounting rather than an IP-based access control. This allows for user-based Accounting in the HTTP Proxy access log.

Proxy Service and Authentication Methods

The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users. If user authentication is enabled and no database is selected, the proxy service cannot be used.

The security system supports user authentication against:

• A RADIUS Server
• An NT SAM user list
• An LDAP Server
• An internal database defined in WebAdmin

The four user databases can be checked one after the other.
303. …vailable for use in various configuration menus.

Using the network name you can, for instance, enable HTTP proxy access for the new network under Proxies/HTTP.

Adding DNS Server

1. Under the Definitions tab, open the Networks menu.
2. Click on the New Definition button.
   The entry window will open.
3. Make the following settings:

   Name: In the entry field, enter a unique DNS Server name. This name will be used later, for example to configure packet filter rules. The only allowed characters are alphanumeric characters, minus (-), space ( ) and underscore (_). Names may be up to 39 characters long.

   Type: Select DNS Hostname from the drop-down menu.

   Hostname: Enter the hostname in this entry field.

   Comment: You can enter a DNS Server description in this entry field.

4. Save the host by clicking on the Add Definition button.

   If the definition is successful, the new Host will be entered in the network table. You will now find this host under its name also in various other menus.

Defining Network Group

1. Under the Definitions tab, open the Networks menu.
2. Click on the New Definition button.
   The entry window will open.
3. Make the following settings:

   Name: In the entry field, enter a unique network group name. This name will be used later, for example to configure packet filter rules. The only allowed characters…
304. …vice drop-down menu to select a service.

   The available services are: HTTP, SMTP, SOCKS and WebAdmin.

   In the Attribute Name field, enter the name of the attribute. If you are using authentication using the MemberOf property on a Microsoft Active Directory Server, this should be the name of the Security Group to use. Example: socks_users

4. In the Attribute Value field, enter the DN for the attribute. The attribute value is the DN.

   [Screenshot: ADSI Edit in the Microsoft Management Console showing the CN=socks_users Properties window, with "Select which properties to view" set to Both, "Select a property to view" set to distinguishedName, and the Path LDAP://example.com/CN=socks_users,DC=example,DC=com.]

   Microsoft Active Directory displays the DN of attributes in the Management Console, under ADSI Edit. Here, under the Base DN (example: dc=example, dc=com), find the attribute name (example: socks_users) and right-click it. A window labeled CN=socks_users Properties will open.

   Use the Select which properties to view drop-down menu to choose Both, and in the Select a property to view drop-down menu, choose distinguishedName. The DN for this attribute will be shown in Value(s).

5. Click the Save button to save these settings.

Every member defined as a MemberOf the security group socks_users will be allowed to use this service.

5.1.8 WebAdmin Settings

C…
305. …with the web server, as shown in the example, as the one for the connection with the FTP server, both packet filter rules must be set to the same Action.

1. Rule for data packets from the web server:
   Source: web server
   Service: HTTP
   Destination: Internet
   Action: Allow (high priority)

2. Rule for data packets from the FTP server:
   Source: FTP server
   Service: FTP
   Destination: Internet
   Action: Allow (high priority)

[Screenshot: rules table with the columns Group, Source, Service, Action, Destination, Comment.
Row 1: none, Marketing, HTTP, (action icon), Any, Example rule.
Row 2: none, Web Server, HTTP, (action icon), Any, QoS Example rule.
Row 3: none, FTP Server, FTP, (action icon), Any, QoS Example rule.]

If the Uplink is only used by the data packets of these two servers, each connection receives one half of the bandwidth (1 MBit/s) in the worst case. The High Priority setting only becomes relevant if a third data connection is established. All connections with a lower priority (Allow or Allow (low priority)) will be treated with a lower ranking.

Additional Functions and Settings

Internet-wide Broadcast

In order to drop IP broadcast packets, first define the broadcast address in the Definitions/Networks menu in the form of a new network. Next, install the appropriate packet filter rule and activate it.

1. Under Definitions, open the Networks menu and define the following network:

   Name: Broadcast32
   Type: Host
   IP Address: 255.255…
306. …ws you to forward log messages from the security system to other hosts. This is especially useful for networks using a log host to collect logging information from a number of different hosts. By default, this function is disabled. A Logging Daemon compatible with the Syslog protocol must be running on the selected host.

[Screenshot: Remote Syslog Server window with the fields Status, Host (Please select), Service (Syslog) and Logs (Available: Accounting data, Admin notification; selected: empty list).]

Attention:
In the System/Remote Syslog Server menu, do not select one of the security system's interfaces (such as eth0) as the destination address (host).

Host: Enter the host which should receive logging information in the drop-down menu. When a host has been selected, log forwarding is enabled immediately; no further messages are displayed.

In order to select a logging host (i.e. a network with netmask 255.255.255.255), you will first have to define it in the Definitions/Networks menu. The definition of networks is covered in greater detail in chapter 5.2 on page 103.

Service: The Syslog protocol is set by default. You can also use this drop-down menu to configure the service (port) that should be used on the remote server.

Logs: This selection field allows you to select log files that should be delivered to the Remote Host.

5.1.7 User Authentication

The security system supports User A…
307. …y defined network mask for this interface, use the drop-down menu to select Static and enter the netmask to use in the entry field. If you wish to have a netmask dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu.

Default Gateway: If you wish to use a statically defined default gateway, use the drop-down menu to select Static and enter the address of the gateway in the entry field. If you wish to have a gateway dynamically assigned via DHCP, select Assign by DHCP from the drop-down menu. Otherwise, select None.

SSID: Enter the network name for the wireless network here. If you wish to establish a connection with an already existing Wireless LAN, you must enter the existing network name.

Use WEP: If you wish to use WEP encryption on the wireless LAN, select Yes from the drop-down menu.

Security Note:
You should always use WEP encryption, as an unencrypted network presents a serious threat to network security.

If you select No from the drop-down menu, the WEP-specific configuration options will be ignored by the system.

WEP Authentication: If you wish to enable WEP authentication, select Yes from the drop-down menu. All nodes on the wireless network must be configured with the correct WEP Key.

Require WEP: If you do not wish to allow nodes not supporting WEP onto the wireless network, choose Yes here.

WEP Key: Enter the WEP key to use in the WEP Key 0 through 3 entr…
308. …y fields. In order to use WEP encryption, you will need at least one WEP key; up to four can be used.

For a 40-bit key, enter a string with 5 hexadecimal digits separated by colons. In order to use a 104-bit key, enter a string of 13 hexadecimal digits separated by colons. The string must consist of hexadecimal digits. Please note that a hexadecimal number is two characters, each either a number (0-9) or a letter (A-F).

Example of a 40-bit key: 17:A5:6B:45:23

Default WEP Key: Use the drop-down menu to choose one of the defined WEP Keys 0-3 which should be used as the default key. This key will be used as the current key, which all the other nodes must use to access the wireless network.

7. Confirm these settings by clicking Add.

   The system will now check the address and netmask for semantic validity. After a successful check, the new interface will appear in the Current Interface Status table. The interface is not yet enabled (status light is red).

8. Enable the interface by clicking the status light.

   The interface is now enabled (status light shows green). The Oper column will at first show that the interface is Down; the system requires a short time to configure and load the settings. When the message Up appears, the interface is fully operational.

5.3.2.4 Virtual LAN

[Screenshot: Virtual LAN interface entry window with a Type field.]

Virtual LAN (VLAN) technology allows a network to be segreg…
309. …your own IPS rules to the set of rules. The rules are based on the syntax of the Snort Open Source ID System. Manually configured IPS rules are always locally imported to an IPS set of rules. For more information please see the following Internet address: http://www.snort.org

1. Under the Intrusion Protection tab, open the Rules menu.
2. Click on the button.
   The entry window will open.
3. Make the following settings:

   [Screenshot: Intrusion Protection Rules menu (1968 rules) with the fields Description (example), Selector (icmp $EXTERNAL_NET any -> $HOME_NET any) and Filter (dsize: >800;), the button Add local Rule and the hint "Local rules will be added to the local group". The group table below lists the group attack responses with the info "Recognition of successful attacks".]

   Description: Enter a description of the rule in the entry field. Example: Large ICMP packet

   Selector: Enter the selection parameters for the IPS rule in the Snort syntax in the entry field. Example: icmp $EXTERNAL_NET any -> $HOME_NET any

   Filter: Enter the real identification parameter for the IPS rule in Snort syntax in the entry field. Please make sure that the entry ends with a ; sign. Example: dsize: >800;

4. Save your configuration by clicking Add local Rule.

   The new IPS rule is always locally imported to an IPS set of rules. The rule is immediately enabled (status light shows green).
310. your security system here.

Protocol: Choose RADIUS.

IP Address of the Client: Enter the internal IP address of the security system.

Client Vendor: Choose RADIUS Standard.

Shared Secret: Enter a password here. You will need this password again when configuring the RADIUS server with WebAdmin.

A Security Note: For the Shared Secret only passwords consisting of alphanumeric, minus (-) and period (.) characters are allowed. Other characters (for example _) are not allowed.

Now open the RAS rules menu. A standard rule is listed here. If you intend to use IAS only with the security system, you can delete this entry.

For every proxy, enter a rule. Choose a descriptive name, such as HTTP access. Add two conditions:

1. Condition 1: The NAS Identifier field must correspond to a string from the following table:

   Proxy              NAS Identifier
   HTTP               http
   L2TP over IPSec    l2tp
   PPTP               pptp
   SOCKS              socks
   SMTP               smtp
   WebAdmin Access    webadmin
   Surf Protection    (profile name)

2. Condition 2: The Windows group of the user must match the group established in step 2.

Access is granted only when both conditions are met.

Edit the profile so that no unencrypted connection is allowed by disabling the No Encryption function in the Encryption register.

Edit the profile for the rule so that unencrypted authentication (PAP) is allowed. Leave the other values
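The two-condition policy above is worth testing before it is relied on, because a rule that checks only the NAS Identifier would let any authenticated Windows user through every proxy. The following is an added example, not code from the manual, from IAS or from the product: it encodes the NAS Identifier table, the shared-secret character rule, and a rule evaluator that grants access only when both conditions hold. The rule set, the Access-Request summaries and the first-match ordering are this example's own constructions.

```python
import re
from typing import Dict, List, Optional

# The manual permits only alphanumeric characters, minus and period in the shared secret.
_SHARED_SECRET = re.compile(r"^[A-Za-z0-9.-]+$")


def shared_secret_allowed(secret: str) -> bool:
    """True when the secret uses only the characters the IAS client configuration accepts."""
    return bool(_SHARED_SECRET.match(secret))


# NAS Identifier strings from the manual's table, keyed by the proxy a rule protects.
NAS_IDENTIFIERS = {
    "HTTP": "http",
    "L2TP over IPSec": "l2tp",
    "PPTP": "pptp",
    "SOCKS": "socks",
    "SMTP": "smtp",
    "WebAdmin Access": "webadmin",
}


def nas_identifier_for(service: str, profile_name: Optional[str] = None) -> str:
    """Surf Protection sends its profile name as NAS Identifier; the others are fixed strings."""
    if service == "Surf Protection":
        if not profile_name:
            raise ValueError("Surf Protection rules need the profile name")
        return profile_name
    return NAS_IDENTIFIERS[service]


class RemoteAccessRule:
    """One RAS rule: NAS Identifier (condition 1) AND Windows group (condition 2)."""

    def __init__(self, name: str, service: str, windows_group: str,
                 profile_name: Optional[str] = None):
        self.name = name
        self.nas_identifier = nas_identifier_for(service, profile_name)
        self.windows_group = windows_group

    def matches(self, request: Dict) -> bool:
        nas_ok = request.get("nas_identifier") == self.nas_identifier   # condition 1
        group_ok = self.windows_group in request.get("groups", [])      # condition 2
        return nas_ok and group_ok


def access_granted(rules: List[RemoteAccessRule], request: Dict) -> Optional[str]:
    """Name of the first rule that grants access, or None when every rule rejects.

    First-match ordering is this evaluator's simplification; the point is that a
    request must satisfy both conditions of one rule to be accepted.
    """
    for rule in rules:
        if rule.matches(request):
            return rule.name
    return None


# Constructed rules and constructed Access-Request summaries.
RULES = [
    RemoteAccessRule("HTTP access", "HTTP", "Web Users"),
    RemoteAccessRule("SMTP access", "SMTP", "Mail Users"),
    RemoteAccessRule("Surf profile staff", "Surf Protection", "Staff", profile_name="staff"),
]

REQUESTS = [
    {"user": "alice", "nas_identifier": "http", "groups": ["Web Users", "Domain Users"]},
    {"user": "bob", "nas_identifier": "http", "groups": ["Domain Users"]},   # wrong group
    {"user": "alice", "nas_identifier": "smtp", "groups": ["Web Users"]},    # wrong proxy
    {"user": "carol", "nas_identifier": "staff", "groups": ["Staff"]},
]


def evaluate_all(rules=RULES, requests=REQUESTS) -> List[Optional[str]]:
    """Evaluate every constructed request against the rule set."""
    return [access_granted(rules, r) for r in requests]


if __name__ == "__main__":
    print("secret ok:", shared_secret_allowed("r4dius.secret-01"),
          shared_secret_allowed("bad_secret"))
    for req, result in zip(REQUESTS, evaluate_all()):
        print(req["user"], req["nas_identifier"], "->", result or "rejected")
```

Bob is rejected although the NAS Identifier matches, and Alice's SMTP attempt is rejected although she is in a group that another rule accepts; those are the two cases that a single-condition rule would wrongly admit.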
311. ystem. Reboot the security system by pressing Ctrl+Alt+Del or the Reset button.

During the boot process, the IP addresses of the internal network cards are changed. The Install Routine console (Alt+F1) may display the message No IP on eth0 during this time.

After the security system has rebooted (a process which, depending on hardware, can take up to five minutes), ping the IP address of the eth0 interface to ensure it is reachable.

If no connection is possible, please check for the following possible problems:

Error: The security system is not reachable from the internal network.

Possible Causes:
- The IP Address of the security system is incorrect
- The IP Address of the client computer is incorrect
- The Default Gateway on the client is incorrect
- The network cable is connected to the wrong network card
- All network cards are connected to the same hub

Note: If you connect to the Internet through a DSL connection, please read the installation instructions at docs.astaro.org.

Installation

3.2.2 Configuring the Security System

The rest of the configuration will use the WebAdmin interface, accessed through a standard web browser (e.g. MS Internet Explorer) from your administration PC.

1. Start your browser and open WebAdmin. Before you can access the WebAdmin interface, you must make sure that your browser is configured correctly. Please see chapter 5.6.1 on page 210 for more details. Once your browser
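The reachability check after the reboot, together with the first three causes in the list (wrong system address, wrong client address, wrong client gateway), can be scripted so that the addressing is verified before anyone starts swapping cables. The following is an added example for this page, not a tool shipped with the product: it checks the client and security-system addressing for consistency and then polls the eth0 address for up to the five minutes the manual allows for a reboot. It assumes that the client's default gateway should be the security system's internal address (the usual layout, but this example's assumption), uses Linux ping flags, and the addresses in the main block are constructed.

```python
import ipaddress
import subprocess
import time
from typing import Callable, List


def diagnose_addressing(system_ip: str, system_prefix: int,
                        client_ip: str, client_prefix: int,
                        client_gateway: str) -> List[str]:
    """Check the addressing-related causes from the manual's list.

    Returns a list of findings; an empty list means the addressing is consistent.
    The expectation that the client's gateway is the security system's eth0
    address is this example's assumption.
    """
    findings = []
    system = ipaddress.ip_interface(f"{system_ip}/{system_prefix}")
    client = ipaddress.ip_interface(f"{client_ip}/{client_prefix}")
    gateway = ipaddress.ip_address(client_gateway)
    if system.ip == client.ip:
        findings.append("client and security system use the same IP address")
    if system.network != client.network:
        findings.append("client and security system are not on the same subnet: "
                        "check the IP address/netmask of the security system and of the client")
    if gateway not in client.network:
        findings.append("the client's default gateway lies outside the client's subnet")
    elif gateway != system.ip:
        findings.append("the client's default gateway is not the security system's internal address")
    return findings


def ping_reachable(ip: str) -> bool:
    """One ICMP echo request with a 2 s wait (Linux ping flags; adjust for other platforms)."""
    result = subprocess.run(["ping", "-c", "1", "-W", "2", ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def wait_until_reachable(ip: str, timeout: float = 300.0, interval: float = 10.0,
                         probe: Callable[[str], bool] = ping_reachable,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic) -> bool:
    """Retry the probe until it succeeds or the timeout expires.

    The default timeout is the five-minute upper bound the manual gives for a
    reboot. probe, sleep and clock are injectable so the loop can be exercised
    without a network.
    """
    deadline = clock() + timeout
    while True:
        if probe(ip):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    # Constructed addresses: the security system's eth0 and an administration PC.
    system_eth0 = "192.168.2.100"
    print(diagnose_addressing(system_eth0, 24, "192.168.2.10", 24, system_eth0)
          or "addressing consistent")
    print(diagnose_addressing(system_eth0, 24, "192.168.3.10", 24, "192.168.3.1"))
    print("reachable:", wait_until_reachable(system_eth0, timeout=30, interval=5))
```

Run the addressing check first: if it reports findings, pinging will not succeed whatever the cabling, and the remaining causes on the manual's list (wrong network card, everything on one hub) are only worth investigating once the addresses agree.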
    