SnapGear 2.0.1 manual

Table of contents for the manual

  • Page 1

    CyberGuard SG Firewall VPN Appliance User Manual Revision 2.0.1 June 7, 2004 CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@snapgear.com Web: www.cyberguard.com[...]

  • Page 2

    Contents 1. Introduction ............................................................................................... 1 CyberGuard SG Gateway Appliances ................................................................... 1 CyberGuard SG PCI Appliances ........................................................................... 2 Document [...]

  • Page 3

    4. Dialin Setup ............................................................................................. 52 Dialin Setup ......................................................................................................... 53 Dialin User Accounts ........................................................................................... 55[...]

  • Page 4

    10. System ................................................................................................... 159 Date and Time ................................................................................................... 159 Users ...............................................................................................................[...]

  • Page 5

    Introduction 1 1. Introduction This chapter provides an overview of your CyberGuard SG appliance's features and capabilities, and explains how to install and configure your CyberGuard SG appliance. This manual describes how to take advantage of the features of your CyberGuard SG appliance, including setting up network connections, a [...]

  • Page 6

    Introduction 2 The following figure shows how your CyberGuard SG appliance interconnects. Figure 1-1 CyberGuard SG PCI Appliances The CyberGuard SG PCI appliance (SG630, SG635) is a hardware-based firewall and VPN server embedded in a 10/100 Ethernet PCI network interface card (NIC). It is installed into the host PC like a regular NIC, [...]

  • Page 7

    Introduction 3 This approach offers an increased measure of protection against internal threats as well as conventional Internet security concerns. You can update, configure and monitor the firewall and VPN connectivity of a workstation or server from any web browser. In the event of a breach, you have complete control over individual PCs[...]

  • Page 8

    Introduction 4 Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights important issues. Bold text in procedures indicates text that you type, or the name of a screen object (e.g. a menu or button).[...]

  • Page 9

    Introduction 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appliances include: • SG300 • SG530 • SG550 • SG570 • SG575 The following items are included with your CyberGuard SG gateway appliance: • Power adaptor • Installation CD • Printed Quick Install guide • Cabling including o 1 normal straight through UT[...]

  • Page 10

    Introduction 6 Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model. Label Activity Description Power On Power is supplied to the CyberGuard SG appliance Flashing The CyberGuard SG appliance is operating correctly Heart Beat On If this LED is on and not flashing[...]

  • Page 11

    Introduction 7 CyberGuard SG Gateway Appliance Features Internet link features • 10/100baseT Ethernet port (Internet/WAN) • Serial port • Front panel serial status LEDs (for TX/RX) • Online status LEDs (for Internet/VPN) • Rear panel Ethernet link and activity status LEDs LAN link features • 10/100BaseT LAN port • 10/100Base[...]

  • Page 12

    Introduction 8 Your CyberGuard SG PCI Appliance CyberGuard SG PCI appliances include: • PCI630 • PCI635 The following items are included with your CyberGuard SG PCI appliance: • Installation CD • Printed Quick Install guide LEDs The rear panel contains LEDs indicating status. The two LEDs closest to the network port are network ac[...]

  • Page 13

    Introduction 9 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT Ethernet port • Ethernet LEDs (link, activity) Environmental features • Status LEDs: Power, Heart Beat • Operating temperature between 0°C and 40°C • Storage temperature between -20°C and 70°C • Humidity between 0 to 95% (non-conden[...]

  • Page 14

    Getting Started 10 2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network and connecting to the Internet. This is a slightly more detailed version of the printed Quick Install Guide that shipped with your CyberGuard SG appliance. These instructions assume you have [...]

  • Page 15

    Getting Started 11 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with initial, static IP settings of: IP address: 192.168.0.1 Subnet mask: 255.255.255.0 Note The Internet/WAN and DMZ interfaces are by default inactive, i.e. there are no network services such as DHCP[...]

  • Page 16

    Getting Started 12 Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect the CyberGuard SG appliance's LAN Ethernet port directly to your PC's network interface card using the crossover cable (red or gray). If you are using the SG300 model, connect your PC[...]

  • Page 17

    Getting Started 13 Next, you must modify your PC's network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Settings -> Control Panel and double click Network Connections (or in 95/98/Me, double click Network). Right click on Local Area Connection and select Properties. Note If there is more[...]

  • Page 18

    Getting Started 14 Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Default gateway: 192.168.0.1 Select Use the following DNS server addresses and enter: Preferred DNS server: 192.168.0.1 Note If you wish to retain your existing IP settings for this networ[...]

  • Page 19

    Getting Started 15 Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance: User name: root Password: default Note If you are unable to connect to the Management Console at 192.168.0.1, or the initial username and password are not accep[...]

  • Page 20

    Getting Started 16 The Quick Setup Wizard will display. Figure 2-3 Hostname: You may change the name the CyberGuard SG appliance knows itself by. This is not generally necessary. Manual configuration: Select this to manually specify your CyberGuard SG appliance's LAN connection settings. Skip: LAN already configured: Select this if yo[...]

  • Page 21

    Getting Started 17 Figure 2-4 Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step. Enter an IP address and Subnet mask for your CyberGuard SG appliance's LAN connection. You may choose to use the CyberGuard SG appliance's initial network settings if you are sure no other PC o[...]

  • Page 22

    Getting Started 18 Set up Internet Connection Settings Select your Internet connection type and click Next. Figure 2-5 Cable modem If connecting using a cable modem, select the appropriate ISP. Choose Generic cable modem provider if unsure. Analog modem If connecting using a regular analog modem, enter the details provided by your ISP. [...]

  • Page 23

    Getting Started 19 Note For detailed help for each of these options, please refer to the chapter entitled Network Connections. Once the CyberGuard SG appliance's Internet connection has been set up, click Next, select Reboot and click Next again. Set up the PCs on your LAN to Access the Internet Note If you have changed the CyberG[...]

  • Page 24

    Getting Started 20 LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG appliance's LAN connection. If you chose to set the CyberGuard SG appliance's LAN connection settings using Manual configuration, you may simply remove this address from the pool of a[...]

  • Page 25

    Getting Started 21 To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connections (or in 95/98/Me, double click Network). If presented with multiple connections, right click on Local Area Connection (or appropriate network connection) and select Properties. Selec[...]

  • Page 26

    Getting Started 22 Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser) and navigate to the IP address of the CyberGuard SG appliance's LAN connection. The Web Management Console will display. Select DHCP Server from the Networking menu. Click Add Server an[...]

  • Page 27

    Getting Started 23 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries) and click Properties (in 95/98/Me, you may also have to click the IP Address tab). Figure 2-6 Check Obtain an IP address automatically, check Obtain DNS server address automatical[...]

  • Page 28

    Getting Started 24 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Select an unused PCI slot and insert the CyberGuard SG appliance, then power on your PC. Install the Network Driver on your PC The CyberGuard SG appliance will be automatically detected and have t[...]

  • Page 29

    Getting Started 25 Next, you must modify your PC's network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select[...]

  • Page 30

    Getting Started 26 Set up the Password and Network Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.168.0.1. Figure 2-8 The Web Management Console will display. Select Network Setup under Networking in the left hand menu. You will be prompted to log in. Enter the initial user name and passwor[...]

  • Page 31

    Getting Started 27 Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally be a free IP address on your LAN. The Network Setup Connections page will display. Locate the Bridge / br0 port and select Edit current settings under Configuration. If your LAN has an act[...]

  • Page 32

    Getting Started 28 The first IP address will be used by the Web Management Console. Figure 2-9 Enter this IP address and the subnet mask for your LAN into the IP Address / Netmask fields on the Web Management Console's Bridge IP Configuration page. Ensure DHCP assigned is unchecked. You may also enter one or more DNS Server(s) to be[...]

  • Page 33

    Getting Started 29 Figure 2-10 Enter the following details: • IP address is the second free IP address that is part of the subnet range of your LAN. • Subnet mask is the subnet mask of your LAN. • Default gateway is the IP address of your LAN's default gateway. • Preferred DNS server is the IP address of the DNS server used by PCs[...]

  • Page 34

    Getting Started 30 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has two free leases. One will be used for the Web Management Console, the other for your PC. Note It is highly recommended that you reserve the IP address to be used by the Web Management Consol[...]

  • Page 35

    Getting Started 31 Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties. Sele[...]

  • Page 36

    Getting Started 32 Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear panel Reset button enabled. This allows the CyberGuard SG appliance's configuration to be reset to factory defaults. From a network security standpoint, it may be desirable to disable the Re[...]

  • Page 37

    Network Connections 33 3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure each of your CyberGuard SG appliance's network ports (Ethernet, serial). Network ports may be configured for Internet connection, LAN connection, DMZ connection, remote dialin access or In[...]

  • Page 38

    Network Connections 34 LAN Unlike Internet, DMZ or COM1 ports, the LAN network port has only one configurable function, to connect to your local area network. Network settings for the LAN network port may be assigned statically, or dynamically by a DHCP server. Select Edit current settings to continue. To assign network settings stat[...]

  • Page 39

    Network Connections 35 • It allows users to transmit IPX/SPX over a VPN, something that is not supported by other VPN vendors. • It allows users to transmit DHCP to remote sites; this ensures that they are under better control. • It allows users to make use of protocols that do not work well in a WAN environment (e.g. netbios). The [...]

  • Page 40

    Network Connections 36 CyberGuard SG PCI appliances can also connect to the Internet in this manner, but generally will be connecting directly to a LAN by selecting either Direct Internet or Bridged Internet. Physically connect modem device The first step in connecting your office network to the Internet is to physically attach your Cybe[...]

  • Page 41

    Network Connections 37 Use PPPoE if your ISP uses username and password authentication to access the Internet. Use DHCP if your ISP does not require a username and password, or your ISP instructed you to obtain an IP address dynamically. If your ISP has given you an IP address or address range, you must Manually Assign Settings. For PP[...]

  • Page 42

    Network Connections 38 Figure 3-4 To manually configure your Internet network settings, enter the IP Address, Netmask, Internet Gateway and DNS Server(s) supplied by your ISP. If you have been given a range of IP addresses, they may be added as Interface Aliases. For details, see the Advanced section later in this chapter. Reboot you[...]

  • Page 43

    Network Connections 39 When the CyberGuard SG appliance is in bridged mode, it will not be performing NAT/masquerading. PCs will typically use an IP address on the network connected to the CyberGuard SG appliance's Internet port as their gateway, rather than the CyberGuard SG appliance itself. Failover Direct/Cable/ADSL Internet Refer [...]

  • Page 44

    Network Connections 40 Figure 3-5 The following table describes the fields and explains how to configure the dial up connection to your ISP. Field Description Name of Internet provider Enter the name of your ISP. Phone number(s) to dial Enter the number to dial to reach your ISP. If you are behind a PABX that requires you to dial a prefix[...]

  • Page 45

    Network Connections 41 Statically assigned IP address The majority of ISPs dynamically assign an IP address to your connection when you dialin. However some ISPs use pre-assigned static addresses. If your ISP has given you a static IP address, enter it in Local IP Address and enter the address of the ISP gateway in Remote IP Address.[...]

  • Page 46

    Network Connections 42 Services on the DMZ Network Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appliance to allow access to services on the DMZ. There are two methods of allowing access. If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allo[...]

  • Page 47

    Network Connections 43 DMZ as a backup/failover Internet connection See the Internet Failover section later in this chapter. Load Balancing If you have enabled both the Internet and DMZ ports as primary Internet connections, enabling load balancing will share Internet traffic load over the two connections. To enable load balancing, check [...]

  • Page 48

    Network Connections 44 Enable the primary connection for failover Set up your primary broadband Internet connection as described in the Internet section of this chapter. From the Connections menu, select Edit failover parameters from the Configuration pull down box. The CyberGuard SG appliance determines whether an Internet connectio[...]

  • Page 49

    Network Connections 45 Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Internet connection has been configured. Refer to Enable the primary connection for failover above for details on enabling your primary broadband Internet connection for failover. Figure 3-7 [...]

  • Page 50

    Network Connections 46 Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatically by the CyberGuard SG appliance configuration scripts. Route management Your CyberGuard SG appliance can be configured t[...]

  • Page 51

    Network Connections 47 Advanced The following figure shows the advanced IP configuration: Figure 3-8 Hostname The Hostname is a descriptive name for the CyberGuard SG appliance on the network. DNS Proxy The CyberGuard SG appliance can also be configured to run as a Domain Name Server. The CyberGuard SG appliance acts as a DNS Proxy an[...]

  • Page 52

    Network Connections 48 Figure 3-9 Network Address Translation (NAT/masquerading) The CyberGuard SG appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT) where PCs on the local network effectively share a single external IP address. Masquerading allows insiders to get out, without allowing outsider[...]

  • Page 53

    Network Connections 49 Dynamic DNS A dynamic DNS service is useful when you don't have a static Internet IP address, but need to remain contactable by hosts on the Internet. Dynamic DNS service providers such as TZO.com and dyndns.org can register an Internet domain name that will point to your Internet IP address no matter how often[...]

  • Page 54

    Network Connections 50 Figure 3-10 Interface aliases Interface aliases allow the CyberGuard SG appliance to respond to multiple IP addresses on its LAN, Internet and DMZ ports. For Internet and DMZ aliased ports, you must also set up appropriate Packet Filtering and/or Port forwarding rules to allow traffic on these ports to be passed [...]

  • Page 55

    Network Connections 51 Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed. However, you ma[...]

  • Page 56

    Dialin Setup 52 4. Dialin Setup The CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up the dialin features. Your CyberGuard SG appliance can be configured to receive dialin calls from remote users/sites. Remote users are individual users (e.g. telecommuters) who connect direct[...]

  • Page 57

    Dialin Setup 53 Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance's COM port or internal modem for dialin. Under Networking, select Network Setup. From the Connections menu, locate the COM port or Modem on which you want to enable dialin, and select Change to Dialin Access from th[...]

  • Page 58

    Dialin Setup 54 The following table describes the fields on the Dial-In Setup page: Field Description IP Address for Dialin clients Dialin users must be assigned local IP addresses to access the local network. Specify a free IP address from your local network that the connected dial-up client will use when connecting to the CyberGuard SG a[...]

  • Page 59

    Dialin Setup 55 Dialin User Accounts User accounts must be set up before remote users can dial into the CyberGuard SG appliance. The following figure shows the Dialin user account creation: Figure 4-2 The field options in Add New Account are shown in the following table: Field Description Username Username for dialin authentication only. T[...]

  • Page 60

    Dialin Setup 56 The following figure shows the user maintenance screen: Figure 4-3 Account list As new dialin user accounts are added, they are displayed on the updated Account List. To modify a password for an existing account, select the account in the Account List and enter the new password in the New Password and Confirm fields. Cli[...]

  • Page 61

    Dialin Setup 57 If the change is unsuccessful, an error is reported as shown in the following figure: Figure 4-3 When you have finished adding and modifying user account details, you can configure other CyberGuard SG appliance functions by selecting the appropriate item from the Network or System menus. You can also apply packet filterin[...]

  • Page 62

    Dialin Setup 58 Remote User Configuration Remote users can dial in to the CyberGuard SG appliance using the standard Windows Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the CyberGuard SG appliance COM port. After the dialin is connected, users can access [...]

  • Page 63

    Dialin Setup 59 Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP-2 authentication, you also need to check the Require encrypted password checkbox. Leave all other Advanced Options unchecked. Select the TCP/IP network protocols from the Allowed network pro[...]

  • Page 64

    Dialin Setup 60 Windows 2000/XP To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Connections and select Make New Connection. The network connection wizard will guide you through setting up a remote access connection: Figure 4-5 Click Next to continue. Figure 4-6 Select Dia[...]

  • Page 65

    Dialin Setup 61 Figure 4-7 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Click Next to continue. Figure 4-8 Select the option Only for myself to make the connection only available for you. This is a security feature that will not[...]

  • Page 66

    62 Figure 4-9 Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for the remote connection will appear on the desktop. To launch the new connection, double-click on the new icon on the desktop, and the remote access login screen will appear as in the next fig[...]

  • Page 67

    DHCP Server 63 5. DHCP Server Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard SG appliance as a DHCP server, you must set a static IP address and netmask on the LAN or DMZ port (see the chapter entitled Network Connections). DHCP Server Configuration The DHCP ser[...]

  • Page 68

    DHCP Server 64 To configure the DHCP Server, follow these instructions. • Check the Enable DHCP Server checkbox. • Enter the Subnet and netmask of the IP addresses to be distributed. • Enter the Gateway Address that the DHCP clients will be issued with. If this field is left blank, the CyberGuard SG appliance's IP address wil[...]

  • Page 69

    DHCP Server 65 Subnet List The Subnet List will display the status of the DHCP server. Interface Once a subnet has been configured, the port which the IP addresses will be issued from will be shown in the Interface field. Subnet The value shown in this field is the subnet which the distributed IP addresses will use. Free Addresses Th[...]

  • Page 70

    DHCP Server 66 Figure 5-3 For each IP address that the DHCP server services, the Status, Hostname and MAC Address will be shown. There is also an option to Remove the address and, for reserved IP addresses, the added option to Unreserve the address. Unreserving the address will allow it to be handed out to any host. The Status field wi[...]

  • Page 71

    67 DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would. To enable this feature, specify the server which is to receive the forwarded requests in Re[...]

  • Page 72

    Firewall 68 6. Firewall The CyberGua rd SG applianc e has a fully featured , stateful firewall . The firewall all ows you to control both incoming an d outgoing ac cess, so that PCs on the office net work can have tailored Internet access facilities and are s hielded from malici ous attacks. The firewall filters packets at th e network layer, dete [...]

  • Page 73

    Firewall 69 Administration services The following figure shows the A dministration Servic es page: Figure 6-1 By default the CyberGuard SG appl iance runs a web administration server and a teln et service. Acce ss to these services can be restricted to specific int erfaces. For example , you may want to restrict acce ss to the Web Manage ment Conso[...]

  • Page 74

    Firewall 70 CyberGuard SG Administrative Web Server Clicking t he CyberGuard SG W eb Server tab ta kes you to the p age to configure the administrative we b server. This web server is resp onsible for running the Web Management Console. Here you can c hange the port on which the server ru ns. Additional ly, the SG550, SG570 and SG575 mode ls suppor[...]

  • Page 75

    Firewall 71 The Web Management Console is usually accessed on the default HTT P port (i.e. 80). After changing the web server po rt number, you mus t include the new port number in th e URL to acces s the pages. Fo r example, if you ch ange the web ad ministration to p ort number 88, the URL to access the web administratio n will be similar to : ht[...]

  • Page 76

    Firewall 72 Once valid SSL certificates have been uploaded, th e CyberGuard SG a dministrative web server can op erate in one of on e of 3 different mode s. • B oth normal and SSL web access (bo th HTTP/HTTPS) • Di sable normal acc ess (HTTPS only) • Di sable SSL acc ess (HTTP only) To access the Web Management C onsole admini strative web pa[...]

  • Page 77

Packet Filtering

By default, your CyberGuard SG appliance allows network traffic as shown in the following table:

You can configure your CyberGuard SG appliance with additional filter rules to allow or restrict network traffic. These rules can match traffic based on the source and destination address, the incoming and outgo[...]

Before configuring a filter or NAT rule, you need to define the addresses and service groups.

Addresses

Click the Addresses tab. Any addresses that have already been defined will be displayed. Click New to add a new address, or select an existing address and click Modify. There is no need to add addresses for the CyberGuard S[...]

Service groups

Click the Service Groups tab. Any addresses that have already been defined will be displayed. Click New to add a new service group, or select an existing address and click Modify. Adding or modifying a service group is shown in the following figure:

Figure 6-5

A service group can be used to group together si[...]

Rules

Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined will be displayed. Click New to add a new filter rule, or select an existing filter and click Modify.

Note
The first matching rule will determine the action for the network traffic, so t[...]

The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interface is the interface/network port that the CyberGuard SG appliance will route the network traffic out. None will match network traffic that is destined for the CyberGuard SG appliance itse[...]

Source Address: The address from which the request originated (for port forwarding you may specify this to restrict the internal service to be only accessible from a specific remote location)
Destination Address: The destination address of the request; this is the address that will be altered
Destination Services: The destin[...]

Source Address: The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address)
Outgoing Interface: The interface that receives the request (for masquerading this will typically be a private interface, i.e. LAN or DMZ)
Destination Address: The destination address of the reque[...]

Warning
Leaving Create a corresponding ACCEPT firewall rule will allow all traffic into and out from the specified private address, i.e. the private address will no longer be shielded by your CyberGuard SG appliance’s firewall. Otherwise, manually create filter rules through Rules.

Rules

The Rules configuration page allo[...]

Access Control and Content Filtering

Inappropriate Internet use during work hours can have a serious effect on productivity. With the CyberGuard SG Access Control web proxy, you can control access to the Internet based on the type of web content being accessed (Content), and which user or workstation is accessing the Interne[...]

Users without web proxy access will see a screen similar to the figure below when attempting to access external web content.

Figure 6-8

Note
Each browser on the LAN will now have to be set up to use the CyberGuard SG appliance’s web proxy.[...]

Browser setup

The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar; refer to their user documentation for details on using a web proxy. From the Internet Options menu, select Tools. From the LAN Settings tab, select LAN Settings.

Figure 6-9

Check Use a proxy server for your [...]

Figure 6-10

In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance’s LAN IP address. Click OK, OK and OK again.

IP lists

Internet access may be B[...]

Web lists

Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any URL containing xxx, including http://xxx.example.com or www.test.com/xxx/index.html. The Allow List also enables access to URLs containing the specified text.

Figure 6-11[...]

Content

Note
Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filtering license (sold separately) through www.cyberguard.com/snapgear/my/.

Content filtering allows you to limit the types of web based content accessed. Check Enable Content Filtering enter[...]

Reports

Warning
The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do this is by using an NTP time server. See the Time and Date section in the chapter entitled Advanced for details.

Blocked requests are submitted to the central content filtering server. The user [...]

ZoneAlarm

This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Running personal firewall software on each PC offers an extra layer of protection from application level, operating system specific exploits and malware that abound on the Internet.[...]

7. Intrusion Detection

Note
Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Intrusion Detection and Blocking only.

The CyberGuard SG appliance provides two intrusion detection systems (IDS). The lightweight and simple to configure Basic Intrusion Detection and Blocking, a[...]

The benefits of using an IDS

External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking software and applications compromise many systems through the Internet. Generally[...]

Basic Intrusion Detection and Blocking

The following figure shows the Intrusion Detection and Blocking (IDB) configuration:

Figure 7-1

IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a s[...]

Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The standard option extends this coverage by introducing additional monitored ports for ea[...]
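The IDB behaviour described above, as an added, constructed model (not CyberGuard's implementation): the monitored ports act as decoys, and a remote host that connects to them is logged and then blocked. The port list, the trigger count and the block duration are assumed parameters, since the manual's own values are not on this page.

```python
"""Toy model of Basic Intrusion Detection and Blocking (IDB): a set of
monitored ports acts as decoys, and a remote host that attempts connections
to them is blocked. Constructed example, not CyberGuard code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Decoy ports. The manual's "basic" shortcut installs a bare-bones list whose
# contents are not on this page, so this selection is constructed for the demo.
BASIC_PORTS: Set[int] = {21, 23, 111, 135, 139, 445}


@dataclass
class IdbMonitor:
    monitored_ports: Set[int]
    trigger_count: int = 1        # probes before a source is blocked (assumed tunable)
    block_seconds: int = 3600     # how long the block lasts (assumed)
    attempts: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def is_blocked(self, src: str, now: int) -> bool:
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:            # block has expired; forget the host
            del self.blocked_until[src]
            self.attempts.pop(src, None)
            return False
        return True

    def observe(self, now: int, src: str, dport: int) -> bool:
        """Handle one inbound TCP connection attempt. Returns True if dropped."""
        if self.is_blocked(src, now):
            self.log.append(f"{now} IDB: dropped {src}->{dport} (source blocked)")
            return True
        if dport not in self.monitored_ports:
            return False            # not a decoy port; the filter rules decide
        self.attempts[src] = self.attempts.get(src, 0) + 1
        self.log.append(f"{now} IDB: {src} connected to monitored port {dport} "
                        f"(attempt {self.attempts[src]})")
        if self.attempts[src] >= self.trigger_count:
            self.blocked_until[src] = now + self.block_seconds
            self.log.append(f"{now} IDB: blocking {src} for {self.block_seconds}s")
            return True
        return False


# Constructed connection log: (time in seconds, source address, destination port).
# 198.51.100.7 scans decoy ports; 203.0.113.9 only talks to the web server.
SAMPLE_EVENTS: List[Tuple[int, str, int]] = [
    (100, "203.0.113.9", 80),
    (101, "198.51.100.7", 80),
    (102, "198.51.100.7", 21),
    (103, "198.51.100.7", 23),
    (104, "198.51.100.7", 443),     # dropped: already blocked, even to a real service
    (105, "203.0.113.9", 443),
    (3800, "198.51.100.7", 80),     # block expired: passes again
]


def run(events=SAMPLE_EVENTS, trigger_count: int = 2) -> Dict[str, int]:
    """Replay the events; return how many packets were dropped per source."""
    idb = IdbMonitor(BASIC_PORTS, trigger_count=trigger_count)
    dropped: Dict[str, int] = {}
    for now, src, dport in events:
        if idb.observe(now, src, dport):
            dropped[src] = dropped.get(src, 0) + 1
    for line in idb.log:
        print(line)
    return dropped


if __name__ == "__main__":
    print(run())
```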

Advanced Intrusion Detection

Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect attacks by matching incoming network data against defined patterns or rules. Advanced Intrusion Detection utilizes a combination of methods to perform extensive IDS analysis on the fly. The[...]

Advanced Intrusion Detection configuration

Figure 7-2

Check Enabled, and select the Interface/network port to monitor. This will typically be Internet, or possibly DMZ. Checking Use less memory will result in slower signature detection throughput, but may be necessary if your CyberGuard SG appliance is confi[...]

Note
The more rule sets that are selected, the greater the load imposed on the CyberGuard SG appliance. Therefore a conservative rather than aggressive approach to adding rule sets should be followed initially.

Figure 7-3

Check Log results to database to use a remote analysis server.

Note
If Log results to database i[...]

Setting up the analysis server

Specific open source tools are required to be installed on the Analysis server for a straightforward evaluation. The analysis server will typically be a Pentium IV level system running Linux (Red Hat, Debian, etc.) with sufficient memory and disk capacity to run a database and web[...]

PHPlot graph library for charts written in PHP: http://www.phplot.com/
ACID analysis console: http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz

Snort will be running as an IDS sensor on the CyberGuard SG appliance and logging to the MySQL database on the analysis server. The following are detailed documents that aid in ins[...]

8. Web Cache

Note
The web cache is only available on SG575 models.

Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s proxy-cache server to reduce Internet access time and bandwidth consumption. A proxy-cache server implements Internet object caching. This is a way to store requested Internet ob[...]

Web Cache Setup

Select Web cache under Networking. A page similar to the following will be displayed.

Figure 8-1

Check Enable to enable the web cache.

Cache size

Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for caching Internet objects. The maximum amount of memory you can safely reserve w[...]

Network Shares

Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additional storage space. The CyberGuard SG appliance is not equipped with a hard disk of its own, so is quite limited in terms of the amount of Internet objects it can cache. A network share [...]

Create the network share

Figure 8-2

Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate as a network share for use by the CyberGuard SG appliance’s web cache. Begin by disabling simple file sharing for this folder. From the Tools menu, sele[...]

Set the CyberGuard SG appliance to use the network share

Check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename

Figure 8-3

Enter the maximum size for the cache in Cache size.

Warning
Cache size should not be more than 90% of the space available to the network share, e.g. if you shared a d[...]

Peers

The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web caches. Web caches communicate using the Internet Cache Protocol (ICP). ICP is used to exchange hints about the existence of URLs in neighbour caches. Caches exchange ICP queries and re[...]

9. Virtual Private Networking

Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g. the Internet) and has the following key traits:

• Privacy - no one else can see what you are communicating
• Authentication - you kn[...]

Figure 9-1

PPTP Client Setup

The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). Select PPTP VPN Client from the VPN menu and create a new VPN connection by entering:

• A descriptive name for the VPN connect[...]

If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the following figure:

Figure 9-2

The CyberGuard SG appliance supports multiple VPN client connections. Additional connections can be added by following these steps. To set a VPN connection as [...]

PPTP Server Setup

The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your CyberGuard SG appliance model). The CyberGuard SG PPTP Server allows remote Windows clients to securely connect to the local network. [...]

Enable and configure the PPTP VPN server

The following figure shows the PPTP server setup:

Figure 9-3

To enable and configure your CyberGuard SG appliance’s VPN server, select PPTP VPN Server from the VPN menu on the Web Management Console web administration pages.[...]

The following table describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access.

Field: Description
Enable PPTP Server: Check this box to enable PPTP connections to be established to your CyberGuard SG appliance.
IP Addresses for the Tunnel End Points: Enter the [...]

Configuring user accounts for VPN server

After setting up the VPN server, select Continue to show the PPTP VPN Server Accounts screen as shown in the following figure:

Figure 9-4

If you selected None as the Authentication Scheme, setup is now complete. Skip ahead to Configuring the remote VPN client. Oth[...]

The field options in the Add New Account are detailed in the following table.

Field: Description
Username: Username for VPN authentication only. The name selected is case-sensitive (e.g. Jimsmith is different to jimsmith). Username can be the same as, or different to, the name set for dialin access.
Windows [...]

Configuring the remote VPN client

The remote VPN clients can now be configured to securely access the local network. You need to enter the PPTP Account username and password that you added in the previous section, and the IP address of the CyberGuard SG PPTP VPN server. The CyberGuard SG PPTP VPN server [...]

Windows 95, Windows 98 and Windows Me

From the Dial-Up Networking folder, double-click Make New Connection. Type CyberGuard SG appliance or a similar descriptive name for your new VPN connection. From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next. Enter the PPTP IP add[...]

Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK.

Figure 9-7

Your VPN client is now set up and ready to connect.

Windows 2000

Log in as Administrator[...]

Double-click Make New Connection from the main window. Click Next to show the Network Connection Type window:

Figure 9-9

Select Connect to a private network through the Internet and click Next. This displays the Destination Address window:

Figure 9-10

Enter the CyberGuard SG PPTP server’s IP address or[...]

Figure 9-11

Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect.

Windows XP

Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections. Click Create New Connection from the Network T[...]

Connecting the remote VPN client

Verify that you are connected to the Internet, or have set up your VPN connection to automatically establish an initial Internet connection. Select the connection for the CyberGuard SG appliance VPN. Enter a username and password added in the Configuring user accounts for [...]

IPSec Setup

CyberGuard SG appliance to CyberGuard SG appliance

There are many possible configurations in creating an IPSec tunnel. The most common and simplest will be described in this section. Additional options will also be explained throughout this example, should it become necessary to configure the tunne[...]

Figure 9-13

Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet port. The CyberGuard SG appliance can either have a static IP, dynamic IP or DNS hostname address. If a dynamic DNS service is to be used or there is a DNS hostname that resolves [...]

Warning
It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted.

Configure a tunnel to connect to the headquarters office

To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages and then cli[...]

Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on the CyberGuard SG appliance. For the vast majority of setups, this will be the default gateway interface to the Internet. In this example, select the default gateway interface option. Not[...]

• x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be con[...]

In this example, select the be a route to the remote party option. Click the Continue button to configure the Local Endpoint Settings.

Local endpoint settings

Figure 9-15

Leave the Initiate the tunnel from this end checkbox checked.[...]

Note
This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party has a dynamic IP address.

Enter the Required Endpoint ID of the CyberGuard SG appliance. This ID is used to authenticate the CyberGuard SG appliance to the remote party. It is required beca[...]

Other options

The following options will become available on this page depending on what has been configured previously:

• The next IP address on the interface the tunnel is to go on field is the next gateway IP address or nexthop along the previously selected IPSec interface. This field will become avail[...]

o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and MD5 (96-bit authenticator). It uses a 56-bit 3DES encryption key and a 128-bit HMAC-MD5 authentication key.
o des-sha1-96 uses the encryption transform following the [...]

Other options

The following options will become available on this page depending on what has been configured previously:

• The remote party's DNS hostname address field is the DNS hostname address of the Internet interface of the remote party. This option will become available if the remote party has[...]

TCGID: [Siemens] Trust Center Global ID

The attribute/value pairs must be of the form attribute=value and be separated by commas. For example: C=US, ST=Illinois, L=Chicago, O=CyberGuard, OU=Sales, CN=SG550. It must match exactly the Distinguished Name of the remote party's local certificate to success[...]

Phase 1 settings

Figure 9-17

Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. Shorter values offer higher security at the expense of the computational overhead required to calculate new keys. For most applications 60 minutes[...]

Warning
The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secret is not identical at both ends. The secret is a highly sensitive piece of information. It is essential to keep this information confidential. Communications over the IPSec tunnel may be com[...]

Phase 2 settings page

Figure 9-18

Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes. Select a Phase 2[...]

Other options

The following options will become available on this page depending on what has been configured previously:

A separate section may appear to enter multiple Local Networks or Remote Networks or both. In the case where both local and remote parties have been configured to have multiple subnets be[...]

Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet interface. In this example, select static IP address. Leave the Set the IPSec MTU to be checkbox unchecked. Click the Apply button to save the changes.

Configuring a tunnel to accept connecti[...]

Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party option. Click the Continue button to configure the Local Endpoint Settings.

Local endpoint settings page

Leave the Optional Endpoint ID field blank in this example. It is optional because the Cyb[...]

Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Secret used at the branch office CyberGuard SG appliance, which was: This secret must be kept confidential. Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2[...]

Tunnel List

Figure 9-20

Connection

Once a tunnel has been configured, an entry with the tunnel name in the Connection field will be shown.

Note
You may modify a tunnel’s settings by clicking on its connection name.

Click Connection to sort the tunnel list alphabetically by connection name.

Remote party

Th[...]

Click Remote Party to sort the tunnel list by the remote party ID/name/address.

Status

Tunnels that use Automatic Keying (IKE) will have one of four states in the Status field. The states include the following:

• Down indicates that the tunnel is not being negotiated. This may be due to the following rea[...]

Figure 9-21

Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use. Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations. This will include DES, 3DES and AES. Phase 2 Hashes Loaded lists the authentication hash[...]

Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations. Connection Details lists an overview of the tunnel's configuration. It contains the following information:

• An outline of the tunnel's netw[...]

• The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie Hell[...]

Certificate Management

x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Automatic Keying. The other methods are Preshared Secrets and RSA Digital Signatures. Certificates need to be uploaded to the CyberGuard SG appliance before they can be used in a tunnel. Certif[...]

To extract the local private key certificate type, enter the following at the Windows command prompt:

openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem

.. where pkcs12_file is the PKCS#12 file issued by the CA and local_private_key.pem is the local private key certificate to be u[...]

4. Create the self-signed root CA certificate:

openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes

.. where DAYS_VALID is the number of days the root CA is valid for. Remove the -nodes option if you want to use a password to secure the CA key. For each ce[...]

Adding certificates

To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A window similar to the following will be displayed.

Figure 9-22[...]

Adding a CA or CRL certificate

Click the Add new CA or CRL Certificate tab. A window similar to the following will be displayed.

Figure 9-23

Select whether a Certificate Authority or Certificate Revocation List certificate is to be uploaded from the Certificate Type pull down menu. Enter the Certificate Au[...]

Adding a local certificate 1

Click the Add new Local Certificate tab. A window similar to the following will be displayed.

Figure 9-24

Enter the Local Public Key certificate in the Local Certificate field. Click the Browse button to select the file from the host computer. Certificates have time durations in w[...]

Figure 9-25

The certificate names will be displayed under the appropriate certificate type. Clicking the Delete button deletes the certificate from the CyberGuard SG appliance.

Troubleshooting

• Symptom: IPSec is not running and is enabled.
Possible Cause: The CyberGuard SG appliance has not been assigned[...]

The remote party does not have a tunnel configured correctly because:
o The tunnel has not been configured.
o The Phase 1 proposals do not match.
o The secrets do not match.
o The RSA key signatures have been incorrectly configured.
o The Distinguished Name of the remote party has not been configured corre[...]

Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the CyberGuard SG appliance and remote party not recognising the need t[...]

Set up LMHOST files on remote hosts to resolve names to IP addresses.

• Symptom: Tunnel comes up but the application does not work across the tunnel.
Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large. The application uses broadcasts p[...]

GRE

The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support the Generic Routing Encapsulating protocol. You can build GRE tunnels to other CyberGuard SG appliances that support GRE, or to other devices such as Cisco equipment. GRE tunnels are useful[...]

On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details:

GRE Tunnel Name: to_slough
Remote External Address: 195.45.67.8
Local External Address: 203.23.45.6
Local Internal Address: 192.168.1.1

Click Add. Click Add/Remove under Remote Networks and enter:

Remote subnet/netmask: [...]

Click Add. Click Add/Remove under Remote Networks and enter:

Remote subnet/netmask: 192.168.1.0 / 255.255.255.0

Click Add. The GRE tunnel between the two networks is now set up. Tunnels may be Disabled, Deleted or Edited from the main table of GRE tunnels. A few further things of note are:

GRE Tunnel Na[...]

Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end. Click Apply and reboot the unit if prompted to do so.

Note
The alias IP addresses are essentially dummy addresses and can be anything that does not conflict with your existing ne[...]

Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below. Leave Local Internal Address blank, and check Place on Ethernet Bridge.

Figure 9-29

GRE Tunnel Name: to_bris
Remote External Address: 10.254.0.2
Local External Address: 10.254.0.1
Local Int[...]

Troubleshooting

• Symptom: Cannot ping a host on the other side of the GRE tunnel.
Ensure that there is a route set up on the GRE tunnel to the remote network. Ensure that there is a route on the remote GRE endpoint to the network at this end of the GRE tunnel. Check that there is a GRE interface creat[...]

L2TP

The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi-purpose network transport protocol. Many DSL ISPs use L2TP over ATM to create tunnels across the Internet backbone. The CyberGuard SG L2TP implementation can only run L2TP over Ethernet since it doesn't have an A[...]

L2TP server

The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then username and password pairs are created to allow users to log on.

Note
To increase security, L2TP VPN connections from Windows PCs are also run through an IPSec tunnel. This means an IPSec con[...]

10. System

Date and Time

Set date and time

If you have a Javascript enabled web browser, you will be able to click the top Set Date and Time button to synchronize the time on the CyberGuard SG appliance with that of your PC. Alternately, you can manually set the Year, Month, Date, Hour and Minute using the selection boxes to [...]

Figure 10-1

Locality

Select your region then select your location within said region. The system clock will subsequently show local time. Without setting this, the system clock will show UTC. Setting a time zone is only relevant if you are synchronizing with an NTP server or your CyberGuard SG appliance has a real time clock. [...]

    System 161 Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust. Each user on the CyberGuard SG appliance has a password that they use to authenticate themselves to the unit's web pages. They also have a number[...]

  • Page 166

    System 162 Administration A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. It should be given to trusted users who are permitted to configure and reconfigure the unit. Diagnostic The diagnostic access control allows a user to view status reports, the technical supp[...]

  • Page 167

    System 163 Internet access (via access controls) A user with this access control is permitted controlled access to the web through the CyberGuard SG appliance's web proxy. See the Access control and content filtering section in the chapter entitled Firewall for details on controlling LAN users' web access. Password The CyberGuard SG [...]

  • Page 168

    System 164 Figure 10-3 Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page.[...]

  • Page 169

    System 165 Advanced The options on the Advanced page are intended for network administrators and advanced users only. Warning Altering the advanced configuration settings may render your CyberGuard SG appliance inoperable. System log The system log contains debugging information that may be useful in determining whether all services for [...]

  • Page 170

    System 166 You may also upload additional configuration files from your computer to the CyberGuard SG appliance under Upload file. To backup to an encrypted file, click save and restore, enter a password and click Save under Save Configuration. To restore from this file, browse for the backup configuration file, enter the password you[...]

  • Page 171

    System 167 The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running. 3. In the Web Management Console web administration pages, click Advanced then Flash Upgrade. Enter the server IP Address (i.e. PC with the TFTP server and binary image) and the binary imag[...]

  • Page 172

    168 Technical Support The System menu contains an option detailing support information for your CyberGuard SG appliance. This page provides basic troubleshooting tips, contact details for CyberGuard SG technical support, and links to the CyberGuard SG Knowledge Base (http://www.cyberguard.com/snapgear/knowledgebase.html) as shown in[...]

  • Page 173

    Appendix A – IP Address Ranges 169 Appendix A – IP Address Ranges IP ranges are fields that allow multiple IP addresses to be specified using a shorthand notation. Four distinct forms of range are acceptable: 1. a.b.c.d 2. a.b.c.d-e 3. a.b.c.d-e.f.g.h 4. a.b.c.d/e The first is simply a single IP address. Thus wherever a range is[...]
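A parser for the four range forms listed in Appendix A, added here as an example and not part of the manual or the appliance's own code. It assumes that form 4 tolerates host bits set in a.b.c.d (the page does not say) and uses the standard library's ipaddress module to reject octets outside 0-255.

```python
import ipaddress

def parse_ip_range(spec):
    """Expand one of the four Appendix A forms into an inclusive (first, last) pair.

    1. a.b.c.d          single address
    2. a.b.c.d-e        e replaces the last octet of the start address
    3. a.b.c.d-e.f.g.h  explicit first and last address
    4. a.b.c.d/e        CIDR prefix (host bits in a.b.c.d tolerated: assumption)
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:
        start, end = spec.split("-", 1)
        first = ipaddress.IPv4Address(start)
        if "." not in end:
            # form 2: keep the first three octets, substitute the final one
            end = ".".join(start.split(".")[:3] + [end])
        last = ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("range end precedes start: %r" % spec)
        return first, last
    addr = ipaddress.IPv4Address(spec)      # form 1
    return addr, addr

def range_is_valid(spec):
    """True when spec parses; IPv4Address rejects octets outside 0-255 for us."""
    try:
        parse_ip_range(spec)
        return True
    except ValueError:
        return False

def ip_in_range(ip, spec):
    """Membership test: is ip inside the range described by spec?"""
    first, last = parse_ip_range(spec)
    return first <= ipaddress.IPv4Address(ip) <= last

def expand_range(spec, limit=1024):
    """List the addresses in spec as strings; refuse ranges larger than limit."""
    first, last = parse_ip_range(spec)
    size = int(last) - int(first) + 1
    if size > limit:
        raise ValueError("range of %d addresses exceeds limit %d" % (size, limit))
    return [str(ipaddress.IPv4Address(int(first) + i)) for i in range(size)]
```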

  • Page 174

    Appendix B – Terminology 170 Appendix B – Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmetric Digital Subscriber Line. A technology allowing high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between [...]

  • Page 175

    Appendix B – Terminology 171 Certificates A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the[...]

  • Page 176

    Appendix B – Terminology 172 Extranet A private network that uses the public Internet to securely share business information and operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company's intranet. Failover A method for detecting that the main Internet connection (u[...]

  • Page 177

    Appendix B – Terminology 173 IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with Dynamic DNS Dynamic DNS can be run on the IPSec endpoints thereby creating an IPSec tunnel using dynamic IP addresses. IKE IKE is a profile of ISAKMP that is for use by IPsec. It is often ca[...]

  • Page 178

    Appendix B – Terminology 174 NAT Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT. Netmask The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range. NTP Netwo[...]

  • Page 179

    Appendix B – Terminology 175 Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination. RSA Digital Signatures A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key[...]

  • Page 180

    176 x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature. x.509 certificates are used t[...]

  • Page 181

    Appendix C – System Log 177 Appendix C – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this [...]

  • Page 182

    Appendix C – System Log 178 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g. ppp0 or ppp1 – a PPP session ipsecX e.g. ipsec0, an IPSec interface The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and [...]

  • Page 183

    Appendix C – System Log 179 A typical Default Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 That is, a pa[...]

  • Page 184

    Appendix C – System Log 180 To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something like this: iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix> This will log any TCP (-p tcp) session initiation[...]

  • Page 185

    Appendix C – System Log 181 For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber on the LAN with address 192.168.1.1: iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This will result in log output so [...]

  • Page 186

    Appendix C – System Log 182 If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+ Clearly there are many more combinations possible. It is therefore possible to write rules that log inbound and outbound traffic, or to construct several rules that differentiate between [...]

  • Page 187

    Appendix C – System Log 183 Administrative Access Logging When a user tries to log onto the Web Management Console web administration pages, one of the following log messages appears: Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2 Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2 Thi[...]

  • Page 188

    Appendix D – Firmware Upgrade Practices and Precautions 184 Appendix D – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgrade, it is important that you save a backup of your existing configuration (Advanced -> Store/restore all configuration files) to a local file. While we make every effort to ens[...]

  • Page 189

    Appendix D – Firmware Upgrade Practices and Precautions 185 If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration as a guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physica[...]