Snapgear 2.0.1 User Manual

Browse online or download the user manual for Hardware Snapgear 2.0.1. SnapGear 2.0.1 User Manual

Table of contents

Page 1 - User Manual

CyberGuard SG Firewall VPN Appliance User Manual Revision 2.0.1 June 7, 2004 CyberGuard 7984 South Welby Park Drive #101 Salt Lake Ci

Page 2 - Contents

Introduction 6 Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model. Label

Page 3

Intrusion Detection 96 Setting up the analysis server Specific open source tools are required to be installed on the Analysis server for a straightfor

Page 4

97 PHPlot graph library for charts written in PHP http://www.phplot.com/ ACID analysis console http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b

Page 5 - 1. Introduction

Web Cache 98 8. Web Cache Note The web cache is only available on SG575 models. Web browsers running on PCs on your LAN can use the CyberGuard SG app

Page 6

Web Cache 99 Web Cache Setup Select Web cache under Networking. A page similar to the following will be displayed. Figure 8-1 Check Enable to enable

Page 7 - Secure by default

Web Cache 100 Network Shares Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additiona

Page 8 - Document Conventions

Web Cache 101 Create the network share Figure 8-2 Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and o

Page 9 - Front panel LEDs

Web Cache 102 Set the CyberGuard SG appliance to use the network share Check Use share. Enter the location of the network share in the format: \\H

Page 10 - Rear panel

Web Cache 103 Peers The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web ca

Page 11 - Environmental features

Virtual Private Networking 104 9. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely

Page 12 - Figure 1-3

Virtual Private Networking 105 Figure 9-1 PPTP Client Setup The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote networ

Page 13 - Environmental features

Introduction 7 CyberGuard SG Gateway Appliance Features Internet link features • 10/100baseT Ethernet port (Internet/WAN) • Serial port • Front pan

Page 14 - 2. Getting Started

Virtual Private Networking 106 If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the fo

Page 15

Virtual Private Networking 107 PPTP Server Setup The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up

Page 16

Virtual Private Networking 108 Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 9-3 To enable and co

Page 17 - Figure 2-1

Virtual Private Networking 109 The following table describes the fields in the VPN Setup screen and the options available when enabling and configurin

Page 18 - Figure 2-2

Virtual Private Networking 110 Configuring user accounts for VPN server After setting up the VPN server, select Continue and to show the PPTP VPN Serv

Page 19

Virtual Private Networking 111 The field options in the Add New Account are detailed in the following table. Field Description Username Username for

Page 20 - Figure 2-3

Virtual Private Networking 112 Configuring the remote VPN client The remote VPN clients can now be configured to securely access the local network. Y

Page 21 - Figure 2-4

Virtual Private Networking 113 Windows 95, Windows 98 and Windows Me From the Dial-Up Networking folder, double-click Make New Connection. Type Cyber

Page 22 - Direct connection

Virtual Private Networking 114 Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header

Page 23

Virtual Private Networking 115 Double-click Make New Connection from the main windows. Click Next to show the Network Connection Type window: Figure

Page 24 - LAN with no DHCP server

Introduction 8 Your CyberGuard SG PCI Appliance CyberGuard SG PCI appliances include: • PCI630 • PCI635 The following items are included with your C

Page 25

Virtual Private Networking 116 Figure 9-11 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to

Page 26

Virtual Private Networking 117 Connecting the remote VPN client Verify that you are connected to the Internet, or have set up your VPN connection to a

Page 27 - Figure 2-6

Virtual Private Networking 118 IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are many possible configurations in creating an IP

Page 28 - CyberGuard SG PCI Appliances

Virtual Private Networking 119 Figure 9-13 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its

Page 29 - Figure 2-7

Virtual Private Networking 120 Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitte

Page 30 - Figure 2-8

Virtual Private Networking 121 Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on

Page 31

Virtual Private Networking 122 • x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate

Page 32 - Figure 2-9

Virtual Private Networking 123 In this example, select the be a route to the remote party option. Click the Continue button to configure the Local End

Page 33 - Figure 2-10

Virtual Private Networking 124 Note This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party h

Page 34 - Figure 2-11

Virtual Private Networking 125 Other options The following options will become available on this page depending on what has been configured previousl

Page 35 - Figure 2-12

Introduction 9 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT Ethernet port • Ethernet LEDs (link, activity) Environmental

Page 36 - Appliance

Virtual Private Networking 126 o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authenticatio

Page 37 - 3. Network Connections

Virtual Private Networking 127 Other options The following options will become available on this page depending on what has been configured previousl

Page 38 - Bridging

Virtual Private Networking 128 TCGID [Siemens] Trust Center Global ID The attribute/value pairs must be of the form attribute=value and be separate

Page 39 - Internet

Virtual Private Networking 129 Phase 1 settings Figure 9-17 Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The

Page 40 - Internet Connection Methods

Virtual Private Networking 130 Warning The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secr

Page 41 - Direct Internet

Virtual Private Networking 131 Phase 2 settings page Figure 9-18 Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field.

Page 42 - Bridged Internet

Virtual Private Networking 132 Other options The following options will become available on this page depending on what has been configured previousl

Page 43 - COM/Modem

Virtual Private Networking 133 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet inte

Page 44 - Figure 3-5

Virtual Private Networking 134 Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party opti

Page 45 - Bridged DMZ

Virtual Private Networking 135 Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Sec

Page 46 - Services on the DMZ Network

Getting Started 10 2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network a

Page 47 - Internet Failover

Virtual Private Networking 136 Tunnel List Figure 9-20 Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection

Page 48 - Figure 3-6

Virtual Private Networking 137 Click Remote Party to sort the tunnel list by the remote party ID/name/address. Status Tunnels that use Automatic Keyin

Page 49 - Figure 3-7

Virtual Private Networking 138 Figure 9-21 Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use. Phase 2 Ciph

Page 50 - Route management

Virtual Private Networking 139 Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for bo

Page 51

Virtual Private Networking 140 • The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher

Page 52 - Figure 3-9

Virtual Private Networking 141 Certificate Management x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Aut

Page 53 - Dynamic DNS

Virtual Private Networking 142 To extract the local private key certificate type, enter the following at the Windows command prompt: openssl pkcs12 -n

Page 54 - Interface aliases

Virtual Private Networking 143 4. Create the self-signed root CA certificate: openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out r

Page 55 - QoS Traffic Shaping

Virtual Private Networking 144 Adding certificates To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the We

Page 56 - 4. Dialin Setup

Virtual Private Networking 145 Adding a CA or CRL certificate Click the Add new CA or CRL Certificate tab. A window similar to the following will be

Page 57 - Dialin Setup

Getting Started 11 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with initia

Page 58

Virtual Private Networking 146 Adding a local certificate 1 Click the Add new Local Certificate tab. A window similar to the following will be displ

Page 59 - Dialin User Accounts

Virtual Private Networking 147 Figure 9-25 The certificate names will be displayed under the appropriate certificate type. Clicking the Delete butto

Page 60 - Account list

Virtual Private Networking 148 The remote party does not have a tunnel configured correctly because: o The tunnel has not been configured. o The Pha

Page 61 - Figure 4-3

Virtual Private Networking 149 Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that t

Page 62 - Remote User Configuration

Virtual Private Networking 150 Set up LMHOST files on remote hosts to resolve names to IP addresses. • Symptom: Tunnel comes up but the application

Page 63

Virtual Private Networking 151 GRE The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support

Page 64 - Windows 2000/XP

Virtual Private Networking 152 On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details: GRE Tunnel Name: to_slough

Page 65 - Figure 4-8

Virtual Private Networking 153 Click Add. Click Add/Remove under Remote Networks and enter: Remote subnet/netmask: 192.168.1.0 / 255.255.255.0 C

Page 66 - Figure 4-10

Virtual Private Networking 154 Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at t

Page 67 - 5. DHCP Server

Virtual Private Networking 155 Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below.

Page 68 - Figure 5-2

Getting Started 12 Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect

Page 69

Virtual Private Networking 156 Troubleshooting • Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set u

Page 70 - Figure 5-3

Virtual Private Networking 157 L2TP The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi-purpose network transport protoco

Page 71 - DHCP Proxy

Virtual Private Networking 158 L2TP server The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then u

Page 72 - 6. Firewall

System 159 10. System Date and Time Set date and time If you have a Javascript enabled web browser, you will be able to click the top Set Date and Ti

Page 73 - Administration services

System 160 Figure 10-1 Locality Select your region then select your location within said region. The system clock will subsequently show local time.

Page 74 - Figure 6-2

System 161 Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to

Page 75 - SSL/HTTPS (Secure HTTP)

System 162 Administration A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. I

Page 76 - SSL Certificate Setup

System 163 Internet access (via access controls) A user with this access control is permitted controlled access to the web through the CyberGuard SG a

Page 77 - Packet Filtering

System 164 Figure 10-3 Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top o

Page 78 - Addresses

System 165 Advanced The options on the Advanced page are intended for network administrators and advanced users only. Warning Altering the advanced co

Page 79 - Service groups

Getting Started 13 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se

Page 80 - Figure 6-6

System 166 You may also upload additional configuration files from your computer to the CyberGuard SG appliance under Upload file. To backup to an enc

Page 81

System 167 The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running.

Page 82 - Source NAT

168 Technical Support The System menu contains an option detailing support information for your CyberGuard SG appliance. This page provides basic tro

Page 83 - 1-to-1 NAT

Appendix A – IP Address Ranges 169 Appendix A – IP Address Ranges IP ranges are fields that allow multiple IP addresses to be specified using a shor

Page 84

Appendix B – Terminology 170 Appendix B – Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmet

Page 85 - User authentication

Appendix B – Terminology 171 Certificates A digitally signed statement that contains information about an entity and the entity's public key, th

Page 86 - Figure 6-8

Appendix B – Terminology 172 Extranet A private network that uses the public Internet to securely share business information and operations with supp

Page 87 - Browser setup

Appendix B – Terminology 173 IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with D

Page 88 - IP lists

Appendix B – Terminology 174 NAT Network Address Translation. The translation of an IP address used on one network to an IP address on another netwo

Page 89 - Web lists

Appendix B – Terminology 175 Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelli

Page 90 - Content

Getting Started 14 Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Defa

Page 91 - Categories

176 x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign

Page 92 - ZoneAlarm

Appendix C – System Log 177 Appendix C – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG ap

Page 93 - 7. Intrusion Detection

Appendix C – System Log 178 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g

Page 94 - The benefits of using an IDS

Appendix C – System Log 179 A typical Default Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MA

Page 95 - Figure 7-1

Appendix C – System Log 180 To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something

Page 96

Appendix C – System Log 181 For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber o

Page 97 - Advanced Intrusion Detection

Appendix C – System Log 182 If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+

Page 98 - Figure 7-2

Appendix C – System Log 183 Administrative Access Logging When a user tries to log onto the Web Management Console web administration pages, one of th

Page 99 - Figure 7-3

Appendix D – Firmware Upgrade Practices and Precautions 184 Appendix D – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgr

Page 100

Appendix D – Firmware Upgrade Practices and Precautions 185 If you encounter any problems, reset the device to its factory default settings and reconf

Page 101

Getting Started 15 Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password fo

Page 102 - 8. Web Cache

Contents 1. Introduction...1 CyberGuard SG Gateway Appli

Page 103 - Web Cache Setup

Getting Started 16 The Quick Setup Wizard will display. Figure 2-3 Hostname: You may change the name the CyberGuard SG appliance knows itself by. T

Page 104 - Network Shares

Getting Started 17 Figure 2-4 Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step. Ent

Page 105 - Create the network share

Getting Started 18 Set up Internet Connection Settings Select your Internet connection type and click Next. Figure 2-5 Cable modem If connecting usin

Page 106 - Figure 8-3

Getting Started 19 Note For detailed help for each of these options, please refer to the chapter entitled Network Connections. Once the CyberGua

Page 107

Getting Started 20 LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG

Page 108

Getting Started 21 To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connect

Page 109 - PPTP Client Setup

Getting Started 22 Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser

Page 110 - Figure 9-2

Getting Started 23 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple

Page 111 - PPTP Server Setup

Getting Started 24 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Sele

Page 112 - Figure 9-3

Getting Started 25 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se

Page 113

4. Dialin Setup...52 Dialin Setup ...

Page 114 - Figure 9-4

Getting Started 26 Set up the Password and Network Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.16

Page 115

Getting Started 27 Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally

Page 116 - Figure 9-5

Getting Started 28 The first IP address will be used by the Web Management Console. Figure 2-9 Enter this IP address and the subnet mask for your L

Page 117 - Figure 9-6

Getting Started 29 Figure 2-10 Enter the following details: • IP address the second free IP addresses that is part of the subnet range of your LAN.

Page 118 - Windows 2000

Getting Started 30 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has

Page 119 - Figure 9-10

Getting Started 31 Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> C

Page 120 - Windows XP

Getting Started 32 Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear pan

Page 121

Network Connections 33 3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure

Page 122 - Set up the Branch Office

Network Connections 34 LAN Unlike Internet, DMZ or COM1 ports, the LAN network port has only one configurable function, to connect to your local area

Page 123 - Figure 9-13

Network Connections 35 • It allows users to transmit IPX/SPX over a VPN, something that is not supported by other VPN vendors. • It allows users to

Page 124 - Tunnel settings page

10. System...159 Date and Time ...

Page 125

Network Connections 36 CyberGuard SG PCI appliances can also connect to the Internet in this manner, but generally will be connecting directly to a LA

Page 126

Network Connections 37 Use PPPoE if your ISP uses username and password authentication to access the Internet. Use DHCP if your ISP does not require

Page 127 - Local endpoint settings

Network Connections 38 Figure 3-4 To manually configure your Internet network settings, enter the IP Address, Netmask, Internet Gateway and DNS Serve

Page 128

Network Connections 39 When the CyberGuard SG appliance is in bridged mode, it will not be performing NAT/masquerading. PCs will typically use an IP

Page 129 - Other options

Network Connections 40 Figure 3-5 The following table describes the fields and explains how to configure the dial up connection to your ISP. Field D

Page 130 - Figure 9-16

Network Connections 41 Statically assigned IP address The majority of ISPs dynamically assign an IP address to your connection when you dialin. Howev

Page 131

Network Connections 42 Services on the DMZ Network Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appl

Page 132

Network Connections 43 DMZ as a backup/failover Internet connection See the Internet Failover section later in this chapter. Load Balancing If you hav

Page 133 - Phase 1 settings

Network Connections 44 Enable the primary connection for failover Set up your primary broadband Internet connection as described in the Internet secti

Page 134

Network Connections 45 Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Intern

Page 135 - Phase 2 settings page

Introduction 1 1. Introduction This chapter provides an overview of your CyberGuard SG appliance’s features and capabilities, and explains how to ins

Page 136 - Enabling IPSec

Network Connections 46 Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the CyberGuard S

Page 137

Network Connections 47 Advanced The following figure shows the advanced IP configuration: Figure 3-8 Hostname The Hostname is a descriptive name for

Page 138 - Phase 1 settings page

Network Connections 48 Figure 3-9 Network Address Translation (NAT/masquerading) The CyberGuard SG appliance can utilize IP Masquerading (a simple fo

Page 139

Network Connections 49 Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by

Page 140 - Tunnel List

Network Connections 50 Figure 3-10 Interface aliases Interface aliases allow the CyberGuard SG appliance to respond to multiple IP addresses on its L

Page 141

Network Connections 51 Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG a

Page 142 - Figure 9-21

Dialin Setup 52 4. Dialin Setup CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up th

Page 143

Dialin Setup 53 Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance’s COM port or internal modem for

Page 144 - Dynamic DNS Support

Dialin Setup 54 The following table describes the fields on the Dial-In Setup page: Field Description IP Address for Dialin clients Dialin users

Page 145 - Certificate Management

Dialin Setup 55 Dialin User Accounts User accounts must be set up before remote users can dial into the CyberGuard SG appliance. The following figure

Page 146 - Creating certificates

Introduction 2 The following figure shows how your CyberGuard SG appliance interconnects. Figure 1-1 CyberGuard SG PCI Appliances The CyberGuard SG P

Page 147

Dialin Setup 56 The following figure shows the user maintenance screen: Figure 4-3 Account list As new dialin user accounts are added, they are displ

Page 148 - Adding certificates

Dialin Setup 57 If the change is unsuccessful, an error is reported as shown in the following figure: Figure 4-3 When you have finished adding and mo

Page 149 - Figure 9-23

Dialin Setup 58 Remote User Configuration Remote users can dialin using the CyberGuard SG appliance using the standard Windows Dial-Up Networking soft

Page 150 - Adding a local certificate

Dialin Setup 59 Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP

Page 151 - Troubleshooting

Dialin Setup 60 Windows 2000/XP To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Co

Page 152

Dialin Setup 61 Figure 4-7 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote acc

Page 153

62 Figure 4-9 Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for

Page 154

DHCP Server 63 5. DHCP Server Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard

Page 155 - Setting up a GRE tunnel

DHCP Server 64 To configure the DHCP Server, follow these instructions. • Check the Enable DHCP Server checkbox. • Enter the Subnet and netmask of t

Page 156 - Figure 9-26

DHCP Server 65 Subnet List The Subnet List will display the status of the DHCP server. Interface Once a subnet has been configured, the port which th

Page 157 - GRE over IPSec

Introduction 3 This approach offers an increased measure of protection against internal threats as well as conventional Internet security concerns. Y

Page 158 - Figure 9-28

DHCP Server 66 Figure 5-3 For each IP address that the DHCP server services, the Status, Hostname, MAC Address will be shown. There is also be an opt

Page 159 - Figure 9-29

67 DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This all

Page 160

Firewall 68 6. Firewall The CyberGuard SG appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and ou

Page 161 - L2TP VPN client

Firewall 69 Administration services The following figure shows the Administration Services page: Figure 6-1 By default the CyberGuard SG appliance ru

Page 162 - L2TP server

Firewall 70 CyberGuard SG Administrative Web Server Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative we

Page 163 - 10. System

Firewall 71 The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must inc

Page 164 - Locality

Firewall 72 Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web server can operate in one of 3 different modes

Page 165 - Figure 10-2

Firewall 73 Packet Filtering By default, your CyberGuard SG appliance allows network traffic as shown in the following table: You can configure y

Page 166 - User settings

Firewall 74 Before configuring a filter or NAT rule, you need to define the addresses and service groups. Addresses Click the Addresses tab. Any addr

Page 167 - Diagnostics

Firewall 75 Service groups Click the Service Groups tab. Any addresses that have already been defined will be displayed. Click New to add a new serv

Page 168 - Network tests

Introduction 4 Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights

Page 169 - Advanced

Firewall 76 Rules Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined

Page 170 - Flash upgrade

Firewall 77 The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interf

Page 171 - Reset button

Firewall 78 Source Address The address from which the request originated (for port forwarding you may specify this to restrict the internal service t

Page 172 - Technical Support

Firewall 79 Source Address The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address) Outgo

Page 173

Firewall 80 Warning Leaving Create a corresponding ACCEPT firewall rule will allow all traffic into and out from the specified private address, i.e.

Page 174 - Appendix B – Terminology

Firewall 81 Access Control and Content Filtering Inappropriate Internet use during work hours can have a serious effect on productivity. With the Cyb

Page 175

Firewall 82 Users without web proxy access will see a screen similar to the figure below when attempting to access external web content. Figure 6-8 N

Page 176

Firewall 83 Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their u

Page 177

Firewall 84 Figure 6-10 In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in th

Page 178

Firewall 85 Web lists Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any UR

Page 179

Introduction 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appliances include: • SG300 • SG530 • SG550 • SG570 • SG575 The followi

Page 180

Firewall 86 Content Note Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filter

Page 181 - Appendix C – System Log

Firewall 87 Reports Warning The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do thi

Page 182

Firewall 88 ZoneAlarm This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Ru

Page 183 - Creating Custom Log Rules

Intrusion Detection 89 7. Intrusion Detection Note Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Instrusi

Page 184

Intrusion Detection 90 The benefits of using an IDS External attackers attempting to access desktops and servers on the private network from the Inter

Page 185

Intrusion Detection 91 Basic Intrusion Detection and Blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Fi

Page 186 - Rate Limiting

Intrusion Detection 92 Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones selecti

Page 187 - Boot Log Messages

Intrusion Detection 93 Advanced Intrusion Detection Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect

Page 188 - Practices and Precautions

Intrusion Detection 94 Advanced Intrusion Detection configuration Figure 7-2 Check Enabled, and select the Interface/network port to monitor. This w

Page 189

Intrusion Detection 95 Note The more rule sets that are selected, the greater load is imposed on the CyberGuard SG appliance. Therefore a conservati
