CyberGuard SG Firewall VPN Appliance User Manual Revision 2.0.1 June 7, 2004 CyberGuard 7984 South Welby Park Drive #101 Salt Lake Ci
Introduction 6 Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model. Label
Intrusion Detection 96 Setting up the analysis server Specific open source tools are required to be installed on the Analysis server for a straightfor
97 PHPlot graph library for charts written in PHP http://www.phplot.com/ ACID analysis console http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b
Web Cache 98 8. Web Cache Note The web cache is only available on SG575 models. Web browsers running on PCs on your LAN can use the CyberGuard SG app
Web Cache 99 Web Cache Setup Select Web cache under Networking. A page similar to the following will be displayed. Figure 8-1 Check Enable to enable
Web Cache 100 Network Shares Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additiona
Web Cache 101 Create the network share Figure 8-2 Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and o
Web Cache 102 Set the CyberGuard SG appliance to use the network share Check Use share. Enter the location of the network share in the format: \\H
Web Cache 103 Peers The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web ca
Virtual Private Networking 104 9. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely
Virtual Private Networking 105 Figure 9-1 PPTP Client Setup The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote networ
Introduction 7 CyberGuard SG Gateway Appliance Features Internet link features • 10/100baseT Ethernet port (Internet/WAN) • Serial port • Front pan
Virtual Private Networking 106 If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the fo
Virtual Private Networking 107 PPTP Server Setup The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up
Virtual Private Networking 108 Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 9-3 To enable and co
Virtual Private Networking 109 The following table describes the fields in the VPN Setup screen and the options available when enabling and configurin
Virtual Private Networking 110 Configuring user accounts for VPN server After setting up the VPN server, select Continue to show the PPTP VPN Serv
Virtual Private Networking 111 The field options in the Add New Account are detailed in the following table. Field Description Username Username for
Virtual Private Networking 112 Configuring the remote VPN client The remote VPN clients can now be configured to securely access the local network. Y
Virtual Private Networking 113 Windows 95, Windows 98 and Windows Me From the Dial-Up Networking folder, double-click Make New Connection. Type Cyber
Virtual Private Networking 114 Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header
Virtual Private Networking 115 Double-click Make New Connection from the main windows. Click Next to show the Network Connection Type window: Figure
Introduction 8 Your CyberGuard SG PCI Appliance CyberGuard SG PCI appliances include: • PCI630 • PCI635 The following items are included with your C
Virtual Private Networking 116 Figure 9-11 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to
Virtual Private Networking 117 Connecting the remote VPN client Verify that you are connected to the Internet, or have set up your VPN connection to a
Virtual Private Networking 118 IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are many possible configurations in creating an IP
Virtual Private Networking 119 Figure 9-13 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its
Virtual Private Networking 120 Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitte
Virtual Private Networking 121 Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on
Virtual Private Networking 122 • x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate
Virtual Private Networking 123 In this example, select the be a route to the remote party option. Click the Continue button to configure the Local End
Virtual Private Networking 124 Note This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party h
Virtual Private Networking 125 Other options The following options will become available on this page depending on what has been configured previousl
Introduction 9 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT Ethernet port • Ethernet LEDs (link, activity) Environmental
Virtual Private Networking 126 o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authenticatio
Virtual Private Networking 127 Other options The following options will become available on this page depending on what has been configured previousl
Virtual Private Networking 128 TCGID [Siemens] Trust Center Global ID The attribute/value pairs must be of the form attribute=value and be separate
Virtual Private Networking 129 Phase 1 settings Figure 9-17 Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The
Virtual Private Networking 130 Warning The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secr
Virtual Private Networking 131 Phase 2 settings page Figure 9-18 Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field.
Virtual Private Networking 132 Other options The following options will become available on this page depending on what has been configured previousl
Virtual Private Networking 133 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet inte
Virtual Private Networking 134 Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party opti
Virtual Private Networking 135 Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Sec
Getting Started 10 2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network a
Virtual Private Networking 136 Tunnel List Figure 9-20 Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection
Virtual Private Networking 137 Click Remote Party to sort the tunnel list by the remote party ID/name/address. Status Tunnels that use Automatic Keyin
Virtual Private Networking 138 Figure 9-21 Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use. Phase 2 Ciph
Virtual Private Networking 139 Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for bo
Virtual Private Networking 140 • The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher
Virtual Private Networking 141 Certificate Management x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Aut
Virtual Private Networking 142 To extract the local private key certificate type, enter the following at the Windows command prompt: openssl pkcs12 -n
Virtual Private Networking 143 4. Create the self-signed root CA certificate: openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out r
Virtual Private Networking 144 Adding certificates To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the We
Virtual Private Networking 145 Adding a CA or CRL certificate Click the Add new CA or CRL Certificate tab. A window similar to the following will be
Getting Started 11 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with initia
Virtual Private Networking 146 Adding a local certificate 1 Click the Add new Local Certificate tab. A window similar to the following will be displ
Virtual Private Networking 147 Figure 9-25 The certificate names will be displayed under the appropriate certificate type. Clicking the Delete butto
Virtual Private Networking 148 The remote party does not have a tunnel configured correctly because: o The tunnel has not been configured. o The Pha
Virtual Private Networking 149 Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that t
Virtual Private Networking 150 Set up LMHOST files on remote hosts to resolve names to IP addresses. • Symptom: Tunnel comes up but the application
Virtual Private Networking 151 GRE The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support
Virtual Private Networking 152 On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details: GRE Tunnel Name: to_slough
Virtual Private Networking 153 Click Add. Click Add/Remove under Remote Networks and enter: Remote subnet/netmask: 192.168.1.0 / 255.255.255.0 C
Virtual Private Networking 154 Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at t
Virtual Private Networking 155 Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below.
Getting Started 12 Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect
Virtual Private Networking 156 Troubleshooting • Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set u
Virtual Private Networking 157 L2TP The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi-purpose network transport protoco
Virtual Private Networking 158 L2TP server The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then u
System 159 10. System Date and Time Set date and time If you have a Javascript enabled web browser, you will be able to click the top Set Date and Ti
System 160 Figure 10-1 Locality Select your region then select your location within said region. The system clock will subsequently show local time.
System 161 Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to
System 162 Administration A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. I
System 163 Internet access (via access controls) A user with this access control is permitted controlled access to the web through the CyberGuard SG a
System 164 Figure 10-3 Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top o
System 165 Advanced The options on the Advanced page are intended for network administrators and advanced users only. Warning Altering the advanced co
Getting Started 13 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se
System 166 You may also upload additional configuration files from your computer to the CyberGuard SG appliance under Upload file. To backup to an enc
System 167 The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running.
168 Technical Support The System menu contains an option detailing support information for your CyberGuard SG appliance. This page provides basic tro
Appendix A – IP Address Ranges 169 Appendix A – IP Address Ranges IP ranges are fields that allow multiple IP addresses to be specified using a shor
Appendix B – Terminology 170 Appendix B – Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmet
Appendix B – Terminology 171 Certificates A digitally signed statement that contains information about an entity and the entity's public key, th
Appendix B – Terminology 172 Extranet A private network that uses the public Internet to securely share business information and operations with supp
Appendix B – Terminology 173 IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with D
Appendix B – Terminology 174 NAT Network Address Translation. The translation of an IP address used on one network to an IP address on another netwo
Appendix B – Terminology 175 Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelli
Getting Started 14 Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Defa
176 x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign
Appendix C – System Log 177 Appendix C – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG ap
Appendix C – System Log 178 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g
Appendix C – System Log 179 A typical Default Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MA
Appendix C – System Log 180 To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something
Appendix C – System Log 181 For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber o
Appendix C – System Log 182 If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+
Appendix C – System Log 183 Administrative Access Logging When a user tries to log onto the Web Management Console web administration pages, one of th
Appendix D – Firmware Upgrade Practices and Precautions 184 Appendix D – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgr
Appendix D – Firmware Upgrade Practices and Precautions 185 If you encounter any problems, reset the device to its factory default settings and reconf
Getting Started 15 Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password fo
Contents 1. Introduction...1 CyberGuard SG Gateway Appli
Getting Started 16 The Quick Setup Wizard will display. Figure 2-3 Hostname: You may change the name the CyberGuard SG appliance knows itself by. T
Getting Started 17 Figure 2-4 Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step. Ent
Getting Started 18 Set up Internet Connection Settings Select your Internet connection type and click Next. Figure 2-5 Cable modem If connecting usin
Getting Started 19 Note For detailed help for each of these options, please refer to the chapter entitled Network Connections. Once the CyberGua
Getting Started 20 LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG
Getting Started 21 To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connect
Getting Started 22 Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser
Getting Started 23 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple
Getting Started 24 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Sele
Getting Started 25 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se
4. Dialin Setup...52 Dialin Setup ...
Getting Started 26 Set up the Password and Network Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.16
Getting Started 27 Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally
Getting Started 28 The first IP address will be used by the Web Management Console. Figure 2-9 Enter this IP address and the subnet mask for your L
Getting Started 29 Figure 2-10 Enter the following details: • IP address the second free IP address that is part of the subnet range of your LAN.
Getting Started 30 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has
Getting Started 31 Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> C
Getting Started 32 Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear pan
Network Connections 33 3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure
Network Connections 34 LAN Unlike Internet, DMZ or COM1 ports, the LAN network port has only one configurable function, to connect to your local area
Network Connections 35 • It allows users to transmit IPX/SPX over a VPN, something that is not supported by other VPN vendors. • It allows users to
10. System...159 Date and Time ...
Network Connections 36 CyberGuard SG PCI appliances can also connect to the Internet in this manner, but generally will be connecting directly to a LA
Network Connections 37 Use PPPoE if your ISP uses username and password authentication to access the Internet. Use DHCP if your ISP does not require
Network Connections 38 Figure 3-4 To manually configure your Internet network settings, enter the IP Address, Netmask, Internet Gateway and DNS Serve
Network Connections 39 When the CyberGuard SG appliance is in bridged mode, it will not be performing NAT/masquerading. PCs will typically use an IP
Network Connections 40 Figure 3-5 The following table describes the fields and explains how to configure the dial up connection to your ISP. Field D
Network Connections 41 Statically assigned IP address The majority of ISPs dynamically assign an IP address to your connection when you dialin. Howev
Network Connections 42 Services on the DMZ Network Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appl
Network Connections 43 DMZ as a backup/failover Internet connection See the Internet Failover section later in this chapter. Load Balancing If you hav
Network Connections 44 Enable the primary connection for failover Set up your primary broadband Internet connection as described in the Internet secti
Network Connections 45 Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Intern
Introduction 1 1. Introduction This chapter provides an overview of your CyberGuard SG appliance’s features and capabilities, and explains how to ins
Network Connections 46 Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the CyberGuard S
Network Connections 47 Advanced The following figure shows the advanced IP configuration: Figure 3-8 Hostname The Hostname is a descriptive name for
Network Connections 48 Figure 3-9 Network Address Translation (NAT/masquerading) The CyberGuard SG appliance can utilize IP Masquerading (a simple fo
Network Connections 49 Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by
Network Connections 50 Figure 3-10 Interface aliases Interface aliases allow the CyberGuard SG appliance to respond to multiple IP addresses on its L
Network Connections 51 Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG a
Dialin Setup 52 4. Dialin Setup CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up th
Dialin Setup 53 Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance’s COM port or internal modem for
Dialin Setup 54 The following table describes the fields on the Dial-In Setup page: Field Description IP Address for Dialin clients Dialin users
Dialin Setup 55 Dialin User Accounts User accounts must be set up before remote users can dialin to the CyberGuard SG appliance. The following figure
Introduction 2 The following figure shows how your CyberGuard SG appliance interconnects. Figure 1-1 CyberGuard SG PCI Appliances The CyberGuard SG P
Dialin Setup 56 The following figure shows the user maintenance screen: Figure 4-3 Account list As new dialin user accounts are added, they are displ
Dialin Setup 57 If the change is unsuccessful, an error is reported as shown in the following figure: Figure 4-3 When you have finished adding and mo
Dialin Setup 58 Remote User Configuration Remote users can dialin to the CyberGuard SG appliance using the standard Windows Dial-Up Networking soft
Dialin Setup 59 Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP
Dialin Setup 60 Windows 2000/XP To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Co
Dialin Setup 61 Figure 4-7 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote acc
62 Figure 4-9 Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for
DHCP Server 63 5. DHCP Server Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard
DHCP Server 64 To configure the DHCP Server, follow these instructions. • Check the Enable DHCP Server checkbox. • Enter the Subnet and netmask of t
DHCP Server 65 Subnet List The Subnet List will display the status of the DHCP server. Interface Once a subnet has been configured, the port which th
Introduction 3 This approach offers an increased measure of protection against internal threats as well as conventional Internet security concerns. Y
DHCP Server 66 Figure 5-3 For each IP address that the DHCP server services, the Status, Hostname and MAC Address will be shown. There is also an opt
67 DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This all
Firewall 68 6. Firewall The CyberGuard SG appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and ou
Firewall 69 Administration services The following figure shows the Administration Services page: Figure 6-1 By default the CyberGuard SG appliance ru
Firewall 70 CyberGuard SG Administrative Web Server Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative we
Firewall 71 The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must inc
Firewall 72 Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web server can operate in one of 3 different modes
Firewall 73 Packet Filtering By default, your CyberGuard SG appliance allows network traffic as shown in the following table: You can configure y
Firewall 74 Before configuring a filter or NAT rule, you need to define the addresses and service groups. Addresses Click the Addresses tab. Any addr
Firewall 75 Service groups Click the Service Groups tab. Any addresses that have already been defined will be displayed. Click New to add a new serv
Introduction 4 Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights
Firewall 76 Rules Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined
Firewall 77 The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interf
Firewall 78 Source Address The address from which the request originated (for port forwarding you may specify this to restrict the internal service t
Firewall 79 Source Address The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address) Outgo
Firewall 80 Warning Leaving Create a corresponding ACCEPT firewall rule will allow all traffic into and out from the specified private address, i.e.
Firewall 81 Access Control and Content Filtering Inappropriate Internet use during work hours can have a serious effect on productivity. With the Cyb
Firewall 82 Users without web proxy access will see a screen similar to the figure below when attempting to access external web content. Figure 6-8 N
Firewall 83 Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their u
Firewall 84 Figure 6-10 In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in th
Firewall 85 Web lists Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any UR
Introduction 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appliances include: • SG300 • SG530 • SG550 • SG570 • SG575 The followi
Firewall 86 Content Note Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filter
Firewall 87 Reports Warning The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do thi
Firewall 88 ZoneAlarm This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Ru
Intrusion Detection 89 7. Intrusion Detection Note Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Intrusi
Intrusion Detection 90 The benefits of using an IDS External attackers attempting to access desktops and servers on the private network from the Inter
Intrusion Detection 91 Basic Intrusion Detection and Blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Fi
Intrusion Detection 92 Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones selecti
Intrusion Detection 93 Advanced Intrusion Detection Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect
Intrusion Detection 94 Advanced Intrusion Detection configuration Figure 7-2 Check Enabled, and select the Interface/network port to monitor. This w
Intrusion Detection 95 Note The more rule sets that are selected, the greater load is imposed on the CyberGuard SG appliance. Therefore a conservati