SnapGearメーカー2.0.1の使用説明書/サービス説明書
ページ先へ移動 of 189
CyberGuard SG Firewall V PN Applian ce User Manua l Revision 2.0.1 June 7, 2004 CyberGuard 7984 South W elby Park Drive #10 1 Salt Lake City, Uta h 84084 Email: suppo rt@snapgear.
Contents 1. Introduction ............................................................................................... 1 CyberGuard SG Gateway Appli a n c es ................................................................... 1 CyberGuard SG PCI Appli a n c es .
4. Dialin Setup ............................................................................................. 52 Dialin Setup ......................................................................................................... 53 Dialin User Accounts .
10. System ................................................................................................... 159 Date and Time ................................................................................................... 159 Users ............
Introductio n 1 1. Introduction This chap ter provides an overview of your Cyber Guard SG appli ance’s features an d capabilities , and explains ho w to install and c onfigure your CyberGuard SG applianc e.
Introductio n 2 The following figure shows how you r CyberGuar d SG appliance i nterconnects. Figure 1-1 CyberGuard SG PCI Appliances The CyberGua rd SG PCI applia nce (SG630, SG635) is a hardware-bas ed firewall and VPN server emb edded in a 10/1 00 Ethernet PCI ne twork interface c ard (NIC).
Introductio n 3 This approac h offers an increa sed measure of protection against internal threats as well as conventiona l Internet securi ty concerns. You can update, configur e and monitor the firewall and VPN connectivity of a workstation or server from any web browser.
Introductio n 4 Document Conventions This docu ment uses differen t fonts and typeface s to show speci fic actions. Warning/Not e Text like thi s highlights important issues. Bold text in p rocedures indic ates text that you typ e, or the name of a s creen object (e.
Introductio n 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appli ances include : • SG300 • SG530 • SG550 • SG570 • SG575 The following items are include d with your CyberGua .
Introductio n 6 Note Not all the LEDs described belo w are present on al l CyberGuard SG ap pliance models . Also, labels va ry from model to model. Label Activity Description Power On Power is sup pl.
Introductio n 7 CyberGuard SG Gateway Appliance Fea tures Internet link featur es • 10/100baseT E thernet port (Inte rnet/WAN) • Serial port • Front panel se rial status LEDs (for TX/RX) • Onl.
Introductio n 8 Your CyberGuard SG PCI Appliance CyberGuard SG PCI applianc es include: • PCI630 • PCI635 The following items are include d with your CyberGua rd SG PCI appl iance: • Installation CD • Printed Quick Install guide LEDs The rear pan el contains LEDs in dicating status .
Introductio n 9 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT E thernet port • Ethernet LEDs (link, activity) Environmental featur es • Status LEDs: Power, Heart Bea t.
Getting Started 10 2. Getting S t arted This chap ter provides step-by-ste p instructions for i nstalling your Cyber Guard SG appliance into your network an d connecting to the Internet. This is a slightly more detailed vers ion of the printed Quick Install Gui de that shipped with your CyberGuard SG appliance.
Getting Started 11 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management C onsole The CyberGua rd SG applianc e ships with initial, st atic IP settings of: IP address: 192.168.0.1 Subnet mask: 255.255.25 5.0 Note The Internet/ WAN and DMZ int erfaces are by default inactive, i.
Getting Started 12 Connect the su pplied power adapte r to the CyberGuard SG applianc e. If you are usi ng the SG530, SG550 , SG570 or SG575 model, conne ct the CyberGuard SG appliance ’s LAN Ethernet port directly to your PC’ s network inte rface card using the crossover cab le (red or gray).
Getting Started 13 Next, you mus t modify your PC’s network settin gs to enable it to commun icate with the CyberGuard SG a ppliance. Click Start -> Settings -> Control Panel and doub le click Netwo rk Connections (or in 95/98/Me, dou ble click Netwo rk ).
Getting Started 14 Select Use th e following IP addre ss and enter the fo llowing details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Default gateway: 192.168.0.1 Select Use the following DNS server addresses and enter: P r e f e r r e d D N S s e r v e r : 192.
Getting Started 15 Select Quick Setup Wizard from t he center of the pa ge. You will be pro mpted to log in. Enter the initial user n ame and passwor d for your CyberGuard SG a ppliance: User name: root Password: default Note If you are u nable to connect to the Management Con sole at 192.
Getting Started 16 The Quick Se tup Wizard will d isplay. Figure 2-3 Hostname: You may change th e name the CyberGuard SG appliance knows itself by. This is not gen erally necessa ry. Manual configu ration: Select th is to manually spec ify your CyberGuar d SG appliance’ s LAN connect ion settings.
Getting Started 17 Figure 2-4 Note This page will only display if yo u previously sel ected Manual config uration . Otherwis e skip to the next step. Enter an IP ad dress and Subnet mask for your CyberGuard SG appliance’s LAN connectio n.
Getting Started 18 Set up Internet Connection Settings Select your In ternet connectio n type and click Ne xt . Figure 2-5 Cable modem If connecti ng using a cable mo dem, select the appropriate ISP. Cho ose Generic c able modem provid er if unsure. Analog modem If connecti ng using a regular analog modem, ent er the details pro vided by your ISP.
Getting Started 19 Note For detailed help for each of the se options, ple ase refer to the the c hapter entitled Network Con nections . Once the Cyb erGuard SG appli ance’s Internet connection has be en set up, click Ne xt , select Reboot and click Next aga in.
Getting Started 20 LAN with a DHCP serv er Add a lease to your existing DHCP s erver to reserve the IP address yo u chose in STEP 3 for the Cyber Guard SG applia nce’s LAN connect ion.
Getting Started 21 To manually s et up each Windo ws PC on your ne twork: Click Start -> Settings -> Control Panel and dou ble click Netwo rk Connections ( or in 95/98/Me, doub le click Network ). If presented with multiple connec tions, right click on L ocal Area Connect ion (or appropriate ne twork connection ) and select Properties .
Getting Started 22 Alternatively, to activate your Cybe rGuard SG applian ce's DHCP server: Launch Inte rnet Explorer (or your pr eferred web brows er) and navigate to the IP address of the CyberGuard SG app liance’s LAN co nnection. The Web Mana gement Console will display.
Getting Started 23 Select Intern et Protocol (TCP/I P) and click P roperties (or in 95 /98/Me, TCP/IP -> [your netw ork card name] i f there are multiple entries) and cli ck Properties (in 95/98/Me, you may also have to click the IP Addres s tab).
Getting Started 24 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PC I Slot Power off you r PC and remove its c over. Select an unused PCI slot an d insert the CyberGuard SG a ppliance, then power on your PC.
Getting Started 25 Next, you mus t modify your PC’s network settin gs to enable it to commun icate with the CyberGuard SG a ppliance. Click Start -> Settings -> Control Panel and doub le click Netwo rk Connections .
Getting Started 26 Set up the Password and Network Connection Settings Launch Inte rnet Explorer (or your pr eferred web brows er) and navigate to 192.168.0.1 . Figure 2-8 The Web Mana gement Console will display. Select Network Setup under Networking i n the left hand menu.
Getting Started 27 Note The purpose o f this step is to co nfigure the IP addres s for the Web Manag ement Console. For c onvenience, thi s will generally be a free IP address on your LAN. The Network Setup Connect ions page will di splay. Locate the Bridge / br0 port an d select Edit curren t settings under Configuratio n .
Getting Started 28 The first IP add ress will be used b y the Web Manageme nt Console. Figure 2-9 Enter this IP address and the subnet mask for your LAN into the IP Ad dress / Netmas k fields on t he Web Management Con sole’s Bridge IP Co nfiguration pag e.
Getting Started 29 Figure 2-10 Enter the follow ing details: • IP address the second free IP ad dresses that is part of the subnet ra nge of your LAN. • Subnet mask is the subnet mas k of your LAN. • Default gatew ay is the IP address of your LAN’s de fault gateway.
Getting Started 30 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continu ing, ensure your DHC P server has two free leases.
Getting Started 31 Next, configur e your PC to obta in its network settings automatically fr om your LAN DHCP server. Click Start -> Settings -> Control Panel and dou ble click Netwo rk Connections . Right click on Local Area Connec tion (or appropria te network con nection for the newly installed PCI a ppliance) and s elect Properties .
Getting Started 32 Disabling the Reset Button on your Cy berGuard SG PCI Appliance For convenie nce, the CyberGuard SG appliance ships with the r ear panel Reset button enabled. T his allows the Cyber Guard SG applia nce’s configurati on to be reset to f actory defaults.
Network Con nections 33 3. Network Conn ections This chap ter describes the Netw ork Setup section of the Web Managemen t Console. Here you can c onfigure each of your CyberGuard SG appliance’s network ports (Ethernet, se rial).
Network Con nections 34 LAN Unlike Intern et , DMZ or COM1 p orts, the LAN netw ork port has on ly one configura ble function, to connect to your lo cal area network. Network setting s for the LAN networ k port may be a ssigned staticall y, or dynamically by a DHCP server.
Network Con nections 35 • It allo ws users to trans mit IPX/SPX over a VPN, something that is not supported by other VPN ven dors. • It allo ws users to trans mit DHCP to remote si tes this ensures that they are under better control. • It allo ws users to make u se of protocols that do not work we ll in a WAN environment (e.
Network Con nections 36 CyberGuard SG PCI applianc es can also con nect to the Internet i n this manner, but generally wil l be connecting directly to a LAN by selecting either Di rect Internet or Bridged Interne t .
Network Con nections 37 Use PPPoE if y our ISP uses us ername and passwo rd authenticat ion to access the Internet. Use DHCP if your ISP d oes not requir e a username and p assword, or your ISP instructed you to obtain an IP add ress dynamicall y. If your ISP has gi ven you an IP address or address range, you must Manually A ssign Settings .
Network Con nections 38 Figure 3-4 To manually configure your In ternet network s ettings, enter the IP Address , Netmas k , Internet Gate way and DNS Server(s) supplied by your IS P. If you have been given a range of IP ad dresses, they ma y be added as Interface Aliases .
Network Con nections 39 When the Cybe rGuard SG applia nce is in bri dged mode, it will not be performing NAT/masque rading. PCs will typically use an IP ad dress on the netwo rk connected to the CyberGuar d SG applianc e’s Internet port as their gateway, rather than the CyberGuard SG appliance i tself.
Network Con nections 40 Figure 3-5 The following table describes the fields and expla ins how to config ure the dial up connectio n to your ISP. Field Description Name of Inte rnet provider Enter the name of your ISP. Phone numb er(s) to dial Enter the numb er to dial to rea ch your ISP.
Network Con nections 41 Statically ass igned IP address The majority of ISPs dynamicall y assign an IP addres s to your connect ion when you dia lin. However some I SPs use pre-assign ed static address es. If your ISP has gi ven you a static IP ad dress, enter it in Lo cal IP Address and enter the address of the ISP gateway in Rem ote IP Addres s .
Network Con nections 42 Services on the DMZ Network Once you ha ve configured th e DMZ connect ion, you will also wan t to configure t he CyberGuard SG appliance to allow access to s ervices on the DMZ.
Network Con nections 43 DMZ as a backup/failover Internet connection See the Intern et Failover sec tion later in this chapte r. Load Balancing If you have enabled both the Internet and DMZ ports as primary In ternet conne ctions, enabling l oad balacing will s hare Internet traffic load over the two co nnections.
Network Con nections 44 Enable the primary connection for failover Set up your p rimary broadban d Internet connec tion as described in the Internet sect ion of this chapt er. From the Conne ctions menu, sel ect Edit failover p arameters from th e Configuratio n pull down box.
Network Con nections 45 Note The Failover Cable/DSL/Direct/D ialout Internet option will not ap pear as an ava ilable Configuratio n until a primary In ternet connec tion has been confi gured. Refer to Enabl e the primary conn ection for failove r above for deta ils on enabling yo ur primary broad band Internet con nection for failover.
Network Con nections 46 Routes Additional routes The Additional routes feature al lows expert users t o add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatic ally by the CyberGuar d SG applianc e configuration sc ripts.
Network Con nections 47 Advanced The following figure shows the a dvanced IP configu ration: Figure 3-8 Hostname The Hostname is a descripti ve name for the Cybe rGuard SG appli ance on the netwo rk. DNS Proxy The CyberGua rd SG applianc e can also be con figured to run as a Do main Name Server.
Network Con nections 48 Figure 3-9 Network Address Translation ( NAT/masquerading) The CyberGua rd SG applianc e can utilize IP Masqu erading (a simple f orm of Network Address Trans lation, or NAT) where PCs on the lo cal network effec tively share a si ngle external IP add ress.
Network Con nections 49 Dynamic DNS A dynamic DNS service is u seful when you don’ t have a static Internet IP address , but need to remai n contactable by h osts on the Internet.
Network Con nections 50 Figure 3-10 Interface aliases Interface alia ses allow the CyberGu ard SG applianc e to respond to mu ltiple IP addresses on its LAN, Interne t and DMZ ports.
Network Con nections 51 Change MAC address On rare occa sions it may be nec essary to change the Ethernet hard ware or MAC Address of your CyberGuard SG a ppliance. The MAC address i s a globally unique address an d is specific to a sin gle CyberGuard SG app liance.
Dialin Setup 52 4. Dialin Setu p CyberGuard SG appliance e nables remote and s ecure access to your office netwo rk. This chap ter shows how to se t up the dialin fe atures. Your CyberGuar d SG applianc e can be configured t o receive dialin calls from remote users/sites.
Dialin Setup 53 Dialin Setup Once an anal og modem or ph one line has bee n attached, enable the CyberGuard SG appliance ’s COM port or interna l modem for dialin .
Dialin Setup 54 The following table describes the fields on the Dial -In Setup page: Field Description IP Address fo r Dialin cli ents Dialin user s must be assigned local IP addresses to access the local n etwork.
Dialin Setup 55 Dialin User Accounts User accounts must be set up before remote users can dialinto the C yberGuard SG appliance . The following figu re shows the Dialin u ser account cre ation: Figure 4-2 The field o ptions in Add New Acc ount are shown in the following t able: Field Description Username Username f or dialin au thentication only.
Dialin Setup 56 The following figure shows the u ser maintenance s creen: Figure 4-3 Account list As new dialin user accounts a re added, they are di splayed on the upd ated Account List. To modify a p assword for an exis ting account, s elect the account in the Account List an d enter the new pa ssword in the N ew Password and Confirm fields.
Dialin Setup 57 If the change i s unsuccessful , an error is reported as shown in the fo llowing figure: Figure 4-3 When you have f inished adding and modifying user a ccount details, you can configure other CyberGu ard SG applian ce functions by s electing the approp riate item from the Network or System menus.
Dialin Setup 58 Remote User Configuration Remote users can dialin using the CyberGuard SG app liance using the standard Windows Dia l-Up Networking so ftware. Set up a new dial-out conn ection on the remote PC to dial the phone number of the modem con nected to the Cyber Guard SG applian ce COM port.
Dialin Setup 59 Check the Log on to network and Enable software com pression checkbo xes. If your CyberGuard SG appliance d ialin server requires MSCHAP-2 authe ntication, you als o need to check the Require encr ypted password ch eckbox. Leave all other Advanced Options unch ecked.
Dialin Setup 60 Windows 2000/XP To configu re a remote access connection on a PC running Windows 2000/XP, click St art , Settings , Netw ork and Dial-up Co nnections and select Make New Connection. The network connection wiza rd will guide you th rough setting up a remote access connectio n: Figure 4-5 Click Next to c ontinue.
Dialin Setup 61 Figure 4-7 Tick Use diali ng rules to enabl e you to select a country code and area code. This feature is u seful when using remote access in another area code or overseas. Click Next to c ontinue. Figure 4-8 Select the opti on Only for myself to make the con nection only availa ble for you.
62 Figure 4-9 Enter a name for the connecti on and click Finis h to complete the c onfiguration. By ticking Add a shortcut to my desk top, an icon for the remote conn ection will appear o n the deskto p.
DHCP Server 63 5. DHCP Serve r Your CyberGuar d SG applianc e can act as a DHCP serve r for machines on your local network. To c onfigure your Cyber Guard SG appl iance as a DHCP se rver, you must se t a static IP ad dress and netmask o n the LAN or DM Z port (see the c hapter entitled Net work Connections ).
DHCP Server 64 To configu re the DHCP Server, fol low these instruc tions. • Check the En able DHCP Server c heckbox. • Enter the Subn et and netmask of the IP addres ses to be distrib uted. • Enter the Gatew ay Address that the DHCP clients will be issued with .
DHCP Server 65 Subnet List The Subnet Li st will display the status of the D HCP server. Interface Once a subn et has been conf igured, the port whi ch the IP address es will be issued from will be sho wn in the Interface fiel d. Subnet The value sh own in this field is the subnet for whi ch the IP address es distributed will use.
DHCP Server 66 Figure 5-3 For each IP a ddress that the DH CP server service s, the Status , Ho stname , MAC Address will b e shown. There is also be an option to Remove the a ddress and for reserved IP ad dresses, the add ed option to Unrese rve the address .
67 DHCP Proxy The DHCP pro xy allows the Cybe rGuard SG appl iance to forward DH CP requests from the LAN to an external server for resolution. Th is allows both stat ic and dynamic addresses to be given out on the LAN just as running a DHCP server would.
Firewall 68 6. Firewall The CyberGua rd SG applianc e has a fully featured , stateful firewall . The firewall all ows you to control both incoming an d outgoing ac cess, so that PCs on the office net work can have tailored Internet access facilities and are s hielded from malici ous attacks.
Firewall 69 Administration services The following figure shows the A dministration Servic es page: Figure 6-1 By default the CyberGuard SG appl iance runs a web administration server and a teln et service. Acce ss to these services can be restricted to specific int erfaces.
Firewall 70 CyberGuard SG Administrative Web Server Clicking t he CyberGuard SG W eb Server tab ta kes you to the p age to configure the administrative we b server. This web server is resp onsible for running the Web Management Console. Here you can c hange the port on which the server ru ns.
Firewall 71 The Web Management Console is usually accessed on the default HTT P port (i.e. 80). After changing the web server po rt number, you mus t include the new port number in th e URL to acces s the pages.
Firewall 72 Once valid SSL certificates have been uploaded, th e CyberGuard SG a dministrative web server can op erate in one of on e of 3 different mode s.
Firewall 73 Packet Filtering By default, yo ur CyberGuard S G appliance allows network traffic as shown in the following ta ble: You can configure your Cyb erGuard SG app liance with ad ditional filter rule s to allow or restrict net work traffic.
Firewall 74 Before configu ring a filter or NAT r ule, you need to define the addres ses and service groups. Addresses Click the Addre sses tab. Any add resses tha t have already been defined will be displayed. Cli ck New to add a n ew address, or se lect an existing a ddress and click Modify .
Firewall 75 Service groups Click the Servi ce Groups tab. Any addresses that have already been defined will be displayed. Cli ck New to add a n ew service group s, or select an e xisting address and click Modif y .
Firewall 76 Rules Once addres ses and services h ave been defined, you can create fi lter rules. Click Rules . Any ru les that have alrea dy been defin ed will be displayed. Cl ick New to ad d a new filter rule, or select an exis ting filter and cl ick Modify .
Firewall 77 The Incomin g Interface is th e interface/network port that the Cyber Guard SG applian ce received the network traffic on. The Outgoing I nterface is the i nterface/network p ort that the CyberGu ard SG appliance will route the n etwork traffic o ut.
Firewall 78 Source Addre ss The address f rom which the req uest originated (for port forwardin g you may spec ify this to restric t the internal se rvice to be only acc essible from a sp ecific remot.
Firewall 79 Source Addre ss The address f rom which the req uest originated (for masqueradin g this will typical ly be a private LAN or DMZ addres s) Outgoing Interfa ce The interface that receives th e request (for masqueradin g this will typical ly be private inter face, i.
Firewall 80 Warning Leaving Create a corresp onding ACCEPT fi rewall rule will a llow all traffic i nto and out from the spec ified private addre ss, i.e. the priva te address will no longer be shield ed by your CyberGu ard SG applian ce’s firewall.
Firewall 81 Access Control and Content Filtering Inappropriate I nternet use during work hours ca n have a serious e ffect on producti vity. With the CyberGu ard SG Access Control web pro xy, you can .
Firewall 82 Users withou t web proxy acce ss will see a s creen similar to the figure below when attempting to access external w eb content. Figure 6-8 Note Each browse r on the LAN will now have to be set up to use the Cy berGuard SG appliance ’s web proxy.
Firewall 83 Browser setup The example given is for Micros oft Internet Explorer 6 . Instructions fo r other browsers should be similar, refer to their user documentatio n for details on u sing a web proxy. From the Interne t Options menu, s elect Tools .
Firewall 84 Figure 6-10 In the row lab eled HTTP , enter your CyberGuard SG appliance’s LAN IP address in the Proxy addre ss to use colu mn, and 81 in the Port column. Leave th e other rows bla nk. In the Except ions text box, enter your CyberGua rd SG applianc e’s LAN IP addres s.
Firewall 85 Web lists Access will be denied to any web ad dress (URL) th at contains text e ntered in the Blo ck List , e.g. enterin g xxx will block any URL containi ng xxx , including http://xxx.exampl e.com or www.tes t.com/xxx/index.ht ml . The Allow List also enables access to URLs co ntaining the spe cified text.
Firewall 86 Content Note Content filterin g is only availab le after your have regi stered your Cybe rGuard SG appliance and activated you r content filterin g license (sold separa tely) through www.cybergua rd.com/snapgea r/my/ . Content filterin g allows you to l imit the types of web based content ac cessed.
Firewall 87 Reports Warning The correct time/date must be set on your CyberGua rd SG applianc e for reporting to work. The mos t effective way t o do this is by usin g an NTP time server. See the Time and Date sec tion in the chap ter entitled Advanced for detai ls.
Firewall 88 ZoneAlarm This facility d enies Internet ac cess to machines your LAN that are no t running the ZoneAlarm P ro personal fire wall software. Run ning personal fir ewall software on e ach PC offers an e xtra layer of prot ection from applic ation level, operat ing system spec ific exploits and mal ware that abou nd on the Internet.
Intrusion Detec tion 89 7. Intrusion De tection Note Advanced I ntrusion Detection i s only available on SG575 models. Oth er models offer Basic Inst rusion Detection and Blocking only. The CyberGua rd SG applianc e provides two i ntrusion detection systems (IDS).
Intrusion Detec tion 90 The benefits of us ing an IDS External attac kers attempting to access desktops and servers on the private network from the Intern et are the large st source of intrusi ons. Attackers exploiting known flaws in operating s ystems, networkin g software and app lications, compromise many systems through the Inte rnet.
Intrusion Detec tion 91 Basic Intrusion Detection and Block ing The following figure shows the I ntrusion Detect ion and Blocking (I DB) configuratio n: Figure 7-1 IDB operates by offering a numbe r of services to th e outside world th at are monitored f or connectio n attempts.
Intrusion Detec tion 92 Several shortc ut buttons also provide pre-defined li sts of services to mo nitor. The basic button inst alls a bare bones s election of ports t o monitor while sti ll providing sufficie nt coverage to d etect many intru der scans.
Intrusion Detec tion 93 Advanced Intrusion Detection Advanced I ntrusion Detection i s based on the tried a nd tested Snort v2 IDS. It is able to detect attack s by matching in coming network d ata against defin ed patterns or rul es. Advanced Intru sion Detection u tilizes a combination of methods to pe rform extensive IDS analysis on the fly.
Intrusion Detec tion 94 Advanced Intrusion De tection configuration Figure 7-2 Check Enabl ed , and select th e Interface /networ k port to monitor. This will typical ly be Internet , or po ssibly DMZ .
Intrusion Detec tion 95 Note The more rule sets that are selec ted, the greater lo ad is imposed on the CyberGuard SG appliance . Therefore a cons ervative rather tha n aggressive appro ach to adding rule sets should be followed initially. Figure 7-3 Check Log resu lts to database t o use a remote an alysis server.
Intrusion Detec tion 96 Setting up the analysis server Specific o pen source tools a re required to be i nstalled on the Anal ysis server for a straightforwa rd evaluation. The analysis s erver will typically be a Pentium IV level system running L inux ( Red Hat , Debian , etc.
97 PHPlot graph library for chart s written in PHP http://www.ph plot.com/ ACID analysis console http://www.an drew.cmu.edu/~ rdanyliw/snort/ac id-0.9.6b23.tar.gz Snort will be running as an IDS sensor on the CyberGuard SG ap pliance and log ging to the MySQL da tabase on the an alysis server.
Web Cache 98 8. W eb Cache Note The web cac he is only avail able on SG575 models . Web browser s running on PCs o n your LAN can use the CyberGuard SG appliance ’s proxy-cache server to reduce Internet access ti me and bandwidth consumption. A proxy-cach e server implemen ts Internet obj ect caching.
Web Cache 99 Web Cache Setup Select Web ca che under Networking . A p age similar to the fol lowing will be dis played. Figure 8-1 Check Enabl e to enable the web cache. Cache size Select the amoun t of memory (RA M) on the Cybe rGuard SG appli ance to be reserved for caching In ternet objects.
Web Cache 100 Network Shares Typically, yo u will find the Cyber Guard SG applian ce’s web cach e most useful wh en utilizing a Ne twork Share for a dditional storage s pace. The CyberGu ard SG applian ce is not equipped w ith a hard disk of its own, so is qui te limited in terms o f the amount of Internet obj ects it can cache.
Web Cache 101 Create the network share Figure 8-2 Launch Windo ws Explorer ( Start -> (All) Progra ms -> Accessories -> Windows Explorer ) an d open up a folde r or drive to dedicate a s a network share for use by the CyberGuard SG appliance’s web cache.
Web Cache 102 Set the CyberGuard SG appliance to use the network share Check Use s hare . Enter the lo cation of the network share in the forma t: HOSTNAMEsharename Figure 8-3 Enter the ma ximum size for th e cache in Cache size . Warning Cache size s hould not be more than 90% of the space available to the network share, e.
Web Cache 103 Peers The CyberGua rd SG applianc e’s web cache can be configured to share cached o bjects with, and acce ss objects cach ed by, other web c aches. Web cache s communicate usi ng the Internet Cac he Protocol (ICP). IC P is used to exchange hin ts about the exist ence of URLs in ne ighbour caches .
Virtual Private Networking 104 9. V irtual Priv ate Networking Virtual Private Networking (VPN) en ables two o r more locations to communicate securel y and effecti vely, usually acros s a public netwo rk (e.
Virtual Private Networking 105 Figure 9-1 PPTP Client Setup The PPTP cli ent enables the Cyb erGuard SG appli ance to establi sh a VPN to a remote network runn ing a PPTP server (u sually a Micros oft Windows server).
Virtual Private Networking 106 If the remote VPN is already up a nd running, chec k Start Now to es tablish the connectio n immediately as sho wn in the following fi gure: Figure 9-2 The CyberGua rd SG applianc e supports multiple VPN c lient connec tions.
Virtual Private Networking 107 PPTP Server Setup The CyberGua rd SG applianc e includes a PPTP Se rver, a virtual pri vate network serve r that suppor ts up to forty simulta neous VPN tunnel s (depending on your CyberGuard SG appliance model). The CyberGua rd SG PPTP S erver allows remote Windows cli ents to securely conn ect to the local network.
Virtual Private Networking 108 Enable and configure the PPTP VPN server The following figure shows the P PTP server setup: Figure 9-3 To enable and configure your Cyb erGuard SG app liance’s VPN se rver, select PPTP VPN Server from th e VPN menu on the Web Management Cons ole web adminis tration pages.
Virtual Private Networking 109 The following table describes the fields in the VPN Setup screen a nd the options available whe n enabling and c onfiguring VPN acc ess. Field Description Enable PPTP Server Check this box to enable PPTP c onnections to be established to your CyberGu ard SG applian ce.
Virtual Private Networking 110 Configuring user ac counts for VPN server After setting up the VPN server, select Continue an d to show the PPTP VPN Server Accounts scree n as shown in the following figure: Figure 9-4 If you selected None as the Auth entication Schem e , setup is now c omplete.
Virtual Private Networking 111 The field o ptions in the Add New Account are det ailed in the foll owing table. Field Description Username Username f or VPN authe ntication only. Th e name selecte d is case- sensitive (e .g. Jimsmith is di fferent to jimsmith ).
Virtual Private Networking 112 Configuring the r emote VPN client The remote VPN c lients can now b e configured to s ecurely access the local network. You need to enter the a PPTP Acc ount username an d password that yo u added in the previous secti on, and the IP addr ess of the CyberGu ard SG PPTP VPN server.
Virtual Private Networking 113 Windows 95, Windows 98 and Windows Me From the Dia l-Up Networkin g folder, double-c lick Make New Conne ction . Type CyberGuard SG appliance or a similar descript ive name for your new VPN connection. From the Sel ect a device dro p-down menu, sel ect the Microsoft V PN Adapter and c lick Next .
Virtual Private Networking 114 Click TCP/IP S ettings . Confirm th at the Server Assig ned IP Address , Server Assigned Nam e Server Address , Use IP Header C ompression and Use Default Gateway on Re mote Netw ork are all selecte d and click OK . Figure 9-7 Your VPN clie nt is now set up a nd ready to connec t.
Virtual Private Networking 115 Double-click Mak e New Connectio n from the main wi ndows. Click Next to show the Network Co nnection Type windo w: Figure 9-9 Select Conne ct to a private ne twork through the Int ernet and click N ext .
Virtual Private Networking 116 Figure 9-11 Enter an appr opriate name for your connection and click Finish . Your VPN clie nt is now set up a nd ready to connec t. Windows XP Log in as A dministrator or with Administrator p rivileges. From the Start menu, sele ct Settings and then Network Connections .
Virtual Private Networking 117 Connecting the r emote VPN client Verify that you are connected to the Internet, or have s et up your VPN c onnection to automatically es tablish an initi al Internet connect ion. Select the con nection for the Cybe rGuard SG app liance VPN.
Virtual Private Networking 118 IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are man y possible config urations in crea ting an IPSec tunnel.
Virtual Private Networking 119 Figure 9-13 Check the En able IPSec chec kbox. Select the t ype of IPSec endpo int the CyberGuar d SG appliance has on its Intern et port. The CyberGua rd SG applianc e can either have a s tatic IP , dynamic IP or DNS hostname ad dress .
Virtual Private Networking 120 Warning It may be nec essary to reduce t he MTU of the IPSec interface if larg e packets of data are not being tr ansmitted.
Virtual Private Networking 121 Select the I nternet port the IPSec t unnel is to go ou t on. The options will depend on what is currentl y configured on the Cybe rGuard SG app liance. For the vas t majority of setu ps, this will b e the default gatew ay interface to the Internet.
Virtual Private Networking 122 • x.509 Certifica tes are used to authenticate the remote party again st a Certificate Authority's (CA) c ertificate. The CA certificate must have signed the lo cal certificates that are used for tunn el authentication.
Virtual Private Networking 123 In this exampl e, select the be a rou te to the remote p arty option. Click the Conti nue button to c onfigure the Local Endpoint Settings . Local endpoint sett ings Figure 9-15 Leave the Initiate the tunne l from this end ch eckbox checked.
Virtual Private Networking 124 Note This optio n will not be availa ble when the Cyber Guard SG applia nce has a static I P address an d the remote party h as a dynamic IP ad dress. Enter the Requ ired Endpoint ID of the CyberGuard SG a ppliance. This ID is used to authentica te the CyberGuard SG a ppliance to the remote party.
Virtual Private Networking 125 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: • The next IP a ddress on the inte rface the tunnel i s to go on field is the next gateway IP ad dress or nextho p along the previou sly selected IPSec interface.
Virtual Private Networking 126 o des-md5-96 uses the encryptio n transform follo wing the DES s tandard in Cipher- Block-Chainin g mode with authe ntication provided by HMAC and MD5 (96-bit authentica tor). It uses a 56-bi t 3DES encryption k ey and a 128-bit HMAC-MD5 authentica tion key.
Virtual Private Networking 127 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: • The remote pa rty's DNS hostnam e address field is the DNS hostnam e address of the Internet i nterface of the remo te party.
Virtual Private Networking 128 TCGID [Siemens] Trust C enter Global ID The attribute/val ue pairs must b e of the form attrib ute=value and be separated by commas.
Virtual Private Networking 129 Phase 1 settings Figure 9-17 Set the length o f time before Phas e 1 is renego tiated in the Key lifetim e (m) field. The length may var y between 1 and 1440 minutes. Sho rter values offer h igher security at the expense of th e computational overhead require d to calculate new ke ys.
Virtual Private Networking 130 Warning The secret mus t be entered ide ntically at each end of the tunnel. Th e tunnel will fail to connect if the secret is not ide ntical at both ends. T he secret is a h ighly sensitive pie ce of information. It is essential to k eep this information confidential.
Virtual Private Networking 131 Phase 2 settings page Figure 9-18 Set the length o f time before Phas e 2 is renego tiated in the Key lifetim e (m) field. The length may var y between 1 and 1440 minutes. For most applicati ons 60 minutes is recommende d.
Virtual Private Networking 132 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: A separate s ection may appea r to enter multiple L ocal Networks o r Remote Networks or both.
Virtual Private Networking 133 Check the En able IPSec chec kbox. Select the t ype of IPSec endpo int the CyberGuar d SG appliance has on its Intern et interface. In this example, sel ect static IP addres s . Leave the Set the IPSec MTU to b e checkbo x unchecked.
Virtual Private Networking 134 Select the t ype of routing the tu nnel will be used as. In this example, se lect the be a route to the rem ote party option. Click the Conti nue button to c onfigure the Local Endpoint Settings . Local endpoint sett ings page Leave the Optional Endpoin t ID field blank in this example.
Virtual Private Networking 135 Enter a secret in the Preshared S ecret field. This must remain confi dential. In this example, ent er the Preshared Secret used at the branch office Cybe rGuard SG appliance , which was: This sec ret must be kept c onfidential.
Virtual Private Networking 136 Tunnel List Figure 9-20 Connection Once a tunne l has been confi gured, an entry with the tunnel name in the Connection field will b e shown. Note You may mod ify a tunnel’s settin gs by clickin g on its connection n ame.
Virtual Private Networking 137 Click Remo te Party to sort the tu nnel list by the remote party ID/name/add ress. Status Tunnels th at use Automatic Key ing (IKE) will hav e one of four state s in the Status fie ld. The states include the followi ng: • Down indicate s that the tunnel is not being neg otiated.
Virtual Private Networking 138 Figure 9-21 Inte rfaces Loaded li sts the CyberGuard SG a ppliance's interfaces which IPSec will use. Phas e 2 Ciphers Loade d lists the encrypti on ciphers that tunn els can be con figured with for Phase 2 n egotiations.
Virtual Private Networking 139 Diffie Hellman Groups Loaded lists the Di ffie Hellman grou ps and Oakley group extensions tha t can be configu red for both Phase 1 and Phase 2 n egotiations. Conn ection Details li sts an overview of the tunnel's c onfiguration.
Virtual Private Networking 140 • The Pha se 2 proposal wanted. The line ESP algorithms w anted reads 3_000-2; pfsgroup=2 . Th e 3_000 refers to cipher 3 DES (where 3DE S has an id of 3, s ee Phase 2.
Virtual Private Networking 141 Certificate Management x.509 Certific ates can be use d to authenticate IPSec endpoints duri ng tunnel negoti ation for Automatic Keying. The other methods are Pres hared Secrets and RSA Dig ital Signatures . Certificates need to be uploade d to the CyberGuard SG appliance be fore they can be used in a t unnel.
Virtual Private Networking 142 To extract the local private key c ertificate type, ent er the following at the Windows command pro mpt: openssl pkc s12 -nomacver -n ocerts -in pkcs1 2_file -out local_ private_key.pem .. where pksc12_file is the PK CS#12 file issu ed by the CA and l ocal_private_ke y.
Virtual Private Networking 143 4. Create the se lf-signed root CA c ertificate: openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes .. where DAYS _VALID is the n umber of days the root CA is valid fo r.
Virtual Private Networking 144 Adding certificates To add certi ficates to the Cyber Guard SG applia nce, click the IPSe c link on the le ft side of the Web Manag ement Consol e web administra tion pages and th en click the Certificate L ists tab at the top of the window.
Virtual Private Networking 145 Adding a CA or CRL c ertificate Click the Add n ew CA or CRL Certi ficate tab. A wind ow similar to the following will be displayed. Figure 9-23 Select wheth er a Certificate Auth ority or Certifica te Revocation Lis t certificate is to be uploaded fr om the Certificate T ype pull down men u.
Virtual Private Networking 146 Adding a local certificat e 1 Click the Add new Local Cert ificate tab. A win dow similar to th e following will be displayed. Figure 9-24 Enter the Loc al Public Key c ertificate in the Local Certificate field. Click the Brow se button to se lect the file from the host computer.
Virtual Private Networking 147 Figure 9-25 The certificate names will be di splayed under the app ropriate certific ate type. Clicking the Delete bu tton deletes the c ertificate from the Cyber Guard SG appl iance. Troubleshooting • Symptom: IPSe c is not running and is enabled.
Virtual Private Networking 148 The remote pa rty does not have a tunnel config ured correctly bec ause: o The tu nnel has not been configured. o The Pha se 1 proposal s do not match. o The s ecrets do not matc h. o The RSA key signatures ha ve been incorrec tly configured.
Virtual Private Networking 149 Solution: Co nfirm that the remot e party has IPSe c and the tunnel enabled and has an Internet IP ad dress. Ensure th at the CyberGuard SG appliance has rekeying enabled.
Virtual Private Networking 150 Set up LMHOST files on remote h osts to resol ve names to IP adress es. • Symptom: Tun nel comes up b ut the application doe s not work acros s the tunnel. Possible cau se: There may be a f irewall devic e blocking IPSec packets.
Virtual Private Networking 151 GRE The GRE con figuration of the CyberGuard SG ap pliance allows you t o build GRE tunne ls to other devic es that support t he Generic Routi ng Encapsulating p rotocol. You can build GRE tunnels to other CyberGuard SG appliance s that support GRE, or to other de vices such as Ci sco equipment.
Virtual Private Networking 152 On the Brisba ne end, click GRE Tunnels from the VPN me nu. Enter the following details: GRE Tunnel Na me: to_slough Remote Ext ernal Address: 195.45.67.8 Local Externa l Address: 203.23.4 5.6 Local Interna l Address: 192.
Virtual Private Networking 153 Click Add . Cli ck Add/Remove under Rem ote Networks and enter: Rem ote subnet/netma sk: 192.168.1.0 / 255.255.255.0 Click Add . The GRE tunnel bet ween the two netwo rks is now set u p. Tunnels may be Disable d, Dele te d or Edit ed from t he main table of GRE tunnels.
Virtual Private Networking 154 Enter the IP Ad dress / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end.
Virtual Private Networking 155 Create the GRE tu nnel. Selec t GRE Tunnels from th e left hand menu . For the Slough end enter the IP addresses be low. Leave Local In ternal Address bla nk, and check Place on Ethe rnet Bridge . Figure 9-29 GRE Tunnel Na me: to_bris Remote Ext ernal Address: 1 0.
Virtual Private Networking 156 Troubleshooting • Symptom: Can not ping a hos t on the other sid e of the GRE tunnel . Ensure that t here is a route s et up on the GRE tu nnel to the remote n etwork. Ensure that t here is a route on the remote GRE en dpoint to the netw ork at this end of the GRE tunn el.
Virtual Private Networking 157 L2TP The Layer Two T unneling Proto col was develop ed by Microsoft an d Cisco as a mult i- purpose ne twork transport prot ocol.
Virtual Private Networking 158 L2TP server The L2TP Server runs in a simil ar way to the PPT P Server. A range of IP addresse s is allocated, and then username an d password pairs are created to all ow users to log on. Note To increas e security, L2TP VPN co nnections from Windows PCs are also run throug h an IPSec tunnel .
System 159 10. Sy stem Date and Time Set date and time If you have a Javascript enabl ed web browser, you will be able to c lick the top Set Date and Time bu tton to synchron ize the time on the CyberGuard SG ap pliance with t hat of your PC.
System 160 Figure 10-1 Locality Select your re gion then selec t your location within said region. The system clock wi ll subsequen tly show local time. Without setti ng this, the system cl ock will show UTP. Setting a time zone is only rele vant if you are syn chronizing with an NTP server or you r CyberGuard SG appliance h as a real time clo ck.
System 161 Users User accounts on a CyberGuard S G appliance all ow administrative d uties to be spread amongst a nu mber of different p eople accordin g to their level of comp etence and trus t. Each user on t he CyberGuard SG a ppliance has a password that th ey use to authentica te themselves to the unit's web pages.
System 162 Administration A user with th e administratio n access control is permitted to edit a ny configuration fi le on the CyberGuar d SG applianc e.
System 163 Internet access (via acc ess controls) A user with th is access control is permitted contro lled access to th e web through the CyberGuard SG appliance’s web proxy. See the Access control an d content filtering section in the c hapter entitled F irewall for details on c ontrolling LAN us ers’ web acce ss.
System 164 Figure 10-3 Network tests Basic network diagnostic tests ( ping , traceroute ) can b e accessed by c licking the Network Tests tab at the top of t he Diagnostics page .
System 165 Advanced The options on the Advanced page are intended for networ k administrators and advanced users only . Warning Altering the ad vanced configu ration settings may r ender your CyberGua rd SG applian ce inoperable.
System 166 You may also upload addition al configuration fi les from your compu ter to the CyberGu ard SG appliance under Upload fil e . To backup to an encrypted fil e, click save and rest ore, enter a passw ord and click Save under Save C onfiguration.
System 167 The majority of Linux users w ill already have a T FTP server inst alled as part of their distri bution, which must be configured an d running. 3. In the Web Manage ment Console web administration pages, click Adva nced then Flash Upgrade .
168 Technical Support The System me nu contains a n option detailin g support information fo r your CyberGu ard SG appliance . This page provides basic troub leshooting tips , contact details for CyberG uard SG technical supp ort, and links to the CyberGuard SG Kno wledge Base ( http://www.
Appendix A – IP Address Ran ges 169 Appendix A – IP A ddress Range s IP ranges are fields that allo w multiple IP addres ses to be spec ified using a short hand notation. F our distinct forms of ran ge are acceptabl e: 1. a.b.c.d 2. a.b.c.d-e 3. a.
Appendix B – Terminology 170 Appendix B – T erminology This section e xplains terms that ar e commonly used in this document. Term Meaning ADSL Asymmetric Dig ital Subscriber L ine. A technology all owing high-sp eed data transfer o ver existing telep hone lines.
Appendix B – Terminology 171 Certificates A digitally s igned statement tha t contains infor mation about an ent ity and the enti ty's public key, thus binding these two pieces of informatio n together.
Appendix B – Terminology 172 Extranet A private netwo rk that uses th e public Internet to securely share business in formation and opera tions with suppli ers, vendors, partn ers, customers, or o ther businesses . Extranets add extern al parties to a company's intr anet.
Appendix B – Terminology 173 IPSec tunnel The IPSec conn ection to secur ely link two private p arties across insecure a nd public channels . IPSec with Dynamic DNS Dynamic DNS c an be run on the IPSec endpoints thereby creating an IPSec tunnel using dynamic IP ad dresses.
Appendix B – Terminology 174 NAT Network Add ress Translatio n. The translatio n of an IP address used on one network to an IP address on another networ k. Masqueradin g is one particu lar form of NAT. Net mask The way tha t computers kno w which part of a TCP/IP address r efers to the network, and which part refe rs to the host range .
Appendix B – Terminology 175 Router A network devi ce that moves pac kets of data. A route r differs from hubs and swit ches because i t is "intelligent" a nd can route packe ts to their final destination. RSA Digital Signatures A public/pri vate RSA key pair used for authenti cation.
176 x.509 Certific ates An x.509 certif icate includes the format of the ce rtificate, the serial number of the certificate, the alg orithm used to sig n the certificate , the name of the CA t hat issued the c ertificate, the name a nd public ke y of the entity requ esting the certi ficate, and the CA's s ignature.
Appendix C – System Log 177 Appendix C – System Log Access Logging It is possibl e to log any traffic that arrives at or tra verses the Cyber Guard SG applia nce. The only logg ing that is enab led by default is to take note of pac kets that were dro pped.
Appendix C – System Log 178 Commonly us ed interfaces ar e: eth0 the LAN port eth1 the WAN/Internet po rt ppp X e.g. ppp0 or ppp1 – a PPP session ipsec X e.g. ipsec0 , an IPSec interface The firewall rules deny all pac kets arriving from th e WAN port by defa ult.
Appendix C – System Log 179 A typical Defa ult Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.
Appendix C – System Log 180 To log permit ted inbound acc ess requests to se rvices hosted on the CyberGuard SG appliance , the rule should lo ok something lik e this: iptables -I INPUT -j LOG -p tcp --syn -s <X.
Appendix C – System Log 181 For example, to log all inbound requests from the IP address 5.6 .7.8 to the mail se rver (port 25) on t he machine flubber on the L AN with address 192.168.1.1: iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.
Appendix C – System Log 182 If we just wan ted to look at tra ffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+ Clearly there a re many more combi nations poss ible.
Appendix C – System Log 183 Administrative Access Logging When a user tr ies to log onto th e Web Manageme nt Console web ad ministration pages , one of the foll owing log message s appears: Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.
Appendix D – Firmware Upgra de Practices and Precautions 184 Appendix D – Firmware Upgrade Practices a nd Precautions Prior performin g any firmware up grade, it is impo rtant that you save a back up of yo ur existing con figuration ( Advanc ed -> Store/resto re all configuratio n files ) to a loc al file.
Appendix D – Firmware Upgra de Practices and Precautions 185 If you encoun ter any problems, r eset the device to its factory default settings and reconfigure . You may wish to u se your backed up old configuratio n as a guide in t his process, b ut do not restore it directly.
デバイスSnapGear 2.0.1の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
SnapGear 2.0.1をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはSnapGear 2.0.1の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。SnapGear 2.0.1の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。SnapGear 2.0.1で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
SnapGear 2.0.1を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はSnapGear 2.0.1の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、SnapGear 2.0.1に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちSnapGear 2.0.1デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。