CyberGuard SG User Manual CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@snapgear.com Web: www.cyberguard.com Revision 2.1.
Contents
1. Introduction 1
  CyberGuard SG Gateway Appliances 1
  CyberGuard SG Rack Mount Appliances 2
  CyberGuard SG PCI Appliances 3
  Document Conventions
Internet 51
  Internet Connection Methods 51
  COM/Modem 54
  DMZ 56
  Services on the DMZ Network
Peers 120
  Set up LAN PCs to Use the Web Cache 120
9. Virtual Private Networking 121
  PPTP Client Setup 122
  PPTP Server Setup
1. Introduction This chapter provides an overview of your CyberGuard SG appliance’s features and capabilities, and explains how to install and configure your CyberGuard SG appliance. This manual describes how to take advantage of the features of your CyberGuard SG appliance, including setting up network connections, a secure firewall and a VPN. It also describes how to set up the CyberGuard SG appliance on your existing or new network using the Web Management Console web administration pages.
The following figure shows how your CyberGuard SG appliance interconnects.
Figure 1-1

CyberGuard SG Rack Mount Appliances
The CyberGuard SG710 is the flagship of CyberGuard’s SG series. It features multi-megabit throughput, a rack-optimized form factor, two fast Ethernet ports and two 4-port fast Ethernet switches as standard, and the option for two additional gigabit ports (SG710+). Each of these four ports (or six with the SG710+) can be configured as a LAN, DMZ or Internet connection.
It provides central sites the capacity to securely connect hundreds of mobile and remote employees. The SG710 includes a high-performance, VPNC-certified VPN solution for securely connecting branch office networks to the corporate hub using IPsec, PPTP, L2TP, and other industry-standard protocols. Onboard cryptographic acceleration ensures excellent VPN throughput.
Bridged mode
By default, the CyberGuard SG PCI appliance operates in bridged mode. This is distinctly different from the NAT/masquerading behavior of the CyberGuard SG gateway appliance range. In bridged mode, the CyberGuard SG appliance uses two IP addresses. Note that these addresses are both in the same range as the LAN, as no NAT/masquerading is being performed (see the chapter entitled Firewall for more information).
Your CyberGuard SG Gateway Appliance
CyberGuard SG gateway appliances include:
• SG300
• SG530
• SG550
• SG570
• SG575
The following items are included with your CyberGuard SG gateway appliance:
• Power adaptor
• Installation CD
• Printed Quick Install guide
• Cabling including
  o 1 normal straight through UTP cable (blue color)
  o 1 crossover UTP cable (either gray or red color)
Note The SG300 model includes two blue straight through UTP cables.
Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model.
CyberGuard SG Gateway Appliance Features
Internet link features
• 10/100baseT Ethernet port (Internet/WAN)
• Serial port
• Front panel serial status LEDs (for TX/RX)
• Online status LEDs (for Internet/VPN)
• Rear panel Ethernet link and activity status LEDs
LAN link features
• 10/100BaseT LAN port
• 10/100BaseT 4 port LAN switch (SG300 model only)
• Rear panel Ethernet link and activity status LEDs
DMZ link features (SG570, SG575 only)
• 10/100BaseT DMZ port
• Rear panel Ethernet link and
Your CyberGuard SG Rack Mount Appliance
CyberGuard SG rack mount appliances include:
• SG710
• SG710+
The following items are included with your CyberGuard SG rack mount appliance:
• Power cable
• Installation CD
• Printed Quick Install guide
• Cabling including
  o 1 normal straight through UTP cable (blue color)
  o 1 crossover UTP cable (either gray or red color)
Front panel LEDs
The front panel contains LEDs indicating status.
Front panel
The front panel contains two 10/100 Ethernet four port switches (A and B), two 10/100 Ethernet ports (C and D) and an analog/ISDN modem (Serial) as well as operating status LEDs and the configuration reset button (Erase). On the front panel Ethernet ports, the right hand LED indicates the link condition, where a cable is connected correctly to another device. The left hand LED indicates network activity.
Rear panel
The rear panel contains a power switch and a power inlet for an IEC power cable.
CyberGuard SG Rack Mount Appliance Features
Internet link features
• Two 10/100baseT Ethernet ports (C, D)
• Two GbE ports (E, F; SG710+ model only)
• Serial port
• Online status LEDs (Online, Failover)
• Ethernet link and activity status LEDs
LAN/DMZ link features
• Two 10/100BaseT 4 port LAN switches
• Ethernet link and activity status LEDs
Environmental features
• Front panel operating status LEDs: Power, H/B
• Operating temperature between 0° C and 40° C
• Storage temperature between
Your CyberGuard SG PCI Appliance
CyberGuard SG PCI appliances include:
• PCI630
• PCI635
The following items are included with your CyberGuard SG PCI appliance:
• Installation CD
• Printed Quick Install guide
LEDs
The rear panel contains LEDs indicating status. The two LEDs closest to the network port are network activity (upper) and network link (lower). The two other LEDs are power (upper) and heart beat (lower).
CyberGuard SG PCI Appliance Features
Network link features
• 10/100baseT Ethernet port
• Ethernet LEDs (link, activity)
Environmental features
• Status LEDs: Power, Heart Beat
• Operating temperature between 0° C and 40° C
• Storage temperature between -20° C and 70° C
• Humidity between 0 to 95% (non-condensing)
2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network and connecting to the Internet. This is a slightly more detailed version of the printed Quick Install Guide that shipped with your CyberGuard SG appliance. These instructions assume you have a PC running Microsoft Windows (95/98/Me/ 2000/XP for CyberGuard SG gateway and rack mount appliances, 2000/XP only for CyberGuard SG PCI appliances).
CyberGuard SG Gateway Appliances
Set up a PC to Connect to the Web Management Console
The CyberGuard SG appliance ships with initial, static IP settings of:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
Note The Internet/WAN and DMZ interfaces are by default inactive, i.e. there are no network services such as DHCP in operation, and no IP address is configured. The CyberGuard SG appliance’s LAN interface will always be initially reachable at 192.168.0.1.
Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect the CyberGuard SG appliance’s LAN Ethernet port directly to your PC’s network interface card using the crossover cable (red or gray). If you are using the SG300 model, connect your PC’s network interface card directly to one of the ports on the CyberGuard SG appliance’s LAN Ethernet switch using a straight through cable (blue).
Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Settings -> Control Panel and double click Network Connections (or in 95/98/Me, double click Network). Right click on Local Area Connection and select Properties. Note If there is more than one existing network connection, select the one corresponding to the network interface card to which the CyberGuard SG appliance is directly attached.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1
Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance:
User name: root
Password: default
Note If you are unable to connect to the Management Console at 192.168.0.1, or the initial username and password are not accepted, press the black Reset/Erase button on the CyberGuard SG appliance’s rear panel twice, wait 20 to 30 seconds, and try again.
The Quick Setup Wizard will display.
Figure 2-3
Hostname: You may change the name the CyberGuard SG appliance knows itself by. This is not generally necessary.
Manual configuration: Select this to manually specify your CyberGuard SG appliance’s LAN connection settings.
Skip: LAN already configured: Select this if you wish to use the CyberGuard SG appliance’s initial network settings (IP address 192.168.0.1 and subnet mask 255.255.255.0) as a basis for your LAN settings. You may skip to the next step.
Figure 2-4
Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step.
Enter an IP address and Subnet mask for your CyberGuard SG appliance’s LAN connection. You may choose to use the CyberGuard SG appliance’s initial network settings if you are sure no other PC or network device already has the address of 192.168.0.1. The IP address will later be used as the gateway address for the PCs on your LAN.
Set up Internet Connection Settings
Select your Internet connection type and click Next.
Figure 2-5
Cable modem: If connecting using a cable modem, select the appropriate ISP. Choose Generic cable modem provider if unsure.
Analog modem: If connecting using a regular analog modem, enter the details provided by your ISP.
DSL modem: If connecting using an ADSL modem, select Auto detect ADSL connection type and enter the details provided by your ISP.
Note For detailed help for each of these options, please refer to the chapter entitled Network Connections.
Once the CyberGuard SG appliance’s Internet connection has been set up, click Next, select Reboot and click Next again.
Set up the PCs on your LAN to Access the Internet
Note If you have changed the CyberGuard SG appliance’s LAN connection settings, it may become uncontactable at this point.
LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG appliance’s LAN connection. If you chose to set the CyberGuard SG appliance’s LAN connection settings using Manual configuration, you may simply remove this address from the pool of available addresses. Enter this same IP address as the gateway IP address to be handed out by the DHCP server.
To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connections (or in 95/98/Me, double click Network). If presented with multiple connections, right click on Local Area Connection (or appropriate network connection) and select Properties. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries).
Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser) and navigate to the IP address of the CyberGuard SG appliance’s LAN connection. The Web Management Console will display. Select DHCP Server from the Networking menu. Click Add Server and configure the DHCP server with the following details: • Gateway Address is the IP address of the CyberGuard SG appliance’s LAN connection, or leave it blank.
Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries; in 95/98/Me, you may also have to click the IP Address tab).
Figure 2-6
Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK (in 95/98/Me, reboot the PC if prompted to do so). You are now finished.
CyberGuard SG Rack Mount Appliances
Set up a PC to Connect to the Web Management Console
The CyberGuard SG appliance ships with initial, static IP settings of:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
Note Initial configuration is performed through a port on network switch A (A1 to A4). All other interfaces are by default inactive, i.e. there are no network services such as DHCP in operation, and no IP address is configured.
Note It is recommended that you perform the initial setup steps with the CyberGuard SG appliance connected to a single PC only. However, you may choose to connect the CyberGuard SG appliance to the LAN before completing the initial setup steps. Before doing so, it is critical that you ensure there are no other devices on the LAN with an address of 192.168.0.1.
Use the straight through cable (blue) to connect the CyberGuard SG appliance to your LAN’s hub.
Figure 2-7
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1
Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Set up the Password and LAN Connection Settings
Launch Internet Explorer (or your preferred web browser) and navigate to 192.168.0.1.
Figure 2-8
The Web Management Console will display. Select Network Setup from the Networking menu. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance:
User name: root
Password: default
Note If you are unable to connect to the Management Console at 192.168.0.
Note Before continuing, take some time to decide on which roles you will be assigning to your CyberGuard SG appliance’s network ports and switches. Any of the network ports or switches can be configured as a LAN, DMZ or Internet connection. We recommend leaving network switch A as a LAN connection, as this is the interface through which the CyberGuard SG appliance will attempt to network load a recovery firmware image in the unlikely event that it fails to boot.
It is recommended that you statically configure your CyberGuard SG appliance’s LAN connection settings rather than rely on an existing DHCP server. Enter an IP address and Netmask for your CyberGuard SG appliance’s LAN connection. You may choose to use the CyberGuard SG appliance’s initial network settings if you are sure no other PC or network device already has the address of 192.168.0.1.
Figure 2-10
The IP address will later be used as the gateway address for the PCs on your LAN.
Note Do not click Reboot Now. Rebooting your CyberGuard SG appliance at this point may cause it to become uncontactable.
Set up Internet Connection Settings
In the row labeled Port C, select your Internet connection type from the Configuration drop down list.
Figure 2-11
Cable modem: If connecting using a cable modem, select the appropriate ISP. Choose Generic cable modem provider if unsure.
Analog modem: If connecting using a regular analog modem, enter the details provided by your ISP.
Direct connection: If you have a direct connection to the Internet (e.g. a leased line), enter the IP settings provided by your ISP.
Note For detailed help for each of these options, please refer to the chapter entitled Network Connections.
Once the CyberGuard SG appliance’s Internet connection has been set up, click Next, select Reboot and click Next again.
LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG appliance’s LAN connection. If you chose to set the CyberGuard SG appliance’s LAN connection settings using Manual configuration, you may simply remove this address from the pool of available addresses. Enter this same IP address as the gateway IP address to be handed out by the DHCP server.
To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connections (or in 95/98/Me, double click Network). If presented with multiple connections, right click on Local Area Connection (or appropriate network connection) and select Properties. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries).
Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser) and navigate to the IP address of the CyberGuard SG appliance’s LAN connection. The Web Management Console will display. Select DHCP Server from the Networking menu. Click Add Server and configure the DHCP server with the following details: • Gateway Address is the IP address of the CyberGuard SG appliance’s LAN connection, or leave it blank.
Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries; in 95/98/Me, you may also have to click the IP Address tab).
Figure 2-12
Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK (in 95/98/Me, reboot the PC if prompted to do so). You are now finished.
CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Select an unused PCI slot and insert the CyberGuard SG appliance, then power on your PC. Install the Network Driver on your PC The CyberGuard SG appliance will be automatically detected and have the appropriate driver installed when Windows starts up. It will be detected as a Realtek RTL8139-series Fast Ethernet Adapter.
Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties. Select Internet Protocol (TCP/IP) and click Properties.
Figure 2-13
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.
Set up the Password and Network Connection Settings
Launch Internet Explorer (or your preferred web browser) and navigate to 192.168.0.1.
Figure 2-14
The Web Management Console will display. Select Network Setup under Networking in the left hand menu. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance:
User name: root
Password: default
Note If you are unable to connect to the Management Console at 192.168.0.
Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally be a free IP address on your LAN. The Network Setup Connections page will display. Locate the Bridge / br0 port and select Edit current settings under Configuration. If your LAN has an active DHCP server, you may set up your CyberGuard SG appliance and PC for auto-configuration. Otherwise you must manually set up your CyberGuard SG appliance’s and PC’s network settings.
The first IP address will be used by the Web Management Console. Figure 2-15 Enter this IP address and the subnet mask for your LAN into the IP Address / Netmask fields on the Web Management Console’s Bridge IP Configuration page. Ensure DHCP assigned is unchecked. You may also enter one or more DNS Server(s) to be used by the CyberGuard SG appliance, not your PC, for Internet name resolution. Click Apply and Reboot.
Figure 2-16
Enter the following details:
• IP address is the second free IP address that is part of the subnet range of your LAN.
• Subnet mask is the subnet mask of your LAN.
• Default gateway is the IP address of your LAN’s default gateway.
• Preferred DNS server is the IP address of the DNS server used by PCs on your LAN.
Click OK. Attach your CyberGuard SG appliance’s Ethernet port to your LAN’s hub. You are now finished.
Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has two free leases. One will be used for the Web Management Console, the other for your PC. Note It is highly recommended that you reserve the IP address to be used by the Web Management Console using the CyberGuard SG appliance’s MAC address. In bridged mode, this will be the top MAC address of the three displayed on the CyberGuard SG appliance itself.
Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties. Select Internet Protocol (TCP/IP) and click Properties.
Figure 2-18
Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK.
Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear panel Reset button enabled. This allows the CyberGuard SG appliance’s configuration to be reset to factory defaults. From a network security standpoint, it may be desirable to disable the Reset switch after initial setup has been performed. This is accomplished by removing the jumper linking CON2 on the CyberGuard SG appliance. This jumper is labeled Remove Link to Disable Erase.
3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure each of your CyberGuard SG appliance’s network ports (Ethernet, serial). Network ports may be configured for Internet connection, LAN connection, DMZ connection, remote dialin access or Internet failover.
If a port is experiencing difficulties auto-negotiating with another device, Ethernet speed and duplex may be set manually by selecting Edit Ethernet configuration. Each of the network ports that may be present on your CyberGuard SG appliance and how they may be configured are discussed below. Note SG rack mount appliances (SG710, SG710+) differ slightly from other models in that any port can be configured to perform any function.
LAN
Network settings for the LAN network port may be assigned statically, or dynamically by a DHCP server (Direct LAN). Alternatively you may choose to configure the LAN port as a bridge (Bridged LAN).
Direct LAN
To assign network settings statically, enter an IP Address and Netmask for the LAN network port.
Internet
The CyberGuard SG appliance can connect to the Internet using an external dialup analog modem, an ISDN modem, a permanent analog modem, a cable modem or DSL link.
Figure 3-3
CyberGuard SG PCI appliances can also connect to the Internet in this manner, but generally will be connecting directly to a LAN by selecting either Direct Internet or Bridged Internet.
Cable
Select your cable ISP from the list and click Next. If your provider does not appear, select Generic Cable Modem Provider. For cable modem providers other than Generic, enter your user name and password and click Finish. You are now ready to connect. Click the Reboot button to save your configuration and reboot your CyberGuard SG appliance.
ADSL
If you are connecting to the Internet using ADSL, you may select the connection method PPPoE, DHCP, or Manually Assign Settings.
Direct Internet
If you have a direct connection to the Internet, select this option. Typically your ISP will have provided you with network settings (possibly a range of IP addresses), or asked you to auto-configure using DHCP. To use DHCP, check the DHCP Assigned check box. You may also enter one or more DNS Server(s), however any DNS server addresses allocated by your ISP will take precedence over these.
Failover Direct/Cable/ADSL Internet
Refer to the section entitled Internet Failover later in this chapter.
COM/Modem
With a modem attached, the COM (serial) port can be configured as a primary Dialout Internet connection, to provide Dialin Access for remote users, or as a secondary Failover Dialout Internet connection that will be activated when your primary Internet connection becomes unavailable (e.g. ISP equipment or the telecommunications network may temporarily fail).
The following table describes the fields and explains how to configure the dial up connection to your ISP.
Name of Internet provider: Enter the name of your ISP.
Phone number(s) to dial: Enter the number to dial to reach your ISP. If you are behind a PABX that requires you to dial a prefix for an outside line (e.g. 0 or 9) ensure you enter the appropriate prefix. If your ISP has provided you with multiple phone numbers, you may enter them separated with commas.
Dialin access
Select Dialin Access to use this port as a dialin server to allow remote users to connect to your local network. Refer to the chapter entitled Dialin Setup for details on configuring the CyberGuard SG appliance and remote client.
DMZ
Note SG570 and SG575 models only.
If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services. See the section called Packet Filtering in the chapter entitled Firewall. If the servers on the DMZ have private IP addresses, you need to port forward the services. See the section called Incoming Access in the chapter entitled Firewall. Creating port forwarding rules automatically creates the associated packet filtering rules to allow access.
Bridging
The CyberGuard SG may be configured as a network bridge. You may bridge between network ports (e.g. Internet to LAN) or enable bridging on a single port (typically LAN or DMZ) for bridging across a VPN connection. When bridging has been enabled, a Bridge / br0 port will appear in the Connections menu. It will be allocated the IP address of the port on which bridging was enabled.
Warning The unit may take up to 30 seconds longer than normal to reboot after bridging has been enabled.
Load Balancing
If you have enabled both the Internet and DMZ ports as primary Internet connections, enabling load balancing will share Internet traffic load over the two connections. To enable load balancing, check Enable Load Balancing under Load Balancing and click Apply.
Internet Failover
Note CyberGuard SG gateway and rack mount appliances only.
Enable the primary connection for failover
Set up your primary broadband Internet connection as described in the Internet section of this chapter. From the Connections menu, select Edit failover parameters from the Configuration pull down box. The CyberGuard SG appliance determines whether an Internet connection is up by listening for responses to ping (ICMP echo request) packets sent to a host on the Internet. Ensure you choose a host on the Internet that can be contacted reliably and responds to pings.
Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Internet connection has been configured. Refer to Enable the primary connection for failover above for details on enabling your primary broadband Internet connection for failover.
Figure 3-7
Next, configure the failover connection as you would a normal Internet connection.
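The failover decision described above, as an added example that is not the appliance's firmware: a small monitor that consumes the results of successive ping probes to the chosen test host and switches between a primary and a failover connection. The connection names, the thresholds and the probe interface are assumptions for illustration; the hysteresis keeps a single lost reply from flapping the link.

```python
"""Ping-based link monitor modelling the failover decision described above.

Added example, not the CyberGuard SG firmware: the connection names,
thresholds and probe interface are assumptions for illustration.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class FailoverMonitor:
    """Decides which Internet connection should be active from the results of
    successive ICMP echo probes sent to a reliably reachable test host."""

    primary: str = "adsl-primary"          # assumed connection names
    secondary: str = "dialout-failover"
    fail_threshold: int = 3                # lost probes in a row before failing over
    recover_threshold: int = 5             # replies in a row before failing back
    active: str = field(init=False)
    events: List[str] = field(default_factory=list, init=False)
    _fails: int = field(default=0, init=False)
    _oks: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def record(self, reply_received: bool) -> str:
        """Feed one probe result and return the connection that should now be active."""
        if reply_received:
            self._oks += 1
            self._fails = 0
        else:
            self._fails += 1
            self._oks = 0

        # Hysteresis: one lost reply does not fail over and one reply does not
        # fail back, so a briefly unreachable test host cannot flap the link.
        if self.active == self.primary and self._fails >= self.fail_threshold:
            self.active = self.secondary
            self.events.append(f"failover: {self.primary} down, activating {self.secondary}")
        elif self.active == self.secondary and self._oks >= self.recover_threshold:
            self.active = self.primary
            self.events.append(f"failback: {self.primary} restored, dropping {self.secondary}")
        return self.active


def ping_probe(host: str, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo request via the system ping (Linux flags assumed)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def run_probes(monitor: FailoverMonitor, probe: Callable[[], bool], count: int) -> str:
    """Drive the monitor with `count` probe results and return the active connection."""
    for _ in range(count):
        monitor.record(probe())
    return monitor.active


if __name__ == "__main__":
    # Constructed probe outcomes: the link dies, then comes back.
    outcomes = iter([True, True, False, False, False, False, True, True, True, True, True])
    mon = FailoverMonitor()
    run_probes(mon, lambda: next(outcomes), 11)
    print("\n".join(mon.events))
```

In production, replace the constructed outcomes with `ping_probe(host)` called on a timer, and pick a test host that answers pings reliably, since a host that silently drops ICMP will fail over a healthy link.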
Routes
Additional routes
The Additional routes feature allows expert users to add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatically by the CyberGuard SG appliance configuration scripts.
Route management
Your CyberGuard SG appliance can be configured to automatically exchange routing information with other routers. Note that this feature is intended for network administrators adept at configuring route management services.
Advanced
The following figure shows the advanced IP configuration:
Figure 3-8
Hostname
The Hostname is a descriptive name for the CyberGuard SG appliance on the network.
DNS Proxy
The CyberGuard SG appliance can also be configured to run as a Domain Name Server. The CyberGuard SG appliance acts as a DNS Proxy and passes incoming DNS requests to the appropriate external DNS server.
Figure 3-9
Network Address Translation (NAT/masquerading)
The CyberGuard SG appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT) where PCs on the local network effectively share a single external IP address. Masquerading allows insiders to get out, without allowing outsiders in. By default, the Internet port is set up to masquerade. Masquerading has the following advantages:
• Added security because machines outside the local network only know the gateway address.
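A model of the behaviour the masquerading section and the earlier DMZ section describe, added here as an example that is not the appliance's firmware: outbound LAN flows are rewritten to one shared external address, only the peer a LAN host actually contacted can answer on that mapping, unsolicited inbound packets are dropped, and a port forward to a private-address DMZ server is the one way in. The addresses, the port-allocation scheme and the table layout are constructed for illustration.

```python
"""Model of the masquerading and port-forwarding behaviour described above.

Added example, not the CyberGuard SG firmware: the addresses, the port
allocation scheme and the table layout are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class MasqueradingGateway:
    """One external address shared by all LAN hosts, plus explicit port
    forwards for servers that sit behind it on private addresses."""

    def __init__(self, external_ip: str, first_masq_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_masq_port
        # Masquerade table: (external port, proto) -> (internal socket, remote peer).
        # Entries exist only for flows a LAN host initiated.
        self._masq: Dict[Tuple[int, str], Tuple[Endpoint, Endpoint]] = {}
        # Reverse index so later packets of the same flow reuse its port.
        self._flow_port: Dict[Tuple[Endpoint, Endpoint, str], int] = {}
        # Port forwards: (external port, proto) -> private server. Adding one also
        # admits that traffic, mirroring the filter rule the appliance creates.
        self._forwards: Dict[Tuple[int, str], Endpoint] = {}

    def add_port_forward(self, ext_port: int, target: Endpoint, proto: str = "tcp") -> None:
        self._forwards[(ext_port, proto)] = target

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the shared external address."""
        flow = (pkt.src, pkt.dst, pkt.proto)
        port = self._flow_port.get(flow)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._flow_port[flow] = port
            self._masq[(port, pkt.proto)] = (pkt.src, pkt.dst)
        return Packet((self.external_ip, port), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: translate a reply or a forwarded port; drop the rest."""
        ext_ip, ext_port = pkt.dst
        if ext_ip != self.external_ip:
            return None
        entry = self._masq.get((ext_port, pkt.proto))
        if entry is not None:
            internal, peer = entry
            # Only the peer the LAN host contacted may answer on this mapping.
            return Packet(pkt.src, internal, pkt.proto) if pkt.src == peer else None
        target = self._forwards.get((ext_port, pkt.proto))
        if target is not None:
            return Packet(pkt.src, target, pkt.proto)
        return None  # unsolicited: no inside host is addressable from outside


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    gw = MasqueradingGateway("203.0.113.5")
    out = gw.outbound(Packet(("192.168.0.100", 51000), ("198.51.100.10", 80)))
    print("outbound rewritten to", out.src)
    print("reply delivered to", gw.inbound(Packet(("198.51.100.10", 80), out.src)))
    print("unsolicited probe ->", gw.inbound(Packet(("198.51.100.99", 4444), ("203.0.113.5", 80))))
    gw.add_port_forward(80, ("10.0.1.50", 8080))  # constructed DMZ web server
    print("after port forward ->", gw.inbound(Packet(("198.51.100.99", 4444), ("203.0.113.5", 80))))
```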
Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by hosts on the Internet. Dynamic DNS service providers such as TZO.com and dyndns.org can register an Internet domain name that will point to your Internet IP address no matter how often it changes. Whenever its Internet IP address changes, the CyberGuard SG appliance will alert the dynamic DNS service provider so the domain name records can be updated appropriately.
Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed. However, you may need to change it if your ISP has configured your ADSL or cable modem to only communicate with a device with a known MAC address.
4. Dialin Setup
The CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up the dialin features. Your CyberGuard SG appliance can be configured to receive dialin calls from remote users/sites. Remote users are individual users (e.g. telecommuters) who connect directly from their client workstations to dial into modems connected to the serial ports on the CyberGuard SG appliance.
Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance’s COM port or internal modem for dialin. Under Networking, select Network Setup. From the Connections menu, locate the COM port or Modem on which you want to enable dialin, and select Change to Dialin Access from the Configuration pull down menu.
The following table describes the fields on the Dial-In Setup page:
IP Address for Dialin clients: Dialin users must be assigned local IP addresses to access the local network. Specify a free IP address from your local network that the connected dial-up client will use when connecting to the CyberGuard SG appliance.
Authentication Scheme: The authentication scheme is the method the CyberGuard SG appliance uses to challenge users dialing into the network.
Dialin User Accounts
User accounts must be set up before remote users can dial into the CyberGuard SG appliance. The following figure shows the Dialin user account creation:

Figure 4-2

The field options in Add New Account are shown in the following table:

Field / Description
Username: Username for dialin authentication only. The name is case-sensitive (e.g. Jimsmith is different to jimsmith).
Password: Password for the remote dialin user.
Confirm: Re-enter the password to confirm.
The following figure shows the user maintenance screen:

Figure 4-3

Account list
As new dialin user accounts are added, they are displayed on the updated Account List. To modify a password for an existing account, select the account in the Account List and enter the new password in the New Password and Confirm fields. Click Apply under the Delete or Change Password for the Selected Account heading, or click Reset if you make a mistake.
If the change is unsuccessful, an error is reported as shown in the following figure:

Figure 4-3

When you have finished adding and modifying user account details, you can configure other CyberGuard SG appliance functions by selecting the appropriate item from the Network or System menus. You can also apply packet filtering to the dialin service as detailed in the chapter entitled Firewall.
Remote User Configuration
Remote users can dial in to the CyberGuard SG appliance using the standard Windows Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the CyberGuard SG appliance COM port. After the dialin is connected, users can access all network resources as if they were a local user.
Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP-2 authentication, you also need to check the Require encrypted password checkbox. Leave all other Advanced Options unchecked. Select the TCP/IP network protocols from the Allowed network protocols list.

Warning
Do not select NetBEUI or IPX. If an unsupported protocol is selected, an error message is returned when attempting to connect.
Windows 2000/XP
To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Connections and select Make New Connection. The network connection wizard will guide you through setting up a remote access connection:

Figure 4-5

Click Next to continue.

Figure 4-6

Select Dial-up to private network as the connection type and click Next to continue.

Figure 4-7

Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Click Next to continue.

Figure 4-8

Select the option Only for myself to make the connection only available for you.

Figure 4-9

Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for the remote connection will appear on the desktop. To launch the new connection, double-click on the new icon on the desktop, and the remote access login screen will appear as in the next figure.
5. DHCP Server
Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard SG appliance as a DHCP server, you must set a static IP address and netmask on the LAN or DMZ port (see the chapter entitled Network Connections).

DHCP Server Configuration
The DHCP server allows the automatic distribution of IP, gateway, DNS and WINS addresses to hosts running DHCP clients on the LAN and/or DMZ ports.
To configure the DHCP Server, follow these instructions.
• Check the Enable DHCP Server checkbox.
• Enter the Subnet and netmask of the IP addresses to be distributed.
• Enter the Gateway Address that the DHCP clients will be issued with. If this field is left blank, the CyberGuard SG appliance's IP address will be used.
• Enter the DNS Address that the DHCP clients will be issued with. If this field is left blank, the CyberGuard SG appliance's IP address will be used.
Subnet List
The Subnet List displays the status of the DHCP server.

Field / Description
Interface: Once a subnet has been configured, the port from which the IP addresses will be issued is shown in the Interface field.
Subnet: The value shown in this field is the subnet that the distributed IP addresses belong to.
Free Addresses: This field contains the number of remaining available IP addresses that can be distributed. You may need to increase the number of IP addresses to hand out if this value is 0.
Figure 5-3

For each IP address that the DHCP server services, the Status, Hostname and MAC Address are shown. There is also an option to Remove the address and, for reserved IP addresses, the added option to Unreserve the address. Unreserving the address allows it to be handed out to any host. The Status field has three possible states. These include:
• Reserved - the address is reserved for the particular host defined by hostname and MAC address.
DHCP Proxy
The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would. To enable this feature, specify the server which is to receive the forwarded requests in Relay Host. This server must also be configured to know and accept requests from the CyberGuard SG appliance's LAN. Then check Enable DHCP Relay and click Apply.
6. Firewall
The CyberGuard SG appliance is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access, so that PCs on the LAN can have tailored Internet access facilities and are shielded from malicious attacks. By default the firewall is active, and allows all outgoing connections and blocks all incoming connections. The CyberGuard SG appliance’s stateful firewall keeps track of outgoing connections (e.g.
Administration services
The following figure shows the Administration Services page:

Figure 6-1

By default the CyberGuard SG appliance runs a web administration server and a telnet service. Access to these services can be restricted to specific interfaces. For example, you generally want to restrict access to the Web Management Console web administration pages (Web Admin) to machines on your local network.
CyberGuard SG Administrative Web Server
Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative web server. This web server is responsible for running the Web Management Console. Here you can change the port on which the server runs. Additionally, the SG550, SG570 and SG575 models support SSL encryption to establish secure connections to the Web Management Console web administration pages from SSL enabled browsers.
The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must include the new port number in the URL to access the pages. For example, if you change the web administration to port number 88, the URL to access the web administration will be similar to: http://192.168.0.1:88

SSL/HTTPS (Secure HTTP)
SG550, SG570 and SG575 models only. The current status of the SSL (secure HTTP) support is indicated by Active/Inactive.
Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web server can operate in one of three modes:
• Both normal and SSL web access (both HTTP/HTTPS)
• Disable normal access (HTTPS only)
• Disable SSL access (HTTP only)
To access the Web Management Console administrative web pages securely using SSL encryption, the URL becomes https:// instead of http:// (e.g. https://10.0.0.1).

Add Local and Private Certificates
SG550, SG570 and SG575 models only.
Packet Filtering
By default, your CyberGuard SG appliance allows network traffic as shown in the following table:

Incoming Interface | Outgoing Interface | Action
LAN/VPN/Dial-In | Any | Accept
DMZ | WAN | Accept
DMZ | Any except WAN | Drop
WAN | Any | Drop

You can configure your CyberGuard SG appliance with additional filter rules to allow or restrict network traffic. These rules can match traffic based on the source and destination address, the incoming and outgoing network port, and/or the services.
Before configuring a filter or NAT rule, you need to define the addresses and service groups.

Addresses
Click the Addresses tab. Any addresses that have already been defined will be displayed. Click New to add a new address, or select an existing address and click Modify. There is no need to add addresses for the CyberGuard SG appliance’s interfaces; these are predefined.
Service groups
Click the Service Groups tab. Any service groups that have already been defined will be displayed. Click New to add a new service group, or select an existing service group and click Modify. Adding or modifying a service group is shown in the following figure:

Figure 6-5

A service group can be used to group together similar services. For example, you can create a group of services that you wish to allow, and then use a single rule to allow them all at once.
Rules
Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined will be displayed. Click New to add a new filter rule, or select an existing filter and click Modify.

Note
The first matching rule will determine the action for the network traffic, so the order of the rules is important. You can use the buttons on the Packet Filtering page to change the order.
The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interface is the interface/network port that the CyberGuard SG appliance will route the network traffic out. None will match network traffic that is destined for the CyberGuard SG appliance itself. This is useful for controlling access to services provided by the CyberGuard SG appliance, such as the Web Management Console.
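The first-match behaviour described in the Note above, combined with the default policy table at the start of this Packet Filtering section, can be modelled in a few lines. The following Python is an added example written for this page, not CyberGuard firmware code: the interface labels, the DMZ web server address 10.0.1.10, the rule that admits Internet clients to it, and all sample packets are constructed for illustration. It shows why a custom Accept rule placed after the default "WAN Any Drop" row is never reached.

```python
"""Added example (not CyberGuard code): a first-match filter table modelled on the
manual's default policy table.  Interface labels, the DMZ web server address
10.0.1.10 and all sample packets are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

LAN, VPN, DIALIN, DMZ, WAN = "LAN", "VPN", "Dial-In", "DMZ", "WAN"
LOCAL = "None"   # the manual's "None": traffic destined for the appliance itself
ALL = frozenset({LAN, VPN, DIALIN, DMZ, WAN, LOCAL})
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    incoming: frozenset             # incoming interfaces the rule applies to
    outgoing: frozenset             # outgoing interfaces (LOCAL = appliance itself)
    action: str                     # "Accept" or "Drop"
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    ports: frozenset = frozenset()  # destination services; empty means any port


@dataclass(frozen=True)
class Packet:
    incoming: str
    outgoing: str      # where routing would send it, or LOCAL
    src: str
    dst: str
    dport: int


def matches(rule, pkt):
    return (pkt.incoming in rule.incoming
            and pkt.outgoing in rule.outgoing
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (not rule.ports or pkt.dport in rule.ports))


def decide(rules, pkt, default="Drop"):
    """The first matching rule determines the action; later rules are never consulted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The manual's default table, in order.
DEFAULT_TABLE = [
    Rule(frozenset({LAN, VPN, DIALIN}), ALL, "Accept"),
    Rule(frozenset({DMZ}), frozenset({WAN}), "Accept"),
    Rule(frozenset({DMZ}), ALL - {WAN}, "Drop"),
    Rule(frozenset({WAN}), ALL, "Drop"),
]

# A custom rule admitting Internet clients to a web server in the DMZ (constructed).
ALLOW_DMZ_WEB = Rule(frozenset({WAN}), frozenset({DMZ}), "Accept",
                     dst=ipaddress.ip_network("10.0.1.10/32"), ports=frozenset({80}))


def demo():
    """Show why the position of ALLOW_DMZ_WEB relative to 'WAN Any Drop' matters."""
    web = Packet(WAN, DMZ, "203.0.113.5", "10.0.1.10", 80)
    admin = Packet(WAN, LOCAL, "203.0.113.5", "192.0.2.1", 80)
    lan_admin = Packet(LAN, LOCAL, "192.168.0.10", "192.168.0.1", 80)
    return {
        "web_default": decide(DEFAULT_TABLE, web),                       # Drop
        "web_rule_first": decide([ALLOW_DMZ_WEB] + DEFAULT_TABLE, web),  # Accept
        "web_rule_last": decide(DEFAULT_TABLE + [ALLOW_DMZ_WEB], web),   # Drop (shadowed)
        "admin_from_wan": decide(DEFAULT_TABLE, admin),                  # Drop
        "admin_from_lan": decide(DEFAULT_TABLE, lan_admin),              # Accept
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The "admin" packets use the outgoing interface None (LOCAL here) exactly as the paragraph above describes: a rule whose outgoing interface is None controls access to services on the appliance itself, such as the Web Management Console.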
Field / Description
Source Address: The address from which the request originated (for port forwarding you may specify this to restrict the internal service to be only accessible from a specific remote location).
Destination Address: The destination address of the request; this is the address that will be altered.
Destination Services: The destination service(s) (port(s)) of the request; many public ports may be forwarded to a single internal port.

The next two fields describe how matching packets should be altered.
Field / Description
Source Address: The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address).
Outgoing Interface: The interface that receives the request (for masquerading this will typically be a private interface, i.e. LAN or DMZ).
Destination Address: The destination address of the request.
Destination Services: The destination service(s) (port(s)) of the request.

The next two fields describe how matching packets should be altered.
Warning
Leaving Create a corresponding ACCEPT firewall rule will allow all traffic into and out from the specified private address, i.e. the private address will no longer be shielded by your CyberGuard SG appliance’s firewall. Otherwise, you may manually create filter rules through Rules.

Rules
The Rules configuration page allows firewall experts to view the current firewall rules and add custom iptables firewall rules. To access this page, click Rules in the Firewall menu.
Configuring the UPnP Gateway
The UPnP Gateway needs to be run on a pair of interfaces, the external interface and the internal interface. The UPnP Gateway will send out notifications on the internal interface, advertising its presence on the network. Any UPnP capable applications or devices that you require to make use of the UPnP Gateway need to be connected to the CyberGuard SG appliance via this interface.
In each case there are two distinct parts to a tunnel, the source half and the destination half. The source half listens for network connections from behind the firewall and, when one arrives, forwards all traffic to the destination half. The destination half accepts incoming network traffic and forwards it to a specified destination host and port. To create a port tunnel, select the type of tunnel and click Add Destination or Add Source.
Access Control and Content Filtering
Inappropriate Internet use during work hours can have a serious effect on productivity. With the CyberGuard SG Access Control web proxy, you can control access to the Internet based on the type of web content being accessed (Content), and which user or workstation is accessing the Internet content (Require user authentication, IP Lists).
Users without web proxy access will see a screen similar to the figure below when attempting to access external web content.

Figure 6-8

Note
Each browser on the LAN will now have to be set up to use the CyberGuard SG appliance’s web proxy.
Browser setup
The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar; refer to their user documentation for details on using a web proxy. From the Tools menu, select Internet Options, then select LAN Settings.

Figure 6-9

Check Use a proxy server for your LAN… and Bypass proxy server for local addresses. All other options should remain unchecked. Click Advanced.
Figure 6-10

In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance’s LAN IP address. Click OK, OK and OK again.

IP lists
Internet access may be Blocked or Allowed by the Source (LAN) IP address or address range, the Destination (Internet) host’s IP address or address range, or the Destination Host’s name.
Web lists
Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any URL containing xxx, including http://xxx.example.com or www.test.com/xxx/index.html. The Allow List also enables access to URLs containing the specified text.
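The IP lists and Web lists described above are both simple match tests, and it is worth seeing how they combine. The following Python is an added example written for this page, not the appliance's proxy code. It assumes (the manual does not say) that an IP list entry may be a single address, a CIDR network or a "first-last" range, that Block and Allow List entries are plain case-sensitive substring matches against the full URL, and that an Allow List match takes precedence over a Block List match. The policy values, client addresses and URLs are constructed.

```python
"""Added example (not CyberGuard code): access-control decisions combining IP lists
and web block/allow lists.  Policy entries, client addresses and URLs below are
constructed; the precedence of Allow List over Block List is an assumption."""
import ipaddress
from urllib.parse import urlsplit


def _networks(entry):
    """Expand one IP list entry: single address, CIDR, or 'first-last' range (assumed forms)."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry.strip(), strict=False)]


def ip_listed(entries, addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for entry in entries for net in _networks(entry))


def host_listed(entries, hostname):
    """Destination host name entries are compared exactly, ignoring case (assumption)."""
    return hostname.lower() in {e.lower() for e in entries}


# Constructed policy: one LAN PC and one LAN range denied, one Internet /24 denied,
# one host name denied, plus the manual's "xxx" Block List example.
POLICY = {
    "blocked_sources": ["192.168.0.50", "192.168.0.100-192.168.0.110"],
    "blocked_destinations": ["203.0.113.0/24"],
    "blocked_hosts": ["www.test.com"],
    "block_list": ["xxx"],
    "allow_list": ["example.org/research"],
}


def verdict(src_ip, url, dst_ip, policy=POLICY):
    """Decide whether a LAN client (src_ip) may fetch url from the resolved dst_ip."""
    host = urlsplit(url).hostname or ""
    if ip_listed(policy["blocked_sources"], src_ip):
        return "Blocked: source IP"
    if ip_listed(policy["blocked_destinations"], dst_ip):
        return "Blocked: destination IP"
    if host_listed(policy["blocked_hosts"], host):
        return "Blocked: destination host"
    # Web lists: any Allow List text re-enables a URL that the Block List would deny.
    if any(text in url for text in policy["allow_list"]):
        return "Allowed: allow list"
    if any(text in url for text in policy["block_list"]):
        return "Blocked: web block list"
    return "Allowed"


if __name__ == "__main__":
    for client, url, dst in [
        ("192.168.0.105", "http://www.example.com/", "198.51.100.1"),
        ("192.168.0.20", "http://xxx.example.com/", "198.51.100.1"),
        ("192.168.0.20", "http://www.example.org/research/xxx", "198.51.100.1"),
        ("192.168.0.20", "http://www.test.com/index.html", "198.51.100.1"),
    ]:
        print(client, url, "->", verdict(client, url, dst))
```

Because the Block List is a substring test on the whole URL, an entry such as "xxx" matches the host name, the path, and also query strings; test candidate entries against the URLs you actually need to keep reachable before applying them.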
Content

Note
Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filtering license (sold separately) through www.cyberguard.com/snapgear/my/.

Content filtering allows you to limit the types of web based content accessed. Check Enable Content Filtering, enter your activated License key, then continue on to set reporting options and which categories to block. Click Apply once these options have been set up to enable content filtering.
Reports

Warning
The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do this is by using an NTP time server. See the Time and Date section in the chapter entitled Advanced for details.

Blocked requests are submitted to the central content filtering server. The user attempting to access blocked content can be identified either through User Accounts (see User Authentication earlier in this chapter) or the IP Address of their machine.
ZoneAlarm
This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Running personal firewall software on each PC offers an extra layer of protection from application level, operating system specific exploits and malware that abound on the Internet.

Policy enforcement
This access control module allows a site's security policy to be actively enforced in part.
7. Intrusion Detection

Note
Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Intrusion Detection and Blocking only.

The CyberGuard SG appliance provides two intrusion detection systems (IDS): the lightweight and simple to configure Basic Intrusion Detection and Blocking, and the industrial strength Advanced Intrusion Detection. Basic and Advanced Intrusion Detection take quite different approaches.
The benefits of using an IDS
External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking software and applications compromise many systems through the Internet. Generally firewalls are not granular enough to identify specific packet contents that signal an attack based on a known system exploit.
Basic Intrusion Detection and Blocking
The following figure shows the Intrusion Detection and Blocking (IDB) configuration:

Figure 7-1

IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied.
Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The standard option extends this coverage by introducing additional monitored ports for early detection of intruder scans. The strict button installs a comprehensive selection of ports to monitor and should be sufficient to detect most scans.
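Since every attempt against a monitored port produces a system log entry, the log is where the "intruder scans" mentioned above become visible: one source touching several monitored ports in a short time stands out from a single stray connection. The following Python is an added example, not CyberGuard code, that reads such entries and lists the sources that look like scans. The manual does not document the log line format, so the lines below are constructed in a hypothetical format, and the threshold of three distinct ports is a constructed choice.

```python
"""Added example (not CyberGuard code): summarise IDB-style log entries and flag
sources that probed several monitored ports.  The log format and sample lines are
constructed; the manual does not specify the real entry format."""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format.  One Internet host probes five
# monitored ports within seconds; another touches a single port; one unrelated line.
SAMPLE_LOG = """\
Jan 10 12:00:01 sg IDB: denied connection from 203.0.113.9:40120 to port 23
Jan 10 12:00:01 sg IDB: denied connection from 203.0.113.9:40121 to port 21
Jan 10 12:00:02 sg IDB: denied connection from 203.0.113.9:40122 to port 135
Jan 10 12:00:02 sg IDB: denied connection from 203.0.113.9:40123 to port 139
Jan 10 12:00:03 sg IDB: denied connection from 203.0.113.9:40124 to port 445
Jan 10 12:05:10 sg IDB: denied connection from 198.51.100.7:51000 to port 23
Jan 10 12:06:00 sg kernel: eth0: link up
"""

LINE_RE = re.compile(
    r"IDB: denied connection from (?P<src>\d+\.\d+\.\d+\.\d+):\d+ to port (?P<port>\d+)"
)


def parse_attempts(log_text):
    """Return {source_ip: set(monitored ports it tried)}; non-IDB lines are ignored."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            touched[m["src"]].add(int(m["port"]))
    return dict(touched)


def likely_scanners(log_text, min_ports=3):
    """Sources that probed at least min_ports distinct monitored ports, sorted."""
    return sorted(src for src, ports in parse_attempts(log_text).items()
                  if len(ports) >= min_ports)


def summary(log_text):
    """Per-source count of distinct ports, for a quick report."""
    return {src: len(ports) for src, ports in parse_attempts(log_text).items()}


if __name__ == "__main__":
    print("attempts per source:", summary(SAMPLE_LOG))
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

The choice between the basic, standard and strict port selections changes how many distinct ports a scanner can be seen touching: with only a handful of monitored ports, a threshold of three may be too high to catch anything, so tune the threshold to the selection in use.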
Advanced Intrusion Detection
Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect attacks by matching incoming network data against defined patterns or rules. Advanced Intrusion Detection utilizes a combination of methods to perform extensive IDS analysis on the fly. These include protocol analysis, inconsistency detection, historical analysis and rule based inspection engines.
Advanced Intrusion Detection configuration

Figure 7-2

Check Enabled, and select the Interface/network port to monitor. This will typically be Internet, or possibly DMZ. Checking Use less memory will result in slower signature detection throughput, but may be necessary if your CyberGuard SG appliance is configured to run many services or many VPN tunnels. Next the Rule sets, of which there are more than forty, need to be selected. They are grouped by type such as DDOS, exploit, backdoor, NETBIOS, etc.
Note
The more rule sets that are selected, the greater the load imposed on the CyberGuard SG appliance. Therefore a conservative rather than aggressive approach to adding rule sets should be followed initially.

Figure 7-3

Check Log results to database to use a remote analysis server.

Note
If Log results to database is left unchecked, results will be output to the CyberGuard SG appliance system log (Advanced -> System Log).

Advanced Intrusion Detection currently only supports MySQL as the Database Type.
Setting up the analysis server
Specific open source tools are required to be installed on the Analysis server for a straightforward evaluation. The analysis server will typically be a Pentium IV level system running Linux (Red Hat, Debian, etc.) with sufficient memory and disk capacity to run a database and web server with at least one Ethernet port.
PHPlot graph library for charts written in PHP: http://www.phplot.com/
ACID analysis console: http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz

Snort will be running as an IDS sensor on the CyberGuard SG appliance and logging to the MySQL database on the analysis server. The following are detailed documents that aid in installing the above tools on the analysis server.
http://www.snort.org/docs/snort_acid_rh9.pdf
http://www.andrew.cmu.edu/~rdanyliw/snort/acid_config.html
http://www.sfhn.
8. Web Cache

Note
The web cache is only available on SG575 models.

Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s proxy-cache server to reduce Internet access time and bandwidth consumption. A proxy-cache server implements Internet object caching. This is a way to store requested Internet objects (i.e., data available via HTTP, FTP, and other protocols) on a server closer to the user's network than on the remote site.
Web Cache Setup
Select Web cache under Networking. A page similar to the following will be displayed.

Figure 8-1

Check Enable to enable the web cache.

Cache size
Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for caching Internet objects. The maximum amount of memory you can safely reserve will depend on what other services the CyberGuard SG appliance has running, such as VPN or a DHCP server.
Network Shares
Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additional storage space. The CyberGuard SG appliance is not equipped with a hard disk of its own, so it is quite limited in the amount of Internet objects it can cache. A network share is a shared folder or drive on a local Windows PC, or a PC running another operating system capable of SMB sharing (such as a Linux PC running the SAMBA service).
Create the network share

Figure 8-2

Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate as a network share for use by the CyberGuard SG appliance’s web cache. Begin by disabling simple file sharing for this folder. From the Tools menu, select Folder Options. Click the View tab and under the Advanced settings section uncheck Use simple file sharing (Recommended). Click OK. Next, share the folder.
Set the CyberGuard SG appliance to use the network share
Check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename

Figure 8-3

Enter the maximum size for the cache in Cache size.

Warning
Cache size should not be more than 90% of the space available to the network share, e.g. if you shared a drive with 1 gigabyte of available storage, specify a Cache size of 900 megabytes.

Enter the Username and Password for a user that can read and write to the network share.
Peers
The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web caches. Web caches communicate using the Internet Cache Protocol (ICP). ICP is used to exchange hints about the existence of URLs in neighbour caches. Caches exchange ICP queries and replies to gather information to use in selecting the most appropriate location from which to retrieve an object.
9. Virtual Private Networking
Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g.
Figure 9-1

PPTP Client Setup
The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). Select PPTP VPN Client from the VPN menu and create a new VPN connection by entering:
• A descriptive name for the VPN connection. This may describe the purpose for the connection.
• The remote PPTP server IP address to connect to.
• A username and password to use when logging in to the remote VPN.
If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the following figure:

Figure 9-2

The CyberGuard SG appliance supports multiple VPN client connections. Additional connections can be added by following these steps. To set a VPN connection as the default route for all network traffic, check the Make VPN the Default Route checkbox and click Apply.
PPTP Server Setup
The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your CyberGuard SG appliance model). The CyberGuard SG PPTP Server allows remote Windows clients to securely connect to the local network. To set up a VPN connection:
• Enable and configure the PPTP VPN server.
• Set up VPN user accounts on the CyberGuard SG appliance and enable the appropriate authentication security.
Enable and configure the PPTP VPN server
The following figure shows the PPTP server setup:

Figure 9-3

To enable and configure your CyberGuard SG appliance’s VPN server, select PPTP VPN Server from the VPN menu on the Web Management Console web administration pages.
The following table describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access.

Field / Description
Enable PPTP Server: Check this box to enable PPTP connections to be established to your CyberGuard SG appliance.
IP Addresses for the Tunnel End Points: Enter the IP addresses for the tunnel end-points. You need to specify a free IP address on your local network that each VPN client will use when connecting to the CyberGuard SG appliance.
Configuring user accounts for VPN server
After setting up the VPN server, select Continue to show the PPTP VPN Server Accounts screen as shown in the following figure:

Figure 9-4

If you selected None as the Authentication Scheme, setup is now complete. Skip ahead to Configuring the remote VPN client. Otherwise, before remote users can establish VPN tunnels to the CyberGuard SG appliance PPTP server, user accounts must be added.
The field options in the Add New Account are detailed in the following table.

Field / Description
Username: Username for VPN authentication only. The name selected is case-sensitive (e.g. Jimsmith is different to jimsmith). Username can be the same as, or different to, the name set for dialin access.
Windows Domain: Most Windows clients expect you to specify a domain name in upper case. This field is optional.
Password: Enter the password for the remote VPN user.
Confirm: Re-enter the password to confirm.
Configuring the remote VPN client
The remote VPN clients can now be configured to securely access the local network. You need to enter the PPTP account username and password that you added in the previous section, and the IP address of the CyberGuard SG PPTP VPN server. The CyberGuard SG PPTP VPN server IP address is displayed on the Diagnostics page. This will generally be the same as the IP address of your main Internet connection.
Windows 95, Windows 98 and Windows Me
From the Dial-Up Networking folder, double-click Make New Connection. Type CyberGuard SG appliance or a similar descriptive name for your new VPN connection. From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next. Enter the PPTP IP address of the CyberGuard SG appliance VPN server in the VPN Server field. This may change if your ISP uses dynamic IP assignment. Click OK and then click Finish.
Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK.

Figure 9-7

Your VPN client is now set up and ready to connect.

Windows 2000
Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network and Dial-up Connections. A window similar to the following will be displayed.
Double-click Make New Connection from the main window. Click Next to show the Network Connection Type window:

Figure 9-9

Select Connect to a private network through the Internet and click Next. This displays the Destination Address window:

Figure 9-10

Enter the CyberGuard SG PPTP server’s IP address or fully qualified domain name and click Next.
Figure 9-11

Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect.

Windows XP
Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections. Click Create New Connection from the Network Tasks menu to the left. Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next.
Connecting the remote VPN client
Verify that you are connected to the Internet, or have set up your VPN connection to automatically establish an initial Internet connection. Select the connection for the CyberGuard SG appliance VPN. Enter a username and password added in the Configuring user accounts for VPN server section and click Connect. A PPTP status icon will appear in the system tray on the bottom right hand side of your computer, informing you that you are connected.
IPSec Setup

CyberGuard SG appliance to CyberGuard SG appliance
There are many possible configurations in creating an IPSec tunnel. The most common and simplest will be described in this section. Additional options will also be explained throughout this example, should it become necessary to configure the tunnel with those settings. For most applications to connect two offices together, a network similar to the following will be used.
Figure 9-13

Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet port. The CyberGuard SG appliance can either have a static IP, dynamic IP or DNS hostname address. If a dynamic DNS service is to be used or there is a DNS hostname that resolves to the IP address on the Internet port, then the DNS hostname address option should be selected. In this example, select dynamic IP address.
Warning
It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted.

Configure a tunnel to connect to the headquarters office
To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Add New Tunnel tab at the top of the window. A window similar to the following will be displayed.
Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on the CyberGuard SG appliance. For the vast majority of setups, this will be the default gateway interface to the Internet. In this example, select the default gateway interface option.

Note
You may want to select an interface other than the default gateway when you have configured aliased Internet interfaces and require the IPSec tunnel to run on an interface other than the default gateway.
• x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management).
• Manual Keys establishes the tunnel using predetermined encryption and authentication keys.
In this example, select the Preshared Secret option.
In this example, select the be a route to the remote party option. Click the Continue button to configure the Local Endpoint Settings.

Local endpoint settings

Figure 9-15

Leave the Initiate the tunnel from this end checkbox checked.
Note
This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party has a dynamic IP address.

Enter the Required Endpoint ID of the CyberGuard SG appliance. This ID is used to authenticate the CyberGuard SG appliance to the remote party. It is required because the CyberGuard SG appliance in this example has a dynamic IP address. This field will also be required if RSA Digital Signatures are used for authentication.
Other options
The following options will become available on this page depending on what has been configured previously:
• The next IP address on the interface the tunnel is to go on field is the next gateway IP address or nexthop along the previously selected IPSec interface. This field will become available if an interface other than the default gateway was selected for the tunnel to go out on.
• SPI Number field is the Security Parameters Index. It is a hexadecimal value and must be unique.
  o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and MD5 (96-bit authenticator). It uses a 56-bit DES encryption key and a 128-bit HMAC-MD5 authentication key.
  o des-sha1-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and SHA1 (96-bit authenticator). It uses a 56-bit DES encryption key and a 160-bit HMAC-SHA1 authentication key.
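The "96" in these transform names is the length of the authenticator: the full HMAC output (128 bits for MD5, 160 bits for SHA1) is truncated to its first 96 bits before it travels with the packet, and the receiver recomputes and compares that truncated value. The following Python is an added example, not CyberGuard or Linux IPSec code, showing only that authentication step with the key lengths given above; it does not implement the DES encryption half, and the key bytes and sample payload are constructed.

```python
"""Added example (not CyberGuard code): the HMAC-96 authenticator used by the
des-md5-96 and des-sha1-96 transforms.  Only the integrity side is shown; the
authentication keys and payload below are constructed sample values."""
import hmac
import hashlib

# transform name -> (hash, authentication key length in bytes, authenticator bits)
# Key lengths follow the manual: 128-bit HMAC-MD5 key, 160-bit HMAC-SHA1 key.
TRANSFORMS = {
    "des-md5-96": ("md5", 16, 96),
    "des-sha1-96": ("sha1", 20, 96),
}


def truncated_hmac(hashname, key, data, bits):
    """HMAC over data, keeping only the leading `bits` bits of the digest."""
    full = hmac.new(key, data, hashname).digest()
    return full[: bits // 8]


def auth_tag(transform, auth_key, packet):
    """Compute the 96-bit authenticator for a transform, enforcing its key length."""
    hashname, key_len, tag_bits = TRANSFORMS[transform]
    if len(auth_key) != key_len:
        raise ValueError(f"{transform} expects a {key_len * 8}-bit authentication key")
    return truncated_hmac(hashname, auth_key, packet, tag_bits)


def verify(transform, auth_key, packet, tag):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_tag(transform, auth_key, packet), tag)


if __name__ == "__main__":
    key_md5 = bytes(range(16))      # constructed 128-bit key
    key_sha1 = bytes(range(20))     # constructed 160-bit key
    payload = b"ESP payload (constructed)"
    for name, key in (("des-md5-96", key_md5), ("des-sha1-96", key_sha1)):
        tag = auth_tag(name, key, payload)
        print(name, tag.hex(), len(tag) * 8, "bits",
              "ok" if verify(name, key, payload, tag) else "FAIL",
              "tampered:", verify(name, key, payload + b"!", tag))
```

The length check matters in practice: a mismatched authentication key length between the two ends is one of the quieter reasons a manually keyed tunnel comes up and then silently discards every packet.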
Other options
The following options will become available on this page depending on what has been configured previously:
• The remote party's DNS hostname address field is the DNS hostname address of the Internet interface of the remote party. This option will become available if the remote party has been configured to have a DNS hostname address.
• Distinguished Name field is the list of attribute/value pairs contained in the certificate.
TCGID [Siemens] Trust Center Global ID
The attribute/value pairs must be of the form attribute=value and be separated by commas. For example: C=US, ST=Illinois, L=Chicago, O=CyberGuard, OU=Sales, CN=SG550. It must exactly match the Distinguished Name of the remote party's local certificate to successfully authenticate the tunnel. This field appears when x.509 Certificates has been selected.
Phase 1 settings (Figure 9-17)
Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. Shorter values offer higher security at the expense of the computational overhead required to calculate new keys. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes. A new Phase 1 key can be renegotiated before the current one expires.
Warning The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secret is not identical at both ends. The secret is a highly sensitive piece of information. It is essential to keep this information confidential. Communications over the IPSec tunnel may be compromised if this information is divulged. Select a Phase 1 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the CyberGuard SG appliance supports can be selected.
Phase 2 settings page (Figure 9-18)
Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes. Select a Phase 2 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the CyberGuard SG appliance supports can be selected.
Other options The following options will become available on this page depending on what has been configured previously: A separate section may appear to enter multiple Local Networks or Remote Networks or both. In the case where both local and remote parties have been configured to have multiple subnets behind them, a window similar to the following will be displayed.
Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet interface. In this example, select static IP address. Leave the Set the IPSec MTU to be checkbox unchecked. Click the Apply button to save the changes.
Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party option. Click the Continue button to configure the Local Endpoint Settings. Local endpoint settings page Leave the Optional Endpoint ID field blank in this example. It is optional because the CyberGuard SG appliance has a static IP address. If the remote party is a CyberGuard SG appliance and an Endpoint ID is used, it must have the form abcd@efgh.
Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Secret used at the branch office CyberGuard SG appliance, which was: This secret must be kept confidential. Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option (same as the Branch Office Phase 1 Proposal). Click the Continue button to configure the Phase 2 Settings.
Tunnel List (Figure 9-20)
Connection
Once a tunnel has been configured, an entry with the tunnel name in the Connection field will be shown.
Note You may modify a tunnel's settings by clicking on its connection name. Click Connection to sort the tunnel list alphabetically by connection name.
Remote party
The Remote Party which the tunnel is configured to connect to will be defined either by its Endpoint ID, IP Address or Distinguished Name.
Click Remote Party to sort the tunnel list by the remote party ID/name/address.
Status
Tunnels that use Automatic Keying (IKE) will have one of four states in the Status field. The states include the following:
• Down indicates that the tunnel is not being negotiated. This may be due to the following reasons:
o IPSec is disabled.
o The tunnel is disabled.
o The tunnel could not be loaded due to misconfiguration.
Figure 9-21
Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use.
Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations. This will include DES, 3DES and AES.
Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations. This will include MD5 and SHA1 (otherwise known as SHA).
Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations. Connection Details lists an overview of the tunnel's configuration. It contains the following information: • An outline of the tunnel's network setup. In this example, it is 192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24 • Phase 1 and Phase 2 key lifetimes (ike_life and ipsec_life respectively).
• The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has an id of 2). Negotiation State reports what stage of the negotiation process the tunnel is in.
Certificate Management x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Automatic Keying. The other methods are Preshared Secrets and RSA Digital Signatures. Certificates need to be uploaded to the CyberGuard SG appliance before they can be used in a tunnel. Certificates have time durations in which they are valid. Ensure that the certificates uploaded are valid and that the Date and Time settings have been set correctly on the CyberGuard SG appliance.
To extract the local private key certificate, type the following at the Windows command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
.. where pkcs12_file is the PKCS#12 file issued by the CA and local_private_key.pem is the local private key certificate to be uploaded into the CyberGuard SG appliance. The application will prompt you to Enter Import Password. Enter the password used to create the certificate. If none was used simply press Enter.
4. Create the self-signed root CA certificate:
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
.. where DAYS_VALID is the number of days the root CA is valid for. Remove the -nodes option if you want to use a password to secure the CA key. For each certificate you wish to create, there are two steps:
1. Create the certificate request:
openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.
Adding certificates To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A window similar to the following will be displayed.
Adding a CA or CRL certificate
Click the Add new CA or CRL Certificate tab. A window similar to the following will be displayed.
Figure 9-23
Select whether a Certificate Authority or Certificate Revocation List certificate is to be uploaded from the Certificate Type pull down menu. Enter the Certificate Authority's Public Key certificate or CRL file in the Certificate File field. Click the Browse button to select the file from the host computer. CA Certificates have time durations in which they are valid.
Adding a local certificate
Click the Add new Local Certificate tab. A window similar to the following will be displayed.
Figure 9-24
Enter the Local Public Key certificate in the Local Certificate field. Click the Browse button to select the file from the host computer. Certificates have time durations in which they are valid. Ensure that the certificates uploaded are valid and that the Date and Time settings have been set correctly on the CyberGuard SG appliance.
Figure 9-25
The certificate names will be displayed under the appropriate certificate type. Clicking the Delete button deletes the certificate from the CyberGuard SG appliance.
Troubleshooting
• Symptom: IPSec is not running and is enabled. Possible Cause: The CyberGuard SG appliance has not been assigned a default gateway.
The remote party does not have a tunnel configured correctly because:
o The tunnel has not been configured.
o The Phase 1 proposals do not match.
o The secrets do not match.
o The RSA key signatures have been incorrectly configured.
o The Distinguished Name of the remote party has not been configured correctly.
o The Endpoint IDs do not match.
o The remote IP address or DNS hostname has been incorrectly entered.
o The certificates do not authenticate correctly against the CA certificate.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the CyberGuard SG appliance and remote party not recognising the need to renegotiate the tunnel. This situation arises when the remote party is configured to accept incoming tunnel connections (as opposed to initiate tunnel connections) and reboots.
Set up LMHOST files on remote hosts to resolve names to IP addresses.
• Symptom: Tunnel comes up but the application does not work across the tunnel. Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large. The application uses broadcast packets to work. Solution: Confirm that the problem is the VPN tunnel and not the application being run.
GRE
The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support the Generic Routing Encapsulation protocol. You can build GRE tunnels to other CyberGuard SG appliances that support GRE, or to other devices such as Cisco equipment. GRE tunnels are useful for redistributing IPv6 or broadcast and multicast traffic across a VPN connection. They are also useful for carrying unsupported protocols such as IPX or AppleTalk between remote IP networks.
On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details:
GRE Tunnel Name: to_slough
Remote External Address: 195.45.67.8
Local External Address: 203.23.45.6
Local Internal Address: 192.168.1.1
Click Add. Click Add/Remove under Remote Networks and enter:
Remote subnet/netmask: 10.1.0.0 / 255.255.0.0
Click Add. The Brisbane end is now set up.
Figure 9-26
On the Slough end, click GRE Tunnels from the VPN menu.
Click Add. Click Add/Remove under Remote Networks and enter:
Remote subnet/netmask: 192.168.1.0 / 255.255.255.0
Click Add. The GRE tunnel between the two networks is now set up. Tunnels may be Disabled, Deleted or Edited from the main table of GRE tunnels. A few further things of note are:
GRE Tunnel Name: The name is arbitrary.
Remote External Address: This may also be in the form of a DNS name, e.g. a dynamic DNS name.
Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end. Click Apply and reboot the unit if prompted to do so. Note The alias IP addresses are essentially dummy addresses and can be anything that does not conflict with your existing network infrastructure. Create an IPSec tunnel between Brisbane and Slough. Select IPSec from the left hand menu and Add new tunnel.
Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below. Leave Local Internal Address blank, and check Place on Ethernet Bridge.
Figure 9-29
GRE Tunnel Name: to_bris
Remote External Address: 10.254.0.2
Local External Address: 10.254.0.1
Local Internal Address: (blank)
Place on Ethernet Bridge: Checked
For the Brisbane end enter the IP addresses below. Leave Local Internal Address blank, and check Place on Ethernet Bridge.
Troubleshooting • Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set up on the GRE tunnel to the remote network. Ensure that there is a route on the remote GRE endpoint to the network at this end of the GRE tunnel. Check that there is a GRE interface created on the device. To do this, go into Advanced Networking and scroll to the bottom. There should be an interface called greX created.
L2TP The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multipurpose network transport protocol. Many DSL ISPs use L2TP over ATM to create tunnels across the Internet backbone. The CyberGuard SG L2TP implementation can only run L2TP over Ethernet since it doesn't have an ATM adapter. L2TP packets are encapsulated in UDP packets on port 1701 and sent over Ethernet to the L2TP server.
L2TP server The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then username and password pairs are created to allow users to log on. Note To increase security, L2TP VPN connections from Windows PCs are also run through an IPSec tunnel. This means an IPSec connection must be configured and enabled on the CyberGuard SG appliance as well as the L2TP server before Windows clients can connect.
10. System Date and Time Set date and time If you have a Javascript enabled web browser, you will be able to click the top Set Date and Time button to synchronize the time on the CyberGuard SG appliance with that of your PC. Alternately, you can manually set the Year, Month, Date, Hour and Minute using the selection boxes to set the date and time on the CyberGuard SG appliance.
Figure 10-1
Locality
Select your region then select your location within that region. The system clock will subsequently show local time. Without setting this, the system clock will show UTC. Setting a time zone is only relevant if you are synchronizing with an NTP server or your CyberGuard SG appliance has a real time clock. Without either of these, the CyberGuard SG appliance's clock is set randomly at startup.
Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust. Each user on the CyberGuard SG appliance has a password that they use to authenticate themselves to the unit's web pages. They also have a number of access controls that modify what they can and cannot do via the web interface, and whether they can access the Internet via the CyberGuard SG appliance’s web proxy.
Administration
A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. It should be given to trusted users who are permitted to configure and reconfigure the unit.
Diagnostic
The diagnostic access control allows a user to view status reports, the technical support report, the system log and other read-only pages. No capability is granted to allow such a user to edit any of the configuration on the CyberGuard SG appliance.
Internet access (via access controls)
A user with this access control is permitted controlled access to the web through the CyberGuard SG appliance's web proxy. See the Access control and content filtering section in the chapter entitled Firewall for details on controlling LAN users' web access.
Password
The CyberGuard SG appliance's administrative (root) password is used to restrict access to the Web Management Console web administration pages (Web Admin) and the CyberGuard SG appliance itself.
Figure 10-3
Network tests
Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page.
Advanced
The options on the Advanced page are intended for network administrators and advanced users only.
Warning Altering the advanced configuration settings may render your CyberGuard SG appliance inoperable.
System log
The system log contains debugging information that may be useful in determining whether all services for your CyberGuard SG appliance are operating correctly. The CyberGuard SG appliance also provides the option of re-directing log output to a remote machine using the syslog protocol.
You may also upload additional configuration files from your computer to the CyberGuard SG appliance under Upload file. To backup to an encrypted file, click save and restore, enter a password and click Save under Save Configuration. To restore from this file, browse for the backup configuration file, enter the password you used to save it and click Restore under Restore configuration.
Flash upgrade
Periodically, CyberGuard may release new versions of firmware for your CyberGuard SG appliance.
The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running. 3. In the Web Management Console web administration pages, click Advanced then Flash Upgrade. Enter the server IP Address (i.e. PC with the TFTP server and binary image) and the binary image’s filename. 4. Click Upgrade to commence the upgrade. During the upgrade, the front panel LEDs on the CyberGuard SG appliance will flash in an in-and-out pattern.
Technical Support The System menu contains an option detailing support information for your CyberGuard SG appliance. This page provides basic troubleshooting tips, contact details for CyberGuard SG technical support, and links to the CyberGuard SG Knowledge Base (http://www.cyberguard.com/snapgear/knowledgebase.
Appendix A – IP Address Ranges
IP ranges are fields that allow multiple IP addresses to be specified using a shorthand notation. Four distinct forms of range are acceptable:
1. a.b.c.d
2. a.b.c.d-e
3. a.b.c.d-e.f.g.h
4. a.b.c.d/e
The first is simply a single IP address. Thus wherever a range is permitted, a single IP address is too. The second specifies a range of IP addresses from a.b.c.d to a.b.c.e inclusive, i.e. you are specifying a range within a class C network or subnet. For example, 192.168.5.
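As an added example (not code from the CyberGuard SG appliance or this manual), the following Python parser accepts the four range forms listed above and resolves each to its first and last address, rejecting anything else. The function names parse_ip_range, range_size and ip_in_range are this example's own, and treating host bits in the a.b.c.d/e form as ignored is an assumption the manual does not state.

```python
"""Parse the four CyberGuard SG IP range forms listed in Appendix A.

Added example, not code from the appliance or its manual.
  1. a.b.c.d          a single address
  2. a.b.c.d-e        a.b.c.d up to a.b.c.e inclusive (within one class C block)
  3. a.b.c.d-e.f.g.h  a.b.c.d up to e.f.g.h inclusive
  4. a.b.c.d/e        CIDR notation with prefix length e
"""
import ipaddress
import re

# One decimal octet, 0-255, no leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"

_FORM1 = re.compile(rf"^({_IPV4})$")
_FORM2 = re.compile(rf"^({_IPV4})-({_OCTET})$")        # last-octet range
_FORM3 = re.compile(rf"^({_IPV4})-({_IPV4})$")         # start-end range
_FORM4 = re.compile(rf"^({_IPV4})/(3[0-2]|[12]?\d)$")  # CIDR, prefix 0..32


def _ordered(start, end):
    """Reject a range whose end lies before its start."""
    if end < start:
        raise ValueError(f"range end {end} is before its start {start}")
    return start, end


def parse_ip_range(text):
    """Return (first, last) as IPv4Address objects for any of the four forms.

    Anything else raises ValueError, so a field that fails here should be
    rejected outright rather than silently widened to a larger range.
    """
    text = text.strip()
    m = _FORM1.match(text)
    if m:
        single = ipaddress.IPv4Address(m.group(1))
        return single, single
    m = _FORM2.match(text)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        # Keep the first three octets of a.b.c.d and replace d with e.
        end = ipaddress.IPv4Address((int(start) & 0xFFFFFF00) | int(m.group(2)))
        return _ordered(start, end)
    m = _FORM3.match(text)
    if m:
        return _ordered(ipaddress.IPv4Address(m.group(1)),
                        ipaddress.IPv4Address(m.group(2)))
    m = _FORM4.match(text)
    if m:
        # Assumption not stated in the manual: host bits in a.b.c.d/e are
        # ignored, so 192.168.5.7/24 covers the whole 192.168.5.0/24 block.
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    raise ValueError(f"not a recognised IP range: {text!r}")


def range_size(text):
    """Number of addresses the range covers."""
    start, end = parse_ip_range(text)
    return int(end) - int(start) + 1


def ip_in_range(text, address):
    """True if address lies inside the range written as text."""
    start, end = parse_ip_range(text)
    return start <= ipaddress.IPv4Address(address) <= end


if __name__ == "__main__":
    for sample in ("192.168.5.1", "192.168.5.10-20", "192.168.5.10-192.168.6.20",
                   "192.168.5.0/24", "10.254.0.1/32"):
        first, last = parse_ip_range(sample)
        print(f"{sample:28} -> {first} .. {last}  ({range_size(sample)} addresses)")
```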
Appendix B – Terminology
This section explains terms that are commonly used in this document.
ADSL: Asymmetric Digital Subscriber Line. A technology allowing high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
Certificates: A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.
Certificate Authority: A Certificate Authority is a trusted third party, which certifies public keys to truly belong to their claimed owners.
Extranet: A private network that uses the public Internet to securely share business information and operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company's intranet.
Failover: A method for detecting that the main Internet connection (usually a broadband connection) has failed and the CyberGuard SG appliance cannot communicate with the Internet.
IPSec tunnel: The IPSec connection to securely link two private parties across insecure and public channels.
IPSec with Dynamic DNS: Dynamic DNS can be run on the IPSec endpoints, thereby creating an IPSec tunnel using dynamic IP addresses.
IKE: IKE is a profile of ISAKMP that is for use by IPsec. It is often called simply IKE. IKE creates a private, authenticated key management channel. Using that channel, two peers can communicate, arranging for session keys to be generated for AH, ESP or IPcomp.
NAT: Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT.
Net mask: The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.
NTP: Network Time Protocol (NTP) is used to synchronize clock times in a network of computers.
Oakley Group: See Diffie-Hellman Group or Oakley Group.
PAT: Port Address Translation.
Router: A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination.
RSA Digital Signatures: A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the two parties in order to configure the tunnel.
SHA: Secure Hash Algorithm, a 160 bit hash. It is one of two message digest algorithms available in IPSec.
x.509 Certificates: An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature. x.509 certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication.
Appendix C – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default. All rules in the default security policy drop packets. They never reject them. That is, the packets are simply ignored, and have no responses at all returned to the sender.
Commonly used interfaces are:
eth0 the LAN port
eth1 the WAN/Internet port
pppX e.g. ppp0 or ppp1 – a PPP session
ipsecX e.g. ipsec0, an IPSec interface
The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar. Any traffic that does not match the exceptions however is dropped. There are also some specific rules to detect various attacks (smurf, teardrop, etc.).
A typical Default deny entry will thus look similar to the following:
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
That is, a packet arriving from the WAN (IN=eth1) and bound for the CyberGuard SG appliance itself (OUT=) from IP address 140.103.74.181 (SRC=140.103.74.
To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something like this:
iptables -I INPUT -j LOG -p tcp --syn -s X.X.X.X/XX -d Y.Y.Y.Y/YY --dport Z --log-prefix "<prefix>"
This will log any TCP (-p tcp) session initiations (--syn) that arrive from the IP address/netmask X.X.X.X/XX (-s ...) and are going to Y.Y.Y.Y/YY (-d ...), destination port Z (--dport ...), tagging each entry with the given prefix (--log-prefix). For example, to log all inbound access requests from anywhere on the Internet (0.0.0.
For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber on the LAN with address 192.168.1.1:
iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "
This will result in log output something like this:
<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.
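As an added example (not code from the CyberGuard SG appliance or this manual), the Python below parses klogd entries of both kinds shown above, the Default deny line and a custom --log-prefix line, splits out the KEY=value fields and bare flags such as DF and SYN, and classifies each packet as addressed to the appliance itself (empty OUT=) or forwarded. The sample lines are constructed to this format and the function names are this example's own.

```python
"""Parse the klogd firewall entries shown above (Default deny and custom prefixes).

Added example, not code from the CyberGuard SG appliance or its manual. The sample
lines are constructed in the same format, with the fields the manual's own lines
truncate filled in with made-up values.
"""
import re
from collections import defaultdict

SAMPLE_LOG = [
    # Default deny from the WAN, addressed to the appliance itself (OUT= is empty)
    "Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= "
    "MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # Same source probing another port, with OUT=MAC= run together as some copies show it
    "Mar 27 09:31:20 2003 klogd: Default deny: IN=eth1 "
    "OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 "
    "DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46342 DF PROTO=TCP "
    "SPT=46112 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Permitted and forwarded to the LAN mail server, logged under the custom prefix
    "<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 "
    "DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7001 DF PROTO=TCP SPT=40120 "
    "DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Dropped UDP datagram: no SYN flag, so it is not a TCP session initiation
    "Mar 27 09:32:01 2003 klogd: Default deny: IN=eth1 OUT= "
    "MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=203.0.113.9 DST=12.16.16.36 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=3 PROTO=UDP SPT=137 DPT=137",
]

_HEADER = re.compile(
    r"^(?:<\d+>\s*)?"                                  # optional syslog priority
    r"(?P<time>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "   # e.g. Mar 27 09:31:19 2003
    r"klogd: (?P<prefix>.*?): (?P<body>IN=.*)$")        # --log-prefix text, then fields
_KEY = re.compile(r"^[A-Z]+=")


def _split_fields(body):
    """Separate KEY=value tokens from bare flags such as DF and SYN."""
    fields, flags = {}, []
    for tok in body.split():
        while tok:
            if "=" not in tok:
                flags.append(tok)
                break
            key, _, rest = tok.partition("=")
            if _KEY.match(rest):
                fields[key] = ""   # "OUT=MAC=...": empty value run into the next key
                tok = rest
            else:
                fields[key] = rest
                break
    return fields, flags


def parse_firewall_line(line):
    """Return a dict describing one klogd firewall entry, or None for other lines."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields, flags = _split_fields(m.group("body"))
    out_if = fields.get("OUT", "")
    return {
        "time": m.group("time"), "prefix": m.group("prefix"),
        "in": fields.get("IN", ""), "out": out_if,
        # An empty OUT= means the packet was for the appliance itself
        "direction": "to-appliance" if out_if == "" else "forwarded",
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in flags, "flags": flags,
    }


def denied_ports_by_source(lines):
    """Map each source of dropped packets to the sorted distinct ports it reached for."""
    probes = defaultdict(set)
    for rec in filter(None, map(parse_firewall_line, lines)):
        if rec["prefix"] == "Default deny" and rec["dport"] is not None:
            probes[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in probes.items()}
```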
If we just wanted to look at traffic that went out to the IPSec world, we could use:
iptables -I FORWARD -j LOG -o ipsec+
Clearly there are many more combinations possible. It is therefore possible to write rules that log inbound and outbound traffic, or to construct several rules that differentiate between the two.
Rate Limiting
iptables has the facility for rate-limiting the log messages that are generated, in order to avoid denial of service issues arising out of logging these access attempts.
Administrative Access Logging
When a user tries to log onto the Web Management Console web administration pages, one of the following log messages appears:
Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2
Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2
This message shows the date/time, whether the authentication succeeded or failed, the user attempting authentication (in this case root) and the IP address from which the attempt was made.
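As an added example (not code from the CyberGuard SG appliance or this manual), the Python below parses boa messages of this form and flags two things worth a look in the system log: a burst of failed attempts from one address, and a success that directly follows failures from the same address. The sample lines are constructed in the same format, and the function names, threshold and window are this example's own.

```python
"""Detect repeated failed logins to the Web Management Console from boa messages.

Added example, not code from the CyberGuard SG appliance or its manual. The
sample lines are constructed in the format the manual shows; events are
assumed to be in the order they were logged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = [
    "Jan 30 03:00:10 2000 boa: Authentication attempt failed for root from 10.0.0.2",
    "Jan 30 03:00:12 2000 boa: Authentication attempt failed for root from 10.0.0.2",
    "Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2",
    "Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2",
    "Jan 30 03:30:00 2000 boa: Authentication attempt failed for root from 10.0.0.9",
    "Jan 30 04:10:00 2000 boa: Authentication attempt failed for root from 10.0.0.9",
    # An unrelated klogd line, which the parser must ignore
    "Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= SRC=140.103.74.181 DST=12.16.16.36",
]

_AUTH = re.compile(
    r"^(?:<\d+>\s*)?(?P<time>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) boa: "
    r"Authentication (?P<result>successful|attempt failed) for (?P<user>\S+) from (?P<src>\S+)$")


def parse_auth_line(line):
    """Return {'time', 'success', 'user', 'src'} for a boa authentication message, else None."""
    m = _AUTH.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m.group("time").split())   # collapse "Jan  5" to "Jan 5"
    return {
        "time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        "success": m.group("result") == "successful",
        "user": m.group("user"),
        "src": m.group("src"),
    }


def repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(src, user): most failures seen inside any window} for sources that
    reach the threshold; a trickle of failures spread over hours is not reported."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_auth_line, lines)):
        if not rec["success"]:
            failures[(rec["src"], rec["user"])].append(rec["time"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def successes_after_failures(lines, window=timedelta(minutes=5)):
    """List (src, user, success time, prior failures) where a login succeeded shortly
    after failures from the same source: the trace a guessed password leaves behind."""
    recent, hits = defaultdict(list), []
    for rec in filter(None, map(parse_auth_line, lines)):
        key = (rec["src"], rec["user"])
        recent[key] = [t for t in recent[key] if rec["time"] - t <= window]
        if rec["success"]:
            if recent[key]:
                hits.append((rec["src"], rec["user"], rec["time"], len(recent[key])))
            recent[key] = []
        else:
            recent[key].append(rec["time"])
    return hits
```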
Appendix D – Firmware Upgrade Practices and Precautions
Prior to performing any firmware upgrade, it is important that you save a backup of your existing configuration (Advanced -> Store/restore all configuration files) to a local file. While we make every effort to ensure your existing configuration will work with the new firmware, sometimes compatibility problems will arise. You should be particularly aware of this possibility when performing a major upgrade.
If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration as a guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to, e.g. at a remote or client's site, we strongly recommend that following the upgrade, you reset the device to its factory default configuration and reconfigure as a matter of course.