CyberGuard SG User Manual CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@cyberguard.com.au Web: www.cyberguard.com Revision 3.1.
Contents
1. Introduction
CyberGuard SG Gateway Appliances (SG3xx, SG5xx Series)
CyberGuard SG Rack Mount Appliances (SG7xx Series)
CyberGuard SG PCI Appliances (SG6xx Series)
Document Conventions
2. Getting Started
DHCP Server
Web Cache
QoS Traffic Shaping
IPv6
4. Firewall
Printer Troubleshooting
USB Network Devices and Modems
7. System
Date and Time
Backup/Restore Configuration
1. Introduction This manual describes the features and capabilities of your CyberGuard SG appliance, and provides you with instructions on how to best take advantage of them. This includes setting up network connections (in the chapter entitled Network Connections), tailoring the firewall to your network (Firewall), and establishing a virtual private network (Virtual Private Networking).
The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ (demilitarized zone) network. A DMZ is a separate local network typically used to host servers accessible to the outside world. It is separated both physically and by the firewall, in order to shield your LAN from external traffic. The CyberGuard SG appliance allows you to establish a virtual private network (VPN). A VPN enables remote workers or branch offices to connect securely to your LAN over the public Internet.
Label | Activity | Description
WAN Activity | Flashing | Network traffic on the Internet network interface
WLAN | Flashing | Network traffic on the Wireless network interface
DMZ Activity | Flashing | Network traffic on the DMZ network interface
Serial Activity | Flashing | For either of the CyberGuard SG appliance COM ports, these LEDs indicate receive and transmit data
HA | On | The CyberGuard SG appliance has switched to a backup device
Online | On | An Internet connection has been established
VPN | On | Virtual private networking is enabled
Local network link
• 10/100BaseT LAN port (SG530, SG550)
• 10/100BaseT 4 port LAN switch (SG300)
• 10/100BaseT DMZ port (SG570, SG575)
• 10/100BaseT 4 port VLAN-capable switch (SG560, SG565, SG580)
• Rear panel Ethernet link and activity status LEDs
Environmental
• External power adaptor (voltage/current depends on individual model)
• Front panel operating status LEDs: Power, Heart Beat
• Operating temperature between 0° C and 40° C
• Storage temperature between -20° C and 70° C
• Humidity
Front panel LEDs The front panel contains LEDs indicating status. An example of the front panel LEDs is illustrated in the following figure and detailed in the following table.
Label | Activity | Description
Power | On | Power is supplied to the CyberGuard SG appliance
H/B (Heart Beat) | Flashing | The CyberGuard SG appliance is operating correctly
H/B (Heart Beat) | On | If this LED is on and not flashing, an operating error has occurred
Rear panel The rear panel contains a power switch and a power inlet for an IEC power cable. Additionally, the SG710+ has two gigabit Ethernet ports (E and F).
CyberGuard SG PCI Appliances (SG6xx Series) Note The CyberGuard SG PCI appliance range includes models SG630 and SG635. The CyberGuard SG PCI appliance is a hardware based firewall and VPN server embedded in a 10/100 Ethernet PCI network interface card (NIC). It is installed into the host PC like a regular NIC, providing a transparent firewall to shield the host PC from malicious Internet traffic, and VPN services to allow secure remote access to the host PC.
One IP address is used to manage the CyberGuard SG appliance via the web management console. The other is the host PC's IP address, which is configurable through the host operating system, identically to a regular NIC. This is the IP address that other PCs on the LAN see. It should be dynamically (DHCP) or statically configured to use the same gateway, DNS, etc. settings as a regular PC on the LAN. Note It is possible to configure the CyberGuard SG PCI appliance to run in masquerading mode.
Location | Activity | Description
Top right (Power) | On | Power is supplied to the CyberGuard SG appliance
Bottom right (Heart beat) | Flashing | The CyberGuard SG appliance is operating correctly
Top left | Flashing | Data is being transmitted or received
Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights important issues. Bold text in procedures indicates text that you type, or the name of a screen object (e.g. a menu or button).
2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance. These instructions are identical to those in the printed Quick Install Guide that shipped with your CyberGuard SG appliance. Upon completing the steps in this chapter, your CyberGuard SG gateway or rack mount appliance is installed in a network configuration similar to that depicted in the figure to the right.
CyberGuard SG Gateway Appliance Quick Setup Unpack the CyberGuard SG appliance Check that the following items are included with your CyberGuard SG appliance:
• Power adapter
• CyberGuard SG CD
• Network cable
On the rear panel of the CyberGuard SG appliance you will see network, serial and possibly USB ports, a Reset/Erase button, and a power inlet. The front panel of the CyberGuard SG appliance contains activity LEDs (lights) that vary slightly between models.
LAN subnet mask: 255.255.255.0 The CyberGuard SG appliance needs an IP address suitable for your LAN before it is connected. You may choose to use the CyberGuard SG appliance’s initial network settings above as a basis for your LAN settings. Connect the supplied power adapter to the CyberGuard SG appliance. If you are setting up the SG300, attach your PC’s network interface card directly to any network port on its LAN switch using the supplied network cable.
Note If there is more than one existing network connection, select the one corresponding to the network interface card to which the CyberGuard SG appliance is attached. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> your network card name if there are multiple entries) and click Properties. Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.
Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0. Set up the CyberGuard SG appliance’s password and LAN connection settings Launch your web browser and navigate to 192.168.0.1. Select Quick Setup Wizard from the center of the page. A log in prompt is displayed.
Note The new password takes effect immediately. You are prompted to enter it when completing the next step. The quick setup wizard is displayed. Changing the Hostname is not typically necessary. Select how you would like to set up your LAN connection then click Next. Note You must select Manual configuration in order to enable the CyberGuard SG appliance’s built-in DHCP server. The CyberGuard SG appliance’s DHCP server automatically configures the network settings of PCs and other hosts on your LAN.
Select Skip: LAN already configured if you wish to use the CyberGuard SG appliance’s initial network settings (IP address 192.168.0.1 and subnet mask 255.255.255.0) as a basis for your LAN settings, and you do not wish to use the CyberGuard SG appliance’s built-in DHCP server. Skip to the next step.
Set up the CyberGuard SG appliance’s Internet connection settings First, attach the CyberGuard SG appliance to your modem device or Internet connection medium. If necessary, give the modem device some time to power up. Select your Internet connection type and click Next. The options displayed differ depending on the connection type selected. If you are connecting using a Cable Modem, select your ISP, or Generic Cable Modem Provider if yours does not appear.
Set up the CyberGuard SG appliance’s switch Note This page will only display if you are setting up the SG560, SG565 or SG580. Otherwise skip to the next step. By default, the CyberGuard SG appliance’s switch A behaves as a conventional switching hub. However, it may be configured so that each port behaves as if it were physically separate from the others. Select a configuration for the CyberGuard SG appliance’s switch then click Next.
Connect the CyberGuard SG appliance to your LAN Review your configuration changes. Once you are satisfied, click Finish to activate the new configuration. Note If you have changed the CyberGuard SG appliance’s LAN connection settings, it may become uncontactable at this point. This step describes how to set up the PCs on your network to access the CyberGuard SG appliance and the Internet. Connect the CyberGuard SG appliance to your LAN if you haven’t already done so.
If you do not want to use a DHCP server, proceed to Manual configuration of your LAN. Automatic configuration of your LAN By selecting Manual Configuration for the CyberGuard SG appliance’s LAN connection, and supplying DHCP Server Address Range, the CyberGuard SG appliance’s DHCP server is already set up and running. Each PC on your LAN must now be set up to automatically obtain network settings.
Quick setup is now complete. Automatic configuration of your LAN using an existing DHCP server If you chose to have the CyberGuard SG appliance Obtain LAN IP address from a DHCP server on LAN, it is strongly recommended that you add a lease to your existing DHCP server to reserve the IP address you chose for the CyberGuard SG appliance’s LAN connection.
Enter the following details: IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance’s LAN connection (if using the default settings, 192.168.0.2 – 192.168.0.254). Subnet mask is the subnet mask of the CyberGuard SG appliance’s LAN connection (if using the default settings, 255.255.255.0). Default gateway is the IP address of the CyberGuard SG appliance’s LAN connection (if using the default settings, 192.168.0.1).
The status LEDs on the front panel provide information on the operating status of the CyberGuard SG appliance. Note Power is ON when power is applied. H/B (heart beat) flashes when the CyberGuard SG appliance is running. Each of the network ports has two LEDs indicating link, activity and speed. In its factory default state, the four status LEDs next to Power flash. If these LEDs do not behave in this manner before your CyberGuard SG appliance is attached to the network, perform a factory reset.
Connect the supplied power cable to the power inlet on the rear panel of the CyberGuard SG appliance and turn on the rear panel power switch. Connect one of the ports of network switch A (A1 – A4) directly to your PC’s network interface card using the supplied network cable. Next, modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> (Settings ->) Control Panel and double click Network Connections (or in 95/98/Me, double click Network).
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1
Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0. Set up the CyberGuard SG appliance’s password and LAN connection settings Launch your web browser and navigate to 192.168.0.1. Select Quick Setup Wizard from the center of the page.
Enter and confirm a password for your CyberGuard SG appliance. This is the password for the user root, the main administrative user account on the CyberGuard SG appliance. It is therefore important that you choose a password that is hard to guess, and keep it safe. Note The new password takes effect immediately. You are prompted to enter it when completing the next step. The quick setup wizard is displayed. Changing the Hostname is not typically necessary.
Select Skip: LAN already configured if you wish to use the CyberGuard SG appliance’s initial network settings (IP address 192.168.0.1 and subnet mask 255.255.255.0) as a basis for your LAN settings, and you do not wish to use the CyberGuard SG appliance’s built-in DHCP server. Skip to the next step.
Connect the CyberGuard SG appliance to your LAN Review your configuration changes. Once you are satisfied, click Finish to activate the new configuration. Note If you have changed the CyberGuard SG appliance’s LAN connection settings, it may become uncontactable at this point. This step describes how to set up the PCs on your network to access the CyberGuard SG appliance and the Internet. Connect PCs and/or your LAN hub to switch A on the CyberGuard SG appliance.
Click Start -> (Settings ->) Control Panel and double click Network Connections (or in 95/98/Me, double click Network). If presented with multiple connections, right click on Local Area Connection (or appropriate network connection) and select Properties. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries) and click Properties (in 95/98/Me, you may also have to click the IP Address tab).
Enter this same IP address as the gateway IP address to be handed out by the existing DHCP server. Enter this same IP address as the DNS server IP address to be handed out by the DHCP server. Ensure all PCs on the network are set up to automatically obtain network configuration as per Automatic configuration of your LAN, then restart them. Note The purpose of restarting the computers is to force them to update their automatically configured network settings.
Perform these steps for each PC on your network. Set up the CyberGuard SG appliance’s Internet connection settings Choose a port on the CyberGuard SG appliance for your primary Internet connection. Port C is used in this guide. Attach Port C to your modem device or Internet connection medium. If necessary, give the modem device some time to power up. Note If you have changed the CyberGuard SG appliance’s LAN connection settings, browse to the new LAN IP address.
Note For detailed help for each of these options, please refer to the next chapter. After entering the appropriate details, click Finish. Quick setup is now complete. CyberGuard SG PCI Appliance Quick Setup Unpack the CyberGuard SG appliance Check that the CyberGuard SG CD is included with your appliance: On the CyberGuard SG appliance is a single 10/100 network port, a Reset button and four LEDs (lights). The LEDs provide information on the operating status of your CyberGuard SG appliance.
Note You can check that a new network adapter has been installed by clicking Start -> (Settings ->) Network and Dialup Connections -> Local Area Connection (possibly followed by a number) -> Properties and ensure the adapter is listed in the Connect using field. Set up your PC to connect to the web management console Note The following steps assume you want to set up your CyberGuard SG appliance in bridged mode, so that it sits between your PC and the LAN, transparently filtering network traffic.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Leave the Default gateway and DNS server addresses blank. Set up the CyberGuard SG appliance’s password and network connection settings Launch your web browser and navigate to 192.168.0.1. Select Network Setup from the Networking menu. A log in prompt is displayed.
Pressing Reset twice within 2 seconds resets the CyberGuard SG appliance to its factory default settings Enter and confirm a password for your CyberGuard SG appliance. This is the password for the user root, the main administrative user account on the CyberGuard SG appliance. It is therefore important that you choose a password that is hard to guess, and keep it safe. Note The new password takes effect immediately. You are prompted to enter it when completing the next step.
Check DHCP assigned. Anything in the IP Address and Subnet Mask fields is ignored. Click Update. Click Start -> (Settings ->) Control Panel and double click Network Connections. Right click on Local Area Connection (or the appropriate network connection for the newly installed PCI appliance) and select Properties. Select Internet Protocol (TCP/IP) and click Properties.
Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK. Attach your CyberGuard SG appliance’s Ethernet port to your LAN’s hub or switch. Quick setup is now complete. Manual configuration Ensure you have two free IP addresses that are part of the subnet range of your LAN, and ensure you know your LAN’s subnet mask, and the DNS server address and gateway address used by PCs on your LAN.
Enter this address as the IP Address, and the subnet mask for your LAN as the Subnet mask. Ensure DHCP assigned is unchecked. You may also enter one or more DNS Server(s) and a Gateway address to be used by the CyberGuard SG appliance, not your PC, for access to the Internet. Typically this is not necessary, as only your PC needs to access the Internet. Click Update.
Enter the following details: IP address is the second free IP address that is part of the subnet range of your LAN. Subnet mask is the subnet mask of your LAN. Default gateway is the IP address of your LAN’s default gateway. Preferred DNS server is the IP address of the DNS server used by PCs on your LAN. Click OK. Attach your CyberGuard SG appliance’s Ethernet port to your LAN’s hub. Quick setup is now complete.
From a network security standpoint, it may be desirable to disable the Reset switch after initial setup has been performed. This is accomplished by removing the jumper linking CON2 on the CyberGuard SG appliance. This jumper is labeled Remove Link to Disable Erase. The CyberGuard SG Management Console The various features of your CyberGuard SG appliance are configured and monitored using the management console.
Backup/restore configuration Hover your mouse over the black backup/restore icon on the top right hand side of the screen to display the date on which configuration changes were last backed up. Click the icon to backup or restore backed up configuration; see the Backup/Restore section of the chapter entitled System for details.
3. Network Setup This chapter describes the Network Setup sections of the web management console. Here you can configure each of your CyberGuard SG appliance’s Ethernet, wireless and serial ports. It is accessed by clicking Network Setup under the Network Setup section of the main web management console menu. The QoS Traffic Shaping and IPv6 sections are also described towards the end of this chapter.
A network interface is configured by selecting a connection type from the Change Type pull down menu. The current configuration can be viewed or modified by clicking the Edit icon. Clicking the Delete icon unconfigures a network interface; you are prompted to confirm this action. Multifunction vs. Fixed-function Ports Some CyberGuard SG appliances have network ports with labels corresponding to the port’s function, i.e. LAN, DMZ and Internet/WAN. These are said to be fixed-function ports.
Note The switches’ ports cannot be configured individually; a switch is configured with a single function only (e.g., LAN switch, DMZ switch). SG560, SG565 and SG580: Multifunction Ports The CyberGuard SG560, SG565 and SG580 have generically named Ethernet ports (ports A1, A2, A3, A4 and B). By default, switch A functions as a regular LAN switch, with network traffic passing freely between its ports. Typically, port B is used as your primary Internet connection.
Direct Connection A direct connection is a direct IP connection to a network, i.e. a connection that does not require a modem to be established. This is typically a LAN, DMZ or Guest connection, but may also be an Internet connection. Network settings may be assigned statically, or dynamically by a DHCP server. Note Direct connections may be added to a network bridge; this is discussed in Bridging later in this chapter. Network settings Click the Edit icon of the interface you wish to modify.
To have your CyberGuard SG appliance obtain its LAN network settings from an active DHCP server on your local network, check DHCP assigned. Note that anything in the IP Address, Subnet Mask and Gateway fields is then ignored. You may also enter one or more DNS servers. Multiple servers may be entered separated by commas. Firewall class The Firewall class setting controls the basic allow/deny policy for this interface.
If an Ethernet port is experiencing difficulties auto-negotiating with another device, Ethernet Speed and duplex may be set manually. On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed.
For aliases on interfaces that have the DMZ or Internet firewall class, you must also set up appropriate Packet Filtering and/or Port forwarding rules to allow traffic on these ports to be passed on to the local network. See the chapter entitled Firewall for details. IPv6 Click the IPv6 tab to Enable IPv6 for this connection. Note To route and filter IPv6 traffic, you must also check the Enable IPv6 option on the IPv6 page; refer to the section entitled IPv6 towards the end of this chapter.
Select the connection method to use in establishing a connection to your ISP: PPPoE, PPTP, DHCP, or Manually Assign Settings. Note Use PPPoE if your ISP uses username and password authentication to access the Internet. Use PPTP if your ISP has instructed you to make a dial-up VPN connection to the Internet. Use DHCP if your ISP does not require a username and password, or your ISP instructed you to obtain an IP address dynamically.
PPPoE To configure a PPPoE or PPPoA connection, enter the user name and password provided by your ISP. You may also enter a descriptive Connection Name if you wish. Click Finish. Note For PPPoE/PPPoA connections, ensure your DSL modem is set to operate in bridged mode. Typically, for PPPoE connections, your DSL modem must be set to use LLC multiplexing/encapsulation. For PPPoA connections, your DSL modem must be set to use VC-based multiplexing/encapsulation.
The Local IP address is used to connect to the PPTP server and is not typically your real Internet IP address. You may also enter a descriptive Connection Name if you wish. Click Finish or Update. DHCP DHCP connections may require a Hostname to be specified, but otherwise all settings are assigned automatically by your ISP. You may also enter a descriptive Connection Name if you wish. Click Finish or Update.
The latter two settings are optional, but are generally required for normal operation. Multiple DNS addresses may be entered separated by commas. You may also enter a descriptive Connection Name if you wish. Click Finish or Update. Connection (dial on demand) You may choose to bring up a PPPoE/PPPoA DSL, dialout or ISDN connection only when PCs on the LAN, DMZ or Guest network (via a VPN tunnel) are trying to reach the Internet and disconnect again when the connection has been idle for a specified period.
Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Aliases under Direct Connection. Cable Modem To connect to the Internet using a cable Internet service, select Cable Modem from the Change Type pull down menu for the interface that connects to your cable modem. Cable Modem connections have the interface firewall class of Internet.
Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Aliases under Direct Connection. Dialout and ISDN To connect to the Internet using a regular dialup or ISDN service, select Dialout from the Change Type pull down menu for the interface that connects to your dialup modem or ISDN TA. Dialout and ISDN connections have the interface firewall class of Internet.
By default, Dialout/ISDN connections are treated as “always on” and are kept up continuously. Alternatively, you may choose to only bring the connection up when PCs on the LAN, DMZ or Guest network (via a VPN tunnel) are trying to reach the Internet. For instructions, refer to the section entitled Dial on Demand further on in this chapter. Port settings If necessary, you may set the CyberGuard SG appliance’s serial port Baud rate and Flow Control. This is not generally necessary.
If you wish, you may enter a descriptive Connection Name. Enter a free IP Address for Dial-In Clients; this must be a free IP address from the network (typically the LAN) that the remote user is assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address for Dial-In Server pull down menu. This is typically a LAN interface or alias.
• Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client passwords are transmitted unencrypted.
Select the Required Encryption Level; access is denied to remote users attempting to connect without using this encryption level. Using Strong Encryption (MPPE 128 Bit) is recommended. Select the Authentication Database. This allows you to indicate where the list of valid clients can be found.
Click Start, Settings, Network and Dial-up Connections and select Make New Connection. The network connection wizard guides you through setting up a remote access connection: Click Next to continue. Select Dial-up to private network as the connection type and click Next to continue.
Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Click Next to continue. Select the option Only for myself to make the connection only available for you.
Enter a name for the connection and click Finish to complete the configuration. Check Add a shortcut to my desktop to add an icon for the remote connection to the desktop. To launch the new connection, double-click on the new icon on the desktop. The remote access login screen appears as in the next figure. If you did not create a desktop icon, click Start -> Settings -> Network and Dial-up Connections and select the appropriate connection.
The CyberGuard SG appliance supports a wide range of configurations through which you can utilize multiple Internet connections, and even multiple CyberGuard SG appliances, to help ensure Internet availability in the event of service outage or heavy network load. The following Internet availability services are provided by the CyberGuard SG appliance. They may be configured individually, or in combination.
If you are using a CyberGuard SG appliance model SG560, SG565 or SG580, you may want to skip ahead to the section entitled Port Based VLANs later in this chapter, for information on establishing multiple broadband connections. Once the Internet connections have been configured, specify the conditions under which the Internet connections are established. Internet Failover CyberGuard SG appliances support three connection levels. A connection level consists of one or more Internet connections.
Click the Edit icon next to the connection to edit its failover parameters. The Name and Port of this connection is displayed, along with several options. Select a Test Type. The Ping test is usually appropriate.
• Ping sends network traffic to a remote host at regular intervals; if a reply is received the connection is deemed to be up.
• Custom (advanced users only) allows you to enter a custom console command to run to determine whether the connection is up.
• Test Delay is the number of seconds to wait after starting this connection before testing whether it is functioning correctly; a longer delay is used for connection types that are slow to establish, such as dialout.
• Retry Delay is the number of seconds to wait after a connection test fails before reattempting the test.
• Times to attempt this connection is the number of times to try a connection before giving up.
Ping Interval is the time to wait in between sending each ping; Failed Pings is the number of missed ping replies before this connection attempt is deemed to have failed. Click Finish. Modify failover levels (primary, secondary, tertiary) The second and final step of configuring Internet failover is associating Internet connections with the primary, secondary and optionally tertiary connection levels. Recall that a connection level is one or more connections.
First, configure the Primary connection level. If you have a single Internet connection only, setting it to Enabled or Required has the same effect. For failover to occur, you must then configure at least the secondary connection level. Click Finish. This returns you to the main Connection Failover page. You’ll notice that ticks and crosses are displayed alongside each connection, describing how they are configured for each connection level.
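The following Python model is an added illustration and not the appliance's own failover code (which this manual does not show): it simulates how the Test Delay, Retry Delay, Times to attempt this connection, Ping Interval and Failed Pings settings combine to decide when a connection is deemed up or finally given up on, so that you can see how long an outage goes unnoticed before the next failover level takes over. The settings values and the two ping scenarios are constructed for the example; the real appliance's internal timing may differ.

```python
"""Model of the Ping connection test used by Internet failover.

Added illustration, not the appliance's own code. A scripted reply function
stands in for real ping traffic so the decision logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class FailoverSettings:
    """Per-connection settings from the Connection Failover page."""
    test_delay: int     # Test Delay: seconds to wait after starting the connection
    retry_delay: int    # Retry Delay: seconds to wait after a failed test before retrying
    attempts: int       # Times to attempt this connection
    ping_interval: int  # Ping Interval: seconds between pings within one attempt
    failed_pings: int   # Failed Pings: missed replies before an attempt is deemed failed


@dataclass
class TestResult:
    up: bool
    decided_at: int      # virtual time (seconds) of the decisive ping
    attempts_used: int
    pings: List[Tuple[int, int, bool]] = field(default_factory=list)  # (time, attempt, replied)


def run_connection_test(settings: FailoverSettings,
                        reply_at: Callable[[int], bool],
                        start: int = 0) -> TestResult:
    """Simulate the Ping test on a virtual clock.

    reply_at(t) returns True when a ping sent at virtual time t would be
    answered. Within one attempt, pings go out every ping_interval seconds;
    the first reply proves the link up, while failed_pings consecutive misses
    fail the attempt. After `attempts` failed attempts (retry_delay apart) the
    connection is given up on, which is when the next failover level is used.
    """
    if settings.attempts < 1 or settings.failed_pings < 1:
        raise ValueError("attempts and failed_pings must be at least 1")
    t = start + settings.test_delay
    pings: List[Tuple[int, int, bool]] = []
    for attempt in range(1, settings.attempts + 1):
        for miss in range(settings.failed_pings):
            if miss:
                t += settings.ping_interval
            replied = reply_at(t)
            pings.append((t, attempt, replied))
            if replied:
                return TestResult(True, t, attempt, pings)
        if attempt < settings.attempts:
            t += settings.retry_delay
    return TestResult(False, t, settings.attempts, pings)


def worst_case_detection_seconds(settings: FailoverSettings) -> int:
    """Seconds from starting the connection until a dead link is finally given up on."""
    per_attempt = (settings.failed_pings - 1) * settings.ping_interval
    return (settings.test_delay
            + settings.attempts * per_attempt
            + (settings.attempts - 1) * settings.retry_delay)


# Constructed example settings (illustrative values, not factory defaults).
SETTINGS = FailoverSettings(test_delay=10, retry_delay=30, attempts=3,
                            ping_interval=5, failed_pings=3)


def link_restored_at_60(t: int) -> bool:
    """Constructed scenario: the remote host only answers from t = 60 s onwards."""
    return t >= 60


def link_dead(t: int) -> bool:
    """Constructed scenario: the remote host never answers."""
    return False


if __name__ == "__main__":
    for name, scenario in (("restored at 60 s", link_restored_at_60), ("dead", link_dead)):
        r = run_connection_test(SETTINGS, scenario)
        print(f"{name}: up={r.up} decided_at={r.decided_at}s attempts={r.attempts_used}")
    print("worst case before giving up:", worst_case_detection_seconds(SETTINGS), "s")
```

With these constructed values a link that comes back at 60 s is declared up by the second attempt, and a dead link is only abandoned after 100 s (Test Delay, plus three attempts of three pings 5 s apart, plus two Retry Delays); lowering Failed Pings or Retry Delay shortens that window at the cost of more false failovers on a lossy link.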
The Internet connections need not be the same, e.g. you can perform load balancing between a PPPoE ADSL connection on one network port, and a Cable Internet connection on the other. Enabling load balancing Under the Failover & H/A tab, click Modify Levels. Check Load Balance for each connection to enable for load balancing. Click Finish. Note Load balancing settings are not specified for each failover level; load balancing occurs when any two or more load balancing connections are up.
Limitations of load balancing Load balancing works by alternating outgoing traffic across Internet connections in a round robin manner. It does not bond both connections together to work as one link, e.g. it does not bond two 512 kbit/s links to function as a single 1 Mbit/s link. Total bandwidth and available bandwidth are not taken into account when choosing a connection on which to send outgoing traffic.
This floating IP address is in addition to the primary IP addresses of the two devices (e.g. 192.168.1.2 and 192.168.1.3) for the interface on the network segment. The floating IP address and primary IP addresses of the two devices need not be part of the same network (e.g. 192.168.1.0/24), but typically will be. As far as hosts on the network are concerned, they may use either a device's primary IP address to address a particular device, or the floating IP address to use whichever device is currently up.
ipaddr is the floating IP address. You do not need to manually configure this address on either unit; the script handles this internally. alias is an alias interface name, such as eth0:9, on which to configure ipaddr when this device is the master. If you do not specify an alias, the script automatically selects eth0:9. -d enables extra debug output to the system log. -n disables the High Availability or HA LED, if it is present on your CyberGuard SG appliance.
DMZ Network Note Not available on the SG300, SG530, SG550 or CyberGuard SG PCI appliances. A DMZ (de-militarized zone) is a physically separate LAN segment, typically used to host servers that are publicly accessible from the Internet. Servers on this segment are isolated to provide better security for your LAN. If an attacker compromises a server on the LAN, then the attacker immediately has direct access to your LAN.
Configuring a DMZ connection Select Direct Connection from the Configuration pull down box of the network port to be connected to the DMZ. Enter appropriate IP address settings and select DMZ from Firewall Class pull down menu. Configuring a Direct Connection is described in detail in the section entitled Direct Connection towards the beginning of this chapter.
You may also want to configure your CyberGuard SG appliance to allow access from servers on your DMZ to servers on your LAN. By default, all network traffic from the DMZ to the LAN is dropped. See the section called Packet Filtering in the chapter entitled Firewall. Guest Network Note Not available on the SG300, SG530, SG550 or CyberGuard SG PCI appliances. The intended usage of Guest connections is for connecting to a Guest network, i.e. an untrusted LAN or wireless network.
Machines on the Guest network typically have addresses in a private IP address range, such as 192.168.2.0 / 255.255.255.0 or 10.2.0.0 / 255.255.0.0. For network address translation (NAT) purposes, the Guest connection is considered a LAN interface, i.e. the NAT checkboxes for LAN interfaces under Advanced modify settings for both LAN connections and Guest connections. See the Network address translation section later in this chapter for further information.
Wireless Note SG565 only. The CyberGuard SG appliance’s wireless interface may be configured as a wireless access point, accepting connections from 802.11b (11mbit/s) or 802.11g (54mbit/s) capable wireless clients. Typically, the CyberGuard SG appliance’s wireless interface is configured in one of two ways; with strong wireless security (WPA) to bridge wireless clients directly onto your LAN, or with weak wireless security as a Guest connection.
Warning We strongly recommend that the wireless interface be configured as a LAN connection only if wireless clients are using WPA-PSK encryption/authentication. This is discussed in further detail later in this section. Configuring a Direct Connection is described in detail in the section entitled Direct Connection towards the beginning of this chapter. See the sections DMZ Network and Guest Network earlier in this chapter for further discussion of these network types.
ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a wireless network. This value is case sensitive, and may be up to 32 alphanumeric characters. Broadcast ESSID: Enables broadcasting of the ESSID. This makes this wireless network visible to clients that are scanning for wireless networks.
If Security Method is set to None, any client is allowed to connect, and there is no data encryption. Warning If you use this setting, then it is highly recommended that you configure wireless interface as a Guest connection, disable bridging between clients, and only allow VPN traffic over the wireless connection. WEP security method WEP (Wired Equivalent Privacy) allows for 64 or 128 bit encryption.
WEP Key Length: This sets the length of the WEP keys to be entered below. It is recommended to use 128 bit keys if possible. WEP Key: Enter up to 4 encryption keys. These must be either 10 hexadecimal digits (0 – 9, A – F) for 64 bit keys, or 26 hexadecimal digits for 128 bit keys. You must also select one of the 4 keys to be the default transmit key.
When the Access Control List is disabled (Disable Access Control List), any wireless client with the correct ESSID (and encryption key if applicable) can connect to the wireless network. For additional security, you can specify a list of MAC addresses (network hardware addresses) to either allow or deny.
Advanced To edit access control list settings, click the Edit icon alongside the Wireless network interface, click the Wireless Configuration tab, then the Advanced tab. Region: Select the region in which the access point is operating. This restricts the allowable frequencies and channels. If your region is not listed, select a region that has similar regulations. Protocol: • 802.11b only: Wireless clients can only connect using 802.11b (11mbit/s). Note that most wireless clients which support 802.
Preamble Type: The preamble is part of the physical wireless protocol. Using a short preamble can give higher throughput. However, some wireless clients may not support short preambles. Enable RTS: RTS (Request to Send) is used to negotiate when wireless clients can transmit. If you have two wireless clients that are out of range of each other, but both still within range of the access point, they may both attempt to transmit at the same time, causing a collision.
Connecting wireless clients The following steps detail how to configure your CyberGuard SG appliance to bridge between its wireless and LAN interfaces. The result of this configuration would be similar to attaching a wireless access point in bridge mode to one of the CyberGuard SG appliance’s LAN ports. Individual settings and fields are detailed earlier in the Wireless section.
Select Allow authentication for MACs in the Access Control List and click Apply. Add the MAC address of each wireless client you wish to allow to connect. Click Advanced. Ensure the Region has been set appropriately. You may also restrict the Protocol to 802.11b only or 802.11g only if you wish. Generally, the other settings should be left at their default values. Click Apply. Click the Connections tab.
Under the main table, select Bridge and click Add. Select your wired LAN connection from the Existing Interface Configuration pull down box. This is the address to share between the interfaces. Click Next.
Alongside the wireless interface, check Bridged and select LAN from the Firewall Class pull down menu. Click Finish. Note If your LAN interface was previously configured to obtain an IP address automatically from a DHCP server, the CyberGuard SG appliance now uses the MAC address of the wireless device when obtaining an IP address. You may have to update your DHCP server accordingly. Configure each wireless client with the Channel, ESSID, WPA Key and WPA Encryption method.
Another advantage is that network traffic not usually routed by an unbridged interface, such as broadcast packets, multicast packets, and any non-IP protocols such as IPv6, IPX or Appletalk, passes over the bridge to its destination host. Bridging network interfaces involves creating a Bridge interface, then associating existing network interfaces with it. Warning You must trust all devices that are directly connected to bridged interfaces.
If you wish to transfer the IP address settings of an existing network connection to the bridge interface, select it from the Existing Interface Configuration pull down menu. Click Next. Note As the CyberGuard SG appliance automatically directs network traffic, hosts on either side do not need to specify this IP address as a gateway to the networks connected to the bridge.
You may want to Enable Spanning Tree Protocol if you have multiple bridges on your network. It allows the bridges to exchange information, helping eliminate loops and find the optimal path for network traffic. Forwarding Delay is the time in seconds between when the bridge interface comes online and when it begins forwarding packets. This usually only occurs when the unit first boots, or the bridge configuration is modified.
A guide to bridging across an IPSec tunnel using GRE is provided in the section entitled GRE over IPSec in the Virtual Private Networking chapter. VLANs Note VLANs are not supported by the SG300. VLAN stands for virtual local area network. It is a method of creating multiple virtual network interfaces using a single physical network interface. Packets in a VLAN are simply Ethernet packets that have an extra 4 bytes immediately after the Ethernet header.
Note Additionally, switch A on the SG560, SG565 and SG580 (but not the SG710 or SG710+) supports port based VLANs. One benefit of this feature is that you are able to assign individual functions to each of the ports on the switch, e.g. you might decide to use port A2 to connect to a DMZ, and port A3 as a second Internet connection. See the section entitled Port Based VLANs later in this chapter for details.
Removing VLANs To remove a VLAN, click the Delete icon alongside the VLAN interface in the main Network Setup -> Connections table. Port Based VLANs Note SG560, SG565 and SG580 only. The CyberGuard SG560, SG565 and SG580 have a VLAN-capable switch built in. This gives you the flexibility to either use it as a simple switch that allows access between all ports (this is the default), or use port based VLANs to control access between each individual port in the switch.
Typically, a tagged VLAN interface is used when you want to join an existing VLAN on the network, and an untagged VLAN interface is used when you are using the port based VLAN feature to isolate the ports so that you can configure each of them individually. Limitations of port based VLANs There are a few further limitations to keep in mind when using port based VLANs: • The total bandwidth from the switch into the CPU is 100Mbps, which is shared between the 4 ports.
The following settings pertain to port based VLANs: • Enable port based VLANs: Check to enable port based VLANs. • Default port based VLAN ID: As the default VLAN is always untagged, typically you only need to change this from the default setting of 2 if you want another port to participate on an existing tagged VLAN with the ID of 2.
The following settings are displayed: • Interface: The port based VLAN capable interface on which to add the VLAN. • VLAN ID: If you are adding a VLAN interface to participate on an existing VLAN, enter its ID number here. Otherwise enter the next available VLAN ID; if the Default port based VLAN ID has been left at its default setting of 2, Port A2 uses VLAN ID 3, Port A3 uses VLAN ID 4, and so on. Note Some Cisco equipment uses tagged VLAN 1 for its own purposes.
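The VLAN tag described in the VLANs section above (4 extra bytes after the Ethernet header) and the port based VLAN numbering just described, as an added example that is not CyberGuard code. The sample frames are constructed inline, and the numbering helper assumes (the page does not say) that port A1 stays on the default VLAN.

```python
"""Parse 802.1Q-tagged Ethernet frames and apply the manual's port based VLAN numbering.

Added example, not CyberGuard code. The sample frames are constructed inline and
the numbering helper assumes (not stated on the page) that port A1 stays on the
default VLAN.
"""
import struct
from typing import Optional

ETH_HDR_LEN = 14       # dst MAC (6) + src MAC (6) + EtherType (2)
TPID_8021Q = 0x8100    # EtherType value that announces the 4-byte VLAN tag
TAG_LEN = 4


def parse_frame(frame: bytes) -> dict:
    """Return MAC addresses, EtherType and, if tagged, the VLAN tag fields.

    A tagged frame carries 4 extra bytes immediately after the source MAC:
    TPID (0x8100) followed by the TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID).
    The real EtherType then follows the tag.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan_id": None, "priority": None, "dei": None,
    }
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload_start = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("frame announces a VLAN tag but is truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(priority=tci >> 13, dei=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        payload_start += TAG_LEN
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - payload_start
    return info


def check_vlan_id(vid: int) -> Optional[str]:
    """Return a warning for VLAN IDs that should not be used for a new interface."""
    if not 0 <= vid <= 4095:
        return "VLAN ID must fit in the 12-bit VID field (0-4095)"
    if vid in (0, 4095):
        return "VLAN IDs 0 and 4095 are reserved by 802.1Q"
    if vid == 1:
        return "VLAN 1 is used by some Cisco equipment for its own purposes"
    return None


def port_based_vlan_id(port: str, default_vid: int = 2) -> int:
    """Suggested VLAN ID for switch port A<n>, following the manual's numbering.

    With the Default port based VLAN ID left at 2, port A2 uses 3, A3 uses 4,
    and so on. Assumption: port A1 remains on the default VLAN.
    """
    if len(port) < 2 or port[0] != "A" or not port[1:].isdigit() or int(port[1:]) < 1:
        raise ValueError("expected a switch port name such as A2")
    return default_vid + int(port[1:]) - 1


# Constructed sample frames (not captured from a real network).
TAGGED_FRAME = (
    bytes.fromhex("001122334455")                      # destination MAC
    + bytes.fromhex("66778899aabb")                    # source MAC
    + struct.pack("!HH", TPID_8021Q, (5 << 13) | 3)    # tag: priority 5, DEI 0, VLAN 3
    + struct.pack("!H", 0x0800)                        # IPv4 follows the tag
    + bytes([0x45, 0x00]) + bytes(18)                  # stub IPv4 header
)
UNTAGGED_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!H", 0x0806) + bytes(28)            # ARP, no tag
)

if __name__ == "__main__":
    for frame in (TAGGED_FRAME, UNTAGGED_FRAME):
        print(parse_frame(frame))
    for port in ("A2", "A3", "A4"):
        vid = port_based_vlan_id(port)
        print(port, vid, check_vlan_id(vid) or "ok")
```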
Refer to the section entitled Tagged and untagged VLANs earlier in this chapter for further discussion of these settings. Click Update. This VLAN interface now appears in the Connections table, and you may configure it as you would any other network interface. Editing port based VLANs Once a VLAN has been added, you may edit the settings you entered in Adding port based VLANs by clicking its Edit icon in the main Network Setup -> Connections table.
Ensure Enable is checked and enter a descriptive GRE Tunnel Name for this tunnel. Enter the address of the remote GRE endpoint in Remote Address, e.g. the Internet IP address of a remote CyberGuard SG appliance. Enter the address of the local GRE endpoint in Local Address. This is typically a free address on your main LAN. If your LAN connection has an alias address, it may also be a free address on the alias network.
6. Modify the firewall. In this example we use a dummy alias network of 10.254.0.0 / 255.255.0.0 to bridge two example local networks, one at Brisbane and one at Slough. These steps must be repeated for either end of the tunnel. Note that the two locations are using the same subnet. CyberGuard SG appliance in Brisbane Internet address: 203.23.45.6 LAN address: 192.168.1.1 LAN alias: 10.254.0.1 LAN: 192.168.1.0 / 24 CyberGuard SG appliance in Slough Internet address: 195.45.67.8 LAN address: 192.
Create an IPSec tunnel between Brisbane and Slough. Select IPSec from the VPN section of the main menu and click New. For a complete overview of all available options when setting up an IPSec tunnel, refer to the IPSec section earlier in this chapter. Take note of the following important settings: Set the local party as a single network behind this appliance. Set the remote party as single network behind a gateway. For the Slough end’s Phase 2 Settings, specify the Local Network as 10.254.0.1 / 255.255.255.
At the Brisbane end, click Packet Filtering, the Custom Firewall Rules tab and add this custom firewall rule: iptables -I OUTPUT ! -o ipsec+ -d 10.254.0.1 -j DROP Click Update. GRE troubleshooting • Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set up on the GRE tunnel to the remote network. Ensure that there is a route on the remote GRE endpoint to the network at this end of the GRE tunnel. Check that there is a GRE interface created on the device.
Click New to add a static route. Target Address and Subnet mask identify the destination network or host. You may also specify an Interface out which the network traffic should be routed, a Gateway Address through which the network traffic should be routed, and a Metric for this route. Route management Note Route management does not have full GUI configuration support.
If a comment character is not the first character of the word, it's a normal character. In the example below, ! is not regarded as a comment and the password is set to zebra!password: password zebra!password In these examples, ! denotes a descriptive comment, and # indicates a configuration line that is currently commented out, that you may want to uncomment depending on your network setup. In zebra.
! Enable the RIP routing process router rip ! Define interfaces which exchange RIP messages over network eth0 #network eth2 ! Define neighbor routers to exchange RIP with if disabling multicast above in zebra.conf, or neighbors don't have multicast enabled #neighbor 192.168.45.238 #neighbor 192.168.45.
OSPF Note This example is adapted from the LARTC (Linux Advanced Routing & Traffic Control) dynamic routing howto, available from: http://lartc.org/howto/ LARTC is an invaluable resource for those wanting to learn about and take advantage of the advanced routing capabilities of Linux systems. OSPF stands for Open Shortest Path First, and some of its principal features are: • Networks are grouped by areas, which are interconnected by a backbone area which will be designated as area 0.
The CyberGuard SG is configured to exchange routes with the routers named Atlantis, Legolas and Frodo. Ensure you have enabled OSPF under Route Management, then open zebra.conf and ospfd.conf for editing as described in the Route management section. In zebra.
! Uncomment and set telnet/vty passwords to enable telnet access on port 2604 #password changeme #enable password changeme ! Instruct ospfd about our network topology router ospf network 192.168.0.0/24 area 0 network 172.17.0.0/16 area 1 Restart route management to enable the updated configuration – uncheck Enable route management, click Update, check Enable route management and click Update.
Note The AS numbers used in this example are reserved, please get your own AS from RIPE if you set up official peerings. Ensure you have enabled BGP under Route Management, then open zebra.conf and bgpd.conf for editing as described in the Route management section. In zebra.conf, enter: hostname cyberguard-sg ! Uncomment and set telnet/vty passwords to enable telnet access on port 2602 #password changeme #enable password changeme In bgpd.
access-list local_nets deny any ! Our AS number router bgp 1 ! Our IP address bgp router-id 192.168.0.1 ! Announce our own network to other neighbors network 192.168.0.0/24 ! Advertise all connected routes (directly attached interfaces) redistribute connected ! Advertise kernel routes (manually inserted routes, IPSec) redistribute kernel ! Every 'router bgp' block contains a list of neighbors to which the router is connected: neighbor 192.168.1.1 remote-as 2 neighbor 192.168.1.
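The comment rule given at the start of the Route management section (a ! or # only starts a comment when it begins a word), applied to a bgpd.conf fragment like the one above, as an added example that is neither CyberGuard's nor Quagga's own code. The sample configuration is constructed, and the audit only flags the two things the section itself draws attention to: a vty password enables telnet access to the daemon, and changeme is the placeholder value.

```python
"""Classify zebra/ripd/ospfd/bgpd configuration lines and audit vty passwords.

Added example, not CyberGuard or Quagga code. Follows the manual's rule that
'!' and '#' begin a comment only as the first character of a word; the sample
configuration below is constructed.
"""
from typing import List, Tuple

COMMENT_CHARS = ("!", "#")
PLACEHOLDER_PASSWORDS = {"changeme"}   # the manual's placeholder value


def strip_comment(line: str) -> Tuple[str, str]:
    """Return (command, marker): the command text before any comment and the
    character that started the comment ('' if none). A '!' or '#' inside a word,
    as in 'zebra!password', is an ordinary character."""
    words = line.split()
    for i, word in enumerate(words):
        if word[0] in COMMENT_CHARS:
            return " ".join(words[:i]), word[0]
    return " ".join(words), ""


def classify(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Split a config into active commands, '#'-commented-out commands and '!' notes."""
    active, commented_out, comments = [], [], []
    for raw in text.splitlines():
        command, marker = strip_comment(raw)
        if command:
            active.append(command)
        elif marker == "#":
            commented_out.append(raw.strip().lstrip("#").strip())
        elif marker == "!":
            comments.append(raw.strip().lstrip("!").strip())
    return active, commented_out, comments


def audit_vty_passwords(active: List[str]) -> List[str]:
    """Report whether telnet/vty access is enabled and whether a placeholder remains."""
    findings = []
    for cmd in active:
        words = cmd.split()
        if words[:1] == ["password"] or words[:2] == ["enable", "password"]:
            label = "vty" if words[0] == "password" else "enable"
            value = words[-1]
            if value in PLACEHOLDER_PASSWORDS:
                findings.append(f"{label} password is still the placeholder '{value}'")
            elif label == "vty":
                findings.append("vty password set: telnet access to the daemon is enabled")
    return findings


# Constructed sample modelled on the page's bgpd.conf fragment.
SAMPLE_CONF = """\
hostname cyberguard-sg
! Uncomment and set telnet/vty passwords to enable telnet access on port 2602
#password changeme
#enable password changeme
password zebra!password
! Our AS number
router bgp 1
! Our IP address
bgp router-id 192.168.0.1
network 192.168.0.0/24
redistribute connected
#neighbor 192.168.1.1 remote-as 2
"""

if __name__ == "__main__":
    active, commented_out, comments = classify(SAMPLE_CONF)
    print("active:", active)
    print("commented out:", commented_out)
    print("findings:", audit_vty_passwords(active))
```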
If network shares or printers are being shared, this is the computer name that is displayed when browsing the network from a Windows PC (SG565 only). Workgroup/domain Note SG565 only. The Workgroup/Domain is the Windows workgroup or domain with which to share printers or network shares. These shared resources are not visible to machines on the LAN that are not members of this workgroup or domain.
Check Enable DNS proxy to enable this feature. If you are using the CyberGuard SG appliance’s DHCP server, you may also check Update DNS with local DHCP leases. This allows the CyberGuard SG appliance’s DNS proxy to look up the names of devices that have requested IP addresses. Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by hosts on the Internet. Dynamic DNS service providers such as TZO.com and dyndns.
To configure your CyberGuard SG appliance as a DHCP server, you must set a static IP address and netmask on the network interface on which you want the DHCP server to run; see the Direct Connection section of the chapter entitled Network Connections. To begin configuring the CyberGuard SG appliance’s DHCP server, select DHCP Server from the Network Setup section of the web management console’s main menu.
• Optionally enter a Domain Name suffix to issue DHCP clients. • Optionally enter the IP address of the WINS server to be distributed to DHCP clients in the WINS Address field. • Enter the Default Lease Time and Maximum Lease Time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must re-request it. • Enter the IP address or range of IP addresses (see the appendix entitled IP Address Ranges) to be issued to DHCP clients in the Address Range field.
• Reserved: the address is reserved for the particular host defined by hostname and MAC address • Free: the address is available to be handed out to any DHCP client host • Taken: the address has been issued to a host Adding and removing addresses Under Add/Remove Dynamic IP Addresses, enter the IP address or IP address range and click Add or Remove. To remove an address, you may also click its Delete icon under the Address List.
• Enter the MAC address of the DHCP client. • Enter the reserved IP address for the DHCP client. Click Submit. DHCP status This main DHCP server page displays the status for each interface on which the DHCP server is running. There are Edit, Delete and Enable/Disable icons displayed for each Interface. The Subnet is the network on which the DHCP server is handing out addresses. Free Addresses displays the number of remaining available IP addresses that can be distributed.
Web Cache Note SG565, SG575, SG635 and CyberGuard SG rack mount appliances only. Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s proxy-cache server to reduce Internet access time and bandwidth consumption. A proxy-cache server implements Internet object caching. This is a way to store requested Internet objects (i.e., data available via HTTP, FTP, and other protocols) on a server closer to the user's network than on the remote site.
Check Enable to enable the web cache. Selecting a cache size Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for caching Internet objects. The maximum amount of memory you can safely reserve depends on what other services the CyberGuard SG appliance has running, such as VPN or a DHCP server. If you are using a Network Share (recommended, see below), it is generally best to set this to 8 Megabytes.
Refer to your operating system’s documentation for details on creating a network share. What follows are some basic instructions for creating a network share under Windows XP. • Create a new user account: Note We recommend that you create a special user account to be used by the CyberGuard SG appliance for reading and writing to the network share. If you have an existing account or wish to make the network share readable and writeable by everyone, you may skip the next step.
Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate as a network share for use by the CyberGuard SG appliance’s web cache. Begin by disabling simple file sharing for this folder. From the Tools menu, select Folder Options. Click the View tab and under the Advanced settings section uncheck Use simple file sharing (Recommended). Click OK. Next, share the folder. Right click on the folder and select Sharing and Security.
Under the Network Share tab, check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename Enter the maximum size for the cache in Cache size. Warning Cache size should not be more than 90% of the space available to the network share, e.g. if you shared a drive with 1 gigabyte of available storage, specify a Cache size of 900 megabytes. Enter the Username and Password for a user that can read and write to the network share.
First of all, the messages transmitted by a cache to locate a specific object are sent to Sibling caches, which are placed at the same level in the hierarchy. Then, the caches placed at the Parent level are queried if the replies from sibling caches did not succeed. Enter the host or IP address of an ICP capable web cache peer in Host, then select its relationship to the CyberGuard SG appliance’s web cache (as described above) from Type and click Apply.
Check Enable ICAP functionality to enable the ICAP features of the CyberGuard unit's web cache. ICAP REQMOD server is the URL for an ICAP server's REQMOD service. This allows an ICAP server to modify web transaction requests, i.e. to process as they are being initially requested by the LAN PC, e.g. for URL filtering. It must begin with icap://, e.g.: icap://192.168.0.10:1344/reqmod ICAP RESPMOD server is the URL for an ICAP server's RESPMOD service.
Transparent web cache with access control You may choose to have the web cache and access controls, including content filtering and anti-virus, operate transparently. Transparent operation filters and caches web traffic regardless of whether or not the clients on the LAN have specified an HTTP proxy in their web browsers. Select Packet Filtering from the Firewall menu, and click the Custom Firewall Rules tab.
QoS autoshaper The Auto Traffic Shaper uses a set of inbuilt traffic shaping rules to attempt to ensure low latency on interactive connections, while maintaining fast throughput on bulk transfers. Click Edit next to the network interface on which you wish to enable the autoshaper. Click Enable and enter the Outbound Speed (upstream speed) of this interface’s network connection in megabits per second. Click Finish.
Check Enable Traffic Shaping, select a Default priority and click Submit to enable this feature. The Default priority is assigned to all network services other than those specifically added below. To add a service, click New then New again. Select the Protocol and Port on which this service runs. Select a Priority for this service and click Finish. IPv6 Check Enable IPv6 to enable IPv6 routing and packet filtering. Support for IPv6 is currently limited.
4. Firewall The CyberGuard SG appliance is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access, so that PCs on local networks can have tailored Internet access facilities while being shielded from malicious attacks from external networks. The CyberGuard SG appliance’s stateful firewall keeps track of outgoing connections (e.g.
Administration services The following figure shows the Administration Services page: By default the CyberGuard SG appliance runs a web administration server, a Telnet and an SSH service. Access to these services can be restricted to specific interfaces. Typically, access to the web management console (Web/SSL Web) is restricted to hosts on your local network (LAN Interfaces).
You can also select to Accept echo request (incoming port) on Internet interfaces. The default is to disallow echo requests, so your CyberGuard SG appliance does not respond to pings on its Internet interfaces. This may make it more difficult for external attackers scanning for hosts to discover your CyberGuard SG appliance. Destination unreachable ICMP messages are always accepted. Web Server Click the Web Server tab to configure the CyberGuard SG appliance’s administrative web server.
By default, the web management console runs on the default HTTP port (i.e. 80). After changing the web server port number, you must include the new port number in the URL to access the pages. For example, if you change the web administration to port number 88, the URL to access the web administration is similar to: http://192.168.0.1:88 SSL/HTTPS (Secure HTTP) Note Not available on the SG300, SG530, SG570 or SG630.
Upload SSL certificates If you have purchased or created SSL certificates for a web server, you can upload them to the CyberGuard SG appliance under the Upload SSL certificates tab. Click Browse to locate the Local Certificate (RSA x509 certificate) and its corresponding Private Key Certificate. Create SSL certificates To create a self-signed certificate on the CyberGuard SG appliance, click the Create SSL certificates tab.
A typical use of NAT rules is to forward packets destined for your Internet IP address to an internal web server or email server on your LAN. This is known as a port forward, or destination NAT as it alters the destination address of the packet. The first step in creating packet filter or NAT rules, is to define services (such as web or email) and addresses (such as your internal web server, or a trusted external host) under Definitions.
A service group can be used to group together similar services. For example, you can create a group of services that you wish to allow, and then use a single rule to allow them all at once. Select the services from the list of predefined services, or enter the port number to define a custom TCP, UDP, ICMP or IP service. A service may belong to multiple service groups. Addresses Addresses are a single IP address, or range of IP addresses, or a DNS hostname.
Adding or modifying an address is shown in the following figure: You may either add a Single Address or Range or DNS Hostname. You may also group previously added addresses together by defining an Address Group to simplify your firewall ruleset. Select how you would like to add the address or addresses, and click New. Either enter the DNS Hostname, the IP Address or address range and an optional descriptive Name, or select the addresses to group and enter a descriptive Name. Click Finish.
Packet Filtering Packet filter rules match traffic based on a combination of the source and destination address, incoming and outgoing interface, and destination service. Matched packets may be allowed or disallowed. Packet filter rules Click Packet Filter Rules. Click New to add a new filter rule. Any rules that have already been defined are displayed; you may Edit or Disable/Enable these rules by clicking the appropriate icon.
The first matching rule determines the action for the network traffic, so the order of the rules is important. You can use the Move Up and Move Down icons to change the order. The rules are evaluated top to bottom as displayed on screen. Adding or modifying a rule is shown in the following figure: The Action specifies what to do if the rule matches. • Accept means to allow the traffic. • Drop means to disallow the traffic.
The Source Address is the address that the traffic is arriving from. The Destination Address is the address that the traffic is destined to. Warning The previous four fields may be set to Any. Any does not match traffic sent or received by the CyberGuard SG appliance itself, only traffic passing through it. The four fields above may also be set to None. None matches network traffic originating from or destined for the CyberGuard SG appliance itself.
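The first-match ordering and the Any/None semantics described above, as an added example that is not CyberGuard code and does not claim to reproduce the appliance's implementation. The appliance addresses, rules and packets are constructed; the LAN and DMZ interface names are assumptions.

```python
"""First-match packet filter evaluation with the Any/None address semantics.

Added example, not CyberGuard code. It models the rule ordering and the Any/None
behaviour described on the page; the appliance addresses, rules and packets are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"    # matches only traffic passing through the appliance
NONE = "None"  # matches traffic sent by or destined for the appliance itself

# Constructed: the appliance's own interface addresses (LAN and Internet side).
APPLIANCE_ADDRESSES = {ipaddress.ip_address(a) for a in ("192.168.1.1", "203.0.113.10")}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str]   # None when the appliance itself generated the packet
    out_if: Optional[str]  # None when the appliance itself is the destination
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str            # "Accept" or "Drop"
    in_if: str = ANY
    out_if: str = ANY
    src: str = ANY         # ANY, NONE, a single address, a CIDR network or an "a-b" range
    dst: str = ANY
    proto: str = ANY
    dport: Optional[int] = None   # None means any port


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == ANY:
        return ip not in APPLIANCE_ADDRESSES
    if spec == NONE:
        return ip in APPLIANCE_ADDRESSES
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def _iface_matches(spec: str, iface: Optional[str]) -> bool:
    if spec == ANY:
        return iface is not None   # Any never matches locally sent/received traffic
    if spec == NONE:
        return iface is None
    return spec == iface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        _iface_matches(rule.in_if, pkt.in_if)
        and _iface_matches(rule.out_if, pkt.out_if)
        and _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
        and rule.proto in (ANY, pkt.proto)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "Drop") -> str:
    """Rules are evaluated top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return f"{rule.action} ({rule.name})"
    return f"{default} (no rule matched)"


# Constructed rules: permit one LAN host to reach the DMZ web server, block the rest.
ALLOW_WEB = Rule("LAN host to DMZ web", "Accept", in_if="LAN", out_if="DMZ",
                 src="192.168.1.10", dst="10.0.0.5", proto="tcp", dport=80)
DROP_LAN_DMZ = Rule("block LAN to DMZ", "Drop", in_if="LAN", out_if="DMZ")
ALLOW_ADMIN = Rule("LAN to web console", "Accept", in_if="LAN", out_if=NONE,
                   src="192.168.1.0/24", dst=NONE, proto="tcp", dport=80)

WEB_PKT = Packet("192.168.1.10", "10.0.0.5", "LAN", "DMZ", "tcp", 80)
ADMIN_PKT = Packet("192.168.1.10", "192.168.1.1", "LAN", None, "tcp", 80)

if __name__ == "__main__":
    print(evaluate([ALLOW_WEB, DROP_LAN_DMZ], WEB_PKT))      # specific rule first: Accept
    print(evaluate([DROP_LAN_DMZ, ALLOW_WEB], WEB_PKT))      # broad rule shadows it: Drop
    print(evaluate([DROP_LAN_DMZ, ALLOW_ADMIN], ADMIN_PKT))  # Any skips local traffic
```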
Configuring the CyberGuard SG appliance’s firewall via the Incoming Access and Outgoing Access and Packet Filtering configuration pages is adequate for most applications. Refer to Appendix C – System Log for details on creating custom log rules using iptables. Network Address Translation (NAT) Network address translation (NAT) modifies the IP address and/or port of traffic traversing the CyberGuard SG appliance. The CyberGuard SG appliance supports several types of network address translation.
Click Port Forwarding. Any rules that have already been defined are displayed; you may Edit or Disable/Enable these rules by clicking the appropriate icon. Click New to add a new rule. You may also add a new rule above an existing one by clicking the Add Above icon, or below with Add Below. Note The first matching rule determines the action for the network traffic, so the order of the rules is important. You can use the Move Up and Move Down icons to change the order.
In this example, port 2222 is used rather than the standard SSH port of 22; this is to allow remote access using SSH to the CyberGuard SG appliance itself, which runs an SSH server on port 22. So a remote user connects to port 2222 on the CyberGuard SG appliance’s Internet address in order to access port 22 of barry’s server.
Source Address The address from which the request originated (for port forwarding you may specify this to restrict the internal service to be only accessible from a specific remote location) Note When adding a rule, you may either use Predefined addresses or services that have been added under Definitions, or click New to manually enter an address or service.
Check one or both of IMAP4 (E-Mail) if your server supports IMAP mail retrieval and POP3 (E-Mail) if your server supports POP3 mail retrieval. Enter smtp in Other TCP Ports. This is the protocol remote clients use for sending mail via the server. Click Finish. Click NAT, the Port Forwarding tab, then New. Click Advanced at the bottom of the page.
Enter Mail server In Descriptive Name. Leave Enable and Create Packet Filter Rule checked. Leave Incoming Interface and Source Address as Any. Select your Internet connection in Destination Address. Click Predefined next to Services. Select E-Mail from Services. Enter your internal email server’s IP address in To Destination Address. Click Finish.
Source NAT Source NAT alters the source address of packets received by the CyberGuard SG appliance. This is typically used for fine tuning the CyberGuard SG appliance’s masquerading behaviour. See the Masquerading section later in this chapter for information on altering the basic masquerading relationships between your CyberGuard SG appliance’s interfaces. Click Source NAT. Any rules that have already been defined are displayed; you may Edit or Disable/Enable these rules by clicking the appropriate icon.
Descriptive Name An arbitrary name for this rule. This rule is applied to packets that match the criteria described by the next four fields.
You may also add a new rule above an existing one by clicking the Add Above icon, or below with Add Below. Note The first matching rule determines the action for the network traffic, so the order of the rules is important. You can use the Move Up and Move Down icons to change the order. The rules are evaluated top to bottom as displayed on screen.
Masquerading Masquerading is a form of source network address translation (NAT). It translates many addresses (such as private LAN IP addresses) into a single address (such as the external Internet IP address). Masquerading has the following advantages: • All machines on the local network can access the Internet using a single ISP account. • Only one public IP address is used and is shared by all machines on the local network. Each machine has its own private IP address.
Universal plug and play gateway The Universal Plug and Play (UPnP) Gateway allows UPnP capable applications and devices to request port forwarding rules to be established on demand. This allows some applications and devices that may not operate correctly behind the NAT firewall to automatically work. Warning When UPnP is enabled, any host connected to the internal network can create a port forwarding rule on the firewall. We strongly recommend that you do not enable the UPnP Gateway feature.
Configuring UPnP rules from Windows XP
Once UPnP is running on the CyberGuard SG appliance, you may configure UPnP port forwarding rules from a local Windows XP PC. Ensure the Windows PC’s Default gateway is set to the CyberGuard SG appliance’s UPnP Internal interface. After 10 to 15 seconds, a new connection named Internet Connection appears in the Windows PC’s Network Connections folder. Open Internet Connection, click Settings then Add.
Enter an arbitrary Description of service, the Name or IP address of the computer hosting this service on your network, the External Port number for this service and the Internal Port number for this service. Select whether the service uses the TCP or UDP protocol. Click OK. This rule now appears on the CyberGuard SG appliance UPnP page, under Current UPnP Port Mappings.
Connection Tracking
Connection tracking keeps a record of what packets have passed through the unit, and how they relate to each other.
Note Implementations of protocols such as H.323 can vary, so if you are experiencing problems then you can try disabling the module. Check Enable Connection Logging to log connections to the system log as they are established and expire; however, this may result in a lot of log messages if you have a large or busy network.
Intrusion Detection
Note The SG300, SG530, SG550, SG560, SG570 and SG630 provide Basic Intrusion Detection and Blocking only.
Read on to find out how using an IDS can benefit your network’s security, or skip ahead to the Basic or Advanced Intrusion Detection section for an explanation of configuration options.
The benefits of using an IDS
External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking software and applications compromise many systems through the Internet.
IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied. Because network scans often occur before an attempt to compromise a host, you can also deny all access from hosts that have attempted to scan monitored ports.
Trigger count before blocking specifies the number of times a host is permitted to attempt to connect to a monitored service before being blocked. This option only takes effect when one of the previous blocking options is enabled. The trigger count value should be between 0 and 2 (0 represents immediate blocking of probing hosts). Larger settings permit more attempts before blocking; although this allows the attacker more latitude, it reduces the number of false positives.
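The following is an added simulation of the IDB blocking logic just described (it is not the appliance's own code): a host may probe a monitored port trigger-count times, the next probe blocks it, and packets from a blocked host are then dropped. The monitored port list and the connection attempts are constructed for the example.

```python
# Added example: simulation of the Basic Intrusion Detection and Blocking
# trigger-count behaviour. Not the appliance's code; ports and traffic
# below are constructed.
from dataclasses import dataclass, field

# Constructed stand-in for one of the appliance's predefined port lists.
MONITORED_PORTS = {21, 23, 110, 139, 445}


def validate_trigger_count(n: int) -> int:
    """The manual allows a trigger count between 0 and 2 inclusive."""
    if not 0 <= n <= 2:
        raise ValueError("trigger count must be between 0 and 2")
    return n


@dataclass
class IDBState:
    trigger_count: int
    attempts: dict = field(default_factory=dict)   # src host -> monitored-port probes seen
    blocked: set = field(default_factory=set)      # hosts currently blocked
    log: list = field(default_factory=list)        # system-log style entries


def handle_attempt(state: IDBState, src: str, dport: int) -> str:
    """Classify one inbound connection attempt.

    Returns 'ignored' (port not monitored), 'denied' (logged and refused,
    host still allowed) or 'blocked' (host now, or already, blocked).
    """
    if src in state.blocked:
        state.log.append(f"IDB: dropped packet from blocked host {src}")
        return "blocked"
    if dport not in MONITORED_PORTS:
        return "ignored"
    state.attempts[src] = state.attempts.get(src, 0) + 1
    state.log.append(f"IDB: denied connection from {src} to monitored port {dport}")
    # trigger_count probes are permitted; the next one blocks the host,
    # so a trigger count of 0 blocks on the very first probe.
    if state.attempts[src] > state.trigger_count:
        state.blocked.add(src)
        state.log.append(f"IDB: blocked host {src} after {state.attempts[src]} probe(s)")
        return "blocked"
    return "denied"


def replay(events, trigger_count: int) -> IDBState:
    """Run a list of (src, dport) attempts through the IDB logic."""
    state = IDBState(validate_trigger_count(trigger_count))
    for src, dport in events:
        handle_attempt(state, src, dport)
    return state


# Constructed sample traffic: 203.0.113.9 sweeps several monitored ports,
# 198.51.100.4 touches one monitored port once (a likely false positive),
# and 192.0.2.7 only talks to an unmonitored port.
SAMPLE_EVENTS = [
    ("203.0.113.9", 21), ("203.0.113.9", 23), ("203.0.113.9", 110),
    ("198.51.100.4", 110),
    ("192.0.2.7", 443),
]

if __name__ == "__main__":
    for tc in (0, 2):
        st = replay(SAMPLE_EVENTS, tc)
        print(f"trigger count {tc}: blocked {sorted(st.blocked)}")
        for line in st.log:
            print("  " + line)
```

With a trigger count of 0 the single-probe host is blocked too; with 2 only the sweeping host is, which is the false-positive trade-off the text describes.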
Warning The list of network ports can be freely edited; however, adding network ports used by services running on the CyberGuard SG appliance (such as telnet) may compromise the security of the device and your network. It is strongly recommended that you use the predefined lists of network ports only.
Advanced Intrusion Detection and Prevention (Snort and IPS)
Advanced Intrusion Detection and Prevention is based on two variants of the tried and tested intrusion detection and prevention system Snort v2.
Check Enabled. Select the network Interface to monitor (Snort IDS only). This is typically Internet, or possibly DMZ. Check Use less memory to restrict Snort's memory usage (Snort IPS only). This results in slower signature detection throughput, but may be necessary if the device is configured to run many services, many VPN tunnels, or both Snort IDS and IPS. Rule sets are sets of defined patterns or rules used for the detection of attacks.
Check Log results to database to use a remote analysis server. If it is left unchecked, results are output to the device's system log (Advanced -> System Log). The device currently only supports the MySQL Database Type. Enter the table name of the remote data in Database Name. Enter the IP address or resolvable Hostname of the analysis server. Enter the Database port of the analysis server. For MySQL type databases, this is typically 3306. Sensor Name is an arbitrary string that is prepended to the log output.
MySQL database
http://www.mysql.com/downloads/mysql-4.0.html
http://www.mysql.com/doc/en/index.html
Apache web server
http://httpd.apache.org/download.cgi
http://httpd.apache.org/docs-2.0/
PHP scripting language for developing web pages
http://www.php.net/downloads.php
http://www.php.net/download-docs.php
ADODB library to hide differences between databases used by PHP
http://php.weblogs.com/adodb#downloads
GD graphics library for GIF image creation used by PHP
http://www.boutell.
Additionally, you can set up global block/allow lists for web sites that you always want to be accessible/inaccessible (Web Lists), or force users to have a personal firewall installed (ZoneAlarm) or ensure they are not running network services that may be exploited (Policy) before accessing the Internet.
How access controls are applied
Access control options operate in the following order for web access:
1. Web Lists allow
2. Web Lists deny
3. Security Policy enforcement
4. ACL allow
5. ACL block
6.
The Enable Access Control checkbox enables/disables the entire access control subsystem. This box must be checked for any access control operation to take place. The Default Action field defines the behaviour when none of the myriad of settings positively allow or block access. If changed to block by default, some definitions must be created elsewhere in access control to allow some network traffic or no access is possible.
Note To add or remove access control user accounts, select Users from the main menu and click the Local Users tab. Access control users should generally have only Internet Access (via Access Controls) checked, with all other access permissions unchecked. See the Users section in the chapter entitled System for further details on adding user accounts. Users without web proxy access see a screen similar to the figure below when attempting to access external web content.
Browser setup
The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar; refer to their user documentation for details on using a web proxy. From the Internet Options menu, select Tools. From the LAN Settings tab, select LAN Settings. Check Use a proxy server for your LAN… and Bypass proxy server for local address. All other options should remain unchecked. Click Advanced.
In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance’s LAN IP address. Click OK, OK and OK again.
ACL
Access may be Blocked or Allowed by the Source (LAN) IP address or address range, the Destination (Internet) host’s IP address or address range, or the Destination Host’s name.
Web lists
Access is denied to any web address (URL) that contains text added under URL Block List; e.g. entering xxx blocks access to any URL containing xxx, such as http://www.xxx.com, http://xxx.example.com or www.test.com/xxx/index.html. The Allow List similarly enables access to URLs containing the specified text.
Note Defining large numbers of URL fragments to match against can result in a significant slowing down of WWW accesses.
A number of Security Groups can be defined, where each group contains a number of host IP addresses or IP address ranges. Each group is additionally given a number of permitted and denied services which its hosts are allowed to offer. Each host in each group is periodically actively scanned for the services it is not allowed to offer, and if a connection to one of these services is successful, the host is blacklisted until such time as the offending service is no longer offered.
Content filtering
Note Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filtering licence (sold separately). See the Obtaining a content filtering licence section below. Content filtering allows you to limit the types of web based content accessed.
Note Content filtering is not performed for addresses specified in Web Lists or ACL.
If you have been given a single licence key, you have a subscription to the original Content system. If you have been given a certificate and private key, you have a subscription to the new Webwasher system.
Content
Check Enable Content Filtering, enter your License key, then continue on to set reporting options and which categories to block. Click Apply once these options have been set up to enable content filtering.
Select which categories you wish to block. Selecting Unratable blocks pages that the central content filtering database has not yet categorized.
Webwasher
Check Enable content filtering and paste in your Certificate and Private key. Check Allow accesses that cannot be rated to allow access to web sites that the Webwasher content filtering system has not yet rated. The default behaviour is to block all unrated sites.
Unchecking Allow access to newly defined categories restricts access to the categories you did not block when configuring content filtering. Leaving Allow access to newly defined categories checked allows access to any categories added after content filtering is configured. Check Identify users by account to send user names to the Webwasher reporting service. In order for this field to have any effect, Require User Authentication on the Main tab must be checked.
The Enable ZoneAlarm Pro support checkbox specifies if the ZoneAlarm Pro enforcement section of access control is active or not. Turning this feature on does involve a small sacrifice in the performance of this unit. The ZoneAlarm Hosts menu allows selection of the hosts which must be running ZoneAlarm Pro software to be able to access the Internet. The Check frequently checkbox indicates if local hosts should be queried as to their ZoneAlarm Pro status and version very often or less often.
Enable antivirus
Select Antivirus from the Firewall section of the main menu. Check Enable. The Database mirror is the host from which the signature database is updated. Unless there is a specific host from which you want the CyberGuard SG appliance to retrieve signature updates, leave this at the default setting of database.clamav.net. Select the frequency to Check for updates from the database mirror.
Storage
It is recommended that you use a network or local share to provide storage for the virus database and temporary space for the scanning process. This greatly increases the effectiveness of the antivirus scanner.
Network storage
A network share is a shared folder or drive on a local Windows PC, or a PC running another operating system capable of SMB sharing (such as Mac OS X, or a Linux PC running the SAMBA service).
Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate as a network share for use by the CyberGuard SG appliance’s web cache. Begin by disabling simple file sharing for this folder. From the Tools menu, select Folder Options. Click the View tab and under the Advanced settings section uncheck Use simple file sharing (Recommended). Click OK. Next, share the folder. Right click on the folder and select Sharing and Security.
Under the Storage -> Network Storage tab, check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename
Enter the Username and Password for a user that can read and write to the network share. If you allowed Full Control to Everyone, you may leave these blank.
Local storage
Note SG565 only. Attach a USB storage device to one of the CyberGuard SG appliance’s USB ports.
Under the Storage -> Local Storage tab, select the partition or device to use from the Device pull down menu, and click Submit.
POP email
The CyberGuard SG appliance can scan email being sent by PCs on your LAN before delivering it to the destination mail server.
Note Scanning of IMAP and web-based email is not supported. This service is configured differently depending on whether you want to scan all incoming email, or email being retrieved by specific PCs on your LAN only.
If most, but not all, of your internal email clients are retrieving email from a single mail server, enter this as the Default POP server. Check Allow connections to other POP servers. If there is no single mail server from which most of your internal email clients are retrieving email, leave Default POP server blank and check Allow connections to other POP servers.
Scan POP email for specific clients only
Check Virus check POP based email. Uncheck Translucent. Leave Default POP server blank and check Allow connections to other POP servers.
Note For each of the email clients for which to scan incoming mail, the email client’s POP3 username setting must be in the form of user@mail.isp.com, rather than simply user – user is the POP3 login, and mail.isp.com is the POP3 mail server.
Enter your LAN’s SMTP mail server address as the Destination SMTP server. Check Send keep alive bytes to requesting server to send keep alive traffic to the source SMTP server. This option is only useful on slow network connections where the source server is timing out before the CyberGuard SG appliance has finished its virus checking.
Note Enabling this automatically enables Access Control. Check Virus check web downloads. Check Reject overly large downloads to have the CyberGuard SG appliance treat oversized downloads as potential viruses and reject them. The definition of an overly large download is specified by the Maximum size field on the main Antivirus tab. Click Submit.
FTP
The CyberGuard SG appliance can scan files downloaded using FTP for viruses. Check Virus check FTP downloads.
You may specify the Maximum simultaneous connections to allow. This is the total number of FTP connections allowed from your LAN. Once this number is reached, subsequent FTP connections are rejected until previous FTP connections are disconnected. More resources are consumed by virus scanning when a higher number of simultaneous FTP connections are established. You may specify the Maximum connections for one host to allow. This is the number of FTP connections allowed from a single PC.
5. Virtual Private Networking
Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g.
PPTP and L2TP
The CyberGuard SG appliance includes a PPTP and an L2TP VPN server. These allow remote Windows clients to securely connect to the local network. PPTP or L2TP are also commonly used to secure connections from a Guest network; see the Guest Network section in the chapter entitled Network Setup.
PPTP VPN Server
To set up a PPTP connection from a remote Windows client to your CyberGuard SG appliance and local network:
• Enable and configure the PPTP VPN server.
Check Enable PPTP Server. Enter the IP Addresses to give to remote hosts. This must be a free IP address, or range of free IP addresses, from the network (typically the LAN) that the remote users are assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address to Assign VPN Server pull down menu. This is typically a LAN interface or alias.
• Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
Select the Required Encryption Level; access is denied to remote users attempting to connect without using this encryption level. Using Strong Encryption (MPPE 128 Bit) is recommended. Select the Authentication Database. This allows you to indicate where the list of valid clients can be found.
Your Internet IP address is displayed on the Network Setup page. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes. For details on configuring dynamic DNS, refer to the DNS section of the chapter entitled Network Setup. Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections.
Select Connect to a private network through the Internet and click Next. This displays the Destination Address window: Enter the CyberGuard SG appliance’s Internet IP address or fully qualified domain name and click Next.
Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect.
Windows XP PPTP client setup
Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections. Click Create New Connection from the Network Tasks menu to the left.
Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name for the VPN connection, such as your company name or simply Office. Click Next.
If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connection and your dial up account from the pull down menu. If not, or you wish to manually establish your ISP connection before the VPN connection, select Do not dial the initial connection. Click Next. Enter the CyberGuard SG PPTP appliance’s Internet IP address or fully qualified domain name and click Next.
Enter a username and password added in the Configuring user accounts for VPN server section and click Connect.
L2TP VPN Server
To set up an L2TP/IPSec connection from a remote Windows XP client to your CyberGuard SG appliance and local network:
• Enable and configure the L2TP VPN server.
• Configure IPSec tunnel settings.
• Set up VPN user accounts on the CyberGuard SG appliance and enable the appropriate authentication security.
• Configure the VPN clients at the remote sites.
Check Enable L2TP Server. Enter the IP Addresses to give to remote hosts. This must be a free IP address, or range of free IP addresses, from the network (typically the LAN) that the remote users are assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address to Assign VPN Server pull down menu. This is typically a LAN interface or alias.
• Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
Select the Required Encryption Level; access is denied to remote users attempting to connect without using this encryption level. Using Strong Encryption (MPPE 128 Bit) is recommended. Select the Authentication Database. This allows you to indicate where the list of valid clients can be found.
Note Only one shared secret tunnel may be added. The one shared secret is used by all remote clients to authenticate. • Select x.509 Certificate Tunnel to use x.509 certificates to authenticate the remote client against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication.
If adding an x.509 Certificate Tunnel, select the Local Certificate that you have uploaded to the CyberGuard SG appliance. Enter the Client Distinguished Name; it must match exactly the distinguished name of the remote party's local certificate to successfully authenticate the tunnel. Distinguished name fields are listed
Note Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management in the IPSec section later in this chapter).
Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name for the VPN connection, such as your company name or simply Office. Click Next.
If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connection and your dial up account from the pull down menu. If not, or you wish to manually establish your ISP connection before the VPN connection, select Do not dial the initial connection. Click Next. Enter the CyberGuard SG PPTP appliance’s Internet IP address or fully qualified domain name and click Next.
• To authenticate using an x.509 Certificate Tunnel, you must first install the local certificate. The distinguished name of this local certificate must match that entered in Client Distinguished Name when configuring the x.509 certificate tunnel on the CyberGuard SG appliance. See Certificate Management and Using certificates with Windows IPSec in the IPSec section later in this chapter for details on creating, packaging and adding certificates for use by Windows IPSec.
Select PPTP VPN Client or L2TP VPN Client from the VPN section of the main menu. Any existing client tunnels are displayed alongside icons to Enable/Disable, Delete, and Edit them. To add a new tunnel, click New. Ensure Enable is checked, and enter:
• A descriptive Name for the VPN connection. This may describe the purpose for the connection.
• The remote PPTP or L2TP Server IP address to connect to.
• A Username and Password to use when logging in to the remote VPN.
A PPTP status icon appears in the system tray on the bottom right hand side of your computer, informing you that you are connected. You can now check your e-mail, use the office printer, and access shared files and computers on the network as if you were physically on the LAN.
Note Depending on how your remote network is set up, some additional configuration may be required to enable browsing the network (aka Network Neighborhood or My Network Places).
To combine the Headquarters and Branch Office networks together, an IPSec tunnel must be configured on both CyberGuard SG appliances.
Set Up the Branch Office
Enable IPSec
Select IPSec from the VPN section of the main menu. A page similar to the following is displayed. Check the Enable IPSec checkbox. The Maximum Transmission Unit (MTU) of the IPSec interface can be configured by filling in the desired MTU value in IPSec MTU.
Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted.
Configure a tunnel to connect to the headquarters office
To create an IPSec tunnel, click the IPSec link on the left side of the web management console and then click the New button under Tunnel List. A window similar to the following is displayed.
Tunnel settings page
Fill in the Tunnel name field with an apt description for the tunnel.
Note Select an interface other than the default gateway when you have more than one Internet connection or have configured aliased Internet interfaces, and require the IPSec tunnel to run on an interface other than the default gateway.
Select the type of keying for the tunnel to use. The CyberGuard SG appliance supports the following types of keying:
• Main Mode automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel.
3. DNS hostname address to static IP address
4. DNS hostname address to DNS hostname address
5. DNS hostname address to dynamic IP address
Select the type of IPSec endpoint this CyberGuard SG appliance has on the interface on which the tunnel is going out. The CyberGuard SG appliance can either have a static IP, dynamic IP or DNS hostname address.
• Manual Keys establishes the tunnel using predetermined encryption and authentication keys. This authentication method is no longer widely used. It is not very secure as changing keys requires user intervention, and consequently keys are not changed very often. Using manual keys is not recommended.
In this example, select the Preshared Secret option. Click the Next button to configure the Local Endpoint Settings.
Local endpoint settings
Leave the Initiate the tunnel from this end checkbox checked.
It becomes optional if the CyberGuard SG appliance has a static IP address and is using Preshared Secrets for authentication. If it is optional and the field is left blank, the Endpoint ID defaults to the static IP address.
Note If the remote party is a CyberGuard SG appliance, the ID must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG Knowledge Base (http://www.cyberguard.com/snapgear/knowledgebase.
• SPI Number is the Security Parameters Index. It is a hexadecimal value and must be unique. It is used to establish and uniquely identify the tunnel. The SPI is used to determine which key is used to encrypt and decrypt the packets. It must be of the form 0xhex, where hex is one or more hexadecimal digits, and be in the range of 0x100-0xfff. This field appears when Manual Keying has been selected.
• Authentication Key is the ESP Authentication Key.
Enter the Internet IP address of the remote party in The remote party's IP address field. In this example, enter: 209.0.0.1 The Endpoint ID is used to authenticate the remote party to the CyberGuard SG appliance. The remote party's ID is optional if it has a static IP address and uses Preshared Secrets for authentication. It becomes a required field if the remote party has a dynamic IP or DNS hostname address or if RSA Digital Key Signatures are used for authentication.
OU Organizational Unit
CN Common Name
N Name
G Given name
S Surname
I Initials
T Personal title
E E-mail
Email E-mail
SN Serial number
D Description
TCGID [Siemens] Trust Center Global ID
The attribute/value pairs must be of the form attribute=value and be separated by commas. For example: C=US, ST=Illinois, L=Chicago, O=CyberGuard, OU=Sales, CN=SG550. It must match exactly the Distinguished Name of the remote party's local certificate to successfully authenticate the tunnel.
• Authentication Key field is the ESP Authentication Key. However, this applies to the remote party. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must be exactly 32 characters long when using MD5 or 40 characters long when using SHA1 (excluding any underscore characters). It must use the same hash as the CyberGuard SG appliance's authentication key. This field appears when Manual Keying has been selected.
• Encryption Key field is the ESP Encryption Key.
The Rekeyfuzz value refers to the maximum percentage by which the Rekeymargin should be randomly increased to randomize rekeying intervals. The Key lifetimes for both Phase 1 and Phase 2 depend on these values and must be greater than the value of “Rekeymargin x (100 + Rekeyfuzz) / 100”. In this example, leave the Rekeyfuzz as the default value of 100%. Enter a secret in the Preshared Secret field. Keep a record of this secret as it is used to configure the remote party's secret.
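The field rules given for manual keying (SPI range, authentication key length per hash), for Distinguished Names (attribute=value pairs that must match exactly) and for rekeying (Key lifetime greater than Rekeymargin x (100 + Rekeyfuzz) / 100) can be checked before a tunnel is committed. The checker below is an added example and not the appliance's own code; the configuration dictionary layout, the "manual"/"ike" and "psk"/"x509" labels, and the sample values are constructed for illustration, and lifetime and margin are assumed to be in the same unit.

```python
# Added example: pre-flight checks for the IPSec tunnel fields described in
# the manual. Not the appliance's code; the config layout and sample values
# are constructed.
import re

SPI_RE = re.compile(r"^0x([0-9a-fA-F]+)$")
# Manual keys are 0xhex; underscores are allowed and not counted as digits.
KEY_RE = re.compile(r"^0x([0-9a-fA-F_]+)$")
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}


def validate_spi(spi: str) -> bool:
    """SPI must be of the form 0xhex and lie in the range 0x100-0xfff."""
    m = SPI_RE.match(spi)
    if not m:
        return False
    return 0x100 <= int(m.group(1), 16) <= 0xfff


def validate_auth_key(key: str, hash_name: str) -> bool:
    """ESP authentication key: 32 hex digits for MD5, 40 for SHA1,
    not counting underscore separators."""
    m = KEY_RE.match(key)
    if not m:
        return False
    hex_digits = m.group(1).replace("_", "")
    return len(hex_digits) == AUTH_KEY_HEX_LEN[hash_name.upper()]


def lifetime_ok(key_lifetime: float, rekeymargin: float, rekeyfuzz_pct: float) -> bool:
    """Key lifetime must exceed Rekeymargin x (100 + Rekeyfuzz) / 100.
    Assumption: all three values use the same time unit."""
    return key_lifetime > rekeymargin * (100 + rekeyfuzz_pct) / 100


def parse_dn(dn: str) -> list:
    """Split 'attr=value, attr=value' into an ordered list of pairs.
    Assumption: whitespace around commas and '=' is not significant;
    order and case of everything else are compared literally."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr, value))
    return pairs


def dn_matches(local_dn: str, remote_dn: str) -> bool:
    """The configured remote DN must match the certificate's DN exactly."""
    return parse_dn(local_dn) == parse_dn(remote_dn)


def check_tunnel(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the fields agree."""
    problems = []
    if cfg["keying"] == "manual":
        if not validate_spi(cfg["spi"]):
            problems.append(f"SPI {cfg['spi']} is not 0xhex in 0x100-0xfff")
        if not validate_auth_key(cfg["auth_key"], cfg["hash"]):
            problems.append(f"authentication key length does not suit {cfg['hash']}")
    for phase in ("phase1", "phase2"):
        p = cfg[phase]
        if not lifetime_ok(p["key_lifetime"], p["rekeymargin"], p["rekeyfuzz_pct"]):
            problems.append(f"{phase}: key lifetime too short for rekeymargin/rekeyfuzz")
    if cfg.get("auth") == "x509" and not dn_matches(cfg["local_dn"], cfg["remote_dn"]):
        problems.append("remote Distinguished Name does not match the local certificate")
    return problems


# Constructed sample: manual keying with SHA1, and the manual's default
# rekeying values (lifetime 3600, Rekeymargin 600, Rekeyfuzz 100%).
SAMPLE_CONFIG = {
    "keying": "manual",
    "spi": "0x200",
    "hash": "SHA1",
    "auth_key": "0x" + "_".join(["0123456789abcdef"] * 2) + "_01234567",
    "phase1": {"key_lifetime": 3600, "rekeymargin": 600, "rekeyfuzz_pct": 100},
    "phase2": {"key_lifetime": 3600, "rekeymargin": 600, "rekeyfuzz_pct": 100},
}

if __name__ == "__main__":
    print(check_tunnel(SAMPLE_CONFIG) or "no problems found")
```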
• Local Certificate pull down menu contains a list of the local certificates that have been uploaded for x.509 authentication. Select the required certificate to be used to negotiate the tunnel. This field appears when x.509 Certificates has been selected.
Phase 2 settings page
Specify the Local Networks and Remote Networks to link together with the IPSec tunnel. For the Local Network, you may use a Predefined network, or enter a Custom network address.
Select a Phase 2 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the CyberGuard SG appliance supports can be selected. The supported ciphers are DES, 3DES and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA, and the supported Diffie Hellman groups are 1 (768 bit), 2 (1024 bit) and 5 (1536 bit). The CyberGuard SG appliance also supports extensions to the Diffie Hellman groups to include 2048, 3072 and 4096 bit Oakley groups.
Select the Internet interface the IPSec tunnel is to go out on. In this example, select the default gateway interface option. Select the type of keying for the tunnel to use. In this example, select the Aggressive mode with Automatic Keying (IKE) option. Select the type of IPSec endpoint this CyberGuard SG appliance has. In this example, select the static IP address option. Select the type of IPSec endpoint the remote party has. In this example, select the dynamic IP address option.
Phase 1 settings page
Set the length of time before Phase 1 is renegotiated in the Key lifetime (s) field. In this example, leave the Key Lifetime as the default value of 3600 minutes. Set the time for when the new key is negotiated before the current key expires in the Rekeymargin field. In this example, leave the Rekeymargin as the default value of 600 seconds. Set the maximum percentage by which the Rekeymargin should be randomly increased to randomize rekeying intervals in the Rekeyfuzz field.
Tunnel List
Connection
Once a tunnel has been configured, an entry with the tunnel name in the Connection field is shown.
Note You may modify, delete or disable/enable a tunnel by clicking on the corresponding Edit, Delete or Enable/Disable icon.
Remote party
The Remote Party which the tunnel is configured to connect to is defined either by its Endpoint ID, IP Address or Distinguished Name. Click Remote Party to sort the tunnel list by the remote party ID/name/address.
• Down indicates that the tunnel is not being negotiated. This may be due to the following reasons:
o IPSec is disabled.
o The tunnel is disabled.
o The tunnel could not be loaded due to misconfiguration.
• Negotiating Phase 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel. Aggressive or Main mode packets (depending on tunnel configuration) are transmitted during this stage of the negotiation process.
Phase 1 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 1 negotiations. This includes MD5 and SHA. Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations. Connection Details lists an overview of the tunnel's configuration. It contains the following information:
• An outline of the tunnel's network setup. In this example, it is 192.168.2.0/24===209.0.0.
• The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has an id of 2). Negotiation State reports what stage of the negotiation process the tunnel is in.
The CyberGuard SG appliance only supports certificates in base64 PEM or binary DER format. Some certificate authorities (CA) distribute certificates in a PKCS12 format file. This format combines the CA certificate, local public certificate and local private key certificate into one file. These certificates must be extracted before uploading them to the CyberGuard SG appliance; see Extracting certificates further on.
.. where pkcs12_file is the PKCS12 file issued by the CA and local_certificate.pem is the local public key certificate to be uploaded into the CyberGuard SG appliance. When the application prompts you to Enter Import Password, enter the password used to create the certificate. If none was used, simply press Enter. To extract the local private key certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
..
Create an empty CA database file under Windows:
type nul > rootCA/index.txt
.. or under Linux:
touch rootCA/index.txt
Create the CA certificate; omit the -nodes option if you want to use a password to secure the CA key:
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
.. where DAYS_VALID is the number of days the root CA is valid for.
Create local certificate pairs
For each local certificate you wish to create, there are two steps.
Using certificates with Windows IPSec To create certificates to use with IPSec on a Windows system, first follow the previous instructions in Creating a CA certificate and Creating local certificate pairs. Windows IPSec requires the certificates to be in a PKCS12 format file. This format combines the CA certificate, local public certificate and local private key certificate into one file. openssl pkcs12 -export -inkey cert1.key -in cert1.pem -certfile rootCA/ca.pem -out cert1.
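The certificate workflow described in the preceding sections (extracting the pieces of a PKCS12 bundle, creating a CA, issuing a local certificate pair and exporting it as PKCS12 for Windows IPSec) carried through end to end, as an added worked example; this is not code from the CyberGuard manual. It assumes a current OpenSSL command-line tool on the workstation, works in a temporary directory (WORK), and uses the constructed names cert1 and Example Root CA and the password secret. It signs the local certificate with openssl x509 -req rather than the openssl.cnf and rootCA/index.txt database the manual sets up, which is sufficient for a demonstration but does not keep the CA's issuance records.

```shell
#!/bin/sh
# Added example (not from the CyberGuard manual): build a throwaway CA and a
# local certificate pair with openssl, bundle them into PKCS12 as the manual
# describes for Windows IPSec, then extract the pieces back out in the PEM
# form the appliance accepts, and check that what came out is consistent.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)
DAYS_VALID=365                 # validity period used for every certificate

# Step 1: root CA key and self-signed CA certificate (-nodes = unencrypted key,
# as in the manual; omit it to protect the CA key with a password).
make_ca() {
    mkdir -p "$WORK/rootCA"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS_VALID" \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/rootCA/ca.key" -out "$WORK/rootCA/ca.pem" 2>/dev/null
}

# Step 2: local key and CSR, then sign the CSR with the CA. openssl x509 -CA
# stands in for the openssl.cnf / index.txt database of the manual's procedure.
make_local_cert() {
    name="$1"
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/rootCA/ca.pem" \
        -CAkey "$WORK/rootCA/ca.key" -CAcreateserial -days "$DAYS_VALID" \
        -out "$WORK/$name.pem" 2>/dev/null
}

# Step 3: bundle CA certificate, local certificate and private key into one
# PKCS12 file, the format Windows IPSec expects.
export_pkcs12() {
    name="$1"; password="$2"
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.pem" \
        -certfile "$WORK/rootCA/ca.pem" -passout "pass:$password" \
        -out "$WORK/$name.p12"
}

# Step 4: the reverse, as in "Extracting certificates": pull the public
# certificate and the private key back out as separate PEM files for upload.
extract_pkcs12() {
    name="$1"; password="$2"
    openssl pkcs12 -nomacver -clcerts -nokeys -in "$WORK/$name.p12" \
        -passin "pass:$password" -out "$WORK/${name}_extracted.pem"
    openssl pkcs12 -nomacver -nocerts -nodes -in "$WORK/$name.p12" \
        -passin "pass:$password" -out "$WORK/${name}_extracted.key"
}

# Before uploading, check that the extracted certificate chains to the CA and
# that the extracted private key really belongs to it (same public key).
verify_extracted() {
    name="$1"
    openssl verify -CAfile "$WORK/rootCA/ca.pem" "$WORK/${name}_extracted.pem" >/dev/null
    cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/${name}_extracted.pem")
    key_pub=$(openssl pkey -pubout -in "$WORK/${name}_extracted.key")
    [ "$cert_pub" = "$key_pub" ]
}
```

A typical run is make_ca, make_local_cert cert1, export_pkcs12 cert1 secret, extract_pkcs12 cert1 secret and finally verify_extracted cert1; the last function fails if the bundle was assembled from a mismatched key and certificate, which is the usual cause of a tunnel that never authenticates after a certificate upload.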
Select the certificate type and click New. You may add a CA Certificate (Certificate Authority), CRL Certificate (Certificate Revocation List) or Local Certificate. Click Browse to locate the certificate file or files. If you are adding a Local Certificate, enter the Public Key certificate in Local Certificate, the Local Private Key certificate in Private Key Certificate, and the passphrase to unlock the private key certificate in Private Key Certificate Passphrase. The certificate must be in PEM or DER format.
• Symptom: Tunnel is always Negotiating Phase 1. Possible Cause: The remote party does not have an Internet IP address (a No route to host message is reported in the system log). The remote party has IPSec disabled (a Connection refused message is reported in the system log). The remote party does not have a tunnel configured correctly because: o The tunnel has not been configured. o The Phase 1 proposals do not match. o The secrets do not match.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the CyberGuard SG appliance and remote party not recognising the need to renegotiate the tunnel. This situation arises when the remote party is configured to accept incoming tunnel connections (as opposed to initiate tunnel connections) and reboots.
Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large. The application uses broadcast packets to work. Solution: Confirm that the problem is the VPN tunnel and not the application being run.
SSL Tunnels are port tunnels that send data using an encrypted SSL pipe. In order to use an SSL tunnel, you must first install an SSL certificate using the Upload SSL Certificates page or the Create SSL Certificates page; see the Upload SSL certificates and Create SSL certificates sections of the chapter entitled Firewall. SSL tunnels can be useful for encrypting TCP services that are by themselves unencrypted, such as a telnet or FTP session.
You may specify the Protocol to use when negotiating the SSL connection. Leave this set to Raw when incoming connections are from a tunnel client. Setting Protocol to another value allows the tunnel server to accept connections directly from an SSL client other than a tunnel client, e.g. a mail client configured to use POP3 over SSL. Tunnel client A tunnel client accepts connections on Data Port from a host on the local network, and forwards them over the Tunnel Port to the Tunnel Server.
If the HTTP proxy is a buffering proxy, then enter the Proxy Buffer Size. Otherwise set this field to 0. You may also specify the timeout before sending padding to fill up the buffer size in Proxy Padding Timeout. • The following field is displayed for SSL Tunnel Server only: You may specify the Protocol to use when negotiating the SSL connection. Leave this set to Raw when connecting to a tunnel server.
6. USB Note SG565 only. The CyberGuard SG565 has two USB (Universal Serial Bus) ports to which you can attach USB storage devices (e.g. hard drives, flash drives, card readers), USB printers, USB network devices and USB narrowband (non-DSL) modems. A USB hub may be used if you need to attach more than two USB devices simultaneously. Note USB DSL modems are not supported at this time.
This section describes how to set up the CyberGuard SG appliance for network attached storage. For information on using a USB mass storage device as a print spool, refer to the USB Printers section. Share the storage device Select Shares from the Networking section of the main menu. Click the Storage tab. All USB Devices or device Partitions that are available to share are listed along with their Sizes and for previously configured shares, their Share Names.
Browsable: Display an icon for the network share when browsing the network from a Windows PC. To access the network share when this is unchecked, the user must manually enter the address in the address bar (e.g. \\SG565\public\). Writable: The network share is writable, i.e. users can modify and create new files. Public: A login and password are not required to access the network share. Users: A valid login and password are required to access the network share. Selecting this option displays a list of users.
Join a Windows workgroup The next step is to configure your CyberGuard SG appliance to join your Windows workgroup or domain. Select Network Setup from the Networking menu. Click the Advanced tab. Under the Unit Workgroup heading, enter the name of your Windows workgroup or domain and click Apply. Typically, this name is UPPERCASE. Once NAS devices or printers have been shared, your CyberGuard SG appliance becomes visible to other members.
Partitioning a USB mass storage device Warning This procedure is intended for experts and power users only. The standard Linux command line tools are present on the CyberGuard SG appliance for partitioning (fdisk) and creating filesystems (mkfs) on an attached USB mass storage device. Alternatively, you may use the standard Windows tools or a third party utility such as PartitionMagic to partition a USB mass storage device before attaching it to the CyberGuard SG appliance.
Command (m for help): p

    Disk /dev/sda: 5 heads, 50 sectors, 1024 cylinders
    Units = cylinders of 250 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
    /dev/sda1             1      1024    127975    b  Win95 FAT32

Delete any existing partitions by typing d then entering the partition number, e.g. enter 1 to delete /dev/sda1. Create a new partition by typing n then p for primary, then the partition number. Note The CyberGuard SG appliance supports primary partitions only, so you are limited to four partitions.
Last cylinder or +size or +sizeM or +sizeK (1-1024, default 1024): +64M Repeat the process for each partition you want to create. For the last partition, the default last cylinder is generally fine.
telnet or ssh to the CyberGuard SG appliance and log in. For each partition, run the appropriate mkfs command. To create FAT32 on our two example partitions, we use: mkfs.vfat -F 32 /dev/sda1 then mkfs.vfat -F 32 /dev/sda2 From the web management console, select Advanced from the System menu, and click Reboot. The partitions are now ready to use. USB Printers The CyberGuard SG appliance’s print server allows you to share attached USB printers with your LAN.
Set up the print server Attach the USB printer to the CyberGuard SG. Select Shares from the Networking section of the main menu. Click the Printing tab. Locate the printer to share and click its Edit icon. Enter a short descriptive Name for the printer. This is the name that is displayed when browsing your Windows workgroup or domain, and the name of the queue for LPR / LPD connections. Click Finish.
Otherwise, attach the USB mass storage device and select the device or device partition on which to store the print spool from the Spool pull down menu under the Printing tab. Note You may simultaneously use a USB mass storage device or device partition as a print spool and a Network Attached Storage device. However, the spool directory becomes visible (as spool) and there is a higher chance of the device filling up, causing print jobs to fail.
Select A network printer, or a printer attached to another computer and click Next. Select Browse for a printer and click Next. Locate the CyberGuard SG appliance by expanding your Windows workgroup and locating the CyberGuard SG by its hostname. The hostname is set on the CyberGuard SG appliance under Network Setup -> Advanced -> Unit Hostname. Select the printer and click Next.
You may receive a warning about the CyberGuard SG appliance automatically installing print drivers on your PC. Ignore it; the CyberGuard SG does not install print drivers automatically. If a dialog is displayed to inform you that no appropriate print driver could be found on the CyberGuard SG appliance, click OK. Select the appropriate driver for your printer.
Locate the .inf file for your printer and click Open then OK. Select your printer model and click OK. If your printer model is not listed, click Have Disk and Browse again. Drivers for several different printers and different operating systems are often distributed together by the manufacturer, so there may be several different .inf files. Follow the onscreen instructions to install the printer driver. This varies from printer to printer. Note If you cannot locate the appropriate .
LPR / LPD setup Note This information is generally not relevant for Windows network environments. Once the print server has been set up, the CyberGuard SG appliance also listens on the standard LPR / LPD network port (TCP 515) for incoming print jobs. Set up your LPR client to print to a remote LPD queue as specified by your operating system’s documentation. The queue name is the Name you specified during Set up the print server.
Disable Advanced Printing Features by clicking Control Panel -> Printers and Faxes -> right click printer -> Properties -> Advanced -> and uncheck Enable Advanced Printing Features. Disable Bidirectional Support by clicking Control Panel -> Printers and Faxes -> right click printer -> Properties -> Ports -> and uncheck Enable Bidirectional Support.
7. System Date and Time We recommend setting the CyberGuard SG appliance’s clock to the correct date and time, otherwise system log message time stamps do not match the time of the event. If you are using certificates for SSL or IPSec, it is especially important that you set the date and time correctly, as all certificates include an expiry date after which they do not function.
Note When synchronizing with an NTP server, the date and time is displayed in UTC. To display local time, you must set the Locality appropriately. Locality Select your local Region and click Submit. The system clock subsequently displays local time. By default, the system clock displays UTC.
After configuring your CyberGuard SG appliance it is strongly recommended that you remotely back up your configuration to an encrypted file. Note It is good practice to perform remote configuration backups regularly. Locally stored configurations are erased by factory resets, and become unretrievable should the CyberGuard SG appliance become uncontactable. Therefore they should not be considered a substitute for performing regular, remote configuration backups.
Note Ensure this is a hard-to-guess password, as all passwords, including IPSec passwords and private keys, are downloaded into your saved configuration. Also ensure your password is easy to remember: if this password is lost, there is no way to restore your configuration. To restore configuration, click Browse to locate the .sgc configuration file you previously backed up, enter its Password and click Submit. Local backup/restore Click the Local backup/restore tab. Enter a Description for this configuration.
Text save/restore Click the Text save/restore tab. Copy and paste the configuration files to and from a plain text file stored on a PC for backup purposes. Click Submit and Reboot to apply any changes. Warning Passwords are stored unencrypted, and plain text files are prone to undetected corruption. It is therefore preferable to use Remote backup/restore for regular backups.
You may specify the following access controls for each administrative user. • The Login control provides the user with telnet and ssh access to the command-line administration interface of the CyberGuard unit • The Administration control provides the user with the ability to make changes to the CyberGuard unit's configuration via the web-based administration interface. This should only be provided to trusted users who are permitted to configure and reconfigure the unit.
Warning A user with Encrypted save / restore all access can conceivably create an encrypted config file with an arbitrary root password that they can restore, thus granting them Administration privileges. Therefore, grant Encrypted save / restore all only to users that you trust with Administration access. • The Change Password control provides the user with the ability to change their password. Click Finish to apply your changes.
For dial-in, PPTP and L2TP users, you may also optionally enter a Domain name if your network has a Windows domain server. You may specify the following access controls for each local user. • The Dialin Access control provides the user with the authority to connect to the CyberGuard unit's dialin server. • The PPTP Access control provides the user with the authority to connect to the CyberGuard SG appliance’s PPTP VPN server (see the PPTP VPN Server section of the chapter entitled VPN).
TACACS+ The CyberGuard SG appliance may be configured to access a central repository of users and passwords on a TACACS+ server to authenticate dial-in, PPTP VPN server and L2TP VPN server connections. Enter the TACACS+ Server address from which to obtain client authentication information. Enter and confirm the TACACS+ Secret used to access the TACACS+ server. Click Submit to apply your changes.
If you have a secondary Global Command Center server, enter its name in Secondary Host Name so the CyberGuard SG appliance’s firewall can be updated appropriately. Enter the IP address of the secondary Global Command Center server in Secondary IP Address if applicable. Clicking Submit requests a certificate from the Global Command Center server. With valid credentials, you can download the certificates that enable this device to be managed.
In IP Address of CMS, enter the IP address of the host on which CyberGuard CMS is running. Specify the shared Authentication Key with which to authenticate this device against the CMS. This must be the same as the snmp_community configuration setting for CMS. It should be something hard to guess. When configured for centralised management, the device periodically sends a "ping" (SNMP trap) back to the CMS to indicate that it is alive.
Enter the name of a community that is allowed read-only access in Read-Only Community. You may optionally include an IP address or network to restrict who is allowed access. You may optionally include an OID to restrict the fields that are accessible. Enter the name of a community that is allowed read-write access in Read-Write Community. You may optionally include an IP address or network to restrict who is allowed access. You may optionally include an OID to restrict the fields that are accessible.
Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page. Advanced The following options are intended for network administrators and advanced users only. Warning Altering the advanced configuration settings may render your CyberGuard SG appliance inoperable.
Appendix B contains details on interpreting log output and configuring advanced log rules. Local syslog By default all messages are recorded in the System Log. Filter Level allows you to control which classes of messages are recorded in the system log. Every message recorded in the System Log includes a basic time stamp. Check Include extended ISO date to force a more precise and standardized timestamp to be included with every message. Click Submit to apply your changes.
You may also Include extended ISO date, which is prepended to syslog messages before they are sent. Click Submit to save your changes. Email delivery Syslog log messages may be sent to an email account. This allows you to keep system log messages persistently. Check Enable Email Logging. Enter the address of an Email Server (SMTP server) that accepts email for forwarding. Enter the Email Address(es) to which to send the system log messages. Enter the Sender Email address from which System Log messages are sent.
Messages per Email is the maximum number of system log messages that are allowed to accumulate before sending the email. The default setting of 0 means unlimited, and is typically appropriate for all systems but those that experience heavy traffic. Click Submit to apply your changes. Reboot and Reset Rebooting does not erase your CyberGuard SG appliance’s configuration, however network connections such as your Internet connection, VPN tunnels, etc.
This is particularly useful should the CyberGuard SG appliance become uncontactable, e.g. due to misconfiguration. Pushing the reset button twice clears all stored configuration information, reverts all settings to the factory defaults, and reboots the CyberGuard SG appliance. Note When the CyberGuard SG appliance reboots, it has an IP address of 192.168.0.1, netmask 255.255.255.0.
During the upgrade, the front panel LEDs on the CyberGuard SG appliance flash in an in-and-out pattern. The CyberGuard SG appliance retains its configuration information with the new firmware. Warning If the flash upgrade is interrupted (e.g. power down), the CyberGuard SG appliance stops functioning and becomes unusable until its flash is reprogrammed at the factory or a recovery boot is performed. User care is advised.
Download the binary image file (.sgu). Contact CyberGuard SG technical support for instructions on obtaining this file. Place this file in the directory your TFTP server is serving files from, usually: /tftpboot/ Establish a telnet or ssh connection to the CyberGuard SG appliance. Log in and run the command: flash image TFTP_SERVER IMAGE_FILE .. where TFTP_SERVER is the address of your TFTP server, and IMAGE_FILE is the binary image filename.
You may also create a new file by clicking New. Upload file Click Browse to locate the file on your local PC that you want to upload. You may upload it to an alternative file name on the CyberGuard SG appliance by specifying a Destination File Name. Click Submit to begin the upload. Warning Any existing file with the same name is overwritten. Support For information on obtaining support for your CyberGuard SG appliance, select Support from the System section of the main menu.
Technical support report The Technical Support Report page is an invaluable resource for the CyberGuard SG technical support team to analyze problems with your CyberGuard SG appliance. The information on this page gives the support team important information about any problems you may be experiencing. Note If you experience a fault with your CyberGuard SG appliance and have to contact the CyberGuard SG technical support team, ensure you include the Technical Support Report with your support request.
Appendix A – Terminology This section explains some of the terms that are commonly used in this document.
ADSL: Asymmetric Digital Subscriber Line. A technology allowing high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
Certificates: A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.
Certificate Authority: A Certificate Authority is a trusted third party which certifies that public keys truly belong to their claimed owners.
Extranet: A private network that uses the public Internet to securely share business information and operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company's intranet.
Failover: A method for detecting that the main Internet connection (usually a broadband connection) has failed and the CyberGuard SG appliance cannot communicate with the Internet.
IPSec tunnel: The IPSec connection to securely link two private parties across insecure and public channels.
IPSec with Dynamic DNS: Dynamic DNS can be run on the IPSec endpoints, thereby creating an IPSec tunnel using dynamic IP addresses.
IKE: IKE is a profile of ISAKMP that is for use by IPsec. It is often called simply IKE. IKE creates a private, authenticated key management channel. Using that channel, two peers can communicate, arranging for session keys to be generated for AH, ESP or IPcomp.
NAT: Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT.
Net mask: The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.
NTP: Network Time Protocol (NTP) is used to synchronize clock times in a network of computers.
Oakley Group: See Diffie-Hellman Group or Oakley Group.
PAT: Port Address Translation.
Router: A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination.
RSA Digital Signatures: A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the two parties in order to configure the tunnel.
SHA: Secure Hash Algorithm, a 160 bit hash. It is one of two message digest algorithms available in IPSec.
x.509 Certificates: An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature. x.509 certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication.
Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default. All rules in the default security policy drop packets. They never reject them. That is, the packets are simply ignored, and have no responses at all returned to the sender.
Commonly used interfaces are:
eth0 - the LAN port
eth1 - the WAN/Internet port
pppX - e.g. ppp0 or ppp1, a PPP session
ipsecX - e.g. ipsec0, an IPSec interface
The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar. Any traffic that does not match the exceptions however is dropped. There are also some specific rules to detect various attacks (smurf, teardrop, etc.).
A typical Default deny: message looks similar to the following:
    Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
That is, a packet arriving from the WAN (IN=eth1) and bound for the CyberGuard SG appliance itself (OUT= is empty) from IP address 140.103.74.181 (SRC=140.103.74.
To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something like this:
    iptables -I INPUT -j LOG -p tcp --syn -s X.X.X.X/XX -d Y.Y.Y.Y/YY --dport Z --log-prefix PREFIX
This logs any TCP (-p tcp) session initiations (--syn) that arrive from the IP address/netmask X.X.X.X/XX (-s ...) and are going to Y.Y.Y.Y/YY (-d ...), destination port Z (--dport). For example, to log all inbound access requests from anywhere on the Internet (0.0.0.
    iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "
This results in log output similar to:
    <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Note how the OUT value has now changed to show which interface the access attempt used to reach the internal host.
If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+ Clearly there are many more combinations possible. It is therefore possible to write rules that log inbound and outbound traffic, or to construct several rules that differentiate between the two. Rate Limiting iptables has the facility for rate-limiting the log messages that are generated, in order to avoid denial of service issues arising out of logging these access attempts.
Administrative Access Logging When a user tries to log onto the web management console, one of the following log messages appears:
    Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2
    Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2
This message shows the date/time, whether the authentication succeeded or failed, the user attempting authentication (in this case root) and the IP address from which the attempt was made.
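The kernel "Default deny:" lines, the custom --log-prefix lines and the boa authentication messages shown above are all plain text that the appliance's busybox tools can digest. The following is an added example (not from the CyberGuard manual) of the kind of summary an administrator would pull from a System Log extract: it parses the iptables LOG fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=), counts dropped packets by source address and destination port, and counts failed web console logins by source address. The log lines in SAMPLE_LOG are constructed from the formats the manual shows, not a real capture; the field names are the iptables LOG target's own.

```shell
#!/bin/sh
# Added example (not from the CyberGuard manual): summarise firewall LOG lines
# and boa authentication messages of the kinds described in Appendix B.
set -eu

# Constructed sample log extract (not a real capture).
SAMPLE_LOG='Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 27 09:31:25 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46342 DF PROTO=TCP SPT=46112 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 27 09:31:40 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46343 DF PROTO=TCP SPT=46113 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2
Jan 30 03:00:16 2000 boa: Authentication attempt failed for root from 10.0.0.2
Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2
Jan 30 03:05:01 2000 boa: Authentication attempt failed for admin from 10.0.0.9'

# Kernel firewall lines: emit "prefix|IN|OUT|SRC|DST|PROTO|DPT" per line.
# An empty OUT= means the packet was addressed to the appliance itself, so it
# is reported as "local"; a missing field is reported as "-".
parse_fw_lines() {
    awk '
    /klogd:/ && /SRC=/ {
        prefix = $0; sub(/^.*klogd: /, "", prefix); sub(/ IN=.*$/, "", prefix)
        ifin = ifout = src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    ifin  = (kv[2] == "" ? "-" : kv[2])
            if (kv[1] == "OUT")   ifout = (kv[2] == "" ? "local" : kv[2])
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        print prefix "|" ifin "|" ifout "|" src "|" dst "|" proto "|" dpt
    }'
}

# Dropped packets per source address and destination port: a quick view of
# which hosts are being refused on which services. Output "SRC DPT count",
# highest count first.
deny_summary() {
    parse_fw_lines | awk -F'|' '$1 == "Default deny:" { n[$4 " " $7]++ }
        END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Failed web management console logins per source address (boa lines).
failed_logins() {
    awk '/boa: Authentication attempt failed/ { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Usage: run each report over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_summary
printf '%s\n' "$SAMPLE_LOG" | failed_logins
```

On the appliance itself the same functions can be fed from the System Log; on a PC, from a saved copy or from the messages forwarded to a remote syslog server. Repeated failures for the same user from one address in failed_logins, or one source address accumulating denies across many destination ports in deny_summary, are the patterns worth a closer look.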
Appendix C – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgrade, it is important that you save a backup of your existing configuration (see the Save/Restore section in the chapter entitled System) to a local file. While we make every effort to ensure your existing configuration continues working after minor and patch revision upgrades, sometimes compatibility problems may arise. For major upgrades, existing configuration is not maintained.
If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration as a guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to, e.g. at a remote or client's site, we strongly recommend that following the upgrade, you reset the device to its factory default configuration and reconfigure as a matter of course.
Appendix D – Recovering From a Failed Upgrade If the Heart beat (or H/B) LED is not flashing 20 – 30 seconds after power is supplied, the CyberGuard SG unit is unable to boot correctly. This is usually because the firmware inside the CyberGuard SG unit has been written incorrectly or incompletely, or in rare cases it may have become corrupted. In this situation, a recovery boot reprograms the CyberGuard SG to bring it back to a usable state.
Note If you are using an older LITE(2)/LITE(2)+, you may have to attach the unit's WAN port directly to your PC using a crossover cable for the first stage of the recovery procedure. The Netflash program prompts you to switch the cable to the LAN port/switch using a straight-through cable for the second stage of the recovery procedure. Log in to your PC with administrator privileges (2000/XP/NT4 only). Ensure there are no DHCP server programs or services (Start -> Run -> Open: services.msc) running on your PC.
Wait for the recovery procedure to complete and the CyberGuard SG unit to finish reprogramming. Note It takes a few minutes for your CyberGuard SG to finish reprogramming. After it has finished it reboots automatically with its old configuration intact. If it is uncontactable after rebooting, hit the Reset/Erase button twice within 2 seconds to restore factory default configuration, then follow the instructions in the chapter entitled Getting Started to begin reconfiguration of your unit.
(Re)start the BOOTP server. Attach the CyberGuard SG unit's LAN port or switch directly to your PC using a crossover cable. Note If you are using an older LITE(2)/LITE(2)+, you may have to attach the unit's WAN port directly to your PC using a crossover cable for the first stage of the recovery procedure. Accordingly, your BOOTP server requires an entry specifying the CyberGuard SG unit’s WAN port MAC address. Hold in the Reset/Erase button while applying power, and keep it held in for 3 seconds.