StoneGate 5.2 Installation Guide: Intrusion Prevention System


Summary of Contents for Stonesoft stonegate 5.2

  • Page 1 StoneGate Installation Guide, Intrusion Prevention System...
  • Page 2: Legal Information

    N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.
  • Page 3: Table Of Contents

    Table of Contents: Introduction; Configuring Sensors and Analyzers; Using StoneGate Documentation ... 7; Defining Sensors and Analyzers ... 31; How to Use This Guide .
  • Page 4 Downloading the Installation Files ... 62; Appendix: Default Communication Ports ... 95; Checking File Integrity ... 62; Management Center Ports .
  • Page 5: Introduction

    Introduction. In this section: Using StoneGate Documentation...
  • Page 7: Chapter

    Using StoneGate Documentation. Welcome to Stonesoft’s StoneGate™ IPS. This chapter describes how to use the StoneGate IPS Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback. The following sections are included: How to Use This Guide...
  • Page 8: How To Use This Guide

    How to Use This Guide This IPS Installation Guide is intended for administrators who install the StoneGate IPS system. It describes the IPS Sensor and Analyzer engine installation step by step. The chapters in this guide are organized in the general order you should follow when installing the system. Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment.
  • Page 9: Documentation Available

    The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios. The latest StoneGate technical documentation is available at the Stonesoft website at http://www.stonesoft.com/support/. Documentation Available...
  • Page 10: System Requirements

    For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/. Licensing Issues You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do. For license-related queries, e-mail order@stonesoft.com.
  • Page 11: Preparing For Installation

    Preparing for Installation. In this section: Planning the IPS Installation - 13 Installing IPS Licenses - 19 Configuring NAT Addresses - 23...
  • Page 13: Chapter

    Chapter: Planning the IPS Installation. This chapter provides important information to take into account before the installation can begin. The chapter also includes an overview to the installation process. The following sections are included: Introduction to StoneGate IPS (page 14) Example Network Scenario (page 14)
  • Page 14: Introduction To Stonegate Ips

    Introduction to StoneGate IPS A StoneGate IPS system consists of Sensors, Analyzers, and the StoneGate Management Center. Sensors pick up network traffic, inspect it, and create event data for further processing by the Analyzers. StoneGate Sensors and Analyzers can be distributed as follows: •...
  • Page 15: Overview To The Installation Procedure

    Purpose-built StoneGate IPS appliances. • Standard Intel-compatible servers. Search for the version-specific Hardware Requirements in the technical documentation search at http://www.stonesoft.com/en/support/. • As a VMware virtual host. There are some additional requirements and limitations when StoneGate IPS is run as a virtual host. See the Release Notes for more information. Detailed...
  • Page 16: Capture Interfaces

    Sensor, allowing active blocking of any connection. For more specific information on compatibility of different network devices and StoneGate IPS, refer to the Stonesoft website at http://www.stonesoft.com/support/. Switch SPAN Ports A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a switch.
  • Page 17: Speed And Duplex

    Speed And Duplex Mismatched speed and duplex settings are a frequent source of networking problems. The basic principle for speed and duplex is simply that network cards at both ends of each cable must have identical settings. This principle also applies to the automatic negotiation setting: if one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate and not to any fixed setting.
  • Page 18 Chapter 2 Planning the IPS Installation...
  • Page 19: Installing Ips Licenses

    Chapter: Installing IPS Licenses. This chapter explains how to generate and install licenses for sensors and analyzers. The following sections are included: Getting Started with IPS Licenses (page 20) Generating New Licenses (page 20) Installing Licenses (page 21)
  • Page 20: Getting Started With Ips Licenses

    (page 21). Generating New Licenses You generate the licenses at the Stonesoft website based on your proof-of-license (POL), included in the order confirmation message sent by Stonesoft or the proof-of-serial-number (POS) printed on the side of StoneGate appliances. Evaluation licenses are also available at the website.
  • Page 21: Installing Licenses

    Installing Licenses To install licenses, the license files must be available to the computer you use to run the Management Client. Note – All licenses can be installed even though you have not yet defined all the elements the licenses will be bound to...
  • Page 22: Chapter

    You should see one license for each analyzer and sensor engine. If you have Management-bound engine licenses, you must bind them manually to the correct engines once you have configured the engine elements. What’s Next? If NAT is applied to communications between system components, proceed to Configuring NAT Addresses (page 23).
  • Page 23: Configuring Nat Addresses

    Chapter: Configuring NAT Addresses. This chapter contains the steps needed to configure Locations and contact addresses when a NAT (network address translation) operation is applied to the communications between the sensor or analyzer and other StoneGate components. The following sections are included: Getting Started with NAT Addresses (page 24)
  • Page 24: Getting Started With Nat Addresses

    Getting Started with NAT Addresses If there is network address translation (NAT) between communicating system components, the translated IP address may have to be defined for system communications. All communications between the StoneGate components are presented as a table in Default Communication Ports (page 95).
  • Page 25: Configuration Overview

    Configuration Overview To add contact addresses, proceed as follows: 1. Define Location element(s). See Defining Locations (page 25). 2. Define contact addresses for the Management Server and Log Server(s). See Adding SMC Server Contact Addresses (page 26). 3. Select the correct Location for the IPS engines when you create the Sensor and Analyzer elements.
  • Page 26: Adding Smc Server Contact Addresses

    Right-click Locations and select New Location. The Location Properties dialog opens. Type in a Name. Select element(s). Click Add. Repeat steps 5-6 until all necessary elements are added. Click OK. Repeat to add other Locations as necessary. What’s Next? If your Management Server or Log Server needs a contact address configuration, proceed to Adding SMC Server Contact Addresses...
  • Page 27 Select the Location of this server. Enter the Default contact address. If the server has multiple alternative IP addresses, separate the addresses with commas. Click Exceptions and define Location-specific contact addresses if the Default Contact Address(es) are not valid from all other Locations. Note –...
  • Page 28 Chapter 4 Configuring NAT Addresses...
  • Page 29: Configuring Sensors And Analyzers

    Configuring Sensors and Analyzers. In this section: Defining Sensors and Analyzers - 31 Saving the Initial Configuration - 45 Configuring Routing and Installing Policies - 51...
  • Page 31: Chapter

    Chapter: Defining Sensors and Analyzers. This chapter contains the steps needed to complete the sensor and analyzer configuration that prepares the Management Center for a StoneGate sensor and analyzer installation. Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the Management Center as outlined in this chapter.
  • Page 32: Getting Started With Defining Sensors And Analyzers

    Getting Started with Defining Sensors and Analyzers The Sensor and Analyzer elements are a tool for configuring nearly all aspects of your physical IPS components. An important part of the Sensor and Analyzer elements are the interface definitions. There are two main categories of Sensor and Analyzer interfaces: •...
  • Page 33: Defining System Communication Interfaces For Ips Engines

    Right-click IPS Engines and select one of the following: • New→Analyzer • New→Combined Sensor-Analyzer • New→Sensor Cluster • New→Single Sensor. Enter a unique Name. (Sensors only) Select the Analyzer to which the Sensor sends event data. Select the Log Server options according to the type of element you are creating: Element Option Description...
  • Page 34: Defining Physical Interfaces

    Defining Physical Interfaces To define a physical interface Switch to the Interfaces tab. Right-click and select New Physical Interface. The Physical Interface Properties dialog opens. Select the Interface ID. (Not applicable to Analyzers) Select Normal Interface as the Type. Click OK.
  • Page 35: Defining Vlan Interfaces

    Defining VLAN Interfaces VLANs divide a single physical network link into several virtual links. You can add up to 4094 VLANs per interface. Analyzers cannot use VLANs. Caution – Do not add any manual VLAN definitions to an interface you want to use for sending resets.
  • Page 36: Defining Ip Addresses

    Defining IP Addresses To define an IP address Right-click a physical interface or a VLAN interface and select New→IP Address. The IP Address Properties dialog opens. Double-click the IPv4 Address cell and enter the IPv4 Address. Repeat for each node if this is a Sensor Cluster element.
  • Page 37: Setting Interface Options For Ips Engines

    (Optional) Click Add to define a different contact address for contacting this engine from some specific Location. Click OK to close the Contact Addresses dialog. Click OK to close the IP Address Properties dialog. You can define several IP addresses for the same physical network interface. Before you continue, write down the networks to which each Interface ID is connected.
  • Page 38: Defining Traffic Inspection Interfaces For Sensors

    (Optional) Select a Backup Control interface that is used if the Primary interface is not available. (Sensor Cluster only) Select the Primary Heartbeat Interface for communications between the nodes of the cluster. This must not be a VLAN interface. Caution – Heartbeat traffic is time-critical. A dedicated network (without other traffic) is strongly recommended for security and reliability of heartbeat communication.
  • Page 39: Defining Logical Interfaces

    Defining Logical Interfaces A Logical Interface is used in the IPS policies and the traffic inspection process to represent a network segment. The StoneGate system contains one default Logical Interface. A Logical interface can represent any number or combination of interfaces and VLAN interfaces, except that the same Logical interface cannot be used to represent both capture interfaces and inline interfaces on the same Sensor.
  • Page 40: Defining Reset Interfaces

    (Optional) If you use VLAN tagging on capture or inline interfaces, select View interface as one LAN if you do not want the sensor to see a single connection as multiple connections when a switch passes traffic between different VLANs and all traffic is mirrored to the sensor through a SPAN port.
  • Page 41: Defining Capture Interfaces

    Select Normal Interface as the Type. Click OK. This interface can now be used as a reset interface. When you set up the physical network, make sure that the reset interface connects to the same network as the capture interface(s). Defining Capture Interfaces Capture interfaces listen to traffic that is not routed through the Sensor.
  • Page 42: Defining Inline Interfaces

    Click OK. Repeat these steps to define any additional capture interfaces. What’s Next? To define inline interfaces, proceed to Defining Inline Interfaces (page 42). To define how an inline sensor handles traffic when the traffic load is too high, proceed to Bypassing Traffic on Overload (page 43).
  • Page 43: Bypassing Traffic On Overload

    Select Inline Interface as the Type. (Optional) Change the automatically selected Second Interface ID. Leave Inspect Unspecified VLANs selected if you want the sensor to inspect traffic also from VLANs that are not included in the sensor’s interface configuration. If your configuration requires you to change the Logical Interface from Default_Eth, click Select and select the Logical interface in the dialog that opens.
  • Page 44: Finishing The Engine Configuration

    Finishing the Engine Configuration To finish the engine configuration Write down the networks to which each Interface ID is connected. Click OK to close the engine properties. The following notification opens. Click No. What’s Next? You are now ready to transfer the configuration to the physical Sensor and Analyzer...
  • Page 45: Chapter

    Chapter: Saving the Initial Configuration. This chapter explains how to save the Sensor and Analyzer initial configuration in the Management Center and how to transfer it to the physical sensor and analyzer engines. The following sections are included: Configuration Overview (page 46) Saving the Initial Configuration for Sensors and Analyzers...
  • Page 46: Configuration Overview

    Configuration Overview Once you have configured the Sensor and Analyzer elements in the Management Client, you must transfer the initial configuration to the physical sensor and analyzer engines. You must complete the following steps: 1. Save the initial configuration in the Management Client. See Saving the Initial Configuration for Sensors and Analyzers (page 46).
  • Page 47 Right-click the Sensor or Analyzer element and select Save Initial Configuration. The Initial Configuration dialog opens. What’s Next? If you want to use the Configuration Wizard, proceed to the section To prepare for configuration using the Configuration Wizard (page 47)...
  • Page 48 To prepare for fully automatic configuration (Optional) Enable SSH Daemon to allow remote access to the engine command line. Select the Local Time Zone and Keyboard Layout for the engine. (Sensors only) Click Select and select the appropriate policy if you already have a policy you want to use.
  • Page 49: Transferring The Initial Configuration To Sensors And Analyzers

    Transferring the Initial Configuration to Sensors and Analyzers You are now ready to install the StoneGate sensor and analyzer engine(s). The initial configuration is transferred to the engines during the installation. What’s Next? If you have a StoneGate appliance, see the installation and initial configuration instructions in the Appliance Installation Guide that was delivered with the appliance.
  • Page 50 Chapter 6 Saving the Initial Configuration...
  • Page 51: Chapter

    Chapter: Configuring Routing and Installing Policies. After successfully installing the Sensor and Analyzer engines and establishing contact between the engine(s) and the Management Server, the engines are left in the initial configuration state. Now you must define basic routing and policies to be able to use the engines to inspect traffic.
  • Page 52: Configuring Routing

    Configuring Routing In StoneGate, routing is done entirely through the Management Client. The routing information of sensors and analyzers is only used for system communications. The inspected traffic is not routed. The sensor’s Inline interfaces are always fixed as port pairs; traffic that enters through one port is automatically forwarded to the other port.
  • Page 53: Adding Next-Hop Routers

    Expand the routing tree to view all the routing information for the interfaces. Note – Networks are only added automatically. Networks and interfaces are never deleted automatically. Inappropriate elements are marked with a symbol to show that they are invalid. You must delete the invalid elements manually if you do not want them to be shown in the Routing view.
  • Page 54: Adding The Default Route

    Adding the Default Route To add the default route Right-click the Router and select New→Any Network. You are not actually creating a new element, just inserting the existing default element “Any Network”. What’s Next? To add other routes, proceed to Adding Other Routes.
  • Page 55: Installing The Initial Policy

    Repeat these steps to add any additional Networks to the Router element. The routing configuration changes are transferred to the engine with the other configuration information when you install an IPS policy on the Sensor. Installing the Initial Policy To be able to inspect traffic, the sensors and analyzers must have an IPS policy installed on them.
  • Page 56 Right-click Strict Policy or System Policy and select Install Policy. The Policy Install task dialog opens. Note – The Strict Policy and the System Policy contain a rule that uses the Terminate action for an Analyzer-only Situation. This produces an Unsupported Definitions issue during validation, but does not affect the functioning of the system.
  • Page 57: Commanding Ips Engines

    Click OK. A new tab opens to show the progress of the policy installation. Check that the policy installation is successful for both the sensor and the analyzer. When you install a policy, all the rules in the policy as well as all the IPS engine’s other configuration information (including interface definitions and routing information) are transferred to the engines.
  • Page 58 To check system status and issue commands to sensors and analyzers Select IPS Engines. Check the status of the engines in the Status column. You can select an element to view more information about it in the Info panel at the bottom of the window. Use the Commands menu to command sensors Online/Offline.
  • Page 59: Installing Sensors And Analyzers

    Installing Sensors and Analyzers. In this section: Installing the Engine on Intel-Compatible Platforms - 61...
  • Page 61: Chapter

    Chapter: Installing the Engine on Intel-Compatible Platforms. This chapter describes how to install StoneGate IPS Sensors and Analyzers on standard Intel or Intel-compatible platforms, such as AMD. The following sections are included: Installing the Sensor or Analyzer Engine (page 62) Obtaining Installation Files (page 62)
  • Page 62: Installing The Sensor Or Analyzer Engine

    Note – The engines must be dedicated to StoneGate IPS. No other software can be installed on them. Configuration Overview 1. If you do not have ready-made installation CD-ROMs, obtain the files from the Stonesoft website. See Obtaining Installation Files (page 62).
  • Page 63: Creating The Installation Cd-Rom

    Compare the displayed output to the checksum on the website. They must match. Caution – Do not use files that have invalid checksums. If downloading the files again does not help, contact Stonesoft technical support to resolve the issue. Creating the Installation CD-ROM Once you have checked the integrity of the installation files, create the installation CD-ROM from the files.
  • Page 64: Configuring The Engine

    Enter the number of processors: • For a uniprocessor machine, type and press ENTER • For a multiprocessor machine, type and press ENTER Type and press ENTER to accept automatic hard disk partitioning. The installation process starts. •...
  • Page 65: Configuring The Engine In The Engine Configuration Wizard

    Configuring the Engine in the Engine Configuration Wizard If you have stored the configuration on a floppy disk or a USB memory stick (see Saving the Initial Configuration for Sensors and Analyzers (page 46)), you can import it to reduce the need for typing in information.
  • Page 66 To set the engine’s timezone Highlight the entry field for Local Timezone using the arrow keys and press ENTER. Select the correct timezone in the dialog that opens. The timezone setting only affects the way the time is displayed on the engine command line. The engine always uses UTC time.
  • Page 67: Configuring The Network Interfaces

    Configuring the Network Interfaces The Configuration Wizard can automatically detect which network cards are in use. You can also add interfaces manually if necessary. If the list is not populated automatically, you can launch the autodetect as explained in the illustration below...
  • Page 68: Contacting The Management Server

    is ready and an IPS policy is installed on the appliance. Do not set the initial bypass state when the bypass network interface pairs are in the Bypass mode. • In the illustration below, interface 1 is soft-bypassed with interface 2. Highlight Next and press ENTER to continue.
  • Page 69: Filling In The Management Server Information

    Filling in the Management Server Information In the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server. If you do not have a one-time password for this engine, see Saving the Initial Configuration (page 45).
  • Page 70: After Successful Management Server Contact

    After Successful Management Server Contact After you see a notification that Management Server contact has succeeded, the IPS engine installation is complete and the engine is ready to receive a policy. The engine element’s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected, indicating that the Management Server can connect to the node.
  • Page 71: Allocating Partitions

    Table 8.1 Partitions for the Engine (Continued). Columns: Partition, Flags, Partition Type, Filesystem Type, Size, Description. Swap: Logical; Linux swap; twice the size of physical memory; swap partition for the StoneGate IPS engine. Data: Logical; Linux; 500 MB or ...; used for the boot configuration files and the...
  • Page 72: Chapter

    Chapter 8 Installing the Engine on Intel-Compatible Platforms...
  • Page 73: Upgrading

    Upgrading. In this section: Upgrading - 75...
  • Page 75 Chapter: Upgrading. This chapter explains how you can upgrade your IPS engines. When there is a new version of the sensor and analyzer engine software, you should upgrade as soon as possible. The following sections are included: Getting Started with Upgrading (page 76) Upgrading or Generating Licenses...
  • Page 76: Getting Started With Upgrading

    Getting Started with Upgrading How Engine Upgrades Work The primary way to upgrade engines is a remote upgrade through the Management Server. The upgrade package is imported on the Management Server manually or automatically. Then, you apply it to selected engines through the Management Client. Alternatively, the upgrade can be done locally when it is more convenient (for example, for spare appliances in storage).
  • Page 77: Configuration Overview

    MD5 or SHA-1 checksum programs by default, but there are several third party programs available. To manually download an engine upgrade file Download the installation file from www.stonesoft.com/download/. There are two types of packages available: • The .zip package is used in the remote upgrade on all supported platforms. It can also...
  • Page 78: Upgrading Or Generating Licenses

    (for example, when upgrading from 1.2.3 to 1.3.0). By default, licenses are regenerated and installed automatically. You can also upgrade the licenses at the Stonesoft website. What’s Next?...
  • Page 79: Upgrading Licenses Under Multiple Proof Codes

    Click Update. The license upgrade page opens. Follow the directions on the page that opens to upgrade the license. Repeat for other licenses. What’s Next? Proceed to Installing Licenses (page 80). Upgrading Licenses Under Multiple Proof Codes If you have several existing licenses with different POL codes that you need to upgrade, you can make the work easier by generating the new licenses all at once.
  • Page 80: Installing Licenses

    (Optional) Click Yes to launch the Stonesoft License Center website’s multi-upgrade form in your default Web browser. Next, upload the license upgrade request file to the Stonesoft License Center website using the multi-upgrade form, and submit the form with the required details. The upgraded licenses are sent to you.
  • Page 81: Checking The Licenses

    Checking the Licenses After installing the upgraded licenses, check the license information. When you upgrade licenses, the old licenses are automatically replaced with the new licenses. To check the licenses Click the Configuration icon in the toolbar and select Administration. The Administration Configuration view opens.
  • Page 82: Upgrading Engines Remotely

    Upgrading Engines Remotely The remote upgrade has two separate parts, transfer and activation. You can choose to do both parts consecutively, or you can choose to transfer the configuration now and then launch a separate task for the activation at a later time. You can also create a scheduled Task for the remote upgrade as instructed in the Online Help.
  • Page 83 (Sensors only) If you want to activate the new version immediately (and not only transfer it), right-click the sensor node and select Commands→Go Offline. Right-click the node and select Configuration→Upgrade Software. Select whether you want to transfer the upgrade for later activation, or both transfer and activate now.
  • Page 84: Upgrading Engines Locally

    Upgrading from an Engine Installation CD-ROM Follow the procedure below to upgrade StoneGate engines to the latest version locally from a CD-ROM that you have created from an .iso image downloaded from the Stonesoft website or shipped to you by Stonesoft.
  • Page 85: Upgrading From A Zip Archive File

    Select to upgrade the previous installation and press ENTER to continue. The upgrade process starts. When the process is finished, remove the CD-ROM and press ENTER to reboot. • If the Configuration Wizard opens, configure the engine in the same way as after the first installation: refer to Configuring the Engine (page 100) for instructions.
  • Page 86 (Optional) If you have not already done so, select Calculate SHA1 to calculate the checksum. The calculation will take some time. The calculated checksum must be identical to the one from the .zip file. Caution – Do not use files that have invalid checksums. Select Cancel if the checksum does not match and acquire a new copy of the upgrade file.
  • Page 87: Appendices

    Appendices. In this section: Command Line Tools - 89 Default Communication Ports - 95 Example Network Scenario - 101 Index - 107...
  • Page 89: Appendix A Command Line Tools

    Appendix A: Command Line Tools. This appendix describes the command line tools available on StoneGate IPS engines. For instructions on how to access the command line, see the Administrator’s Guide or the Online Help of the Management Client. The following sections are included: StoneGate-Specific Commands (page 90)
  • Page 90: Stonegate-Specific Commands

    StoneGate-Specific Commands StoneGate engine commands can be run from the command line on the sensors and analyzers. For a full list of command line tools for all types of components, see the Command Line Tools appendix in the Administrator’s Guide or the Online Help of the Management Client. Table A.1 StoneGate-specific Command Line Tools on Engines Command Description...
  • Page 91 Table A.1 StoneGate-specific Command Line Tools on Engines (Continued). Command: sg-bootconfig [--primary-console=tty0|ttyS ... Description: Can be used to edit boot command parameters for future bootups. The --primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console. The --secondary-console=[tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.
  • Page 92 Table A.1 StoneGate-specific Command Line Tools on Engines (Continued) Command Description Configures a new hard drive on a StoneGate appliance. This command is only available for StoneGate appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives. -status option displays the status of the hard drive.
  • Page 93: General Tools

    Table A.1 StoneGate-specific Command Line Tools on Engines (Continued) Command Description Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support. -f option forces sgInfo even if the configuration is encrypted.
  • Page 94 Appendix A Command Line Tools...
  • Page 95: Default Communication Ports

    Appendix: Default Communication Ports. This chapter lists the default ports used in connections between StoneGate components and the default ports StoneGate uses with external components. The following sections are included: Management Center Ports (page 96) IPS Engine Ports (page 98)
  • Page 96: Management Center Ports

    TCP: 8902-8913 8914-8918 + 3021 (Log Server Certificate Request). Illustration B.2 Default Destination Ports for Optional SMC Components and Features (diagram; labels include External LDAP Server, Stonesoft’s Update Service, External RADIUS Server, Management Server, Web Portal Server, Secondary Server, and port 1812)...
  • Page 97 The table below lists all default ports SMC uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. For information on communications between SMC components and the engines, see the separate listings.
  • Page 98: Ips Engine Ports

    Stonesoft servers (listening), 443/TCP, contacted by the Management Server: update packages, engine upgrades, and licenses from update.stonesoft.com and smc.stonesoft.com. Service element: HTTPS. Syslog Server (listening), 514/UDP, 5514/UDP, contacted by the Log Server: log data export to syslog servers. The default ports can be modified in the LogServerConfiguration.txt file. Service element: Syslog (UDP) [Partial match].
  • Page 99 Illustration B.3 Default Destination Ports for Basic IPS System Communications (diagram showing Log Server, Sensor, Other Node(s) in the Cluster, Analyzer, and Management Server; port labels: TCP 3020, 18890, 3002, 4950, 3003, 18889, 3010, 3000, 3021, 3023; UDP 18888). The table below lists all default ports StoneGate IPS uses internally and with external components.
  • Page 100 Table B.2 IPS-Specific Ports (Continued). Columns: Listening Hosts, Port/Protocol, Contacting Hosts, Service Description, Service Element Name. Sensor (listening), 3000-3001/, 3002, 3003, 3010/TCP, contacted by Sensor: heartbeat between the cluster nodes. Service elements: SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync. Sensor (listening), 4950/TCP, contacted by Management: remote upgrade. Service element: SG Remote...
  • Page 101: Example Network Scenario

    Appendix: Example Network Scenario. To give you a better understanding of how StoneGate fits into a network, this section outlines a network with IPS Sensors and Analyzers. All illustrations of the software configuration in the subsequent chapters are filled in according to this example scenario;...
  • Page 102: Overview Of The Example Network

    Overview of the Example Network Three example Sensor installations are described in this Guide: • a Sensor cluster in the Headquarters Intranet network. • a single Sensor in the Headquarters DMZ network. • a combined Sensor-Analyzer in the Branch Office Intranet network. The two different Analyzer installations are illustrated with •...
  • Page 103: Example Headquarters Intranet Network

    Example Headquarters Intranet Network. Illustration C.2 Example Headquarters Intranet Network (diagram labels: HQ Firewall, 10.42.1.42, 10.42.1.41, 172.16.1.1, SPAN, Switch, Node 2, Node 1, 172.16.1.42, 172.16.1.41, Headquarters Intranet, Management Network). HQ Sensor Cluster: In the example scenario, HQ Sensor Cluster is an inline serial cluster located in the Headquarters network.
  • Page 104: Example Headquarters Management Network

    Example Headquarters Management Network. Illustration C.3 Example Headquarters Management Network (diagram labels: Management Server, 192.168.10.200, 192.168.10.1, 192.168.10.61, HQ Analyzer, HQ Firewall, Switch, 212.20.1.254, HQ Log Server, Internet, 192.168.10.201). HQ Analyzer: The HQ Analyzer receives event data from the DMZ Sensor and from the HQ Sensor Cluster, and sends log data and alerts to the HQ Log Server.
  • Page 105: Example Headquarters Dmz Network

    Table C.3 SMC Servers in the Example Scenario (Continued). SMC Server: HQ Log Server. Description: This server is located in the Headquarters’ Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer. Example Headquarters DMZ Network. Illustration C.4 Example Headquarters DMZ Network 192.168.1.41...
  • Page 106: Example Branch Office Network

    Example Branch Office Network. Illustration C.5 Example Branch Office Network (diagram labels: 172.16.2.41, Branch Office Intranet, Branch Office Firewall, Internet, 212.20.2.254, 172.16.2.1, Branch Office Log Server, 172.16.2.201). Branch Office Sensor-Analyzer: In the example scenario, the Branch Office Sensor-Analyzer is an inline combined Sensor-Analyzer.
  • Page 107: Index

    Index: activating initial configuration, 68; file integrity, 62–63; Advanced Configuration and Power Interface (ACPI), 62; analyzers: configuring, 31–44; generating licenses, 20; installing, 62–71; Automatic Power Management (APM), 62; hardware requirements, 10; BIOS settings, 62; IDS (intrusion detection system), 14
  • Page 108 partitioning hard disk manually, 70; planning installation, 13–17; platforms supported, 15; policies, 51–58; strict policy, 55; system policy, 55; ports, 16; requirements for hardware, 10; reset interfaces, 40; routing, 52–55; saving initial configuration, 45–49; ..., 14...
  • Page 109 FI-00210 Helsinki, Finland: Tel. +358 9 476 711, Fax +358 9 4767 1349. Suite 900, Atlanta, GA 30338: Tel. +1 770 668 1125, Fax +1 770 668 1131. Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
