CyberGuard SG™ Firewall VPN Appliance User Manual Revision 2.0.1 June 7, 2004 CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@snapgear.com Web: www.cyberguard.com...
1. Introduction This chapter provides an overview of your CyberGuard SG appliance’s features and capabilities, and explains how to install and configure your CyberGuard SG appliance. This manual describes how to take advantage of the features of your CyberGuard SG appliance, including setting up network connections, a secure firewall and a VPN.
The following figure shows how your CyberGuard SG appliance interconnects. CyberGuard SG PCI Appliances The CyberGuard SG PCI appliance (SG630, SG635) is a hardware-based firewall and VPN server embedded in a 10/100 Ethernet PCI network interface card (NIC). It is installed into the host PC like a regular NIC, providing a transparent firewall to shield the host PC from malicious Internet traffic, and VPN services to allow secure remote access to the host PC.
This approach offers an increased measure of protection against internal threats as well as conventional Internet security concerns. You can update, configure and monitor the firewall and VPN connectivity of a workstation or server from any web browser. In the event of a breach, you have complete control over individual PCs' access policies independent of the host PC's operating system, even if the system has been subverted and is denying normal administrator access.
Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights important issues. Bold text in procedures indicates text that you type, or the name of a screen object (e.g. a menu or button).
Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appliances include: SG300, SG530, SG550, SG570 and SG575. The following items are included with your CyberGuard SG gateway appliance: power adaptor, Installation CD, printed Quick Install guide, and cabling including one normal straight-through UTP cable (blue) and one crossover UTP cable (either gray or red). Note The SG300 model includes two blue straight-through UTP cables.
Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model. Label Activity Power Heart Beat Flashing Flashing LAN Activity Flashing WAN Activity Flashing DMZ Activity Flashing Serial Activity Online Rear panel The rear panel contains the connector ports for the LAN, Internet, modem (COM1) and...
CyberGuard SG Gateway Appliance Features Internet link features 10/100baseT Ethernet port (Internet/WAN) Serial port Front panel serial status LEDs (for TX/RX) Online status LEDs (for Internet/VPN) Rear panel Ethernet link and activity status LEDs LAN link features 10/100BaseT LAN port 10/100BaseT 4 port LAN switch (SG300 model only) Rear panel Ethernet link and activity status LEDs DMZ link features (SG570, SG575 only)
Your CyberGuard SG PCI Appliance CyberGuard SG PCI appliances include: PCI630 PCI635 The following items are included with your CyberGuard SG PCI appliance: Installation CD Printed Quick Install guide LEDs The rear panel contains LEDs indicating status. The two LEDs closest to the network port are network activity (upper) and network link (lower).
CyberGuard SG PCI Appliance Features Network link features 10/100baseT Ethernet port Ethernet LEDs (link, activity) Environmental features Status LEDs: Power, Heart Beat Operating temperature between 0° C and 40° C Storage temperature between -20° C and 70° C Humidity between 0 and 95% (non-condensing)
This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network and connecting to the Internet. This is a slightly more detailed version of the printed Quick Install Guide that shipped with your CyberGuard SG appliance. These instructions assume you have a PC running Microsoft Windows (95/98/Me/ 2000/XP for CyberGuard SG gateway appliances, 2000/XP only for CyberGuard SG PCI appliances).
CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with initial, static IP settings of: IP address: Subnet mask: Note The Internet/WAN and DMZ interfaces are by default inactive, i.e. there are no network services such as DHCP in operation, and no IP address is configured.
Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect the CyberGuard SG appliance’s LAN Ethernet port directly to your PC’s network interface card using the crossover cable (red or gray). If you are using the SG300 model, connect your PC’s network interface card directly to one of the ports on the CyberGuard SG appliance’s LAN Ethernet switch using a straight through cable (blue).
CyberGuard SG appliance is directly attached. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> your network card name if there are multiple entries) and click Properties. Figure 2-1
Select Use the following IP address and enter the following details: IP address: Subnet mask: Default gateway: Select Use the following DNS server addresses and enter: Preferred DNS server: 192.168.0.1 Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance: User name: Password: Note If you are unable to connect to the Management Console at 192.168.0.1, or the initial username and password are not accepted, press the black Reset/Erase button on the CyberGuard SG appliance’s rear panel twice, wait 20 –...
The Quick Setup Wizard will display. Figure 2-3 Hostname: You may change the name the CyberGuard SG appliance knows itself by. This is not generally necessary. Manual configuration: Select this to manually specify your CyberGuard SG appliance’s LAN connection settings. Skip: LAN already configured: Select this if you wish to use the CyberGuard SG appliance’s initial network settings (IP address 192.168.0.1 and subnet mask 255.255.255.0) as a basis for your LAN settings.
Figure 2-4 Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step. Enter an IP address and Subnet mask for your CyberGuard SG appliance’s LAN connection. You may choose to use the CyberGuard SG appliance’s initial network settings if you are sure no other PC or network device already has the address of 192.168.0.1.
Set up Internet Connection Settings Select your Internet connection type and click Next. Cable modem If connecting using a cable modem, select the appropriate ISP. Choose Generic cable modem provider if unsure. Analog modem If connecting using a regular analog modem, enter the details provided by your ISP. DSL modem If connecting using an ADSL modem, select Auto detect ADSL connection type and enter the details provided by your ISP.
Note For detailed help for each of these options, please refer to the chapter entitled Network Connections. Once the CyberGuard SG appliance’s Internet connection has been set up, click Next, select Reboot and click Next again. Set up the PCs on your LAN to Access the Internet Note If you have changed the CyberGuard SG appliance’s LAN connection settings, it may become uncontactable at this point.
LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG appliance’s LAN connection. If you chose to set the CyberGuard SG appliance’s LAN connection settings using Manual configuration, you may simply remove this address from the pool of available addresses.
Properties. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries). Enter the following details: IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance’s LAN connection (e.g.
Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser) and navigate to the IP address of the CyberGuard SG appliance’s LAN connection. The Web Management Console will display. Select DHCP Server from the Networking menu. Click Add Server and configure the DHCP server with the following details: Gateway Address is the IP address of the CyberGuard SG appliance’s LAN connection, or leave it blank.
Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple entries) and click Properties (in 95/98/Me, you may also have to click the IP Address tab). Figure 2-6 Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK (in 95/98/Me, reboot the PC if prompted to do so).
CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Select an unused PCI slot and insert the CyberGuard SG appliance, then power on your PC. Install the Network Driver on your PC The CyberGuard SG appliance will be automatically detected and have the appropriate driver installed when Windows starts up.
Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties.
Set up the Password and Network Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.168.0.1. The Web Management Console will display. Select Network Setup under Networking in the left hand menu. You will be prompted to log in. Enter the initial user name and password for your CyberGuard SG appliance: User name: Password:...
Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally be a free IP address on your LAN. The Network Setup Connections page will display. Locate the Bridge / br0 port and select Edit current settings under Configuration. If your LAN has an active DHCP server, you may set up your CyberGuard SG appliance and PC for auto-configuration.
The first IP address will be used by the Web Management Console. Figure 2-9 Enter this IP address and the subnet mask for your LAN into the IP Address / Netmask fields on the Web Management Console’s Bridge IP Configuration page. Ensure DHCP assigned is unchecked.
Enter the following details: IP address is the second free IP address that is part of the subnet range of your LAN. Subnet mask is the subnet mask of your LAN. Default gateway is the IP address of your LAN’s default gateway. Preferred DNS server is the IP address of the DNS server used by PCs on your LAN.
Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has two free leases. One will be used for the Web Management Console, the other for your PC. Note It is highly recommended that you reserve the IP address to be used by the Web Management Console using the CyberGuard SG appliance’s MAC address.
Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties.
Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear panel Reset button enabled. This allows the CyberGuard SG appliance’s configuration to be reset to factory defaults. From a network security standpoint, it may be desirable to disable the Reset switch after initial setup has been performed.
3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure each of your CyberGuard SG appliance’s network ports (Ethernet, serial). Network ports may be configured for Internet connection, LAN connection, DMZ connection, remote dialin access or Internet failover. If you are using a CyberGuard SG gateway appliance, the section Set up the PCs on your LAN to access the Internet in the chapter entitled Getting Started describes how to configure the PCs on your LAN to share the connection once your Internet connection...
Unlike Internet, DMZ or COM1 ports, the LAN network port has only one configurable function, to connect to your local area network. Network settings for the LAN network port may be assigned statically, or dynamically by a DHCP server. Select Edit current settings to continue.
It allows users to transmit IPX/SPX over a VPN, something that is not supported by other VPN vendors. It allows users to transmit DHCP to remote sites; this ensures that they are under better control. It allows users to make use of protocols that do not work well in a WAN environment (e.g.
CyberGuard SG PCI appliances can also connect to the Internet in this manner, but generally will be connecting directly to a LAN by selecting either Direct Internet or Bridged Internet. Physically connect modem device The first step in connecting your office network to the Internet is to physically attach your CyberGuard SG appliance to the modem device.
Use PPPoE if your ISP uses username and password authentication to access the Internet. Use DHCP if your ISP does not require a username and password, or your ISP instructed you to obtain an IP address dynamically. If your ISP has given you an IP address or address range, you must Manually Assign Settings.
Figure 3-4 To manually configure your Internet network settings, enter the IP Address, Netmask, Internet Gateway and DNS Server(s) supplied by your ISP. If you have been given a range of IP addresses, they may be added as Interface Aliases. For details, see the Advanced section later in this chapter.
When the CyberGuard SG appliance is in bridged mode, it will not be performing NAT/masquerading. PCs will typically use an IP address on the network connected to the CyberGuard SG appliance’s Internet port as their gateway, rather than the CyberGuard SG appliance itself. Failover Direct/Cable/ADSL Internet Refer to the section entitled Internet Failover in this chapter.
The following table describes the fields and explains how to configure the dial up connection to your ISP. Field Name of Internet provider Phone number(s) to dial ISP DNS Server(s) (optional) Username and password Click Advanced to configure the following options. Field Idle timeout Redial setup...
Statically assigned IP address If a connect on demand connection has been set up, Connect Now/Disconnect Now buttons will be displayed. These make the CyberGuard SG appliance dial or hang up the modem connection immediately. Dialin access Select Dialin Access to use this port as a dialin server to allow remote users to connect to your local network.
Services on the DMZ Network Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appliance to allow access to services on the DMZ. There are two methods of allowing access. If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services.
DMZ as a backup/failover Internet connection See the Internet Failover section later in this chapter. Load Balancing If you have enabled both the Internet and DMZ ports as primary Internet connections, enabling load balancing will share Internet traffic load over the two connections. To enable load balancing, check Enable Load Balancing under Load Balancing and click Apply.
Enable the primary connection for failover Set up your primary broadband Internet connection as described in the Internet section of this chapter. From the Connections menu, select Edit failover parameters from the Configuration pull down box. The CyberGuard SG appliance determines whether an Internet connection is up by listening for responses to ping (ICMP echo request) packets sent to a host on the Internet.
Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Internet connection has been configured. Refer to Enable the primary connection for failover above for details on enabling your primary broadband Internet connection for failover. Figure 3-7 Next, configure the failover connection as you would a normal Internet connection.
Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatically by the CyberGuard SG appliance configuration scripts. Route management Your CyberGuard SG appliance can be configured to automatically exchange routing information with other routers.
Advanced The following figure shows the advanced IP configuration: Hostname The Hostname is a descriptive name for the CyberGuard SG appliance on the network. DNS Proxy The CyberGuard SG appliance can also be configured to run as a Domain Name Server. The CyberGuard SG appliance acts as a DNS Proxy and passes incoming DNS requests to the appropriate external DNS server.
Network Address Translation (NAT/masquerading) The CyberGuard SG appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT) where PCs on the local network effectively share a single external IP address. Masquerading allows insiders to get out, without allowing outsiders in.
Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by hosts on the Internet. Dynamic DNS service providers such as TZO.com and dyndns.org can register an Internet domain name that will point to your Internet IP address no matter how often it changes.
Figure 3-10 Interface aliases Interface aliases allow the CyberGuard SG appliance to respond to multiple IP addresses on its LAN, Internet and DMZ ports. For Internet and DMZ aliased ports, you must also set up appropriate Packet Filtering and/or Port forwarding rules to allow traffic on these ports to be passed onto the local network.
Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed.
CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up the dialin features. Your CyberGuard SG appliance can be configured to receive dialin calls from remote users/sites. Remote users are individual users (e.g. telecommuters) who connect directly from their client workstations to dial into modems connected to the serial ports on the CyberGuard SG appliance.
Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance’s COM port or internal modem for dialin. Under Networking, select Network Setup. From the Connections menu, locate the COM port or Modem on which you want to enable dialin, and select Change to Dialin Access from the Configuration pull down menu.
The following table describes the fields on the Dial-In Setup page: Field: IP Address for Dialin clients. Description: Dialin users must be assigned local IP addresses to access the local network. Specify a free IP address from your local network that the connected dial-up client will use when connecting to the CyberGuard SG appliance.
Dialin User Accounts User accounts must be set up before remote users can dial into the CyberGuard SG appliance. The following figure shows the Dialin user account creation: The field options in Add New Account are shown in the following table: Field Description Username...
The following figure shows the user maintenance screen: Figure 4-3 Account list As new dialin user accounts are added, they are displayed on the updated Account List. To modify a password for an existing account, select the account in the Account List and enter the new password in the New Password and Confirm fields.
If the change is unsuccessful, an error is reported as shown in the following figure: Figure 4-3 When you have finished adding and modifying user account details, you can configure other CyberGuard SG appliance functions by selecting the appropriate item from the Network or System menus.
Remote User Configuration Remote users can dial in to the CyberGuard SG appliance using the standard Windows Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the CyberGuard SG appliance COM port.
Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP-2 authentication, you also need to check the Require encrypted password checkbox. Leave all other Advanced Options unchecked. Select the TCP/IP network protocols from the Allowed network protocols list. Warning Do not select NetBEUI or IPX.
Windows 2000/XP To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Connections and select Make New Connection. The network connection wizard will guide you through setting up a remote access connection: Click Next to continue.
Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Click Next to continue. Select the option Only for myself to make the connection only available for you. This is a security feature that will not allow any other users who log onto your machine to use this remote access connection:
Figure 4-9 Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for the remote connection will appear on the desktop. To launch the new connection, double-click on the new icon on the desktop, and the remote access login screen will appear as in the next figure.
5. DHCP Server Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard SG appliance as a DHCP server, you must set a static IP address and netmask on the LAN or DMZ port (see the chapter entitled Network Connections).
To configure the DHCP Server, follow these instructions. Check the Enable DHCP Server checkbox. Enter the Subnet and netmask of the IP addresses to be distributed. Enter the Gateway Address that the DHCP clients will be issued with. If this field is left blank, the CyberGuard SG appliance's IP address will be used.
Subnet List The Subnet List will display the status of the DHCP server. Interface Once a subnet has been configured, the port from which the IP addresses will be issued is shown in the Interface field. Subnet The value shown in this field is the subnet from which the distributed IP addresses are drawn. Free Addresses This field will contain the number of remaining available IP addresses that can be distributed.
For each IP address that the DHCP server services, the Status, Hostname and MAC Address will be shown. There is also an option to Remove the address and, for reserved IP addresses, the added option to Unreserve the address. Unreserving the address will allow it to be handed out to any host.
DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would. To enable this feature, specify the server which is to receive the forwarded requests in Relay Host.
The CyberGuard SG appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access, so that PCs on the office network can have tailored Internet access facilities and are shielded from malicious attacks. The firewall filters packets at the network layer, determines whether the session packets are legitimate and evaluates the contents of packets at the application layer to provide maximum protection for your private network.
Administration services The following figure shows the Administration Services page: Figure 6-1 By default the CyberGuard SG appliance runs a web administration server and a telnet service. Access to these services can be restricted to specific interfaces. For example, you may want to restrict access to the Web Management Console web administration pages (Web Admin) to machines on your local network.
CyberGuard SG Administrative Web Server Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative web server. This web server is responsible for running the Web Management Console. Here you can change the port on which the server runs. Additionally, the SG550, SG570 and SG575 models support SSL encryption to establish secure connections to the Web Management Console web administration pages from SSL enabled browsers.
The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must include the new port number in the URL to access the pages. For example, if you change the web administration to port number 88, the URL to access the web administration will be similar to: http://192.168.0.1:88 SSL/HTTPS (Secure HTTP)
Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web server can operate in one of three modes: both normal and SSL web access (both HTTP and HTTPS); disable normal access (HTTPS only); disable SSL access (HTTP only). To access the Web Management Console administrative web pages securely using SSL encryption, the URL becomes https:// instead of http:// (e.g.
Packet Filtering By default, your CyberGuard SG appliance allows network traffic as shown in the following table: Incoming Interface LAN/VPN/Dial-In You can configure your CyberGuard SG appliance with additional filter rules to allow or restrict network traffic. These rules can match traffic based on the source and destination address, the incoming and outgoing network port, and/or the services.
Before configuring a filter or NAT rule, you need to define the addresses and service groups. Addresses Click the Addresses tab. Any addresses that have already been defined will be displayed. Click New to add a new address, or select an existing address and click Modify.
Service groups Click the Service Groups tab. Any service groups that have already been defined will be displayed. Click New to add a new service group, or select an existing service group and click Modify. Adding or modifying a service group is shown in the following figure: Figure 6-5 A service group can be used to group together similar services.
Rules Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined will be displayed. Click New to add a new filter rule, or select an existing filter and click Modify. Note The first matching rule will determine the action for the network traffic, so the order of the rules is important.
The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interface is the interface/network port that the CyberGuard SG appliance will route the network traffic out. None will match network traffic that is destined for the CyberGuard SG appliance itself.
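As an added example (not from the manual or the appliance's own software), the following Python models a first-match rule evaluator over the fields described above: Incoming Interface, Outgoing Interface (with None standing for traffic addressed to the appliance itself), source and destination addresses, and a destination service. It shows why rule order decides the verdict and adds a check for rules that an earlier, broader rule shadows so they can never fire. The Packet and Rule fields, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"   # wildcard for the interface fields


@dataclass(frozen=True)
class Packet:
    """Traffic as the filter sees it (constructed model, not an appliance structure)."""
    in_if: str                # interface it arrived on, e.g. "LAN", "Internet", "DMZ"
    out_if: Optional[str]     # interface it would leave on; None = addressed to the appliance
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "ACCEPT" or "DROP"
    in_if: str = ANY
    out_if: Optional[str] = ANY          # None matches only traffic to the appliance itself
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    service: Optional[Tuple[str, Optional[int]]] = None   # (proto, port); None = any service
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.in_if != ANY and self.in_if != pkt.in_if:
            return False
        if self.out_if != ANY and self.out_if != pkt.out_if:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.service is not None:
            proto, port = self.service
            if pkt.proto != proto or (port is not None and pkt.dport != port):
                return False
        return True


def evaluate(rules, pkt, default="DROP"):
    """First matching rule wins; returns (action, rule index) or (default, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule is at least as
    broad in every field. Anything listed here means the rule order needs review."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.in_if in (ANY, later.in_if)
                    and (earlier.out_if == ANY or earlier.out_if == later.out_if)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.service is None or earlier.service == later.service)):
                hidden.append(j)
                break
    return hidden


# Constructed policy: quarantine one LAN workstation, and let the LAN reach the
# Web Management Console (tcp/80) on the appliance itself.
QUARANTINE = Rule("DROP", in_if="LAN", src="192.168.0.50/32", comment="quarantined PC")
WEB_ADMIN = Rule("ACCEPT", in_if="LAN", out_if=None, service=("tcp", 80), comment="Web Admin from LAN")

GOOD_ORDER = [QUARANTINE, WEB_ADMIN]   # the specific deny comes first
BAD_ORDER = [WEB_ADMIN, QUARANTINE]    # the general accept fires first for the quarantined PC

ADMIN_FROM_QUARANTINED = Packet("LAN", None, "192.168.0.50", "192.168.0.1", "tcp", 80)
UNSOLICITED_INBOUND = Packet("Internet", "LAN", "198.51.100.9", "192.168.0.7", "tcp", 445)


def order_matters():
    """Same rules, same packet, different verdicts: ("DROP", "ACCEPT")."""
    return (evaluate(GOOD_ORDER, ADMIN_FROM_QUARANTINED)[0],
            evaluate(BAD_ORDER, ADMIN_FROM_QUARANTINED)[0])


if __name__ == "__main__":
    print(order_matters())
    print(evaluate(GOOD_ORDER, UNSOLICITED_INBOUND))            # ('DROP', None): default policy
    print(shadowed([Rule("ACCEPT", in_if="LAN"), QUARANTINE]))  # [1]: quarantine never fires
```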
Source Address Destination Address Destination Services The next two fields describe how matching packets should be altered. To Destination Address To Destination Service Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually create a more restrictive filter rule through Rules. Source NAT Source NAT alters the source address and optionally the source port of packets received by the CyberGuard SG appliance.
Source Address Outgoing Interface Destination Address Destination Services The next two fields describe how matching packets should be altered. To Source Address To Source Service 1-to-1 NAT This creates both a Source NAT and Destination NAT rule for mapping all services on an internal, private address to an external, public address.
Warning Leaving Create a corresponding ACCEPT firewall rule checked will allow all traffic into and out from the specified private address, i.e. the private address will no longer be shielded by your CyberGuard SG appliance’s firewall. Otherwise, manually create filter rules through Rules. Rules The Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules.
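The following Python is an added example, not code from the manual or the appliance, that models the three translation kinds this chapter describes: masquerading (Source NAT onto the single external address, with a connection table so replies reach the originating LAN host while unsolicited inbound traffic is dropped), Destination NAT (a port forward), and 1-to-1 NAT (all services on one private address mapped to one public address in both directions, which is why the warning above matters). Addresses, ports and the Packet/Nat classes are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Toy translator for one appliance with a single external address."""

    def __init__(self, external_ip, lan_network, first_port=1024):
        self.external_ip = external_ip
        self.lan = ip_network(lan_network)
        self.next_port = first_port
        self.conn = {}           # (proto, ext port) -> (private ip, private port, peer ip, peer port)
        self.flow_to_port = {}   # (proto, src, sport, dst, dport) -> ext port
        self.dnat = {}           # (proto, public port) -> (internal ip, internal port)
        self.one_to_one = {}     # private ip -> public ip
        self.public_to_private = {}

    def add_port_forward(self, proto, public_port, internal_ip, internal_port):
        """Destination NAT: publish one internal service on the external address."""
        self.dnat[(proto, public_port)] = (internal_ip, internal_port)

    def add_one_to_one(self, private_ip, public_ip):
        """1-to-1 NAT: all services on private_ip appear at public_ip, both directions."""
        self.one_to_one[private_ip] = public_ip
        self.public_to_private[public_ip] = private_ip

    def outbound(self, pkt):
        """LAN -> Internet: return the packet as the Internet sees it."""
        if ip_address(pkt.src) not in self.lan:
            raise ValueError("outbound packets must come from the LAN")
        if pkt.src in self.one_to_one:
            return replace(pkt, src=self.one_to_one[pkt.src])
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.flow_to_port.get(flow)
        if ext_port is None:                       # new connection: remember who opened it
            ext_port = self._free_port(pkt.proto)
            self.flow_to_port[flow] = ext_port
            self.conn[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.external_ip, sport=ext_port)

    def inbound(self, pkt):
        """Internet -> appliance: return the LAN packet, or None when it is dropped."""
        if pkt.dst in self.public_to_private:
            # 1-to-1 NAT passes everything through; only a filter rule shields the host
            return replace(pkt, dst=self.public_to_private[pkt.dst])
        if pkt.dst != self.external_ip:
            return None
        entry = self.conn.get((pkt.proto, pkt.dport))
        if entry is not None:
            priv_ip, priv_port, peer_ip, peer_port = entry
            if (pkt.src, pkt.sport) == (peer_ip, peer_port):   # reply from the right peer only
                return replace(pkt, dst=priv_ip, dport=priv_port)
            return None
        fwd = self.dnat.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        return None   # unsolicited and unpublished: outsiders stay out

    def _free_port(self, proto):
        while (proto, self.next_port) in self.conn or (proto, self.next_port) in self.dnat:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def demo():
    """Constructed addresses from the RFC 5737 documentation ranges."""
    nat = Nat("203.0.113.5", "192.168.0.0/24")
    nat.add_port_forward("tcp", 443, "192.168.0.10", 443)     # published internal web server
    nat.add_one_to_one("192.168.0.20", "203.0.113.20")
    out = nat.outbound(Packet("192.168.0.7", 40000, "198.51.100.9", 80))
    return {
        "out": out,
        "reply": nat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.sport)),
        "wrong_peer": nat.inbound(Packet("198.51.100.66", 80, "203.0.113.5", out.sport)),
        "unsolicited": nat.inbound(Packet("198.51.100.9", 51002, "203.0.113.5", 22)),
        "forwarded": nat.inbound(Packet("198.51.100.9", 51000, "203.0.113.5", 443)),
        "static_in": nat.inbound(Packet("198.51.100.9", 51001, "203.0.113.20", 25)),
        "static_out": nat.outbound(Packet("192.168.0.20", 5000, "198.51.100.9", 25)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:>12}: {pkt}")
```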
Access Control and Content Filtering Inappropriate Internet use during work hours can have a serious effect on productivity. With the CyberGuard SG Access Control web proxy, you can control access to the Internet based on the type of web content being accessed (Content), and which user or workstation is accessing the Internet content (Require user authentication, IP Lists).
Users without web proxy access will see a screen similar to the figure below when attempting to access external web content. Figure 6-8 Note Each browser on the LAN will now have to be set up to use the CyberGuard SG appliance’s web proxy.
Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their user documentation for details on using a web proxy. From the Internet Options menu, select Tools. From the LAN Settings tab, select LAN Settings.
Figure 6-10 In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance’s LAN IP address. Click OK, OK and OK again.
Web lists Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any URL containing xxx, including http://xxx.example.com or www.test.com/xxx/index.html. The Allow List also enables access to URLs containing the specified text. Figure 6-11
Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filtering license (sold separately) through www.cyberguard.com/snapgear/my/. Content filtering allows you to limit the types of web based content accessed. Check Enable Content Filtering, enter your activated License key, then continue on to set reporting options and which categories to block.
Reports Warning The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do this is by using an NTP time server. See the Time and Date section in the chapter entitled Advanced for details. Blocked requests are submitted to the central content filtering server.
ZoneAlarm This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Running personal firewall software on each PC offers an extra layer of protection from application level, operating system specific exploits and malware that abound on the Internet.
7. Intrusion Detection Note Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Instrusion Detection and Blocking only. The CyberGuard SG appliance provides two intrusion detection systems (IDS). The lightweight and simple to configure Basic Intrusion Detection and Blocking, and the industrial strength Advanced Intrusion Detection.
Page 94
The benefits of using an IDS External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking software and applications compromise many systems through the Internet.
Basic Intrusion Detection and Blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Figure 7-1 IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied.
Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The standard option extends this coverage by introducing additional monitored ports for early detection of intruder scans.
Advanced Intrusion Detection Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect attacks by matching incoming network data against defined patterns or rules. Advanced Intrusion Detection utilizes a combination of methods to perform extensive IDS analysis on the fly.
Advanced Intrusion Detection configuration Figure 7-2 Check Enabled, and select the Interface/network port to monitor. This will typically be Internet, or possibly DMZ. Checking Use less memory will result in slower signature detection throughput, but may be necessary if your CyberGuard SG appliance is configured to run many services or many VPN tunnels.
Note The more rule sets that are selected, the greater load is imposed on the CyberGuard SG appliance. Therefore a conservative rather than aggressive approach to adding rule sets should be followed initially. Check Log results to database to use a remote analysis server. Note If Log results to database is left unchecked, results will be output to the CyberGuard SG appliance system log (Advanced ->...
Setting up the analysis server Specific open source tools are required to be installed on the Analysis server for a straightforward evaluation. The analysis server will typically be a Pentium IV level system running Linux (Red Hat, Debian, etc.) with sufficient memory and disk capacity to run a database and web server with at least one Ethernet port.
PHPlot graph library for charts written in PHP http://www.phplot.com/ ACID analysis console http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz Snort will be running as an IDS sensor on the CyberGuard SG appliance and logging to the MySQL database on the analysis server. The following are detailed documents that aid in installing the above tools on the analysis server.
8. Web Cache Note The web cache is only available on SG575 models. Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s proxy-cache server to reduce Internet access time and bandwidth consumption. A proxy-cache server implements Internet object caching. This is a way to store requested Internet objects (i.e., data available via HTTP, FTP, and other protocols) on a server closer to the user's network than on the remote site.
Web Cache Setup Select Web cache under Networking. A page similar to the following will be displayed. Check Enable to enable the web cache. Cache size Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for caching Internet objects.
Network Shares Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additional storage space. The CyberGuard SG appliance is not equipped with a hard disk of its own, so it is quite limited in the number of Internet objects it can cache.
Create the network share Figure 8-2 Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate as a network share for use by the CyberGuard SG appliance’s web cache. Begin by disabling simple file sharing for this folder.
Set the CyberGuard SG appliance to use the network share Check Use share. Enter the location of the network share in the format: \\HOSTNAME\sharename Figure 8-3 Enter the maximum size for the cache in Cache size. Warning Cache size should not be more than 90% of the space available to the network share, e.g.
Peers The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web caches. Web caches communicate using the Internet Cache Protocol (ICP). ICP is used to exchange hints about the existence of URLs in neighbour caches. Caches exchange ICP queries and replies to gather information to use in selecting the most appropriate location from which to retrieve an object.
9. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g. the Internet) and has the following key traits: Privacy - no one else can see what you are communicating Authentication - you know who you are communicating with Integrity - no one else can tamper with your messages/data Using VPN, you can access the office network securely across the Internet using Point-...
PPTP Client Setup The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). Select PPTP VPN Client from the VPN menu and create a new VPN connection by entering: A descriptive name for the VPN connection.
If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the following figure: Figure 9-2 The CyberGuard SG appliance supports multiple VPN client connections. Additional connections can be added by following these steps. To set a VPN connection as the default route for all network traffic, check the Make VPN the Default Route checkbox and click Apply.
PPTP Server Setup The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your CyberGuard SG appliance model). The CyberGuard SG PPTP Server allows remote Windows clients to securely connect to the local network.
Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 9-3 To enable and configure your CyberGuard SG appliance’s VPN server, select PPTP VPN Server from the VPN menu on the Web Management Console web administration pages. Virtual Private Networking...
The following table describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access. Field Description Enable PPTP Server Check this box to enable PPTP connections to be established to your CyberGuard SG appliance. IP Addresses for Enter the IP addresses for the tunnel end-points.
Configuring user accounts for VPN server After setting up the VPN server, select Continue to show the PPTP VPN Server Accounts screen as shown in the following figure: Figure 9-4 If you selected None as the Authentication Scheme, setup is now complete. Skip ahead to Configuring the remote VPN client.
The field options in the Add New Account screen are detailed in the following table. Field Description Username Username for VPN authentication only. The name selected is case-sensitive (e.g. Jimsmith is different to jimsmith). Username can be the same as, or different to, the name set for dialin access. Windows Domain Most Windows clients expect you to specify a domain name in upper case.
Configuring the remote VPN client The remote VPN clients can now be configured to securely access the local network. You need to enter the PPTP Account username and password that you added in the previous section, and the IP address of the CyberGuard SG PPTP VPN server. The CyberGuard SG PPTP VPN server IP address is displayed on the Diagnostics page.
Windows 95, Windows 98 and Windows Me From the Dial-Up Networking folder, double-click Make New Connection. Type CyberGuard SG appliance or a similar descriptive name for your new VPN connection. From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next.
Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK. Your VPN client is now set up and ready to connect. Windows 2000 Log in as Administrator or with Administrator privileges.
Double-click Make New Connection from the main window. Click Next to show the Network Connection Type window: Figure 9-9 Select Connect to a private network through the Internet and click Next. This displays the Destination Address window: Figure 9-10 Enter the CyberGuard SG PPTP server’s IP address or fully qualified domain name and click Next.
Figure 9-11 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect. Windows XP Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections. Click Create New Connection from the Network Tasks menu to the left.
(aka Network Neighborhood or My Network Places). Please refer to the following knowledge base article for further details: http://www.cyberguard.com/snapgear/faqomatic/public_html/fom-serve/cache/70.html To disconnect, right-click the PPTP Status system tray icon and select Disconnect. You can then disconnect from the Internet if you wish.
IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are many possible configurations in creating an IPSec tunnel. The most common and simplest will be described in this section. Additional options will also be explained throughout this example, should it become necessary to configure the tunnel with those settings.
Figure 9-13 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet port. The CyberGuard SG appliance can either have a static IP, dynamic IP or DNS hostname address. If a dynamic DNS service is to be used or there is a DNS hostname that resolves to the IP address on the Internet port, then the DNS hostname address option should be selected.
Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted. Configure a tunnel to connect to the headquarters office To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Add New Tunnel tab at the top of the window.
Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on the CyberGuard SG appliance. For the vast majority of setups, this will be the default gateway interface to the Internet. In this example, select the default gateway interface option.
x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management).
In this example, select the be a route to the remote party option. Click the Continue button to configure the Local Endpoint Settings. Local endpoint settings Figure 9-15 Leave the Initiate the tunnel from this end checkbox checked.
ID must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG knowledge base web site (http://www.cyberguard.com/snapgear/knowledgebase.html) to determine what form it must take. In this example, enter: branch@office Leave the Enable IP Payload Compression checkbox unchecked.
Other options The following options will become available on this page depending on what has been configured previously: The next IP address on the interface the tunnel is to go on field is the next gateway IP address or nexthop along the previously selected IPSec interface. This field will become available if an interface other than the default gateway was selected for the tunnel to go out on.
If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG knowledge base web site (http://www.cyberguard.com/snapgear/knowledgebase.html) to determine what form it must take. In this example leave the field blank. Click the Continue button to configure the Phase 1 Settings.
Other options The following options will become available on this page depending on what has been configured previously: The remote party's DNS hostname address field is the DNS hostname address of the Internet interface of the remote party. This option will become available if the remote party has been configured to have a DNS hostname address.
TCGID The attribute/value pairs must be of the form attribute=value and be separated by commas. For example: C=US, ST=Illinois, L=Chicago, O=CyberGuard, OU=Sales, CN=SG550. It must match exactly the Distinguished Name of the remote party's local certificate to successfully authenticate the tunnel. This field appears when x.509 Certificates has been selected.
Phase 1 settings Figure 9-17 Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. Shorter values offer higher security at the expense of the computational overhead required to calculate new keys. For most applications 60 minutes is recommended.
Warning The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secret is not identical at both ends. The secret is a highly sensitive piece of information. It is essential to keep this information confidential. Communications over the IPSec tunnel may be compromised if this information is divulged.
Phase 2 settings page Figure 9-18 Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes.
Other options The following options will become available on this page depending on what has been configured previously: A separate section may appear to enter multiple Local Networks or Remote Networks or both. In the case where both local and remote parties have been configured to have multiple subnets behind them, a window similar to the following will be displayed.
Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet interface. In this example, select static IP address. Leave the Set the IPSec MTU to be checkbox unchecked. Click the Apply button to save the changes. Configuring a tunnel to accept connections from the branch office To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages, then click the Add New Tunnel tab at the top of the...
CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG knowledge base to determine what form it must take (http://www.cyberguard.com/snapgear/knowledgebase.html). Leave the Enable IP Payload Compression checkbox unchecked. Leave the Enable Phase 1 & 2 rekeying to be initiated from my end checkbox checked.
Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Secret used at the branch office CyberGuard SG appliance, which was: This secret must be kept confidential. Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option (same as the Branch Office Phase 1 Proposal).
Tunnel List Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection field will be shown. Note You may modify a tunnel’s settings by clicking on its connection name. Click Connection to sort the tunnel list alphabetically by connection name. Remote party The Remote Party which the tunnel is configured to connect to will be defined either by its Endpoint ID, IP Address or Distinguished Name.
Click Remote Party to sort the tunnel list by the remote party ID/name/address. Status Tunnels that use Automatic Keying (IKE) will have one of four states in the Status field. The states include the following: Down indicates that the tunnel is not being negotiated. This may be due to the following reasons: o IPSec is disabled.
Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use. Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations. This will include DES, 3DES and AES. Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations.
Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations. Connection Details lists an overview of the tunnel's configuration. It contains the following information: An outline of the tunnel's network setup. In this example, it is 192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24 Phase 1 and Phase 2 key lifetimes (ike_life and ipsec_life respectively).
The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to the Diffie Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has an id of 2).
Certificate Management x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Automatic Keying. The other methods are Preshared Secrets and RSA Digital Signatures. Certificates need to be uploaded to the CyberGuard SG appliance before they can be used in a tunnel.
To extract the local private key certificate, type the following at the Windows command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
.. where pkcs12_file is the PKCS#12 file issued by the CA and local_private_key.pem is the local private key certificate to be uploaded into the CyberGuard SG appliance. The application will prompt you to Enter Import Password.
4. Create the self-signed root CA certificate:
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
.. where DAYS_VALID is the number of days the root CA is valid for. Remove the -nodes option if you want to use a password to secure the CA key. For each certificate you wish to create, there are two steps: 1.
Adding certificates To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A window similar to the following will be displayed.
Adding a CA or CRL certificate Click the Add new CA or CRL Certificate tab. A window similar to the following will be displayed. Figure 9-23 Select whether a Certificate Authority or Certificate Revocation List certificate is to be uploaded from the Certificate Type pull down menu. Enter the Certificate Authority's Public Key certificate or CRL file in the Certificate File field.
Adding a local certificate 1. Click the Add new Local Certificate tab. A window similar to the following will be displayed. Figure 9-24 Enter the Local Public Key certificate in the Local Certificate field. Click the Browse button to select the file from the host computer. Certificates have time durations in which they are valid.
The certificate names will be displayed under the appropriate certificate type. Clicking the Delete button deletes the certificate from the CyberGuard SG appliance. Troubleshooting Symptom: IPSec is not running and is enabled. Possible Cause: The CyberGuard SG appliance has not been assigned a default gateway.
The remote party does not have a tunnel configured correctly because: o The tunnel has not been configured. o The Phase 1 proposals do not match. o The secrets do not match. o The RSA key signatures have been incorrectly configured. o The Distinguished Name of the remote party has not been configured correctly.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the CyberGuard SG appliance and remote party not recognising the need to renegotiate the tunnel.
Set up LMHOST files on remote hosts to resolve names to IP addresses. Symptom: Tunnel comes up but the application does not work across the tunnel. Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large. The application uses broadcast packets to work.
The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support the Generic Routing Encapsulation (GRE) protocol. You can build GRE tunnels to other CyberGuard SG appliances that support GRE, or to other devices such as Cisco equipment.
On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details: GRE Tunnel Name: Remote External Address: 195.45.67.8 Local External Address: Local Internal Address: Click Add. Click Add/Remove under Remote Networks and enter: Remote subnet/netmask: Click Add. The Brisbane end is now set up. On the Slough end, click GRE Tunnels from the VPN menu.
Click Add. Click Add/Remove under Remote Networks and enter: Remote subnet/netmask: Click Add. The GRE tunnel between the two networks is now set up. Tunnels may be Disabled, Deleted or Edited from the main table of GRE tunnels. A few further things of note are: GRE Tunnel Name Remote External Address This may also be in the form of a DNS name, e.g.
Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end. Click Apply and reboot the unit if prompted to do so. Note The alias IP addresses are essentially dummy addresses and can be anything that does not conflict with your existing network infrastructure.
Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below. Leave Local Internal Address blank, and check Place on Ethernet Bridge. GRE Tunnel Name: Remote External Address: 10.254.0.2 Local External Address: Local Internal Address: Place on Ethernet Bridge: Checked For the Brisbane end enter the IP addresses below.
Troubleshooting Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set up on the GRE tunnel to the remote network. Ensure that there is a route on the remote GRE endpoint to the network at this end of the GRE tunnel.
L2TP The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi-purpose network transport protocol. Many DSL ISPs use L2TP over ATM to create tunnels across the Internet backbone. The CyberGuard SG L2TP implementation can only run L2TP over Ethernet since it doesn't have an ATM adapter.
L2TP server The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then username and password pairs are created to allow users to log on. Note To increase security, L2TP VPN connections from Windows PCs are also run through an IPSec tunnel.
Date and Time Set date and time If you have a Javascript enabled web browser, you will be able to click the top Set Date and Time button to synchronize the time on the CyberGuard SG appliance with that of your PC.
Figure 10-1 Locality Select your region then select your location within said region. The system clock will subsequently show local time. Without setting this, the system clock will show UTC. Setting a time zone is only relevant if you are synchronizing with an NTP server or your CyberGuard SG appliance has a real time clock.
Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust. Each user on the CyberGuard SG appliance has a password that they use to authenticate themselves to the unit's web pages.
Administration A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. It should be given to trusted users who are permitted to configure and reconfigure the unit. Diagnostic The diagnostic access control allows a user to view status reports, the technical support report, the system log and other read only pages.
Internet access (via access controls) A user with this access control is permitted controlled access to the web through the CyberGuard SG appliance’s web proxy. See the Access control and content filtering section in the chapter entitled Firewall for details on controlling LAN users’ web access. Password The CyberGuard SG appliance’s administrative (root) password is used to restrict access to the Web Management Console web administration pages (Web Admin) and the...
Figure 10-3 Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page. System...
Advanced The options on the Advanced page are intended for network administrators and advanced users only. Warning Altering the advanced configuration settings may render your CyberGuard SG appliance inoperable. System log The system log contains debugging information that may be useful in determining whether all services for your CyberGuard SG appliance are operating correctly.
TFTP server. This method involves the following steps: 1. Download the appropriate .bin file. 2. Start up a TFTP server. Windows users can download a TFTP server program from: https://www.cyberguard.com/snapgear/downloads/tools/tftpd32j.zip Note Although we recommend it, this program is not supported by CyberGuard.
The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running. 3. In the Web Management Console web administration pages, click Advanced then Flash Upgrade. Enter the server IP Address (i.e. PC with the TFTP server and binary image) and the binary image’s filename.
SG appliance. This page provides basic troubleshooting tips, contact details for CyberGuard SG technical support, and links to the CyberGuard SG Knowledge Base (http://www.cyberguard.com/snapgear/knowledgebase.html) as shown in the following figure: Figure 10-4 The Technical Support Report page is an invaluable resource for the CyberGuard SG technical support team to analyze problems with your CyberGuard SG appliance.
Appendix A – IP Address Ranges IP ranges are fields that allow multiple IP addresses to be specified using a shorthand notation. Four distinct forms of range are acceptable:
1. a.b.c.d
2. a.b.c.d-e
3. a.b.c.d-e.f.g.h
4. a.b.c.d/e
The first is simply a single IP address. Thus wherever a range is permitted, a single IP address is too.
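As an added example (not code from the CyberGuard manual or appliance), the following Python parses all four range forms described above into an inclusive first/last address pair and checks whether an address falls inside one; the function names parse_ip_range, range_size and ip_in_range are my own.

```python
import ipaddress
import re

# Added example (not the CyberGuard appliance's own code): parse the four IP
# range forms accepted in range fields into an inclusive (first, last) pair.
#   1. a.b.c.d           a single address
#   2. a.b.c.d-e         a.b.c.d up to a.b.c.e (last octet only)
#   3. a.b.c.d-e.f.g.h   an explicit start and end address
#   4. a.b.c.d/e         a CIDR block
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_ADDR = rf"{_OCTET}(?:\.{_OCTET}){{3}}"


def parse_ip_range(text):
    """Return (first, last) IPv4Address objects for one range field."""
    s = text.strip()
    if re.fullmatch(rf"{_ADDR}/\d{{1,2}}", s):
        # Form 4. strict=False tolerates host bits in a.b.c.d, as a user is
        # likely to type the address of a machine rather than the network.
        net = ipaddress.ip_network(s, strict=False)
        return net.network_address, net.broadcast_address
    m = re.fullmatch(rf"({_ADDR})-({_ADDR})", s)
    if m:  # Form 3
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
    else:
        m = re.fullmatch(rf"({_ADDR})-({_OCTET})", s)
        if m:  # Form 2: replace only the last octet of the start address
            first = ipaddress.ip_address(m.group(1))
            prefix = m.group(1).rsplit(".", 1)[0]
            last = ipaddress.ip_address(f"{prefix}.{m.group(2)}")
        elif re.fullmatch(_ADDR, s):  # Form 1
            first = last = ipaddress.ip_address(s)
        else:
            raise ValueError(f"not a recognised IP range: {text!r}")
    if last < first:
        raise ValueError(f"range end precedes its start: {text!r}")
    return first, last


def range_size(text):
    """Number of addresses covered by the range field."""
    first, last = parse_ip_range(text)
    return int(last) - int(first) + 1


def ip_in_range(addr, text):
    """True if addr falls inside the range field, e.g. for an access-list check."""
    first, last = parse_ip_range(text)
    return first <= ipaddress.ip_address(addr) <= last


if __name__ == "__main__":
    for field in ("192.168.1.1", "192.168.1.10-20", "10.0.0.1-10.0.1.5", "192.168.1.77/24"):
        first, last = parse_ip_range(field)
        print(f"{field:>18} -> {first} .. {last} ({range_size(field)} addresses)")
```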
Appendix B – Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmetric Digital Subscriber Line. A technology allowing high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
Certificates A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.
Extranet A private network that uses the public Internet to securely share business information and operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company's intranet. Failover A method for detecting that the main Internet connection (usually a broadband connection) has failed and the CyberGuard SG appliance cannot communicate with the Internet.
IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with Dynamic DNS Dynamic DNS can be run on the IPSec endpoints, thereby creating an IPSec tunnel using dynamic IP addresses. IKE is a profile of ISAKMP that is for use by IPsec. It is often called simply IKE.
Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT. Net mask The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.
Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination. RSA Digital Signatures A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key pairs.
x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature. x.509 certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate.
Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default.
Commonly used interfaces are: eth0 eth1 pppX ipsecX The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar. Any traffic that does not match the exceptions however is dropped.
A typical Default Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 That is, a packet arriving from the WAN (IN=eth1) and bound for the CyberGuard SG appliance itself (OUT=<nothing>) from IP address 140.103.74.181 (SRC=140.103.74.181), attempting to go to port 139 (DPT=139, Windows file sharing) was dropped.
To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something like this:

iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix>

This will log any TCP (-p tcp) session initiations (--syn) that arrive from the IP address/netmask X.X.X.X/XX (-s ...) and are going to Y.Y.Y.Y/YY (-d ...), destination port Z (--dport). The rule is inserted (-I) at the head of the INPUT chain so that it is evaluated before the rules that accept or drop the packet; the LOG target does not itself accept or drop anything, so a matching packet is logged and then continues down the chain. The prefix is written at the start of the log message and is the easiest way to tell such entries apart from Default deny entries.
For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber on the LAN with address 192.168.1.1:

iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "

Because the mail server is on the LAN rather than on the appliance itself, this rule goes in the FORWARD chain rather than INPUT. Note also that a prefix containing spaces must be quoted. This will result in log output something like this:

<12>...
If we just wanted to look at traffic that went out to the IPSec world, we could use:

iptables -I FORWARD -j LOG -o ipsec+

Here ipsec+ matches any outgoing interface whose name begins with ipsec (ipsec0, ipsec1 and so on). Clearly there are many more combinations possible. It is therefore possible to write rules that log both inbound and outbound traffic, or to construct several rules that differentiate between the two.
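The Default deny entry and the prefixed LOG entries above share one format: a syslog timestamp, the logging process (klogd), an optional --log-prefix, and then the kernel's key=value fields with bare flag tokens such as DF and SYN. The following Python script is an added example that is not part of the manual or the appliance firmware: it parses such lines, distinguishes packets addressed to the appliance (empty OUT=) from forwarded packets, and tallies Default deny drops per source and destination port. The sample log is constructed: the first line reproduces the manual's Default deny entry (with the "OUT= MAC=" spacing restored), the second is a variant of it, and the third is an invented entry for the "Mail for flubber: " rule, since the manual truncates its real output.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not captured from a real appliance): the manual's
# Default deny entry, a variant on port 445, and an invented "Mail for flubber: "
# entry standing in for the output the manual truncates.
SAMPLE_LOG = """\
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 27 09:31:20 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46342 DF PROTO=TCP SPT=46112 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 27 09:31:25 2003 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7731 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Timestamp, logging process, free-form --log-prefix (possibly empty), then the
# kernel's key=value fields, which always start with IN=.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proc>\w+): (?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a dict for one LOG-target line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")  # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.add(tok)  # bare tokens: DF, SYN, ACK, FIN, ...
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
        "prefix": m.group("prefix"),
        "fields": fields,
        "flags": flags,
        # Empty OUT= means the packet was addressed to the appliance itself
        # (INPUT chain); otherwise it was being forwarded to another interface.
        "target": "appliance" if fields.get("OUT", "") == "" else "forwarded",
    }


def summarize(log_text):
    """Count Default deny drops per (SRC, PROTO, DPT) and tally every prefix seen."""
    drops = Counter()
    prefixes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prefixes[rec["prefix"]] += 1
        if rec["prefix"] == "Default deny:":
            f = rec["fields"]
            drops[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return {"drops": drops, "prefixes": prefixes}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (src, proto, dport), n in result["drops"].most_common():
        print(f"{n:4d} drop(s) from {src} to {proto}/{dport}")
    for prefix, n in result["prefixes"].items():
        print(f"{n:4d} entry(ies) with prefix {prefix!r}")
```

The same parser works on lines produced by any of the LOG rules in this section, because the prefix is captured as free text and everything after IN= is treated uniformly; a rule's prefix is therefore the natural key to group on when reviewing the log.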
Administrative Access Logging When a user tries to log onto the Web Management Console web administration pages, one of the following log messages appears:

Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2
Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2

This message shows the date/time, whether the authentication succeeded or failed, the user attempting authentication (in this case root) and the IP address from which the...
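Failed administrative logins are the entries worth watching, and a burst of them from one address followed by a success is the pattern a reviewer most wants to catch. The script below is an added example, not part of the manual or the appliance firmware: it parses the boa authentication messages shown above and raises an alert when one address accumulates a threshold of failures inside a time window, and again when that address then logs in successfully. The log is constructed for the example: the two lines from the manual plus an invented burst of failures from a second address, 10.0.0.9.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not captured from a real appliance): the manual's two boa
# messages plus an invented burst of failures from 10.0.0.9 ending in a success.
SAMPLE_AUTH_LOG = """\
Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2
Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2
Jan 30 03:05:00 2000 boa: Authentication attempt failed for root from 10.0.0.9
Jan 30 03:05:02 2000 boa: Authentication attempt failed for root from 10.0.0.9
Jan 30 03:05:04 2000 boa: Authentication attempt failed for root from 10.0.0.9
Jan 30 03:05:06 2000 boa: Authentication attempt failed for root from 10.0.0.9
Jan 30 03:05:10 2000 boa: Authentication successful for root from 10.0.0.9
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) boa: "
    r"Authentication (?P<result>successful|attempt failed) for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_auth(line):
    """Return a dict for one boa authentication message, or None for anything else."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
        "ok": m.group("result") == "successful",
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect(log_text, threshold=4, window_seconds=60):
    """Alert when an IP reaches `threshold` failures within `window_seconds`,
    and when an IP that reached that many recent failures then logs in."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Drop failures that have aged out of the sliding window.
        while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                               "user": ev["user"], "count": len(q), "time": ev["time"]})
            q.clear()  # a success ends the current run of failures
        else:
            q.append(ev["time"])
            if len(q) == threshold:  # alert once, when the threshold is first reached
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "count": len(q), "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(f"{a['time']:%b %d %H:%M:%S} {a['type']}: {a['count']} failure(s) "
              f"for {a['user']} from {a['ip']}")
```

The threshold and window are assumptions chosen for the example; on a device where only a handful of administrators ever log in, a lower threshold is reasonable, and a success_after_failures alert should be treated as a possible compromise of the administrative password rather than as noise.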
Appendix D – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgrade, it is important that you save a backup of your existing configuration (Advanced -> Store/restore all configuration files) to a local file. While we make every effort to ensure your existing configuration will work with the new firmware, compatibility problems sometimes arise.
If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration as a guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to, e.g. at a remote or client's site, we strongly recommend that following the upgrade, you reset the device to its factory default configuration and reconfigure as a matter of course.