GNU General Public License (GPL) and will make all required source code available. If you would like a copy of the GPL source code contained in Allied Telesis products, please send us a request by registered mail including a check for US$15 to cover production and shipping costs and a CD with the GPL code will be mailed to you.
Advanced Network Protection

Contents
Introduction .......... 5
Products and Software Versions that apply to this Guide .......... 6
Related Documents .......... 7
Licensing .......... 8
Feature Overview .......... 9
Intrusion Prevention System (IPS) .......... 10
Anti-virus .......... 13
IP Reputation .......... 14
Malware Protection .......... 16
Web Control .......... 17
URL filtering .......... 20
UTM Offload .......... 22
Selecting a Security Solution ..........
How to Discover which Web Control Categories Website URLs Belong to .......... 42
Configuring Web Control with Firewall Enabled .......... 43
Configuring URL filtering .......... 45
How to Use URL Filtering .......... 45
Configuring URL Filtering .......... 48
Setting up and Configuring UTM Offload .......... 53
Setting up UTM Offload .......... 53
About the Offload Image .......... 55
Configuring UTM Offload on VMware ESXi Server .......... 56
...
Introduction
This guide describes the Advanced Network Protection features on AR-Series UTM firewalls AR4050S and AR3050S and how to configure them. It also describes the performance effects when various combinations of advanced security features are in use. AlliedWare Plus Advanced Network Protection features provide the first line of defense against a wide range of malicious content.
Products and Software Versions that apply to this Guide
This guide applies to AlliedWare Plus™ products that support Advanced Network Threat Protection features, running version 5.4.5 and later. To see whether your AR-Series UTM Firewall supports a particular feature or command, see the following documents: ...
UTM Offload
Version 5.4.8-1.2 supports UTM Offload (AR4050S only).
Logging
Version 5.4.7-1.x assigns facility local5 for all log messages generated by firewall UTM features. Version 5.4.7-1.x and later support firewall connection logging.
Related Documents
The following documents give more information about related features on AlliedWare Plus products: ...
Licensing
The AR-Series UTM firewalls have two subscription licensing options for the advanced security features. The following table shows the features included in those licenses, and whether they are proxy or stream-based processes:
License Type | Features included
Base | Intrusion Prevention System (IPS)
Next-Gen Firewall (NGFW) |
Feature Overview
This section provides a brief description of each of the Advanced Network Protection features available on the AR-Series UTM firewalls.
Intrusion Prevention System (IPS)
IPS is a stream-based intrusion detection and prevention system that is positioned at the perimeter of a network and effectively protects the network security.
The pattern files are frequently updated (some are updated multiple times a day) and made available for download on the Allied Telesis update server. The AR-Series UTM firewalls automatically check the Allied Telesis download server for new updates to pull down.
Once threats or attacks are detected, the IPS engine can take the following actions:
Alert: generate a log message (default action)
Deny: drop matching packets
The firewall is used in conjunction with the IPS engine. The IPS engine is the first line of defense and it captures the traffic before it reaches the firewall.
AlliedWare Plus IPS supports the following key IPS features:
Basic Operation
IPS protection is disabled by default
IPS is deployed in stream mode
IPS processing occurs before the firewall
Configuration
All categories have a default action of alert
...
Anti-virus
This feature is supported from AlliedWare Plus version 5.4.5 or later. AlliedWare Plus™ Anti-virus provides the first line of defense against a wide range of malicious content, guarding against threats such as viruses, Trojans, worms, spyware and adware. In addition to protecting the local network by blocking threats in inbound traffic, it also prevents compromised hosts or malicious users from launching attacks.
IP Reputation
This feature is supported from AlliedWare Plus version 5.4.5 or later. IP Reputation uses Emerging Threats' ET Intelligence to identify and categorize IP addresses that are known sources of spam, viruses and other malicious activity. This can improve the success of Intrusion Prevention System (IPS) by reducing false positives.
Figure 1: IP Reputation (diagram: traffic probes on the Internet feed a threat analysis service, which assigns each IP address a category, such as spammer or bot, and a score; for example IP address A score 30, IP address B score 40, IP address C score 20)
Malware Protection
AlliedWare Plus Malware Protection is supported from AlliedWare Plus version 5.4.5 or later. Stream-based Malware Protection scans traffic in real time as it traverses the device for known malware and blocks the traffic once a threat has been detected. AlliedWare Plus Malware Protection provides the first line of defense against a wide range of malicious content.
Web Control
Web Control is supported in version 5.4.5 or later. AlliedWare Plus Web Control provides a new level of service for business productivity management, compliance and web security. It offers an easy way to monitor and control the types of websites viewed by employees.
In the case of HTTPS, if the server name indicator (SNI) is present in the TLS handshake exchange, it is extracted and sent to the URL classifier engine for categorization. The SNI only includes the hostname of the website, not the full path of the URL requested.
Figure 2: Web Control block action (diagram: Users, Router, Web Servers, Digital Arts Active Rating System)
Figure 3: Web Control allow action (diagram: Users, Router, Web Servers, Digital Arts Active Rating System)
C613-22104-00 REV B
Kaspersky. If Kaspersky-sourced lists are being used, the device will automatically download list updates from the Allied Telesis update server. URL Filtering provides a fast, efficient (stream-based) method of blocking web traffic from locations that are known to be undesirable.
are not visible for processing. Instead the domain name specified in TLS SNI (Transport Layer Security Server Name Indication) for each HTTPS request is used as the URL for matching. The SNI field is contained within the Client Hello message supplied during the TLS handshake when a client web browser first attempts to access a secure HTTPS server website.
UTM Offload
UTM Offload is supported in version 5.4.8-1.2 or later on the AR4050.
How does UTM Offload work?
UTM Offload enables some security and threat protection features (IPS, IP Reputation, Malware Protection, and URL Filtering) to be offloaded to a secondary physical or virtual machine that is automatically managed by the AR4050S.
The AR4050S automatically manages the offload device for you. You don't need to configure the offload device, as configuration and the status of all features is presented the same whether offloaded or not. See also "Setting up and Configuring UTM Offload"...
Selecting a Security Solution
This section describes in more detail the following:
"Proxy Versus Stream-based Security Processing" on page 24
"Packet Flow Architecture" on page 25, including UTM CPU processing requirements
...
By the nature of its operation, proxy-based scanning provides the best detection, and is equivalent to desktop computer based anti-virus systems. However, it is also more memory and CPU resource-intensive, and therefore inherently slower than stream-based scanning. A single-user connection to a single website can potentially involve managing multiple simultaneous sessions.
Firstly, let's take a look at the basic security architecture.
Figure 5: Firewall proxy and stream processing order (diagram; stage labels: IP Rep, Malware Protection, Filtering, Stream, Forwarding, DPI decoding engine, Application control, Firewall, Shaping, Anti-virus, Proxy engine, Proxy)
matches. For example, an HTTP/1.1 GET request containing a URL would be processed via the URL filtering rule-set within the Suricata engine, whereas an IP data stream not containing a URL would not be matched against the URL filtering rule-set.
UTM CPU processing requirements
As each security function is enabled, the additional processing cost results in fewer CPU processing cycles being available to be dedicated to packet forwarding, so overall throughput can be...
Selecting a UTM Firewall
Use this section to select the appropriate UTM firewall router platform to meet your network security and forwarding performance requirements. Each network is different, so we recommend fully auditing your current network application traffic flows, and assessing your network security and performance requirements, as part of your platform selection process.
internal hosts. This method of security is inherently more secure than stream-based scanning. However, this reduces the number of concurrent connections per second and the recommended number of users.
Features required for each scenario
The following table shows the features to use to support each scenario, and the licenses that contain each feature:
LICENSE...
The following table offers some guidelines for estimating the performance each UTM Firewall will experience under each scenario described above.
| APPLICATION-AWARE FIREWALL | REAL-TIME THREAT PROTECTION | HIGH SECURITY GATEWAY | AGGREGATION AND WEB CONTROL
Firewall throughput | Throughput (Enterprise | Throughput (Enterprise...
Network administrators are allowed to statically configure any number of their own black-listed and white-listed URLs. Web Control is a proxy-based web-categorization service. This feature uses an external categorization service to provide real-time protection. The list of malicious and phishing websites is constantly updated in real time by the categorization service provider.
downloaded and scanned, whereas Malware Protection scans content as it passes through, so that the data is not held up waiting for the download to complete. As soon as Malware Protection detects a threat within a stream of data, it immediately stops forwarding any more of the stream. However, Malware Protection does not have the ability to serve an 'Access Denied'...
In most situations, a single rule to masq any traffic from LAN to WAN is sufficient, without the need to configure NAT masq rules for each individual application. There may typically also be a few NAT port forwarding rules configured to allow external application traffic from the Internet to the public IP address to be translated to reach the internal addresses of internal servers.
Configuring Intrusion Prevention System (IPS)
This is an example of how to configure IPS. By default, IPS protection is disabled; you need to explicitly enable it. To show the list of built-in categories that AlliedWare Plus IPS supports, use the command:
awplus#show ips categories
Enter the IPS mode.
Configuring Anti-virus
This section provides an example of how to configure Anti-virus. By default, Anti-virus protection is disabled and you need to explicitly enable it.
Step 1: Enter the Antivirus mode.
awplus#configure terminal
awplus(config)#antivirus
Step 2: Set the provider and enable Anti-virus protection.
awplus(config-antivirus)#provider kaspersky
awplus(config-antivirus)#protect...
Configuring IP Reputation
This section shows an example of how to configure IP Reputation. By default, IP Reputation protection is disabled and you need to explicitly enable it.
Step 1: Enter the IP Reputation mode.
awplus#configure terminal
awplus(config)#ip-reputation
Set the IP Reputation database provider.
Configuring Malware Protection
This section shows an example of how to configure Malware Protection. By default, Malware Protection is disabled and you need to explicitly enable it.
Step 1: Enter the Malware Protection Configuration mode.
awplus#configure terminal
awplus(config)#malware-protection
Set the provider and enable Malware Protection.
Configuring Web Control
This section provides examples of how to configure web control:
"How to Configure Basic Web Control" on page 38
"How to Configure Web Control Default Action Per-entity" on page 40
...
provider categorization. If a URL or website matches custom criteria, then the URL will not be further sent for categorization by the provider criteria. The provider performs the categorization of URLs into the appropriate category, so there is no need to configure specific match criteria for predefined categories.
How to Configure Web Control Default Action Per-entity
The default action to take on uncategorized websites and categorized websites that do not hit any user-defined Web Control filter rules is to deny access to the website. However, if there are multiple firewall entities configured in the device (such as multiple firewall zones), then you may wish to configure different default actions for each individual entity for any URLs that do not match filter rules.
Figure 8: Web Control for more than one entity (diagram: hosts behind the firewall reaching the Internet; category banned blocked, category art permitted, category sports permitted, other sites blocked)
Example 3
The following shows how to configure two firewall entities, with a different default action being applied for each entity.
awplus(config-category)#match youtube
awplus(config-category)#match movies
awplus(config-category)#match gambling
awplus(config-category)#category art
awplus(config-category)#match contemporary
awplus(config-category)#match classic
awplus(config-category)#category sports
awplus(config-category)#match rugby
Step 5: Create rules for the categories.
awplus(config-category)#rule 10 permit art from marketing.research
awplus(config-web-control)#rule 20 permit sports from marketing.research
awplus(config-web-control)#rule 30 deny any from marketing.research
awplus(config-web-control)#rule 40 deny banned from admin.payroll
awplus(config-web-control)#rule 50 permit any from admin.payroll...
awplus#web-control categorize http://www.ebay.com http://www.amazon.com
http://ebay.com ==> 54 (Online Auctions)
http://www.amazon.com ==> 55 (Online Shopping)
You can inquire about HTTPS URLs:
awplus#web-control categorize https://reddit.com/r/nfl
https://reddit.com ==> [Social Bookmarks(31)] [Forums(63)]
Enable web control and control access to categories
Step 2: Enable web control.
For example, the firewall rule below permits the HTTP traffic (containing the categorization request) originating from the UTM firewall external interface (located within the public zone) to reach the Digital Arts ARS.
awplus(config-firewall)#rule permit http from PUBLIC.EXTERNAL.INTERFACE to PUBLIC
For more information about firewall rules and zone, network, or host entities see the Firewall and...
Configuring URL filtering
This section describes how to use, configure and monitor URL filtering. For more information about the URL Filtering feature, see "URL filtering" on page
How to Use URL Filtering
To use URL filtering, you can either use: ...
Details of the content of custom lists
A custom list is an ASCII formatted text file containing zero or more single-line pattern matches. So far, we have looked at the general syntax of the entries in these files. Here we look in more detail at the rules governing the content of these files: ...
Limits
URL filtering is limited to 1000 custom whitelist and 1000 custom blacklist rules, spread over any number of list files.
Configuring URL Filtering
URL filtering is turned on by configuring a whitelist that uses a custom file, a blacklist that uses a custom file, or blacklisting that uses the Kaspersky service.
Using multiple whitelists and blacklists
The AR-Series firewalls support pattern checking against multiple whitelists and multiple blacklists. Multiple custom whitelists or blacklists can be configured and checked as follows:
awplus(config)#url-filter
awplus(config-url-filter)#blacklist blacklist1.txt
awplus(config-url-filter)#blacklist blacklist2.txt
awplus(config-url-filter)#blacklist blacklist3.txt
awplus(config-url-filter)#whitelist whitelist1.txt
awplus(config-url-filter)#whitelist whitelist2.txt...
Rules for processing lists
The order of processing of lists is:
First: whitelists
Second: custom blacklists
Third: Kaspersky-provided blacklists
The matching logic is that as soon as a URL matches an entry in a list that it is being compared against, then comparing stops and the relevant action (allow, if the match occurs in a whitelist, or deny if the match occurs in a blacklist) is taken.
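The processing order above, together with the 1000-rule limit per custom list type from the Limits section, is easy to get wrong when several list files are in play, so here is an added example (not the device's own code) that implements that decision logic over constructed list contents. The entry syntax is an assumption for the demonstration: one shell-style glob pattern per line, matched against the whole URL. The guide does not state what happens to a URL that matches nothing; the example assumes it is allowed, and says so in the returned reason.

```python
from fnmatch import fnmatchcase

MAX_CUSTOM_ENTRIES = 1000   # guide: 1000 custom whitelist + 1000 custom blacklist rules, across all files


def load_list(text):
    """Parse a custom list file: one pattern per line, blank lines ignored (assumed syntax)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


class UrlFilter:
    """First match wins, checked in the order whitelists, custom blacklists, Kaspersky blacklists."""

    def __init__(self, whitelists, custom_blacklists, kaspersky_blacklists=()):
        self.whitelists = [load_list(t) for t in whitelists]
        self.custom_blacklists = [load_list(t) for t in custom_blacklists]
        self.kaspersky_blacklists = [load_list(t) for t in kaspersky_blacklists]
        # The limit is per list type across every file, not per file.
        for name, lists in (("whitelist", self.whitelists), ("blacklist", self.custom_blacklists)):
            total = sum(len(entries) for entries in lists)
            if total > MAX_CUSTOM_ENTRIES:
                raise ValueError(f"custom {name} rules: {total} exceeds {MAX_CUSTOM_ENTRIES}")

    def decide(self, url):
        """Return (action, reason); reason names the list and pattern that decided."""
        for idx, patterns in enumerate(self.whitelists):
            for pat in patterns:
                if fnmatchcase(url, pat):
                    return "allow", f"whitelist[{idx}]:{pat}"
        for label, groups in (("custom-blacklist", self.custom_blacklists),
                              ("kaspersky-blacklist", self.kaspersky_blacklists)):
            for idx, patterns in enumerate(groups):
                for pat in patterns:
                    if fnmatchcase(url, pat):
                        return "deny", f"{label}[{idx}]:{pat}"
        return "allow", "no-match (assumed default)"


# Constructed sample list files (not real list contents).
WHITELIST1 = "http://intranet.example/*\nhttp://*.example.org/downloads/*\n"
BLACKLIST1 = "http://*.example.org/*\nhttp://gamble.example/*\n"
KASPERSKY1 = "http://phish.example/*\n"


def build_sample_filter():
    return UrlFilter([WHITELIST1], [BLACKLIST1], [KASPERSKY1])


if __name__ == "__main__":
    f = build_sample_filter()
    for url in ("http://www.example.org/downloads/tool.zip",   # whitelist beats the broader blacklist
                "http://www.example.org/news",                 # custom blacklist
                "http://phish.example/login",                  # provider blacklist
                "http://other.example/"):                      # no entry matches
        print(url, "->", f.decide(url))
```

The first sample URL is the instructive one: it is covered by the custom blacklist entry `http://*.example.org/*`, but the more specific whitelist entry is checked first, so it is allowed. Operationally this means a whitelist entry is a hole through every blacklist, including the provider's, and should be as narrow as the traffic you actually need to exempt.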
Updating lists
Updating the Kaspersky blacklist
When subscribed to the Kaspersky URL Filter service, updates to the Kaspersky blacklist will be made available. By default URL filtering checks for updates to the Kaspersky blacklist every hour. You can configure the update interval via the update-interval command in url-filter configuration mode.
Monitoring URL Filtering
The show url-filter command displays a summary of the state of URL filtering, including the provider state, and counts of entries in each provided list. Any lists that contain too many entries to load will be noted here.
Setting up and Configuring UTM Offload
Setting up UTM Offload
The following steps, described in more detail below, are required to set up UTM Offload:
Purchase, download, and install the UTM Offload license on the AR4050S
...
The AR4050S manages the offload device and offloads traffic automatically.
Setting up the offload device
The offload device can be any physical computer or virtual machine (VM). To use the UTM Offload feature, there must be a direct Ethernet connection from the forwarding device (AR4050S) to the offload device.
About the Offload Image
The Allied Telesis Next Generation Firewall Appliance (AFA) software release is the image that is automatically downloaded and installed into the UTM Offload device. The offload image is downloaded from the Update Server by the forwarding device and used to network boot the offload device.
Configuring UTM Offload on VMware ESXi Server
Many enterprises today have bare-metal hypervisor technology such as VMware ESXi Server running on powerful server hardware locally, to provide business critical applications and resources. This is a great use case for UTM Offload, as businesses can utilize already existing hardware, simply by creating a new VM instance (virtual machine), to provide throughput improvements with the AR4050S while using the Advanced Threat Protection feature set.
Note: The offload device must have an unused serial port.
From the Select a name and guest OS page, enter a unique Name. Use the drop down boxes to select Compatibility, Guest OS family, and Guest OS version.
From the Select storage page, select the datastore for your configuration.
From the Customize settings page, configure the Virtual Hardware and VM Options. Select Serial port.
Select Connect. Check the settings and click Finish.
Click Play.
Expand the Networking drop down menu and select the vSwitch that attaches to the UTM Offload device and set the MTU to be 1600 bytes.
Security Considerations
In all use cases UTM Offload should be deployed on a physically secured network because data traffic between the forwarding device and offload device has no additional security applied.
Configuring Firewall and NAT allowing UTM Offload on the AR4050S
The following is a simple configuration for firewall and NAT allowing UTM Offload.
Configuration notes
Rule 30 will allow the device to access the Update Manager.
...
UTM Offload Glossary
Forwarding device (AR4050S): The device that intercepts packets, sends them to the offload device for processing and finally forwards the packets when they return. It also manages the configuration of the offload device.
...
Logging
This section gives a brief summary of what you can log in AlliedWare Plus devices, including how to read AlliedWare Plus log messages, followed by details about logging for each of the UTM features, and a simple configuration example.
...
Reading Log Messages
Log messages generated by AlliedWare Plus show information in the following format:
<date> <time> <facility>.<severity> <hostname> <program>[<pid>]: <message>
Table 3: Elements in log messages
ELEMENT | DESCRIPTION
<date> | The date and time when the log message was generated, according to the device's clock.
...
For each specific UTM feature, particular information will be generated in the log messages, as described below.
IPS Log Messages
IPS log messages have severity 'info' (6). The message part includes information in the following format:
<action>...
IP Reputation Log Messages
IP Reputation log messages have severity 'info' (6). The message includes information in the following format:
<action> IPREP: <alert-msg> (URL:<url>) <protocol> <source-ip>:<source-port> -> <dest-ip>:<dest-port>
Table 6: Elements in IP Reputation log messages
Message element | Description
<action> | The action applied by the IP reputation feature;...
antivirus: Unable to scan <url> to <client-ip>: <reason>
antivirus: Unable to allocate memory to scan <url> to <client-ip>
antivirus: Max scan depth exceeded for <url> to <client-ip>
All the above Anti-virus log messages have severity level 'warning' (4).
Table 11: Elements in Anti-virus log messages
Message element | Description
...
New connection log messages include information in the following format for a newly started firewall connection:
NEW proto={tcp|udp|icmp|...|<number>} orig_src={<ipv4-addr>|<ipv6-addr>} orig_dst={<ipv4-addr>|<ipv6-addr>} [orig_sport=<source-port>] [orig_dport=<dest-port>] reply_src={<ipv4-addr>|<ipv6-addr>} reply_dst={<ipv4-addr>|<ipv6-addr>} reply_sport=<source-port> reply_dport=<dest-port>
Closed connection log messages include information in the following format for a firewall connection that has ended:
END proto=[tcp|udp|icmp|...|<protocol-number>] orig_src={<ipv4-addr>|<ipv6-addr>} orig_dst={<ipv4-addr>|<ipv6-addr>} [orig_sport=<source-port>]...
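Because the Reading Log Messages format and the NEW/END connection message format above are both regular, they are straightforward to parse for a SIEM or for ad-hoc incident review. The following is an added example, not code from the guide or the product, that splits a syslog-style line into the documented elements (date, time, facility, severity, hostname, program, pid, message) and then decodes connection messages into their key=value fields. The sample lines are constructed: the date layout, the program names `firewall` and `antivirus`, the pids and all addresses are assumptions, while the facility `local5`, the severities and the message shapes follow the guide. The NAT classification at the end relies on the original/reply tuple semantics of Linux connection tracking, which the field names suggest but the guide does not state; treat it as an assumption.

```python
import re

# <date> <time> <facility>.<severity> <hostname> <program>[<pid>]: <message>
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) "
    r"(?P<hostname>\S+) (?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = """\
2019-01-10 12:34:56 local5.info awplus firewall[1234]: NEW proto=tcp orig_src=192.168.1.10 orig_dst=203.0.113.50 orig_sport=51234 orig_dport=443 reply_src=203.0.113.50 reply_dst=198.51.100.7 reply_sport=443 reply_dport=51234
2019-01-10 12:35:01 local5.info awplus firewall[1234]: END proto=udp orig_src=192.168.1.10 orig_dst=192.168.1.1 orig_sport=5353 orig_dport=53 reply_src=192.168.1.1 reply_dst=192.168.1.10 reply_sport=53 reply_dport=5353
2019-01-10 12:35:02 local5.warning awplus antivirus[777]: antivirus: Unable to scan http://files.example/big.iso to 192.168.1.22: timeout
"""


def parse_log_line(line):
    """Split one AlliedWare Plus style log line into its elements, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def parse_log_lines(text):
    """Parse every non-empty line; lines that do not match the format are dropped."""
    return [r for r in (parse_log_line(l) for l in text.splitlines() if l.strip()) if r]


def parse_connection_message(message):
    """Decode a NEW/END firewall connection message into a dict of its key=value fields.
    Returns None for any other message (e.g. an Anti-virus warning)."""
    state, _, rest = message.partition(" ")
    if state not in ("NEW", "END"):
        return None
    fields = {"state": state}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            return None        # a token without '=' means this is not a connection record
        fields[key] = value
    return fields


def nat_kind(conn):
    """Assumption: conntrack semantics, where the reply tuple is the post-NAT inverse of the
    original tuple. A changed source (orig_src != reply_dst) means source NAT / masquerade;
    a changed destination (orig_dst != reply_src) means destination NAT / port forwarding."""
    snat = conn.get("orig_src") != conn.get("reply_dst")
    dnat = conn.get("orig_dst") != conn.get("reply_src")
    if snat and dnat:
        return "snat+dnat"
    if snat:
        return "snat"
    if dnat:
        return "dnat"
    return "none"


if __name__ == "__main__":
    for rec in parse_log_lines(SAMPLE_LOGS):
        conn = parse_connection_message(rec["message"])
        if conn:
            print(rec["time"], conn["state"], conn["proto"],
                  f"{conn['orig_src']}:{conn.get('orig_sport', '-')} -> {conn['orig_dst']}:{conn.get('orig_dport', '-')}",
                  "nat=" + nat_kind(conn))
        else:
            print(rec["time"], rec["program"], rec["severity"].upper(), rec["message"])
```

The Anti-virus line is deliberately included: its severity is warning, as the guide states for the "Unable to scan" family, and it is exactly the kind of record an analyst should not lose among the far more numerous NEW/END connection records, which is why the parser keeps it as a generic record rather than discarding it.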