CyberGuard SG300 User Manual

CyberGuard SG™
User Manual
CyberGuard
7984 South Welby Park Drive #101
Salt Lake City, Utah 84084
Email: support@cyberguard.com.au
Web: www.cyberguard.com
Revision 3.1.2
December 20th, 2005


Summary of Contents for CyberGuard SG300

  • Page 1 CyberGuard SG™ User Manual CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@cyberguard.com.au Revision 3.1.2 Web: www.cyberguard.com December 20th, 2005...
  • Page 2: Table Of Contents

    Contents Introduction....................1 CyberGuard SG Gateway Appliances (SG3xx, SG5xx Series) ......1 CyberGuard SG Rack Mount Appliances (SG7xx Series) ........4 CyberGuard SG PCI Appliances (SG6xx Series) ..........7 Document Conventions ..................10 Getting Started..................11 CyberGuard SG Gateway Appliance Quick Setup ..........12 CyberGuard SG Rack Mount Appliance Quick Setup .........
  • Page 3 DHCP Server ..................... 111 Web Cache ......................116 QoS Traffic Shaping ..................123 IPv6........................125 Firewall ....................126 Incoming Access....................126 Web Server......................128 Customizing the Firewall..................130 Definitions ......................131 Packet Filtering ....................134 Network Address Translation (NAT) ..............137 Connection Tracking..................
  • Page 4 Printer Troubleshooting ..................242 USB Network Devices and Modems..............243 System....................244 Date and Time ....................244 Backup/Restore Configuration................245 Users ......................... 248 Management...................... 252 Diagnostics ......................255 Advanced......................256 Reboot and Reset....................259 Flash upgrade....................260 Configuration Files..................... 262 Support ......................263 Appendix A –...
  • Page 5: Introduction

    CyberGuard SG appliance on your existing or new network using the web management console (Getting Started). This chapter provides a high level overview to familiarize you with your CyberGuard SG appliance’s features and capabilities. CyberGuard SG Gateway Appliances (SG3xx, SG5xx Series)
  • Page 6 It is separated both physically and by the firewall, in order to shield your LAN from external traffic. The CyberGuard SG appliance allows you to establish a virtual private network (VPN). A VPN enables remote workers or branch offices to connect securely to your LAN over the public Internet.
  • Page 7 Flashing: Network traffic on the Wireless network interface. DMZ Activity: Flashing: Network traffic on the DMZ network interface. Serial Activity: Flashing: For either of the CyberGuard SG appliance COM ports, these LEDs indicate receive and transmit data. The CyberGuard SG appliance has switched to a backup device...
  • Page 8: Cyberguard Sg Rack Mount Appliances (Sg7Xx Series)

    Ethernet switches as standard, and the option for two additional gigabit ports (SG710+). In addition to providing all of the features described in CyberGuard SG Gateway Appliances earlier in this chapter, it equips central sites to securely connect hundreds of mobile employees and branch offices.
  • Page 9 Failover: The CyberGuard SG appliance has switched to the backup Internet connection. High Avail: The CyberGuard SG appliance has switched to a backup device. Online: An Internet connection has been established. Note: If H/B does not begin flashing 20 – 30 seconds after power is supplied, refer to Appendix E, Recovering From a Failed Upgrade.
  • Page 10 Rear panel The rear panel contains a power switch and a power inlet for an IEC power cable. Additionally, the SG710+ has two gigabit Ethernet ports (E and F). Specifications Internet link Two 10/100baseT Ethernet ports (C, D) Two GbE ports (E, F – SG710+ only) Serial port Online status LEDs (Online, Failover) Ethernet link and activity status LEDs...
  • Page 11: Cyberguard Sg Pci Appliances (Sg6Xx Series)

    SG PCI appliance is not intended as a means for your entire office LAN to be connected to, and shielded from, the Internet. Installing a CyberGuard SG PCI appliance in each network connected PC gives it its own independently manageable, enterprise-grade VPN server and firewall, running in isolation from the host operating system.
  • Page 12 One IP address is used to manage the CyberGuard SG appliance via the web management console. The other is the host PC's IP address, which is configurable through the host operating system, identically to a regular NIC. This is the IP address that other PCs on the LAN see.
  • Page 13 Top left (Network activity): Flashing: Data is being transmitted or received. Bottom left (Network link): The CyberGuard SG appliance is attached to the network. Note: If Heart beat does not begin flashing shortly after power is supplied, refer to Appendix D, Recovering From a Failed Upgrade.
  • Page 14: Document Conventions

    Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights important issues. Bold text in procedures indicates text that you type, or the name of a screen object (e.g. a menu or button). Introduction...
  • Page 15: Getting Started

    If you are setting up a CyberGuard SG gateway appliance (SG3xx, SG5xx series) proceed to CyberGuard SG Gateway Appliance Quick Setup. If you are setting up a CyberGuard SG rack mount appliance (SG7xx series) proceed to CyberGuard SG Rack Mount Appliance Quick Setup.
  • Page 16: Cyberguard Sg Gateway Appliance Quick Setup

    Power is ON when power is applied (use only the power adapter packaged with the unit). System/Heart Beat/TST flashes when the CyberGuard SG appliance is running. Initially, all appliance models except for the SG300 also have all other front panel LEDs flashing.
  • Page 17 PC’s network interface card using the supplied network cable. Note At this point, if you attach the CyberGuard SG appliance directly to a LAN with an existing DHCP server, or a PC running a DHCP service, it will automatically obtain an additional address.
  • Page 18 Note If there is more than one existing network connection, select the one corresponding to the network interface card to which the CyberGuard SG appliance is attached. Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> your network card name if there are multiple entries) and click Properties.
  • Page 19 Note If you are unable to browse to the CyberGuard SG appliance at 192.168.0.1, or the initial username and password are not accepted, press the black Reset/Erase button on the CyberGuard SG appliance’s rear panel twice, wait 20 – 30 seconds, then try again.
  • Page 20 DHCP server. The CyberGuard SG appliance’s DHCP server automatically configures the network settings of PCs and other hosts on your LAN. Changes to the CyberGuard SG appliance’s LAN configuration do not take effect until the quick setup wizard has completed.
  • Page 21 LAN that are set to automatically obtain network settings are assigned an address from this range, and instructed to use the CyberGuard SG appliance as their gateway to the Internet and as their DNS server for Internet domain name resolution.
  • Page 22 Set up the CyberGuard SG appliance’s Internet connection settings First, attach the CyberGuard SG appliance to your modem device or Internet connection medium. If necessary, give the modem device some time to power up. Select your Internet connection type and click Next. The options displayed differ depending on the connection type selected.
  • Page 23 This page will only display if you are setting up the SG560, SG565 or SG580. Otherwise skip to the next step. By default, the CyberGuard SG appliance’s switch A behaves as a conventional switching hub. However, it may be configured so that each port behaves as if it were physically separate from the others.
  • Page 24 CyberGuard SG appliance and the Internet. Connect the CyberGuard SG appliance to your LAN if you haven’t already done so. If you are setting up the SG300, connect PCs and/or your LAN hub directly to its LAN switch.
  • Page 25 If you do not want to use a DHCP server, proceed to Manual configuration of your LAN. Automatic configuration of your LAN: By selecting Manual Configuration for the CyberGuard SG appliance’s LAN connection, and supplying a DHCP Server Address Range, the CyberGuard SG appliance’s DHCP server is already set up and running.
  • Page 26 Automatic configuration of your LAN using an existing DHCP server: If you chose to have the CyberGuard SG appliance Obtain LAN IP address from a DHCP server on LAN, it is strongly recommended that you add a lease to your existing DHCP server to reserve the IP address you chose for the CyberGuard SG appliance’s LAN connection.
  • Page 27: Cyberguard Sg Pci Appliance Quick Setup

    Enter the following details: IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance’s LAN connection (if using the default settings, 192.168.0.2 – 192.168.0.254). Subnet mask is the subnet mask of the CyberGuard SG appliance’s LAN connection (if using the default settings, 255.255.255.0).
  • Page 28 CyberGuard SG appliance. Note Power is ON when power is applied. H/B (heart beat) flashes when the CyberGuard SG appliance is running. Each of the network ports has two LEDs indicating link, activity and speed. In its factory default state, the four status LEDs next to Power flash.
  • Page 29 Connect the supplied power cable to the power inlet on the rear panel of the CyberGuard SG appliance and turn on the rear panel power switch. Connect one of the ports of network switch A (A1 – A4) directly to your PC’s network interface card using the supplied network cable.
  • Page 30 Note If you are unable to browse to the CyberGuard SG appliance at 192.168.0.1, or the initial username and password are not accepted, press the black Erase button on the CyberGuard SG appliance’s front panel twice, wait 20 – 30 seconds, then try again.
  • Page 31 Enter and confirm a password for your CyberGuard SG appliance. This is the password for the user root, the main administrative user account on the CyberGuard SG appliance. It is therefore important that you choose a password that is hard to guess, and keep it safe.
  • Page 32 LAN that are set to automatically obtain network settings are assigned an address from this range, and instructed to use the CyberGuard SG appliance as their gateway to the Internet and as their DNS server for Internet domain name resolution.
  • Page 33 To use the CyberGuard SG appliance’s built-in DHCP server (recommended), proceed to Automatic configuration of your LAN. If your LAN already has a DHCP server that you will use instead of the CyberGuard SG appliance’s built-in DHCP server, proceed to Automatic configuration of your LAN using an existing DHCP server.
  • Page 34 Automatic configuration of your LAN using an existing DHCP server: If you chose to have the CyberGuard SG appliance Obtain LAN IP address from a DHCP server on LAN, it is strongly recommended that you add a lease to your existing DHCP server to reserve the IP address you chose for the CyberGuard SG appliance’s LAN connection.
  • Page 35 Enter the following details: IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance’s LAN connection (e.g. if using the default settings, 192.168.0.2 –...
  • Page 36 Perform these steps for each PC on your network. Set up the CyberGuard SG appliance’s Internet connection settings Choose a port on the CyberGuard SG appliance for your primary Internet connection. Port C is used in this guide. Attach Port C to your modem device or Internet connection medium.
  • Page 37 Unpack the CyberGuard SG appliance Check that the CyberGuard SG CD is included with your appliance: On the CyberGuard SG appliance is a single 10/100 network port, a Reset button and four LEDs (lights). The LEDs provide information on the operating status of your CyberGuard SG appliance.
  • Page 38 PC and the LAN, transparently filtering network traffic. If you want to set up your CyberGuard SG appliance for NAT mode or to connect directly to your ISP, refer to the User Manual on the CyberGuard SG CD (\doc\UserManual.pdf).
  • Page 39 If you are unable to connect to the management console at 192.168.0.1, or the initial username and password are not accepted, press the Reset button on the CyberGuard SG appliance’s rear panel twice, wait 20 – 30 seconds, and try again.
  • Page 40 The purpose of this step is to configure the IP address for the web management console. For convenience, this is generally a free IP address on your LAN. If your LAN has a DHCP server running, you may set up the CyberGuard SG appliance and your PC to obtain their network settings automatically. Proceed to Automatic configuration.
  • Page 41 Check DHCP assigned. Anything in the IP Address and Subnet Mask fields is ignored. Click Update. Click Start -> (Settings ->) Control Panel and double click Network Connections. Right click on Local Area Connection (or appropriate network connection for the newly installed PCI appliance) and select Properties.
  • Page 42 Check Obtain an IP address automatically, check Obtain DNS server address automatically and click OK. Attach your CyberGuard SG appliance’s Ethernet port to your LAN’s hub or switch. Quick setup is now complete. Manual configuration Ensure you have two free IP addresses that are part of the subnet range of your LAN, and ensure you know your LAN’s subnet mask, and the DNS server address and...
  • Page 43 You may also enter one or more DNS Server(s) and a Gateway address to be used by the CyberGuard SG appliance, not your PC, for access to the Internet. Typically this is not necessary, as only your PC needs to access the Internet.
  • Page 44 Quick setup is now complete. Disabling the reset button on your CyberGuard SG PCI appliance For convenience, the CyberGuard SG appliance ships with the rear panel Reset button enabled. This allows the CyberGuard SG appliance’s configuration to be reset to factory defaults.
  • Page 45: The Cyberguard Sg Management Console

    From a network security standpoint, it may be desirable to disable the Reset switch after initial setup has been performed. This is accomplished by removing the jumper linking CON2 on the CyberGuard SG appliance. This jumper is labeled Remove Link to Disable Erase.
  • Page 46 Backup/restore configuration Hover your mouse over the black backup/restore icon on the top right hand side of the screen to display the date on which configuration changes were last backed up. Click the icon to backup or restore backed up configuration; see the Backup/Restore section of the chapter entitled System for details.
  • Page 47: Network Setup

    A wireless interface may be configured to connect to your LAN, DMZ or an untrusted LAN. If you are using a CyberGuard SG gateway or rack mount appliance, the section Set up the PCs on your LAN to access the Internet in the chapter entitled Getting Started describes how to configure the PCs on your LAN to share the connection once your Internet connection has been established.
  • Page 48: Multifunction Vs. Fixed-Function Ports

    Before beginning configuration of multifunction ports, you should determine which function you are assigning to each of the ports. Proceed to the section pertaining to your CyberGuard SG appliance for information on its network ports and possible configurations. SG710, SG710+: Multifunction Switches and Ports...
  • Page 49 These per-port configuration scenarios are accomplished using VLANs (virtual local area networks). For documentation concerning the advanced use of the VLAN capability of your CyberGuard SG appliance, refer to the sections entitled VLANs and Port based VLANs towards the end of this chapter.
  • Page 50: Direct Connection

    To assign network settings statically, enter an IP Address and Subnet Mask. If you are using the CyberGuard SG appliance in its default, network address translation mode, (see Network address translation in the Advanced section of this chapter), this is typically part of a private IP range, such as 192.168.0.1 / 255.255.255.0.
  • Page 51 To have your CyberGuard SG appliance obtain its LAN network settings from an active DHCP server on your local network, check DHCP assigned. Note that anything in the IP Address, Subnet Mask and Gateway fields is ignored. You may also enter one or more DNS servers. Multiple servers may be entered separated by commas.
  • Page 52 Address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed. However, you may need to change it if your ISP has configured your ADSL or cable modem to only communicate with a device with a known MAC address.
  • Page 53: Adsl

    If you have not already done so, connect the appropriate network port of your CyberGuard SG appliance to your DSL modem. Power on the DSL modem and give it some time to initialize. If fitted, ensure the Ethernet link LEDs are illuminated on both the CyberGuard SG appliance and DSL modem.
  • Page 54 ISP instructed you to obtain an IP address dynamically. If your ISP has given you an IP address or address range, you must Manually Assign Settings. If you are unsure, you may let the CyberGuard SG appliance attempt to Auto detect ADSL connection type. Note that the CyberGuard SG appliance is unable to detect the PPTP connection type.
  • Page 55 DSL connections are not generally metered by time, this is not generally necessary. PPTP To configure a PPTP connection to your ISP, enter the PPTP Server IP Address and a Local IP Address and Netmask for the CyberGuard SG network port through which you are connecting to the Internet. Network Setup...
  • Page 56 The Local IP address is used to connect to the PPTP server and is not typically your real Internet IP address. You may also enter a descriptive Connection Name if you wish. Click Finish or Update. DHCP DHCP connections may require a Hostname to be specified, but otherwise all settings are assigned automatically by your ISP.
  • Page 57 Click the Edit icon then the Connection tab for the connection for which you wish to enable dial on demand. Check Dial on Demand. Idle Time (minutes) is the number of minutes the CyberGuard SG appliance waits after the connection becomes idle before disconnecting. Max Connection Attempts specifies the number of times the CyberGuard SG appliance attempts to connect should the dial up connection fail.
  • Page 58: Cable Modem

    If you have not already done so, connect the appropriate network port of your CyberGuard SG appliance to your cable modem. Power on the cable modem and give it some time to initialize. If fitted, ensure the Ethernet link LEDs are illuminated on both the CyberGuard SG appliance and cable modem.
  • Page 59: Dialout And Isdn

    Terminal Adapter (TA). A TA connects into your ISDN line and has either a serial or Ethernet port that is connected to your CyberGuard SG appliance. Do not plug an ISDN connection directly in to your CyberGuard SG appliance.
  • Page 60: Dialin

    For instructions, refer to the section entitled Dial on Demand further on in this chapter. Port settings If necessary, you may set the CyberGuard SG appliance’s serial port Baud rate and Flow Control. This is not generally necessary. Static addresses The majority of ISPs dynamically assign an IP address to your connection when you dialin.
  • Page 61 Enter a free IP Address for Dial-In Clients, this must be a free IP address from the network (typically the LAN) that the remote user is assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address for Dial-In Server pull down menu.
  • Page 62 RADIUS or TACACS+ server. Click Update. Connecting a dialin client Remote users can dial in to the CyberGuard SG appliance using the standard Windows Dial-Up Networking software or similar. The following instructions are for Windows 2000/XP. Network Setup...
  • Page 63 Click Start, Settings, Network and Dial-up Connections and select Make New Connection. The network connection wizard guides you through setting up a remote access connection: Click Next to continue. Select Dial-up to private network as the connection type and click Next to continue. Network Setup...
  • Page 64 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Click Next to continue. Select the option Only for myself to make the connection only available for you. This is a security feature that does not allow any other users who log onto your machine to use this remote access connection. Network Setup...
  • Page 65: Failover, Load Balancing And High Availability

    If you did not create a desktop icon, click Start -> Settings -> Network and Dial-up Connections and select the appropriate connection. Enter the username and password set up for the CyberGuard SG appliance dialin account.
  • Page 66 Internet gateway for your network should the primary CyberGuard SG appliance fail Note CyberGuard SG appliance models SG300, SG530 and SG550 are limited to Internet availability configurations using a single broadband Internet connection and a single dialout or ISDN connection.
  • Page 67: Internet Failover

    If you are using a CyberGuard SG appliance model SG560, SG565 or SG580, you may want to skip ahead to the section entitled Port Based VLANs later in this chapter, for information on establishing multiple broadband connections. Once the Internet connections have been configured, specify the conditions under which the Internet connections are established.
  • Page 68 Custom (advanced users only) allows you to enter a custom console command to run to determine whether the connection is up. This is typically a script you have written and uploaded to the CyberGuard SG appliance. Always Up means no test is performed, and Internet failover is disabled for this connection.
  • Page 69 Times to attempt this connection is the number of times to try a connection before giving up. Once the CyberGuard SG appliance has given up trying this connection, manual intervention is required to re-establish it. Click Next to configure settings specific to the Test Type.
  • Page 70 Ping Interval is the time to wait in between sending each ping; Failed Pings is the number of missed ping replies before this connection attempt is deemed to have failed. Click Finish. Modify failover levels (primary, secondary, tertiary): The second and final step of configuring Internet failover is associating Internet connections with the primary, secondary and optionally tertiary connection levels.
  • Page 71: Internet Load Balancing

    First, configure the Primary connection level. If you have a single Internet connection only, setting it to Enabled or Required has the same effect. For failover to occur, you must then configure at least the secondary connection level. Click Finish. This returns you to the main Connection Failover page.
  • Page 72 The Internet connections need not be the same, e.g. you can perform load balancing between a PPPoE ADSL connection on one network port, and a Cable Internet connection on the other. Enabling load balancing Under the Failover & H/A tab, click Modify Levels. Check Load Balance for each connection to enable for load balancing.
  • Page 73: High Availability

    High Availability Just as Internet failover keeps a redundant Internet connection on stand-by should the primary connection fail, high availability allows a second CyberGuard SG appliance to provide network connectivity should the primary SG appliance fail. High availability is accomplished with two CyberGuard SG appliances on the same network segment which provide some identical network service (such as Internet access) to other hosts on that network segment.
  • Page 74 You may use either the supplied script, /bin/highavaild, to manage the shared address, or you may write your own script, possibly based on /bin/highavaild. Note /bin/highavaild is a Tcl script. The CyberGuard SG appliance uses TinyTcl, which provides a fairly extensive subset of regular Tcl’s features. Documentation is available from: http://tinytcl.sourceforge.net/...
  • Page 75 If you do not specify an alias, the script automatically selects eth0:9. -d enables extra debug output to the system log. -n disables the High Availability or HA LED, if it is present on your CyberGuard SG appliance. Note...
  • Page 76: Dmz Network

    DMZ Network Note: Not available on the SG300, SG530, SG550 or CyberGuard SG PCI appliances. A DMZ (demilitarized zone) is a physically separate LAN segment, typically used to host servers that are publicly accessible from the Internet. Servers on this segment are isolated so that a compromise of one of them does not expose your LAN.
  • Page 77 Connection towards the beginning of this chapter. Services on the DMZ network Once you have configured the DMZ connection, configure the CyberGuard SG appliance to allow access to services on the DMZ. There are two methods of allowing access. If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services.
  • Page 78: Guest Network

    The intended usage of Guest connections is for connecting to a Guest network, i.e. an untrusted LAN or wireless network. Machines connected to the Guest network must establish a VPN connection to the CyberGuard SG appliance in order to access the LAN, DMZ or Internet.
  • Page 79 Machines on the Guest network typically have addresses in a private IP address range, such as 192.168.2.0 / 255.255.255.0 or 10.2.0.0 / 255.255.0.0. For network address translation (NAT) purposes, the Guest connection is considered a LAN interface, i.e. the NAT checkboxes for LAN interfaces under Advanced modify settings for both LAN connections and Guest connections.
  • Page 80: Wireless

    802.11b (11 Mbit/s) or 802.11g (54 Mbit/s) capable wireless clients. Typically, the CyberGuard SG appliance’s wireless interface is configured in one of two ways: with strong wireless security (WPA) to bridge wireless clients directly onto your LAN, or with weak wireless security as a Guest connection. The latter requires wireless clients to establish a VPN tunnel on top of the wireless connection to access the LAN, DMZ and Internet, to compensate for the security vulnerabilities WEP poses.
  • Page 81 (ACL) and advanced settings. These settings are described in the following section. Note A walkthrough for configuring your CyberGuard SG appliance to bridge wireless clients directly onto your LAN is provided in the section entitled Connecting wireless clients, towards the end of the Wireless section.
  • Page 82 ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a wireless network. This value is case sensitive, and may be up to 32 alphanumeric characters. Broadcast ESSID: Enables broadcasting of the ESSID. This makes this wireless network visible to clients that are scanning for wireless networks.
  • Page 83 If Security Method is set to None, any client is allowed to connect, and there is no data encryption. Warning: If you use this setting, then it is highly recommended that you configure the wireless interface as a Guest connection, disable bridging between clients, and only allow VPN traffic over the wireless connection.
  • Page 84 WEP Key Length: This sets the length of the WEP keys to be entered below. It is recommended to use 128 bit keys if possible. WEP Key: Enter up to 4 encryption keys. These must be either 10 hexadecimal digits (0 –...
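The following is an added example, not code from the CyberGuard SG manual, showing why pages 80, 83 and 84 class WEP as weak security. WEP encrypts each 802.11 frame with RC4 keyed by a 24-bit IV (sent in clear) prepended to the shared key of 40 or 104 bits, which the WEP Key field takes as 10 or 26 hex digits. Two frames encrypted under the same IV use the same RC4 keystream, so their ciphertexts XOR to the XOR of their plaintexts, and a known plaintext for one frame then exposes the other. The RC4 implementation, key, IV and frames below are constructed for the demonstration only.

```python
"""Added example (not from the CyberGuard SG manual): WEP keystream reuse.

WEP = RC4(IV || shared key) XOR plaintext, with a 24-bit IV sent in clear.
With only 2**24 IVs the keystream repeats quickly, and two frames under the
same IV leak the XOR of their plaintexts.  Everything here is constructed.
"""
import math
from typing import Optional

IV_BITS = 24                      # WEP IV length: only 2**24 distinct values exist


def parse_wep_key(hex_key: str) -> bytes:
    """Accept the two sizes the manual's WEP Key field allows:
    10 hex digits (40-bit, "64-bit WEP") or 26 hex digits (104-bit, "128-bit WEP")."""
    if len(hex_key) not in (10, 26):
        raise ValueError("WEP key must be 10 or 26 hexadecimal digits")
    return bytes.fromhex(hex_key)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA); here only to illustrate WEP, never for real use."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: IV in clear, then RC4(IV||key) XOR plaintext.
    The CRC-32 integrity value WEP appends is omitted; it adds no protection here."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Eavesdropper's view, no key needed: if two captured frames carry the same
    IV, XOR of the ciphertexts equals XOR of the plaintexts (None if IVs differ)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def recover_with_known_plaintext(frame_a: bytes, known_plain_a: bytes,
                                 frame_b: bytes) -> Optional[bytes]:
    """Knowing frame A's plaintext (e.g. a predictable header) and seeing an IV
    collision yields frame B's plaintext outright."""
    leak = keystream_reuse_leak(frame_a, frame_b)
    return None if leak is None else xor_bytes(leak, known_plain_a)


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound: about sqrt(pi * N / 2) random IVs before the first repeat,
    N = 2**24, i.e. a few thousand frames, which a busy AP sends in minutes."""
    return math.sqrt(math.pi * 2 ** IV_BITS / 2)


if __name__ == "__main__":
    key = parse_wep_key("0123456789abcdef0123456789")   # constructed 104-bit key
    iv = bytes([0x4A, 0x1F, 0x03])                       # constructed IV
    plain_a = b"user=alice&pass=hunter2"                 # constructed plaintexts
    plain_b = b"user=bob&pass=letmein!!"
    frame_a = wep_encrypt(key, iv, plain_a)
    frame_b = wep_encrypt(key, iv, plain_b)              # same IV: keystream reuse
    print("recovered:", recover_with_known_plaintext(frame_a, plain_a, frame_b))
    print("frames until an IV repeats: %.0f" % expected_frames_until_iv_repeat())
```

The recovery needs no key material at all, only two captured frames with equal IVs, which is why the manual pairs a weak wireless setting with a Guest connection and a VPN rather than relying on WEP.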
  • Page 85 When the Access Control List is disabled (Disable Access Control List), any wireless client with the correct ESSID (and encryption key if applicable) can connect to the wireless network. For additional security, you can specify a list of MAC addresses (network hardware addresses) to either allow or deny. Note that MAC addresses are transmitted in clear and are easily changed on most client hardware, so an ACL only raises the bar slightly and is no substitute for WPA or a VPN.
  • Page 86 Advanced: To edit advanced settings, click the Edit icon alongside the Wireless network interface, click the Wireless Configuration tab, then the Advanced tab. Region: Select the region in which the access point is operating. This restricts the allowable frequencies and channels. If your region is not listed, select a region that has similar regulations.
  • Page 87 Preamble Type: The preamble is part of the physical wireless protocol. Using a short preamble can give higher throughput. However, some wireless clients may not support short preambles. Enable RTS: RTS (Request to Send) is used to negotiate when wireless clients can transmit.
  • Page 88 LAN interfaces. The result of this configuration would be similar to attaching a wireless access point in bridge mode to one of the CyberGuard SG appliance’s LAN ports. Individual settings and fields are detailed earlier in the Wireless section.
  • Page 89 Select Allow authentication for MACs in the Access Control List and click Apply. Add the MAC address of each wireless client you wish to allow to connect. Click Advanced. Ensure the Region has been set appropriately. You may also restrict the Protocol to 802.11b only or 802.11g only if you wish.
  • Page 90 Under the main table, select Bridge and click Add. Select your wired LAN connection from the Existing Interface Configuration pull down box. This is the address to share between the interfaces. Click Next. Network Setup...
  • Page 91: Bridging

    If your LAN interface was previously configured to obtain an IP address automatically from a DHCP server, the CyberGuard SG appliance now uses the MAC address of the wireless device when obtaining an IP address. You may have to update your DHCP server accordingly.
  • Page 92 Add. Once this bridge interface has been added, it appears on the Network Setup page under the Connections tab, along with the CyberGuard SG appliance’s other network interfaces. When network interfaces are bridged, they all share a common configuration for the network connection.
  • Page 93 Existing Interface Configuration pull down menu. Click Next. Note As the CyberGuard SG appliance automatically directs network traffic, hosts on either side do not need to specify this IP address as a gateway to the networks connected to the bridge.
  • Page 94 This usually only occurs when the unit first boots, or the bridge configuration is modified. This delay allows the CyberGuard SG appliance’s bridge to begin learning which hosts are connected to each of the bridge’s interfaces, rather than blindly sending network traffic out all network interfaces.
  • Page 95: Vlans

    VLANs. Further, this means that VLANs should not be used for security unless you trust all the devices on the network segment. A typical use of VLANs with the CyberGuard SG appliance is to enforce access policies between ports on an external switch that supports port-based VLANs.
  • Page 96 Note Additionally, switch A on the SG560, SG565 and SG580 (but not the SG710 or SG710+) supports port based VLANs. One benefit of this feature is that you are able to assign individual functions to each of the ports on the switch, e.g. you might decide to use port A2 to connect to a DMZ, and port A3 as a second Internet connection.
  • Page 97: Port Based Vlans

    The CyberGuard SG appliance may also participate on an existing VLAN. When you add a VLAN interface to connect to the existing VLAN, you may associate it with one or more of the CyberGuard SG appliance’s ports.
  • Page 98 Typically, a tagged VLAN interface is used when you want to join an existing VLAN on the network, and an untagged VLAN interface is used when you are using the port based VLAN feature to isolate the ports so that you can configure each of them individually. Limitations of port based VLANs: There are a few further limitations to keep in mind when using port based VLANs: The total bandwidth from the switch into the CPU is 100Mbps, which is shared...
  • Page 99 The following settings pertain to port based VLANs: Enable port based VLANs: Check to enable port based VLANs. Default port based VLAN ID: As the default VLAN is always untagged, typically you only need to change this from the default setting of 2 if you want another port to participate on an existing tagged VLAN with the ID of 2.
  • Page 100 Some Cisco equipment uses tagged VLAN 1 for its own purposes. We therefore recommend setting the default VLAN ID to 2 or greater for tagged VLANs, unless you intend for the CyberGuard SG appliance and Cisco equipment to interact over tagged VLAN 1.
  • Page 101: GRE Tunnels

    GRE Tunnels The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support the Generic Routing Encapsulation (GRE) protocol. You can build GRE tunnels to other CyberGuard SG appliances that support GRE, or to other devices such as Cisco equipment.
  • Page 102 Ensure Enable is checked and enter a descriptive GRE Tunnel Name for this tunnel. Enter the address of the remote GRE endpoint in Remote Address, e.g. the Internet IP address of a remote CyberGuard SG appliance. Enter the address of the local GRE endpoint in Local Address. This is typically a free address on your main LAN.
  • Page 103 Ensure the alias address is not part of the network to bridge across the tunnel (in this example, it mustn’t be part of 192.168.0.0 / 24), and not on the same network as any of the CyberGuard SG appliance’s other interfaces. Note The alias IP addresses are essentially dummy addresses and can be anything that does not conflict with your existing network infrastructure.
  • Page 104 Create an IPSec tunnel between Brisbane and Slough. Select IPSec from the VPN section of the main menu and click New. For a complete overview of all available options when setting up an IPSec tunnel, refer to the IPSec section earlier in this chapter. Take note of the following important settings: Set the local party as a single network behind this appliance.
  • Page 105: Routes

    To configure the CyberGuard SG appliance’s advanced routing features, click the Routes tab on the Network Setup page. Static routes Here you may add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatically by the CyberGuard SG appliance configuration scripts.
  • Page 106 Zebra routing daemon and/or the RIP, BGP or OSPF routing protocol attempt configuration of this feature. Advanced users may configure the CyberGuard SG appliance to automatically manage its routing tables, exchanging routes with other routers using RIP, BGP or OSPF protocol.
  • Page 107 If a comment character is not the first character of the word, it's a normal character. In the example below, ! is not regarded as a comment and the password is set to zebra!password: password zebra!password In these examples, ! denotes a descriptive comment, and # indicates a configuration line that is currently commented out, that you may want to uncomment depending on your network setup.
  • Page 108 ! Enable the RIP routing process router rip ! Define interfaces which exchange RIP messages over network eth0 #network eth2 ! Define neighbor routers to exchange RIP with if disabling multicast above in zebra.conf, or neighbors don't have multicast enabled #neighbor 192.168.45.238 #neighbor 192.168.45.231 ! Redistribute routing information for interfaces with RIP...
  • Page 109 OSPF Note This example is adapted from the LARTC (Linux Advanced Routing & Traffic Control) dynamic routing howto, available from: http://lartc.org/howto/ LARTC is an invaluable resource for those wanting to learn about and take advantage of the advanced routing capabilities of Linux systems. OSPF stands for Open Shortest Path First, and some of its principal features are: Networks are grouped by areas, which are interconnected by a backbone area which will be designated as area 0.
  • Page 110 The CyberGuard SG is configured to exchange routes with the routers named Atlantis, Legolas and Frodo. Ensure you have enabled OSPF under Route Management, then open zebra.conf and ospfd.conf for editing as described in the Route management section. In zebra.conf, enter:...
  • Page 111 ! Uncomment and set telnet/vty passwords to enable telnet access on port 2604 #password changeme #enable password changeme ! Instruct ospfd about our network topology router ospf network 192.168.0.0/24 area 0 network 172.17.0.0/16 area 1 Restart route management to enable the updated configuration – uncheck Enable route management, click Update, check Enable route management and click Update.
  • Page 112 Ensure you have enabled BGP under Route Management, then open zebra.conf and bgpd.conf for editing as described in the Route management section. In zebra.conf, enter: hostname cyberguard-sg ! Uncomment and set telnet/vty passwords to enable telnet access on port 2602...
  • Page 113: System

    Hostname The Hostname is a descriptive name for the CyberGuard SG appliance on the network. It is also used as the SNMP sysName field. By default, this is set to the model name of your CyberGuard SG appliance, e.g. SG710.
  • Page 114: DNS

    SNMP sysContact field. Device location You may also enter a short description of the physical location of the CyberGuard SG appliance for use as the SNMP sysLocation field. To configure the CyberGuard SG appliance’s DNS settings, click the DNS tab on the Network Setup page.
  • Page 115: DHCP Server

    Check Enable DNS proxy to enable this feature. If you are using the CyberGuard SG appliance’s DHCP server, you may also check Update DNS with local DHCP leases. This allows the CyberGuard SG appliance’s DNS proxy to look up the names of devices that have requested IP addresses.
  • Page 116 To configure your CyberGuard SG appliance as a DHCP server, you must set a static IP address and netmask on the network interface on which you want the DHCP server to run; see the Direct Connection section of the chapter entitled Network Connections.
  • Page 117 Optionally enter a Domain Name suffix to issue DHCP clients. Optionally enter IP address of the WINS server to be distributed to DHCP clients in the WINS Address field. Enter the Default Lease Time and Maximum Lease Time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must re-request it.
  • Page 118 Reserved: the address is reserved for the particular host defined by hostname and MAC address Free: the address is available to be handed out to any DHCP client host Taken: the address has been issued to a host Adding and removing addresses Under Add/Remove Dynamic IP Addresses, enter the IP address or IP address range and click Add or Remove.
  • Page 119 0. DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would.
  • Page 120: Web Cache

    Note SG565, SG575, SG635 and CyberGuard SG rack mount appliances only. Web browsers running on PCs on your LAN can use the CyberGuard SG appliance’s proxy-cache server to reduce Internet access time and bandwidth consumption. A proxy-cache server implements Internet object caching. This is a way to store requested Internet objects (i.e., data available via HTTP, FTP, and other protocols) on a...
  • Page 121 Check Enable to enable the web cache. Selecting a cache size Select the amount of memory (RAM) on the CyberGuard SG appliance to be reserved for caching Internet objects. The maximum amount of memory you can safely reserve depends on what other services the CyberGuard SG appliance has running, such as VPN or a DHCP server.
  • Page 122 Create a new user account: Note We recommend that you create a special user account to be used by the CyberGuard SG appliance for reading and writing to the network share. If you have an existing account or wish to make the network share readable and writeable by everyone, you may skip the next step.
  • Page 123 Select this account, or Everyone if you are not securing the network share with a username and password, and check Allow next to Full Control. Click OK and OK again to finish. Set the CyberGuard SG appliance to use the network share Network Setup...
  • Page 124 If you allowed Full Control to Everyone, you may leave these blank. Peers The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web caches. Web caches communicate using the Internet Cache Protocol (ICP). ICP is used to exchange hints about the existence of URLs in neighbour caches.
  • Page 125 Enter 3128 in Port, select Bypass proxy for local addresses and click OK. ICAP client The CyberGuard SG appliance’s ICAP client allows you to utilise a third-party ICAP server as an intermediary between LAN PCs browsing the web and/or traffic incoming from the web.
  • Page 126 Check Enable ICAP functionality to enable the ICAP features of the CyberGuard unit's web cache. ICAP REQMOD server is the URL for an ICAP server's REQMOD service. This allows an ICAP server to modify web transaction requests, i.e. to process as they are being initially requested by the LAN PC, e.g.
  • Page 127: QoS Traffic Shaping

    Transparent web cache with access control You may choose to have the web cache and access controls, including content filtering and anti-virus, operate transparently. Transparent operation filters and caches web traffic regardless of whether or not the clients on the LAN have specified an HTTP proxy in their web browsers.
  • Page 128 Traffic shaping provides a level of control over the relative performance of various types of IP traffic. The traffic shaping feature of your CyberGuard SG appliance allows you to allocate High, Medium, or Low priority to services such as domain (tcp), domain (udp), ftp, ftp-data, http, https, imap, irc, nntp, ntp, pop3, smtp, ssh, and telnet.
  • Page 129: IPv6

    Check Enable Traffic Shaping, select a Default priority and click Submit to enable this feature. The Default priority is assigned to all network services other than those specifically added below. To add a service, click New then New again. Select the Protocol and Port on which this service runs.
  • Page 130: Firewall

    Firewall The CyberGuard SG appliance is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access, so that PCs on local networks can have tailored Internet access facilities while being shielded from malicious attacks from external networks.
  • Page 131 Administration services The following figure shows the Administration Services page: By default the CyberGuard SG appliance runs a web administration server, a Telnet and an SSH service. Access to these services can be restricted to specific interfaces. Typically, access to the web management console (Web/SSL Web) is restricted to hosts on your local network (LAN Interfaces).
  • Page 132: Web Server

    You can also select to Accept echo request (incoming port) on Internet interfaces. The default is to disallow echo requests, so your CyberGuard SG appliance does not respond to pings on its Internet interfaces. This may make it more difficult for external attackers scanning for hosts to discover your CyberGuard SG appliance.
  • Page 133 Not available on the SG300, SG530, SG570 or SG630. To enable SSL support on the CyberGuard, an RSA x509 certificate as well as its private key are required. These may be uploaded to the CyberGuard SG appliance, or you may choose to have the CyberGuard SG appliance create a self-signed certificate.
  • Page 134: Customizing The Firewall

    Click Browse to locate the Local Certificate (RSA x509 certificate) and its corresponding Private Key Certificate Create SSL certificates To create a self-signed certificate on the CyberGuard SG appliance, click the Create SSL certificates tab. Warning When accessing the web management console using HTTPS, your web browser may give warnings/errors about the authenticity/validity of the certificate.
  • Page 135: Definitions

    A typical use of NAT rules is to forward packets destined for your Internet IP address to an internal web server or email server on your LAN. This is known as a port forward, or destination NAT as it alters the destination address of the packet. The first step in creating packet filter or NAT rules, is to define services (such as web or email) and addresses (such as your internal web server, or a trusted external host) under Definitions.
  • Page 136 Click the Addresses tab. Any addresses that have already been defined are displayed. Click New to add a new address, or select an existing address and click Modify. There is no need to add addresses for the CyberGuard SG appliance’s interfaces; these are predefined.
  • Page 137 Interfaces Packets may also be matched by incoming and outgoing Interface. You may group the CyberGuard SG appliance network interfaces into Interface Groups, to simplify your firewall ruleset. Select the interfaces to group and enter a descriptive Name (required). Click Finish.
  • Page 138: Packet Filtering

    Packet Filtering Packet filter rules match traffic based on a combination of the source and destination address, incoming and outgoing interface, and destination service. Matched packets may be allowed or disallowed. Packet filter rules Click Packet Filter Rules. Click New to add a new filter rule. Any rules that have already been defined are displayed; you may Edit or Disable/Enable these rules by clicking the appropriate icon.
  • Page 139 None means to perform no action for this rule. This is useful for a rule that logs packets, but performs no other action. The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. Set this to None to match traffic destined for the CyberGuard SG appliance itself.
  • Page 140 The Log option controls whether to log the first packet of the connection to the CyberGuard SG appliance’s system log. You may enter a Log Prefix to make it easier to identify which rules are being matched when inspecting the system log.
  • Page 141: Network Address Translation (NAT)

    Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address. This is the type of NAT used by the CyberGuard SG appliance to masquerade your private network behind its public IP address.
  • Page 142 Click Port Forwarding. Any rules that have already been defined are displayed; you may Edit or Disable/Enable these rules by clicking the appropriate icon. Click New to add a new rule. You may also add a new rule above an existing one by clicking the Add Above icon, or below with Add Below.
  • Page 143 SSH to the CyberGuard SG appliance itself, which runs an SSH server on port 22. So a remote user connects to port 2222 on CyberGuard SG appliance’s Internet address in order to access port 22 of barry’s server.
  • Page 144 Source Address The address from which the request originated (for port forwarding you may specify this to restrict the internal service to be only accessible from a specific remote location) Note When adding a rule, you may either use Predefined addresses or services that have been added under Definitions, or click New to manually enter an address or service.
  • Page 145 Check one or both of IMAP4 (E-Mail) if your server supports IMAP mail retrieval and POP3 (E-Mail) if your server supports POP3 mail retrieval. Enter smtp in Other TCP Ports. This is the protocol remote clients use for sending mail via the server.
  • Page 146 Enter your internal email server’s IP address in To Destination Address. Click Finish. Configure mail clients on the Internet with the CyberGuard SG appliance’s Internet IP address as the server to use for sending (SMTP) and receiving (POP3 or IMAP) mail. If your CyberGuard SG appliance has a dynamic Internet IP address, consider using a dynamic DNS server;...
  • Page 147 Source NAT Source NAT alters the source address of packets received by the CyberGuard SG appliance. This is typically used for fine tuning the CyberGuard SG appliance’s masquerading behaviour. See the Masquerading section later in this chapter for information on altering the basic masquerading relationships between your CyberGuard SG appliance’s interfaces.
  • Page 148 The destination service port or ports of the request The next field describes how matching packets should be altered. To Source Address The address to replace the Source Address, this is typically a public address of the CyberGuard SG appliance, i.e. Internet or Outgoing Interface Address Note When adding a rule, you may either use Predefined addresses or services that have been added under Definitions, or click New to manually enter an address or service.
  • Page 149 You may also add a new rule above an existing one by clicking the Add Above icon, or below with Add Below. Note The first matching rule determines the action for the network traffic, so the order of the rules is important. You can use the Move Up and Move Down icons to change the order. The rules are evaluated top to bottom as displayed on screen.
  • Page 150 Masquerading Masquerading is a form of source network address translation (NAT). It translates many addresses (such as private LAN IP addresses) into a single address (such as the external Internet IP address). Masquerading has the following advantages: All machines on the local network can access the Internet using a single ISP account.
  • Page 151 Any UPnP capable applications or devices that you require to make use of the UPnP Gateway need to be connected to the CyberGuard SG appliance via this interface. The UPnP Gateway listens on this interface to requests from UPnP capable applications and devices to establish port forwarding rules.
  • Page 152 Configuring UPnP rules from Windows XP Once UPnP is running on the CyberGuard SG appliance, you may configure UPnP port forwarding rules from a local Windows XP PC. Ensure the Windows PC’s Default gateway is set to the CyberGuard SG appliance’s UPnP Internal interface.
  • Page 153: Connection Tracking

    External Port number for this service and the Internal Port number for this service. Select whether the service uses the TCP or UDP protocol. Click OK. This rule now appears on the CyberGuard SG appliance UPnP page, under Current UPnP Port Mappings. Connection Tracking Connection tracking keeps a record of what packets have passed through the unit, and how they relate to each other.
  • Page 154: Intrusion Detection

    Intrusion Detection Note The SG300, SG530, SG550, SG560, SG570 and SG630 provide Basic Intrusion Detection and Blocking only. The CyberGuard SG appliance provides two intrusion detection systems (IDS): the lightweight and simple-to-configure Basic Intrusion Detection and Blocking, and the industrial strength Advanced Intrusion Detection and Prevention.
  • Page 155: Basic Intrusion Detection and Blocking (IDB)

    Read on to find out how using an IDS can benefit your network’s security, or skip ahead to the Basic or Advanced Intrusion Detection section for an explanation of configuration options. The benefits of using an IDS External attackers attempting to access desktops and servers on the private network from the Internet are the largest source of intrusions.
  • Page 156 UDP services. Block sites probing TCP ports and Block sites probing UDP ports block hosts attempting to connect to these services from all access to the CyberGuard SG appliance. Connection attempts are logged under Scanning Hosts. Warning A word of caution regarding automatically blocking UDP requests. Because an attacker can easily forge the source address of these requests, a host that automatically blocks UDP probes can be tricked into restricting access from legitimate services.
  • Page 157 Trigger count before blocking specifies the number of times a host is permitted to attempt to connect to a monitored service before being blocked. This option only takes effect when one of the previous blocking options is enabled. The trigger count value should be between 0 and 2 (0 represents immediate blocking of probing hosts).
  • Page 158: Advanced Intrusion Detection and Prevention (Snort and IPS)

    The list of network ports can be freely edited; however, adding network ports used by services running on the CyberGuard SG appliance (such as telnet) may compromise the security of the device and your network. It is strongly recommended that you use the predefined lists of network ports only.
  • Page 159 Check Enabled. Select the network Interface to monitor (Snort IDS only). This is typically Internet, or possibly DMZ. Check Use less memory to restrict Snort's memory usage (Snort IPS only). This results in slower signature detection throughput, but may be necessary if the device is configured to run many services, many VPN tunnels, or both Snort IDS and IPS.
  • Page 160 Ethernet port. With these tools installed, web pages can be created that display, analyze and graph data stored in the MySQL database from the CyberGuard SG appliance running Advanced Intrusion Detection. They should be installed in the...
  • Page 161: Access Control and Content Filtering

    BASE analysis console http://secureideas.sourceforge.net/ Snort is running as an IDS sensor on the CyberGuard SG appliance, logging to the MySQL database on the analysis server. The Downloads section of the BASE website contains detailed documents that aid in installing the above tools on the analysis server.
  • Page 162 Additionally, you can set up global block/allow lists for web sites that you always want to be accessible/inaccessible (Web Lists), or force users to have a personal firewall installed (ZoneAlarm) or ensure they are not running network services that may be exploited (Policy) before accessing the Internet.
  • Page 163 The Require user authentication checkbox determines if users are asked for a username and password when attempting to access the web through the CyberGuard SG appliance. The Syslog level controls the level of debug output that is logged to the system log. The higher this is set to, the more verbose the output.
  • Page 164 Users without web proxy access see a screen similar to the figure below when attempting to access external web content. Note Each browser on the LAN now has to be set up to use the CyberGuard SG appliance’s web proxy. Firewall...
  • Page 165 Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their user documentation for details on using a web proxy. From the Internet Options menu, select Tools. From the LAN Settings tab, select LAN Settings.
  • Page 166 In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance’s LAN IP address.
  • Page 167 Web lists Access is denied to any web address (URL) that contains text added under URL Block List, e.g. entering xxx blocks access to any URL containing xxx, e.g.: http://www.xxx.com, http://xxx.example.com, www.test.com/xxx/index.html The Allow List also enables access to URLs containing the specified text. Note Defining large numbers of URL fragments to match against can result in a significant slowing down of WWW accesses.
  • Page 168 A number of Security Groups can be defined where each group contains a number of host IP addresses or IP address ranges. Each group is additionally given a number of permitted and denied services which they are allowed to offer. Each host in each group is periodically actively scanned for the services it is not allowed to offer, and if a connection to one of these services is successful, the host is blacklisted until such time as the offending service is no longer offered.
  • Page 169 Content filtering Note Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filtering licence (sold separately). See the Obtaining a content filtering licence section below. Content filtering allows you to limit the types of web based content accessed.
  • Page 170 Click View Reports. Warning The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do this is by using an NTP time server. See the Time and Date section in the chapter entitled System for details.
  • Page 171 Webwasher content filtering system has not yet rated. The default behaviour is to block all unrated sites. The CyberGuard SG appliance dynamically retrieves rating categories from the Webwasher server. As such, new categories may be added after content filtering is configured on your CyberGuard SG appliance.
  • Page 172 Unchecking Allow access to newly defined categories restricts access to the categories you did not block when configuring content filtering. Leaving Allow access to newly defined categories checked allows access to any categories added after content filtering is configured. Check Identify users by account to send user names to the Webwasher reporting service.
  • Page 173: Antivirus

    FTP. An antivirus subscription is not required and virus definitions are automatically kept up-to-date. The CyberGuard SG appliance is equipped with proxies for POP, SMTP, HTTP and FTP that facilitate the transparent scanning of files passing through it. If a virus is detected,...
  • Page 174 Check Enable. The Database mirror is the host from which the signature database is updated. Unless there is a specific host from which you want the CyberGuard SG appliance to retrieve signature updates, leave this at the default setting of database.clamav.net.
  • Page 175 Create a new user account: Note We recommend that you create a special user account to be used by the CyberGuard SG appliance for reading and writing to the network share. If you have an existing account or wish to make the network share readable and writeable by everyone, you may skip the next step.
  • Page 176 Select this account, or Everyone if you are not securing the network share with a username and password, and check Allow next to Full Control. Click OK and OK again to finish. Set the CyberGuard SG appliance to use the network share Firewall...
  • Page 177 Enter the Username and Password for a user that can read and write to the network share. If you allowed Full Control to Everyone, you may leave these blank. Local storage Note SG565 only. Attach a USB storage device to one of the CyberGuard SG appliance’s USB ports. Firewall...
  • Page 178 Under the Storage -> Local Storage tab, select the partition or device to use from the Device pull down menu, and click Submit. POP email The CyberGuard SG appliance can scan email being sent by PCs on your LAN before delivering it to the destination mail server. Note Scanning of IMAP and web-based email is not supported.
  • Page 179 If most, but not all, of your internal email clients are retrieving email from a single mail server, enter this as the Default POP server. Check Allow connections to other POP servers. If there is no single mail server from which most of your internal email clients are retrieving email, leave Default POP server blank and check Allow connections to other POP servers.
  • Page 180 Once POP3 scanning is functioning properly, you may choose to Reduce syslog output. Click Submit. SMTP email If you have an SMTP mail server on your LAN, the CyberGuard SG can scan emails sent to it by external mail servers. Check Virus check SMTP based email.
  • Page 181 Check Send keep alive bytes to requesting server to send keep alive traffic to the source SMTP server. This option is only useful on slow network connections where the source server is timing out before the CyberGuard SG appliance has finished its virus checking.
  • Page 182 Enabling this automatically enables Access Control. Check Virus check web downloads. Check Reject overly large downloads to have the CyberGuard SG appliance treat oversized downloads as potential viruses and reject them. The definition of an overly large download is specified by the Maximum size field on the main Antivirus tab.
  • Page 183 You may specify the Maximum simultaneous connections to allow. This is the total number of FTP connections allowed from your LAN. Once this number is reached, subsequent FTP connections are rejected until previous FTP connections are disconnected. More resources are consumed by virus scanning when a higher number of simultaneous FTP connections are established.
  • Page 184: Virtual Private Networking

    LAN to the branch office(s). IPSec is generally the most suitable choice in this scenario. With the CyberGuard SG appliance you can establish a VPN tunnel over the Internet using either PPTP, IPSec or L2TP. IPSec provides enterprise-grade security, and is generally used for connecting two or more networks, such as a branch office to a head office.
  • Page 185: PPTP and L2TP

    PPTP and L2TP The CyberGuard SG appliance includes a PPTP and an L2TP VPN server. These allow remote Windows clients to securely connect to the local network. PPTP or L2TP are also commonly used to secure connections from a Guest network; see the Guest Network section in the chapter entitled Network Setup.
  • Page 186 Enter the IP Addresses to give to remote hosts; this must be a free IP address, or range of free IP addresses, from the network (typically the LAN) that the remote users are assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address to Assign VPN Server pull down menu.
  • Page 187 Set up the remote PPTP client To connect remote VPN clients to the local network, you need to know the username and password for the PPTP account you added, as well as the CyberGuard SG appliance’s Internet IP address. Virtual Private Networking...
  • Page 188 If you are using Windows 95 or an older version of Windows 98 (first edition), install the Microsoft DUN update and VPN Client update, available from the Microsoft website. Your CyberGuard SG appliance’s PPTP server interoperates with the standard Windows PPTP clients in all current versions of Windows.
  • Page 189 Select Connect to a private network through the Internet and click Next. This displays the Destination Address window: Enter the CyberGuard SG appliance’s Internet IP address or fully qualified domain name and click Next. Select the Connection Availability you require on the next window and...
  • Page 190 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect. Windows XP PPTP client setup Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections. Click Create New Connection from the Network Tasks menu to the left.
  • Page 191 Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name for the VPN connection, such as your company name or simply Office. Click Next. Virtual Private Networking...
  • Page 192 If not, or you wish to manually establish your ISP connection before the VPN connection, select Do not dial the initial connection. Click Next. Enter the CyberGuard SG PPTP appliance’s Internet IP address or fully qualified domain name and click Next. Select whether you wish to make this connection available to all users and whether you wish to add a shortcut to your desktop, and click Finish.
  • Page 193: L2TP VPN Server

    Enable and configure the L2TP VPN server. Configure IPSec tunnel settings. Set up VPN user accounts on the CyberGuard SG appliance and enable the appropriate authentication security. Configure the VPN clients at the remote sites. The client does not require special software; the CyberGuard SG L2TP Server supports the standard L2TP and IPSec client software included with Windows XP.
  • Page 194 Enter the IP Addresses to give to remote hosts. This must be a free IP address, or range of free IP addresses, from the network (typically the LAN) to which the remote users are assigned while connected to the CyberGuard SG appliance. If you have configured several network connections, select the one that you want to connect remote users to from the IP Address to Assign VPN Server pull down menu.
  • Page 195 Users page. Note See the Users section of the chapter entitled System for details on adding user accounts for PPTP access, and configuring the CyberGuard SG appliance to enable authentication against a RADIUS or TACACS+ server. Click Submit. Add an IPSec tunnel Select L2TP VPN Server from the VPN section of the main menu and click the L2TP IPSec Configuration tab.
  • Page 196 Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management in the IPSec section later in this chapter).
  • Page 197 Distinguished name fields are listed Note Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management in the IPSec section later in this chapter).
  • Page 198 Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Choose a Connection Name for the VPN connection, such as your company name or simply Office. Click Next. Virtual Private Networking...
  • Page 199 If not, or you wish to manually establish your ISP connection before the VPN connection, select Do not dial the initial connection. Click Next. Enter the CyberGuard SG PPTP appliance’s Internet IP address or fully qualified domain name and click Next. Select whether you wish to make this connection available to all users and whether you wish to add a shortcut to your desktop, and click Finish.
  • Page 200: PPTP and L2TP VPN Client

    Connect. PPTP and L2TP VPN Client The PPTP and L2TP client enables the CyberGuard SG appliance to establish a VPN to a remote network running a PPTP or L2TP server (usually a Microsoft Windows server). Although the VPN protocols are different, configuration of client tunnels is exactly the same.
  • Page 201 Check NAT to masquerade your local network behind the IP address on the remote network that the remote PPTP or L2TP server allocates the CyberGuard SG appliance. Check Make VPN the default route (single VPN only) if you have a single VPN and want traffic from your local network to be routed through the tunnel instead of straight out onto the Internet.
  • Page 202: IPSec

    You can then disconnect from the Internet if you wish. IPSec CyberGuard SG appliance to CyberGuard SG appliance There are many possible configurations in creating an IPSec tunnel. The most common and simplest is described in this section. Additional options are also explained throughout this example, should it become necessary to configure the tunnel with those settings.
  • Page 203: Set Up the Branch Office

    To combine the Headquarters and Branch Office networks together, an IPSec tunnel must be configured on both CyberGuard SG appliances. Set Up the Branch Office Enable IPSec Select IPSec from the VPN section of the main menu. A page similar to the following is displayed.
  • Page 204 Select the interface the IPSec tunnel is to go out on. The options depend on what is currently configured on the CyberGuard SG appliance. For the vast majority of setups, this is the default gateway interface to the Internet. In this example, select the default gateway interface option.
  • Page 205 Internet interfaces, and require the IPSec tunnel to run on an interface other than the default gateway. Select the type of keying for the tunnel to use. The CyberGuard SG appliance supports the following types of keying: Main Mode automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel.
  • Page 206 Select the type of IPSec endpoint this CyberGuard SG appliance has on the interface on which the tunnel is going out. The CyberGuard SG appliance can either have a static IP, dynamic IP or DNS hostname address. If a dynamic DNS service is to be used or there is a DNS hostname that resolves to the IP address of the port, then the DNS hostname address option should be selected.
  • Page 207 Leave the Initiate the tunnel from this end checkbox checked. Note This option is not available when the CyberGuard SG appliance has a static IP address and the remote party has a dynamic IP address. Enter the Required Endpoint ID of the CyberGuard SG appliance. This ID is used to authenticate the CyberGuard SG appliance to the remote party.
  • Page 208 It becomes optional if the CyberGuard SG appliance has a static IP address and is using Preshared Secrets for authentication. If it is optional and the field is left blank, the Endpoint ID defaults to the static IP address. Note If the remote party is a CyberGuard SG appliance, the ID must have the form abcd@efgh.
  • Page 209 Block-Chaining mode with authentication provided by HMAC and SHA1 (96-bit authenticator). It uses a 56-bit DES encryption key and a 160-bit HMAC-SHA1 authentication key. Local Network is the network behind the local CyberGuard SG appliance. This field appears when Manual Keying has been selected. Virtual Private Networking...
  • Page 210 It is optional in this example, because the remote party has a static IP address. If the remote party is a CyberGuard SG appliance, it must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG Knowledge Base (http://www.cyberguard.com/snapgear/knowledgebase.html) to determine what form it...
  • Page 211 This field appears when x.509 Certificates has been selected. RSA Key Length pull down menu allows the length of the CyberGuard SG appliance generated RSA public/private key pair to be specified. The options include 512, 1024, 1536 and 2048 bits.
  • Page 212 The hex part must be exactly 32 characters long when using MD5 or 40 characters long when using SHA1 (excluding any underscore characters). It must use the same hash as the CyberGuard SG appliance's authentication key. This field appears when Manual Keying has been selected.
  • Page 213 MD5 and SHA, and the supported Diffie Hellman groups are 1 (768 bit), 2 (1024 bit) and 5 (1536 bit). The CyberGuard SG appliance also supports extensions to the Diffie Hellman groups to include 2048, 3072 and 4096 bit Oakley groups.
  • Page 214 Local Certificate pull down menu contains a list of the local certificates that have been uploaded for x.509 authentication. Select the required certificate to be used to negotiate the tunnel. This field appears when x.509 Certificates has been selected. Phase 2 settings page Specify the Local Networks and Remote Networks to link together with the IPSec tunnel.
  • Page 215: Configuring the Headquarters

    Click the IPSec link on the left side of the web management console. Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet interface. In this example, select static IP address.
  • Page 216 Leave the Optional Endpoint ID field blank in this example. It is optional because this CyberGuard SG appliance has a static IP address. If the remote party is a CyberGuard SG appliance and an Endpoint ID is used, it must have the form abcd@efgh. If the...
  • Page 217 100%. Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Secret used at the branch office CyberGuard SG appliance, which was: This secret must be kept confidential Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option (same as the Branch Office Phase 1 Proposal).
  • Page 218: Tunnel List

    Tunnel List Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection field is shown. Note You may modify, delete or disable/enable a tunnel by clicking on the corresponding Edit, Delete or Enable/Disable icon. Remote party The Remote Party which the tunnel is configured to connect to is defined either by its Endpoint ID, IP Address or Distinguished Name.
  • Page 219 For tunnels that use Automatic Keying, further negotiation details can be seen by clicking on the status. A window similar to the following is displayed. Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec is using. Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations.
  • Page 220 Phase 1 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 1 negotiations. This includes MD5 and SHA. Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations. Connection Details lists an overview of the tunnel's configuration.
  • Page 221: NAT Traversal Support

    IPSec endpoints having dynamic IP addresses. The two endpoints must, however, be CyberGuard SG appliances and at least one end must have dynamic DNS enabled. The CyberGuard SG appliance supports a number of dynamic DNS providers. When configuring the tunnel, select the DNS hostname address type for the IPSec endpoint that has dynamic DNS enabled, and enable Dead Peer Detection.
  • Page 222 (Start -> Run -> type cmd) or Linux shell prompt. A Windows version of OpenSSL is provided in the openssl directory of the CyberGuard SG CD. Ensure that this directory is in your execution path, or copy all files from this directory into a working directory on your hard drive.
  • Page 223 CRL is a list of certificates that have been revoked by the CA before they have expired. This may be necessary if the private key certificate has been compromised or if the holder of the certificate is to be denied the ability to establish a tunnel to the CyberGuard SG appliance.
  • Page 224 Enter a PEM pass phrase (this is the same pass phrase required when you upload the key to the CyberGuard SG appliance) and then the certificate details. All but the Common Name are optional and may be omitted. Second, sign the certificate request with the CA: openssl ca -config openssl.cnf -out cert1.pem -notext -infiles...
  • Page 225 Select Automatically select the certificate store based on the type of certificate. Add certificates To add certificates to the CyberGuard SG appliance, select IPSec from the VPN section of the main menu and then click the Certificate Lists tab at the top of the window. Any previously uploaded certificates are displayed, and may be removed by clicking the corresponding Delete icon.
  • Page 226: IPSec Troubleshooting

    CyberGuard SG appliance. IPSec Troubleshooting Symptom: IPSec is not running and is enabled. Possible Cause: The CyberGuard SG appliance has not been assigned a default gateway. Solution: Ensure the CyberGuard SG appliance has a default gateway by configuring the Internet connection on the Connect to Internet page or assigning a default gateway on the IP Configuration page.
  • Page 227 The remote party has disabled IPSec. The remote party has disabled the tunnel. The tunnel on the CyberGuard SG appliance has been configured not to rekey the tunnel. The remote party is not rekeying correctly with the CyberGuard SG appliance.
  • Page 228 Solution: Enable Dead Peer Detection support for the tunnel. Do not use Dead Peer Detection if the remote party does not support draft-ietf-ipsec-dpd-00.txt. Symptom: Tunnels using x.509 certificate authentication do not work. Possible Cause: The date and time settings on the CyberGuard SG appliance have not been configured correctly. The certificates have expired.
  • Page 229: Port Tunnels

    If you cannot ping the Internet IP address of the remote party, either the remote party is not online or your computer does not have its default gateway as the CyberGuard SG appliance. If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP address or its default gateway has not been configured properly.
  • Page 230 SSL Tunnels are port tunnels that send data using an encrypted SSL pipe. In order to use an SSL tunnel, you must first install an SSL certificate using the Upload SSL Certificates page or the Create SSL Certificates page; see the Upload SSL certificates and Create SSL certificates sections of the chapter entitled Firewall.
  • Page 231 You may specify the Protocol to use when negotiating the SSL connection. Leave this set to Raw when incoming connections are from a tunnel client. Setting Protocol to another value allows the tunnel server to accept connections directly from an SSL client other than a tunnel client, e.g.
  • Page 232 If the HTTP proxy is a buffering proxy, then enter the Proxy Buffer Size. Otherwise set this field to 0. You may also specify the timeout before sending padding to fill up the buffer size in Proxy Padding Timeout. The following field is displayed for SSL Tunnel Server only: You may specify the Protocol to use when negotiating the SSL connection.
  • Page 233: USB

    USB mass storage devices can be attached to the CyberGuard SG appliance for use as a print spool or to share with your Windows network as a network attached storage device (NAS). A typical use for NAS is for using the CyberGuard SG appliance as a network file server.
  • Page 234 This section describes how to set up the CyberGuard SG appliance for network attached storage. For information on using a USB mass storage device as a print spool, refer to the USB Printers section. Share the storage device Select Shares from the Networking section of the main menu. Click the Storage tab.
  • Page 235 Browsable: Display an icon for the network when browsing the network from a Windows PC. To access the network share when this is unchecked, the user must manually enter the address in the address bar (e.g. \\SG565\public\). Writable: The network share is writable, i.e. users can modify and create new files. Public: A login and password is not required to access the network share.
  • Page 236 Join a Windows workgroup The next step is to configure your CyberGuard SG appliance to join your Windows workgroup or domain. Select Network Setup from the Networking menu. Click the Advanced tab. Under the Unit Workgroup heading, enter the name of your Windows workgroup or domain and click Apply.
  • Page 237 In this case, the device name is sda. If there is a single USB mass storage device attached, it is typically assigned sda; otherwise it may be sdb, sdc, etc. telnet or ssh to the CyberGuard SG appliance and log in. Run the fdisk command with the argument /dev/<device name>, e.g.
  • Page 238 Create a new partition by typing n, then p for primary, then the partition number. Note The CyberGuard SG appliance supports primary partitions only, so you are limited to four partitions. Enter the cylinder for the partition to start on; generally the default is fine. Enter the cylinder for the partition to end on, or a size for the partition with +(size in MB)M.
  • Page 239 Last cylinder or +size or +sizeM or +sizeK (1-1024, default 1024): +64M Repeat the process for each partition you want to create. For the last partition, the default last cylinder is generally fine. Command (m for help): n Command action extended primary partition (1-4) Partition number (1-4): 2...
  • Page 240: USB Printers

    CyberGuard SG appliance and log in. For each partition, run the appropriate mkfs command. To create FAT32 on our two example partitions, we use: mkfs.vfat -F 32 /dev/sda1 then mkfs.vfat -F 32 /dev/sda2 From the web management console, select Advanced from the System menu, and click Reboot.
  • Page 241 When a Windows PC sends a document or image to the printer attached to the CyberGuard SG appliance, it first converts it into a format that the printer can read. The resulting file that the CyberGuard SG appliance has to store in memory can be many times larger than the size of the original document or image.
  • Page 242 Otherwise, attach the USB mass storage device and select the device or device partition on which to store the print spool from the Spool pull down menu under the Printing tab. Note You may simultaneously use a USB mass storage device or device partition as a print spool and a Network Attached Storage device.
  • Page 243 Select A network printer, or a printer attached to another computer and click Next. Select Browse for a printer and click Next. Locate the CyberGuard SG appliance by expanding your Windows workgroup and locating the CyberGuard SG by its hostname. The hostname is set on the CyberGuard SG appliance under Network Setup Advanced Unit Hostname.
  • Page 244 You may receive a warning about the CyberGuard SG appliance automatically installing print drivers on your PC. Ignore it; the CyberGuard SG does not install print drivers automatically. If a dialog is displayed to inform you that no appropriate print driver could be found on the CyberGuard SG appliance, click OK.
  • Page 245 Locate the .inf file for your printer and click Open then OK. Select your printer model and click OK. If your printer model is not listed, click Have Disk and Browse again. Drivers for several different printers and different operating systems are often distributed together by the manufacturer, so there may be several different .inf files.
  • Page 246: Printer Troubleshooting

    Note This information is generally not relevant for Windows network environments. Once the print server has been set up, the CyberGuard SG appliance also listens on the standard LPR / LPD network port (TCP 515) for incoming print jobs. Set up your LPR client to print to a remote LPD queue as specified by your operating system’s documentation.
  • Page 247: USB Network Devices and Modems

    Download the latest drivers from the manufacturer’s web site. Consult the CyberGuard SG Knowledge Base which may contain specific information on getting your printer to interoperate with the CyberGuard SG appliance. The Knowledge Base is online at: http://www.cyberguard.com/snapgear/knowledgebase.html Search the web for other people’s experiences using this printer with other print...
  • Page 248: System

    System Date and Time We recommend setting the CyberGuard SG appliance’s clock to the correct date and time, otherwise system log message time stamps do not match the time of the event. If you are using certificates for SSL or IPSec, it is especially important that you set the date and time correctly, as all certificates include an expiry date after which they do not function.
  • Page 249: Backup/Restore Configuration

    A copy of your current configuration can also be stored on the CyberGuard SG appliance itself. This is useful for storing multiple configuration profiles, or as a quick snapshot of the “known good”...
  • Page 250 After configuring your CyberGuard SG appliance it is strongly recommended that you remotely back up your configuration to an encrypted file. Note It is good practice to perform remote configuration backups regularly. Locally stored configurations are erased by factory resets, and become unretrievable should the CyberGuard SG appliance become uncontactable.
  • Page 251 Note Each configuration snapshot stores a single configuration only; existing configuration snapshots on the CyberGuard SG appliance are not saved inside any subsequent snapshots. Restore a locally backed up configuration by clicking its corresponding Restore icon in Restore or Delete Configuration.
  • Page 252: Users

    (see the Access Control section in the chapter entitled Firewall). Administrative users Administrative user accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust.
  • Page 253 The Encrypted save / restore all control provides the user with the ability to save and restore the configuration of the CyberGuard unit via the Save/Restore page (see the Save/Restore section earlier in this chapter). This access control may be given to a technician whom you want to be able to restore the unit to a known good configuration but to whom you do not wish to grant full administration rights.
  • Page 254 Warning A user with Encrypted save / restore all access can conceivably create an encrypted config file with an arbitrary root password that they can restore, thus granting them Administration privileges. Therefore, grant Encrypted save / restore all only to users that you trust with Administration access. The Change Password control provides the user with the ability to change their password.
  • Page 255 Click Finish to apply your changes. RADIUS The CyberGuard SG appliance may be configured to access a central repository of users and passwords on a RADIUS server to authenticate dial-in, PPTP VPN server and L2TP VPN server connections. Enter the RADIUS Server address from which to obtain client authentication information.
  • Page 256: Management

    TACACS+ The CyberGuard SG appliance may be configured to access a central repository of users and passwords on a TACACS+ server to authenticate dial-in, PPTP VPN server and L2TP VPN server connections. Enter the TACACS+ Server address from which to obtain client authentication information.
  • Page 257 If you have a secondary Global Command Center server, enter its name in Secondary Host Name so the CyberGuard SG appliance’s firewall can be updated appropriately. Enter the IP address of the secondary Global Command Center server in Secondary IP Address if applicable.
  • Page 258 In IP Address of CMS, enter the IP address of the host on which CyberGuard CMS is running. Specify the shared Authentication Key with which to authenticate this device against the CMS. This must be the same as the snmp_community configuration setting for CMS.
  • Page 259: Diagnostics

    Enter the name of a community that is allowed read-only access in Read-Only Community. You may optionally include an IP address or network to restrict who is allowed access. You may optionally include an OID to restrict the fields that are accessible.
  • Page 260: Advanced

    Advanced The following options are intended for network administrators and advanced users only. Warning Altering the advanced configuration settings may render your CyberGuard SG appliance inoperable. System log The system log contains debugging information that may be useful in determining whether all services for your CyberGuard SG appliance are operating correctly.
  • Page 261 Appendix B contains details on interpreting log output and configuring advanced log rules. Local syslog By default all messages are recorded in the System Log. Filter Level allows you to control which classes of messages are recorded in the system log. Every message recorded in the System Log includes a basic time stamp.
  • Page 262 You may also Include extended ISO date, which is prepended to syslog messages before being sent. Click Submit to save your changes. Email delivery Syslog log messages may be sent to an email account. This allows you to keep system log messages persistently.
  • Page 263: Reboot and Reset

    Reset button Another method to clear the CyberGuard SG appliance’s stored configuration information is by pushing the reset button on the back panel of the CyberGuard SG appliance twice. A bent paper clip is a suitable tool for performing this procedure.
  • Page 264: Flash Upgrade

    Pushing the reset button twice clears all stored configuration information, reverts all settings to the factory defaults, and reboots the CyberGuard SG appliance. Note When the CyberGuard SG appliance reboots, it has an IP address of 192.168.0.1, netmask 255.255.255.0. Disabling the reset button on your CyberGuard SG PCI appliance For convenience, the CyberGuard SG appliance ships with the rear panel Reset button enabled.
  • Page 265 During the upgrade, the front panel LEDs on the CyberGuard SG appliance flash in an in-and-out pattern. The CyberGuard SG appliance retains its configuration information with the new firmware. Warning If the flash upgrade is interrupted (e.g. power down), the CyberGuard SG appliance stops functioning and becomes unusable until its flash is reprogrammed at the factory or a recovery boot is performed.
  • Page 266: Configuration Files

    Place this file in the directory your TFTP server is serving files from, usually: /tftpboot/ Establish a telnet or ssh connection to the CyberGuard SG appliance. Log in and run the command: flash image <TFTP server address> <image.sgu>...
  • Page 267: Support

    Click Browse to locate the file on your local PC that you want to upload. You may upload it to an alternative file name on the CyberGuard SG appliance by specifying a Destination File Name. Click Submit to begin the upload.
  • Page 268 Note If you experience a fault with your CyberGuard SG appliance and have to contact the CyberGuard SG technical support team, ensure you include the Technical Support Report with your support request. The Technical Support Report should be generated when the issue is occurring on each of the appliances involved, and attached in plain text format.
  • Page 269: Appendix A - Terminology

    Main mode. Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect or if the CyberGuard SG appliance or the remote party is behind a NAT device.
  • Page 270 Dead Peer Detection: The method of detecting if the remote party has a stale set of keys and if the tunnel requires rekeying. To interoperate with the CyberGuard SG appliance, it must conform to the draft draft-ietf-ipsec-dpd-00.txt. DHCP: Dynamic Host Configuration Protocol. A communications protocol that assigns IP addresses to computers when they are connected to the network.
  • Page 271 A method for detecting that the main Internet connection (usually a broadband connection) has failed and the CyberGuard SG appliance cannot communicate with the Internet. If this occurs, the CyberGuard SG appliance automatically moves to a lower speed, secondary Internet connection.
  • Page 272 Certificate & Passphrase: The private part of the public/private key pair of the certificate resides on the CyberGuard SG appliance. The passphrase is a key that can be used to lock and unlock the information in the private key certificate.
  • Page 273 Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT. Net mask The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.
  • Page 274 "intelligent" and can route packets to their final destination. RSA Digital Signatures: A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the two parties in order to configure the tunnel.
  • Page 275 Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded into the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management).
  • Page 276: Appendix B - System Log

    Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG appliance. The only logging that is enabled by default is to take note of packets that were dropped.
  • Page 277 Commonly used interfaces are: eth0 (the LAN port), eth1 (the WAN/Internet port), pppX (e.g. ppp0 or ppp1, a PPP session) and ipsecX (e.g. ipsec0, an IPSec interface). The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar.
  • Page 278: Creating Custom Log Rules

    TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 That is, a packet arriving from the WAN (IN=eth1) and bound for the CyberGuard SG appliance itself (OUT=<nothing>) from IP address 140.103.74.181 (SRC=140.103.74.181), attempting to go to port 139 (DPT=139, Windows file sharing) was dropped.
  • Page 279 For example, to log all inbound access requests from anywhere on the Internet (0.0.0.0/0) to the PPTP service (port 1723) on the CyberGuard SG appliance (IP address 1.2.3.4): iptables -I INPUT -j LOG -p tcp --syn -s 0.0.0.0/0 -d 1.2.3.4 --dport 1723 --log-prefix "Internet PPTP access: "...
  • Page 280 iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This results in log output similar to: <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 Note how the OUT value has now changed to show which interface the access attempt...
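The klogd lines quoted above follow a fixed layout (optional syslog priority, timestamp, "klogd:", the --log-prefix string if one was set, then IN=/OUT=/SRC=/DST=/... fields with bare flags such as DF and SYN), so they can be parsed mechanically and sorted by the chain that produced them: IN set with OUT empty means the packet was addressed to the appliance itself (INPUT), both set means it was traversing the appliance (FORWARD). The parser below is an added example and is not code from the manual or the CyberGuard SG firmware; the "Mail for flubber" sample line is the one the manual prints, while the other two sample lines are constructed in the same shape, with reconstructed timestamps and a documentation address as the source.

```python
"""Parse netfilter LOG lines of the kind Appendix B shows in the system log.

Added example, not part of the CyberGuard SG manual or firmware. Assumes the
line layout quoted in Appendix B: optional "<pri>", a timestamp, "klogd:",
an optional --log-prefix string, then key=value fields and bare flags.
"""
import re
from collections import Counter

# Constructed sample input. Line 2 is the manual's own "Mail for flubber"
# example; lines 1 and 3 are built in the same shape (the page cuts off their
# start), with reconstructed timestamps and a documentation-range source address.
SAMPLE_LOG = """\
<12> Jan 24 18:15:02 2000 klogd: IN=eth1 OUT= SRC=140.103.74.181 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
<12> Jan 24 18:20:41 2000 klogd: Internet PPTP access: IN=eth1 OUT= SRC=203.0.113.9 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10234 DF PROTO=TCP SPT=33012 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>\s*)?"                                   # optional syslog priority
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "  # e.g. "Jan 24 18:17:19 2000"
    r"klogd: "
    r"(?P<prefix>.*?)"                                           # whatever --log-prefix set; may be empty
    r"(?P<fields>IN=.*)$"                                        # the netfilter field list always starts at IN=
)


def classify(fields):
    """Map IN/OUT to the chain that produced the entry, as Appendix B explains.

    IN set, OUT empty   -> addressed to the appliance itself (INPUT chain)
    IN and OUT both set -> traversing the appliance (FORWARD chain)
    IN empty, OUT set   -> originated by the appliance (OUTPUT chain)
    """
    inbound, outbound = fields.get("IN", ""), fields.get("OUT", "")
    if inbound and not outbound:
        return "input"
    if inbound and outbound:
        return "forward"
    if outbound and not inbound:
        return "output"
    return "unknown"


def parse_line(line):
    """Return a record dict for one LOG line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value   # "OUT=" yields "", and that empty value is meaningful
        else:
            flags.add(token)      # DF, SYN, ACK, ... carry no value
    return {
        "priority": int(m.group("pri")) if m.group("pri") else None,
        "timestamp": m.group("ts"),
        "prefix": m.group("prefix").rstrip().rstrip(":"),
        "fields": fields,
        "flags": flags,
        "direction": classify(fields),
    }


def parse_log(text):
    """Parse every LOG line in a block of syslog text, skipping unrelated lines."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def service_summary(records):
    """Count entries per (direction, protocol, destination port): which services are being probed."""
    return Counter(
        (r["direction"], r["fields"].get("PROTO"), r["fields"].get("DPT")) for r in records
    )


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        f = r["fields"]
        print(f'{r["timestamp"]} {r["direction"]:7} {f["SRC"]} -> {f["DST"]}:{f.get("DPT")} prefix={r["prefix"]!r}')
    for key, count in service_summary(records).items():
        print(key, count)
```

The direction field is what makes the log prefix optional: even when a rule was added without --log-prefix, the IN/OUT pair still tells you whether the entry came from the INPUT or FORWARD chain, which is the first thing to check when deciding whether a dropped packet was aimed at the appliance or at a host behind it.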
  • Page 281: Rate Limiting

    If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+ Clearly there are many more combinations possible. It is therefore possible to write rules that log inbound and outbound traffic, or to construct several rules that differentiate between the two.
  • Page 282: Administrative Access Logging

    10.0.0.2 Once again, showing the same information as a web login attempt. Boot Log Messages The CyberGuard SG appliance’s startup boot time messages are identified by log messages similar to the following: klogd: Linux version 2.4.20-uc0 (jamma@daniel) (gcc version 3.0.4) #4 Mon Feb 3 15:17:50 EST 2003...
  • Page 283: Appendix C - Firmware Upgrade Practices and Precautions

    CyberGuard SG appliance reconfigured from scratch. Note CyberGuard SG firmware revision numbers have the form a.b.c, where a is the major revision number, b is the minor revision number, and c is the patch revision number. An upgrade where the major revision number is incremented is considered a major upgrade, e.g.
  • Page 284 If you encounter any problems, reset the device to its factory default settings and reconfigure. You may wish to use your backed up old configuration as a guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to, e.g. at a remote or client's site, we strongly recommend that following the upgrade, you reset the device to its factory default configuration and reconfigure as a matter of course.
  • Page 285: Appendix D - Recovering From A Failed Upgrade

    CyberGuard SG unit has been written incorrectly or incompletely, or in rare cases it may have become corrupted. In this situation, a recovery boot reprograms the CyberGuard SG to bring it back to a usable state. This can be done using the Netflash executable if you are running Windows, otherwise you have to set up a BOOTP (DHCP) server.
  • Page 286 Reset/Erase button twice within 2 seconds to restore factory default configuration, power off the unit and restart the recovery procedure from the beginning. If prompted, select your CyberGuard SG unit from the list displayed. Enter your CyberGuard SG unit's password and click OK.
  • Page 287 Note It takes a few minutes for your CyberGuard SG to finish reprogramming. After it has finished it reboots automatically with its old configuration intact. If it is uncontactable after rebooting, hit the Reset/Erase button twice within 2 seconds to restore factory default configuration, then follow the instructions in the chapter entitled Getting Started to begin reconfiguration of your unit.
  • Page 288 (Re)start the BOOTP server. Attach the CyberGuard SG unit's LAN port or switch directly to your PC using a crossover cable. Note If you are using an older LITE(2)/LITE(2)+, you may have to attach the unit's WAN port directly to your PC using a crossover cable for the first stage of the recovery procedure. Accordingly, your BOOTP server requires an entry specifying the CyberGuard SG unit’s...

This manual is also suitable for: SG530, SG550, SG565, SG570, SG575, SG580.