finjan Vital Security NG-8000 Setup And Configuration Manual

NG-8000
NG-6000
NG-5000
Setup and Configuration Guide
Software Release 9.0

Summary of Contents for finjan Vital Security NG-8000

  • Page 1 NG-8000 NG-6000 NG-5000 Setup and Configuration Guide Software Release 9.0...
  • Page 2 © Copyright 1996 - 2008. Finjan Software Inc. and its affiliates and subsidiaries (“Finjan”). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan.
  • Page 3: Table Of Contents

    2. Finjan Appliances
  • Page 4 config_network, config_time.
  • Page 5 vmstat, w.
  • Page 6 Management Access List, Management Console Password.
  • Page 7: Introduction

    Vital Security - Finjan’s Integrated Security Platform - is a complete and integrated Secure Content Management solution in which individual best-of-breed security applications work together in concert to respond proactively to the changing security threats of both today and tomorrow.
  • Page 8: About This Manual

    2 About This Manual
    Chapter 1: Finjan Overview - An introduction to Finjan's Vital Security.
    Chapter 2: Finjan Appliances - An introduction to Finjan's Vital Security Appliances, including a brief description of the Vital Security Appliances NG-8000/NG-6000/NG-5000.
  • Page 9: Finjan Appliances

    The Vital Security Appliance NG-8000 is supplied as one or more separate blades. You can assign system roles according to your requirements using each blade as a separate server, or activate more than one service on a single blade. Chapter 2 - Finjan Appliances...
  • Page 10: NG-8000 Front Panel

    Figure 2-1: NG-8000 Superformance Appliance NG-8000 Front Panel Figure 2-2: NG-8000 Front Panel...
  • Page 11 An LED on one of the components or on a blade server is also lit to further isolate the problem. USB Connector DVD Drive Floppy Disk Drive...
  • Page 12: NG-8000 Rear Panel

    DC Power LED - When this LED is lit, the DC output from the power module to the other components and blade servers is present and within specifications. During typical operation this LED is lit...
  • Page 13: NG-8000 Hardware Specifications

    Xeon D 2 x 2.0GHz Gigabit Ethernet NIC Rack Space (7U) 444 x 711.2 x 304.2 mm (WxDxH) 17.5 x 28 x 12 inches (WxDxH) Heat Output (max) Four 2000W power supplies 11111BTU (3256 W)...
  • Page 14 BladeCenter unit off: -40° to 60°C (-40° to 140°F) Humidity: Server on/off 8 % to Weight Fully configured with modules and blades: approx 108.86 kg (240 lb) Fully configured without blades: approx 44.91 kg (99lb)...
  • Page 15: Vital Security Appliance Series NG-6000

    The different services running on each appliance can be configured according to your organization's network requirements. Figure 2-4: NG-6000 Superformance Appliance NG-6000 Front Panel 1 2 3 4 5 6 Figure 2-5: NG-6000 Front Panel...
  • Page 16 - When the LED is lit it indicates that a system error has occurred. An LED on the light path diagnostics panel is also lit to help isolate the error. Release latch USB Connector USB Connector Serial Connector...
  • Page 17: NG-6000 Rear Panel

    This connector is active only if you have installed a Remote Supervisor Adapter II SlimLine - not supplied by Finjan (and is used only by this). Serial Connector...
  • Page 18 - When this LED is lit, it indicates that there is an active link connection on the 10BASE-T, 100BASE-TX or 1000BASE-TX interface for the Ethernet port. USB 3 Connector USB 4 Connector Ethernet Connector (GE3) Ethernet Connector (GE2)...
  • Page 19: NG-6000 Hardware Specifications

    (-40° to 140°F) Humidity: Server on/off 8 % to 80%, Shipment 5% to 100% Weight 30kg Heat Output (max) Minimum configuration - 1230 BTU per hour (360 watts) Maximum configuration - 3390 BTU per hour (835 watts)...
  • Page 20: Vital Security Appliance Series NG-5000

    The different services running on each appliance can be configured according to your organization's network requirements. Figure 2-7: NG-5000 Superformance Appliance NG-5000 Front Panel Figure 2-8: NG-5000 Front Panel The following table describes the NG-5000 Front Panel: Description LCD Display Menu Display Buttons (up/down)...
  • Page 21: NG-5000 Rear Panel

    - Not in use - Not in use Serial Connector RS232 Connector USB Connectors NG-5000 Rear Panel Figure 2-9: NG-5000 Rear Panel The following table describes the NG-5000 Rear Panel: Description Power Connector On / Off Switch...
  • Page 22: NG-5000 Hardware Specifications

    CPU, power off the appliance or restore the default IP address of interface GE3. This will restore the IP address of interface GE3 to 10.0.3.1 with subnet mask 255.255.255.0. NOTE: For information on older appliances not listed here, please contact Finjan Support.
  • Page 23: Configuring The Vital Security Appliance

    Chapter: Configuring the Vital Security Appliance. This section contains the following topics: Management Console System Requirements; Connecting your Vital Security Appliance (NG-5000/6000/8000); Limited Shell Configuration Commands; Update Mechanism; Routing Traffic through the Appliance; Working with HTTP; Working with ICAP. 1 Management Console System Requirements Operating Systems...
  • Page 24: Connecting Your Vital Security Appliance (NG-5000/6000/8000)

    Terminal application (such as Microsoft Hyper Terminal) - for accessing the serial console (as well as serial cable) 2 Connecting your Vital Security Appliance (NG-5000/6000/8000) This section includes the following: Limited Shell Connection Procedure...
  • Page 25: Using A Serial Cable

    Continue with Initial Setup of your Vital Security Appliance using Limited Shell. NOTE: For more information on setting up the NG-8000, please contact your Finjan representative. 2.1.2 Using a Serial Cable To connect to the Limited Shell using a serial cable (for NG-5000/NG-6000): Connect the PC to the appliance’s Serial Console, using the serial cable.
  • Page 26: Initial Setup Of Your Vital Security Appliance Using Limited Shell

    SSH access is enabled by default. No other user can log in directly to the system. Privileged access (root level) is achieved only after logging in as Super Administrator from the Limited Shell (this is for Finjan support purposes only).
  • Page 27: Initial Setup

    Active appliance roles that work according to the Ethernet interface and IP that you have selected. A new password of your choice for the initial setup Web interface admin user (the password cannot be finjan or an empty string). 2.2.2 Running the Setup To run the Setup:...
  • Page 28 Enter the setup command. The current configuration is then displayed. NOTE: During each step of the Setup, the Current Configuration settings are updated accordingly.
  • Page 29 Figure 3-5: Set Time Zone The current timezone is displayed. To change this timezone, select y, else select N. The following is displayed: Figure 3-6: Set Time/Date The current date and time is displayed.
  • Page 30 Figure 3-7: Set Interface Select the network interface to be used as the Policy/Scanning Server (1-5) for this appliance.
  • Page 31 IMPORTANT: If you want to change the network interface auto negotiation settings for the NG-5000/NG-6000, you must do so using the ethconf command.
  • Page 32 Figure 3-9: Set Default Gateway Enter the Default Gateway IP address and press Enter. The following is displayed: Figure 3-10: Set Hostname Enter the new hostname or press Enter to accept the current settings.
  • Page 33 Figure 3-11: Set DNS Server Enter the IP address for the DNS Server or press Enter to accept the current DNS configuration settings.
  • Page 34 Enter the DNS domain names separated by a space or else just press Enter to accept the current settings.
  • Page 35 restore your PC's original TCP/IP settings at this point. If you connected your PC directly to the appliance's GE0 port, you can now plug the appliance and your PC into the corporate network.
  • Page 36: Limited Shell Commands

    3 Limited Shell commands After using the Initial Setup to configure the appliance, the Limited Shell can be used to manage the functionality of the appliance, as well as monitoring it closely.
  • Page 37 Command Description access_list Enables/disables access list Displays arp table change_password Change password config Network or service configuration. Double tab to view the config_network, config_time and config_psweb commands.
  • Page 38 For more information on configuring the system, refer to Limited Shell Configuration Commands. For further in-depth analysis and diagnostics of the system, refer to Limited Shell Monitoring Commands. Chapter 3 - Configuring the Vital Security Appliance...
  • Page 39: Limited Shell Configuration Commands

    (such as HTTP, FTP, ICAP) or System ports (internal ports). Any IP address not defined in the IP range will then be blocked from accessing these applications on the ports defined by Finjan. The access_list command is used to enable or disable the Access List and is useful for situations when due to a mistaken configuration, or other circumstances, you cannot access the Management Console, and want to disable the Access List feature.
  • Page 40: config

    config The config command enables network, service and Policy Server configuration. Press the tab button twice to display the config_network, config_time and config_psweb commands.
  • Page 41 Figure 3-21: config_network menu View: This command allows you to view the current network configuration: The IP address assigned to each interface, the current DNS configuration and the current hostname configuration.
  • Page 42 Interface: Allows system administrators to modify interface related parameters such as: Add, Remove or Change an IP address from a physical interface; Add, Remove or Change routing information;...
  • Page 43 DNS settings which allows the appliance to complete the domain name (according to the configured value) in case the host name is not completed. For example, if the search is on http://mize and the search domain is finjan.com, the appliance will try to resolve to http://mize.finjan.com.
  • Page 44 Figure 3-27: config_network - DNS The current DNS configuration is displayed. Select an action, for example, 1 (change search).
  • Page 45: config_time

    Figure 3-30: config_network - hosts 4.3.2 config_time The config_time command allows system administrators to set the system date and time, the timezone and also the NTP Server.
  • Page 46: disable

    Figure 3-32: config_psweb disable The disable command disables the service. The disable command includes the disable_service_snmp and disable_service_ssh commands.
  • Page 47: enable_service_snmpd

    enable_service_snmp and enable_service_ssh commands. Figure 3-36: enable 4.5.1 enable_service_snmpd The enable_service_snmpd command enables the snmpd network service. Enter the enable_service_snmpd command.
  • Page 48: flush_dnscache

    Figure 3-39: ethconf - interface selection The settings for the selected interface are displayed. Figure 3-40: ethconf - adapter configuration Choose configuration for the adapter and confirm to make the settings permanent.
  • Page 49: reset_config

    reset_config This command will rebuild the device configuration in extreme situations where the device, for whatever reason, was disconnected for a period of time.
  • Page 50: ip2name

    Figure 3-44: ifconfig ip2name The ip2name command looks up the hostname associated with an IP address entered by the administrator.
  • Page 51: iptraf

    iptraf The iptraf command is a Linux network statistics utility. It gathers a variety of parameters such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
  • Page 52: last

    Figure 3-47: ip traffic monitor last The last command displays a list of the previous administrators who logged on to the Limited Shell - including those still logged on.
  • Page 53: netstat

    Figure 3-49: name2ip netstat The netstat command is a useful tool for checking your network configuration and activity. It displays the status of network connections on either TCP, UDP, RAW or UNIX sockets to the system.
  • Page 54: poweroff

    Figure 3-51: ping 5.10 poweroff The poweroff command enables you to remotely shut down the appliance. IMPORTANT: Physical access to the appliance is needed to bring the system back online for all models except the NG-8000.
  • Page 55: setup

    Figure 3-53: save_support_logs 5.14 setup The setup command assists you in setting up the device for the first time. It guides you to perform all the necessary steps to establish a working device.
  • Page 56: show_config

    Figure 3-55: show 5.15.1 show_config The show_config command shows the current configuration. Figure 3-56: Show_config 5.15.2 show_network The show_network command shows the current network configuration.
  • Page 57: show_service

    Figure 3-57: show_network 5.15.3 show_service The show_service command allows system administrators to view the service configuration status.
  • Page 58: show_dbsize

    Figure 3-59: show_service_all show_service_snmpd: This option displays the service configuration status for snmpd. Figure 3-60: show_service_snmpd show_service_ssh: This option displays the service configuration status for ssh. Figure 3-61: show_service_ssh 5.15.4 show_dbsize The show_dbsize command shows the file size of the databases connected with your appliance.
  • Page 59: show_time

    Figure 3-64: show_time 5.16 supersh The supersh command enables root access to the appliance. This command is reserved for Finjan Support only. 5.17 tcpdump The tcpdump command allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It writes all the information into a tcpdump file.
  • Page 60: top

    5.18 top The top command displays all the running processes, and updates the display every few seconds, so that you can interactively see what the appliance is doing.
  • Page 61: uptime

    Figure 3-67: traceroute 5.20 uptime The uptime command produces a single line of output that shows the current time, how long the system has been running (in minutes) since it was booted up, how many user sessions are currently open and the load averages.
  • Page 62: wget

    Figure 3-69: vmstat 5.22 w The w command shows who is currently logged on and the current command they are running.
  • Page 63: Update Mechanism

    enters a permanent license key. NOTE: The Policy Server will update Finjan Headquarters as to the status of the License.
  • Page 64: Installing Updates

    7.1.3 Offline Updates Customers who are using the appliance in an isolated network that is not connected to the Internet, can download any updates from the Finjan update site. These updates can be...
  • Page 65: Routing Traffic Through The Appliance

    Policy Server. From the Management Console, you can install the updates using the Import Local Updates option. This feature requires a special license. Please contact your Finjan representative for further details.
  • Page 66 To enable working in transparent mode: In the Vital Security Management Console, navigate to Administration System Settings Finjan Devices Scanning Server. In the selected Scanning Server, choose the General node. Click Edit and select the Enable Transparent Proxy Mode. Define the ports to be used for the scanned traffic.
  • Page 67: Working With Http

    Figure 3-73: Transparent Proxy 9 Working with HTTP In order for browsers or other appliances to be protected by Vital Security, the Vital Security must be configured as the Proxy Server.
  • Page 68: Upstream

    Every request is scanned with the latest security updates, even if the content was cached before the last update.
  • Page 69: Why Work With ICAP

    10.1 Why work with ICAP? One of the reasons is that if you are working with a caching proxy that supports the ICAP protocol, you can achieve significant performance benefits from configuring Vital Security as an ICAP server rather than an HTTP proxy.
  • Page 70: ICAP Clients

    icap://192.168.2.153:1344/Finjan_REQMOD NOTE: When working with RESPMOD, REQMOD must be enabled. Vital Security can also work in REQMOD only, for example, for performing URL filtering, but in this case, the actual incoming content is not scanned.
  • Page 71: Configuring ICAP Clients

    To configure NetApp via Vital Security: In the Vital Security Management Console, select Administration System Settings Finjan Devices. In the Devices screen, select the Scanning Server with which you are working, and then select ICAP. Figure 4-1: Devices - ICAP...
  • Page 72 Click on Edit in the right hand pane. Select Enable ICAP for Device. In the Access List tab, click on and select Add Row from the drop-down menu.
  • Page 73 Figure 4-3: ICAP Setup - General Open the Service Farms tab. Press the New Service Farm button to create a new ICAP Service. To configure an ICAP Service Farm: To set a REQMOD service, ensure that the following conditions are met: In the Vectoring Point field, select...
  • Page 74 Figure 4-4: New ICAP Service Farm Once the services have been configured in the Service Farms, Access Control List rules should be defined to include these services.
  • Page 75: Blue Coat

    To configure Blue Coat via Vital Security: In the Vital Security Management Console, select Administration System Settings Finjan Devices. In the Devices screen, select the Scanning Server with which you are working, and then select ICAP. Click on Edit in the right hand pane.
  • Page 76 In the Access List tab, click on and select Add Row from the drop-down menu. Figure 4-6: Blue Coat Configuration Select Blue Coat from the Type drop-down list.
  • Page 77 Figure 4-7: Blue Coat Main Screen Navigate to the Management Console. Figure 4-8: Blue Coat Management Console Chapter 4 - Configuring ICAP Clients...
  • Page 78 NOTE: If, at any time during the session, the Java Plug-in Security Warning appears, select Grant this session to continue.
  • Page 79 Figure 4-10: Edit ICAP Services...
  • Page 80 The following table describes the field data to be entered: Field Name Field Data to be entered ICAP Version Select 1.0 from the dropdown list Server Type...
  • Page 81 Figure 4-11: Visual Policy Manager Launch Click Launch and the Visual Policy Manager dialog box is displayed. Figure 4-12: Visual Policy Manager Dialog Box From the Main Menu Bar, select Policy Add Web Access Layer, and the Add...
  • Page 82 Figure 4-13: Add New Layer Dialog Box Add in the required name and click OK. The Visual Policy Manager is displayed with a new Web Access Layer.
  • Page 83 Figure 4-15: Edit ICAP Request Service In the Add ICAP Request Service Object window, select the Use ICAP Request Service checkbox.
  • Page 84 Figure 4-16: Add ICAP Request Service Object From the drop-down list, select the REQMOD service you have defined, and click Go back to the Set Action Object dialog box, and click OK.
  • Page 85: A Installation Details

    Attach a bootable USB flash device, and a USB-keyboard and VGA monitor to the appliance whilst it is still switched off. Power on the appliance. The appliance will read automatically from the USB key. When the Finjan screen appears, type yes to continue with the process. Appendix A - Installation Details...
  • Page 86 Let the installation run – it will take approximately 10 minutes. After this time, the appliance will reboot. When the Finjan installation screen reappears, remove the USB key. Reboot the appliance by pressing Ctrl + Alt + Delete. Set up the configuration as required via the Limited Shell as described in...
  • Page 87 In the next screen, in the Persistent field, ensure that it says This boot only and press Enter. In a few minutes, the Finjan screen appears, type yes to continue with this process. When the Finjan screen appears, type yes to continue with the process.
  • Page 88: Remote Installation On NG-8000

    Remote Installation on NG-8000 What you need: Java™ 6 installed on your computer DVD reader Internet connection to the BladeCenter Management Module with a valid IP address To install a Release remotely onto a BladeCenter: On your local PC, insert the DVD with the release on it into the DVD slot.
  • Page 89 Figure A-4: Remote Control - Start Remote Control In the Remote Control window, select the required Blade from the Media Tray drop-down list.
  • Page 90 Figure A-6: Selected Resources - Mount All In the Remote Console section, in the KVM field, scroll down to the Blade7 option (See figure above).
  • Page 91 Figure A-7: Restart Blade Switch back over to the Remote Control screen, and wait for the Server to boot up from the DVD.
  • Page 92: Post-Installation Bonding Script On NG-8000

    Let the installation run – it will take approximately 10 minutes. After this time, the appliance will reboot. When the Finjan installation screen reappears, remove the DVD. Reboot the appliance by pressing Ctrl + Alt + Delete. Set up the configuration as required via the Limited Shell as described in...
  • Page 93: Policy Server

    Once the access list is enabled, all access from unknown IPs is disabled. To configure a Management Access List: Navigate to Administration System Settings Finjan Devices <IP Address> Access List. Click Edit to enable the screen for editing mode. Select Use Access List.
  • Page 94 1.1.2 Management Console Password The default password provided is “finjan”. It is recommended to change the default password as soon as possible.
  • Page 95: Post-Installation System Hardening

    Scanning Server via the interface that is being used by the end-users. To limit access via a single IP address: In the Management Console, navigate to Administration System Settings Finjan Devices <IP Address> Scanning Server HTTP Proxy IP and Port.
  • Page 96: Nortel Switches (Applicable Only To NG-8000 Series)

    Click Save and click Nortel Switches (Applicable only to NG-8000 Series) Nortel Switch (both Layer 2-3 and Layer 2-7) has to be hardened as well in order to limit unauthorized access to it and also in order to secure the communication between the management station and the switch.

This manual is also suitable for:

Vital Security NG-6000, Vital Security NG-5000