
System 

166 

You may also upload additional configuration files from your computer to the CyberGuard 
SG appliance under Upload file. 

To back up to an encrypted file, click save and restore, enter a password and click Save 
under Save Configuration.  To restore from this file, browse for the backup configuration 
file, enter the password you used to save it and click Restore under Restore 
configuration. 

Flash upgrade 

Periodically, CyberGuard may release new versions of firmware for your CyberGuard SG 
appliance.  If a new version fixes an issue you’ve been experiencing, or adds a new feature 
you wish to use, contact CyberGuard SG technical support for information on obtaining 
the latest firmware.  You can then load the new firmware with a flash upgrade. 

Note 

Please read the appendix entitled Firmware Upgrade Practices and Precautions before 
attempting a firmware upgrade. 

There are two methods available for performing a flash upgrade. 

The first is to download the netflash.exe for the appropriate model and version to which 
you will be upgrading.  This is a Windows program that automates the upgrade 
procedure.  Be sure to read the release notes before attempting the upgrade.   

The second is to download the binary image file (.bin).  This can then be transferred from 
a PC on the local network into the CyberGuard SG appliance’s flash memory by way of a 
TFTP server.  This method involves the following steps: 

1.  Download the appropriate .bin file. 

2.  Start up a TFTP server.  Windows users can download a TFTP server program from: 
    https://www.cyberguard.com/snapgear/downloads/tools/tftpd32j.zip

Note 

Although we recommend it, this program is not supported by CyberGuard. 
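The TFTP server in step 2 hands the .bin image to the appliance with the plain RFC 1350 exchange (read request, 512-byte data blocks, acknowledgements); TFTP has no authentication, so a server used for the upgrade should serve only the staged image and nothing else. The following is an added illustration, not code from this manual or from CyberGuard: the packet-level logic of such a read-only, single-file TFTP responder, with an in-memory client driving a complete transfer. The file name and image contents are constructed for the example; the UDP transport is left out.

```python
import struct

# TFTP opcodes (RFC 1350) and the fixed data block size; a block shorter
# than BLOCK (possibly empty) tells the client the transfer is complete.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def parse_request(pkt):
    """Decode an RRQ/WRQ packet into (opcode, filename, mode)."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op, = struct.unpack("!H", pkt[:2])
    if op not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a request")
    parts = pkt[2:].split(b"\0")          # filename NUL mode NUL [options...]
    if len(parts) < 3 or parts[-1] != b"":
        raise ValueError("malformed request")
    name = parts[0].decode("ascii", "replace")
    mode = parts[1].decode("ascii", "replace").lower()
    return op, name, mode


def error_packet(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode("ascii") + b"\0"


def data_packet(block, chunk):
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def ack_packet(block):
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


class Transfer:
    """Server-side state of one read transfer of the image."""

    def __init__(self, image):
        self.image = image
        self.block = 0        # number of the last DATA block sent
        self.done = False     # set once the short final block has gone out

    def next_data(self):
        self.block += 1
        start = (self.block - 1) * BLOCK
        chunk = self.image[start:start + BLOCK]
        if len(chunk) < BLOCK:
            self.done = True
        return data_packet(self.block, chunk)

    def handle_ack(self, pkt):
        """Return the next DATA packet, or None if finished or the ACK is stale."""
        if len(pkt) < 4:
            return None
        op, block = struct.unpack("!HH", pkt[:4])
        if op != OP_ACK or block != (self.block & 0xFFFF):
            return None       # ignore stale/duplicate ACKs rather than resend
        if self.done:
            return None
        return self.next_data()


class FirmwareServer:
    """Read-only responder that serves exactly one file: the staged image."""

    def __init__(self, image_name, image):
        self.image_name = image_name
        self.image = image

    def handle_request(self, pkt):
        """Answer the first packet of a session: (reply, Transfer or None)."""
        try:
            op, name, mode = parse_request(pkt)
        except ValueError as exc:
            return error_packet(4, str(exc)), None
        if op == OP_WRQ:
            return error_packet(2, "server is read-only"), None
        if name != self.image_name:
            return error_packet(1, "file not found"), None
        if mode != "octet":
            return error_packet(0, "octet mode only"), None
        transfer = Transfer(self.image)
        return transfer.next_data(), transfer


def fetch_image(server, filename, mode="octet"):
    """Client side of the exchange, run in memory: (image bytes or None, error code or None)."""
    req = (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
           + mode.encode("ascii") + b"\0")
    reply, transfer = server.handle_request(req)
    received = b""
    while True:
        op, block = struct.unpack("!HH", reply[:4])
        if op == OP_ERROR:
            return None, block
        received += reply[4:]
        nxt = transfer.handle_ack(ack_packet(block))   # every DATA block is ACKed
        if len(reply) - 4 < BLOCK:                      # short block ends the transfer
            return received, None
        reply = nxt


if __name__ == "__main__":
    # Constructed sample image; a real upgrade would stage the downloaded .bin here.
    srv = FirmwareServer("sg_firmware.bin", bytes(range(256)) * 6)
    print(len(fetch_image(srv, "sg_firmware.bin")[0]), "bytes transferred")
```

To use it on a LAN, wrap `FirmwareServer` in a UDP socket bound to the PC's LAN address on port 69 and keep the server running only for the duration of the upgrade.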

Summary of Contents for 2.0.1

Page 1: ...CyberGuard SG Firewall VPN Appliance User Manual Revision 2 0 1 June 7 2004 CyberGuard 7984 South Welby Park Drive 101 Salt Lake City Utah 84084 Email support snapgear com Web www cyberguard com...

Page 2: ...14 Set up Internet Connection Settings 18 Set up the PCs on your LAN to Access the Internet 19 CyberGuard SG PCI Appliances 24 Install your CyberGuard SG Appliance in a Spare PCI Slot 24 Install the N...

Page 3: ...Filtering 81 7 Intrusion Detection 89 Basic Intrusion Detection and Blocking 91 Advanced Intrusion Detection 93 8 Web Cache 98 Web Cache Setup 99 Network Shares 100 Peers 103 Set up LAN PCs to Use th...

Page 4: ...Support 168 Appendix A IP Address Ranges 169 Appendix B Terminology 170 Appendix C System Log 177 Access Logging 177 Creating Custom Log Rules 179 Rate Limiting 182 Administrative Access Logging 183...

Page 5: ...shields your computers from outside threats The CyberGuard SG appliance checks and filters data packets to prevent unauthorized intruders gaining access The CyberGuard SG appliance s NAT masquerading...

Page 6: ...pliance is recommended for Security conscious businesses that wish to separate firewall and VPN issues from server desktop operating systems Businesses that wish to eliminate the soft center For envir...

Page 7: ...h in the same range as the LAN as no NAT masquerading is being performed see the chapter entitled Firewall for more information One IP address is used to manage the CyberGuard SG appliance via the Web...

Page 8: ...This document uses different fonts and typefaces to show specific actions Warning Note Text like this highlights important issues Bold text in procedures indicates text that you type or the name of a...

Page 9: ...llation CD Printed Quick Install guide Cabling including o 1 normal straight through UTP cable blue color o 1 crossover UTP cable either gray or red color Note The SG300 model includes two blue straig...

Page 10: ...Internet network interface DMZ Activity Flashing Network traffic on the DMZ network interface Serial Activity Flashing For either of the CyberGuard SG appliance COM ports these LEDs indicate receive...

Page 11: ...aseT LAN port 10 100BaseT 4 port LAN switch SG300 model only Rear panel Ethernet link and activity status LEDs DMZ link features SG570 SG575 only 10 100BaseT DMZ port Real panel Ethernet link and acti...

Page 12: ...g status The two LEDs closest to the network port are network activity upper and network link lower The two other LEDs are power upper and heart beat lower Figure 1 3 Label Activity Description Power...

Page 13: ...Network link features 10 100baseT Ethernet port Ethernet LEDs link activity Environmental features Status LEDs Power Heart Beat Operating temperature between 0 C and 40 C Storage temperature between 2...

Page 14: ...installed You may need to be logged in with administrator privileges Instructions are not given for other operating systems refer to your operating system documentation on how to configure your PCs ne...

Page 15: ...directly to a LAN with an existing DHCP server before performing the initial setup steps described below the LAN interface will automatically obtain an additional address In this case it will be reach...

Page 16: ...et switch using a straight through cable blue Note It is recommended that you perform the initial setup steps with the CyberGuard SG appliance connected to a single PC only However you may choose to c...

Page 17: ...double click Network Right click on Local Area Connection and select Properties Note If there is more than one existing network connection select the one corresponding to the network interface card to...

Page 18: ...dresses and enter Preferred DNS server 192 168 0 1 Note If you wish to retain your existing IP settings for this network connection click Advanced and Add the secondary IP address of 192 168 0 100 sub...

Page 19: ...on on the CyberGuard SG appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twice within 2 seconds returns the CyberGuard SG appliance to its factory default settings En...

Page 20: ...LAN already configured Select this if you wish to use the CyberGuard SG appliance s initial network settings IP address 192 168 0 1 and subnet mask 255 255 255 0 as a basis for your LAN settings You m...

Page 21: ...he address of 192 168 0 1 The IP address will later be used as the gateway address for the PCs on your LAN To gain access through this gateway the PCs on your LAN must have an IP address within the bo...

Page 22: ...Analog modem If connecting using a regular analog modem enter the details provided by your ISP DSL modem If connecting using an ADSL modem select Auto detect ADSL connection type and enter the details...

Page 23: ...access the CyberGuard SG appliance and the Internet If you haven t already connect your CyberGuard SG appliance s LAN Ethernet port directly to your LAN hub using the straight through Ethernet cable...

Page 24: ...r Restart all the PCs on the network this will reset their gateway and DNS addresses Note The purpose of restarting the computers is to force them to gain a new DHCP lease Alternatively you can use a...

Page 25: ...re are multiple entries Enter the following details IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance s LAN connection e g if using the default settings...

Page 26: ...on or leave it blank WINS Address optional is the IP address of any existing WINS server on your LAN Default Lease Time and Maximum Lease Time should generally be left at their default values Initial...

Page 27: ...work card name if there are multiple entries and click Properties in 95 98 Me you may also have to click the IP Address tab Figure 2 6 Check Obtain an IP address automatically check Obtain DNS server...

Page 28: ...gs Network and Dialup Connections Local Area Connection possibly followed by a number Properties and ensure the adapter is listed in the Connect using field Set up your PC to Connect to the Web Manage...

Page 29: ...Local Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figure 2 7 Select Use the follo...

Page 30: ...at 192 168 0 1 or the initial username and password are not accepted press the Reset button on the CyberGuard SG appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twic...

Page 31: ...erver you may set up your CyberGuard SG appliance and PC for auto configuration Otherwise you must manually set up your CyberGuard SG appliance s and PC s network settings To manually set up your Cybe...

Page 32: ...more DNS Server s to be used by the CyberGuard SG appliance not your PC for Internet name resolution Click Apply and Reboot Next configure your PC with the second IP address in the same manner you wo...

Page 33: ...he subnet range of your LAN Subnet mask is the subnet mask of your LAN Default gateway is the IP address of your LAN s default gateway Preferred DNS server is the IP address of the DNS server used by...

Page 34: ...the Web Management Console using the CyberGuard SG appliance s MAC address In bridged mode this will be the top MAC address of the three displayed on the CyberGuard SG appliance itself Figure 2 11 Ch...

Page 35: ...appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties and click Properties Figure 2 12 Check Obtain an IP add...

Page 36: ...ton enabled This allows the CyberGuard SG appliance s configuration to be reset to factory defaults From a network security standpoint it may be desirable to disable the Reset switch after initial set...

Page 37: ...he connection once your Internet connection has been established Connections Under the Connections tab each of the network ports of your CyberGuard SG appliance is displayed alongside its Device Name...

Page 38: ...ion mode see Network address translation in the Advanced section of this chapter this will typically be part of a private IP range such as 192 168 0 1 255 255 255 0 Ensure DHCP assigned is unchecked I...

Page 39: ...ernet ports or bridging between PPPoE ports The first step is setting up a host to host IPSec VPN connection Information regarding setting up a host to host VPN connection can be found in the IPSec se...

Page 40: ...ive it some time to power up If fitted ensure the Ethernet link LEDs are illuminated on both the CyberGuard SG appliance and modem device Internet Connection Methods Select your Internet connection ty...

Page 41: ...ction is idle DHCP connections may require a hostname to be specified but otherwise all settings are assigned automatically by your ISP For Manually Assign Settings connections enter the IP Address Ne...

Page 42: ...ernet connection Bridged Internet Select this enable bridging on the Internet port For the CyberGuard SG appliance to bridge between ports you will have to select either Bridged LAN or Bridged DMZ as...

Page 43: ...er Dialout Internet connection that will be activated when your primary Internet connection becomes unavailable e g ISP equipment or the telecommunications network may temporarily fail Physically conn...

Page 44: ...ly handed out by your ISP will take precedence over the addresses specified here Username and password Enter the unique username and password allocated by your ISP The Password and Confirm Password fi...

Page 45: ...an be configured as a second LAN connection a DMZ connection a secondary Internet connection or as a secondary failover Internet connection that will be activated should your primary Internet connecti...

Page 46: ...t to configure your CyberGuard SG appliance to allow access from servers on your DMZ to servers on your LAN By default all network traffic from the DMZ to the LAN is dropped See the section called Pac...

Page 47: ...lure Failures can be caused by removing the wrong plug from the wall typing in the wrong ISP password or many other reasons Regardless of the cause of a failure it can potentially be very expensive Wh...

Page 48: ...stics Network Tests Ping Test Figure 3 6 Enter the IP address of this host in IP Address to ping Ping Interval is the number of seconds to wait between sending pings Number of times to attempt this co...

Page 49: ...for failover above for details on enabling your primary broadband Internet connection for failover Figure 3 7 Next configure the failover connection as you would a normal Internet connection See the D...

Page 50: ...e can be configured to automatically exchange routing information with other routers Note that this feature is intended for network administrators adept at configuring route management services Check...

Page 51: ...appliance on the network DNS Proxy The CyberGuard SG appliance can also be configured to run as a Domain Name Server The CyberGuard SG appliance acts as a DNS Proxy and passes incoming DNS requests to...

Page 52: ...is setup to masquerade Masquerading has the following advantages Added security because machines outside the local network only know the gateway address All machines on the local network can access t...

Page 53: ...changes the CyberGuard SG appliance will alert the dynamic DNS service provider so the domain name records can be updated appropriately First create an account with the dynamic DNS service provider of...

Page 54: ...nce to respond to multiple IP addresses on its LAN Internet and DMZ ports For Internet and DMZ aliased ports you must also setup appropriate Packet Filtering and or Port forwarding rules to allow traf...

Page 55: ...ing provides a level of control over the relative performance of various types of IP traffic The traffic shaping feature of your CyberGuard SG appliance allows you to allocate High Medium or Low prior...

Page 56: ...onnected to the CyberGuard SG appliance The CyberGuard SG appliance s dialin facility establishes a PPP connection to the remote user or site Dialin requests are authenticated by usernames and passwor...

Page 57: ...able the CyberGuard SG appliance s COM port or internal modem for dialin Under Networking select Network Setup From the Connections menu locate the COM port or Modem on which you want to enable dialin...

Page 58: ...database is used to verify the username and password received from the dialin client Local means the dialin user accounts created on the CyberGuard SG appliance You will need to created user accounts...

Page 59: ...ew Account are shown in the following table Field Description Username Username for dialin authentication only The name is case sensitive e g Jimsmith is different to jimsmith Password Password for th...

Page 60: ...he Account List and enter the new password in the New Password and Confirm fields Click Apply under the Delete or Change Password for the Selected Account heading or click Reset if you make a mistake...

Page 61: ...riate item from the Network or System menus You can also apply packet filtering to the dialin service as detailed in the chapter entitled Firewall Warning If you have enabled a CyberGuard SG appliance...

Page 62: ...ources as if they were a local user Windows 95 98 Me From the Dial Up Networking folder double click Make New Connection and enter the Connection Name for your new dialin connection Select the modem t...

Page 63: ...Warning Do not select NetBEUI or IPX If an unsupported protocol is selected an error message is returned when attempting to connect Click TCP IP Settings and confirm that the Server Assigned IP Addre...

Page 64: ...click Start Settings Network and Dial up Connections and select Make New Connection The network connection wizard will guide you through setting up a remote access connection Figure 4 5 Click Next to...

Page 65: ...ure is useful when using remote access in another area code or overseas Click Next to continue Figure 4 8 Select the option Only for myself to make the connection only available for you This is a secu...

Page 66: ...he desktop To launch the new connection double click on the new icon on the desktop and the remote access login screen will appear as in the next figure If you did not create a desktop icon click Star...

Page 67: ...d netmask on the LAN or DMZ port see the chapter entitled Network Connections DHCP Server Configuration The DHCP server allows the automatic distribution of IP gateway DNS and WINS addresses to hosts...

Page 68: ...d Maximum Lease Time in seconds The lease time is the time that a dynamically assigned IP address is valid Enter the IP address or range of IP addresses see the appendix entitled IP Address Ranges to...

Page 69: ...sses to hand out if this value is 0 Enable Disable Each subnet can be enabled or disabled by clicking on the Enable or Disable button under the Enable Disable heading Edit The settings for each subnet...

Page 70: ...addresses the added option to Unreserve the address Unreserving the address will allow it to be handed out to any host The Status field will have three possible states These include Reserved the addr...

Page 71: ...ows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would To enable this feature specify the server which is to receive the forwarded requests in Relay Host...

Page 72: ...l filters packets at the network layer determines whether the session packets are legitimate and evaluates the contents of packets at the application layer to provide maximum protection for your priva...

Page 73: ...Console web administration pages Web Admin to machines on your local network Disallowing all services is not recommended as this will make future configuration changes impossible unless your CyberGuar...

Page 74: ...tion to establish secure connections to the Web Management Console web administration pages from SSL enabled browsers Figure 6 2 Note Changing the web server port number is recommended if you are allo...

Page 75: ...e the new port number in the URL to access the pages For example if you change the web administration to port number 88 the URL to access the web administration will be similar to http 192 168 0 1 88...

Page 76: ...g Upload Alternately you can create self signed certificates internally on the CyberGuard SG appliance by following the link to the SSL Certificate page SSL Certificate Setup You can create self signe...

Page 77: ...mmon way for internal masqueraded servers to offer services to the outside world Destination NAT rules are used for port forwarding Source NAT rules are useful for masquerading one or more IP addresse...

Page 78: ...The CyberGuard SG appliance will perform a DNS lookup and fill in the IP Address field If the DNS hostname is invalid you may need to wait while the DNS lookup times out Warning The DNS lookup is onl...

Page 79: ...vice group is shown in the following figure Figure 6 5 A service group can be used to group together similar services For example you can create a group of services that you wish to allow and then use...

Page 80: ...Packet Filtering page to change the order The rules are evaluated top to bottom as displayed on the Packet Filtering page Adding or modifying a rule is shown in the following figure Figure 6 6 The Ac...

Page 81: ...appliance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN See the Advanced section of the chapter entitled Network Connections for information on c...

Page 82: ...is need not be the same as the Destination Service used to match the packet but often will be Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually create a m...

Page 83: ...nternet To Source Service The service to replace Source Services this need not be the same as the Source Service used to match the packet but often will be 1 to 1 NAT This creates both a Source NAT an...

Page 84: ...create filter rules through Rules Rules The Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules To access this page click Rules in the Fir...

Page 85: ...talled before accessing the Internet ZoneAlarm To enable any of these access controls or content filtering select Access Control then under the Main tab check Enabled and click Apply User authenticati...

Page 86: ...web proxy access will see a screen similar to the figure below when attempting to access external web content Figure 6 8 Note Each browser on the LAN will now have to be set up to use the CyberGuard...

Page 87: ...d be similar refer to their user documentation for details on using a web proxy From the Internet Options menu select Tools From the LAN Settings tab select LAN Settings Figure 6 9 Check Use a proxy s...

Page 88: ...locked or Allowed by the Source LAN IP address or address range the Destination Internet host s IP address or address range or the Destination Host s name See Appendix A for more information on IP add...

Page 89: ...address URL that contains text entered in the Block List e g entering xxx will block any URL containing xxx including http xxx example com or www test com xxx index html The Allow List also enables ac...

Page 90: ...eck Enable Content Filtering enter your activated License key then continue on to set reporting options and which categories to block Click Apply once these options have been set up to enable content...

Page 91: ...tified either through User Accounts see User Authentication earlier in this chapter or the IP Address of their machine Click View Reports to connect to the central content filtering server You will be...

Page 92: ...achines your LAN that are not running the ZoneAlarm Pro personal firewall software Running personal firewall software on each PC offers an extra layer of protection from application level operating sy...

Page 93: ...e outside world which are monitored for connection attempts Clients attempting to connect to these dummy services can be blocked Advanced Intrusion Detection uses complex rulesets to detect known meth...

Page 94: ...other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitored to identify suspect behaviour and help to deal with intruders...

Page 95: ...ection attempts Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt and the access attempt is denied Because network scans often...

Page 96: ...This option only takes effect when one of the previous blocking options is enabled The trigger count value should be between 0 and 2 o represents an immediate blocking of probing hosts Larger setting...

Page 97: ...ng a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but another fails and so on Advanced Intrusion Detection can also detect mal...

Page 98: ...ouped by type such as DDOS exploit backdoor NETBIOS etc Each type in turn has many subtypes depending on the exact attack signature For example selecting NETBIOS will enable matching subtype signature...

Page 99: ...tem log Advanced System Log Advanced Intrusion Detection currently only supports MySQL as the Database Type Enter the name table name of the remote database in Database Name Enter the IP address of re...

Page 100: ...ze and graph data stored in the MySQL database from the CyberGuard SG appliance running Advanced Instrusion Detection They should be installed in the following order MySQL database http www mysql com...

Page 101: ...will be running as an IDS sensor on the CyberGuard SG appliance and logging to the MySQL database on the analysis server The following are detailed documents that aid in installing the above tools on...

Page 102: ...d Internet objects over the available Internet connection when several users attempt to access the same web site simultaneously The objects will be available in the cache server memory or disk and qui...

Page 103: ...The maximum amount of memory you can safely reserve will depend on what other services the CyberGuard SG appliance has running such as VPN or a DHCP server If you will be using a Network Share recomm...

Page 104: ...ome basic instructions for creating a network share under Windows XP Create a new user account Note We recommend that you create a special user account to be used by the CyberGuard SG appliance for re...

Page 105: ...hare the folder Right click on the folder and select Sharing and Security Select Share this folder and note the Share name you may change this to something easier to remember if you wish Finally to se...

Page 106: ...ximum size for the cache in Cache size Warning Cache size should not be more than 90 of the space available to the network share e g if you shared a drive with 1 gigabyte of available storage specify...

Page 107: ...en the caches placed at the Parent level are queried if the replies from sibling caches did not succeed Enter the host or IP address of an ICP capable web cache peer in Host then select its relationsh...

Page 108: ...y telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can also be deployed as a low cost way of securely linking two or more networks such...

Page 109: ...he purpose for the connection The remote PPTP server IP address to connect to A username and password to use when logging in to the remote VPN You may need to obtain this information from the system a...

Page 110: ...raffic check the Make VPN the Default Route checkbox and click Apply This option is only available when the CyberGuard SG appliance is configured with a single VPN connection only After adding a new V...

Page 111: ...up VPN user accounts on the CyberGuard SG appliance and enable the appropriate authentication security Configure the VPN clients at the remote sites The client does not require special software The C...

Page 112: ...gure the PPTP VPN server The following figure shows the PPTP server setup Figure 9 3 To enable and configure your CyberGuard SG appliance s VPN server select PPTP VPN Server from the VPN menu on the W...

Page 113: ...nting to establish a PPTP connection to the network The remote client must be set up to use the selected authentication scheme MSCHAPv2 is the most secure MSCHAPv2 plus data encryption is strongly rec...

Page 114: ...emote users can establish VPN tunnels to the CyberGuard SG appliance PPTP server user accounts must be added Note PPTP Accounts are distinct from those added through Users in the System menu and those...

Page 115: ...r the remote VPN user Confirm Re enter the password to confirm As new VPN user accounts are added they are displayed on the updated Account List To modify the password of an existing account Select th...

Page 116: ...G appliance see Dynamic DNS in the Network Connections section Ensure the remote VPN client PC has Internet connectivity To create a VPN connection across the Internet you must set up two networking c...

Page 117: ...e CyberGuard SG appliance VPN server in the VPN Server field This may change if your ISP uses dynamic IP assignment Click OK and then click Finish Figure 9 6 Right click the new icon and select Proper...

Page 118: ...ression and Use Default Gateway on Remote Network are all selected and click OK Figure 9 7 Your VPN client is now set up and ready to connect Windows 2000 Log in as Administrator or with Administrator...

Page 119: ...gure 9 9 Select Connect to a private network through the Internet and click Next This displays the Destination Address window Figure 9 10 Enter the CyberGuard SG PPTP server s IP address or fully qual...

Page 120: ...Connection Name for the VPN connection such as your company name or simply Office Click Next If you have set up your computer to connect to your ISP using dial up select Automatically dial this initia...

Page 121: ...your computer informed you that you are connected You can now check your e mail use the office printer access shared files and and computers on the network as if you were physically on the LAN Note De...

Page 122: ...it become necessary to configure the tunnel with those settings For most applications to connect two offices together a network similar to the following will be used Figure 9 12 To combine the Headqu...

Page 123: ...that resolves to the IP address on the Internet port then the DNS hostname address option should be selected In this example select dynamic IP address The Maximum Transmission Unit MTU of the IPSec i...

Page 124: ...the IPSec link on the left side of the Web Management Console web administration pages and then click the Add New Tunnel tab at the top of the window A window similar to the following will be displaye...

Page 125: ...es less messages in the exchange when compared to Main mode Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect or if the...

Page 126: ...te party will have access to Masqueraded network is selected when all traffic behind the CyberGuard SG appliance is seen as originating from its Internet IP address by the remote party The remote part...

Page 127: ...In this example select the be a route to the remote party option Click the Continue button to configure the Local Endpoint Settings Local endpoint settings Figure 9 15 Leave the Initiate the tunnel f...

Page 128: ...om snapgear knowledgebase html to determine what form it must take In this example enter branch office Leave the Enable IP Payload Compression checkbox unchecked If compression is selected IPComp comp...

Page 129: ...ng when using SHA1 excluding any underscore characters This field appears when Manual Keying has been selected Encryption Key field is the ESP Encryption Key It must be of the form 0xhex where hex is...

Page 130: ...te party in The remote party s IP address field In this example enter 209 0 01 The Endpoint ID is used to authenticate the remote party to the CyberGuard SG appliance The remote party s ID is optional...

Page 131: ...party This option will become available if the remote party has been configured to have a DNS hostname address Distinguished Name field is the list of attribute value pairs contained in the certifica...

Page 132: ...sh and uniquely identify the tunnel It must be of the form 0xhex where hex is one or more hexadecimal digits and be in the range of 0x100 0xfff This field appears when Manual Keying has been selected...

Page 133: ...this new key is negotiated before the current key expires can be set in the Rekeymargin field In this example leave the Rekeymargin as the default value of 10 minutes The Rekeyfuzz value refers to th...

Page 134: ...depending on what has been configured previously Local Public Key field is the public part of the RSA key generated for RSA Digital Signatures authentication These fields are automatically populated...

Page 135: ...SG appliance also supports extensions to the Diffie Hellman groups to include 2048 3072 and 4096 bit Oakley groups Perfect Forward Secrecy is enabled if a Diffie Hellman group or an extension is chose...

Page 136: ...isplayed Figure 9 19 In the Subnet Settings section a local and remote network combination can be added one at a time by entering subnets into the Add Local Network and Add Remote Network fields and t...

Page 137: ...s or start with a number In this example enter Branch_Office Leave checked the Enable this tunnel checkbox Select the Internet interface the IPSec tunnel is to go out on In this example select default...

Page 138: ...end checkbox checked Click the Continue button to configure the Remote Endpoint Settings Remote endpoint settings page Enter the Required Endpoint ID of the remote party In this example enter the Loca...

Page 139: ...Set the length of time before Phase 2 is renegotiated in the Key lifetime m field In this example leave the Key Lifetime as the default value of 60 minutes Select a Phase 2 Proposal In this example s...

Page 140: ...he Connection field will be shown Note You may modify a tunnel s settings by clicking on its connection name Click Connection to sort the tunnel list alphabetically by connection name Remote party The...

Page 141: ...e 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel. Aggressive or Main mode packets, depending on tunnel configuration, are transmitted during this stage of the negotiation process. N...

Page 142: ...and AES. Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations. This will include MD5 and SHA1 (otherwise known as SHA). Phase 1 Ciphers Loaded...

Page 143: ...ple, the policy line has the PFS keyword. If PFS is disabled, then the keyword will not appear. Whether IP Payload Compression is used: In this example, the policy line does not have the COMPRESS keyword, si...

Page 144: ...or Disable under the Tunnel List menu. Delete: One or more tunnels can be enabled or disabled by checking the checkbox to the right of the tunnel and clicking Delete under the Tunnel List menu. NAT Traver...

Page 145: ...tool on the CyberGuard SG Installation CD to extract these certificates, ensure the cygwin1.dll library is in the same directory as the openssl application. To extract the CA certificate, enter the foll...

Page 146: ...characters long, and this will be the same pass phrase entered when uploading the private key certificate into the CyberGuard SG appliance. The application will then prompt you to verify the pass phrase...

Page 147: ...e certificate request: openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req. Enter a PEM pass phrase; this is the same pass phrase required when you upload the key to the CyberGuard SG appli...

Page 148: ...ificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A...

Page 149: ...rtificate Type pull-down menu. Enter the Certificate Authority's Public Key certificate or CRL file in the Certificate File field. Click the Browse button to select the file from the host computer. CA Ce...

Page 150: ...et correctly on the CyberGuard SG appliance. Also ensure that the certificate is in PEM or DER format. Enter the Local Private Key certificate in the Private Key Certificate field. Click the Browse butto...

Page 151: ...though IPSec is running and the tunnel is enabled. Possible Cause: The tunnel is using Manual Keying and the encryption and/or authentication keys are incorrect. The tunnel is using Manual Keying and the...

Page 152: ...and have Internet IP addresses. Check that the CA has signed the certificates. Symptom: Tunnel is always Negotiating Phase 2. Possible Cause: The Phase 2 proposals set for the CyberGuard SG appliance and...

Page 153: ...for Manual Keying. Symptom: Dead Peer Detection does not seem to be working. Possible Cause: The tunnel has Dead Peer Detection disabled. The remote party does not support Dead Peer Detection according to...

Page 154: ...our computer does not have its default gateway as the CyberGuard SG appliance. If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP addr...

Page 155: ...a GRE tunnel that runs over the Internet, it is possible for an attacker to put packets onto your network. If you want a tunneling mechanism to securely connect to networks, then you should use IPSec or...

Page 156: ...3.45.6. Local Internal Address: 192.168.1.1. Click Add. Click Add/Remove under Remote Networks and enter Remote subnet/netmask 10.1.0.0 255.255.0.0. Click Add. The Brisbane end is now set up (Figure 9.26). On...

Page 157: ...d them through Add/Remove under Remote Networks. GRE over IPSec: In this example, we will bridge the 10.11.0.0 255.255.0.0 network between Brisbane and Slough endpoints described in the previous section...

Page 158: ...For a complete overview of all available options when setting up an IPSec tunnel, please refer to the IPSec section earlier in this chapter. Take note of the following important settings: Set the local...

Page 159: ...to_bris. Remote External Address: 10.254.0.2. Local External Address: 10.254.0.1. Local Internal Address: Place on Ethernet Bridge (Checked). For the Brisbane end, enter the IP addresses below. Leave Local Inte...

Page 160: ...ace called greX created. greX is the same as the Interface Name specified in the table of current GRE tunnels. Also ensure that the required routes have been set up on the GRE interface. This might not o...

Page 161: ...to create tunnels across the Internet backbone. The CyberGuard SG L2TP implementation can only run L2TP over Ethernet, since it doesn't have an ATM adapter. L2TP packets are encapsulated in UDP packets...

Page 162: ...d and enabled on the CyberGuard SG appliance, as well as the L2TP server, before Windows clients can connect. The default way for the IPSec connection to be authenticated is to use x.509 RSA certificates...

Page 163: ...ppliance. NTP time server: The CyberGuard SG appliance can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the Cybe...

Page 164: ...ck will subsequently show local time. Without setting this, the system clock will show UTC. Setting a time zone is only relevant if you are synchronizing with an NTP server or your CyberGuard SG applianc...

Page 165: ...a capabilities beyond any other user. Note: The root user is the only user permitted to telnet to a CyberGuard SG appliance. Web administration access controls are grouped into four broad categories. Admi...

Page 166: ...n be allocated to a technician whom you want to be able to restore units to a known good configuration, but to whom you do not wish to grant full administration rights. User settings: A user with this ac...

Page 167: ...A potential security issue may be introduced by having a network-connected CyberGuard SG appliance accessible using the factory default password. To prevent this, the password for the CyberGuard SG app...

Page 168: ...System 164. Figure 10.3 Network tests. Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page...

Page 169: ...errors are red. The pull-down menu underneath the log output allows you to filter the log output to display based on output type. Refer to Appendix C for details on configuring and interpreting log out...

Page 170: ...with a flash upgrade. Note: Please read the appendix entitled Firmware Upgrade Practices and Precautions before attempting a firmware upgrade. There are two methods available for performing a flash upgr...

Page 171: ...ntil its flash is reprogrammed at the factory or a recovery boot is performed. User care is advised. Reboot: Clicking this link will cause the CyberGuard SG appliance to perform a soft reboot. It will usu...

Page 172: ...age is an invaluable resource for the CyberGuard SG technical support team to analyze problems with your CyberGuard SG appliance. The information on this page gives the support team important informati...

Page 173: ...ddresses. The third form allows the address range to span network and subnet boundaries. All addresses including and between the two specified IP addresses are included in the range. For example, 192.168...

Page 174: ...connect, or if the CyberGuard SG appliance or the remote party is behind a NAT device. Authentication: Authentication is the technique by which a process verifies that its communication partner is who it...

Page 175: ...operate with the CyberGuard SG appliance, it must conform to the draft draft-ietf-ipsec-dpd-00.txt. DHCP (Dynamic Host Configuration Protocol): A communications protocol that assigns IP addresses to comput...

Page 176: ...demonstrate that it has not been modified. If a message were to be modified, then its hash would have changed and would no longer match the original hash value. Hub: A network device that allows more than...

Page 177: ...ssphrase is a key that can be used to lock and unlock the information in the private key certificate. Local Public Key Certificate: The public part of the public/private key pair of the certificate resi...

Page 178: ...ely having the long-term key does not allow him to infer those. Of course, it may allow him to conduct another attack, such as man-in-the-middle, which gives him some short-term keys, but he does not autom...

Page 179: ...ow to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. TCP/IP (Transmission Control Protocol/Internet Protocol): The basic protocol for Internet communicat...

Page 180: ...public key of the entity requesting the certificate and the CA's signature. x.509 certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certific...

Page 181: ...appliance creates entries in the syslog (/var/log/messages or external syslog server) of the following format: Date Time klogd: prefix IN=incoming interface OUT=outgoing interface MAC=dst/src MAC addresses...

Page 182: ...ions, however, is dropped. There are also some specific rules to detect various attacks (smurf, teardrop, etc.). When outbound traffic from LAN to WAN is blocked by custom rules configured in the GUI, the resul...

Page 183: ...te network to the public come in eth0 and out eth1, e.g. Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT...

Page 184: ...r example, site 192.0.1.2 attempted to access the CyberGuard SG appliance's PPTP port, the resultant log message would look something like this: 12 Jan 24 17:19:17 2000 klogd: Internet PPTP access IN=eth0...

Page 185: ...hat it was an inbound request, since eth0 is the LAN port and eth1 is usually the WAN port. An outbound request would have IN=eth0 and OUT=eth1. It is possible to use the -i and -o arguments to specify the...

Page 186: ...of service issues arising out of logging these access attempts. To achieve this, use the following option: --limit rate. rate is the maximum average matching rate, specified as a number with an optional seco...

Page 187: ...this case root, and the IP address from which the attempt was made. Telnet Command Line Interface login attempts appear as: Jan 30 03:18:37 2000 login: Authentication attempt failed for root from 10.0.0...

Page 188: ...umber is incremented is considered a major upgrade, e.g. 1.8.5 to 1.9.2 or 1.9.2 to 2.0.0, whereas a patch upgrade increments the patch revision number only, e.g. 1.9.0 to 1.9.1 or 1.9.0 to 1.9.2. Warning: If the flash...

Page 189: ...guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to, e.g. at a remote or client's site, we strongly recommend that followi...
