CyberGuard SG

Firewall VPN Appliance

User Manual

Revision 2.0.1

June 7, 2004

CyberGuard
7984 South Welby Park Drive #101
Salt Lake City, Utah 84084
Email: support@snapgear.com
Web: www.cyberguard.com

Содержание 2.0.1

Страница 1: ...CyberGuard SG Firewall VPN Appliance User Manual Revision 2 0 1 June 7 2004 CyberGuard 7984 South Welby Park Drive 101 Salt Lake City Utah 84084 Email support snapgear com Web www cyberguard com...

Страница 2: ...14 Set up Internet Connection Settings 18 Set up the PCs on your LAN to Access the Internet 19 CyberGuard SG PCI Appliances 24 Install your CyberGuard SG Appliance in a Spare PCI Slot 24 Install the N...

Страница 3: ...Filtering 81 7 Intrusion Detection 89 Basic Intrusion Detection and Blocking 91 Advanced Intrusion Detection 93 8 Web Cache 98 Web Cache Setup 99 Network Shares 100 Peers 103 Set up LAN PCs to Use th...

Страница 4: ...Support 168 Appendix A IP Address Ranges 169 Appendix B Terminology 170 Appendix C System Log 177 Access Logging 177 Creating Custom Log Rules 179 Rate Limiting 182 Administrative Access Logging 183...

Страница 5: ...shields your computers from outside threats The CyberGuard SG appliance checks and filters data packets to prevent unauthorized intruders gaining access The CyberGuard SG appliance s NAT masquerading...

Страница 6: ...pliance is recommended for Security conscious businesses that wish to separate firewall and VPN issues from server desktop operating systems Businesses that wish to eliminate the soft center For envir...

Страница 7: ...h in the same range as the LAN as no NAT masquerading is being performed see the chapter entitled Firewall for more information One IP address is used to manage the CyberGuard SG appliance via the Web...

Страница 8: ...This document uses different fonts and typefaces to show specific actions Warning Note Text like this highlights important issues Bold text in procedures indicates text that you type or the name of a...

Страница 9: ...llation CD Printed Quick Install guide Cabling including o 1 normal straight through UTP cable blue color o 1 crossover UTP cable either gray or red color Note The SG300 model includes two blue straig...

Страница 10: ...Internet network interface DMZ Activity Flashing Network traffic on the DMZ network interface Serial Activity Flashing For either of the CyberGuard SG appliance COM ports these LEDs indicate receive...

Страница 11: ...aseT LAN port 10 100BaseT 4 port LAN switch SG300 model only Rear panel Ethernet link and activity status LEDs DMZ link features SG570 SG575 only 10 100BaseT DMZ port Real panel Ethernet link and acti...

Страница 12: ...g status The two LEDs closest to the network port are network activity upper and network link lower The two other LEDs are power upper and heart beat lower Figure 1 3 Label Activity Description Power...

Страница 13: ...Network link features 10 100baseT Ethernet port Ethernet LEDs link activity Environmental features Status LEDs Power Heart Beat Operating temperature between 0 C and 40 C Storage temperature between 2...

Страница 14: ...installed You may need to be logged in with administrator privileges Instructions are not given for other operating systems refer to your operating system documentation on how to configure your PCs ne...

Страница 15: ...directly to a LAN with an existing DHCP server before performing the initial setup steps described below the LAN interface will automatically obtain an additional address In this case it will be reach...

Страница 16: ...et switch using a straight through cable blue Note It is recommended that you perform the initial setup steps with the CyberGuard SG appliance connected to a single PC only However you may choose to c...

Страница 17: ...double click Network Right click on Local Area Connection and select Properties Note If there is more than one existing network connection select the one corresponding to the network interface card to...

Страница 18: ...dresses and enter Preferred DNS server 192 168 0 1 Note If you wish to retain your existing IP settings for this network connection click Advanced and Add the secondary IP address of 192 168 0 100 sub...

Страница 19: ...on on the CyberGuard SG appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twice within 2 seconds returns the CyberGuard SG appliance to its factory default settings En...

Страница 20: ...LAN already configured Select this if you wish to use the CyberGuard SG appliance s initial network settings IP address 192 168 0 1 and subnet mask 255 255 255 0 as a basis for your LAN settings You m...

Страница 21: ...he address of 192 168 0 1 The IP address will later be used as the gateway address for the PCs on your LAN To gain access through this gateway the PCs on your LAN must have an IP address within the bo...

Страница 22: ...Analog modem If connecting using a regular analog modem enter the details provided by your ISP DSL modem If connecting using an ADSL modem select Auto detect ADSL connection type and enter the details...

Страница 23: ...access the CyberGuard SG appliance and the Internet If you haven t already connect your CyberGuard SG appliance s LAN Ethernet port directly to your LAN hub using the straight through Ethernet cable...

Страница 24: ...r Restart all the PCs on the network this will reset their gateway and DNS addresses Note The purpose of restarting the computers is to force them to gain a new DHCP lease Alternatively you can use a...

Страница 25: ...re are multiple entries Enter the following details IP address is an IP address that is part of the same subnet range as the CyberGuard SG appliance s LAN connection e g if using the default settings...

Страница 26: ...on or leave it blank WINS Address optional is the IP address of any existing WINS server on your LAN Default Lease Time and Maximum Lease Time should generally be left at their default values Initial...

Страница 27: ...work card name if there are multiple entries and click Properties in 95 98 Me you may also have to click the IP Address tab Figure 2 6 Check Obtain an IP address automatically check Obtain DNS server...

Страница 28: ...gs Network and Dialup Connections Local Area Connection possibly followed by a number Properties and ensure the adapter is listed in the Connect using field Set up your PC to Connect to the Web Manage...

Страница 29: ...Local Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figure 2 7 Select Use the follo...

Страница 30: ...at 192 168 0 1 or the initial username and password are not accepted press the Reset button on the CyberGuard SG appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twic...

Страница 31: ...erver you may set up your CyberGuard SG appliance and PC for auto configuration Otherwise you must manually set up your CyberGuard SG appliance s and PC s network settings To manually set up your Cybe...

Страница 32: ...more DNS Server s to be used by the CyberGuard SG appliance not your PC for Internet name resolution Click Apply and Reboot Next configure your PC with the second IP address in the same manner you wo...

Страница 33: ...he subnet range of your LAN Subnet mask is the subnet mask of your LAN Default gateway is the IP address of your LAN s default gateway Preferred DNS server is the IP address of the DNS server used by...

Страница 34: ...the Web Management Console using the CyberGuard SG appliance s MAC address In bridged mode this will be the top MAC address of the three displayed on the CyberGuard SG appliance itself Figure 2 11 Ch...

Страница 35: ...appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties and click Properties Figure 2 12 Check Obtain an IP add...

Страница 36: ...ton enabled This allows the CyberGuard SG appliance s configuration to be reset to factory defaults From a network security standpoint it may be desirable to disable the Reset switch after initial set...

Страница 37: ...he connection once your Internet connection has been established Connections Under the Connections tab each of the network ports of your CyberGuard SG appliance is displayed alongside its Device Name...

Страница 38: ...ion mode see Network address translation in the Advanced section of this chapter this will typically be part of a private IP range such as 192 168 0 1 255 255 255 0 Ensure DHCP assigned is unchecked I...

Страница 39: ...ernet ports or bridging between PPPoE ports The first step is setting up a host to host IPSec VPN connection Information regarding setting up a host to host VPN connection can be found in the IPSec se...

Страница 40: ...ive it some time to power up If fitted ensure the Ethernet link LEDs are illuminated on both the CyberGuard SG appliance and modem device Internet Connection Methods Select your Internet connection ty...

Страница 41: ...ction is idle DHCP connections may require a hostname to be specified but otherwise all settings are assigned automatically by your ISP For Manually Assign Settings connections enter the IP Address Ne...

Страница 42: ...ernet connection Bridged Internet Select this enable bridging on the Internet port For the CyberGuard SG appliance to bridge between ports you will have to select either Bridged LAN or Bridged DMZ as...

Страница 43: ...er Dialout Internet connection that will be activated when your primary Internet connection becomes unavailable e g ISP equipment or the telecommunications network may temporarily fail Physically conn...

Страница 44: ...ly handed out by your ISP will take precedence over the addresses specified here Username and password Enter the unique username and password allocated by your ISP The Password and Confirm Password fi...

Страница 45: ...an be configured as a second LAN connection a DMZ connection a secondary Internet connection or as a secondary failover Internet connection that will be activated should your primary Internet connecti...

Страница 46: ...t to configure your CyberGuard SG appliance to allow access from servers on your DMZ to servers on your LAN By default all network traffic from the DMZ to the LAN is dropped See the section called Pac...

Страница 47: ...lure Failures can be caused by removing the wrong plug from the wall typing in the wrong ISP password or many other reasons Regardless of the cause of a failure it can potentially be very expensive Wh...

Страница 48: ...stics Network Tests Ping Test Figure 3 6 Enter the IP address of this host in IP Address to ping Ping Interval is the number of seconds to wait between sending pings Number of times to attempt this co...

Страница 49: ...for failover above for details on enabling your primary broadband Internet connection for failover Figure 3 7 Next configure the failover connection as you would a normal Internet connection See the D...

Страница 50: ...e can be configured to automatically exchange routing information with other routers Note that this feature is intended for network administrators adept at configuring route management services Check...

Страница 51: ...appliance on the network DNS Proxy The CyberGuard SG appliance can also be configured to run as a Domain Name Server The CyberGuard SG appliance acts as a DNS Proxy and passes incoming DNS requests to...

Страница 52: ...is setup to masquerade Masquerading has the following advantages Added security because machines outside the local network only know the gateway address All machines on the local network can access t...

Страница 53: ...changes the CyberGuard SG appliance will alert the dynamic DNS service provider so the domain name records can be updated appropriately First create an account with the dynamic DNS service provider of...

Страница 54: ...nce to respond to multiple IP addresses on its LAN Internet and DMZ ports For Internet and DMZ aliased ports you must also setup appropriate Packet Filtering and or Port forwarding rules to allow traf...

Страница 55: ...ing provides a level of control over the relative performance of various types of IP traffic The traffic shaping feature of your CyberGuard SG appliance allows you to allocate High Medium or Low prior...

Страница 56: ...onnected to the CyberGuard SG appliance The CyberGuard SG appliance s dialin facility establishes a PPP connection to the remote user or site Dialin requests are authenticated by usernames and passwor...

Страница 57: ...able the CyberGuard SG appliance s COM port or internal modem for dialin Under Networking select Network Setup From the Connections menu locate the COM port or Modem on which you want to enable dialin...

Страница 58: ...database is used to verify the username and password received from the dialin client Local means the dialin user accounts created on the CyberGuard SG appliance You will need to created user accounts...

Страница 59: ...ew Account are shown in the following table Field Description Username Username for dialin authentication only The name is case sensitive e g Jimsmith is different to jimsmith Password Password for th...

Страница 60: ...he Account List and enter the new password in the New Password and Confirm fields Click Apply under the Delete or Change Password for the Selected Account heading or click Reset if you make a mistake...

Страница 61: ...riate item from the Network or System menus You can also apply packet filtering to the dialin service as detailed in the chapter entitled Firewall Warning If you have enabled a CyberGuard SG appliance...

Страница 62: ...ources as if they were a local user Windows 95 98 Me From the Dial Up Networking folder double click Make New Connection and enter the Connection Name for your new dialin connection Select the modem t...

Страница 63: ...Warning Do not select NetBEUI or IPX If an unsupported protocol is selected an error message is returned when attempting to connect Click TCP IP Settings and confirm that the Server Assigned IP Addre...

Страница 64: ...click Start Settings Network and Dial up Connections and select Make New Connection The network connection wizard will guide you through setting up a remote access connection Figure 4 5 Click Next to...

Страница 65: ...ure is useful when using remote access in another area code or overseas Click Next to continue Figure 4 8 Select the option Only for myself to make the connection only available for you This is a secu...

Страница 66: ...he desktop To launch the new connection double click on the new icon on the desktop and the remote access login screen will appear as in the next figure If you did not create a desktop icon click Star...

Страница 67: ...d netmask on the LAN or DMZ port see the chapter entitled Network Connections DHCP Server Configuration The DHCP server allows the automatic distribution of IP gateway DNS and WINS addresses to hosts...

Страница 68: ...d Maximum Lease Time in seconds The lease time is the time that a dynamically assigned IP address is valid Enter the IP address or range of IP addresses see the appendix entitled IP Address Ranges to...

Страница 69: ...sses to hand out if this value is 0 Enable Disable Each subnet can be enabled or disabled by clicking on the Enable or Disable button under the Enable Disable heading Edit The settings for each subnet...

Страница 70: ...addresses the added option to Unreserve the address Unreserving the address will allow it to be handed out to any host The Status field will have three possible states These include Reserved the addr...

Страница 71: ...ows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would To enable this feature specify the server which is to receive the forwarded requests in Relay Host...

Страница 72: ...l filters packets at the network layer determines whether the session packets are legitimate and evaluates the contents of packets at the application layer to provide maximum protection for your priva...

Страница 73: ...Console web administration pages Web Admin to machines on your local network Disallowing all services is not recommended as this will make future configuration changes impossible unless your CyberGuar...

Страница 74: ...tion to establish secure connections to the Web Management Console web administration pages from SSL enabled browsers Figure 6 2 Note Changing the web server port number is recommended if you are allo...

Страница 75: ...e the new port number in the URL to access the pages For example if you change the web administration to port number 88 the URL to access the web administration will be similar to http 192 168 0 1 88...

Страница 76: ...g Upload Alternately you can create self signed certificates internally on the CyberGuard SG appliance by following the link to the SSL Certificate page SSL Certificate Setup You can create self signe...

Страница 77: ...mmon way for internal masqueraded servers to offer services to the outside world Destination NAT rules are used for port forwarding Source NAT rules are useful for masquerading one or more IP addresse...

Страница 78: ...The CyberGuard SG appliance will perform a DNS lookup and fill in the IP Address field If the DNS hostname is invalid you may need to wait while the DNS lookup times out Warning The DNS lookup is onl...

Страница 79: ...vice group is shown in the following figure Figure 6 5 A service group can be used to group together similar services For example you can create a group of services that you wish to allow and then use...

Страница 80: ...Packet Filtering page to change the order The rules are evaluated top to bottom as displayed on the Packet Filtering page Adding or modifying a rule is shown in the following figure Figure 6 6 The Ac...

Страница 81: ...appliance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN See the Advanced section of the chapter entitled Network Connections for information on c...

Страница 82: ...is need not be the same as the Destination Service used to match the packet but often will be Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually create a m...

Страница 83: ...nternet To Source Service The service to replace Source Services this need not be the same as the Source Service used to match the packet but often will be 1 to 1 NAT This creates both a Source NAT an...

Страница 84: ...create filter rules through Rules Rules The Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules To access this page click Rules in the Fir...

Страница 85: ...talled before accessing the Internet ZoneAlarm To enable any of these access controls or content filtering select Access Control then under the Main tab check Enabled and click Apply User authenticati...

Страница 86: ...web proxy access will see a screen similar to the figure below when attempting to access external web content Figure 6 8 Note Each browser on the LAN will now have to be set up to use the CyberGuard...

Страница 87: ...d be similar refer to their user documentation for details on using a web proxy From the Internet Options menu select Tools From the LAN Settings tab select LAN Settings Figure 6 9 Check Use a proxy s...

Страница 88: ...locked or Allowed by the Source LAN IP address or address range the Destination Internet host s IP address or address range or the Destination Host s name See Appendix A for more information on IP add...

Страница 89: ...address URL that contains text entered in the Block List e g entering xxx will block any URL containing xxx including http xxx example com or www test com xxx index html The Allow List also enables ac...

Страница 90: ...eck Enable Content Filtering enter your activated License key then continue on to set reporting options and which categories to block Click Apply once these options have been set up to enable content...

Страница 91: ...tified either through User Accounts see User Authentication earlier in this chapter or the IP Address of their machine Click View Reports to connect to the central content filtering server You will be...

Страница 92: ...achines your LAN that are not running the ZoneAlarm Pro personal firewall software Running personal firewall software on each PC offers an extra layer of protection from application level operating sy...

Страница 93: ...e outside world which are monitored for connection attempts Clients attempting to connect to these dummy services can be blocked Advanced Intrusion Detection uses complex rulesets to detect known meth...

Страница 94: ...other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitored to identify suspect behaviour and help to deal with intruders...

Страница 95: ...ection attempts Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt and the access attempt is denied Because network scans often...

Страница 96: ...This option only takes effect when one of the previous blocking options is enabled The trigger count value should be between 0 and 2 o represents an immediate blocking of probing hosts Larger setting...

Страница 97: ...ng a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but another fails and so on Advanced Intrusion Detection can also detect mal...

Страница 98: ...ouped by type such as DDOS exploit backdoor NETBIOS etc Each type in turn has many subtypes depending on the exact attack signature For example selecting NETBIOS will enable matching subtype signature...

Страница 99: ...tem log Advanced System Log Advanced Intrusion Detection currently only supports MySQL as the Database Type Enter the name table name of the remote database in Database Name Enter the IP address of re...

Страница 100: ...ze and graph data stored in the MySQL database from the CyberGuard SG appliance running Advanced Instrusion Detection They should be installed in the following order MySQL database http www mysql com...

Страница 101: ...will be running as an IDS sensor on the CyberGuard SG appliance and logging to the MySQL database on the analysis server The following are detailed documents that aid in installing the above tools on...

Страница 102: ...d Internet objects over the available Internet connection when several users attempt to access the same web site simultaneously The objects will be available in the cache server memory or disk and qui...

Страница 103: ...The maximum amount of memory you can safely reserve will depend on what other services the CyberGuard SG appliance has running such as VPN or a DHCP server If you will be using a Network Share recomm...

Страница 104: ...ome basic instructions for creating a network share under Windows XP Create a new user account Note We recommend that you create a special user account to be used by the CyberGuard SG appliance for re...

Страница 105: ...hare the folder Right click on the folder and select Sharing and Security Select Share this folder and note the Share name you may change this to something easier to remember if you wish Finally to se...

Страница 106: ...ximum size for the cache in Cache size Warning Cache size should not be more than 90 of the space available to the network share e g if you shared a drive with 1 gigabyte of available storage specify...

Страница 107: ...en the caches placed at the Parent level are queried if the replies from sibling caches did not succeed Enter the host or IP address of an ICP capable web cache peer in Host then select its relationsh...

Страница 108: ...y telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can also be deployed as a low cost way of securely linking two or more networks such...

Страница 109: ...he purpose for the connection The remote PPTP server IP address to connect to A username and password to use when logging in to the remote VPN You may need to obtain this information from the system a...

Страница 110: ...raffic check the Make VPN the Default Route checkbox and click Apply This option is only available when the CyberGuard SG appliance is configured with a single VPN connection only After adding a new V...

Страница 111: ...up VPN user accounts on the CyberGuard SG appliance and enable the appropriate authentication security Configure the VPN clients at the remote sites The client does not require special software The C...

Страница 112: ...gure the PPTP VPN server The following figure shows the PPTP server setup Figure 9 3 To enable and configure your CyberGuard SG appliance s VPN server select PPTP VPN Server from the VPN menu on the W...

Страница 113: ...nting to establish a PPTP connection to the network The remote client must be set up to use the selected authentication scheme MSCHAPv2 is the most secure MSCHAPv2 plus data encryption is strongly rec...

Страница 114: ...emote users can establish VPN tunnels to the CyberGuard SG appliance PPTP server user accounts must be added Note PPTP Accounts are distinct from those added through Users in the System menu and those...

Страница 115: ...r the remote VPN user Confirm Re enter the password to confirm As new VPN user accounts are added they are displayed on the updated Account List To modify the password of an existing account Select th...

Страница 116: ...G appliance see Dynamic DNS in the Network Connections section Ensure the remote VPN client PC has Internet connectivity To create a VPN connection across the Internet you must set up two networking c...

Страница 117: ...e CyberGuard SG appliance VPN server in the VPN Server field This may change if your ISP uses dynamic IP assignment Click OK and then click Finish Figure 9 6 Right click the new icon and select Proper...

Страница 118: ...ression and Use Default Gateway on Remote Network are all selected and click OK Figure 9 7 Your VPN client is now set up and ready to connect Windows 2000 Log in as Administrator or with Administrator...

Страница 119: ...gure 9 9 Select Connect to a private network through the Internet and click Next This displays the Destination Address window Figure 9 10 Enter the CyberGuard SG PPTP server s IP address or fully qual...

Страница 120: ...Connection Name for the VPN connection such as your company name or simply Office Click Next If you have set up your computer to connect to your ISP using dial up select Automatically dial this initia...

Страница 121: ...your computer informed you that you are connected You can now check your e mail use the office printer access shared files and and computers on the network as if you were physically on the LAN Note De...

Страница 122: ...it become necessary to configure the tunnel with those settings For most applications to connect two offices together a network similar to the following will be used Figure 9 12 To combine the Headqu...

Страница 123: ...that resolves to the IP address on the Internet port then the DNS hostname address option should be selected In this example select dynamic IP address The Maximum Transmission Unit MTU of the IPSec i...

Страница 124: ...the IPSec link on the left side of the Web Management Console web administration pages and then click the Add New Tunnel tab at the top of the window A window similar to the following will be displaye...

Страница 125: ...es less messages in the exchange when compared to Main mode Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect or if the...

Страница 126: ...te party will have access to Masqueraded network is selected when all traffic behind the CyberGuard SG appliance is seen as originating from its Internet IP address by the remote party The remote part...

Страница 127: ...In this example select the be a route to the remote party option Click the Continue button to configure the Local Endpoint Settings Local endpoint settings Figure 9 15 Leave the Initiate the tunnel f...

Страница 128: ...om snapgear knowledgebase html to determine what form it must take In this example enter branch office Leave the Enable IP Payload Compression checkbox unchecked If compression is selected IPComp comp...

Страница 129: ...ng when using SHA1 excluding any underscore characters This field appears when Manual Keying has been selected Encryption Key field is the ESP Encryption Key It must be of the form 0xhex where hex is...

Страница 130: ...te party in The remote party s IP address field In this example enter 209 0 01 The Endpoint ID is used to authenticate the remote party to the CyberGuard SG appliance The remote party s ID is optional...

Страница 131: ...party This option will become available if the remote party has been configured to have a DNS hostname address Distinguished Name field is the list of attribute value pairs contained in the certifica...

Страница 132: ...sh and uniquely identify the tunnel It must be of the form 0xhex where hex is one or more hexadecimal digits and be in the range of 0x100 0xfff This field appears when Manual Keying has been selected...

Страница 133: ...this new key is negotiated before the current key expires can be set in the Rekeymargin field In this example leave the Rekeymargin as the default value of 10 minutes The Rekeyfuzz value refers to th...

Страница 134: ...depending on what has been configured previously Local Public Key field is the public part of the RSA key generated for RSA Digital Signatures authentication These fields are automatically populated...

Страница 135: ...SG appliance also supports extensions to the Diffie Hellman groups to include 2048 3072 and 4096 bit Oakley groups Perfect Forward Secrecy is enabled if a Diffie Hellman group or an extension is chose...

Страница 136: ...isplayed Figure 9 19 In the Subnet Settings section a local and remote network combination can be added one at a time by entering subnets into the Add Local Network and Add Remote Network fields and t...

Страница 137: ...s or start with a number In this example enter Branch_Office Leave checked the Enable this tunnel checkbox Select the Internet interface the IPSec tunnel is to go out on In this example select default...

Страница 138: ...end checkbox checked Click the Continue button to configure the Remote Endpoint Settings Remote endpoint settings page Enter the Required Endpoint ID of the remote party In this example enter the Loca...

Страница 139: ...Set the length of time before Phase 2 is renegotiated in the Key lifetime m field In this example leave the Key Lifetime as the default value of 60 minutes Select a Phase 2 Proposal In this example s...

Страница 140: ...he Connection field will be shown Note You may modify a tunnel s settings by clicking on its connection name Click Connection to sort the tunnel list alphabetically by connection name Remote party The...

Страница 141: ...e 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel Aggressive or Main mode packets depending on tunnel configuration are transmitted during this stage of the negotiation process N...

Страница 142: ...and AES Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations This will include MD5 and SHA1 otherwise known as SHA Phase 1 Ciphers Loaded...

Страница 143: ...ple the policy line has the PFS keyword If PFS is disabled then the keyword will not appear Whether IP Payload Compression is used In this example the policy line does not have the COMPRESS keyword si...

Страница 144: ...or Disable under the Tunnel List menu Delete One or more tunnel can be enabled or disabled by checking the checkbox to the right of the tunnel and clicking Delete under the Tunnel List menu NAT Traver...

Page 145: ...tool on the CyberGuard SG Installation CD to extract these certificates. Ensure the cygwin1.dll library is in the same directory as the openssl application. To extract the CA certificate, enter the foll...

Page 146: ...characters long, and this will be the same pass phrase entered when uploading the private key certificate into the CyberGuard SG appliance. The application will then prompt you to verify the pass phrase...

Page 147: ...e certificate request: openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req. Enter a PEM pass phrase; this is the same pass phrase required when you upload the key to the CyberGuard SG appli...

Page 148: ...ificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A...

Page 149: ...rtificate Type pull-down menu. Enter the Certificate Authority's Public Key certificate or CRL file in the Certificate File field. Click the Browse button to select the file from the host computer. CA Ce...

Page 150: ...et correctly on the CyberGuard SG appliance. Also ensure that the certificate is in PEM or DER format. Enter the Local Private Key certificate in the Private Key Certificate field. Click the Browse butto...

Page 151: ...though IPSec is running and the tunnel is enabled. Possible Cause: The tunnel is using Manual Keying and the encryption and/or authentication keys are incorrect. The tunnel is using Manual Keying and the...

Page 152: ...and have Internet IP addresses. Check that the CA has signed the certificates. Symptom: Tunnel is always Negotiating Phase 2. Possible Cause: The Phase 2 proposals set for the CyberGuard SG appliance and...

Page 153: ...for Manual Keying. Symptom: Dead Peer Detection does not seem to be working. Possible Cause: The tunnel has Dead Peer Detection disabled. The remote party does not support Dead Peer Detection according to...

Page 154: ...our computer does not have its default gateway set to the CyberGuard SG appliance. If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP addr...

Page 155: ...a GRE tunnel that runs over the Internet, it is possible for an attacker to put packets onto your network. If you want a tunneling mechanism to securely connect to networks, then you should use IPSec or...

Page 156: ...3.45.6, Local Internal Address 192.168.1.1. Click Add. Click Add/Remove under Remote Networks and enter Remote subnet/netmask 10.1.0.0/255.255.0.0. Click Add. The Brisbane end is now set up (Figure 9.26). On...

Page 157: ...d them through Add/Remove under Remote Networks. GRE over IPSec: In this example we will bridge the 10.11.0.0/255.255.0.0 network between the Brisbane and Slough endpoints described in the previous section...

Page 158: ...For a complete overview of all available options when setting up an IPSec tunnel, please refer to the IPSec section earlier in this chapter. Take note of the following important settings: Set the local...

Page 159: ...to_bris, Remote External Address 10.254.0.2, Local External Address 10.254.0.1, Local Internal Address: Place on Ethernet Bridge (checked). For the Brisbane end, enter the IP addresses below. Leave Local Inte...

Page 160: ...ace called greX created. greX is the same as the Interface Name specified in the table of current GRE tunnels. Also ensure that the required routes have been set up on the GRE interface. This might not o...

Page 161: ...to create tunnels across the Internet backbone. The CyberGuard SG L2TP implementation can only run L2TP over Ethernet, since it doesn't have an ATM adapter. L2TP packets are encapsulated in UDP packets...

Page 162: ...d and enabled on the CyberGuard SG appliance as well as the L2TP server before Windows clients can connect. The default way for the IPSec connection to be authenticated is to use X.509 RSA certificates...

Page 163: ...ppliance. NTP time server: The CyberGuard SG appliance can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the Cybe...

Page 164: ...ck will subsequently show local time. Without setting this, the system clock will show UTC. Setting a time zone is only relevant if you are synchronizing with an NTP server or your CyberGuard SG applianc...

Page 165: ...a capabilities beyond any other user. Note: The root user is the only user permitted to telnet to a CyberGuard SG appliance. Web administration access controls are grouped into four broad categories: Admi...

Page 166: ...n be allocated to a technician whom you want to be able to restore units to a known good configuration, but to whom you do not wish to grant full administration rights. User settings: A user with this ac...

Page 167: ...A potential security issue may be introduced by having a network-connected CyberGuard SG appliance accessible using the factory default password. To prevent this, the password for the CyberGuard SG app...

Page 168: ...System 164. Figure 10.3: Network tests. Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page...

Page 169: ...errors are red. The pull-down menu underneath the log output allows you to filter the log output to display based on output type. Refer to Appendix C for details on configuring and interpreting log out...

Page 170: ...with a flash upgrade. Note: Please read the appendix entitled Firmware Upgrade Practices and Precautions before attempting a firmware upgrade. There are two methods available for performing a flash upgr...

Page 171: ...ntil its flash is reprogrammed at the factory or a recovery boot is performed. User care is advised. Reboot: Clicking this link will cause the CyberGuard SG appliance to perform a soft reboot. It will usu...

Page 172: ...age is an invaluable resource for the CyberGuard SG technical support team to analyze problems with your CyberGuard SG appliance. The information on this page gives the support team important informati...

Page 173: ...ddresses. The third form allows the address range to span network and subnet boundaries. All addresses including and between the two specified IP addresses are included in the range. For example, 192.168...

Page 174: ...connect, or if the CyberGuard SG appliance or the remote party is behind a NAT device. Authentication: Authentication is the technique by which a process verifies that its communication partner is who it...

Page 175: ...operate with the CyberGuard SG appliance, it must conform to the draft draft-ietf-ipsec-dpd-00.txt. DHCP (Dynamic Host Configuration Protocol): A communications protocol that assigns IP addresses to comput...

Page 176: ...demonstrate that it has not been modified. If a message were to be modified, then its hash would have changed and would no longer match the original hash value. Hub: A network device that allows more than...

Page 177: ...ssphrase is a key that can be used to lock and unlock the information in the private key certificate. Local Public Key Certificate: The public part of the public/private key pair of the certificate resi...

Page 178: ...ely, having the long-term key does not allow him to infer those. Of course, it may allow him to conduct another attack, such as man-in-the-middle, which gives him some short-term keys, but he does not autom...

Page 179: ...ow to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. TCP/IP (Transmission Control Protocol/Internet Protocol): The basic protocol for Internet communicat...

Page 180: ...public key of the entity requesting the certificate, and the CA's signature. X.509 certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA certific...

Page 181: ...appliance creates entries in the syslog (/var/log/messages, or an external syslog server) of the following format: Date Time klogd: prefix IN=incoming interface OUT=outgoing interface MAC=dst/src MAC addresses...

Page 182: ...ions, however, is dropped. There are also some specific rules to detect various attacks (smurf, teardrop, etc.). When outbound traffic from LAN to WAN is blocked by custom rules configured in the GUI, the resul...

Page 183: ...te network to the public come in eth0 and out eth1, e.g. Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT...

Page 184: ...r example, site 192.0.1.2 attempted to access the CyberGuard SG appliance's PPTP port, the resultant log message would look something like this: 12 Jan 24 17:19:17 2000 klogd: Internet PPTP access IN=eth0...

Page 185: ...hat it was an inbound request, since eth0 is the LAN port and eth1 is usually the WAN port. An outbound request would have IN=eth0 and OUT=eth1. It is possible to use the -i and -o arguments to specify the...

Page 186: ...of service issues arising out of logging these access attempts. To achieve this, use the following option: --limit rate. rate is the maximum average matching rate, specified as a number with an optional seco...

Page 187: ...this case root, and the IP address from which the attempt was made. Telnet Command Line Interface login attempts appear as: Jan 30 03:18:37 2000 login: Authentication attempt failed for root from 10.0.0...

Page 188: ...umber is incremented is considered a major upgrade (e.g. 1.8.5 to 1.9.2, or 1.9.2 to 2.0.0), whereas a patch upgrade increments the patch revision number only (e.g. 1.9.0 to 1.9.1, or 1.9.0 to 1.9.2). Warning: If the flash...

Page 189: ...guide in this process, but do not restore it directly. If you are upgrading a device that you do not normally have physical access to (e.g. at a remote or client's site), we strongly recommend that, followi...
