CyberGuard SnapGear Скачать руководство пользователя страница 74 | Manualshive

Страница: 74 / 185

background image

Firewall

70

Packet Filtering

By default, your SnapGear appliance allows network traffic as shown in the following
table:

You can configure your SnapGear appliance with additional filter rules to allow or restrict
network traffic. These rules can match traffic based on the source and destination
address, the incoming and outgoing network port, and/or the services.

You can also configure your SnapGear appliance to perform

network address translation

(NAT). This may be in the form of source address NAT, destination address NAT, or 1-
to-1 NAT. Network address translation modifies the IP address and/or port of traffic
traversing the SnapGear appliance.

The most common use of this is for

port forwarding

(aka PAT/Port Address Translation)

from ports on the SnapGear WAN interface to ports on machines on the LAN side. This
is the most common way for internal, masqueraded servers to offer services to the
outside world. Destination NAT rules are used for port forwarding.

Source NAT rules are useful for

masquerading

one or more IP addresses behind a single

other IP address. This is the type of NAT used by the SnapGear appliance to
masquerade your private network behind its public IP address.

1-to-1 NAT creates both Destination NAT and Source NAT rules for full IP address
translation in both directions. This can be useful if you have a range of IP addresses that
have been added as interface aliases on the SnapGear appliance’s WAN interface, and
want to associate one of these external alias IP addresses with a single internal,
masqueraded computer. This effectively allocates the internal computer its own real
world IP address, also known as a

virtual DMZ

.

Function

NAT Method

Port forwarding (PAT)

Destination NAT

Masquerading

Source NAT

Virtual DMZ

1-to-1 NAT

Incoming Interface

Outgoing Interface

Action

LAN/VPN/Dial-In

Any

Accept

DMZ

WAN

Accept

DMZ

Any except WAN

Drop

WAN

Any

Drop

«
...
72
73
74
75
76
...
»

Содержание SnapGear

Страница 1: ...Gear Firewall VPN Appliance User Manual Revision 1 9 1 March 12 2004 SnapGear A CyberGuard Company 7984 South Welby Park Drive 101 Salt Lake City Utah 84084 Email support snapgear com Web www snapgear...

Страница 2: ...Appliance s Internet Connection Settings 17 Set up the PCs on your LAN to Access the Internet 18 SnapGear PCI Appliances 22 Install your SnapGear Appliance in a Spare PCI Slot 22 Install the Network...

Страница 3: ...Basic Intrusion Detection and Blocking 88 Advanced Intrusion Detection 90 8 Web Cache 95 Web Cache Setup 96 Network Shares 97 Peers 100 Set up LAN PCs to Use the Web Cache 100 9 Virtual Private Networ...

Страница 4: ...cs 161 Advanced 163 Technical Support 166 Appendix A IP Address Ranges 167 Appendix B Terminology 168 Appendix C System Log 175 Access Logging 175 Creating Custom Log Rules 177 Rate Limiting 180 Admin...

Страница 5: ...elds your computers from outside threats The SnapGear appliance checks and filters data packets to prevent unauthorized intruders gaining access The SnapGear appliance s NAT masquerading firewall mean...

Страница 6: ...ppliance is recommended for Security conscious businesses that wish to separate firewall and VPN issues from server desktop operating systems Businesses that wish to eliminate the soft center For envi...

Страница 7: ...h in the same range as the LAN as no NAT masquerading is being performed see the chapter entitled Firewall for more information One IP address is used to manage the SnapGear appliance via the SnapGear...

Страница 8: ...This document uses different fonts and typefaces to show specific actions Warning Note Text like this highlights important issues Bold text in procedures indicates text that you type or the name of a...

Страница 9: ...iance Power adaptor Installation CD Printed Quick Install guide Cabling including o 1 normal straight through UTP cable blue color o 1 crossover UTP cable either gray or red color Front panel LEDs The...

Страница 10: ...this LED is on and not flashing an operating error has occurred LAN Activity Flashing Network traffic on the LAN network interface WAN Activity Flashing Network traffic on the Internet network interfa...

Страница 11: ...t modem COM1 and possibly DMZ SME570 SME575 only as well as LAN status LEDs Internet status LEDs the reset button and power inlet The lower LAN Internet status LED indicates the link condition where a...

Страница 12: ...eT LAN port to connect to the local Ethernet network Rear panel Ethernet link and activity status LEDs DMZ link features SME570 SME575 only 10 100BaseT DMZ port Real panel Ethernet link and activity s...

Страница 13: ...g status The two LEDs closest to the network port are network activity upper and network link lower The two other LEDs are power upper and heart beat lower Figure 1 3 Label Activity Description Power...

Страница 14: ...thernet port that connects to the LAN or Internet using a cable or ADSL modem Ethernet LEDs link activity Environmental features Status LEDs Power Heart Beat Operating temperature between 0 C and 40 C...

Страница 15: ...how to configure your PCs network settings using the examples given for Windows PCs as a guide Installing your SnapGear appliance into a well planned network is easy However network planning is outsid...

Страница 16: ...efore it is connected You may choose to use the SnapGear appliance s initial network settings as a basis for your LAN settings Connect the supplied power adapter to the SnapGear appliance Connect the...

Страница 17: ...Internet Protocol TCP IP and click Properties or in 95 98 Me TCP IP your network card name if there are multiple entries and click Properties Figure 2 1 Select Use the following IP address and enter t...

Страница 18: ...nce User name root Password default Note If you are unable to connect to the Management Console at 192 168 0 1 or the initial username and password are not accepted press the black Reset Erase button...

Страница 19: ...LAN already configured Select this if you wish to use the SnapGear appliance s initial network settings IP address 192 168 0 1 and subnet mask 255 255 255 0 as a basis for your LAN settings You may sk...

Страница 20: ...s the address of 192 168 0 1 The IP address will later be used as the gateway address for the PCs on your LAN To gain access through this gateway the PCs on your LAN must have an IP address within the...

Страница 21: ...r if unsure Analog modem If connecting using a regular analog modem enter the details provided by your ISP DSL modem If connecting using an ADSL modem select Auto detect ADSL connection type and enter...

Страница 22: ...y to your LAN hub using the straight through Ethernet cable blue To access the Internet the PCs on your network must all be set up to use the SnapGear appliance as their default gateway This can be do...

Страница 23: ...settings when they start up If your network does not have a DHCP server you may either manually set up each PC on your network or set up the SnapGear appliance s DHCP server Note If you only have seve...

Страница 24: ...e s DHCP server Launch Internet Explorer or your preferred web browser and navigate to the IP address of the SnapGear appliance s LAN connection The SnapGear Management Console will display Select DHC...

Страница 25: ...nted with multiple connections right click on Local Area Connection or appropriate network connection and select Properties Select Internet Protocol TCP IP and click Properties or in 95 98 Me TCP IP y...

Страница 26: ...Network and Dialup Connections Local Area Connection possibly followed by a number Properties and ensure the adapter is listed in the Connect using field Set up your PC to Connect to the SnapGear Mana...

Страница 27: ...al Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figure 2 7 Select Use the followin...

Страница 28: ...epted press the Reset button on the SnapGear appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twice within two seconds returns the SnapGear appliance to its factory d...

Страница 29: ...o free IP addresses that are part of the subnet range of your LAN as well as your LAN s subnet mask and DNS server address and gateway address used by PCs on your LAN Note Please contact your network...

Страница 30: ...onnections Right click on Local Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figur...

Страница 31: ...other for your PC Note It is highly recommended that you reserve the IP address to be used by the SnapGear Management Console using the SnapGear appliance s MAC address In bridged mode this will be th...

Страница 32: ...or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties and click Properties Figure 2 12 Check Obtain an IP a...

Страница 33: ...h the rear panel Reset button enabled This allows the SnapGear appliance s configuration to be reset to factory defaults From a network security standpoint it may be desirable to disable the Reset swi...

Страница 34: ...e the connection once your Internet connection has been established Connections Under the Connections tab each of the network ports of your SnapGear appliance is displayed alongside its Device Name an...

Страница 35: ...ion mode see Network address translation in the Advanced section of this chapter this will typically be part of a private IP range such as 192 168 0 1 255 255 255 0 Ensure DHCP assigned is unchecked I...

Страница 36: ...thernet ports or bridging between PPPoE ports The first step is setting up a host to host IPSec VPN connection Information regarding setting up a host to host VPN connection can be found in the IPSec...

Страница 37: ...ive it some time to power up If fitted ensure the Ethernet link LEDs are illuminated on both the SnapGear appliance and modem device Internet Connection Methods Select your Internet connection type fr...

Страница 38: ...ction is idle DHCP connections may require a hostname to be specified but otherwise all settings are assigned automatically by your ISP For Manually Assign Settings connections enter the IP Address Ne...

Страница 39: ...bridge between ports you will have to select either Bridged LAN or Bridged DMZ as is appropriate When bridging has been enabled a Bridge br0 port will appear in the Connections menu You may configure...

Страница 40: ...or the telecommunications network may temporarily fail Physically connect modem device Attach the modem serial cable to the SnapGear appliance s serial port COM1 Note To connect to an ISDN line the Sn...

Страница 41: ...llowing options Field Description Idle timeout By default the SnapGear appliance dials on demand i e when there is traffic trying to reach the Internet and disconnects if the connection is inactive i...

Страница 42: ...used to provide better security for your LAN If you place a publicly accessible server on your LAN and an attacker compromises the server then the attacker will immediately have direct access to your...

Страница 43: ...eactivated Set up the connection in the same manner to your primary LAN connection as detailed in the LAN section of this chapter Bridged LAN See the Bridged Internet section earlier in this chapter D...

Страница 44: ...Internet connection for failover Set up a secondary backup Internet connection SnapGear appliance models with a DMZ port SME570 SME575 can use broadband cable DSL direct connection as both their prima...

Страница 45: ...ch to a dialout Internet connection when you primary broadband Internet connection is unavailable from the Connections menu select the appropriate Failover Internet configuration for the COM Modem por...

Страница 46: ...gure a broadband Internet connection Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the SnapGear appliance These routes are additional t...

Страница 47: ...t refer to http www zebra org Advanced The following figure shows the advanced IP configuration Figure 3 8 Hostname The Hostname is a descriptive name for the SnapGear appliance on the network DNS Pro...

Страница 48: ...querading allows insiders to get out without allowing outsiders in By default the Internet port is setup to masquerade Masquerading has the following advantages Added security because machines outside...

Страница 49: ...ll point to your Internet IP address no matter how often it changes Whenever its Internet IP address changes the SnapGear appliance will alert the dynamic DNS service provider so the domain name recor...

Страница 50: ...e to respond to multiple IP addresses on its LAN Internet and DMZ ports For Internet and DMZ aliased ports you must also setup appropriate Packet Filtering and or Port forwarding rules to allow traffi...

Страница 51: ...ng provides a level of control over the relative performance of various types of IP traffic The traffic shaping feature of your SnapGear appliance allows you to allocate High Medium or Low priority to...

Страница 52: ...modem connected to the SnapGear appliance The SnapGear appliance s dialin facility establishes a PPP connection to the remote user or site Dialin requests are authenticated by usernames and passwords...

Страница 53: ...enable the SnapGear appliance s COM port or internal modem for dialin Under Networking select Network Setup From the Connections menu locate the COM port or Modem on which you want to enable dialin an...

Страница 54: ...database is used to verify the username and password received from the dialin client Local means the dialin user accounts created on the SnapGear appliance You will need to created user accounts as de...

Страница 55: ...Account are shown in the following table Field Description Username Username for dialin authentication only The name is case sensitive e g Jimsmith is different to jimsmith Password Password for the...

Страница 56: ...Dialin Setup 52 The following figure shows the user maintenance screen Figure 4 3...

Страница 57: ...count select the account in the Account List and check Delete under the Delete or Change Password for the Selected Account heading If changes to the user account are successful the change is shown on...

Страница 58: ...ce using the standard Windows Dial Up Networking software Set up a new dial out connection on the remote PC to dial the phone number of the modem connected to the SnapGear appliance COM port After the...

Страница 59: ...MSCHAP 2 authentication you also need to check the Require encrypted password checkbox Leave all other Advanced Options unchecked Select the TCP IP network protocols from the Allowed network protocol...

Страница 60: ...the Password that was set up for the SnapGear appliance dial in account Windows 2000 XP To configure a remote access connection on a PC running Windows 2000 XP click Start Settings Network and Dial up...

Страница 61: ...elect Dial up to private network as the connection type and click Next to continue Figure 4 8 Tick Use dialing rules to enable you to select a country code and area code This feature is useful when us...

Страница 62: ...r you This is a security feature that will not allow any other users who log onto your machine to use this remote access connection Figure 4 10 Enter a name for the connection and click Finish to comp...

Страница 63: ...emote access login screen will appear as in the next figure If you did not create a desktop icon click Start Settings Network and Dial up Connections and select the appropriate connection and enter th...

Страница 64: ...mask on the LAN or DMZ port see the chapter entitled Network Connections DHCP Server Configuration The DHCP server allows the automatic distribution of IP gateway DNS and WINS addresses to hosts runni...

Страница 65: ...Time in seconds The lease time is the time that a dynamically assigned IP address is valid Enter the IP address or range of IP addresses see the appendix entitled IP Address Ranges to be issued to DH...

Страница 66: ...sses to hand out if this value is 0 Enable Disable Each subnet can be enabled or disabled by clicking on the Enable or Disable button under the Enable Disable heading Edit The settings for each subnet...

Страница 67: ...addresses the added option to Unreserve the address Unreserving the address will allow it to be handed out to any host The Status field will have three possible states These include Reserved the addr...

Страница 68: ...s both static and dynamic addresses to be given out on the LAN just as running a DHCP server would To enable this feature specify the server which is to receive the forwarded requests in Relay Host Th...

Страница 69: ...l filters packets at the network layer determines whether the session packets are legitimate and evaluates the contents of packets at the application layer to provide maximum protection for your priva...

Страница 70: ...ment Console web administration pages Web Admin to machines on your local network Disallowing all services is not recommended as this will make future configuration changes impossible unless your Snap...

Страница 71: ...establish secure connections to the SnapGear Management Console web administration pages from SSL enabled browsers Figure 6 2 Note Changing the web server port number is recommended if you are allowin...

Страница 72: ...nclude the new port number in the URL to access the pages For example if you change the web administration to port number 88 the URL to access the web administration will be similar to http 192 168 0...

Страница 73: ...y clicking Upload Alternately you can create self signed certificates internally on the SnapGear unit by following the link to the SSL Certificate page SSL Certificate Setup You can create self signed...

Страница 74: ...r internal masqueraded servers to offer services to the outside world Destination NAT rules are used for port forwarding Source NAT rules are useful for masquerading one or more IP addresses behind a...

Страница 75: ...ty The SnapGear appliance will perform a DNS lookup and fill in the IP Address field If the DNS hostname is invalid you may need to wait while the DNS lookup times out Warning The DNS lookup is only p...

Страница 76: ...vice group is shown in the following figure Figure 6 5 A service group can be used to group together similar services For example you can create a group of services that you wish to allow and then use...

Страница 77: ...Packet Filtering page to change the order The rules are evaluated top to bottom as displayed on the Packet Filtering page Adding or modifying a rule is shown in the following figure Figure 6 6 The Ac...

Страница 78: ...ance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN See the Advanced section of the chapter entitled Network Connections for information on config...

Страница 79: ...ices this need not be the same as the Destination Service used to match the packet but often will be Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually cre...

Страница 80: ...rnet To Source Service The service to replace Source Services this need not be the same as the Source Service used to match the packet but often will be 1 to 1 NAT This creates both a Source NAT and D...

Страница 81: ...ually create filter rules through Rules Rules The Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules To access this page click Rules in t...

Страница 82: ...lled before accessing the Internet ZoneAlarm To enable any of these access controls or content filtering select Access Control then under the Main tab check Enabled and click Apply User authentication...

Страница 83: ...out web proxy access will see a screen similar to the figure below when attempting to access external web content Figure 6 8 Note Each browser on the LAN will now have to be set up to use the SnapGear...

Страница 84: ...d be similar refer to their user documentation for details on using a web proxy From the Internet Options menu select Tools From the LAN Settings tab select LAN Settings Figure 6 9 Check Use a proxy s...

Страница 85: ...d or Allowed by the Source LAN IP address or address range the Destination Internet host s IP address or address range or the Destination Host s name See Appendix A for more information on IP address...

Страница 86: ...address URL that contains text entered in the Block List e g entering xxx will block any URL containing xxx including http xxx example com or www test com xxx index html The Allow List also enables ac...

Страница 87: ...Content Filtering enter your activated License key then continue on to set reporting options and which categories to block Click Apply once these options have been set up to enable content filtering...

Страница 88: ...tified either through User Accounts see User Authentication earlier in this chapter or the IP Address of their machine Click View Reports to connect to the central content filtering server You will be...

Страница 89: ...achines your LAN that are not running the ZoneAlarm Pro personal firewall software Running personal firewall software on each PC offers an extra layer of protection from application level operating sy...

Страница 90: ...outside world which are monitored for connection attempts Clients attempting to connect to these dummy services can be blocked Advanced Intrusion Detection uses complex rulesets to detect known method...

Страница 91: ...other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitored to identify suspect behaviour and help to deal with intruders...

Страница 92: ...ection attempts Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt and the access attempt is denied Because network scans often...

Страница 93: ...e between 0 and 2 o represents an immediate blocking of probing hosts Larger settings mean more attempts are permitted before blocking and although allowing the attacker more latitude these settings w...

Страница 94: ...ng a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but another fails and so on Advanced Intrusion Detection can also detect mal...

Страница 95: ...by type such as DDOS exploit backdoor NETBIOS etc Each type in turn has many subtypes depending on the exact attack signature For example selecting NETBIOS will enable matching subtype signatures for...

Страница 96: ...unchecked results will be output to the SnapGear appliance system log Advanced System Log Advanced Intrusion Detection currently only supports MySQL as the Database Type Enter the name table name of...

Страница 97: ...With these tools installed web pages can be created that display analyze and graph data stored in the MySQL database from the SnapGear appliance running Advanced Instrusion Detection They should be in...

Страница 98: ...t will be running as an IDS sensor on the SnapGear appliance and logging to the MySQL database on the analysis server The following are detailed documents that aid in installing the above tools on the...

Страница 99: ...ad Internet objects over the available Internet connection when several users attempt to access the same web site simultaneously The objects will be available in the cache server memory or disk and qu...

Страница 100: ...ts The maximum amount of memory you can safely reserve will depend on what other services the SnapGear appliance has running such as VPN or a DHCP server If you will be using a Network Share recommend...

Страница 101: ...basic instructions for creating a network share under Windows XP Create a new user account Note We recommend that you create a special user account to be used by the SnapGear appliance for reading and...

Страница 102: ...his folder and note the Share name you may change this to something easier to remember if you wish Select Permissions If you wish to secure the network share click Add and type the user name the accou...

Страница 103: ...um size for the cache in Cache size Warning Cache size should not be more than 90 of the space available to the network share e g if you shared a drive with 1 gigabyte of available storage specify a C...

Страница 104: ...hy Then the caches placed at the Parent level are queried if the replies from sibling caches did not succeed Enter the host or IP address of an ICP capable web cache peer in Host then select its relat...

Страница 105: ...imilarly telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can also be deployed as a low cost way of securely linking two or more network...

Страница 106: ...This may describe the purpose for the connection The remote PPTP server IP address to connect to A username and password to use when logging in to the remote VPN You may need to obtain this informati...

Страница 107: ...raffic check the Make VPN the Default Route checkbox and click Apply This option is only available when the SnapGear appliance is configured with a single VPN connection only After adding a new VPN tw...

Страница 108: ...up VPN user accounts on the SnapGear appliance and enable the appropriate authentication security Configure the VPN clients at the remote sites The client does not require special software The SnapGe...

Страница 109: ...gure the PPTP VPN server The following figure shows the PPTP server setup Figure 9 3 To enable and configure your SnapGear appliance s VPN server select PPTP VPN Server from the VPN menu on the SnapGe...

Страница 110: ...stablish a PPTP connection to the network The remote client must be set up to use the selected authentication scheme MSCHAPv2 is the most secure SnapGear recommends the use of MSCHAPv2 plus data encry...

Страница 111: ...e remote users can establish VPN tunnels to the SnapGear appliance PPTP server user accounts must be added Note PPTP Accounts are distinct from those added through Users in the System menu and those a...

Страница 112: ...r the remote VPN user Confirm Re enter the password to confirm As new VPN user accounts are added they are displayed on the updated Account List To modify the password of an existing account Select th...

Страница 113: ...liance see Dynamic DNS in the Network Connections section Ensure the remote VPN client PC has Internet connectivity To create a VPN connection across the Internet you must set up two networking connec...

Страница 114: ...e SnapGear appliance VPN server in the VPN Server field This may change if your ISP uses dynamic IP assignment Click OK and then click Finish Figure 9 6 Right click the new icon and select Properties...

Страница 115: ...ression and Use Default Gateway on Remote Network are all selected and click OK Figure 9 7 Your VPN client is now set up and ready to connect Windows 2000 Log in as Administrator or with Administrator...

Страница 116: ...Figure 9 9 Select Connect to a private network through the Internet and click Next This displays the Destination Address window Figure 9 10 Enter the SnapGear PPTP server s IP address or fully qualif...

Страница 117: ...a Connection Name for the VPN connection such as your company name or simply Office Click Next If you have set up your computer to connect to your ISP using dial up select Automatically dial this ini...

Страница 118: ...of your computer informed you that you are connected You can now check your e mail use the office printer access shared files and and computers on the network as if you were physically on the LAN Note...

Страница 119: ...figure the tunnel with those settings For most applications to connect two offices together a network similar to the following will be used Figure 9 12 To combine the Headquarters and Branch Office ne...

Страница 120: ...lves to the IP address on the Internet port then the DNS hostname address option should be selected In this example select dynamic IP address The Maximum Transmission Unit MTU of the IPSec interface c...

Страница 121: ...not being transmitted Configure a tunnel to connect to the headquarters office To create an IPSec tunnel click the IPSec link on the left side of the SnapGear Management Console web administration pag...

Страница 122: ...llowing types of keying Main mode with Automatic Keying IKE automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel Agg...

Страница 123: ...select the Preshared Secret option Select the type of private network that is behind the SnapGear appliance The following types of networks are supported Single network is selected when a single subne...

Страница 124: ...default gateway for all traffic to the remote party Be the remote party s default gateway for all traffic is selected when the tunnel will be the default gateway for all traffic from the remote party...

Страница 125: ...ml to determine what form it must take In this example enter branch office Leave the Enable IP Payload Compression checkbox unchecked If compression is selected IPComp compression is applied before en...

Страница 126: ...ng when using SHA1 excluding any underscore characters This field appears when Manual Keying has been selected Encryption Key field is the ESP Encryption Key It must be of the form 0xhex where hex is...

Страница 127: ...s of the remote party in The remote party s IP address field In this example enter 209 0 01 The Endpoint ID is used to authenticate the remote party to the SnapGear appliance The remote party s ID is...

Страница 128: ...party This option will become available if the remote party has been configured to have a DNS hostname address Distinguished Name field is the list of attribute value pairs contained in the certifica...

Страница 129: ...lish and uniquely identify the tunnel It must be of the form 0xhex where hex is one or more hexadecimal digits and be in the range of 0x100 0xfff This field appears when Manual Keying has been selecte...

Страница 130: ...this new key is negotiated before the current key expires can be set in the Rekeymargin field In this example leave the Rekeymargin as the default value of 10 minutes The Rekeyfuzz value refers to th...

Страница 131: ...nding on what has been configured previously Local Public Key field is the public part of the RSA key generated for RSA Digital Signatures authentication These fields are automatically populated and d...

Страница 132: ...also supports extensions to the Diffie Hellman groups to include 2048 3072 and 4096 bit Oakley groups Perfect Forward Secrecy is enabled if a Diffie Hellman group or an extension is chosen Phase 2 ca...

Страница 133: ...ure 9 19 In the Subnet Settings section a local and remote network combination can be added one at a time by entering subnets into the Add Local Network and Add Remote Network fields and then clicking...

Страница 134: ...or start with a number In this example enter Branch_Office Leave checked the Enable this tunnel checkbox Select the Internet interface the IPSec tunnel is to go out on In this example select default g...

Страница 135: ...ecked Click the Continue button to configure the Remote Endpoint Settings Remote endpoint settings page Enter the Required Endpoint ID of the remote party In this example enter the Local Endpoint ID a...

Страница 136: ...page Set the length of time before Phase 2 is renegotiated in the Key lifetime m field In this example leave the Key Lifetime as the default value of 60 minutes Select a Phase 2 Proposal In this exam...

Страница 137: ...he Connection field will be shown Note You may modify a tunnel s settings by clicking on its connection name Click Connection to sort the tunnel list alphabetically by connection name Remote party The...

Страница 138: ...e 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel Aggressive or Main mode packets depending on tunnel configuration are transmitted during this stage of the negotiation process N...

Страница 139: ...AES Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations This will include MD5 and SHA1 otherwise known as SHA Phase 1 Ciphers Loaded lis...

Страница 140: ...ple the policy line has the PFS keyword If PFS is disabled then the keyword will not appear Whether IP Payload Compression is used In this example the policy line does not have the COMPRESS keyword si...

Страница 141: ...cking Enable or Disable under the Tunnel List menu Delete One or more tunnel can be enabled or disabled by checking the checkbox to the right of the tunnel and clicking Delete under the Tunnel List me...

Страница 142: ...tion tool on the SnapGear CD to extract these certificates ensure the cygwin1 dll library is in the same directory as the openssl application To extract the CA certificate enter the following at the W...

Страница 143: ...an 4 characters long and this will be the same pass phrase entered when uploading the private key certificate into the SnapGear appliance The application will then prompt you to verify the pass phrase...

Страница 144: ...te the certificate request openssl req config openssl cnf new keyout cert1 key out cert1 req Enter a PEM pass phrase this is the same pass phrase required when you upload the key to the SnapGear appli...

Страница 145: ...ificates to the SnapGear appliance click the IPSec link on the left side of the SnapGear Management Console web administration pages and then click the Certificate Lists tab at the top of the window A...

Страница 146: ...Certificate Type pull down menu Enter the Certificate Authority s Public Key certificate or CRL file in the Certificate File field Click the Browse button to select the file from the host computer CA...

Страница 147: ...n set correctly on the SnapGear appliance Also ensure that the certificate is in PEM or DER format Enter the Local Private Key certificate in the Private Key Certificate field Click the Browse button...

Страница 148: ...s enabled Possible Cause The tunnel is using Manual Keying and the encryption and or authentication keys are incorrect The tunnel is using Manual Keying and the SnapGear appliance s and or remote part...

Страница 149: ...addresses Check that the CA has signed the certificates Symptom Tunnel is always Negotiating Phase 2 Possible Cause The Phase 2 proposals set for the SnapGear appliance and the remote party do not mat...

Страница 150: ...cur for Manual Keying Symptom Dead Peer Detection does not seem to be working Possible Cause The tunnel has Dead Peer Detection disabled The remote party does not support Dead Peer Detection according...

Страница 151: ...or your computer does not have its default gateway as the SnapGear appliance If you can ping the Internet IP address of the remote party but not the LAN IP address then the remote party s LAN IP addr...

Страница 152: ...g a GRE tunnel that runs over the Internet it is possible for an attacker to put packets onto your network If you want a tunneling mechanism to securely connect to networks then you should use IPSec o...

Страница 153: ...3 45 6 Local Internal Address 192 168 1 1 Click Add Click Add Remove under Remote Networks and enter Remote subnet netmask 10 1 0 0 255 255 0 0 Click Add The Brisbane end is now set up Figure 9 26 On...

Страница 154: ...Add them through Add Remove under Remote Networks GRE over IPSec In this example we will bridge the 10 11 0 0 255 255 0 0 network between Brisbane and Slough endpoints described in the previous sectio...

Страница 155: ...For a complete overview of all available options when setting up an IPSec tunnel please refer to the IPSec section earlier in this chapter Take note of the following important settings Set the local...

Страница 156: ...to_bris Remote External Address 10 254 0 2 Local External Address 10 254 0 1 Local Internal Address Place on Ethernet Bridge Checked For the Brisbane end enter the IP addresses below Leave Local Inte...

Страница 157: ...ace called greX created greX is the same as the Interface Name specified in the table of current GRE tunnels Also ensure that the required routes have been set up on the GRE interface This might not o...

Страница 158: ...r ATM to create tunnels across the Internet backbone The SnapGear L2TP implementation can only run L2TP over Ethernet since it doesn t have an ATM adapter L2TP packets are encapsulated in UDP packets...

Страница 159: ...configured and enabled on the SnapGear appliance as well as the L2TP server before Windows clients can connect The default way for the IPSec connection to be authenticated is to use x 509 RSA certifi...

Страница 160: ...eb browser you will be able to click the top Set Date and Time button to synchronize the time on the SnapGear appliance with that of your PC Alternately you can manually set the Year Month Date Hour a...

Страница 161: ...ensures that the SnapGear appliance s clock in UTC will be accurate soon after the Internet connection is established If NTP is not used the system clock will be set randomly when the SnapGear applia...

Страница 162: ...ia the web interface and whether they can access the Internet via the SnapGear appliance s web proxy There is one special user root who has the role of the final administrative user This user has extr...

Страница 163: ...ny of the configuration on the SnapGear appliance This access control can be granted to technical support users so they can attempt to diagnose but not fix any problems which occur Encrypted save rest...

Страница 164: ...cess controls A user with this access control is permitted controlled access to the web through the SnapGear appliance s web proxy See the Access control and content filtering section in the chapter e...

Страница 165: ...ics Diagnostic information and tests are provided through the SnapGear Management Console web administration pages Diagnostics To access this information click Diagnostics under System This page displ...

Страница 166: ...System 162 Figure 10 3 Network tests Basic network diagnostic tests ping traceroute can be accessed by clicking the Network Tests tab at the top of the Diagnostics page...

Страница 167: ...errors are red The pull down menu underneath the log output allows you to filter the log output to display based on output type Refer to Appendix C for details on configuring and interpreting log out...

Страница 168: ...ogram that automates the upgrade procedure Be sure to read the release notes before attempting the upgrade The second is to download the binary image file bin This can then be transferred from a PC on...

Страница 169: ...boot It will usually take around 10 seconds before it is up and running again Note that if you have enabled bridging the SnapGear appliance may take up to 30 seconds to reboot Reset button The simples...

Страница 170: ...Technical Support Report page is an invaluable resource for the SnapGear technical support team to analyze problems with your SnapGear appliance The information on this page gives the support team imp...

Страница 171: ...ddresses The third form allows the address range to span network and subnet boundaries All addresses including and between the two specified IP addresses are included in the range For example 192 168...

Страница 172: ...to connect or if the SnapGear appliance or the remote party is behind a NAT device Authentication Authentication is the technique by which a process verifies that its communication partner is who it i...

Страница 173: ...operate with the SnapGear appliance it must conform to the draft draft ietf ipsec dpd 00 txt DHCP Dynamic Host Configuration Protocol A communications protocol that assigns IP addresses to computers w...

Страница 174: ...e to be modified then its hash would have changed and would no longer match the original hash value Hub A network device that allows more than one computer to be connected as a LAN usually using UTP c...

Страница 175: ...public part of the public private key pair of the certificate resides on the SnapGear appliance and is used to authenticate against the CA certificate MAC address The hardware address of an Ethernet...

Страница 176: ...ort term keys but he does not automatically get them just by acquiring the long term key Phase 1 Sets up a secure communications channel to establish the encrypted tunnel in IPSec Phase 2 Sets up the...

Страница 177: ...ity than is available from a single DES pass UTC Coordinated Universal Time UTP Unshielded Twisted Pair cabling A type of Ethernet cable that can operate up to 100Mb s Also known as Category 5 or CAT...

Страница 178: ...174...

Страница 179: ...ance creates entries in the syslog var log messages or external syslog server of the following format Date Time klogd prefix IN incoming interface OUT outgoing interface MAC dst src MAC addresses SRC...

Страница 180: ...re also some specific rules to detect various attacks smurf teardrop etc When outbound traffic from LAN to WAN is blocked by custom rules configured in the GUI the resultant dropped packets are also l...

Страница 181: ...RC 10 0 0 2 DST 140 103 74 181 LEN 60 TOS 0x00 PREC 0x00 TTL 63 ID 62830 DF PROTO TCP SPT 46486 DPT 22 WINDOW 5840 RES 0x00 SYN URGP 0 Creating Custom Log Rules Additional log rules can be configured...

Страница 182: ...s 12 Jan 24 17 19 17 2000 klogd Internet PPTP access IN eth0 OUT MAC 00 d0 cf 00 07 03 00 50 bf 20 66 4d 08 00 SRC DST 1 2 3 4 LEN 48 TOS 0x00 PREC 0x00 TTL 127 ID 43470 DF PROTO TCP SPT 4508 DPT 1723...

Страница 183: ...T eth1 It is possible to use the i and o arguments to specify the interface that are to be considered for IN and OUT respectively When the argument is used before the interface name the sense is inver...

Страница 184: ...or day suffix The default is 3 hour limit burst number number is the maximum initial number of packets to match This number gets recharged by one every time the limit specified above is not reached u...

Страница 185: ...thentication attempt failed for root from 10 0 0 2 Jan 30 03 18 40 2000 login Authentication successful for root from 10 0 0 2 Once again showing the same information as a web login attempt Boot Log M...

Отзывы:

Нет отзывов

Похожие инструкции для SnapGear

Бренд: Infoblox Страницы: 16

Personal aXsGUARD

Бренд: Vasco Страницы: 49

Spam Firewall Outbound

Бренд: Barracuda Networks Страницы: 2

Бренд: BESTEK Страницы: 41

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды