Sidewinder G2 6.1.1 Administration Guide - Glossary of Technical ...
ADMINISTRATION GUIDE
Copyright
© 2005 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.

Trademarks
Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people, applications and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Software License Agreement
The following is a copy of the Software License Agreement as shown in the software:

CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING "I ACCEPT" BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS. IF YOU DO NOT AGREE WITH THIS AGREEMENT, THEN CLICK "I DO NOT ACCEPT" BELOW AND RETURN ALL COPIES OF THE SOFTWARE AND DOCUMENTATION TO SECURE COMPUTING CORPORATION ("SECURE COMPUTING") OR THE RESELLER FROM WHOM YOU OBTAINED THE SOFTWARE.

If this Software is being installed by a third party (for example, a value-added reseller, consultant, employee, or agent), such third party represents that it has the authority to bind the person or entity for whom the Software is being installed, and that its acceptance of this Agreement in the manner set forth above does bind such person or entity.

1. Grant of License. Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license (without right to sub-license) to use the Software Products as defined herein on a single machine.

2. Software Products. "Software Product(s)" means (i) the machine-readable object-code versions of the Software of Secure Computing contained in the media (the "Software"), (ii) the published user manuals and documentation that are made available for the Software (the "Documentation") and (iii) any updates or revisions of the Software or Documentation that you may receive (the "Update"). Under no circumstances will you receive any source code of the Software. Software Products provided for use as "backup" in the event of failure of a primary unit may be used only to replace the primary unit after a failure in fact occurs. They may not be used to provide any capability in addition to the functioning primary system that they back up.

3. Limitation of Use. You may not: 1) copy, except to make one copy of the Software solely for back-up or archival purposes; 2) transfer, distribute, rent, lease or sublicense all or any portion of the Software Product to any third party; 3) translate, modify, adapt, decompile, disassemble, or reverse engineer any Software Product in whole or in part; or 4) modify or prepare derivative works of the Software Products.

4. Limited Warranty and Remedies. Secure Computing warrants that the medium/media on which its Software is recorded is/are free from defects in material and workmanship under normal use and service for a period of ninety (90) days from the date of shipment to you.

Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that operation of the program will be uninterrupted or error-free. The Software is furnished "AS IS" and without warranty as to the performance or results you may obtain by using the Software. The entire risk as to the results and performance of the Software is assumed by you. If you do not receive media which is free from defects in materials and workmanship during the 90-day warranty period, you will receive a refund for the amount paid for the Software Product returned.

5. Limitation Of Warranty And Remedies. THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH VARY BY STATE OR COUNTRY.
SECURE COMPUTING'S AND ITS LICENSORS' ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

6. Term and Termination. This license is effective until terminated. You may terminate it at any time by destroying the Software Product, including all computer programs and documentation, and erasing any copies residing on computer equipment. This Agreement also will automatically terminate if you do not comply with any terms or conditions of this Agreement. Upon such termination you agree to destroy the Software Product and erase all copies residing on computer equipment.

7. Ownership. This Software is licensed (not sold) to you. All intellectual property rights including trademarks, service marks, patents, copyrights, trade secrets, and other proprietary rights in or related to the Software Products are and will remain the property of Secure Computing or its licensors, whether or not specifically recognized or protected under local law. You will not remove any product identification, copyright notices, or other legends set forth on the Software Product.

8. Export Restrictions. You agree to comply with all applicable United States export control laws and regulations, including without limitation, the laws and regulations administered by the United States Department of Commerce and the United States Department of State.

9. U.S. Government Rights. Software Products furnished to the U.S. Government are provided on these commercial terms and conditions as set forth in DFARS 227.7202-1(a).

10. Entire Agreement. This Agreement is our offer to license the Software Product to you exclusively on the terms set forth in this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have submitted (or hereafter submit) different, additional, or other alternative terms to Secure Computing or any reseller or authorized dealer, whether through a purchase order or otherwise, we object to and reject those terms. Without limiting the generality of the foregoing, to the extent that you have submitted a purchase order for the Software Product, any shipment to you of the Software Product is not an acceptance of your purchase order, but rather is a counteroffer subject to your acceptance of this Agreement without any objections or modifications by you. To the extent that we are deemed to have formed a contract with you related to the Software Product prior to your acceptance of this Agreement, this Agreement shall govern and shall be deemed to be a modification of any prior terms in their entirety.

11. General. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such holding shall not affect the validity of the other provisions of this Agreement. You may not assign this License or any associated transactions without the written consent of Secure Computing. This License shall be governed by and construed in accordance with the laws of California, without regard to its conflicts of laws provisions.
Other Terms and Conditions
This product contains software developed by the Net-SNMP project. Copyright © 1989, 1991, 1992 by Carnegie Mellon University. Copyright © 1996, 1998-2000 The Regents of the University of California. All Rights Reserved. Copyright © 2001-2002, Networks Associates Technology, Inc. All rights reserved. Portions of this code are copyright © 2001-2002, Cambridge Broadband Ltd. All rights reserved.

This product contains software developed through the Internet Software Consortium (http://www.isc.org). Copyright © 1996-2001 Internet Software Consortium. Portions Copyright © 1996-2001 Nominum, Inc.

This product contains software developed by Sendmail, Inc. Copyright © 1998-2001 Sendmail, Inc. All rights reserved.

This product includes software and algorithms developed by RSA Data Security Inc.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Copyright © 1998-2000 The OpenSSL Project. All rights reserved.

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product utilizes MySQL (http://www.mysql.com/). Copyright © 1995, 1996, 2000 TcX AB & Monty Program KB & Detron Stockholm SWEDEN, Helsingfors FINLAND and Uppsala SWEDEN. All rights reserved.

This product incorporates compression code from the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original compression sources are freely available from http://www.cdrom.com/pub/infozip/ or ftp://ftp.cdrom.com/pub/infozip/ on the Internet.

This product includes software developed at the Information Technology Division, US Naval Research Laboratory. Copyright 1995 US Naval Research Laboratory (NRL). All Rights Reserved.

This product includes software developed by the University of California, Berkeley and its contributors. Copyright © 1991, 1992, 1993, 1994, 1995, 1996 Berkeley Software Design Inc. Copyright © 1997, 1998, 1999, 2000, 2001 Berkeley Software Design Inc. All rights reserved. Copyright © 2001 Wind River Systems, Inc. All rights reserved.

This product uses unmodified GNU software. GNU source code is available on request by contacting Secure Computing.

Pine and Pico are registered trademarks of the University of Washington. No commercial use of these trademarks may be made without prior written permission of the University of Washington. Pine, Pico, and Pilot software and its included text are Copyright 1989-1996 by the University of Washington.

The Sidewinder G2 Guided Tour contains an embedded TechSmith® Screen Capture Codec that is required to view the Guided Tour. The embedded TechSmith Screen Capture Codec is distributed without charge, royalty, or licensing requirement.
Technical Support information
Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support needs.

To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer, send an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our "Contact Secure" Web page for the latest information at www.securecomputing.com.

Customer Advocate information
To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com.

If you have comments or suggestions you would like to make regarding this document or any other Secure Computing document, please send an e-mail to techpubs@securecomputing.com.

Printing history
Date             Part number         Software release
February 2004    SWOP-MN-ADMN61-A    Sidewinder G2, Version 6.1
May 2004         SWOP-MN-ADMN61-B    Sidewinder G2, Version 6.1.0.02
February 2005    SWOP-MN-ADMN61-C    Sidewinder G2, Version 6.1.1
Table of Contents
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
What is the Sidewinder G2 Security Appliance? . . . . . . . . . . . . . 1-1
Sidewinder G2 management options . . . . . . . . . . . . . . . . . . . . . 1-3
The Type Enforced environment . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Sidewinder G2 kernels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
How Type Enforcement works . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Type Enforcement’s effects . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Additional Sidewinder G2 operating characteristics . . . . . . . . . . 1-9
Burbs and network stack separation . . . . . . . . . . . . . . . . . . . . 1-9
Proxy software and access control . . . . . . . . . . . . . . . . . . . . 1-11
IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
daemond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Network Services Sentry (NSS) . . . . . . . . . . . . . . . . . . . . . . 1-16
Chapter 2: Administrator’s Overview . . . . . . . . . . . . . . . . 2-1
Administration interface options . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Admin Console basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Starting and exiting the Admin Console . . . . . . . . . . . . . . . . . 2-3
Adding a Sidewinder G2 to the Admin Console . . . . . . . . . . . 2-4
Connecting to a Sidewinder G2 via the Admin Console . . . . . 2-5
About the main Admin Console window . . . . . . . . . . . . . . . . . 2-8
Admin Console conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Using the Admin Console File Editor . . . . . . . . . . . . . . . . . . . . 2-12
Opening and saving files in the File Editor . . . . . . . . . . . . . . 2-13
Creating a backup file in the File Editor . . . . . . . . . . . . . . . . 2-14
Restoring a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Using the Find/Replace option . . . . . . . . . . . . . . . . . . . . . . . 2-16
Remote administration using Secure Shell . . . . . . . . . . . . . . . . 2-17
Configuring the Sidewinder G2 as an SSH server . . . . . . . . 2-17
Configuring and using the Sidewinder G2 as an SSH client . . 2-20
Configuring the SSH Admin Console windows . . . . . . . . . . . 2-22
Tips on using SSH with Sidewinder G2 . . . . . . . . . . . . . . . . 2-24
Administering Sidewinder G2 using Telnet . . . . . . . . . . . . . . . . 2-24
Setting up an internal (trusted) Telnet server . . . . . . . . . . . . 2-24
Setting up an external Telnet server . . . . . . . . . . . . . . . . . . . 2-25
Connecting to the Sidewinder G2 using Telnet . . . . . . . . . . . 2-26
Chapter 3: General System Tasks . . . . . . . . . . . . . . . . . . . 3-1
Restarting or shutting down the system . . . . . . . . . . . . . . . . . . . 3-2
Powering-on the system to the Operational kernel . . . . . . . . . 3-2
Rebooting or shutting down using the Admin Console . . . . . . 3-3
Rebooting or shutting down using a command line interface . . 3-4
Setting up and maintaining administrator accounts . . . . . . . . . . 3-5
Adding or modifying an administrator account . . . . . . . . . . . . 3-7
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Setting the system date and time . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Viewing/changing the date and time . . . . . . . . . . . . . . . . . . . . 3-9
Changing the date or time using the config_time utility . . . . . 3-10
Using system roles to access type enforced domains . . . . . . . 3-11
Checking which kernel you are running (uname) . . . . . . . . . 3-11
Checking which domain you are using (whereami) . . . . . . . . 3-12
Changing your domain access using the system role (srole) command . . . . . . . . . . . . 3-12
Configuration file backup and restore . . . . . . . . . . . . . . . . . . . . 3-13
Backing up and restoring configuration files using the Admin Console . . . . . . . . . . . . 3-15
Activating the Sidewinder G2 license . . . . . . . . . . . . . . . . . . . . 3-19
Licensing from a Sidewinder G2 connected to the Internet . . 3-20
Licensing from a Sidewinder G2 on an isolated network . . . 3-20
Configuring the Firewall License tabs . . . . . . . . . . . . . . . . . . 3-22
Displaying the status of features on Sidewinder G2 . . . . . . . 3-27
Protected host licensing and the Host Enrollment List . . . . . . . 3-27
How hosts are calculated . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
Displaying and modifying the Host Enrollment List . . . . . . . . 3-29
Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Configuring the synchronization server . . . . . . . . . . . . . . . . . . . 3-33
Configuring scanning services . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Configuring the shund server . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Loading and installing patches . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Viewing currently installed patches . . . . . . . . . . . . . . . . . . . . 3-42
Loading a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Installing a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Modifying the burb configuration . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Modifying the interface configuration . . . . . . . . . . . . . . . . . . . . 3-50
Modifying the static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Configuring remote Admin Console management . . . . . . . . . . 3-56
Enabling and disabling multi-processor mode . . . . . . . . . . . . . 3-57
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . . . 3-58
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . 3-59
Enabling/disabling the UPS server . . . . . . . . . . . . . . . . . . . . 3-60
Chapter 4: Understanding Policy Configuration . . . . . . . 4-1
Policy configuration basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
An example of traffic being processed by the active rules . . . 4-4
Ordering proxy rules within a rule group . . . . . . . . . . . . . . . . . 4-5
Rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Planning for rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Using Application Defense groups and service groups to minimize rule creation . . . . . . . . . . . . 4-16
Proxy rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
Basic criteria used to allow or deny a connection . . . . . . . . . 4-17
Optional criteria used to allow or deny a connection . . . . . . . 4-18
Using NAT and redirection in proxy rules . . . . . . . . . . . . . . . 4-19
Simple proxy rule examples . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Example of proxy rules using netgroups . . . . . . . . . . . . . . . . 4-22
Advanced proxy rule example using service groups . . . . . . . 4-24
Default rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
IP Filter rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Using IP Filter to filter non-TCP/UDP traffic . . . . . . . . . . . . . 4-29
Using IP Filter to filter TCP/UDP traffic . . . . . . . . . . . . . . . . . 4-30
Using NAT and redirection for IP Filter rules . . . . . . . . . . . . . 4-31
Sharing IP Filter sessions in an HA cluster . . . . . . . . . . . . . . 4-36
Specifying the number of TCP or UDP IP Filter sessions . . . 4-36
Chapter 5: Creating Rule Elements . . . . . . . . . . . . . . . . . . 5-1
Creating users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Configuring users or user groups . . . . . . . . . . . . . . . . . . . . . . 5-3
Managing user group membership . . . . . . . . . . . . . . . . . . . . . 5-8
Creating network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Displaying network objects and netgroups . . . . . . . . . . . . . . 5-10
Configuring domain objects . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Configuring host objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Configuring IP address objects . . . . . . . . . . . . . . . . . . . . . . . 5-15
Configuring netmaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Configuring subnet objects . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Configuring netgroup objects . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Managing netgroup membership . . . . . . . . . . . . . . . . . . . . . 5-20
Creating service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Chapter 6: Configuring Application Defenses . . . . . . . . . 6-1
Viewing Application Defense information . . . . . . . . . . . . . . . . . . 6-1
Overview of the Application Defense windows . . . . . . . . . . . . 6-2
Creating Web or Secure Web Application Defenses . . . . . . . . . 6-4
Configuring the Web/Secure Web Enforcements tab . . . . . . . 6-5
Configuring the Web/Secure Web URL Control tab . . . . . . . . 6-8
Configuring the Web/Secure Web HTTP Request tab . . . . . 6-10
Configuring the Web/Secure Web HTTP Reply tab . . . . . . . . 6-11
Configuring the Web/Secure Web MIME/Virus tab . . . . . . . . 6-13
Configuring the Web/Secure Web Content Control tab . . . . 6-17
Configuring the Web/Secure Web Connection tab . . . . . . . . 6-18
Creating Web Cache Application Defenses . . . . . . . . . . . . . . . 6-19
Configuring the Web Cache Application Defense window . . 6-19
Creating Mail Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-21
Configuring the Mail Control tab . . . . . . . . . . . . . . . . . . . . . . 6-22
Configuring the Mail Size tab . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Configuring the Mail Keyword Search tab . . . . . . . . . . . . . . . 6-24
Configuring the Mail MIME/Virus tab . . . . . . . . . . . . . . . . . . . 6-26
Creating Citrix Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-31
Configuring the Citrix Enforcements tab . . . . . . . . . . . . . . . . 6-32
Configuring the Citrix Filters tab . . . . . . . . . . . . . . . . . . . . . . 6-32
Configuring the Citrix Connections tab . . . . . . . . . . . . . . . . . 6-33
Creating FTP Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-33
Configuring the FTP Filter tab . . . . . . . . . . . . . . . . . . . . . . . . 6-33
Configuring the FTP Connection tab . . . . . . . . . . . . . . . . . . . 6-34
Creating IIOP Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-34
Configuring the IIOP Connection tab . . . . . . . . . . . . . . . . . . 6-35
Creating Multimedia Application Defenses . . . . . . . . . . . . . . . . 6-36
Configuring the Multimedia General tab . . . . . . . . . . . . . . . . 6-36
Configuring the H.323 Filter tab . . . . . . . . . . . . . . . . . . . . . . 6-36
Configuring the T120 Filter tab . . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring the Multimedia Connection tab . . . . . . . . . . . . . 6-38
Creating Oracle Application Defenses . . . . . . . . . . . . . . . . . . . 6-38
Configuring the Enforcements tab . . . . . . . . . . . . . . . . . . . . . 6-39
Configuring the Service Name (SID) tab . . . . . . . . . . . . . . . . 6-40
Configuring the Oracle Connection tab . . . . . . . . . . . . . . . . . 6-40
Creating SOCKS Application Defenses . . . . . . . . . . . . . . . . . . 6-41
Configuring the SOCKS 5 Filter tab . . . . . . . . . . . . . . . . . . . 6-41
Configuring the SOCKS Connections tab . . . . . . . . . . . . . . . 6-41
Creating SNMP Application Defenses . . . . . . . . . . . . . . . . . . . 6-42
Configuring the SNMP Filter tab . . . . . . . . . . . . . . . . . . . . . . 6-42
Configuring the SNMP v1 tab . . . . . . . . . . . . . . . . . . . . . . . . 6-43
Configuring the SNMP Connection tab . . . . . . . . . . . . . . . . . 6-45
Creating Standard Application Defenses . . . . . . . . . . . . . . . . . 6-45
Configuring the Standard Connections tab . . . . . . . . . . . . . . 6-46
Configuring Application Defense groups . . . . . . . . . . . . . . . . . . 6-46
Configuring the Application Defense groups window . . . . . . 6-47
Configuring connection properties . . . . . . . . . . . . . . . . . . . . . . 6-48
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Chapter 7: Creating Rules and Groups . . . . . . . . . . . . . . . 7-1
Viewing rules and rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Creating proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Creating IP Filter rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Creating and managing rule groups . . . . . . . . . . . . . . . . . . . . . 7-19
Creating a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Managing rules and nested groups within a rule group . . . . 7-20
Selecting your active policy rules . . . . . . . . . . . . . . . . . . . . . . . 7-22
Viewing the active policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
Modifying the active rule groups . . . . . . . . . . . . . . . . . . . . . . 7-24
Viewing and modifying general IP Filter properties . . . . . . . . 7-25
Chapter 8: Configuring Proxies . . . . . . . . . . . . . . . . . . . . . 8-1
Proxy basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Configuring advanced proxy parameters on a per-rule basis using Application Defenses . . . . . . . . . . . . 8-3
Improving performance using Fast Path Sessions . . . . . . . . . 8-3
Proxy session limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Redirected proxy connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Address redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Port redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Standard Sidewinder G2 proxies . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Using other proxies on the Sidewinder G2 . . . . . . . . . . . . . . 8-13
Transparent & non-transparent proxies . . . . . . . . . . . . . . . . . . 8-14
Notes on selected proxy configurations . . . . . . . . . . . . . . . . . . 8-15
Notes on using the Telnet proxy . . . . . . . . . . . . . . . . . . . . . . 8-15
Notes on using the FTP proxy . . . . . . . . . . . . . . . . . . . . . . . . 8-17
HTTP/HTTPS considerations . . . . . . . . . . . . . . . . . . . . . . . . 8-18
ICA proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
Sun RPC proxy considerations . . . . . . . . . . . . . . . . . . . . . . . 8-19
Usenet News proxy configurations . . . . . . . . . . . . . . . . . . . . 8-19
T.120 and H.323 proxy considerations . . . . . . . . . . . . . . . . . 8-22
Table of Contents ix
Generic TCP proxy considerations . . . . . . . . . . . . . . . . . . . . 8-26
Notes on using the DNS proxy . . . . . . . . . . . . . . . . . . . . . . . 8-27
Configuring proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
Configuring proxy properties . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
Setting up a new proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . 8-33
TCP maximum segment size . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Chapter 9: Setting Up Authentication . . . . . . . . . . . . . . . . 9-1
Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Proxy authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Administrator authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Weak versus strong authentication . . . . . . . . . . . . . . . . . . . . . 9-3
Supported authentication methods . . . . . . . . . . . . . . . . . . . . . . . 9-5
Standard password authentication . . . . . . . . . . . . . . . . . . . . . 9-6
SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
LDAP/Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Windows Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
SNK (SecureNet Key)/Symantec Defender authentication . . . 9-8
SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Authentication process overview . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Users, groups, and authentication . . . . . . . . . . . . . . . . . . . . . . 9-11
Configuring authentication services . . . . . . . . . . . . . . . . . . . . . 9-11
Setting up LDAP authentication . . . . . . . . . . . . . . . . . . . . . . 9-16
Setting up password authentication . . . . . . . . . . . . . . . . . . . 9-18
Setting up RADIUS authentication . . . . . . . . . . . . . . . . . . . . 9-19
Setting up SafeWord authentication . . . . . . . . . . . . . . . . . . . 9-21
Setting up SecurID authentication . . . . . . . . . . . . . . . . . . . . . 9-22
Setting up SecureNet Key (SNK) authentication . . . . . . . . . . 9-24
Setting up Windows Domain authentication . . . . . . . . . . . . . 9-26
Configuring SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
Accessing the Web login and logout pages . . . . . . . . . . . . . 9-30
Setting up authentication for services . . . . . . . . . . . . . . . . . . . . 9-30
Special authentication notes . . . . . . . . . . . . . . . . . . . . . . . . . 9-31
Setting up authentication for Web sessions . . . . . . . . . . . . . . . 9-32
Setting up authentication for administrators . . . . . . . . . . . . . . . 9-33
Allowing users to change their passwords . . . . . . . . . . . . . . . . 9-34
How users can change their own password . . . . . . . . . . . . . . . 9-36
Chapter 10: Domain Name System (DNS) . . . . . . . . . . . . 10-1
What is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
About transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
About Sidewinder hosted DNS . . . . . . . . . . . . . . . . . . . . . . . 10-2
About mail exchanger records . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring the internal network to use hosted DNS . . . . . . . . 10-5
Enabling and disabling your DNS server(s) . . . . . . . . . . . . . . . 10-6
Using master and slave servers in your network . . . . . . . . . 10-6
Determining the number of DNS servers currently defined on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Enabling and disabling hosted DNS servers . . . . . . . . . . . . . 10-7
Advanced configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Managing your current DNS configuration . . . . . . . . . . . . . . . . 10-9
Configuring transparent name servers . . . . . . . . . . . . . . . . . . . 10-9
Configuring hosted DNS servers . . . . . . . . . . . . . . . . . . . . . . . 10-11
Configuring the Server Configuration tab . . . . . . . . . . . . . . 10-12
Configuring the Zones tab . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Using the Master Zone Attributes tab . . . . . . . . . . . . . . . . . 10-20
Using the Master Zone Contents tab . . . . . . . . . . . . . . . . . 10-25
Reconfiguring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Reconfiguring transparent DNS . . . . . . . . . . . . . . . . . . . . . 10-31
Reconfiguring single server hosted DNS . . . . . . . . . . . . . . 10-32
Reconfiguring split server hosted DNS . . . . . . . . . . . . . . . . 10-33
Manually editing DNS configuration files . . . . . . . . . . . . . . . . . 10-35
DNS message logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36
Chapter 11: Electronic Mail . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview of e-mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Mail server configuration options . . . . . . . . . . . . . . . . . . . . . 11-1
Mail filtering services on Sidewinder G2 . . . . . . . . . . . . . . . . 11-4
Sendmail differences on Sidewinder G2 . . . . . . . . . . . . . . . . 11-5
Administering mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . 11-6
Viewing administrator mail messages on Sidewinder G2 . . . 11-6
Managing sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Reconfiguring mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Editing the mail configuration files . . . . . . . . . . . . . . . . . . . . . . 11-10
Configuring advanced anti-spam options . . . . . . . . . . . . . . . . 11-13
Configuring the whitelist.cfg files . . . . . . . . . . . . . . . . . . . . . 11-13
Configuring the policy.cfg file . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Redirecting mail to a different destination . . . . . . . . . . . . . . . . 11-20
Creating a .forward file in a user’s home directory . . . . . . . 11-20
Creating a .forward file in the root directory . . . . . . . . . . . . 11-21
Other sendmail features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Configuring sendmail to strip message headers . . . . . . . . . 11-22
Configuring sendmail to use the RealTime Blackhole list . . 11-24
Sendmail and promiscuous relaying . . . . . . . . . . . . . . . . . . 11-24
Allowing or denying mail on a user basis . . . . . . . . . . . . . . 11-25
Changing mail aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Managing mail queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Chapter 12: Setting Up Web Services . . . . . . . . . . . . . . . 12-1
An overview of Web Services on Sidewinder G2 . . . . . . . . . . . 12-1
Web access for users on your internal network . . . . . . . . . . 12-1
Access to your Web server by untrusted external users . . . . 12-2
Access to your internal network by trusted external users . . 12-3
Implementation options for Web access . . . . . . . . . . . . . . . . . . 12-3
Using the HTTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Setting up Web access using the HTTP proxy . . . . . . . . . . . 12-7
Setting up clientless VPN access for trusted remote users . 12-8
Using the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Setting up Web access using the Web proxy server . . . . . . 12-11
Error messages when using the Web proxy server . . . . . . 12-12
Configuring the Web proxy server . . . . . . . . . . . . . . . . . . . . . . 12-12
Configuring caching options . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Configuring HTTP filtering options . . . . . . . . . . . . . . . . . . . 12-16
Manually editing the configuration file . . . . . . . . . . . . . . . . . 12-17
Configuring browsers for the Web proxy server . . . . . . . . . . . 12-19
Mozilla Firefox 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Internet Explorer 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Internet Explorer 5.x/6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Netscape version 6.x/7.x . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Certain browsers on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . 12-22
Chapter 13: Configuring Virtual Private Networks . . . . . 13-1
Sidewinder G2 VPN overview . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
An introduction to IPSec technology . . . . . . . . . . . . . . . . . . . 13-2
VPN configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Configuring hardware acceleration for VPN . . . . . . . . . . . . . 13-7
Configuring a VPN client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Extended Authentication for VPN . . . . . . . . . . . . . . . . . . . . . 13-8
What type of VPN authentication should I use? . . . . . . . . . . 13-9
Configuring the ISAKMP server . . . . . . . . . . . . . . . . . . . . . . . 13-11
Allowing access to the ISAKMP server . . . . . . . . . . . . . . . . 13-13
Configuring the Certificate server . . . . . . . . . . . . . . . . . . . . . . 13-13
Understanding virtual burbs . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Creating and using a virtual burb with a VPN . . . . . . . . . . . 13-17
Configuring client address pools . . . . . . . . . . . . . . . . . . . . . . . 13-18
Configuring a new client address pool . . . . . . . . . . . . . . . . 13-19
Configuring the Subnets tab . . . . . . . . . . . . . . . . . . . . . . . . 13-20
Configuring the DNS and/or WINS servers . . . . . . . . . . . . . 13-22
Configuring the fixed IP map . . . . . . . . . . . . . . . . . . . . . . . . 13-24
Configuring Certificate Management . . . . . . . . . . . . . . . . . . . . 13-27
Understanding Distinguished Name syntax . . . . . . . . . . . . 13-28
Selecting a trusted source . . . . . . . . . . . . . . . . . . . . . . . . . . 13-31
Configuring and displaying CA root certificates . . . . . . . . . 13-32
Configuring and displaying Remote Identities . . . . . . . . . . . 13-35
Configuring and displaying firewall certificates . . . . . . . . . . 13-37
Configuring and displaying remote certificates . . . . . . . . . . 13-40
Assigning new certificates for Admin Console and synchronization services . . . . . . . . . . . . . . . . . . . . . . . . . . 13-43
Importing and exporting certificates . . . . . . . . . . . . . . . . . . . . 13-44
Loading manual remote or firewall certificates . . . . . . . . . . 13-44
Importing a firewall certificate . . . . . . . . . . . . . . . . . . . . . . . 13-46
Importing a remote certificate . . . . . . . . . . . . . . . . . . . . . . . 13-47
Exporting remote or firewall certificates . . . . . . . . . . . . . . . 13-48
Configuring VPN Security Associations . . . . . . . . . . . . . . . . . 13-51
Displaying and configuring a VPN Security Association . . . 13-52
Defining a VPN Security Association . . . . . . . . . . . . . . . . . 13-53
Example VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-65
Scenario 1: Sidewinder G2-to-Sidewinder G2 VPN via shared password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-66
Scenario 2: Simple deployment of remote users . . . . . . . . 13-68
Scenario 3: Large scale deployment of clients . . . . . . . . . . 13-72
Chapter 14: Configuring the SNMP Agent . . . . . . . . . . . . 14-1
SNMP and Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
SNMP basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Setting up the SNMP agent on Sidewinder G2 . . . . . . . . . . . . . 14-8
Enabling/disabling the SNMP server . . . . . . . . . . . . . . . . . . 14-10
About the management station . . . . . . . . . . . . . . . . . . . . . . . . 14-10
Communication with systems in an external network . . . . . . . 14-11
Chapter 15: One-To-Many Clusters . . . . . . . . . . . . . . . . . 15-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
Considerations when using One-To-Many . . . . . . . . . . . . . . 15-2
Example scenario using a One-To-Many cluster . . . . . . . . . . . 15-4
Example scenario requirements . . . . . . . . . . . . . . . . . . . . . . 15-4
Configuring One-To-Many . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
Configuring a dedicated cluster burb for each Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
Configuring the primary in a new One-To-Many cluster . . . . 15-6
Adding a secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
Joining a secondary to an existing One-To-Many cluster . . . 15-9
Viewing the status of a One-To-Many cluster . . . . . . . . . . . 15-10
Changing the primary in a One-To-Many cluster . . . . . . . . 15-11
Removing Sidewinder G2s from a One-To-Many cluster . . 15-12
Understanding the One-To-Many tree structure . . . . . . . . . . . 15-13
Chapter 16: High Availability . . . . . . . . . . . . . . . . . . . . . . 16-1
How High Availability works . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
HA configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Load sharing HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Failover HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Configuring the heartbeat burbs . . . . . . . . . . . . . . . . . . . . . . 16-7
Configuring Sidewinder G2 for HA . . . . . . . . . . . . . . . . . . . . 16-8
Joining a Sidewinder G2 to an existing HA cluster . . . . . . . 16-13
Enabling and disabling load sharing for an HA cluster . . . . 16-15
Removing a Sidewinder G2 from an HA cluster . . . . . . . . . 16-16
Managing an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-17
Understanding the HA cluster tree structure . . . . . . . . . . . . 16-18
Modifying HA common parameters . . . . . . . . . . . . . . . . . . . 16-20
Modifying HA local parameters . . . . . . . . . . . . . . . . . . . . . . 16-25
Scheduling a soft shutdown for an HA cluster Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-27
Connecting directly to a secondary/standby . . . . . . . . . . . . 16-29
Chapter 17: Alarm Events and Responses . . . . . . . . . . . 17-1
Configuring alarm events and event responses . . . . . . . . . . . . 17-1
Configuring alarm events . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2
Displaying and configuring event responses . . . . . . . . . . . . . 17-8
Changing other options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-12
Example alarm event scenario . . . . . . . . . . . . . . . . . . . . . . . . 17-13
Sample Strikeback results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
Ignoring network probe attempts . . . . . . . . . . . . . . . . . . . . . . . 17-17
Configuring the ignore list . . . . . . . . . . . . . . . . . . . . . . . . . . 17-18
Checking system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
CPU usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
Process status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Disk usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-21
who . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-21
finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Checking network status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Active network connections . . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Active connections/services . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
route get . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-24
dig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-24
whois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-25
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-26
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-26
Chapter 18: Monitoring, Auditing, and Reporting . . . . . 18-1
Overview of the audit process . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Monitoring Sidewinder G2 status . . . . . . . . . . . . . . . . . . . . . . . 18-3
Auditing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Understanding audit file names . . . . . . . . . . . . . . . . . . . . . . . 18-6
Viewing audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
Exporting audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
Filtering audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-12
Creating custom audit filters . . . . . . . . . . . . . . . . . . . . . . . . 18-16
Understanding audit messages . . . . . . . . . . . . . . . . . . . . . . 18-19
Logging application messages using Syslog . . . . . . . . . . . . . 18-21
Redirecting audit output . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-22
Viewing syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . 18-23
Generating and viewing reports using the Admin Console . . . 18-23
Viewing auto-generated reports . . . . . . . . . . . . . . . . . . . . . . . 18-30
Generating exportable reports . . . . . . . . . . . . . . . . . . . . . . . . 18-30
Using third party reporting tools . . . . . . . . . . . . . . . . . . . . . . . 18-31
Formatting & exporting audit data for use with external tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-31
Sample WebTrends report . . . . . . . . . . . . . . . . . . . . . . . . . 18-33
Appendix A: Command Line Reference . . . . . . . . . . . . . . A-1
Overview of cf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Summary of cf structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Working with files on the Sidewinder G2 . . . . . . . . . . . . . . . . . A-10
Changing your default editor . . . . . . . . . . . . . . . . . . . . . . . . A-10
About editing Sidewinder G2 files . . . . . . . . . . . . . . . . . . . . A-11
Checking file and directory permissions (ls) . . . . . . . . . . . . A-12
Changing a file’s type (chtype) . . . . . . . . . . . . . . . . . . . . . . A-13
Creating your own scripts . . . . . . . . . . . . . . . . . . . . . . . . . . A-14
Understanding automatic (cron) jobs . . . . . . . . . . . . . . . . . . . A-15
/etc/daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-15
/etc/weekly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16
/etc/monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16
Rollaudit cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16
SmartFilter cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17
Monitor data retrieval cron job . . . . . . . . . . . . . . . . . . . . . . . A-17
Report generating cron jobs . . . . . . . . . . . . . . . . . . . . . . . . A-17
Squid log rotation cron job . . . . . . . . . . . . . . . . . . . . . . . . . A-18
CRL and certificate retrieval cron job . . . . . . . . . . . . . . . . . A-18
Anti-virus DAT file cron job . . . . . . . . . . . . . . . . . . . . . . . . . A-18
Package download cron job . . . . . . . . . . . . . . . . . . . . . . . . A-18
Export utility cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-18
Logcheck cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-18
Appendix B: Setting Up Network Time Protocol . . . . . . . B-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
NTP servers and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
The Sidewinder G2 as an NTP client . . . . . . . . . . . . . . . . . . B-2
The Sidewinder G2 as an NTP server . . . . . . . . . . . . . . . . . B-3
Configuring NTP on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . B-5
Configuring the Sidewinder G2 as an NTP client . . . . . . . . . B-5
Configuring the Sidewinder G2 as an NTP server . . . . . . . . B-6
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-8
Internet Request For Comments (RFC) . . . . . . . . . . . . . . . . B-8
Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-8
On-line manual (man) pages . . . . . . . . . . . . . . . . . . . . . . . . . B-8
Appendix C: Configuring Dynamic Routing with OSPF . . C-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1
A closer look at OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2
OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-3
OSPF processing on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . C-4
Sidewinder G2 in an OSPF network topology . . . . . . . . . . . . C-5
Interoperability with other OSPF routers . . . . . . . . . . . . . . . . C-6
Other routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-6
Setting up OSPF routing on the Sidewinder G2 . . . . . . . . . . . . C-6
Configuring OSPF properties . . . . . . . . . . . . . . . . . . . . . . . . C-7
Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-8
Configuring Advanced options . . . . . . . . . . . . . . . . . . . . . . C-12
Configuring "passive" OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . C-13
Other implementation details . . . . . . . . . . . . . . . . . . . . . . . . . C-13
Appendix D: Configuring Dynamic Routing with RIP . . . D-1
RIP with standard IP routers . . . . . . . . . . . . . . . . . . . . . . . . . . . D-1
RIP processing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . D-3
RIP with the Sidewinder G2 using transparent IP addressing . . D-5
RIP with the Sidewinder G2 NOT using transparent IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-8
Configuring RIP on the Sidewinder G2 . . . . . . . . . . . . . . . . . . D-12
Rule list support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-15
Enabling/disabling the routed server . . . . . . . . . . . . . . . . . . . . D-15
Trace and log information . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-16
A note about flushing filter routes . . . . . . . . . . . . . . . . . . . . D-16
Appendix E: Setting Up SmartFilter Services . . . . . . . . . . E-1
Controlling Web access using the SmartFilter Control List . . . . E-1
Evaluating the SmartFilter Control List . . . . . . . . . . . . . . . . . . . E-2
Evaluating the full Control List . . . . . . . . . . . . . . . . . . . . . . . . E-2
Evaluating the sample Control List . . . . . . . . . . . . . . . . . . . . E-2
Subscribing to the SmartFilter Control List . . . . . . . . . . . . . . . . E-3
Configuring SmartFilter on the Sidewinder G2 . . . . . . . . . . . . . E-3
Setting up SmartFilter on the Sidewinder G2 . . . . . . . . . . . . E-3
Downloading and installing the SmartFilter Control List . . . . E-4
Configuring advanced SmartFilter options . . . . . . . . . . . . . . E-6
Testing your SmartFilter Configuration . . . . . . . . . . . . . . . . . E-8
Editing the SmartFilter files . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-8
Editing the SmartFilter configuration file . . . . . . . . . . . . . . . . E-8
Editing the smartfilter.site file . . . . . . . . . . . . . . . . . . . . . . . . E-9
Adding a URL to one or more Control List categories . . . . . E-10
Exempting a site, path, or URL from restriction . . . . . . . . . E-12
Appendix F: Basic Troubleshooting . . . . . . . . . . . . . . . . . F-1
Powering-up the system to the Administrative kernel . . . . . . . . F-2
Enabling and disabling authentication for the administrative kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-3
Restoring access to the Admin Console . . . . . . . . . . . . . . . . . . F-3
Backing up system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-4
Performing a full system backup (level0) . . . . . . . . . . . . . . . F-5
Performing an incremental backup . . . . . . . . . . . . . . . . . . . . F-6
Restoring system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-8
Performing a full system restore . . . . . . . . . . . . . . . . . . . . . . F-9
Performing an incremental restore via the do.restore script . F-11
Restoring configuration files using the command line . . . . . F-14
Adding hardware to an active Sidewinder G2 . . . . . . . . . . . . . F-14
What to do if the boot process fails . . . . . . . . . . . . . . . . . . . . . F-16
System reboot messages . . . . . . . . . . . . . . . . . . . . . . . . . . F-17
Re-imaging your Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . F-17
If you forget your administrator password . . . . . . . . . . . . . . . . F-19
Changing your password in the administrative kernel . . . F-19
Using maintenance mode to disable authentication when you have forgotten your password . . . F-20
Manually clearing an authentication failure lockout . . . F-21
Interpreting beep patterns . . . F-21
If a patch installation fails . . . F-23
Troubleshooting proxy rules . . . F-23
Failed connection requests . . . F-24
Monitoring allow and deny rule audit events . . . F-26
Active rules and the DNS . . . F-28
Understanding FTP and Telnet connection failure messages . . . F-28
Troubleshooting High Availability . . . F-29
Viewing configuration-specific information . . . F-29
Viewing status information . . . F-30
Identifying load sharing addresses in netstat and ifconfig . . . F-32
Interface configuration issues with HA . . . F-34
Troubleshooting remote interface test failover for peer-to-peer HA . . . F-34
Troubleshooting NTP . . . F-34
Why did NTP stop? . . . F-35
Why does NTP appear to be inaccurate? . . . F-35
NTP clients will not synchronize with the Sidewinder G2 . . . F-35
Restarting NTP from the UNIX prompt . . . F-35
VPN troubleshooting commands . . . F-36
Glossary . . . G-1
Index . . . In-1
PREFACE
About this Guide

Who should read this guide
This guide is intended for a Sidewinder G2 administrator. You should read this guide if you are responsible for configuring and managing a Sidewinder G2 Security Appliance.
This guide assumes you have:
- A working knowledge of UNIX and Windows operating systems.
- A basic understanding of system administration.
- A working knowledge of the Internet and its associated terms and applications.
- An understanding of networks and network terminology, including TCP/IP protocols.

What is covered in this guide
This guide provides complete administration information on all Sidewinder G2 security appliance functions and features. If you are already responsible for the network to which the Sidewinder G2 will be connected, you will find that you perform the same basic administrative tasks on the Sidewinder G2. However, some of these tasks will differ from standard UNIX systems because of the extra security mechanisms that are included with Sidewinder G2.
Note: Because it is much easier to administer the Sidewinder G2 using the Admin Console rather than by entering commands, this document focuses on using the Admin Console whenever possible.
Each chapter in this guide describes the use and general configuration of one or more related Sidewinder G2 features. Each chapter also includes background information to describe how the underlying technology relates to a Sidewinder G2 configuration.
Table 1 provides a description for each chapter included in this guide.
Preface: About this Guide xix
Table 1. Chapter summaries
Chapter 1: Introduction
    Demonstrates how Sidewinder G2 fits into your network and introduces key operating characteristics.
Chapter 2: Administrator’s Overview
    Provides an overview of the administration interfaces available to you on the Sidewinder G2, including the Admin Console, the primary administration tool.
Chapter 3: General System Tasks
    Provides information on performing system tasks such as setting up additional administrator accounts, making configuration backups, and applying system patch software.
Chapter 4: Understanding Policy Configuration
    Provides an overview of the basic policy configuration components on the Sidewinder G2, including rules and their building blocks.
Chapter 5: Creating Rule Elements
    Provides information on creating users and user groups, network objects, and service groups.
Chapter 6: Configuring Application Defenses
    Provides information on creating Application Defenses.
Chapter 7: Creating Rules and Groups
    Provides information on creating rules and groups, and how to select the active rule groups.
Chapter 8: Configuring Proxies
    Describes proxy connection services and explains how to configure and administer them.
Chapter 9: Setting Up Authentication
    Defines what authentication is, describes the various authentication methods available on Sidewinder G2, and explains how to configure authentication for Telnet, FTP, and Web sessions.
Chapter 10: Domain Name System (DNS)
    Explains how to administer the Domain Name System (DNS) on Sidewinder G2. If needed, you can change your DNS configuration or configure the network to use Sidewinder G2 DNS.
Chapter 11: Electronic Mail
    Explains how to administer mail on Sidewinder G2. If needed, you can change e-mail aliases or the e-mail configuration.
Chapter 12: Setting Up Web Services
    Describes the Web options that are available on Sidewinder G2 to control connections between your internal networks and the Web.
Chapter 13: Configuring Virtual Private Networks
    Explains how the virtual private network (VPN) security on Sidewinder G2 can be used to protect data travelling between two Sidewinder G2 Security Appliances, or between the Sidewinder G2 and a remote client workstation.
Chapter 14: Configuring the SNMP Agent
    Introduces Simple Network Management Protocol (SNMP) network management and defines how to configure and use the SNMP agent on Sidewinder G2 to allow communication with SNMP management stations.
Chapter 15: One-To-Many Clusters
    Describes how to set up One-To-Many clustering, a feature that allows you to manage multiple Sidewinder G2s at the same time.
Chapter 16: High Availability
    Describes how to set up the optional High Availability feature, which allows you to configure load sharing between two Sidewinder G2s, or configure a hot backup in your network.
Chapter 17: Alarm Events and Responses
    Describes how to configure alarm events and responses.
Chapter 18: Monitoring, Auditing, and Reporting
    Describes how to monitor activity on Sidewinder G2. This chapter also describes how to view audit information and generate reports.
Appendix A: Command Line Reference
    Contains a summary of various Sidewinder G2 commands (including cf commands) that you can use to configure and administer your system.
Appendix B: Setting Up Network Time Protocol
    Describes how to configure and implement the Network Time Protocol (NTP) on Sidewinder G2.
Appendix C: Configuring Dynamic Routing with OSPF
    Describes how to set up routing capability on Sidewinder G2 using the Open Shortest Path First (OSPF) protocol.
Appendix D: Configuring Dynamic Routing with RIP
    Describes how to set up dynamic routing on Sidewinder G2 using the Routing Information Protocol (RIP).
Appendix E: Setting Up SmartFilter Services
    Describes how to control Web access using SmartFilter.
Appendix F: Basic Troubleshooting
    Describes basic troubleshooting methods for Sidewinder G2.
Glossary
    Provides definitions of important terms used in this guide.
Index
    Provides a cross-reference to important items used in this guide.
Where to find additional information
The Management Tools CD includes the Sidewinder G2 documentation in .pdf format. When you install the Management Tools on a Windows-based system, the documents are automatically loaded onto your hard drive. You can view them by selecting Start -> Programs -> Secure Computing -> Sidewinder G2 3.0 Admin Console -> Documentation.
Note: To view Sidewinder G2 documents prior to installing the Windows-based tools, browse to the \Manuals directory on the Management Tools CD.

Table 2. Summary of Sidewinder G2 documentation
Perimeter Security Planning Guide
    Educates you about network perimeter security and the basic issues relevant to integrating a Sidewinder G2 into your network. It will help you determine the security profile that best matches your existing network and future security goals, and then prepare you for your integration project. This document is a PDF file located in the Start -> Program Files -> Secure Computing -> Sidewinder G2 Admin Console 3.0 -> Documentation folder.
Startup Guide
    Steps you through setting up your initial Sidewinder G2 configuration.
Administration Guide
    This is the guide you are currently reading. It provides complete administration information on all Sidewinder G2 functions and features. You should read this guide if you are responsible for configuring and managing a Sidewinder G2 Security Appliance.
Enterprise Manager Startup Guide
    Steps you through setting up your initial Sidewinder G2 Enterprise Manager configuration. You should read this guide if you are responsible for configuring and managing a G2 Enterprise Manager.
Enterprise Manager Administration Guide
    Provides complete administration information on all Sidewinder G2 Enterprise Manager functions and features. You should read this guide if you are responsible for configuring and managing Sidewinder G2 using the Enterprise Manager.
Online Help
    Online help is built into the Sidewinder G2 Management Tools. The Configuration Wizard provides help for each configuration window. The Admin Console program provides both screen-based and topic-based online help.

For the latest information regarding Sidewinder G2 and other Secure Computing products, refer to our Web site at: www.securecomputing.com.
Online help
The Sidewinder G2 graphical user interface (known as the Admin Console) provides comprehensive online help. To access online help, click the help icon in the toolbar.
Man (or “manual”) pages provide additional help on Sidewinder G2-specific commands, file formats, and system routines. To view the available information for a specific topic, enter one of the following commands:
    man -k topic
or
    apropos topic
where topic is the subject that you want to look up.
Reference materials
If you are new to system administration, you may find the following resources useful:
Note: Some of these resources are referenced throughout this guide.
- UNIX System Administration Handbook, 3rd Edition, by Nemeth, et al. (Prentice Hall).
- Managing Internet Information Services by Liu, et al. (O’Reilly and Associates, Inc.).
- A standard reference on computer security is Firewalls and Internet Security by Cheswick and Bellovin (Addison-Wesley).
- For network management information, see TCP/IP Network Administration by Craig Hunt (O’Reilly & Associates, Inc.).
- For information on handling mail on UNIX networks, see Sendmail by Bryan Costales, with Eric Allman and Neil Rickert (O’Reilly & Associates, Inc.).
- For Domain Name System information, see DNS and BIND by Cricket Liu and Paul Albitz (O’Reilly & Associates, Inc.).
- For information about Internet Request for Comments (RFC) documents, refer to one of the following Web sites:
    http://www.cis.ohio-state.edu/hypertext/information/rfc.html
    http://www.ietf.org/rfc.html
Typographical conventions
This guide uses the following typographic conventions:
Table 3. Conventions used in this guide
boldface courier: Commands and keywords you type at a system prompt are in boldface.
courier italic: Place holders for text you type. Words that appear in square brackets [and] are place holders for optional text.
courier plain: Text displayed by this product on a computer screen.
plain text italics: Names of files and directories.
Body Text Highlight: Button and field names as shown on a graphical user interface.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered elsewhere in the guide.
Tip: Means the following information will describe a timesaving action or help you solve a problem.
Important: Means the following text will point out something you need to know about to ensure the success of a procedure or a key Admin Console screen.
Caution: Means reader be careful. In this situation, you might do something that could result in loss of data or an unpredictable outcome.
Security Alert: Emphasizes information that is critical to maintaining product integrity or security.
CHAPTER 1
Introduction

About this chapter
This chapter briefly describes the security that the Sidewinder G2 Security Appliance adds to your network, and introduces the administration options available to you. It also provides information on how your Sidewinder G2 operating system differs from a standard UNIX® system.
This chapter includes the following topics:
- “What is the Sidewinder G2 Security Appliance?” on page 1-1
- “Sidewinder G2 management options” on page 1-3
- “The Type Enforced environment” on page 1-4
- “Additional Sidewinder G2 operating characteristics” on page 1-9

What is the Sidewinder G2 Security Appliance?
The Sidewinder G2 Security Appliance is a network security gateway that allows you to connect your organization to the Internet while protecting your network from unauthorized users and network attackers. It includes an application-layer firewall, as well as IPSec VPN capabilities and clientless VPN access, anti-spam and anti-virus filtering engines, and SSL decryption.
The Sidewinder G2 provides a high level of security by using SecureOS®, an enhanced UNIX operating system that employs Secure Computing’s patented Type Enforcement® security technology. SecureOS removes the inherent security risks often found in a network application running on commercial operating systems, resulting in superior network security.
Introduction 1-1
[Figure 1-1. Sidewinder G2 protecting your organization’s network: Internet, router, Sidewinder G2, protected network]
The Sidewinder G2 prevents host identification masquerading (IP spoofing), making it very difficult for attackers to infiltrate your protected network(s). The Sidewinder G2 also offers advanced authentication and encryption software. Encryption allows authorized users on the Internet access to your protected network without fear of attackers eavesdropping (IP sniffing) or stealing access credentials and other valuable information.
The Sidewinder G2 allows public services such as e-mail, a public file archive (FTP), and World Wide Web (Web) access while protecting the other computers on your protected network(s). The Sidewinder G2 also provides powerful configuration options that allow you to control access by your employees to almost any publicly available service on the Internet.
Sidewinder G2 runs on a Pentium-based computer that resides between your Internet router and your protected network(s). Because the Sidewinder G2 runs on standard hardware platforms and supports standard network interfaces, you can integrate the Sidewinder G2 into almost any network configuration.
Tip: For up-to-date hardware considerations regarding the Sidewinder G2, refer to our Web page at: www.securecomputing.com/hardware
A minimum Sidewinder G2 configuration supports two network interfaces. However, you can add additional network interfaces for a total of up to 24 network connections.
The configuration shown in Figure 1-2 is useful in providing protection for two otherwise separate networks within your organization, or between your organization and a strategic business partner. This configuration uses three network interfaces.
[Figure 1-2. Protecting multiple networks with Sidewinder G2: Internet, router, Sidewinder G2, your network and a trusted network as the protected networks]

Sidewinder G2 management options
The Sidewinder G2 provides interface flexibility that allows multiple management options:
- Admin Console—You can install and utilize the graphical user interface software, referred to as the “Admin Console,” on a Windows® operating system, allowing you to easily connect to and manage your Sidewinder G2.
  Note: The Admin Console is occasionally referred to as “Cobra” in command line tools.
- SSH session—You can establish a secure shell (SSH) session on a remote Admin Console (outside of your network) using a command-line interface.
- Telnet session—You can establish a Telnet connection to administer the Sidewinder G2 via the command-line interface from a Windows, UNIX, or other workstation capable of running a Telnet client.
Tip: See Chapter 2 for details on using each management option.
The Type Enforced environment
As mentioned earlier in this chapter, Sidewinder G2 runs under SecureOS, a version of BSD/OS that Secure Computing has enhanced with a patented security technology called Type Enforcement. Type Enforcement was originally developed by Secure Computing Corporation for the Secure Network Server, a product which meets strict U.S. government standards for computer security. For the most part, Type Enforcement does not require any extra effort on your part. The following subsections describe the areas you should be aware of that affect how you use the system and access files.

Sidewinder G2 kernels
The Sidewinder G2 contains two separate UNIX kernels that each serve a specific purpose:
Operational kernel
    This is the kernel that is running during normal operation. By default, the system boots to the Operational kernel. In this mode, the Sidewinder G2 is connected to the Internet and to your internal networks, and all network services are operational. Most importantly, the system is fully protected by the Type Enforcement security software.
    Note: For information on booting to the Operational kernel, refer to “Restarting or shutting down the system” on page 3-2.
Administrative kernel
    This kernel is used only when an administrator needs to perform special tasks on the Sidewinder G2, such as installing or restoring Sidewinder G2 software. When the Administrative kernel is running, all network connections are disabled and Internet services are not available; the Type Enforcement security software is also disabled. Access to the Administrative kernel is tightly controlled and cannot be granted remotely.
    Important: When you boot to the Administrative kernel, the system can be accessed only by attaching a monitor and keyboard (or a laptop) directly to your Sidewinder G2. For information on booting to the Administrative kernel, refer to “Powering-up the system to the Administrative kernel” on page F-2.
Table 1-1 lists the major differences between the two kernels. The Operational kernel features are described in the section immediately following this table.
Table 1-1. Sidewinder G2 kernels
Operational kernel: SecureOS is protected by Type Enforcement. (Type Enforcement is used at every critical system call and cannot be turned off.)
Administrative kernel: Type Enforcement is disabled. File types and domains exist, but are not enforced.
Operational kernel: Normal operating state—The Sidewinder G2 will automatically boot to this kernel.
Administrative kernel: Used when performing certain administrative tasks or installing software on the Sidewinder G2.
Operational kernel: Network connections are enabled; Internet services are available.
Administrative kernel: Network connections are disabled; Internet services are not available.
Operational kernel: Divided into many application domains; domain restrictions are enforced.
Administrative kernel: Domain restrictions are not enforced.
Operational kernel: Administrator access is controlled by authenticated login and access rules.
Administrative kernel: Administrator access is limited to a keyboard and monitor attached directly to the Sidewinder G2. By default, login and access rules do not apply. (You can configure the administrative kernel to require authentication, if desired.)
Operational kernel: Access to files by a process is restricted based on the Domain Definition Table.
Administrative kernel: Access to files by a process is restricted only by standard UNIX permissions.

How Type Enforcement works
UNIX is not known to be a particularly secure operating system. Logging in as super-user (root) gives you access to all system files; an intruder who knows how to acquire root privileges can access any files or applications on a system. In addition, UNIX does not have tight control over how data files are shared among the processes running on a system. This means that an intruder who managed to break into one area of a system, such as e-mail, may be able to easily gain access to other files on the system.
The Type Enforcement software in the Sidewinder G2 Operational kernel is designed to plug these security holes. This is done by using the following mechanisms (each of the mechanisms is described below):
- provides maximum network protection
- provides Type Enforced domain processes
- controls Type Enforced attributes applied to files and sockets
- controls inter-domain operations, such as signals
- controls access to system calls
- controls the files a process can access

Maximum network protection
Secure Computing's patented Type Enforcement technology provides network security protection that is unique to the industry. By using Type Enforcement within the operating system, the Sidewinder G2 provides the highest level of security.
Type Enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks. On the Sidewinder G2, there is no concept of a root super-user. Type Enforcement controls all interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as though the files do not exist.

Type Enforced domain processes
A standard UNIX system separates processes with user and group identities. Therefore, UNIX identities can be completely subverted by users who obtain root privileges. The Sidewinder G2 prevents this by providing separate, Type Enforced domains for each process running on the system. Type Enforced domains provide more intricate control over what each process is allowed to do (see Figure 1-3).
[Figure 1-3. Example of domain separation structure on the Sidewinder G2: separate domains shown include SMTP, Audit, User, Kernel, Network, News, and Telnet]

Type Enforced attributes
When an administrator initially logs into the Sidewinder G2 at a command line prompt, they are automatically placed in the User domain, which allows no access to sensitive files. An administrator may then switch to their defined administrative role’s domain using the srole command (for Admn) or srole adminro (for AdRO). The Admn domain allows an administrator access to all administrative functions. The AdRO domain allows read-only access to the system configuration areas, as well as the ability to generate reports. An administrator with read-only access cannot make system modifications.
For information on assigning administrator roles, see “Setting up and maintaining administrator accounts” on page 3-5.

Inter-domain operations
Interactions between domains, such as signalling, are also controlled by Type Enforcement. For example, a process running in the SMTP domain cannot send a signal to the Telnet server running in the Telnet domain.

Access to system calls
A typical UNIX system has many privileged system calls that could enable malicious users to access the kernel directly and compromise the system. The Sidewinder G2 solves this problem with a set of flags for each domain that indicate which system calls can be made from that domain.
1-8 Introduction<br />
The Type Enforced environment<br />
Files available to a process
Process-to-file access is controlled by a Domain Definition Table that maps out the various classes of data files and processes that may be running on the Sidewinder G2. The table specifies which process domains can access different types of files and what type of access is allowed (such as read/write/execute). This table cannot be circumvented.
Your system is pre-configured so that domains have access only to the files they need. The Domain Definition Table cannot be changed while the Operational kernel is running. This prevents intruders from tricking the kernel into modifying the table. Also, Type Enforcement prevents intruders from installing software that may be used to circumvent Sidewinder G2 security mechanisms.
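The three mechanisms just described (the Domain Definition Table, the inter-domain signal controls, and the per-domain system-call flags) can be modelled as a small policy engine. The following is an added illustration, not code from the Sidewinder G2 or from Secure Computing: the domain names, file types, permissions and the "Smtp"/"Telnet"/"Admn"/"AdRO" rows are hypothetical, and sealing the table stands in for booting the Operational kernel. It shows that a compromised mail-server process cannot rewrite its own configuration, cannot signal the Telnet server, cannot make privileged calls, gains nothing from running as uid 0, and cannot widen the table at run time.

```python
"""Toy model of a Type Enforcement policy: a Domain Definition Table (DDT) for
process-domain to file-type access, an inter-domain signal table, per-domain
system-call flags, and sealing of the tables once the Operational kernel is up.
Added illustration only: the domains, file types and permissions are hypothetical,
not the shipped Sidewinder G2 policy."""
from typing import Dict, List, Set, Tuple


class PolicySealed(Exception):
    """Raised on any attempt to change the tables after seal()."""


class TypeEnforcementPolicy:
    def __init__(self) -> None:
        self.ddt: Dict[Tuple[str, str], Set[str]] = {}  # (domain, file type) -> modes
        self.signals: Dict[str, Set[str]] = {}            # domain -> domains it may signal
        self.syscalls: Dict[str, Set[str]] = {}           # domain -> permitted privileged calls
        self.sealed = False

    # Configuration is only possible before seal(), i.e. in the Administrative kernel.
    def _mutable(self) -> None:
        if self.sealed:
            raise PolicySealed("DDT cannot be changed while the Operational kernel runs")

    def grant_file(self, domain: str, file_type: str, *modes: str) -> None:
        self._mutable()
        self.ddt.setdefault((domain, file_type), set()).update(modes)

    def grant_signal(self, src: str, dst: str) -> None:
        self._mutable()
        self.signals.setdefault(src, set()).add(dst)

    def grant_syscall(self, domain: str, call: str) -> None:
        self._mutable()
        self.syscalls.setdefault(domain, set()).add(call)

    def seal(self) -> None:
        self.sealed = True

    # Enforcement: the caller's UID never enters the decision (root is not special).
    def file_access(self, domain: str, file_type: str, mode: str, uid: int = 1000) -> bool:
        del uid  # deliberately ignored: there is no super-user in the Operational kernel
        return mode in self.ddt.get((domain, file_type), set())

    def signal(self, src: str, dst: str) -> bool:
        return dst in self.signals.get(src, set())

    def syscall(self, domain: str, call: str) -> bool:
        return call in self.syscalls.get(domain, set())

    def reachable(self, domain: str) -> List[str]:
        """File types a process in `domain` can touch in any mode: the blast radius
        of a compromise of that domain."""
        return sorted(ft for (d, ft), modes in self.ddt.items() if d == domain and modes)


def attempt_change(p: TypeEnforcementPolicy, domain: str, file_type: str, mode: str) -> bool:
    """What an intruder who tries to widen the table at run time gets: False, never a new row."""
    try:
        p.grant_file(domain, file_type, mode)
        return True
    except PolicySealed:
        return False


def example_policy() -> TypeEnforcementPolicy:
    """Hypothetical policy for a mail server, a telnet server and the two admin roles."""
    p = TypeEnforcementPolicy()
    p.grant_file("Smtp", "mail_spool", "read", "write")
    p.grant_file("Smtp", "smtp_config", "read")        # reads its config, cannot rewrite it
    p.grant_file("Smtp", "smtp_exec", "execute")
    p.grant_file("Telnet", "telnet_exec", "execute")
    p.grant_file("Admn", "smtp_config", "read", "write")
    p.grant_file("Admn", "system_config", "read", "write")
    p.grant_file("AdRO", "smtp_config", "read")
    p.grant_file("AdRO", "system_config", "read")
    p.grant_signal("Admn", "Smtp")
    p.grant_signal("Admn", "Telnet")
    p.grant_syscall("Admn", "reboot")
    p.grant_syscall("Telnet", "setuid")
    p.seal()                                           # boot the Operational kernel
    return p
```

The point to take from `reachable("Smtp")` is the one the text makes: owning the process that runs the mail server yields the mail spool and read access to its configuration, nothing that the Admn domain uses to administer it.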
Type Enforcement's effects
The previous section outlined how Type Enforcement works. Listed below are the major ways in which Type Enforcement affects you and other users:
- Non-administrative users will not be aware of Type Enforcement (unless they try to perform unauthorized activities).
- In the Operational kernel, there is no concept of a super-user who can have complete system control. The "root" account has no special privileges. The Admin role operating in the Admn domain has access to most system files, but is still not as powerful as root on a standard UNIX system.
- Domains make it difficult for an intruder to do damage. Breaking into the domain in which an application is executing does not provide access to the files required for administering that application.
- Some system administration cannot be performed in the Operational kernel and must be done in the Administrative kernel. While in the Administrative kernel, the Sidewinder G2 is not accessible to any other user or the Internet. When the Administrative kernel is running, Type Enforcement is turned off, which allows you to perform procedures such as a software upgrade or a full system backup and restore.
Additional Sidewinder G2 operating characteristics
Figure 1-4. Multiple Type Enforced areas (burbs) on Sidewinder G2
This section lists additional significant differences between Sidewinder G2 and a standard UNIX system.
Burbs and network stack separation
While installing or managing the Sidewinder G2, you will notice the use of the term "burb." Burb is a term that refers to a set of one or more interfaces that are to be treated the same from a system security policy point of view. Each burb has a unique name (for example, internal, external) that you assign during initial configuration.
As an example of how burbs are used, suppose your organization has two internal (protected) networks that need to be connected to the external network (Internet), but the corporate security policy requires that there be limited or no information flow between the two internal networks. In this scenario, you would configure three burbs for your Sidewinder G2, as shown in Figure 1-4. The security policy must be defined to enforce the required control over information flow between the two internal security burbs and between the external burb and the individual internal burbs, while also protecting the internal burbs from unauthorized access from the Internet.
[Figure 1-4: two trusted networks and the Internet (via a router) each attached to the Sidewinder G2 in its own Type Enforced network area (burb)]
Figure 1-5. Logical network protocol stacks provide network separation
One of the unique aspects of the SecureOS is the use of multiple logical network stacks to strengthen the enforcement of the inter-burb aspects of the system security policy. A network stack consists of different layers of software responsible for different aspects of the communications. For example, one layer checks a message's routing information to ensure that it is transmitted to the correct network. Normal computing systems, and firewalls that operate on an unsecured OS, have only one network stack.
The SecureOS includes modifications that provide stronger separation of communication between different burbs. There are checks at all layers of the software to ensure that the network stack data from one burb is not mixed with, or impacted by, data associated with another burb. This logical separation of the network stacks by security burb is augmented by the Type Enforcement security policy, which is integral to SecureOS. It controls all operational aspects of the system, including enforcement of the separation of data processing by security burb. This ensures that information passes from one burb to another only if the network security policy says the specific information flow is allowed.
Figure 1-5 shows this logical network separation and the processing elements involved in the transfer of data between the network stacks associated with each burb. Before a process can interact with a network stack, the Type Enforcement security policy must indicate that the process is allowed to interact with that burb's network stack.
[Figure 1-5: a trusted network and the Internet, each served by its own logical network protocol stack on the Sidewinder G2]
Proxy software and access control
The Sidewinder G2 uses special programs, called proxies, to forward application data between your network and the Internet. Proxies essentially provide a go-between that can communicate with the burbs on Sidewinder G2. For example, when a user on an internal burb tries to establish an Internet connection, Sidewinder G2 intercepts the connection attempt and opens the connection on the user's behalf. All Internet connections are made by the Sidewinder G2 so that the internal network never communicates directly with the Internet burb. You can configure transparency on a per-rule basis, allowing it to appear from a user's perspective as if they are connecting directly to the destination and not connecting to the Sidewinder G2 first.
Important: Proxies communicate between two Type Enforced network areas in Sidewinder G2. Therefore, proxies are not used to control an external (Internet) user's access to the external side of the Sidewinder G2. For example, when an external user accesses a Telnet server that you have made publicly available on the external side of the Sidewinder G2, there will be no proxy to intervene. For users on the Internet, proxies are only used when they try to access an internal burb on the Sidewinder G2.
The Sidewinder G2 supports Web (HTTP), Telnet, and many other TCP-based proxies. The Sidewinder G2 also supports proxies for routing SNMP, NTP, DNS, and other types of services that require UDP transmissions. You can also create your own special proxies for other services. In addition, the Sidewinder G2 provides proxies that use multiple TCP and/or UDP sessions such as FTP, Real Media, and Oracle SQLNet.
Note: See Chapter 8 for a detailed description of the Sidewinder G2 proxies and procedures for configuring them.
You configure which internal users can use each type of proxy by creating proxy rules and organizing them into rule groups that enforce your site's security policy. For example, you can configure rules that allow all internal users to access all Internet Web sites, or you can prohibit users from accessing the Web from specific internal systems or from accessing specific Web sites. You can configure advanced, application-specific properties for your proxy rules using Application Defenses.
Note: See Chapter 4 for a detailed description of proxy rules and Application Defenses.
IP filtering
You can configure the Sidewinder G2 to securely forward IP packets between networks using IP Filter. Unlike proxies, which operate at the application layer and in most cases on TCP or UDP traffic, IP Filter operates directly on IP packets, allowing non-TCP/UDP (as well as TCP/UDP) traffic to pass between the networks. For example, with IP Filter you can pass encrypted VPN sessions through the Sidewinder G2.
IP Filter works by inspecting many of the fields within a packet, including the source and destination IP address, port, and protocol. Each packet that arrives at the Sidewinder G2 will be inspected and compared to an active IP Filter rule group that you have configured. Matching packets will then be forwarded on to the destination network.
You can configure IP Filter to inspect TCP, UDP, and many other protocols. With the TCP protocol, the Sidewinder G2 actively tracks individual sessions by performing stateful inspection. This ensures that only packets valid for a portion of a specific TCP session are sent on to the actual destination. In addition, the Sidewinder G2 supports the ability to perform Network Address Translation (NAT) and redirection when using IP Filter.
Using NAT, the source address of outgoing IP packets is translated from the client's IP address to the external address of the Sidewinder G2. Using redirection, the destination address of an incoming packet is rewritten to a redirect host. Using NAT and/or redirection allows the IP addresses of machines behind the Sidewinder G2 to be hidden. You can also allow a private, non-routable network (such as 10.0.0.0) to access the Internet using NAT.
Note: See Chapter 4 for information on using IP Filter rules.
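The behaviour described above (ordered permit rules over address, port and protocol, TCP session tracking, NAT of the source address on the way out, and redirection of the destination on the way in) is easier to reason about in code. The following is an added model, not the Sidewinder G2 IP Filter implementation or its rule syntax: the addresses (203.0.113.1 as the firewall's external address, 10.0.0.80 as the redirect host), the rule fields and the session table are hypothetical, and "stateful" is reduced to its essential check, that a TCP packet is either the opening SYN of a permitted session or belongs to a session already in the table. Replies are translated back by remembering the pre- and post-translation tuples of each session.

```python
"""Simplified model of stateful IP filtering with NAT and redirection, following the
description of IP Filter above.  Added illustration only: the rule format, the
addresses and the session handling are hypothetical, not the Sidewinder G2 code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXTERNAL_IP = "203.0.113.1"      # assumed external address of the firewall
Tuple4 = Tuple[str, Optional[int], str, Optional[int]]   # src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False           # TCP flag SYN
    ack: bool = False           # TCP flag ACK

    def tuple4(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Rule:
    """A permit rule; anything no rule permits is dropped (default deny)."""
    proto: Optional[str] = None         # None matches any protocol
    src_prefix: str = ""                # "" matches any source
    dst: Optional[str] = None
    dport: Optional[int] = None
    nat: bool = False                   # rewrite source to EXTERNAL_IP
    redirect_to: Optional[str] = None   # rewrite destination to this host

    def matches(self, p: Packet) -> bool:
        return (self.proto in (None, p.proto) and p.src.startswith(self.src_prefix)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))


def _swap(t: Tuple4) -> Tuple4:
    return (t[2], t[3], t[0], t[1])


class IPFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # TCP sessions opened by a permitted SYN: original tuple -> translated tuple
        self.sessions: Dict[Tuple4, Tuple4] = {}

    @staticmethod
    def _rebuild(p: Packet, t: Tuple4) -> Packet:
        return Packet(p.proto, t[0], t[2], t[1], t[3], p.syn, p.ack)

    def process(self, p: Packet) -> Optional[Packet]:
        """Return the packet as forwarded (after translation) or None if dropped."""
        t = p.tuple4()
        if p.proto == "tcp":
            if t in self.sessions:                    # client -> server in a known session
                return self._rebuild(p, self.sessions[t])
            for orig, xlat in self.sessions.items():  # server -> client reply: undo translation
                if t == _swap(xlat):
                    return self._rebuild(p, _swap(orig))
            if not (p.syn and not p.ack):             # no state and not a session opener
                return None
        for r in self.rules:
            if r.matches(p):
                xlat: Tuple4 = (EXTERNAL_IP if r.nat else p.src, p.sport,
                                r.redirect_to or p.dst, p.dport)
                if p.proto == "tcp":
                    self.sessions[t] = xlat
                return self._rebuild(p, xlat)
        return None


def build_example_filter() -> IPFilter:
    """Constructed rule group: NATed outbound HTTPS, inbound web redirected to an
    internal server, and ESP (VPN) passed through as plain IP."""
    return IPFilter([
        Rule(proto="tcp", src_prefix="10.0.0.", dport=443, nat=True),
        Rule(proto="tcp", dst=EXTERNAL_IP, dport=80, redirect_to="10.0.0.80"),
        Rule(proto="esp"),
    ])
```

Feed it an outbound SYN from 10.0.0.5 and the SYN/ACK that comes back addressed to 203.0.113.1: the first leaves with the firewall's address as its source, the second is delivered to 10.0.0.5. An ACK for a port that never opened a session is dropped before any rule is consulted, which is the stateful check the text describes.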
daemond
The daemond (pronounced demon-dee) process is a powerful component that enhances overall security. It monitors and controls all of the major software components on Sidewinder G2. It also detects and audits some classes of attacks against the Sidewinder G2.
For example, should someone try to attack a Sidewinder G2 service (such as sendmail), causing the component to crash, the daemond process will detect the failure, immediately restart the failed component, and create a critical event audit entry (allowing the administrator to be notified and respond to the attack).
daemond starts during the Sidewinder G2 boot process. On start up, it reads the /etc/sidewinder/daemond.conf file to determine its configuration options. As a Sidewinder G2 administrator, there are two daemond options you should be aware of: default memory size and failure mode.
About the default memory size option
If no memory size is specified for a service in the /etc/server.conf or /etc/sidewinder/nss.common.conf files, the default memory size option specifies the size (in MB) that daemond will give each of the services it starts. The default size is 128 MB. If there is no value present in the daemond configuration file, it will use the default value from /etc/login.conf.
About the failure (safe) mode option
By default, failure mode is not configured and daemond runs in its normal, operational mode: it attempts to start all enabled components in the /etc/server.conf and /etc/sidewinder/nss.common.conf files. When failure mode is enabled in the /etc/sidewinder/daemond.conf file and a failure event has occurred, daemond starts in failure mode (also called safe mode). In failure mode daemond starts only the components that are enabled for failure mode in the /etc/server.conf and /etc/sidewinder/nss.common.conf files; components that are NOT enabled for failure mode are not started.
Failure mode is set under any of the following circumstances:
- a license check fails
- the audit partition overflows
- an error occurs while installing a patch
Note: If a patch fails for any reason, the patch process will configure daemond to start in failure mode. This is done in order to secure the system and provide only necessary administrator access to the Sidewinder G2.
If you configure a failover High Availability (HA) cluster, the standby Sidewinder G2 will run in failure mode. If the primary Sidewinder G2 becomes unavailable and the standby is required to take over as the primary Sidewinder G2, daemond will start all services for that Sidewinder G2.
If the primary Sidewinder G2 in an HA cluster goes into failure mode and the secondary/standby Sidewinder G2 is not available, the primary Sidewinder G2 will remain as the primary Sidewinder G2, but the priority value for that Sidewinder G2 will change to one, ensuring that if a secondary/standby Sidewinder G2 becomes available, it can take over as the primary Sidewinder G2. For information on HA, see Chapter 16.
daemond and run levels
When running in either normal mode or failure mode, daemond starts components according to their run level. After each component in a run level has started, daemond "sleeps" for the run level interval specified in the /etc/daemond.conf file. After the sleep completes, daemond starts the components in the next run level. There are five different run levels. Each run level contains the following components:
Table 1-2. daemond run levels
Run level   Components
0           auditd, auditsql, aclsql, swedesql
1           acld, auditbotd, resolverd, upsd
2           auditdbd, named-unbound, named-internet, randomd
3           nss
4           All remaining proxies and servers (this is also the default run level)
There are four key components that must be enabled and running before daemond will successfully boot the Sidewinder G2. These are: auditd, auditsql, aclsql, and acld.
Whether running in normal or failure mode, daemond will fail to bring the Sidewinder G2 up completely if any of the following situations occur:
- a configuration file error exists in any of the three files daemond parses: /etc/daemond.conf, /etc/server.conf, and /etc/sidewinder/nss.common.conf
- the system has not been properly licensed or activated
- a key component failed to start up or was not properly enabled
- a patch installation failed
If one of these error conditions occurs, a message appears notifying you that your system has booted to failure mode along with the reason why it booted to failure mode. The reason for the failure will be logged in /var/log/daemond.log. If none of the above situations occur, daemond will bring the system up without error.
Once the Sidewinder G2 has finished booting and the system is operational, daemond becomes responsible for monitoring, stopping and starting all the components in /etc/server.conf and /etc/sidewinder/nss.common.conf. While daemond is monitoring the enabled and running components, it is also responsible for keeping an instance of each component running.
Restarting processes
If a component dies unexpectedly, daemond will restart that component and audit the event in both the audit log and the daemond log. The message in /var/log/daemond.log will look similar to this:
Nov 7 16:05:22 fiji : restarting /usr/libexec/syncd (2686) due to unexpected death
If a component quits within five seconds of starting three times in a row, daemond will not attempt to restart it until the next time daemond rereads its configuration files. This event will also be audited to both the audit log and the daemond log. The message in /var/log/daemond.log will look similar to this:
Nov 5 18:13:03 fiji : /usr/contrib/sbin/sshd will not be restarted due to possible startup errors
Stopping processes
daemond is also responsible for stopping processes. If a Sidewinder G2 administrator chooses to disable a process (using the Admin Console or cf commands), the configuration files are changed and a SIGHUP signal is sent to daemond. The SIGHUP signals daemond to reread the configuration files. If daemond finds an entry associated with a currently running process that is now marked as disabled, daemond will stop that process. The process will not be started again until it is re-enabled by an administrator. Re-enabling a process will cause another SIGHUP to be sent to daemond, which will reread the configuration files and attempt to restart the process.
All component failure events are logged in the /var/log/daemond.log file. If daemond fails during system start-up, the daemond log file will record the reason for this failure. It will also record information each time daemond restarts a process that died unexpectedly. This is useful for tracking attacks on a particular component.
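The run-level ordering, the failure-mode filter, the key-component check, the "three quick deaths" rule from Restarting processes, the SIGHUP handling from Stopping processes, and the use of the daemond log to spot a component under attack, fit together as one small supervisor model. The following is an added illustration, not daemond's own code: the component list is a subset of Table 1-2, which of them are enabled for failure mode is assumed, the hypothetical "httpproxy" stands in for a proxy, the timings are simulated, and the sample log lines are constructed in the format the text shows. The model emits the same two messages as the text, and restart_counts() parses both those and the constructed lines.

```python
"""Model of daemond's start-up and supervision behaviour as described in the text.
Added illustration only: the component list, failure-mode flags, timings and log
lines are hypothetical, not daemond's code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

QUICK_DEATH_SECONDS = 5                 # "quits within five seconds of starting"
QUICK_DEATH_LIMIT = 3                   # "... three times in a row"
KEY_COMPONENTS = {"auditd", "auditsql", "aclsql", "acld"}
RESTART_RE = re.compile(r"restarting (\S+) \((\d+)\) due to unexpected death")


@dataclass
class Component:
    name: str
    run_level: int
    enabled: bool = True
    failure_mode_enabled: bool = False
    pid: Optional[int] = None
    started_at: float = 0.0
    quick_deaths: int = 0
    held: bool = False                  # no restarts until the configuration is reread


class Daemond:
    def __init__(self, components: List[Component], failure_mode: bool = False) -> None:
        self.components: Dict[str, Component] = {c.name: c for c in components}
        self.failure_mode = failure_mode
        self.log: List[str] = []
        self._next_pid = 1000

    def _should_run(self, c: Component) -> bool:
        return c.enabled and (c.failure_mode_enabled or not self.failure_mode)

    def _start(self, c: Component, now: float) -> None:
        c.pid, self._next_pid, c.started_at = self._next_pid, self._next_pid + 1, now

    def boot(self, now: float = 0.0) -> List[str]:
        """Start components run level by run level; return the start order.
        Raises RuntimeError when a key component would not be started."""
        missing = KEY_COMPONENTS - {n for n, c in self.components.items() if self._should_run(c)}
        if missing:
            raise RuntimeError(f"booting to failure mode: key components {sorted(missing)}")
        order: List[str] = []
        for level in sorted({c.run_level for c in self.components.values()}):
            for c in self.components.values():
                if c.run_level == level and self._should_run(c):
                    self._start(c, now)
                    order.append(c.name)
        return order

    def child_died(self, name: str, now: float) -> bool:
        """Handle an unexpected death; True if the component was restarted."""
        c = self.components[name]
        if c.pid is None:
            return False
        old_pid = c.pid
        c.quick_deaths = c.quick_deaths + 1 if now - c.started_at < QUICK_DEATH_SECONDS else 0
        if c.quick_deaths >= QUICK_DEATH_LIMIT:
            c.held, c.pid = True, None
            self.log.append(f"{name} will not be restarted due to possible startup errors")
            return False
        self.log.append(f"restarting {name} ({old_pid}) due to unexpected death")
        self._start(c, now)
        return True

    def sighup(self, enabled: Dict[str, bool], now: float) -> None:
        """Reread configuration: stop newly disabled components, start newly enabled
        ones, and clear any restart holds."""
        for name, c in self.components.items():
            c.enabled = enabled.get(name, c.enabled)
            c.quick_deaths, c.held = 0, False
            if not self._should_run(c) and c.pid is not None:
                c.pid = None
                self.log.append(f"stopping {name}: disabled in configuration")
            elif self._should_run(c) and c.pid is None:
                self._start(c, now)


def boots_cleanly(components: List[Component], failure_mode: bool = False) -> bool:
    try:
        Daemond(components, failure_mode).boot()
        return True
    except RuntimeError:
        return False


def restart_counts(log_lines: List[str]) -> Counter:
    """Restarts per component in daemond.log lines: the component that keeps being
    restarted is the one to look at when tracking attacks."""
    return Counter(m.group(1) for line in log_lines if (m := RESTART_RE.search(line)))


def example_components() -> List[Component]:
    """Subset of Table 1-2; failure-mode flags and the proxy name are assumed."""
    return [Component("auditd", 0, failure_mode_enabled=True),
            Component("auditsql", 0, failure_mode_enabled=True),
            Component("aclsql", 0, failure_mode_enabled=True),
            Component("acld", 1, failure_mode_enabled=True),
            Component("resolverd", 1), Component("named-internet", 2),
            Component("nss", 3), Component("sshd", 4), Component("httpproxy", 4)]


SAMPLE_LOG = [  # constructed lines in the format shown in the text
    "Nov 7 16:05:22 fiji : restarting /usr/libexec/syncd (2686) due to unexpected death",
    "Nov 7 16:05:31 fiji : restarting /usr/libexec/syncd (2701) due to unexpected death",
    "Nov 7 16:07:02 fiji : restarting /usr/sbin/sendmail (2710) due to unexpected death",
    "Nov 5 18:13:03 fiji : /usr/contrib/sbin/sshd will not be restarted due to possible startup errors",
]
```

A death more than five seconds after the last start resets the quick-death count, so a service that is crashed repeatedly by an attacker but stays up between crashes keeps being restarted and keeps generating restart lines; that is exactly the pattern restart_counts() surfaces.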
Network Services Sentry (NSS)
If you have administered a standard UNIX system, you are probably familiar with inetd, which manages daemons for network services. Daemons are server processes that run continuously in the background and wait until they are needed. On the Sidewinder G2, inetd has been replaced with the Network Services Sentry (NSS), which manages most of the server and proxy services. There is an NSS configuration file for each burb defined on your Sidewinder G2. The NSS configuration files are updated for you when you make changes to services. For example, the files are updated whenever you enable or disable a proxy.
NSS regulation of valid ports for the Admin Console
For the Admin Console and synchronization services, NSS regulates the ability to change the default port. You may use the Admin Console or the command line to edit the default ports for these services. For example, you might want to alter ports when the default conflicts with the port of another service, or when you want to create a portlist with non-contiguous numbers.
You can edit the port fields using the Admin Console Firewall Administration -> UI Access Control window. See "Backing up and restoring configuration files using the Admin Console" on page 3-15 and "Configuring remote Admin Console management" on page 3-56 for details.
When changing the port for a service, be sure to consider the criteria listed in Table 1-3 below.
Table 1-3. Criteria for modifying a service port
Port type           Criteria
Valid ports         must be between 1 and 65535 (both when using the Admin Console and for all other services), and unique among the ports assigned to other services of the same type (server, t_proxy, nt_proxy)
Valid port ranges   must be two valid ports separated by a single hyphen (ranges in a portlist may be non-contiguous), listed in ascending order, cover a maximum of 1995 ports, lie between 1 and 65535 (both when using the Admin Console and for all other services), and be unique among the ports assigned to other services of the same type (server, t_proxy, nt_proxy)
Valid portlists     must be valid ports and/or valid ranges separated by spaces
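The criteria in Table 1-3 are exactly the checks a validator has to make before a port entry is written into an NSS configuration file. The following is an added illustration, not the NSS code or the Admin Console's validation: it parses single ports, hyphenated ranges and space-separated portlists, enforces the 1-65535 bound, ascending order and the 1995-port cap, and rejects a port already assigned to another service of the same type (server, t_proxy, nt_proxy). The table of existing assignments is constructed for the example; only the Admin Console's default port 9003 comes from the text.

```python
"""Validator for service port entries following the criteria in Table 1-3.
Added illustration only: not the NSS code, and the assignment table is made up."""
from typing import Dict, List, Optional, Set

MAX_RANGE_PORTS = 1995
SERVICE_TYPES = ("server", "t_proxy", "nt_proxy")

# Constructed example of ports already assigned: service type -> service -> portlist.
EXAMPLE_ASSIGNED: Dict[str, Dict[str, str]] = {
    "server": {"cobra": "9003", "sshd": "22"},
    "t_proxy": {"http": "80 8080", "telnet": "23"},
}


def parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port {text!r} is not a number")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return port


def parse_range(text: str) -> range:
    """'low-high' -> range(low, high + 1), ascending and at most 1995 ports."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"range {text!r} must be two ports separated by a single hyphen")
    low, high = parse_port(parts[0]), parse_port(parts[1])
    if low >= high:
        raise ValueError(f"range {text!r} must be listed in ascending order")
    if high - low + 1 > MAX_RANGE_PORTS:
        raise ValueError(f"range {text!r} covers more than {MAX_RANGE_PORTS} ports")
    return range(low, high + 1)


def parse_portlist(text: str) -> List[int]:
    """Space-separated ports and/or ranges -> sorted list of distinct ports."""
    ports: Set[int] = set()
    for item in text.split():
        ports.update(parse_range(item) if "-" in item else [parse_port(item)])
    if not ports:
        raise ValueError("portlist is empty")
    return sorted(ports)


def check_assignment(service_type: str, service_name: str, portlist: str,
                     assigned: Dict[str, Dict[str, str]]) -> List[int]:
    """Validate `portlist` for `service_name` against ports already assigned to
    other services of the same type; return the parsed ports or raise ValueError."""
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"unknown service type {service_type!r}")
    wanted = parse_portlist(portlist)
    for other, other_list in assigned.get(service_type, {}).items():
        if other == service_name:
            continue                       # a service may keep its own ports
        clash = set(wanted) & set(parse_portlist(other_list))
        if clash:
            raise ValueError(f"ports {sorted(clash)} already assigned to {other}")
    return wanted


def validation_error(portlist: str, service_type: Optional[str] = None,
                     service_name: str = "", assigned: Optional[Dict[str, Dict[str, str]]] = None) -> Optional[str]:
    """The error message a UI would show, or None if the entry is acceptable."""
    try:
        if service_type is None:
            parse_portlist(portlist)
        else:
            check_assignment(service_type, service_name, portlist, assigned or {})
        return None
    except ValueError as exc:
        return str(exc)
```

Note that the uniqueness check is scoped by service type, as the table states: the same port number can be used by a server and by an nt_proxy, but not by two servers.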
Chapter 2
Administrator's Overview
About this chapter: This chapter provides an overview of the administration options available to you. This chapter includes the following topics:
- "Administration interface options" on page 2-2
- "Admin Console basics" on page 2-3
- "Admin Console conventions" on page 2-11
- "Using the Admin Console File Editor" on page 2-12
- "Remote administration using Secure Shell" on page 2-17
- "Administering Sidewinder G2 using Telnet" on page 2-24
Administration interface options
You can manage Sidewinder G2 in one of two ways:
- Admin Console: The Administration Console (or Admin Console) is the graphical software program that runs on a Windows system within your network. The Admin Console is installed using the Management Tools CD. This CD also installs the Configuration Wizard, which is used to create your configuration diskette on a Windows system. The graphical windows that comprise the Admin Console allow you to use a mouse and keyboard to configure and manage Sidewinder G2. (For information on installing the Admin Console software, see the Sidewinder G2 Startup Guide.)
  Note: The Admin Console is occasionally referred to as "cobra" in some command line tools. For information on using the Admin Console, see "Admin Console basics" on page 2-3.
- command line interface: If you are experienced with UNIX, you can also use the command line interface to configure and manage Sidewinder G2. Command line interface refers to any UNIX prompt. The command line interface supports many Sidewinder G2-specific commands as well as standard UNIX commands you can enter at a UNIX prompt. For example, the cf (configurator) command can perform a wide range of configuration tasks.
  Tip: For help using the command line interface instead of the Admin Console to manage your Sidewinder G2, refer to Appendix A. You can also use the extensive manual (man) pages included on Sidewinder G2. To do so, log in to Sidewinder G2 at a command prompt, type man followed by the name of a command, and then press Enter.
For most administrative tasks you can use the Admin Console as the primary Sidewinder G2 interface. If you prefer, you can connect via SSH or Telnet, and utilize the command line interface to perform administrative tasks.
Tip: Because it is much easier to administer Sidewinder G2 using the Admin Console rather than by entering commands, this document focuses on using the Admin Console whenever possible.
Whether you use the Admin Console or the command line interface, you can manage Sidewinder G2 from a number of locations. Figure 2-1 highlights the administration interface options available to you.
Note: Normal administration is possible only when the Operational kernel is booted. When the Administrative kernel is running, all administration must be done directly on the Sidewinder G2 by connecting a monitor and keyboard (or laptop).
Figure 2-1. Sidewinder G2 administration options
[Figure 2-1: the Admin Console running on a Windows workstation, the command line interface via a Telnet connection from a Windows or UNIX workstation, and a remote Admin Console or command line interface via an SSH connection, each reaching the Sidewinder G2 over the network or the Internet]
Admin Console basics
This section describes how to start the Admin Console, and explains how to add a new Sidewinder G2. It also provides general guidelines for using the Admin Console. For information on installing the Admin Console software on a Windows PC, see the Sidewinder G2 Startup Guide.
Note: This version of the Admin Console supports backwards compatibility. Therefore, if you have a current version of the Admin Console installed, you can still connect to a remote Sidewinder G2 that is running at 6.0.0.00 or higher, and the window will automatically update to display the earlier version of the Admin Console. You will also receive online help that is appropriate to the version at which the Sidewinder G2 is running.
Starting and exiting the Admin Console
To access the Admin Console from a Windows workstation within your network, the Sidewinder G2 must be configured to allow secure sessions for the burb in which you will be connecting to the Sidewinder G2. (This is normally defined during the installation and configuration process.) For information on enabling administration on an active Sidewinder G2, see "Configuring remote Admin Console management" on page 3-56.
Starting the Admin Console
To start the Admin Console on a Windows workstation, do one of the following:
- Click the Sidewinder G2 Administration icon located on the desktop.
- Select Start -> Programs -> Secure Computing -> Sidewinder G2 Admin Console 3.0 -> Firewall Admin Console.
If you are starting the Admin Console for the first time, you will need to add the Sidewinder G2(s) that you want to manage. See "Adding a Sidewinder G2 to the Admin Console" on page 2-4 for information on creating a new Sidewinder G2.
Exiting the Admin Console
To exit the Admin Console, do one of the following:
- In the File menu, select Exit.
- Simultaneously press Alt+x.
- Click the icon in the upper right corner of the Admin Console window.
Important: If you have any active connections when you exit the Admin Console, those connections, as well as any unsaved changes, will be lost. You will not be prompted to save before exiting.
Adding a Sidewinder G2 to the Admin Console
Before you can manage a Sidewinder G2 using the Admin Console, you must first identify it in the Admin Console. Follow the steps below.
1. In the Admin Console window, click the icon (or click File -> New Firewall). The Add Firewall window appears.
2. In the Name field, type a descriptive name for the Sidewinder G2 you are adding. For example, you might specify the host name you used during the installation process. Only alphanumeric characters and dashes can be used; spaces are not allowed.
Figure 2-2. Admin Console Login window
3. In the IP Address field, type the IP address you want to use to access the Sidewinder G2. The address must be a valid IP address for an interface on the Sidewinder G2. Also, the interface must be contained within a burb for which remote administration has been enabled. To view the current mapping of interfaces and burbs, refer to the Interface Configuration and UI Access Control windows in the Admin Console (you can also use ifconfig -a via the command line).
4. Click Add to save the information and exit this window. Each Sidewinder G2 you add is displayed in the Admin Console tree (in the left portion of the window).
5. Click on the appropriate icon listed under Firewalls. The properties appear in the right portion of the window.
6. [Conditional] The Port field displays the default port number (9003) on which the Sidewinder G2 will listen. You will generally not need to modify this field.
7. To log in and connect to a Sidewinder G2, see "Connecting to a Sidewinder G2 via the Admin Console" on page 2-5.
Connecting to a <strong>Sidewinder</strong> <strong>G2</strong> via the Admin Console<br />
To connect to a specific <strong>Sidewinder</strong> <strong>G2</strong>, select the appropriate icon<br />
from the Admin Console tree and then click Connect. The login<br />
window appears.<br />
The first time you attempt to connect to a Sidewinder G2 using the Admin Console, a pop-up window presents the firewall certificate that will be used for all subsequent administrative connections. To accept the certificate, click Yes.<br />
Accepting without checking is a trust-on-first-use decision: if anything between your workstation and the firewall presented its own certificate, you would accept that one instead, and every later session would be trusted on the strength of this single click. Verify the fingerprint before you accept.<br />
To verify the certificate, obtain its fingerprint before you log in to the Admin Console: log in to the Sidewinder G2 from the command line and enter the srole command to change to the admin role. (If you have not configured remote access, you will need to attach a monitor directly to your Sidewinder G2.) Then enter the following command:<br />
cf cert view fw name=cert_name<br />
The contents of the certificate are displayed. The fingerprint is located at the bottom of the certificate, directly beneath the END CERTIFICATE identifier. Compare it with the fingerprint displayed when you first connect via the Admin Console, and click Yes only if every byte matches. Obtain the reference value over a path you already trust (the console, or an SSH session whose host key you have verified), never over the connection you are trying to verify.<br />
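The fingerprint comparison described above, as an added example that is not code from the Sidewinder G2 product or this guide. A certificate fingerprint is a hash over the certificate's DER bytes, so the check needs no X.509 parsing: the helper decodes the PEM body, hashes it, and compares the result with the value copied from cf cert view in a format-insensitive, constant-time way. The guide does not state which hash the firewall prints, so the algorithm is a parameter; CONSTRUCTED_DER and EXAMPLE_PEM are placeholder bytes constructed for the example, not a real certificate, and the function names are the example's own.

```python
"""Check a firewall certificate fingerprint against the value read from
the console (cf cert view).  Added example, not Sidewinder G2 code.

A fingerprint is a hash of the certificate's DER encoding, so the
comparison needs no X.509 parsing.  CONSTRUCTED_DER is placeholder data
for the example, not a real certificate.
"""
import base64
import hashlib
import hmac
import re

# Constructed placeholder "DER" bytes (NOT a real X.509 certificate).
CONSTRUCTED_DER = b"constructed-placeholder-not-a-real-x509-certificate\x00\x01\x02"

# The same bytes wrapped the way the Admin Console and cf cert view show them.
EXAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Return the base64-decoded body between the CERTIFICATE markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and stray spaces
    return base64.b64decode(body, validate=True)


def fingerprint_from_pem(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form: upper-case hex with separators removed, so that
    'ab:cd', 'AB CD' and 'abcd' are treated as the same fingerprint."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify_fingerprint(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """True only if the fingerprint of `pem` equals `expected`.

    A value of the wrong length (truncated, or from a different hash)
    is rejected outright.  hmac.compare_digest keeps the comparison
    constant-time, so timing does not reveal how many bytes matched.
    """
    want = normalize(expected)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        return False
    got = normalize(fingerprint_from_pem(pem, algorithm))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    shown = fingerprint_from_pem(EXAMPLE_PEM, "sha1")  # what the console would print
    print("SHA1 fingerprint:", shown)
    print("accept certificate:", verify_fingerprint(EXAMPLE_PEM, shown.lower(), "sha1"))
```

Paste the PEM shown by the Admin Console into pem and the fingerprint read from the firewall console into expected, using the hash the firewall actually prints; a False result means do not click Yes.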
To log in to a <strong>Sidewinder</strong> <strong>G2</strong>, follow the steps below.<br />
1. In the Username field, enter your <strong>Sidewinder</strong> <strong>G2</strong> user name.<br />
2. In the Authentication Method drop-down list, select the appropriate<br />
authentication method for the <strong>Sidewinder</strong> <strong>G2</strong> to which you are<br />
connecting.<br />
Valid options include a simple password or a more sophisticated method such as SafeWord, SecurID, SNK, RADIUS, LDAP or Microsoft NT.<br />
Note: All methods other than the password method require access to a separate authentication server.<br />
3. Click OK. An authentication window appears. Enter the appropriate<br />
response, and then click OK. When you connect for the first time, the<br />
Feature Notification window appears displaying the status <strong>of</strong> each<br />
licensed feature.
Figure 2-3. Feature Notification window<br />
Note: If you do not want this window to appear each time you connect, select the<br />
Don’t show this again check box.<br />
4. When you are finished viewing the window, click Close.<br />
The main Admin Console window appears. (See “About the main<br />
Admin Console window” on page 2-8 for information on using the main<br />
Admin Console window.)<br />
Note: For an overview <strong>of</strong> the tasks you can perform using the Admin Console, see<br />
“Admin Console conventions” on page 2-11.<br />
Disconnecting from the Sidewinder G2 via the Admin Console<br />
To end an Admin Console session for a Sidewinder G2, do one of the following:<br />
- Right-click the Sidewinder G2 icon, and select Disconnect from the menu that appears.<br />
- Select the Sidewinder G2 icon, and click Disconnect in the main Admin Console window.<br />
About the main Admin Console window<br />
When you start the Admin Console and connect to a Sidewinder G2, a window similar to the following appears.<br />
Figure 2-4. Main Admin Console menu<br />
From this window you can connect to and manage one or more Sidewinder G2s.<br />
Admin Console windows are divided into three areas: top, left, and right, as described in the sections below.<br />
About the top portion of the Admin Console window<br />
The top portion of the Admin Console window contains a row of icons that represent shortcut actions:<br />
- New Firewall: Add a Sidewinder G2 that you can manage using the Admin Console. For more information on adding a new Sidewinder G2, see “Adding a Sidewinder G2 to the Admin Console” on page 2-4.<br />
- Save: Save changes you make in the Admin Console to the Sidewinder G2.<br />
- Rollback: Cancel any unsaved changes in the Admin Console.<br />
- Refresh: Refresh (update) the screen.<br />
- State Change Wizard: Launch the State Change Wizard. (If you are connected to an HA or One-To-Many cluster, clicking this button takes you to the appropriate cluster management window.)<br />
- Help: Access context-sensitive online help for the Admin Console window currently displayed.<br />
The top portion of the window also contains the following menu options.<br />
- File: The following options are available under this menu:<br />
  - New Firewall: Add a Sidewinder G2 that can be managed using the Admin Console.<br />
  - Exit: Exit the Admin Console application.<br />
- Help: The following options are available under this menu:<br />
  - Context-sensitive Help: Display specific information for an Admin Console window. The title of this option matches the window for which you will receive help.<br />
  - About Help: Display information about the current version of the Admin Console software.<br />
About the left portion <strong>of</strong> the Admin Console window<br />
The left portion <strong>of</strong> the window contains the Admin Console tree. The<br />
Admin Console tree is not active unless you are connected to a<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Once you are connected to a specific <strong>Sidewinder</strong> <strong>G2</strong>,<br />
you can click on any <strong>of</strong> the items in the Admin Console tree to<br />
manage that area <strong>of</strong> your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
You can also right-click a Sidewinder G2 in the Admin Console tree to perform the following actions:<br />
- expand or collapse the branch items beneath a Sidewinder G2 icon<br />
- delete a Sidewinder G2 from the Admin Console<br />
- connect to or disconnect from a Sidewinder G2<br />
The lower left portion of the Admin Console provides a History button that displays the history of the selected feature.<br />
About the right portion <strong>of</strong> the Admin Console window<br />
The right portion <strong>of</strong> the Admin Console window initially displays<br />
configuration information for the <strong>Sidewinder</strong> <strong>G2</strong> to which you are<br />
currently connected, as follows:<br />
- Name: The name of the Sidewinder G2 to which you are connected.<br />
- IP Address: The IP address of the Sidewinder G2 to which you are connected.<br />
- Port: The port number used to connect to the Sidewinder G2.<br />
- Version: A read-only field that displays the Sidewinder G2 version after you connect.<br />
- Sidewinder G2 State: A read-only field that displays the current Sidewinder G2 state (standalone, part of an HA or One-To-Many cluster, or part of an enterprise managed environment).<br />
- State Change Wizard: This button launches the State Change Wizard, which allows you to do the following (options vary depending on the current state):<br />
  - Create or join a High Availability cluster.<br />
  - Create or join a One-To-Many cluster.<br />
  - Become part of an enterprise managed environment.<br />
  - Revert to a standalone.<br />
- Connect/Disconnect: Establishes or breaks a connection with the selected Sidewinder G2.<br />
Note: When you click on the different areas of the Admin Console tree, this portion of the window changes to display information specific to that area.<br />
Admin Console conventions<br />
When using the Admin Console, the following conventions and tips will help you avoid common mistakes:<br />
- To filter a table based on the contents of a single column, right-click a column heading and use the Filter By option to select the filter criteria (to customize a filter, select the Custom Filter option). To view all items in a table, select the No Filter option.<br />
- To sort a table by a particular field, click the appropriate column heading. Click the heading a second time to sort the list in reverse order.<br />
- To select an item to modify from a list, double-click it, or click it once to highlight it and then click Modify.<br />
- When a box preceding an option is filled in or contains a check mark, the option is enabled or selected. When the box is empty (no check mark appears), the option is disabled.<br />
- On some windows, you need to use the scroll bar to view all of the information or options.<br />
- In the Rules window, you can reposition rules and groups by clicking and dragging an entry to a new location.<br />
- To delete an item from a list or table in an Admin Console window, click the item to select it, and then click Delete.<br />
- When you leave a window that you have modified, you are automatically prompted to save your changes before you exit the window. You can also save your modifications at any time by clicking the Save icon in the toolbar (or an OK button in some pop-up windows).<br />
- When you exit a window and do not want to save your changes, click No when prompted. You can also cancel your changes at any time by clicking the Rollback icon (or the Cancel button in some windows) to restore the current window’s settings to the last saved version.<br />
- For assistance on any of the Admin Console windows, click the Help icon located in the top portion of the window. The online help provides information about each of the Admin Console windows. To view the entire list of available help topics, click the TOC button from within the help system.<br />
Using the Admin Console File Editor<br />
While administering Sidewinder G2, you may find it necessary to modify a text file or a configuration file. Although the usual UNIX editors are available (vi, emacs, and pico), you may find it easier to use the File Editor provided with the Admin Console.<br />
The File Editor is an easy-to-use editor that is available directly from the Admin Console. It simplifies the editing process, enabling you to perform virtually every necessary editing task from the Admin Console instead of using a command line.<br />
The File Editor also provides some additional conveniences such as<br />
unique file backup and restore features. (Of course, UNIX aficionados<br />
are still welcome to use the editor <strong>of</strong> their choice if they prefer.) In<br />
addition, using the File Editor through the Admin Console provides a<br />
secure connection.<br />
To access the File Editor, log in to the Admin Console, select File<br />
Editor, and then click Start File Editor. The following window appears:
Figure 2-5. File Editor window<br />
About the File Editor window<br />
The File Editor window contains three menus.<br />
- File: This menu contains the basic action options. Use it to open new or existing files and to save files. The File menu also provides two unique capabilities: it enables you to create a backup copy of a file, and to restore a file from a previously saved backup copy. See “Creating a backup file in the File Editor” on page 2-14 and “Restoring a file” on page 2-15 for details.<br />
- Edit: This menu enables you to perform typical functions such as cutting, copying, pasting, and finding/replacing text. See “Using the Find/Replace option” on page 2-16 for information on finding and replacing text.<br />
- Help: The following options are available under this menu:<br />
  - File Editor Help: Displays specific information for the File Editor window.<br />
  - About Help: Displays information about the current version of the Admin Console software.<br />
Opening and saving files in the File Editor<br />
When you select File -> Open or File -> Save As a window similar to the<br />
following appears.<br />
Figure 2-6. Open File window<br />
To open or save a file, follow the steps below.<br />
1. [Conditional] In the Source field, specify where the source is located. The<br />
options are:<br />
- Local File: the file is located on the local Windows workstation or on a network connected to the workstation.<br />
- Firewall File: the file is located on the Sidewinder G2.<br />
2. In the File field, type the full path name <strong>of</strong> the file.<br />
If you do not know the full path name, click Browse to browse the<br />
available directories. When you locate the file, click OK. The file name<br />
appears in the File field.<br />
3. Click OK to open or save the file, or click Cancel to cancel the request.<br />
Creating a backup file in the File Editor<br />
When modifying the <strong>Sidewinder</strong> <strong>G2</strong> configuration files, it is normally<br />
a good practice to create a backup copy <strong>of</strong> the file before you begin<br />
editing the file. That way, if you make a mistake while editing the file<br />
you have the option to revert to the original file. The File Editor<br />
provides an easy method for creating a backup copy <strong>of</strong> a file. You can<br />
even make a backup after you begin modifying a file. The key is to<br />
create the backup before you save your changes. Once you save your<br />
changes you will not be able to create a backup file that mirrors the<br />
original file.<br />
To make a backup copy <strong>of</strong> a file, open the file with the File Editor, then<br />
select File -> Backup. The following window appears:
Figure 2-7. Backup File window<br />
To make a backup copy of the last saved version of the file currently open within the File Editor, follow the steps below.<br />
1. In the Name of Backup File field, specify a name for the backup file. By default, the file is given the same name as the original file but with a .bak extension.<br />
The backup file will be created in the directory listed in the Current Directory field. This is the directory in which the original file currently resides, and cannot be modified.<br />
2. Click OK to save the information and exit the window, or click Cancel to exit the window without saving the backup file.<br />
Restoring a file<br />
In order to restore a file, the file must be open within the File Editor. Select File -> Restore and the following window appears.<br />
Figure 2-8. Restore window<br />
This window enables you to restore a file to its original contents. You<br />
can do this only if you have previously created a backup copy <strong>of</strong> the<br />
file. Follow the steps below.<br />
1. In the Restore From File field, specify the name <strong>of</strong> the backup file to use<br />
when restoring the file to its original condition. If you do not know the<br />
name <strong>of</strong> the backup file, click Select to browse the available files. When<br />
you locate the file, click Open. The file name appears in the Restore From<br />
File field.<br />
Note: If a backup file exists, it is in the same directory as the current file, because a backup can only be created in that directory. The Current Directory field displays the name of that directory and cannot be modified.<br />
2. Click OK to restore the file and exit the window, or click Cancel to exit the window without restoring the file.<br />
Using the Find/Replace option<br />
You can use the Find/Replace option on the Edit menu to perform advanced editing of files. To use the Find/Replace option, select Edit -> Find/Replace. The following window appears.<br />
Figure 2-9. Find/Replace window<br />
This window enables you to locate a character string within the file<br />
and to replace the character string with a different character string.<br />
Follow the steps below.<br />
1. In the Find what field, specify the character string you want to search for<br />
within the file.<br />
2. [Optional] If you want to replace the character string specified in the<br />
Find what field with a different character string, type the new string in<br />
the Replace with field.<br />
3. In the Search field, specify which direction in the file the search should be performed. There are two options:<br />
- Down: From your current position within the file, the File Editor searches down (forward) in the file for the specified character string.<br />
- Up: From your current position within the file, the File Editor searches up (backward) in the file for the specified character string.<br />
4. In the Case field, specify whether the File Editor should find any matching character string, or consider upper and lower case when performing the search. There are two options:<br />
- Match: Find only those character strings that exactly match the case as specified in the Find what field.<br />
- Ignore: Find all matching character strings regardless of upper and lower case.<br />
5. Click Find Next to initiate the character search and locate the next occurrence within the file.<br />
6. [Optional] If the search locates a match, you can click Replace to replace the found character string with the character string specified in the Replace with field. To replace all occurrences of the character string, click Replace All. An Info window appears indicating how many times the character string was replaced. Click OK to close the Info window.<br />
7. To find additional occurrences of the character string, continue to click Find Next for each occurrence. When there are no additional occurrences, a message appears telling you that the search is complete.<br />
8. When you are finished searching, click Close to exit this window.<br />
Remote administration using Secure Shell<br />
Secure Shell (SSH) provides encrypted, authenticated communication between two hosts over an insecure network, allowing you to remotely manage your Sidewinder G2. This section describes how to configure and use the Sidewinder G2 as an SSH server and/or an SSH client.<br />
Note: The procedures covered in the following sections are based on OpenSSH version 3.0.2p1, which supports both SSH protocol 1.5 and protocol 2.0 sessions. Protocol 1 is obsolete and has known cryptographic weaknesses; use protocol 2 sessions wherever the client supports them.<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an SSH server<br />
On the <strong>Sidewinder</strong> <strong>G2</strong>, SSH is typically used by administrators to log<br />
in to the <strong>Sidewinder</strong> <strong>G2</strong> securely from a remote machine. In this case<br />
the <strong>Sidewinder</strong> <strong>G2</strong> acts as the SSH server.<br />
When configuring the SSH server you have the option to use RSA/DSA (public key) authentication. With public key authentication, the client proves that it holds the private half of a key pair whose public half has been placed in the administrator’s authorized_keys file on the Sidewinder G2; private keys are never sent across the connection. The downside of RSA/DSA authentication is that it requires a bit more administrative effort, and the private key file on each administrator’s workstation must be protected (a passphrase on the key and restrictive file permissions), because anyone who obtains it can log in as that administrator.<br />
If you elect NOT to use RSA/DSA authentication, SSH clients must enter their Sidewinder G2 user name and authentication information when initiating the SSH connection.<br />
The following sub-sections provide specific information on configuring the Sidewinder G2 as an SSH server using RSA or DSA authentication, as well as general information on configuring the SSH server.<br />
Configuring SSH when not using RSA/DSA authentication<br />
If you are not using RSA/DSA authentication, follow the steps below<br />
to configure SSH.<br />
1. In the Admin Console, select Services Configuration -> Servers.<br />
2. Select sshd in the list <strong>of</strong> server names, and click the Configuration tab.<br />
3. Ensure that the Allow RSA Authentication field is disabled.<br />
Rather than using RSA authentication, each client will be required to log<br />
in using their <strong>Sidewinder</strong> <strong>G2</strong> user name and authentication information.<br />
4. Click the Control tab.<br />
5. Enable the SSH server in the desired burbs, then click the Save icon.<br />
6. [Conditional] If a Host Key Pair does not exist, you will be prompted by<br />
the Admin Console to confirm that the Admin Console will create an<br />
SSH host key. Click Yes.<br />
7. Configure and enable the authentication method you want to use to<br />
authenticate SSH sessions. See Chapter 9 for information.<br />
8. Create an SSHD rule that allows SSH clients to log into this <strong>Sidewinder</strong><br />
<strong>G2</strong> using SSH.<br />
In the rule, select the following options: Service Type= server,<br />
Service = sshd. You will also need to select the authentication method<br />
you enabled in step 7. See “Creating proxy rules” on page 7-4 for<br />
information on creating a proxy rule using the Admin Console.<br />
Note: If the client has previously established an SSH connection to the Sidewinder G2 and the firewall’s host key has since been regenerated, the host key the client saved for the firewall (in the known_hosts file of an OpenSSH client) must be deleted before it will connect again. Do this only when you know the host key was legitimately replaced: the same “host key has changed” warning is what an intercepted connection looks like, so check the new key’s fingerprint against the value from the firewall console before trusting it.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> is now ready to accept SSH connection requests.<br />
Remember that a client must have an administrator account on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> in order to log in.<br />
Configuring SSH when using RSA authentication<br />
If you are using RSA authentication to configure SSH, follow the steps<br />
below.<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2. Select Services Configuration -> Servers.<br />
3. Select sshd in the list <strong>of</strong> server names, and click the Configuration tab.<br />
4. Enable the Allow RSA Authentication field.<br />
5. If you do not currently have an SSH host key pair, click Generate New Host Key. Click OK to acknowledge that the new key pair has been created.<br />
You must have at least one SSH host key pair for the SSH daemon to operate. If you have an existing key pair, you do not need to create a new one. The host key pairs are stored in the /etc/ssh directory and have the following file names:<br />
- ssh_host_key: SSH version 1.5 RSA private key<br />
- ssh_host_key.pub: SSH version 1.5 RSA public key<br />
- ssh_host_rsa_key: SSH version 2.0 RSA private key<br />
- ssh_host_rsa_key.pub: SSH version 2.0 RSA public key<br />
- ssh_host_dsa_key: SSH version 2.0 DSA private key<br />
- ssh_host_dsa_key.pub: SSH version 2.0 DSA public key<br />
The private host keys are the firewall’s SSH identity: keep them readable by root only and do not copy them to other systems. Regenerating them changes the fingerprint every client has saved for the firewall.<br />
6. Click the Control tab.<br />
7. Enable the SSH server in the desired burbs, and then click the Save icon.<br />
8. From a command line prompt, create a subdirectory named .ssh in each administrator’s home directory.<br />
Example: If an administrator named lloyd has a home directory named /home/lloyd, create the .ssh subdirectory by typing the following commands:<br />
srole<br />
cd /home/lloyd<br />
mkdir .ssh<br />
Note: If you are a read-only administrator, type srole AdmnRO in place of srole.<br />
The directory must be owned by that administrator and must not be writable by group or others; with its default StrictModes setting, sshd ignores keys in a .ssh directory or authorized_keys file that other users could modify.<br />
9. Use a text editor to create a file named authorized_keys in each administrator’s .ssh directory. Do this using the File Editor provided in the Admin Console, or your favorite UNIX editor.<br />
10. Paste each user’s public key into the respective authorized_keys file, one key per line.<br />
The method you use to get the public keys onto the Sidewinder G2 is up to you. You might use FTP, or you might copy/paste from one window to another. A public key is not secret, but its integrity matters: whoever holds the private half of a key listed in authorized_keys can log in as that administrator, so after copying, compare the key’s fingerprint on the firewall with the fingerprint on the administrator’s workstation before enabling the rule in the next step.<br />
11. Create an SSHD rule that allows SSH clients to log into this Sidewinder G2 using SSH. See “Creating proxy rules” on page 7-4 for information on creating a rule using the Admin Console.<br />
The Sidewinder G2 is now ready to accept connections from SSH clients. Remember that an administrator must have an account on the Sidewinder G2 in order to log in.<br />
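Steps 8 through 10 above as an added example, not code from the Sidewinder G2 product or this guide: a Python helper that creates .ssh, appends a public key to authorized_keys without duplicating it, and forces the 0700/0600 permission bits that sshd’s StrictModes check requires. It also rejects protocol 1 key lines and lines whose key blob does not match the declared type, which a plain copy/paste would silently accept. Assumptions: a POSIX file system (demo() runs the procedure in a scratch directory from tempfile rather than /home/lloyd), the protocol 2 key types known to OpenSSH 3.x (ssh-rsa, ssh-dss), and a key line built by make_test_key that is syntactically valid but is not a real key.

```python
"""Install an administrator's SSH public key the way steps 8-10 describe,
with the checks the guide leaves implicit.  Added example, not Sidewinder
G2 code.  demo() runs it in a scratch directory instead of /home/lloyd.
"""
import base64
import os
import stat
import tempfile

# Protocol 2 key types understood by OpenSSH 3.x (the version the guide is based on).
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def validate_pubkey_line(line: str) -> str:
    """Return the cleaned key line, or raise ValueError.

    Rejects protocol 1 lines ('bits exponent modulus'), unknown key types,
    bad base64, and blobs whose embedded type string does not match the
    declared one (a damaged or tampered paste).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("empty or comment line")
    fields = line.split()
    if fields[0][0].isdigit():
        raise ValueError("protocol 1 RSA key lines are not accepted")
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("expected '<type> <base64> [comment]' with type in %r" % (KEY_TYPES,))
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        raise ValueError("key blob is not valid base64")
    # An OpenSSH key blob starts with a length-prefixed copy of the key type.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != fields[0].encode("ascii"):
        raise ValueError("key blob does not match the declared key type")
    return line


def is_valid_pubkey_line(line: str) -> bool:
    """Boolean form of validate_pubkey_line for callers that only need yes/no."""
    try:
        validate_pubkey_line(line)
        return True
    except ValueError:
        return False


def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Append the key to HOME/.ssh/authorized_keys unless already present.

    Returns True if the key was added, False if it was already there.
    The directory is forced to 0700 and the file to 0600: sshd's default
    StrictModes check ignores keys that other users could modify.
    """
    line = validate_pubkey_line(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs' mode is subject to umask; force the bits
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = [entry.strip() for entry in fh]
    if line in existing:
        return False
    with open(path, "a") as fh:
        fh.write(line + "\n")
    os.chmod(path, 0o600)
    return True


def mode_of(path: str) -> int:
    """Permission bits only (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def make_test_key(key_type: str = "ssh-rsa", comment: str = "lloyd@workstation") -> str:
    """Constructed key line: a syntactically valid blob, NOT a real key."""
    blob = len(key_type).to_bytes(4, "big") + key_type.encode("ascii")
    blob += b"\x00\x00\x00\x03\x01\x00\x01"  # a fake length-prefixed field
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)


def demo() -> dict:
    """Run the procedure for a scratch 'lloyd' home and report the outcome."""
    home = tempfile.mkdtemp(prefix="lloyd-home-")
    key = make_test_key()
    first = install_authorized_key(home, key)
    second = install_authorized_key(home, key)  # duplicate paste must be a no-op
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path) as fh:
        lines = fh.read().splitlines()
    return {
        "first_added": first,
        "second_added": second,
        "lines": lines,
        "dir_mode": mode_of(os.path.join(home, ".ssh")),
        "file_mode": mode_of(path),
    }


if __name__ == "__main__":
    print(demo())
```

On the firewall, install_authorized_key("/home/lloyd", key_line) after srole does what the mkdir and paste steps describe; the type-string check catches a line that was truncated or altered in transit, and the duplicate check keeps a repeated paste from growing the file.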
Configuring and using the Sidewinder G2 as an SSH client<br />
It is also possible for the <strong>Sidewinder</strong> <strong>G2</strong> to act as an SSH client. For<br />
example, you might want to establish an SSH connection between<br />
two <strong>Sidewinder</strong> <strong>G2</strong>s. In this case one <strong>Sidewinder</strong> <strong>G2</strong> operates as the<br />
server (via the SSH daemon), and the other operates as an SSH client.<br />
You have the option to use RSA authentication with the SSH client.<br />
Note: On non-<strong>Sidewinder</strong> <strong>G2</strong> systems, an SSH client that is run from root will bind to a<br />
reserved port. As a security feature, the <strong>Sidewinder</strong> <strong>G2</strong> SSH client is not allowed to bind to a<br />
reserved port. This is prevented by Type Enforcement.<br />
If not using RSA authentication<br />
There is nothing to configure on the <strong>Sidewinder</strong> <strong>G2</strong> if you are not<br />
using RSA authentication. To use the <strong>Sidewinder</strong> <strong>G2</strong> as an SSH client,<br />
follow the steps below:
1. Log in to the <strong>Sidewinder</strong> <strong>G2</strong> and type the following command to switch<br />
to the Admn domain.<br />
srole<br />
Note: If you are a read-only administrator, enter srole AdmnRO.<br />
2. Establish the connection with the SSH server by typing one <strong>of</strong> the<br />
following commands.<br />
ssh login_name address<br />
or<br />
ssh login_name@address<br />
where:<br />
login_name = the name used when logging onto the SSH server.<br />
address = the address <strong>of</strong> the host with which you are establishing an<br />
SSH connection.<br />
Note: You have the option to use an authentication method other than the default<br />
method when connecting to another <strong>Sidewinder</strong> <strong>G2</strong>. Type a colon and the name <strong>of</strong><br />
the authentication method after the login_name field. For example, to use<br />
SafeWord you would type:<br />
ssh login_name:safeword address<br />
If using RSA authentication<br />
To use the <strong>Sidewinder</strong> <strong>G2</strong> as an SSH client while using RSA<br />
authentication, you must perform several configuration steps before<br />
initiating the SSH connection.<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an SSH client<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2. Select Services Configuration -> Servers.<br />
3. Highlight sshd in the list <strong>of</strong> server names, then click the Configuration<br />
tab.<br />
4. Click Generate New Client Key to generate a public and private key pair<br />
that the <strong>Sidewinder</strong> <strong>G2</strong> can use when acting as an SSH client.<br />
Note: The <strong>Sidewinder</strong> <strong>G2</strong> SSH client public and private keys are created in the<br />
/home/username/.ssh directory, where username = the user name you used when<br />
connecting to the Admin Console. The client key file names are identity.pub and<br />
identity, respectively.<br />
Administrator’s Overview 2-21
5. [Conditional] If the SSH server that you will be connecting to is another Sidewinder G2, connect to that Sidewinder G2 using the Admin Console at this time.
If needed, click the New Firewall button in the top portion of the Admin Console and add the other Sidewinder G2(s) to the list of Sidewinder G2s you can administer.
6. If the SSH server that you will be connecting to is another Sidewinder G2, click Export Client Key to export the public client key to the other Sidewinder G2(s). Otherwise, use the best available method (FTP, cut and paste, etc.) to export the public client key to the SSH server.
7. Select the Sidewinder G2 to export to, and click OK.
Using the Sidewinder G2 as an SSH client
1. At a Sidewinder G2 command prompt, enter the following command to switch to the Admn domain:
srole
Note: If you are a read-only administrator, enter srole AdmnRO.
2. Establish the connection with the SSH server by typing the following command.
ssh -l login_name -o "RSAAuthentication yes" address
where:
login_name = the user name used when logging onto the SSH server
address = the address of the host with which you are establishing an SSH connection
See the ssh man page for more details.
On the Sidewinder G2, the SSH client must be run from the Admn domain. Many SSH daemons, however, do not allow root users to connect to the SSH daemon. To get around this, be sure to use the -l option when logging in. This allows you to log in as a different user.
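The following POSIX sh wrapper is an added example, not part of the guide: it performs the checks an administrator would want before running the RSA-authenticated ssh command above (both identity files exist, the private key is readable only by its owner) and then prints the command with -l set. The key directory parameter, login name and address used in the test are constructed; the file names identity and identity.pub are the ones the guide states.

```shell
# Added example, not from the Sidewinder G2 guide.
# Assumption: the SSH 1 client key pair lives in $HOME/.ssh/identity and
# $HOME/.ssh/identity.pub, as the guide describes for Generate New Client Key.

# Return 0 when the file has no group or other permission bits set.
# Columns 5-10 of "ls -ld" output are the group and other rwx fields.
key_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the ssh command line for login_name and address, or an error.
# Usage: build_ssh_cmd login_name address [key_dir]
build_ssh_cmd() {
    login=$1; addr=$2; keydir=${3:-$HOME/.ssh}
    priv="$keydir/identity"; pub="$keydir/identity.pub"
    [ -f "$priv" ] || { echo "missing client key $priv; click Generate New Client Key first" >&2; return 1; }
    [ -f "$pub" ]  || { echo "missing public key $pub; it must also be exported to the server" >&2; return 1; }
    key_is_owner_only "$priv" || { echo "$priv is readable by others; chmod 600 it" >&2; return 1; }
    # Always pass -l: the client runs from the Admn domain, and most daemons
    # refuse root logins, so the remote user must be named explicitly.
    printf 'ssh -l %s -o "RSAAuthentication yes" %s\n' "$login" "$addr"
}
```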
Configuring the SSH Admin Console windows
SSH is configured from the Admin Console by selecting Services Configuration -> Servers. Select sshd from the list of servers. Select the appropriate check box(es) to enable the server for one or more burbs.
To configure the SSH server, select the Configuration tab. The following window appears:
Figure 2-10. sshd Server Configuration tab
Configuring the sshd Server Configuration tab
The SSH Server Configuration tab enables you to generate host and client keys, and to specify whether RSA authentication is allowed. Follow the steps below.
1. If you want to allow SSH connections to be authenticated using RSA authentication, select the Allow RSA Authentication check box.
RSA authentication is a common encryption and authentication system that uses public and private key pairs held by the server and the client. It is based on the RSA algorithm. If this check box is not enabled, all SSH connections must be authenticated using a password.
2. To generate an SSH host authentication key that will be used when the Sidewinder G2 is acting as the server in an SSH connection, click Generate New Host Key.
Note: When you click Generate New Host Key, the system will automatically generate the following three authentication keys: RSA1, RSA, and DSA.
3. To generate the SSH version 1.5 client authentication key that will be used when the Sidewinder G2 is acting as a client in an SSH connection, click Generate New Client Key.
4. [Conditional] To export the client key to another Sidewinder G2, click Export Client Key. You can only export the client key if one has been generated and if you have an active Admin Console connection with one or more additional Sidewinder G2s (the Sidewinder G2[s] that will act as the SSH server).
5. Click the Save icon to save your changes.
Configuring the Export Client Key window
The Export Client Key window is used to select the Sidewinder G2(s) to which you want to export the public client key. After selecting the desired Sidewinder G2(s), click OK to initiate the export process.
Note: The SSH Admin Console windows currently support SSH version 1.5 session configurations. If you are using SSH version 2.0, you must manually generate the Client Key Pairs using a command line interface.
Tips on using SSH with Sidewinder G2
Please note the following information about SSH on the Sidewinder G2.
There are two configuration files associated with SSH:
— For the SSH daemon: /etc/sshd_config
— For the SSH client: /etc/ssh_config
See the ssh, sshd, and ssh-keygen man pages for additional details.
The Sidewinder G2's SSH daemon and client are based on the openssh implementation. See http://www.openssh.com for more information.
Administering Sidewinder G2 using Telnet
If you prefer to administer Sidewinder G2 using a command line interface rather than the Admin Console, you can configure Telnet services that allow you to provide administration from a system within your network. You can also allow trusted users to use a Telnet client to log in to Internet systems remotely.
Setting up an internal (trusted) Telnet server
Telnet provides a way to log in to a system in your network from another system. All you need to know is the name of the system you want to log in to. Once you have established a connection, you are logged in just as you would be if you were physically located at that system.
A Telnet server is defined for each burb on your Sidewinder G2: one for the external (Internet) burb and one for each of the internal (or trusted) burbs. This gives you the capability to Telnet to the Sidewinder G2 from any system on an internal burb so you can perform administrative tasks remotely.
Note: For security reasons, the Telnet servers are not initially enabled.
To access the trusted Telnet server, follow the steps below:
1. Create a proxy rule that allows access to the Telnet server and add it to the active rule group. See “Creating proxy rules” on page 7-4.
2. Enable the Telnet server as follows:
a. Select Services Configuration -> Servers.
b. Select telnet from the list of server names.
c. Select the burb(s) in which you want the Telnet server to be enabled. A check mark appears when the server is enabled for a burb.
d. Click the Save icon in the toolbar.
Important: All users accessing a Telnet server must be authenticated. If the proxy rule that allows entry for a Telnet connection does not specify authentication, users will not be able to log in.
To perform Sidewinder G2 administration tasks, you must have an account on the Sidewinder G2 as described in “Setting up and maintaining administrator accounts” on page 3-5. Aside from your account and authentication information, all you need to log in to the Sidewinder G2 is its name. To log in to the Sidewinder G2 using Telnet, see “Connecting to the Sidewinder G2 using Telnet” on page 2-26.
Setting up an external Telnet server
The Sidewinder G2 allows you to enable an external Telnet server. An external server resides on the external network side of the Sidewinder G2, and is available to Internet users once you set up the appropriate “allow” proxy rules and add them to the active rule group. (The other Telnet servers reside on the internal side of the Sidewinder G2 and are available only to trusted users.)
Security Alert: Setting up a Telnet server on the external side of your Sidewinder G2 can raise security issues—contact Secure Computing Customer Support before attempting this.
Connecting to the Sidewinder G2 using Telnet
Note: You must enable the Telnet server in the appropriate burb(s) before you will be allowed to Telnet. See “Setting up an internal (trusted) Telnet server” on page 2-24.
1. Telnet to the Sidewinder G2 and log in by typing the following command, using your Sidewinder G2 host name.
telnet hostname
When prompted, enter your Sidewinder G2 authentication information. Depending on the authentication method configured for you on the Sidewinder G2, you must now provide a valid password or a special passcode or personal identification number (PIN) before you are logged on to the Sidewinder G2.
2. Enter the following command:
srole
Note: To change to the AdmnRO domain, enter srole AdmnRO.
Enter commands from the UNIX prompt as required. Refer to Appendix A or the man pages for information on using individual commands.
CHAPTER 3
General System Tasks
About this chapter
This chapter contains information on performing basic Sidewinder G2 procedures such as setting up administrator accounts, setting the date and time, and saving system configuration information. This chapter includes the following topics:
“Restarting or shutting down the system” on page 3-2
“Setting up and maintaining administrator accounts” on page 3-5
“Changing passwords” on page 3-9
“Setting the system date and time” on page 3-9
“Using system roles to access type enforced domains” on page 3-11
“Configuration file backup and restore” on page 3-13
“Activating the Sidewinder G2 license” on page 3-19
“Protected host licensing and the Host Enrollment List” on page 3-27
“Enabling and disabling servers” on page 3-30
“Configuring the synchronization server” on page 3-33
“Configuring scanning services” on page 3-34
“Configuring the shund server” on page 3-39
“Loading and installing patches” on page 3-41
“Modifying the burb configuration” on page 3-48
“Modifying the interface configuration” on page 3-50
“Modifying the static route” on page 3-54
“Configuring remote Admin Console management” on page 3-56
“Enabling and disabling multi-processor mode” on page 3-57
“Configuring the Sidewinder G2 to use a UPS” on page 3-58
General System Tasks 3-1
Restarting or shutting down the system
You can boot the Sidewinder G2 to start up in one of two kernels: Operational or Administrative (see “Sidewinder G2 kernels” on page 1-4 for descriptions of each kernel). This section describes how to power up the Sidewinder G2 to the Operational kernel when the Sidewinder G2 is powered off, and how to reboot or shut down the system when the Sidewinder G2 is running.
Important: The Administrative kernel is used only when an administrator needs to perform special tasks (such as installing software or restoring Sidewinder G2 software from a backup tape), or under certain circumstances for troubleshooting purposes. For information on powering on the system in the Administrative kernel, see “Powering-up the system to the Administrative kernel” on page F-2.
When you power up the Sidewinder G2, it will boot to the Operational kernel by default. You can perform the same tasks in the Operational kernel as you can in the Administrative kernel. However, you will almost always run the Sidewinder G2 in the Operational kernel, unless you need to perform a full system backup or restore, or to install hardware or software. All procedures that require the Administrative kernel are discussed in Appendix F “Basic Troubleshooting”.
The procedures to power up, reboot, or shut down the Sidewinder G2 in the Operational kernel are described in the following subsections.
Important: When the Sidewinder G2 is rebooted or shut down, a record of who issued the action is logged in the /var/log/messages file. This applies to a reboot or shutdown issued from the Admin Console or using the shutdown command.
Powering-on the system to the Operational kernel
Note: For information on powering-on the system to the Administrative kernel, see “Powering-up the system to the Administrative kernel” on page F-2.
Because the Operational kernel is the default kernel, you can boot your Sidewinder G2 to the Operational kernel by pressing the power button. Once the system has booted, you can start the Admin Console and log in to your Sidewinder G2. Once you are logged in, you can perform the Operational kernel tasks described in this manual.
Note: If the boot process fails, see “What to do if the boot process fails” on page F-16.
Rebooting or shutting down using the Admin Console
The following procedure allows you to reboot or shut down the system using the Admin Console.
In the Admin Console, select Firewall Administration -> System Shutdown. The following window appears.
Figure 3-1. System Shutdown window
Entering information on the System Shutdown window
This window is used to either reboot the Sidewinder G2 or to shut down the system completely. Follow the steps below.
1. In the Shutdown Options area, select the action you want to perform:
Reboot to Operational Kernel—Restarts the system in the Operational kernel.
Reboot to Administrative Kernel—Restarts the system in the Administrative kernel and displays the # prompt at the Sidewinder G2, indicating that you are in a login shell and can start issuing Sidewinder G2 or UNIX commands. (You will be prompted to mount the file systems.)
Important: You must connect a keyboard and monitor to the Sidewinder G2 before you can administer the system in the Administrative kernel. See “Powering-up the system to the Administrative kernel” on page F-2 for more information.
Halt System—Shuts down the Sidewinder G2 software without restarting. Run this command before you move your Sidewinder G2 to a new location or make hardware changes.
2. [Optional] If you want a shutdown message to appear informing users of a pending shutdown, type the message text in the Shutdown Message field.
3. In the Shutdown Time field, select the shutdown time from the following options.
Immediately—The system will shut down immediately when you click Execute Shutdown.
Delay Shutdown for—The shutdown will be delayed for the amount of time specified in the Hours and Minutes fields. You can enter values in these fields that will delay the shutdown for up to 24 hours and 59 minutes.
4. Click Execute Shutdown to implement the shutdown.
Note: Any connections to the Admin Console will be lost when the Sidewinder G2 shuts down. New connections to the Sidewinder G2 will not be allowed once the shutdown process has been executed.
Rebooting or shutting down using a command line interface
Enter one of the following shutdown commands to reboot or shut down the system from a command line interface. The shutdown process for a Sidewinder G2 that belongs to an HA cluster is slightly different. See “Scheduling a soft shutdown for an HA cluster Sidewinder G2” on page 16-27 for information on shutting down a Sidewinder G2 that belongs to an HA cluster.
Note: To view the options to specify when the Sidewinder G2 will shut down or reboot, type man shutdown and press Enter.
To restart the system in the Operational kernel, enter the following command at a Sidewinder G2 command prompt:
shutdown -r time_in_minutes
To restart the system to the Administrative kernel, enter the following command at a Sidewinder G2 command prompt:
shutdown -g time_in_minutes
Important: You must connect a keyboard and monitor to the Sidewinder G2 before you can administer the system in the Administrative kernel. See “Powering-up the system to the Administrative kernel” on page F-2 for details.
To shut down the Sidewinder G2 without restarting, enter the following command at a Sidewinder G2 command prompt:
shutdown -h time_in_minutes
Setting up and maintaining administrator accounts
Each Sidewinder G2 administrator must have an account created on the system. When you installed your Sidewinder G2, you created an initial administrator account by entering a login name and password. This section describes how to set up and maintain Sidewinder G2 accounts for other administrators.
Note: Only administrators have accounts directly on the Sidewinder G2. People who use Sidewinder G2 networking services have “user” (or network login) accounts, not Sidewinder G2 administrator accounts. See “Creating users and user groups” on page 5-1 for information on creating non-administrative user accounts.
When you add an administrator account, you will also assign the new administrator a role. The following table describes the available administrator roles.
Table 3-1. Administrator roles
Role      Authorized to:
admin     Access all windows, menus, and commands within the Admin Console.
          Add and remove users and assign roles.
          Do incremental back-ups and restore the system. (Full back-ups and restores are done in the Administrative kernel.)
          Use all other system functions and commands.
adminro   Read access to all windows, menus, and commands within the Admin Console (including monitoring, reporting, and auditing). This role is generally used as an auditor role.
Use the following process to add, edit, or delete administrator account information or change role assignments.
Start the Admin Console and select Firewall Administration -> Firewall Accounts. A window similar to the following appears.
Figure 3-2. Firewall Accounts window
About the Firewall Accounts window
This window displays the administrator accounts currently established on the Sidewinder G2. Each row in the table defines one user account, and contains the following information:
Username—This column identifies the name used by each administrator when logging into the Sidewinder G2.
Full Name—This column identifies the full name of each user.
Role—This column identifies the authorized role for each user.
Directory—This column identifies the home directory path that is created for that user.
You can also specify the following information, which applies to all user accounts:
Delete home directory upon deletion of user—Select this check box to configure the Sidewinder G2 to automatically delete a user’s home directory if a user’s account is deleted from the system.
Administrator Authentication Default Method—Select the default authentication method that will be used by administrators to log in to the Sidewinder G2.
Note: This is different from the default authentication method that is specified within individual proxy rules, which are only for proxy users.
To create or modify a user account, click New or Modify, and see “Adding or modifying an administrator account” on page 3-7 for details.
To delete a user account, highlight the user account you want to delete and click Delete. A confirmation message appears. Select Yes to delete the account or No to cancel. (When you delete an administrator account, the user database entry for that administrator is also removed.)
Adding or modifying an administrator account
When you click New or Modify in the Firewall Accounts window, the following window appears.
Figure 3-3. Administrator Information tab
Note: The information shown in the Firewall Accounts window is stored in the /etc/sidewinder/roles.conf file.
Entering information on the Firewall Accounts - New/Modify window
To create a new Sidewinder G2 administrator account or to modify an existing account, follow the steps below.
1. In the Username field, type the user name for the administrator. The name can consist of up to 16 alphanumeric characters. However, a user name must begin with an alphabetic character.
Important: Do NOT use uppercase characters in the username field, because sendmail will automatically convert the user name to lowercase before mail is delivered. Therefore, any mail addressed to a username that contains uppercase characters will not be forwarded.
Note: If you are editing an existing account, you cannot change the user name.
2. In the Password field, type a password for this administrator. This is the password the administrator must enter when logging into the Sidewinder G2. Use the following guidelines to create a strong password:
Use passwords that are at least 7 or 8 characters in length.
Use a mix of upper and lowercase letters, and non-alphabetic characters such as symbols and numbers.
Do not use any easily guessed words or words found in a dictionary, including foreign languages.
Note: If you are modifying the account, the encrypted password is displayed in this field.
3. [Optional] In the Full Name field, type the full name of the administrator.
4. [Optional] In the Office field, type the office address of the administrator.
5. [Optional] In the Office Phone field, type the office phone number of the administrator.
6. [Optional] In the Home Phone field, type the home phone number of the administrator.
7. In the Directory field, specify the home directory for this administrator. The default value for this field is /home/username. (This field can only be modified if you are creating a new administrator account.)
8. In the Login Shell drop-down list, specify the UNIX shell that will be used when this administrator logs in.
9. In the Roles drop-down list, select the authorized role for this administrator.
admin—Select this option if you want the user to have administrator privileges for all areas on the Sidewinder G2.
adminro—Select this option to allow read privileges only. This role will allow an administrator to view all system information, as well as create and run audit reports. An administrator with read-only privileges cannot commit changes to any area of the Sidewinder G2.
10. Click Add to save the changes (or OK if modifying an account), or click Cancel to exit the window without saving the changes.
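The following POSIX sh functions are an added example, not from the guide: they check a proposed administrator username and password against the rules in steps 1 and 2 above (16 lowercase alphanumerics starting with a letter; mixed-case password with a non-letter that is not simply a dictionary word). The 8-character minimum is the stricter reading of the guide's "7 or 8", and the word list and sample values are constructed stand-ins for a real dictionary.

```shell
# Added example, not from the Sidewinder G2 guide.
# Character classes below rely on the C locale so [a-z] means ASCII only.
LC_ALL=C; export LC_ALL

# Username: 1-16 alphanumerics, must start with a letter, no uppercase
# (sendmail lowercases the name, so mail to a mixed-case name is lost).
check_admin_username() {
    u=$1
    [ "${#u}" -ge 1 ] && [ "${#u}" -le 16 ] || { echo "username must be 1-16 characters"; return 1; }
    case $u in
        [a-z]*) ;;
        [A-Z]*) echo "uppercase characters are not allowed"; return 1 ;;
        *)      echo "username must begin with a letter"; return 1 ;;
    esac
    case $u in
        *[!a-z0-9]*) echo "only lowercase letters and digits are allowed"; return 1 ;;
    esac
    return 0
}

# WORDS is a constructed stand-in for a dictionary file.
WORDS="password secret firewall sidewinder admin welcome"

# Password: at least 8 characters, upper and lower case, at least one
# non-letter, and not a dictionary word once case and digits/symbols are
# stripped (so "Password1" is rejected even though it mixes classes).
check_admin_password() {
    p=$1
    [ "${#p}" -ge 8 ] || { echo "password shorter than 8 characters"; return 1; }
    case $p in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case $p in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $p in *[!A-Za-z]*) ;; *) echo "no digit or symbol"; return 1 ;; esac
    letters=$(printf '%s' "$p" | tr 'A-Z' 'a-z' | tr -cd 'a-z')
    for w in $WORDS; do
        [ "$letters" = "$w" ] && { echo "dictionary word with digits or symbols added"; return 1; }
    done
    return 0
}
```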
Changing passwords
To change an administrator account password (also known as a UNIX account password), do the following:
Note: If you forget your password, you can still access the Administrative kernel to change your password. See “If you forget your administrator password” on page F-19.
1. In the Admin Console, select Firewall Administration -> Firewall Accounts. The Administrator Accounts window appears.
2. Click on the administrator account whose password you want to change, then click Modify. The Firewall Accounts: Modify window appears.
3. In the Password field, enter the new administrator account password.
4. Click OK.
Setting the system date and time
Use the following procedures to check the Sidewinder G2 system clock or change the system clock from the Admin Console.
Viewing/changing the date and time
To check and/or change the system date and time settings, start the Admin Console and select Firewall Administration -> Date and Time. The Date and Time window appears.
Figure 3-4. Date and Time window
About the Date and Time window
To change the date and time, follow the steps below.
Important: Applying changes to the date and time will cause the Sidewinder G2 to automatically reboot. Therefore, you should only modify date and/or time settings during off-hours. Also note that the reboot will cause you to lose your Admin Console connection.
Important: The Admin Console allows you to set the clock ahead a maximum of 31 days. The Admin Console does NOT allow you to set the system clock back in time. To set the clock back, reboot to the Administrative kernel and run the config_time utility. See “Changing the date or time using the config_time utility” on page 3-10 for details.
1. In the Location drop-down list, select the world-wide location of this Sidewinder G2.
2. In the Time Zone drop-down list, select the time zone in which this Sidewinder G2 is located.
3. In the Date field, select the current date from the Month, Day, and Year drop-down lists.
4. In the Time drop-down list, select the current time (hours, minutes, AM/PM).
5. Click the Save icon to save your changes.
Changing the date or time using the config_time utility
To change the system date or time setting on the Sidewinder G2, use the config_time utility, as follows.
1. Reboot the Sidewinder G2 to the Administrative kernel. For information on rebooting to the Administrative kernel, see “Powering-up the system to the Administrative kernel” on page F-2.
2. At a Sidewinder G2 command prompt, enter the following command:
config_time
The first date and time configuration window appears.
3. Specify the correct time zone.
When you are prompted to set the time zone, type yes or no (default), then press Enter.
If you respond no, proceed to step 4.
If you respond yes, a list of time zone options appears and you must type in the exact spelling for the time zone option you want and then press Enter.
4. Specify the correct system clock settings.
At the screen asking if you want to set the system clock, type yes or no (default), then press Enter.
If you respond no, the config_time script stops.
If you respond yes, you will be prompted to enter the current date, then the current time. Specify the date and time in the format shown on the screen.
Important: If you increment the system date by more than a few days, you may cause passwords to expire. For example, if a user’s password is set to expire in six days and you increment the date setting by seven days, that user’s password will automatically expire.
5. Reboot to the Operational kernel by entering the following command:
shutdown -r now
The following information provides command line information that<br />
will assist you in determining the kernel, domain, and system role in<br />
which you are currently running.<br />
Note: For more information on any of the commands described below, see the appropriate man page.
Checking which kernel you are running (uname)
To find out whether you are operating in the Administrative or Operational kernel, type the following command:
uname -a
The -a parameter prints the kernel name as well as other system identifying attributes, such as hardware platform information. SW_OPS indicates you are running in the Operational kernel. SW_ADMIN indicates you are running in the Administrative kernel.
Checking which domain you are using (whereami)
To check which domain you are currently executing in, type the following command:
whereami
A response similar to the following will appear:
domain=User
The domain in the response indicates in which domain you are operating.
Changing your domain access using the system role (srole) command
When you initially log in to the Sidewinder G2 using a command prompt, you are logged into the User domain by default. The User domain allows very little access, including no access to sensitive files. To change to the Admn domain, which allows access to all Sidewinder G2 domains (based on your administrative role), enter the following command:
srole
Note: If you are a read-only administrator, enter srole adminro to change to the AdRO domain.
To return to the previous domain role and shell, enter the following command:
exit
You are returned to the User domain.
Configuration file backup and restore
Note: For information on performing a full or incremental system backup or restore, see “Backing up system files” on page F-4 and “Restoring system files” on page F-8.
Note: For information on performing a configuration restore using the command line, see “Restoring configuration files using the command line” on page F-14.
This feature enables you to back up and restore Sidewinder G2 configuration files. Backing up the configuration files enables you to quickly restore a Sidewinder G2 to its desired operational state. Note that this is different from the full system file backup and restore capabilities described in the Troubleshooting appendix. Table 3-2 shows the difference between a configuration backup and a system file backup.
Note: Use a full system file backup after adding new hardware. See “Performing a full system backup (level0)” on page F-5.
Table 3-2. Configuration backup/restore vs. system file backup/restore
Configuration backup and restore | System file backup and restore
Backs up and restores just the Sidewinder G2 configuration files. | Backs up and restores the entire Sidewinder G2 hard drive.
Backs up the files to diskette, to itself, or to the hard drive of another Sidewinder G2. | Backs up the Sidewinder G2 hard drive to a DAT.
Does not allow for incremental backups. | Allows for incremental backups.
You back up and restore from within the Operational kernel. This enables you to perform the backup and restore on another Sidewinder G2. | Requires you to boot to the Administrative kernel to perform the backup and restore. This means you cannot perform this backup and restore on another Sidewinder G2.
Can be performed on either a local or a remote Sidewinder G2, using the Admin Console. | Can only be performed locally using the Installation Wizard.
Enables you to restore a Sidewinder G2 without having to re-install from scratch. | Requires you to re-install from scratch using the DAT.
Restores only the configuration files. Mail queues, audit trails, etc., are not restored. | Restores the entire system as it existed at the time of the backup. This includes old mail queues, audit trail information, etc.
Does not back up site-specific changes made to non-configuration files. | Backs up all site-specific changes.
The backup and restore process is quick. | The backup and restore process is not as quick.
Figure 3-5 displays the various options you have when using the configuration backup process.
Figure 3-5. Configuration file backup options
Option 1) Back up your local Sidewinder G2 configuration files to diskette.
Option 2) Back up your Sidewinder G2 configuration files to its own hard drive (used to allow you to FTP the configuration backup to another location, for instance).
Option 3) Back up a Sidewinder G2 to a different Sidewinder G2 (the local Sidewinder G2 sends the backup over an SSL connection across the Internet to the remote Sidewinder G2).
What is backed up and restored
There are two files that determine which configuration files will be backed up and restored. The files are located in the /etc/backups/config_backup directory and are named:
backup_file_list—Contains the list of files and directories that will be included in the configuration backup/restore process. Wild cards can be used when specifying names in this file.
exclude_file_list—Defines the files within backup_file_list that should be excluded from the configuration backup/restore process. For example, files that contain graphics are located in some of the directories specified in backup_file_list that should not be included in the configuration backup/restore process. You cannot specify directory names or use wild cards in this file.
Caution: While it is possible to modify these two files, do so with caution. To prevent accidental modification, these files are defined as read-only. If you absolutely must modify one of these files, use the Admin Console.
What is not backed up or restored
The general rule is, if it is not a configuration file it will not be backed up. For example, the configuration backup/restore process will not process the mail queues, the audit trail, the log files, any executable files, etc. As such, modifications you make to non-configuration files will not be backed up and restored.
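The include/exclude rules described above can be checked against a throwaway directory tree before you rely on them. The POSIX sh script below is an added example, not Sidewinder G2's own backup code or its shipped file lists: it treats a scratch directory as the root filesystem, reads a constructed backup_file_list (directory names and wildcards allowed) and a constructed exclude_file_list (exact file paths only), and prints the files a backup built from those lists would contain. The directory tree, the list contents, and the function names are all constructed for this demo.

```shell
#!/bin/sh
# Added example (not Sidewinder's own backup code): resolves the set of files a
# backup_file_list / exclude_file_list pair selects, using the rules the guide
# states: include entries may name directories or use wildcards; exclude
# entries are exact file paths (a directory name or wildcard there has no effect).
# ROOT stands in for "/" so the demo never touches the real filesystem.

sw_resolve_backup_set() {
    # usage: sw_resolve_backup_set ROOT INCLUDE_LIST EXCLUDE_LIST
    # prints the sorted, de-duplicated absolute paths that would be backed up
    rt=$1; inc=$2; exc=$3
    (
        cd "$rt" || exit 1
        while IFS= read -r pat; do
            case $pat in ''|'#'*) continue ;; esac   # skip blank and comment lines
            pat=${pat#/}                             # map /etc/... onto ROOT/etc/...
            for p in $pat; do                        # unquoted: wildcard expansion
                [ -e "$p" ] || continue              # unmatched pattern adds nothing
                if [ -d "$p" ]; then
                    find "$p" -type f                # directories are taken recursively
                else
                    printf '%s\n' "$p"
                fi
            done
        done < "$inc"
    ) | sed 's|^|/|' | LC_ALL=C sort -u |
    awk -v exc="$exc" '
        BEGIN { while ((getline l < exc) > 0) if (l != "") ex[l] = 1 }
        !($0 in ex)'                                 # exact-path exclusion only
}

sw_demo() {
    # Constructed tree and lists. /var/backups/repository and /var/log are
    # deliberately left out of the include list, as the guide describes.
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/sidewinder/sub" "$root/var/backups/repository" "$root/var/log"
    for f in etc/sidewinder/proxy.conf etc/sidewinder/logo.gif \
             etc/sidewinder/sub/rules.conf etc/hosts etc/hostname \
             var/backups/repository/old.cfg var/log/messages; do
        : > "$root/$f"
    done
    printf '%s\n' '# constructed backup_file_list' '/etc/sidewinder' '/etc/host*' \
        > "$root/backup_file_list"
    # logo.gif is a graphics file to drop; /etc/sidewinder/sub is a directory
    # entry, which the guide says is not valid here, so it excludes nothing.
    printf '%s\n' '/etc/sidewinder/logo.gif' '/etc/sidewinder/sub' \
        > "$root/exclude_file_list"
    sw_resolve_backup_set "$root" "$root/backup_file_list" "$root/exclude_file_list"
    rm -rf "$root"
}
```

Running sw_demo lists /etc/hostname, /etc/hosts, /etc/sidewinder/proxy.conf and /etc/sidewinder/sub/rules.conf: the wildcard in the include list matched both host files, logo.gif was dropped by its exact path, and the directory entry in the exclude list had no effect, which is why rules.conf is still present. A sanity run like this, with the real lists copied from /etc/backups/config_backup, is a cheap way to confirm a backup will contain what you expect before you need to restore from it.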
Backing up and restoring configuration files using the Admin Console
To back up or restore your configuration files using the Admin Console, start the Admin Console and select Firewall Administration -> Configuration Backup. The Configuration Backup window appears.
Note: See “Restoring configuration files using the command line” on page F-14 for details on restoring configuration files when the Admin Console is not accessible.
Figure 3-6. Configuration Backup window
About the Configuration Backup window
The Configuration Backup window allows you to back up and restore your Sidewinder G2 configuration files. Configuration files can be backed up to either a floppy diskette, the Sidewinder G2 hard drive, or the hard drive of another Sidewinder G2. You can restore the backup configuration files using this window when your system is operational.
Important: If you will be performing a configuration backup to or restore from a remote Sidewinder G2, you must first configure the synchronization server information (see “Configuring the synchronization server” on page 3-33). You must also enable the Synchronization proxy rule on the remote Sidewinder G2. See “Creating proxy rules” on page 7-4.
Backing up configuration files using the Admin Console
To back up your configuration files using the Admin Console, follow the steps below.
1. In the Configuration Action field, select Backup.
2. In the Backup To or Restore From field, select the type of backup you want to make:
Floppy Diskette—Select this option to back up to a floppy diskette.
Local Sidewinder—Select this option to back up to the Sidewinder G2 hard drive (the backup can then be transferred to another location using FTP).
Remote Sidewinder—Select this option to back up to a different Sidewinder G2. If you select this option, you must first ensure that both the synchronization server and Synchronization rule have been configured and enabled on the remote Sidewinder G2 (where the backup will reside). See “Configuring the synchronization server” on page 3-33.
[Conditional] If you selected Remote Sidewinder or Local Sidewinder in the previous step, do the following:
a. [Remote Sidewinder only] In the Address field, type the IP address of the remote Sidewinder G2.
b. [Remote Sidewinder only] In the Port field, type the port that will be used to connect to the remote Sidewinder G2. The port number specified in this field must match the port number used for the remote Sidewinder G2. The default for this field is 9005 and should not be modified.
Note: The Port field does not support port lists. The remote Sidewinder G2 must be listening on the specified port for the transfer to occur.
c. [Remote Sidewinder only] In the Shared Sync Key field, enter a synchronization key that you created when you configured the synchronization server. (You can view the synchronization key for the synchronization server by going to Services Configuration -> Servers -> Synchronization -> Configuration tab.)
d. In the Filename field, type the filename that the current configuration is stored as on the specified Sidewinder G2 in the /var/backups/repository directory. This is needed in case there are multiple configurations on your Sidewinder G2.
Remote backups will be stored in directories and file names with the format filename.hostname (where the filename is the user-specified value and the hostname is the fully qualified domain name of the Sidewinder G2 being backed up or restored).
3. To edit the list of files that will be included in the backup, click Edit Include List. A file editor window is displayed, containing a list of the files and directories that will be backed up. In this window, you can add or delete files or directories to include in the backup.
Note: By default, previous backups are not included in a new backup. If you want to include previous backup files in a current backup, you must add the /var/backups/repository file path to the Include List.
4. To edit the list of files that will be excluded from the backup, click Edit Exclude List. A file editor window is displayed, containing a list of the files that will NOT be backed up. You can add or delete files from the exclude list as desired. (Only individual files can be added or deleted from the Exclude list. You cannot include directories in the Exclude list.)
5. The Local Backup Files area provides a list of current configuration backups stored on the local Sidewinder G2 hard disk repository. To delete a backup file from the list, highlight one or more backups that you want to delete and click Delete.
6. To begin the backup process, click the Save icon.
Important: You must remove the diskette before the Sidewinder G2 reboots or the reboot process will fail.
Restoring configuration files using the Admin Console
To restore configuration files using the Admin Console, follow the steps below.
Note: You must restore configuration files from a backup file that was created at the same version as the system to which you are restoring (for example, if your system is currently running at version 6.1.1.00, you can only perform a restore using a version 6.1.1.00 configuration backup file).
1. In the Configuration Action field, select Restore.
2. In the Backup To or Restore From field, select the type of restore you want to perform:
Floppy Diskette—Select this option to restore from a floppy diskette.
Local Sidewinder—Select this option to restore from the Sidewinder G2 hard drive.
Remote Sidewinder—Select this option to restore from a different Sidewinder G2.
Note: The Local Backup Files area provides a list of current configuration backups stored on the Sidewinder G2 hard disk repository.
3. [Conditional] If you selected Remote Sidewinder or Local Sidewinder in the previous step, do the following:
a. [Remote Sidewinder only] In the IP address field, type the IP address of the remote Sidewinder G2.
b. [Remote Sidewinder only] In the Port field, type the port that will be used to connect to the remote Sidewinder G2. The port number specified in this field must match the port number used for the remote Sidewinder G2.
Note: The Port field does not support port lists. The remote Sidewinder G2 must be listening on the specified port for the transfer to occur.
c. [Remote Sidewinder only] In the Shared Sync Key field, enter a synchronization key that you created when you configured the synchronization server on the remote Sidewinder G2 (where the backup resides). You can view the synchronization key for the synchronization server by going to Services Configuration -> Servers -> Synchronization -> Configuration tab.
d. In the Filename field, type the filename that the current configuration is stored as on the Sidewinder G2 in the /var/backups/repository directory. This is needed in case there are multiple configurations on your Sidewinder G2.
4. To begin the restore process, click the Save icon. The system will automatically reboot when the restore process is complete.
Important: If you selected the diskette method, you will be prompted to insert a diskette into the Sidewinder G2 diskette drive. You must remove the diskette before the Sidewinder G2 reboots or the reboot process will fail.
Activating the Sidewinder G2 license
In most cases, you will license your Sidewinder G2 and any licensed features during the initial configuration process. When you initially connect to a Sidewinder G2 using the Admin Console, a window appears displaying a list of features that are currently licensed for that Sidewinder G2.
If you need to relicense or license a feature after initial configuration, you can use this section to activate a license using the Admin Console.
Note: When the Sidewinder G2 is rebooted or shut down, a record of who issued the action is logged in the /var/log/messages file. This applies to a reboot or shutdown issued from the Admin Console or by using the shutdown command.
Important: See “Protected host licensing and the Host Enrollment List” on page 3-27 for information on how the Sidewinder G2 enforces the host license limits.
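Because every reboot or shutdown, whether issued from the Admin Console or with the shutdown command, is recorded together with the issuing user in /var/log/messages, that file is where you confirm that a reboot (for example, the one a configuration restore or a new activation key triggers) came from an expected administrator. The POSIX sh script below is an added example, not part of this guide or of the firewall's software: it assumes the record takes the BSD shutdown(8) form "shutdown: <action> by <user>" (an assumption, since the guide does not show the line), and the sample log lines and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Sidewinder G2 guide): pulls "who rebooted or
# halted the firewall" records out of syslog-style /var/log/messages lines and
# flags any record whose issuing user is not on a list of expected operators.
# Assumed record form (BSD shutdown(8)):
#   "Mon DD HH:MM:SS host shutdown: <action> by <user>"

sw_shutdown_audit() {
    # usage: sw_shutdown_audit "user1 user2 ..."   (space-separated allow list)
    # reads log lines on stdin; prints "Mon DD HH:MM:SS action user" per
    # record, with " UNEXPECTED" appended when the user is not on the list
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 == "shutdown:" && $7 == "by" {
            flag = ($8 in ok) ? "" : " UNEXPECTED"
            print $1, $2, $3, $6, $8 flag
        }'
}

sw_sample_messages() {
    # constructed sample of /var/log/messages (not real firewall output)
    printf '%s\n' \
        'Mar  3 10:15:02 fw1 shutdown: reboot by admin' \
        'Mar  3 10:15:05 fw1 syslogd: exiting on signal 15' \
        'Mar  4 08:00:11 fw1 sshd[512]: Accepted publickey for admin' \
        'Mar  5 23:40:01 fw1 shutdown: halt by ro_admin'
}

sw_audit_demo() {
    # only "admin" is an expected operator in this demo
    sw_sample_messages | sw_shutdown_audit "admin"
}

sw_audit_demo
```

On a real firewall you would feed the file itself (for example `sw_shutdown_audit "admin" < /var/log/messages`) and adjust the awk field tests if your syslog line layout differs from the assumed form. The halt by ro_admin in the sample comes out flagged UNEXPECTED, which is the condition worth reviewing after an unplanned reboot.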
Licensing from a Sidewinder G2 connected to the Internet
If you are working on a Sidewinder G2 that is connected to the Internet, you can use the following general steps to provide the necessary information for your company and obtain an activation key.
1. Locate the serial number for your Sidewinder G2. The serial number should appear on your Activation Certificate.
2. In the Admin Console, enter your company and contact information in the Firewall Administration -> Firewall License -> Contact and Company tabs. The information you provide in each tab is submitted when you obtain your activation key, and is used for technical support assistance. For details on providing information in the Contact and Company tabs, see “Configuring the Firewall License tabs” on page 3-22.
3. In the Admin Console, complete the information in the Firewall Administration -> Firewall License -> Firewall tab. Be sure to submit the data to receive your activation key. See “Entering information on the Firewall tab” on page 3-24 for details on completing the information and receiving your activation key.
Note: You will need the serial number that you located in step 1.
4. Reboot the system.
Note: For information on rebooting to the Operational kernel, see “Restarting or shutting down the system” on page 3-2.
When your system reboots, your Sidewinder G2 software and any features you licensed will be activated.
Licensing from a Sidewinder G2 on an isolated network
If you are on an isolated network and do not have access to the Secure Computing activation server, you can request an activation key using the following method.
From the Admin Console (on the isolated network):
1. Locate the serial number for your Sidewinder G2 on the Activation Certificate. The serial number is a 16-digit alpha-numeric code.
2. In the Admin Console, select Firewall Administration -> Firewall License, and select the Firewall tab.
3. In the Serial Number field, enter the serial number.
4. In the Firewall ID field, enter the MAC address you want to use as your firewall ID.
There will be one MAC address listed for each NIC on the Sidewinder G2. You need only to select one of the MAC addresses.
From a workstation that has Web access:
5. Go to any workstation with Web access and use a Web browser to access the Sidewinder G2 activation Web page.
https://www.securecomputing.com/cgi-bin/sidewinder-activation.cgi
6. Complete the form on the Web site and click Submit.
A new Web page appears that displays the activation key.
7. Save the Web page to an html file.
8. Copy the file to a location that is accessible either by the Sidewinder G2 or by the system you are using to manage the Sidewinder G2.
You can copy the file using any of the following options:
FTP the file
E-mail the file
Save the file to a diskette
From the Admin Console (on the isolated network):
9. In the Admin Console, select Firewall Administration -> Firewall License, and then select the Firewall tab.
10. Click Import Key.
11. Select one of the following:
Local File—Select this option if the activation key resides on a diskette or hard drive on either a local machine or on a network drive.
Firewall File—Select this option if the activation key resides in a directory located on the Sidewinder G2.
12. Navigate to the location of the file you saved in steps 6 and 7, select the file, then click OK.
The activation key located within the file is read and stored in the Activation Key field.
13. In the Admin Console menu, select Firewall Administration -> System Shutdown and reboot the Sidewinder G2 to the Operational kernel.
Note: For information on rebooting to the Operational kernel, see “Restarting or shutting down the system” on page 3-2.
Your Sidewinder G2 software and the features you licensed are now activated.
14. To complete the licensing process, fill in the information fields in the Firewall License windows. See “Entering information in the Contact tab” on page 3-22 and “Entering information in the Company tab” on page 3-23 for details.
Configuring the Firewall License tabs
To configure license information, select Firewall Administration -> Firewall License in the Admin Console. The Firewall License window appears. The window contains four tabs used to collect various licensing information.
Figure 3-7. Firewall License: Contact tab
Entering information in the Contact tab
The Contact tab is used to enter contact information for the administrator of this particular Sidewinder G2. This information is needed so that you can receive important customer bulletins and renewable support licenses. Follow the steps below.
Note: The fields shown in parentheses are optional.
1. In the First Name field, type the first name of the Sidewinder G2 administrator.
2. In the Last Name field, type the last name of the Sidewinder G2 administrator.
3. In the E-mail field, type the e-mail address of the Sidewinder G2 administrator.
4. In the Primary Phone field, type the phone number of the Sidewinder G2 administrator, including the area code.
5. [Optional] In the Alternate Phone field, type an alternate phone number in case the first number is unavailable.
6. [Optional] In the Fax field, type a fax number for your organization.
7. [Optional] In the Job Title field, type the job title of the person responsible for administering this Sidewinder G2.
8. [Optional] In the Purchased From field, type the name of the company that sold you this Sidewinder G2.
9. [Optional] In the Comments field, type miscellaneous information about your site.
10. Click the Save icon.
11. Click the Company tab to enter information about your company. The Company tab appears.
Figure 3-8. Firewall License: Company tab
Entering information in the Company tab
The Company tab is used to enter information about the company that has purchased this particular Sidewinder G2. Follow the steps below.
1. In the Company Name field, type the full name of the company that purchased this Sidewinder G2.
2. In the Industry Classification drop-down list, select the classification that most closely matches your industry.
3. Fill in the requested address information fields on the Company Address tab and on the Billing Address tab. If the information is the same on both tabs, enter the information on the Company Address tab, then switch to the Billing Address tab and click Copy From Company Address.
4. Click the Save icon.
5. Click the Firewall tab to provide the information necessary to license your Sidewinder G2. The Firewall tab appears.
Figure 3-9. Firewall License: Firewall tab
Entering information on the Firewall tab
This tab is used to enter information about the Sidewinder G2 you are attempting to license. Follow the steps below.
Note: For information on the Current Features area, see “Displaying the status of features on Sidewinder G2” on page 3-27.
1. In the Serial Number field, type the 16-digit alpha-numeric serial number for this Sidewinder G2. The serial number is located on your Sidewinder G2 Activation Certificate.
2. In the Firewall ID drop-down list, select a MAC address to use as your firewall ID. There will be one MAC address listed for each NIC in the Sidewinder G2. Select the first MAC address in the list.
The Activation URL field displays the URL of the Web site to which the Sidewinder G2 licensing information will be sent. If you are required to modify the URL, click Edit to modify the activation URL. The Edit Activation URL window appears. See “Entering information on the Edit Activation URL window” on page 3-26.
3. Click Submit Data to submit the data to the Secure Computing Corporation licensing Web site. The license information is sent using an encrypted HTTPS session. If the data is complete, the request will be granted and a new activation key will be written to the Activation Key field. This key is used by the Sidewinder G2 to activate or deactivate the various software features available on the Sidewinder G2.
After receiving a new activation key, a message will appear prompting you to reboot the Sidewinder G2. The new activation key will not take effect until you perform a reboot.
The current status of the various Sidewinder G2 features is displayed in the Current Features area. If a feature you want to use is currently not licensed, you must obtain a different activation key in order to enable that feature.
4. [Optional] If you need to import an activation key that has been saved to a file, click Import Key. You will typically use this button if your Sidewinder G2 or local network does not have access to the URL defined in the Activation URL field. The activation key is retrieved by a different machine, saved to an HTML file, then moved to a location that is accessible by either the Sidewinder G2 or by the Windows machine you are using to run the Admin Console.
5. Select the Enrollment List tab to enter information regarding the host enrollment list. The Enrollment List tab appears.
Figure 3-10. Firewall License: Enrollment List tab
Entering information on the Enrollment List tab
The he Licensed host limit field displays the number <strong>of</strong> hosts for which<br />
you are licensed. The Number <strong>of</strong> hosts in enrollment list field displays the<br />
current number <strong>of</strong> hosts that are contained in the enrollment list. The<br />
Host Enrollment List displays the actual IP addresses <strong>of</strong> hosts that are in<br />
the enrollment list. To delete a host, highlight the host you want to<br />
delete, and click Delete. To refresh the window to reflect updated<br />
information, click Refresh.<br />
See “Protected host licensing and the Host Enrollment List” on page 3-<br />
27 for an in-depth discussion about the Host Enrollment List.<br />
Entering information on the Edit Activation URL window

To edit the activation URL, follow the steps below.

Note: Do not edit the activation URL unless instructed to do so by Secure Computing Technical Support.

In the Edit Activation URL window you can restore the default web-based URL by clicking Restore Default URL. You can also click in the URL field and manually type a new URL address. Click OK to save your changes and return to the Firewall tab.

Entering information on the Import Key window

1. In the Source field, select either Local File or Firewall File.
   • Local File—Select this option if the activation key resides on a diskette or hard drive on either a local machine or on a network drive.
   • Firewall File—Select this option if the activation key resides in a directory located on the Sidewinder G2.
2. In the File field, type the name of the file that contains the activation key, or click Browse to search the available drives for the file that contains the activation key. When you locate the file, select the file, then click Open. The file name appears in the File field.
3. Click OK to approve the specified file. The activation key is extracted from the file and written to the Activation Key field.

Note: You must reboot the Sidewinder G2 in order for the new activation key to take effect.
Displaying the status of features on Sidewinder G2

To display the status of the features installed on Sidewinder G2, in the Admin Console select Firewall Administration -> Firewall License and then select the Firewall tab. The Current Features field at the bottom of the tab displays the features currently available for Sidewinder G2, and the status of each feature on your particular Sidewinder G2.

Protected host licensing and the Host Enrollment List

The Host Enrollment List is a dynamic list that is used to record each unique IP address (host) that makes an outbound connection to the Internet. The Sidewinder G2 uses this list to verify compliance with the IP address license "cap"—the portion of your Sidewinder G2 license that dictates the number of hosts the Sidewinder G2 will support.

Important: You may ignore this section if you have an unlimited license. All license processing is bypassed if you have an unlimited license.

Tip: In general, a host is a client on an internal or external network that is being protected by the Sidewinder G2. For accounting purposes, a host is any unique host IP address that originates a connection through the Sidewinder G2. See “How hosts are calculated” on page 3-28 for more details.

The Sidewinder G2 provides administrators the capability to display and modify the enrollment list. This allows you to identify which IP addresses are currently counted against your protected host license cap. It also enables you to delete IP address entries that you do not want counted against your host cap. For example, you might do this if a connection is initiated from a test system in your lab and you do not want that system to count against the host license cap.

The Sidewinder G2 strictly enforces the maximum IP address (host) license number, meaning only the number of IP addresses authorized by the protected host license will be allowed to make connections through the Sidewinder G2. If the number of IP addresses in the enrollment list exceeds 75% of the number allowed by your protected host license, an audit will occur, informing you that you are approaching the maximum number of hosts. The audit will also display the current number of hosts and the maximum number of hosts that are allowed for your license.
If the enrollment list becomes full, additional audits will occur each time a new IP address attempts to make a connection to the Internet. However, only the IP addresses contained in the enrollment list will be allowed. IP addresses not already listed in the enrollment list will be unable to make a connection to the Internet. A user attempting to make a connection using a browser will receive a standard policy denial message. If a user is attempting to make a connection using a non-browser application (for example, FTP) the connection will simply be blocked and they will not receive an error message.

You can configure the licexceed alarm event to email the administrator when the enrollment list reaches the maximum number allowed, and IP addresses are denied access due to a protected host license violation. See Chapter 17 for details on configuring alarms.

If you reach the host enrollment maximum and you want to allow access to additional hosts, you will need to modify the host enrollment list to remove host entries that no longer need to be listed, upgrade your license, or upgrade to a larger Sidewinder G2 appliance. See “Displaying and modifying the Host Enrollment List” on page 3-29 for information on managing the host enrollment list.
How hosts are calculated

In general, a host is defined as a workstation that is protected by the Sidewinder G2 and uses the Sidewinder G2 to connect to the Internet. Any host that contains a unique IP address and that initiates a connection from a non-Internet burb is counted as a new host.

The manner in which remote hosts access the Sidewinder G2 may affect the host count. For example:
   • Remote hosts that use dynamic addressing rather than static addressing may have multiple IP addresses added to the Host Enrollment List.
   • Hosts accessing the Sidewinder G2 via a VPN will be added to the Host Enrollment List if the VPN uses proxies to move the traffic from a non-Internet burb to another burb. Figure 3-11 illustrates this idea.
Figure 3-11. Determining which VPN clients count against the host license cap (the figure shows Client A and Client B, their VPN tunnels and data flows across the Internet to the Sidewinder G2 and its internal network). Client A = Not counted against the host license cap. Client B = Counted against the host license cap.
The Sidewinder G2 counts total hosts, not concurrent hosts. It is important to understand the distinction. Assume you have a 25 host license. If you have 30 hosts, but only 20 are in use or online at any one time, you will still exceed the license cap because the Sidewinder G2 will eventually detect a 26th host, putting you over the limit.
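The following Python model is an added example, not code from the guide or from the product. It reproduces the enrollment rules stated in this section (unique source IPs from non-Internet burbs are enrolled, an audit fires once the list exceeds 75% of the cap, a full list denies new IPs while still admitting listed ones, deleting an entry keeps its current connection open, and a license upgrade clears the list) so that the "total hosts, not concurrent hosts" scenario above can be replayed. The audit name for the 75% warning, the burb names and the 192.0.2.0/24 and 10.0.0.0/8 addresses are constructed; licexceed is the alarm event name the guide uses.

```python
"""Model of the Sidewinder G2 protected host license cap and Host Enrollment List.

Added example for the administration guide; it is not the product's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AUDIT_THRESHOLD = 0.75                          # "exceeds 75% of the number allowed" (guide)
AUDIT_LICEXCEED = "licexceed"                   # alarm event name used by the guide
AUDIT_APPROACHING = "host_limit_approaching"    # constructed name for the 75% audit
INTERNET_BURB = "Internet"


@dataclass
class Decision:
    allowed: bool
    audits: List[str] = field(default_factory=list)


class HostEnrollmentList:
    """licensed_limit=None models an unlimited license: all license checks are bypassed."""

    def __init__(self, licensed_limit: Optional[int]):
        self.licensed_limit = licensed_limit
        self.hosts: List[str] = []                  # enrolled IPs, in enrollment order
        self.open_connections: Dict[str, int] = {}  # open connections per source IP

    def count(self) -> int:
        return len(self.hosts)

    def connection_attempt(self, src_ip: str, src_burb: str) -> Decision:
        """Apply the cap to a new connection originating from src_ip in src_burb."""
        decision = Decision(allowed=True)
        # Only connections that originate from a non-Internet burb are counted.
        if self.licensed_limit is None or src_burb == INTERNET_BURB:
            self._open(src_ip)
            return decision
        if src_ip in self.hosts:
            self._open(src_ip)                      # already enrolled: always admitted
            return decision
        if len(self.hosts) >= self.licensed_limit:
            # Full list: the new IP is denied and an audit fires for each attempt.
            decision.allowed = False
            decision.audits.append(
                f"{AUDIT_LICEXCEED}: {src_ip} denied, list full "
                f"({len(self.hosts)} of {self.licensed_limit} hosts)")
            return decision
        self.hosts.append(src_ip)                   # total hosts seen, not concurrent hosts
        self._open(src_ip)
        if len(self.hosts) > AUDIT_THRESHOLD * self.licensed_limit:
            decision.audits.append(
                f"{AUDIT_APPROACHING}: {len(self.hosts)} of {self.licensed_limit} hosts")
        return decision

    def connection_closed(self, src_ip: str) -> None:
        remaining = self.open_connections.get(src_ip, 0)
        if remaining <= 1:
            self.open_connections.pop(src_ip, None)
        else:
            self.open_connections[src_ip] = remaining - 1

    def delete_host(self, src_ip: str) -> None:
        """Remove an entry; an existing connection is preserved, a reconnect needs room."""
        if src_ip in self.hosts:
            self.hosts.remove(src_ip)

    def upgrade_license(self, new_limit: Optional[int]) -> None:
        """The guide: the list is cleared automatically when the license is upgraded."""
        self.licensed_limit = new_limit
        self.hosts.clear()

    def _open(self, src_ip: str) -> None:
        self.open_connections[src_ip] = self.open_connections.get(src_ip, 0) + 1


def total_not_concurrent_demo(license_cap: int = 25, hosts: int = 30,
                              online: int = 20) -> Tuple[Optional[str], int]:
    """The guide's scenario: 30 hosts, at most 20 online at once, a 25-host license.
    Returns (first denied IP, enrolled count); addresses are constructed."""
    enrollment = HostEnrollmentList(license_cap)
    currently_open: List[str] = []
    first_denied = None
    for i in range(1, hosts + 1):
        if len(currently_open) >= online:           # keep only `online` hosts connected
            enrollment.connection_closed(currently_open.pop(0))
        ip = f"192.0.2.{i}"
        decision = enrollment.connection_attempt(ip, "internal")
        if decision.allowed:
            currently_open.append(ip)
        elif first_denied is None:
            first_denied = ip
    return first_denied, enrollment.count()
```

Running total_not_concurrent_demo() shows the 26th distinct address being denied even though no more than 20 hosts were ever connected at once, which is the distinction the paragraph above draws.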
Displaying and modifying the Host Enrollment List

To display and modify the contents of the Host Enrollment List using the Admin Console, select Firewall Administration -> Firewall License and click the Enrollment List tab. In this window, you can do the following:
   • View the number of hosts authorized by your current Sidewinder G2 license in the Licensed host limit field. This is your host license "cap."
   • View the current number of hosts listed in the Number of hosts in enrollment list field. This number is important because if it exceeds the number of hosts authorized by the Sidewinder G2 license, you will be considered to be in violation of your license cap. If you have an unrestricted host license, the term Unlimited will appear in this field.
     The Host Enrollment List is cleared automatically if you upgrade your protected host license.
   • Delete hosts from the Host Enrollment List by highlighting the host and clicking Delete. To select multiple hosts to delete, hold the Shift key while selecting the hosts.

Note: You can update the contents of the Host Enrollment List field by clicking Refresh.
Consider the following information when deleting entries from the enrollment list:
   — If the host you delete has a current connection through the Sidewinder G2, that connection will be preserved.
   — If the host severs the connection and attempts a new connection, the new connection request may or may not be approved.
   — A new connection request will be permitted only if there is still room available within the enrollment list.

Enabling and disabling servers

Figure 3-12. Servers window
The Admin Console allows you to view the status of each server and to enable or disable each server from one central location. You can also configure some of the servers in this window. To view the status of a server or to enable/disable a server, select Services Configuration -> Servers.

About the Servers window

The Servers window displays a list of the available servers in the left portion of the window. A green circle appears in front of a server if the server is currently enabled. A red circle with a slash indicates that the server is disabled. When you select a server, the properties for that server appear in the right portion of the window.

You can enable or disable some servers for the entire Sidewinder G2, while other servers can be enabled or disabled for individual burbs on the Sidewinder G2. The fields and buttons that appear in the right portion of the window will change depending on the type of server that is selected. If the selected server can be enabled for individual burbs, the Enabled For field will also appear. To enable or disable a server, select the Control check box for that server for each burb. (A check mark appears for each burb in which the server is enabled.) The following table provides some helpful information on specific servers.

Table 3-3. Sidewinder G2 servers

Server Name: Notes

auditdbd: The audit database daemon server. By default, this server is not enabled. See Chapter 18.

changepw: The Change Password server. See Chapter 9.

cmd: Certificate Management Daemon server. The CMD server must be enabled before configuring the certificate server. See Chapter 13.

entrelayd: The entrelayd server is used for managing standalone Sidewinder G2s, as well as multiple Sidewinder G2s in an HA cluster or One-To-Many cluster. See Chapter 15 and Chapter 16.

fixclock: The basic clock synchronization server that is used to ensure that the Sidewinder G2 clock remains up-to-date. This server cannot be enabled if you have configured and enabled NTP on your Sidewinder G2.

gated-unbound: The server used in conjunction with OSPF (Dynamic) routing. See Appendix C.

isakmp: The ISAKMP server is used by the Sidewinder G2 to generate and exchange keys for VPN sessions. See Chapter 13.

kmvfilter: The kmvfilter (keyword, MIME, and virus filter) server enables the Sidewinder G2 to perform keyword, MIME, and anti-virus mail filtering. For information on configuring mail filtering, see “Creating Mail Application Defenses” on page 6-21.

named-internet: A DNS server. Available only if two DNS servers (Split DNS mode) are defined. This server services the Internet burb. See Chapter 10.

named-unbound: A DNS server. If one DNS server is defined, this server services all the burbs on the Sidewinder G2. If two DNS servers (Split DNS mode) are defined, this server services all burbs except the Internet burb. See Chapter 10.

ntp: The Network Time Protocol (NTP) server. See Appendix B.

routed: The server used in conjunction with RIP routing. See Appendix D.

sendmail: The SMTP server. See Chapter 11.

shund: The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and verifies the signature on the data that the IDS has generated.

snmpd: Simple Network Management Protocol daemon. The SNMP server can only be enabled for one burb, and it cannot be enabled for the Internet burb. See Chapter 14.

spamfilter: This server allows you to enable anti-spam mail filtering for the burbs that you specify, as well as configure whitelists for internal and external burbs. For information on configuring anti-spam mail filter rules, see “Creating Mail Application Defenses” on page 6-21. For information on configuring advanced spamfilter properties and whitelist configuration, see “Configuring advanced anti-spam options” on page 11-13.

sshd: The Secure Shell daemon server. The SSHd server provides secure encrypted communication between two hosts. See Chapter 2.

sso: The Single Sign-On (SSO) server allows you to configure SSO. SSO allows users access to multiple services with a single successful authentication to the Sidewinder G2. See “Configuring SSO” on page 9-27.
   Note: If you disable the SSO server, the SSO authenticated user cache will be emptied (that is, all cached users will be removed). When the SSO server is enabled again, all users will need to authenticate before being added back into the cache.

synchronization: The synchronization server is used to synchronize configuration information among Sidewinder G2s that are participating in a One-To-Many cluster or an HA cluster. It also allows you to perform a configuration backup or restore to/from a remote Sidewinder G2. See “Configuring the synchronization server” on page 3-33.

telnet: If you disable the Telnet server, all future connections will be denied. Any users who are currently logged in to the server will not be affected. See Chapter 2.

upsd: The Uninterruptible Power Supply daemon server. See “Configuring the Sidewinder G2 to use a UPS” on page 3-58 for more information.

WebProxy: The Web Proxy server. Certain Sidewinder G2 features such as SmartFilter will not work if the Web Proxy server is disabled. See Chapter 12.
Configuring the synchronization server

The synchronization server is used to synchronize configuration information among Sidewinder G2s that are participating in a One-To-Many cluster or an HA cluster. It also allows you to perform a configuration backup or restore to/from a remote Sidewinder G2.

To configure the synchronization server, log in to the Admin Console, select Services Configuration -> Servers and then select synchronization from the Server Name list. The synchronization server Control tab appears. To enable or disable a server, select the Control check box for that server for each burb. (A check mark appears for each burb in which the server is enabled.) To configure the synchronization server, select the Configuration tab. The following window appears.

Figure 3-13. Synchronization server: Configuration tab

About the synchronization server Configuration tab

This tab allows you to configure the shared synchronization key and port number, and allows you to select the SSL certificate for the synchronization server. Follow the steps below.

Note: The synchronization server is automatically configured for you when you create a High Availability or One-To-Many cluster.

1. In the Shared Sync Key field, type the shared key. The shared key is any 10 character, alphanumeric string (for example, 12345abcde). You will need to enter this key again if you configure HA or One-To-Many, or if you perform a configuration backup or restore from a remote Sidewinder G2.
2. In the Port field, specify the port on which the synchronization server will listen. The default is 9005 and should not be changed.
3. In the SSL Certificate drop-down list, select the certificate to use for the synchronization server. The certificate will be one of the following:
   • the default certificate
   • a self-signed, RSA certificate that is defined on the Firewall Certificates tab of the Certificate Management window.
   Important: Before assigning a new certificate, you must first create a new certificate.
4. [Conditional] To go to the Firewall Certificates window, click Certificates. The Firewall Certificates window is used to define new certificates. After creating a new certificate you can return to the Configuration tab and assign the new certificate to the synchronization server.
   For detailed information on certificates, refer to “Configuring and displaying firewall certificates” on page 13-37.
5. Enable the Synchronization rule. See “Creating proxy rules” on page 7-4.
6. Click the Save icon to save your changes.

Configuring scanning services
The scanner service is a licensed feature that utilizes virus scanning services that allow you to configure and enable system-level MIME and virus scanning on the Sidewinder G2 for HTTP and mail. When you enable scanning services, you can specify the number of server processes that will be dedicated to various data sizes, allowing the Sidewinder G2 to process data more efficiently. You can also configure how often the subscription list will be updated.

To utilize scanning services on Sidewinder G2, you must also ensure the following conditions have been met:
   • The Anti-Virus feature must be licensed. To verify that the feature has been licensed, see “Displaying the status of features on Sidewinder G2” on page 3-27. If you are not licensed for Anti-Virus, contact your sales representative.
   • The kmvfilter server must be enabled for the appropriate burbs if you are scanning mail messages. (This server is not required to be enabled for HTTP scanning services.) For information on enabling the kmvfilter server, see “Enabling and disabling servers” on page 3-30.
   • The appropriate Application Defenses must be configured and contained in proxy rules that are included in the active proxy rule list.

Note: For information on configuring scanning for Web services, see “Creating Web or Secure Web Application Defenses” on page 6-4. For information on configuring scanning for mail services, see “Creating Mail Application Defenses” on page 6-21.

To configure and enable scanning services, in the Admin Console select Services Configuration -> Scanner. The Scanner window appears with the Control tab displayed.
About the Scanner Control tab

This tab allows you to enable or disable the scanning services. This feature must be enabled if you are planning to configure MIME and/or anti-virus filtering for Web and/or mail services. To enable scanning services, click Enable. To disable scanning services, click Disable. To configure the scanner feature, click the Advanced tab and see “About the Scanner Advanced tab” on page 3-35.

Important: The MIME/anti-virus scanning service is a licensed feature. While scanning services can be enabled and configured, they will not function unless the feature has been licensed. For information on licensing a feature, see “Activating the Sidewinder G2 license” on page 3-19.

About the Scanner Advanced tab

Figure 3-14. Scanner: Advanced tab

This tab allows you to configure how the scanner processes on your Sidewinder G2 will be distributed for incoming and outgoing traffic. This is done by configuring the scanner groups that are defined in the distribution table. There are four groups (or types) of traffic, each with a specific size category. For each size category, you can specify how many scanner processes will be dedicated to processing traffic for that size range. (You cannot modify the size values or configure additional size categories.)

The File Size Range column displays the size limits for each group. The Scanners column displays the number of scanner processes that will be dedicated to that size range. The number of scanner processes that you specify for each group will depend on the type of traffic your Sidewinder G2 processes.
For example, if your Sidewinder G2 processes a large amount of traffic that is under 40kB, you may dedicate a larger number of scanner processes to that group. If your Sidewinder G2 processes only a small amount of traffic that exceeds 40kB, you may dedicate only one scanner process to that group. There is also a default Unlimited group that processes all traffic that is over 1MB.

This tab also allows you to view the current virus scanner engine version. To configure the Scanner Advanced tab, follow the steps below.

1. To configure the number of scanner processes for a particular group, highlight the group in the table and click Modify. The Edit Scanners window appears. See “About the Edit Scanners window” on page 3-36 for information on configuring the number of scanner processes for a group.
2. In the Scan Buffer Size field, specify the size of information (in kB) that can be held in the memory buffer before a backup file is created to temporarily hold the traffic for processing. This value must be between 8kB and 64kB. The default value is 50kB.
3. In the Archive Scan Buffer Size field, specify the amount of memory that will be used to contain the contents of archive files before the anti-virus engine will temporarily write the contents to disk to perform the virus scan. The default is 64MB.
4. To view the virus scanner engine version number that is currently installed, click Show Installed Engine Version Number Now. A pop-up window appears displaying the current version. To close the pop-up window, click OK.
5. To continue configuring the scanner feature, click the Signatures tab and see “About the Scanner Signature tab” on page 3-37.

About the Edit Scanners window

The Edit Scanners window allows you to specify the number of scanner processes that will be available for processing traffic that falls within the size limits of the selected group. You must dedicate at least one scanner process to each group.

1. In the Scanners field, specify the number of scanner processes you want to dedicate for the selected group. The number of scanner processes should not exceed a combined total of 20 processes for all groups that are configured. (Configuring more than 20 total processes may have a negative impact on performance.)
2. Click OK to update the group and return to the Scanner Advanced tab.
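The planner below is an added example, not code from the guide or the product. It takes the rules stated on the Advanced tab and in the Edit Scanners window (a payload is handled by the group whose size range it falls into, every group needs at least one scanner process, more than 20 processes in total is discouraged, and the Scan Buffer Size must be 8kB to 64kB) and derives an allocation from an observed traffic mix, which is what the "large amount of traffic under 40kB" advice above asks you to judge by hand. The guide names only the 40kB and 1MB boundaries and says there are four groups; the 200kB boundary of the third group, the group names and the sample of payload sizes are constructed for this example.

```python
"""Planning scanner process allocation for the Sidewinder G2 scanner groups.

Added example for the administration guide; the middle size boundary is an assumption.
"""
from typing import Dict, List, Optional, Tuple

KB = 1024
MB = 1024 * KB

# Upper bound (exclusive) of each size group. "under 40kB" and "over 1MB" come from
# the guide; the 200kB boundary and the group names are constructed for this example.
SIZE_GROUPS: List[Tuple[str, Optional[int]]] = [
    ("small", 40 * KB),
    ("medium", 200 * KB),
    ("large", 1 * MB),
    ("unlimited", None),            # the default Unlimited group: everything over 1MB
]
MIN_SCANNERS_PER_GROUP = 1          # guide: at least one process per group
MAX_TOTAL_SCANNERS = 20             # guide: more than 20 in total may hurt performance
SCAN_BUFFER_KB_RANGE = (8, 64)      # guide: Scan Buffer Size must be 8kB..64kB (default 50kB)


def group_for_size(nbytes: int) -> str:
    """Return the name of the scanner group that would handle a payload of nbytes."""
    for name, upper in SIZE_GROUPS:
        if upper is None or nbytes < upper:
            return name
    raise AssertionError("unreachable: the last group is unbounded")


def validate_allocation(alloc: Dict[str, int]) -> List[str]:
    """Return the rule violations for a proposed allocation (empty list = acceptable)."""
    problems = []
    for name, _ in SIZE_GROUPS:
        if alloc.get(name, 0) < MIN_SCANNERS_PER_GROUP:
            problems.append(f"group {name!r} needs at least {MIN_SCANNERS_PER_GROUP} scanner")
    total = sum(alloc.values())
    if total > MAX_TOTAL_SCANNERS:
        problems.append(f"{total} scanners in total exceeds the recommended {MAX_TOTAL_SCANNERS}")
    return problems


def validate_scan_buffer_kb(kb: int) -> bool:
    """True when a Scan Buffer Size value is inside the range the tab accepts."""
    low, high = SCAN_BUFFER_KB_RANGE
    return low <= kb <= high


def plan_allocation(sample_sizes: List[int], total: int = MAX_TOTAL_SCANNERS) -> Dict[str, int]:
    """Split `total` scanner processes across the groups in proportion to how many of
    the sampled payloads fall into each group, keeping at least one per group.
    Largest-remainder rounding makes the counts sum exactly to `total`."""
    names = [name for name, _ in SIZE_GROUPS]
    hits = {name: 0 for name in names}
    for size in sample_sizes:
        hits[group_for_size(size)] += 1
    alloc = {name: MIN_SCANNERS_PER_GROUP for name in names}
    spare = total - MIN_SCANNERS_PER_GROUP * len(names)
    observed = sum(hits.values())
    if spare <= 0 or observed == 0:
        return alloc                          # nothing to distribute beyond the minimum
    quota = {name: spare * hits[name] / observed for name in names}
    for name in names:
        alloc[name] += int(quota[name])       # whole part of each group's share
    leftover = spare - sum(int(q) for q in quota.values())
    by_remainder = sorted(names, key=lambda n: quota[n] - int(quota[n]), reverse=True)
    for name in by_remainder[:leftover]:      # hand the rest to the largest fractions
        alloc[name] += 1
    return alloc


# Constructed sample of payload sizes: mostly small web objects, a few large downloads.
SAMPLE_SIZES = [10 * KB] * 80 + [100 * KB] * 12 + [500 * KB] * 6 + [2 * MB] * 2
```

For the constructed sample, plan_allocation(SAMPLE_SIZES) gives 14 processes to the small group, 3 to medium, 2 to large and 1 to the Unlimited group, exactly 20 in total, and validate_allocation reports no problems for it; feeding it a proposal with a zero-process group or 30 processes overall returns the corresponding violation.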
About the Scanner Signature tab

Figure 3-15. Scanner: Signature tab

This tab allows you to configure the properties for anti-virus updates. You can download and install virus updates manually, or you can configure the Sidewinder G2 to automatically download and install updates at intervals that you determine. Follow the steps below.

Important: Secure Computing recommends downloading the latest signature files prior to enabling Anti-Virus services on the Sidewinder G2.

1. In the Source area, verify/modify the following fields:
   • FTP Site—The name of the FTP site from which the package will be downloaded.
     Note: If the download fails, verify that the name resolves to an IP address and is reachable from the Sidewinder G2 host.
   • Username—The name to use when logging onto the FTP site. The default user name is anonymous.
   • Password—The password to use when logging onto the FTP site. The password is your e-mail address.
   • Directory—The path name on the FTP site that contains the update. The default directory is /pubs/antivirus/datfiles/4.x/.
2. [Conditional] To configure automatic virus updates, follow the sub-steps below. To manually update the virus definitions immediately, go to step 3. (The download process validates the new signature files against the currently installed engine.)
   a. Select the Enable Automated Download and Install check box to configure the download and install properties.
   b. In the Frequency field, specify how frequently you want to download and install updated information. To download and install every day, select Daily. To download and install once a week, select Weekly.
   c. [Conditional] If you selected Weekly in the previous step, in the Day field, specify the day of the week that you want to download and install updates. You can use the up and down arrows to select the day, or you can type the first few letters of the day to display the appropriate day.
   d. In the Time field, specify the time of day you want the Sidewinder G2 to download and install the updates. Select the portion of the time you want to change (hours, minutes, seconds) and then use the up and down arrows to navigate to the desired value.
      Note: Downloading and installing updates has a minimal impact on your system. Traffic that is received while the download and installation are in process will be scanned using the current version. Once installation is complete, all traffic will be scanned using the updated scanner information.
   e. If you want to receive e-mail notification when the updates are downloaded and installed, select the Enable Email Notification check box. If you select this option, you will also need to specify an e-mail address in the Recipient field.
   f. Proceed to step 5.
3. [Conditional] To update the virus definition manually, follow the sub-steps below.
   a. Click Download and Install Signatures Now. A pop-up window appears.
   b. Click Background to perform the update in the background, or click Wait to receive a notification and status pop-up when the update is complete. Proceed to step 5.
4. To view the current version of the signature file you are using, click Show Installed Signatures File Version Number Now. An Info window appears displaying the current installed version. When you are finished viewing the version, click OK.
5. Click the Save icon to save your changes.
Configuring the shund server

The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and verifies the signature on the data that the IDS has generated. If the signature is valid, a blackhole command is executed to shun the IP address as requested.
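The handler below is an added example, not the Sidewinder G2 implementation. It shows the control flow the paragraph above describes: a request is acted on only if it comes from a configured IDS server, its signature verifies with that server's shared secret (the Shared secret field of the IDS Server window), and the resulting blackhole entry lapses after the requested or default shun time. The guide does not describe the wire format or signature algorithm, so the message layout, HMAC-SHA256, the timestamp freshness check, the IDS address, the secret and the timestamps are all assumptions constructed for this example.

```python
"""Verifying signed shun requests from an IDS before blackholing an address.

Added example for the administration guide; the message format and HMAC-SHA256
are assumptions, as is the freshness window on the request timestamp.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Tuple

MAX_CLOCK_SKEW = 300   # seconds; rejecting stale requests is an added hardening assumption


def shun_message(target_ip: str, seconds: int, timestamp: int) -> bytes:
    """Canonical bytes both sides sign (constructed layout)."""
    return f"shun|{target_ip}|{seconds}|{timestamp}".encode()


def sign_request(secret: bytes, target_ip: str, seconds: int, timestamp: int) -> str:
    """What the IDS side computes with the shared secret configured for it."""
    return hmac.new(secret, shun_message(target_ip, seconds, timestamp), hashlib.sha256).hexdigest()


class ShunHandler:
    def __init__(self, ids_servers: Dict[str, bytes], default_shun_seconds: int = 3600):
        # Configured IDS server IP -> its shared secret (one entry per IDS Server window).
        self.ids_servers = ids_servers
        self.default_shun_seconds = default_shun_seconds   # "Default time to shun an IP address"
        self.shunned: Dict[str, int] = {}                   # target IP -> expiry (epoch seconds)

    def handle(self, src_ip: str, target_ip: str, seconds: int,
               timestamp: int, signature: str, now: int) -> Tuple[bool, str]:
        """Validate one request; only a verified request records a blackhole entry.
        seconds == 0 asks for the configured default shun time."""
        secret = self.ids_servers.get(src_ip)
        if secret is None:
            return False, "request from an IDS server that is not configured"
        try:
            target = str(ipaddress.ip_address(target_ip))
        except ValueError:
            return False, "target is not a valid IP address"
        if seconds < 0:
            return False, "negative shun time"
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return False, "request timestamp outside the freshness window"
        # Verify over the fields exactly as received; constant-time comparison.
        expected = sign_request(secret, target_ip, seconds, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False, "signature does not verify"      # nothing is blackholed
        duration = seconds if seconds > 0 else self.default_shun_seconds
        self.shunned[target] = now + duration
        return True, f"shunning {target} for {duration}s"

    def is_shunned(self, ip: str, now: int) -> bool:
        """True while the entry has not expired; expired entries are dropped."""
        expiry = self.shunned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.shunned[ip]
            return False
        return True
```

A request signed for one target does not verify for another, a request from an address that is not in the configured IDS list is refused before any cryptography runs, and a replayed request outside the freshness window is refused even with a valid signature; in each of those cases no blackhole entry is created.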
To configure the shund server, follow the instructions below.<br />
In the Admin Console, select Services Configuration -> Servers and select<br />
shund from the server list. The shund server Control tab appears.<br />
Configuring the Control tab<br />
A check mark will appear in front <strong>of</strong> each burb for which the shund<br />
server is enabled. To enable the shund server for one or more burbs,<br />
select the appropriate check box(es) in the Enabled For area. To<br />
disable the shund server in one <strong>of</strong> more burbs, deselect the<br />
appropriate check box(es). Click the Save icon to save your changes.<br />
To configure the IDS properties, select the IDS Configuration tab. The<br />
following window appears.<br />
The IDS Configuration tab allows you to configure the IDS servers<br />
from which the shund server will accept requests. The IDS Server Port<br />
field identifies the IDS Server Port. The default port is 8111. To modify<br />
the port, type the new port number in the IDS Server Port field, and<br />
click the Save icon. To revert to the default port (8111), click Restore<br />
Default.<br />
General System Tasks 3-39
Figure 3-17. IDS Server window

To view currently shunned IP addresses, click Current Shunned IP addresses, and see “About the Shunned IPs window” on page 3-40.

To delete an existing IDS server, highlight the server and click Delete. You will be prompted to confirm the deletion. Click Yes to delete the IDS server, or No to cancel.

To add a new IDS server, click New. To modify an existing IDS server, highlight the server and click Modify. To create a duplicate of an IDS server, click Duplicate. The IDS Configuration: IDS Server window appears.

About the IDS Configuration: IDS Server window

The IDS Server window allows you to create or modify an IDS server. Follow the steps below to create or modify an IDS server.
1. In the IDS Server IP address field, enter the IP address for the IDS server.
2. In the Shared secret field, enter a text string that the IDS server uses to generate a signature for shun packets.
3. In the Default time to shun an IP address field, specify the amount of time for which the IP addresses will be shunned, as follows:
a. In the drop-down list, specify the time format to use by selecting either Seconds, Minutes, Hours, or Days.
b. In the text field, enter the number of seconds, minutes, hours, or days.
4. Click OK to save your changes and return to the Configuration tab. (To cancel your changes, click Cancel.)

About the Shunned IPs window

The Shunned IPs window allows you to view and modify the currently shunned IP addresses.
Figure 3-18. IDS Configuration: Shunned IPs window

Each entry in the table displays the IP address, burb, and the date and time at which the IP address will no longer be shunned. You can perform the following actions in this window:
Delete one or more IP addresses—To remove one or more IP addresses from the list, highlight the IP address(es) you want to delete and click Delete IP(s). (To select multiple addresses, press and hold the Ctrl key as you select the addresses.)
Delete all IP addresses—To remove all of the IP addresses that are listed in the table, click Delete All IPs.
Update the window—To retrieve an updated list of shunned IP addresses, click Refresh. The date and time at which the displayed data was captured is listed in the upper portion of the window.
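The following Python is an added example, not code from the guide or from Secure Computing's shund server: it models the receiver-side logic described above (a request is trusted only if it comes from a configured IDS server and its signature, made with that server's shared secret, verifies) together with the shunned-IP table of the Shunned IPs window (IP, burb, expiry, Refresh, Delete IP(s), Delete All IPs). The IDS entries, the HMAC-SHA256 signature, the pipe-separated field layout and the 60-second replay window are all assumptions for illustration; the real wire format is not documented on this page.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of what an administrator enters in the IDS Server window:
# the IDS server's IP address, its shared secret and the default shun time.
IDS_SERVERS = {
    "192.0.2.10": {"secret": b"example-shared-secret",
                   "default_shun": timedelta(minutes=30)},
}
REPLAY_WINDOW = timedelta(seconds=60)  # assumption: reject stale or replayed requests
SEP = "|"                              # assumption: field separator on the wire
SAMPLE_NOW = datetime(2005, 6, 1, 2, 0, tzinfo=timezone.utc)  # constructed clock


def _signature(secret: bytes, body: str) -> str:
    # Assumed signature scheme: HMAC-SHA256 over the request body, hex-encoded.
    return hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(secret: bytes, ip: str, burb: str, seconds, ts: datetime) -> str:
    """IDS side: ip|burb|seconds|timestamp|signature. seconds='' asks for the
    receiver's configured default shun time."""
    body = SEP.join([ip, burb, str(seconds), ts.isoformat()])
    return body + SEP + _signature(secret, body)


def verify_request(source: str, message: str, now: datetime):
    """Receiver side: returns (ip, burb, expiry) or raises ValueError."""
    server = IDS_SERVERS.get(source)
    if server is None:
        raise ValueError("request from unconfigured IDS server %s" % source)
    parts = message.split(SEP)
    if len(parts) != 5:
        raise ValueError("malformed request")
    ip, burb, seconds, ts_text, sig = parts
    body = SEP.join(parts[:4])
    # Verify before trusting any field; constant-time compare of the MACs.
    if not hmac.compare_digest(_signature(server["secret"], body), sig):
        raise ValueError("bad signature")
    ts = datetime.fromisoformat(ts_text)
    if ts.tzinfo is None or abs(now - ts) > REPLAY_WINDOW:
        raise ValueError("timestamp missing, stale or replayed")
    ipaddress.ip_address(ip)  # raises ValueError if this is not an IP address
    duration = timedelta(seconds=int(seconds)) if seconds else server["default_shun"]
    if duration <= timedelta(0):
        raise ValueError("shun time must be positive")
    return ip, burb, now + duration


class ShunTable:
    """The table behind the Shunned IPs window: IP, burb, time shun ends."""

    def __init__(self):
        self._entries = {}      # ip -> (burb, expiry)
        self.captured_at = None

    def shun(self, ip, burb, expiry):
        # Extend only: a later, shorter request never cuts an entry short.
        current = self._entries.get(ip)
        if current is None or expiry > current[1]:
            self._entries[ip] = (burb, expiry)

    def refresh(self, now):
        """Drop expired entries and return the live list, as Refresh does."""
        self._entries = {ip: e for ip, e in self._entries.items() if e[1] > now}
        self.captured_at = now
        return sorted((ip, b, exp) for ip, (b, exp) in self._entries.items())

    def delete(self, *ips):     # Delete IP(s)
        for ip in ips:
            self._entries.pop(ip, None)

    def delete_all(self):       # Delete All IPs
        self._entries.clear()


def handle(table, source, message, now):
    """Process one request; True when it was accepted and recorded."""
    try:
        ip, burb, expiry = verify_request(source, message, now)
    except ValueError:
        return False
    table.shun(ip, burb, expiry)
    return True


def demo():
    """Constructed walk-through; returns outcomes as seconds remaining."""
    secret = IDS_SERVERS["192.0.2.10"]["secret"]
    t, out = ShunTable(), {}
    ok = sign_request(secret, "203.0.113.7", "external", 600, SAMPLE_NOW)
    out["accepted"] = handle(t, "192.0.2.10", ok, SAMPLE_NOW)
    bad = sign_request(b"wrong", "203.0.113.8", "external", 600, SAMPLE_NOW)
    out["bad_signature"] = handle(t, "192.0.2.10", bad, SAMPLE_NOW)
    out["unknown_source"] = handle(t, "198.51.100.1", ok, SAMPLE_NOW)
    old = sign_request(secret, "203.0.113.9", "external", "", SAMPLE_NOW - timedelta(minutes=5))
    out["stale"] = handle(t, "192.0.2.10", old, SAMPLE_NOW)
    dflt = sign_request(secret, "203.0.113.9", "external", "", SAMPLE_NOW)
    out["default_time"] = handle(t, "192.0.2.10", dflt, SAMPLE_NOW)
    handle(t, "192.0.2.10", sign_request(secret, "203.0.113.9", "external", 60, SAMPLE_NOW), SAMPLE_NOW)
    left = lambda rows: [(ip, b, int((e - SAMPLE_NOW).total_seconds())) for ip, b, e in rows]
    out["now"] = left(t.refresh(SAMPLE_NOW))
    out["after_15_min"] = left(t.refresh(SAMPLE_NOW + timedelta(minutes=15)))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```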
Loading and installing patches

The Sidewinder G2 provides the ability to patch your software by installing software patches or "packages" on your system. The software packages are available via Secure Computing’s FTP site. You can view, load, and install software packages using the Admin Console.

Tip: If your site requires physical patch media, you can burn a patch to a CD using the CD burning software of your choice (such as Roxio Easy CD Creator). Refer to the CD burning software’s instructions for information on burning the patch file to CD. (You can also contact Customer Service for general instructions.)
Figure 3-19. Software Management: Summary tab

Viewing currently installed patches

To view the patches currently installed on your system, start the Admin Console and select Firewall Administration -> Software Management, and select the Summary tab. A window similar to the following appears.

About the Summary tab

The Summary tab displays information about the patches currently installed on the Sidewinder G2. This window also enables you to do the following:
Details—To display a detailed description of a particular patch, highlight the patch in the list and click Details.
Verify—To verify the signature on a particular patch, highlight the patch in the list and click Verify.
Export—To export a particular patch to a diskette, highlight the patch in the list and click Export.
View Log—Click this button to display the Package Installation log. The log contains a list of all patches that have been installed.
Figure 3-20. Software Management: Import tab

Loading a patch

You will generally load patches onto the Sidewinder G2 via the network (via the FTP site). All patches are encrypted and digitally signed. You must have a current support license in order to decrypt and load a patch. Patches that are loaded onto the Sidewinder G2 are stored in the /var/spool/packages directory.

Note: Loading a patch on the Sidewinder G2 is NOT the same as installing it. Loading a patch only makes that patch available for installation on the Sidewinder G2. To install a patch on the Sidewinder G2, see “Installing a patch” on page 3-45.

To load a software package, select Firewall Administration -> Software Management, and select the Import tab. A window similar to the following appears.

Entering information on the Import tab

The Import tab is used to load a patch on the Sidewinder G2. You can load patches via the network (using Secure Computing’s FTP site), or using physical media that you create. Follow the instructions below.
To import a patch from the network (via Secure Computing’s FTP site):
1. In the Import from Network area, verify or modify the following fields:
Note: To modify any of the fields, click Edit and modify the information as needed.
FTP Site—The name of the FTP site from which the package will be downloaded. The default name is ftp.activations.securecomputing.com. To edit this information, click Edit.
Username—The name to use when logging onto the FTP site. The default user name is anonymous.
Password—The password to use when logging onto the FTP site. If no password is set, the Sidewinder G2 serial number will be sent as the password.
Directory—The path name on the FTP site that contains the desired patch(es).
Note: To restore the system default values to all of these fields, click Edit and then click Restore Defaults.
Note: This information is stored in the /etc/sidewinder/package.conf file.
2. Click Import Now to load the patch(es).
3. To enable the Sidewinder G2 to automatically download the latest patches from the defined FTP site on a periodic basis, select Enable Periodic Automated Imports. The automated download process will compare the files on Secure Computing’s FTP site to the files currently on the Sidewinder G2. Only those patches not already present on your system will be loaded.
In the Frequency field, specify how often the Sidewinder G2 will automatically access the FTP site and download the latest patches. The options are:
daily—Checks for new patches to download every day.
weekly—Checks for new patches to download every seven days.
monthly—Checks for new patches to download every 30 days.
bimonthly—Checks for new patches to download every 60 days.
Note: A cron job defines the exact day and time the download will occur. By default the download will occur very early in the morning.
4. To have a report e-mailed to the Sidewinder G2 administrator each time the Sidewinder G2 attempts an automatic import from the FTP site, select Generate E-mail Report. A report is generated regardless of whether a patch is actually downloaded. The report is e-mailed to the root e-mail alias on the Sidewinder G2.
5. Click the Save icon to save any information you entered, or click Cancel to reset changes to their original values.

To import a patch from CD-ROM or diskette:

Typically, patches are downloaded via the network (using FTP). If your site requires patch installation using physical media, you can burn a patch to a CD using the CD burning software of your choice (such as Roxio Easy CD Creator). Refer to the CD burning software’s instructions for information on burning the patch file to CD. (You can also contact Customer Service for general instructions.)
1. In the Import from CDROM/Diskette area, select the location of the patch you want to load. The options are:
CDROM—Select this option if the patch resides on CD.
Diskette—Select this option if the patch resides on diskette.
2. Insert the CD-ROM or diskette into the appropriate drive on the Sidewinder G2 and click Import Now.
Note: If the patch resides on multiple diskettes, insert the first diskette, click Import Now, and follow the on-screen prompts.
The patch(es) are loaded onto the Sidewinder G2.

Installing a patch

Patches that you load or download are not automatically installed. Rather, you can install them at a time that is convenient for you. This is important because the Sidewinder G2 must be rebooted during the installation process. The Admin Console allows you to define exactly when you want patch installation to occur.

Important: If you have an existing HA or One-To-Many cluster, refer to the appropriate patch Release Notes for information on installing a patch on an HA or One-To-Many cluster. Release Notes for each patch (as well as a Documentation Addendum, when applicable) are available on the Secure Computing Web site.

To install a patch, select Firewall Administration -> Software Management, then select the Install tab. A window similar to the following appears:

Important: It is recommended that you perform a system backup before installing any patches. See “Backing up system files” on page F-4 for details.
Figure 3-21. Software Management: Install tab

Entering information on the Install tab

The Install tab is used to install a patch that is already loaded on the Sidewinder G2. To install a patch, follow the steps below.

Important: If you have an existing HA or One-To-Many cluster, refer to the appropriate patch Release Notes for information on installing a patch on an HA or One-To-Many cluster. Release Notes for each patch (as well as a Documentation Addendum, when applicable) are available on the Secure Computing Web site.
1. Select the patch(es) you want to install from the Package table. This table lists all the patches currently installed or available for installation on the Sidewinder G2. To select multiple patches, press the Ctrl key as you select the patch names.
2. Select the Enable Automated Package Install check box to activate the installation options. (A check mark appears when the field is enabled.) You cannot select an installation option unless this check box is selected.
Note: To cancel a scheduled automated patch installation, disable this field and click the Save icon.
3. Select an installation option for the patch(es) you selected. The following options are available:
Install Immediately—Select this option if you want to install the selected patch(es) as soon as you click the Save icon.
Note: The Admin Console will be disconnected when the Sidewinder G2 begins its reboot process. Wait a few minutes for the reboot process to complete, then try reconnecting.
Install Later—Select this option to specify a date and time in the future at which you want to automatically install the selected patch(es).
4. [Conditional] If you selected Install Later in the previous step, fill in the following information:
Date—Specify the date on which the automatic patch installation will be performed. A typical practice is to define a date when you expect very little network traffic (for example, a holiday).
Time—Specify the time of day at which the patch installation will be performed. A typical practice is to define a time when you expect very little network traffic (for example, 2:00 a.m.).
5. [Optional] If you want a report e-mailed to the Sidewinder G2 administrator each time a patch is automatically installed, select the Generate E-mail Report check box. If this check box is selected, the report is e-mailed to the root e-mail alias on the Sidewinder G2.
6. Click the Save icon to save the changes and to implement the install.
Note: In the unlikely event that the patch installation fails, refer to “If a patch installation fails” on page F-23 for troubleshooting information.
7. Once the Sidewinder G2 has finished installing the patch and has been rebooted, launch the Admin Console. You will be prompted to load and install the Admin Console update for the patch. To upgrade the Admin Console, follow the prompts that appear.
Note: The Admin Console program will exit automatically during the update process.
Modifying the burb configuration

Figure 3-22. Burb Configuration window

A burb is a type enforced network area used to isolate network interfaces from each other. The burbs in your Sidewinder G2 are initially defined during the installation process. Using the Admin Console you can create, modify, and delete burbs.

To modify your burb configuration, start the Admin Console and select Firewall Administration -> Burb Configuration. The following window appears.

Entering information on the Burb Configuration window

This window allows you to add, modify, or delete burbs within your current configuration. Follow the steps below.

Note: You can configure a maximum of 24 burbs on a Sidewinder G2.
1. Do one of the following:
To create a new burb, click New. In the Create New Burb window, enter a name for the new burb. Click OK to return to the Burb Configuration window and configure the burb.
To modify a burb, highlight the burb in the Burbs list. The settings for that burb will appear in the right portion of the window.
To delete a burb, highlight the burb in the Burbs list and click Delete.
Note: You cannot delete a burb that is currently referenced elsewhere on the system (for example, in a rule or interface configuration). To determine whether a burb is currently being referenced, highlight the burb and click Usage.
To view all areas where a burb is currently being used, highlight the burb in the Burbs list and click Usage. The Burb Usage window appears, listing every area in which the burb is currently used. When you are finished viewing the information, click Close to return to the Burb Configuration window.
2. The following settings may be enabled or disabled for each burb:
Hide port unreachables—If this parameter is enabled, the Sidewinder G2 will give no response if a node on the network attempts to connect to a port on which the Sidewinder G2 is not listening. This increases security by not divulging configuration information to potential hackers.
Intra-burb packet forwarding—If enabled, traffic will be forwarded between network interfaces located within this burb. Disabling this parameter in a burb with two or more network interfaces has the effect of separating the interfaces. This parameter should be disabled in burbs with only one network interface.
Note: There is an interaction between the Intra-burb packet forwarding parameter and NAT. NAT changes the source address of outbound packets to the IP address of the Sidewinder G2 in the external (outgoing) burb. If multiple interfaces exist in the same burb, the Sidewinder G2 has to select an appropriate address based upon how it routes packets. By enabling this option, the Sidewinder G2 must choose one of the interfaces for the source address. In this case the Sidewinder G2 will always choose the address of the first interface in the burb. Problems could occur if the destination is not defined to use the same route back to the Sidewinder G2.
Honor ICMP redirects—ICMP redirect messages are used to optimize the routes for getting IP traffic to the proper destination. On a trusted network, honoring ICMP redirects can improve the throughput of the system. On an untrusted network, ICMP redirects can be used by hackers to examine, reroute, or steal network traffic. Enabling this parameter allows the Sidewinder G2 to honor ICMP redirects.
Respond to ICMP echo and timestamp—ICMP echo and timestamp messages (also known as ping messages) are used to test addresses on a network. The messages are a handy diagnostic tool, but can also be used by hackers to probe for weaknesses. Enabling this parameter allows the Sidewinder G2 to respond to these messages.
3. In the Internet burb drop-down list, specify which of the burbs defined on the Sidewinder G2 is the Internet burb. The Internet burb is unique because it is the only burb that communicates directly with the outside world.
4. Click the Save icon to save your changes.
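As an added example that is not part of the guide or the Admin Console, the following Python applies the guidance in step 2 above to a set of burb settings and reports which ones an administrator should revisit (port unreachables, ICMP redirects and echo replies on the Internet burb; intra-burb forwarding in a single-interface burb; the NAT source-address caveat for multi-interface burbs), then produces a corrected copy. The burb names, interface counts and the dict layout are constructed; the guide configures these settings only through the window described above.

```python
from copy import deepcopy

MAX_BURBS = 24  # stated limit for a Sidewinder G2 in this section

# Constructed sample: one entry per burb, with the four per-burb settings from
# the Burb Configuration window plus how many interfaces are assigned to it.
SAMPLE_BURBS = {
    "internal": {"interfaces": 1, "hide_port_unreachables": False,
                 "intra_burb_forwarding": True, "honor_icmp_redirects": True,
                 "respond_to_icmp_echo": True},
    "dmz":      {"interfaces": 2, "hide_port_unreachables": True,
                 "intra_burb_forwarding": True, "honor_icmp_redirects": False,
                 "respond_to_icmp_echo": True},
    "external": {"interfaces": 1, "hide_port_unreachables": False,
                 "intra_burb_forwarding": False, "honor_icmp_redirects": True,
                 "respond_to_icmp_echo": True},
}


def audit_burbs(burbs, internet_burb):
    """Return (severity, burb, setting, reason) tuples. 'warn' items contradict
    the guidance above; 'info' items are caveats to check rather than errors."""
    findings = []
    if len(burbs) > MAX_BURBS:
        findings.append(("warn", "*", "count", "more than %d burbs defined" % MAX_BURBS))
    if internet_burb not in burbs:
        findings.append(("warn", internet_burb, "internet_burb",
                         "Internet burb is not one of the defined burbs"))
    for name, b in sorted(burbs.items()):
        untrusted = name == internet_burb  # the only burb facing the outside world
        if untrusted and not b["hide_port_unreachables"]:
            findings.append(("warn", name, "hide_port_unreachables",
                             "closed ports answer outside nodes and reveal configuration"))
        if untrusted and b["honor_icmp_redirects"]:
            findings.append(("warn", name, "honor_icmp_redirects",
                             "redirects from an untrusted network can reroute traffic"))
        if untrusted and b["respond_to_icmp_echo"]:
            findings.append(("warn", name, "respond_to_icmp_echo",
                             "echo/timestamp replies let outside hosts probe the firewall"))
        if b["intra_burb_forwarding"]:
            if b["interfaces"] <= 1:
                findings.append(("warn", name, "intra_burb_forwarding",
                                 "should be disabled in a burb with only one interface"))
            else:
                findings.append(("info", name, "intra_burb_forwarding",
                                 "with NAT the first interface's address is always the "
                                 "source; confirm the destination routes back the same way"))
    return findings


def harden(burbs, internet_burb):
    """Copy of the settings with every 'warn' item corrected. Trusted burbs keep
    their ICMP choices, since the guide leaves those to the site."""
    fixed = deepcopy(burbs)
    for name, b in fixed.items():
        if name == internet_burb:
            b["hide_port_unreachables"] = True
            b["honor_icmp_redirects"] = False
            b["respond_to_icmp_echo"] = False
        if b["interfaces"] <= 1:
            b["intra_burb_forwarding"] = False
    return fixed


if __name__ == "__main__":
    for f in audit_burbs(SAMPLE_BURBS, "external"):
        print("%-4s %-9s %-22s %s" % f)
    print("warnings left after harden():",
          [f for f in audit_burbs(harden(SAMPLE_BURBS, "external"), "external")
           if f[0] == "warn"])
```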
Modifying the interface configuration

Figure 3-23. Interface Configuration window

The network interfaces defined for your Sidewinder G2 are initially defined during the installation process. The Sidewinder G2 supports up to 24 interfaces. (If you have more than 24 interfaces on your system, the Sidewinder G2 will use the first 24 interfaces that are detected.) Using the Admin Console you can configure the media type, the IP address, the subnet mask associated with an interface, and the burb assigned to an interface. You can also enable hardware acceleration and TCP checksum offloading.

To modify your interface configuration, start the Admin Console and select Firewall Administration -> Interface Configuration. The following window appears.

About the Interface Configuration main window

The Interface Configuration main window contains an Interfaces tab (in the upper portion of the window) that displays the configuration settings for each interface on the Sidewinder G2 in a table format. The Configuration tab (in the lower portion of the window) displays the configuration information for the interface that is selected in the Interfaces table. For a description of each interface field, see “Modifying the Configuration tab” on page 3-51. You can perform the following actions in the Interface Configuration window:

Note: The Hardware Acceleration tab will only appear if you are using a supported hardware accelerator. For information on the Hardware Acceleration tab, see “About the Hardware Acceleration tab” on page 3-53.
To view the status of all interfaces, click Media Status. The Media Status window provides a table listing all of the available interfaces, the corresponding IP address, and the status of each interface (connected or disconnected). When you are finished viewing the status, click Close.
To delete an interface, highlight the interface and click Delete.
Note: You can only delete interfaces that are disabled and have the NIC removed.
To modify an interface, highlight that interface in the table. The configuration information appears in the Configuration tab in the lower portion of the window. (You can also highlight the appropriate table row and click Modify to access the configuration information in a separate window.)
To switch the interface configuration settings between two interfaces, highlight the two interfaces for which you want to swap properties (you will need to press and hold the Ctrl key to select multiple interfaces), and then click Swap Parameters. You will receive a warning message indicating that the system may not function properly until it is rebooted. To swap the parameters, click Yes and be sure to reboot your system. To cancel, click No.
Caution: Swapping interface parameters after you have initially configured your Sidewinder G2 could have unexpected results. This process should only be used immediately after installation, or when an interface has been added or replaced.

Modifying the Configuration tab

The Configuration tab displays the interface name and MAC address that you are modifying. The following interface settings can be modified:
Enabled—To enable an interface, select On. To disable an interface, select Off.
Note: You must select a burb in the Burb field before you can enable an interface.
IP Address—To modify the IP address, enter the new IP address in this field.
Network Mask—To modify the Network Mask, enter the new network mask in this field. The value specified is used to identify the significant portion of the IP address.
Burb—To modify the burb, select the appropriate burb for this interface from the drop-down list.
Media Type—To modify the media type, select the appropriate media type from the drop-down list.
Hardware Capabilities—This option will only appear if the interface you are modifying has hardware capabilities that can be configured. To select all of the available options, click Select All. To deselect all options, click Deselect All. The following options may be available for selection:
— rxcsum: Enable transmission of checksum offload for IPv4 packets.
— txcsum: Enable reception of checksum offload for IPv4 packets.
— tcpseg: Enable TCP/IPv4 segmentation offload for large packets.
When you are finished modifying the interface, click the Save icon to save your changes. (If you modified the interface in a separate window, you will need to click OK to return to the Interface Configuration window.)

About the Aliases tab

The Interface Configuration Aliases tab contains an Interface Aliases table that displays any alias IP addresses defined for the selected network interface. Alias IP addresses are used in Multiple Address Translation (MAT). Adding alias IP addresses to a network interface can serve a number of purposes:
Specific logical networks connected to one interface can be consistently mapped to specific IP aliases on another interface when address hiding is used.
The NIC can accept connection requests for any defined alias.
The NIC can communicate with more than one logical network without the need for a router.
The NIC can have more than one address on the same network and have DNS resolve different domains to each host address.
To delete an alias IP address, select the item, and click Delete.
To add or modify an alias IP address, select the item, click New or Modify, and see “About the Aliases: New/Modify Network Alias window” below.
About the Aliases: New/Modify Network Alias window

To add or modify an alias IP address in the Interface Configuration: Aliases window, follow the steps below.
1. In the Network Address field, select the appropriate network address for the interface you want to configure.
2. In the Alias Address field, type the alias IP address that will be associated with the network interface selected in the Interface Configuration window.
3. In the Network Mask field, type a network mask. The value specified is used to identify the significant portion of the IP address.
4. Click OK to add the alias IP address, or click Cancel to return to the Interface Configuration window without saving your changes.
After adding or modifying an entry you should be able to ping the address from an external device, unless the Respond to ICMP echo and timestamp parameter is disabled for this burb. See “Entering information on the Burb Configuration window” on page 3-48.
5. Click the Save icon to save the changes.

About the Hardware Acceleration tab

The Hardware Acceleration tab will only appear if you are using a supported hardware accelerator. The Hardware Acceleration tab contains a table listing the supported hardware accelerators that are currently installed on the Sidewinder G2. The following table columns appear:
Hardware Accelerator—This column lists the type of hardware accelerator (for example, Cavium).
Accelerator Type—This column lists the type of hardware acceleration (for example, SSL).
Enabled—This column lists whether the hardware accelerator is enabled (On) or disabled (Off).
To enable a hardware accelerator, select the hardware accelerator you want to enable and click Enable.
To disable a hardware accelerator, select the hardware accelerator you want to disable and click Disable.
Click the Save icon to save your changes.
Modifying the static route

Figure 3-24. Static window

Traffic between machines on different networks or subnets requires routing. Each computer must be told where to direct traffic it cannot deliver directly; this “default gateway” is generally a router which allows access to distant subnets.

A “default route” (route of last resort) is used to specify the IP address to which packets that have no explicit route are forwarded. It is usually the IP address of a router (for example, a Cisco box) that will forward packets to your Internet Service Provider (ISP).

Note: For more detailed information on routing, please refer to "Routing options" in the Sidewinder G2 Startup Guide.

On the Sidewinder G2, this default route is typically defined while using the Configuration Wizard during the initial configuration process. Once it is set it rarely needs to change; hence it is also known as a static route. However, if your network configuration should change, you may find it necessary to change this static route. You can do this using the Admin Console. To change a static route, select Services Configuration -> Routing -> Static. The Static window appears.
Modifying the static route<br />
About the Static window The Static window contains a static route definition table that lists all<br />
<strong>of</strong> the route definitions. To modify the static routes currently defined<br />
on the <strong>Sidewinder</strong> <strong>G2</strong>, follow the steps below.<br />
About the Static: Route<br />
window<br />
Note: Interface routes cannot be modified or deleted.<br />
1. To change the IP address <strong>of</strong> the router that is used as your default or<br />
"static" route, type the new address in the Default Route field. The<br />
address must be entered using standard quad notation.<br />
Note: If your <strong>Sidewinder</strong> <strong>G2</strong> is defined with two DNS servers, the IP address for the<br />
static route must be an address on the external burb.<br />
2. Perform one <strong>of</strong> the following actions:<br />
To add a static route, click New. The Static Route window appears.<br />
Proceed to step 3.<br />
To modify an existing static route, highlight the route you want to<br />
modify and click Modify. The Static Route window appears.<br />
Proceed to step 3.<br />
To delete an existing static route, highlight the route you want to<br />
delete and click Delete. When you click this button, the system<br />
checks for any sessions that are currently using the address that<br />
you want to delete. If the address is in use, you will not be allowed<br />
to delete the entry. Proceed to step 8.<br />
3. In the Entry Type field, select the type <strong>of</strong> route: Net or Host.<br />
4. In the Net/Host Address field, type the subnet address for this route.<br />
5. In the Gateway field, type the gateway address the route will use.<br />
6. [Conditional] In the Net Mask field, type the network mask that will be<br />
used for this route. This field is only available if Net is selected in the<br />
Entry Type field.<br />
7. Click Add to add the information you entered to the static route<br />
definition table. (To exit the window without saving your changes, click<br />
Close.)<br />
8. In the Static window, click the Save icon to write all non-interface routes<br />
to /etc/gateways and automatically add changes to the current routing<br />
table, or click Cancel to cancel the change.<br />
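The following is an added illustration, not code from the guide or from Secure Computing: a small model <strong>of</strong> the static route definition table described above, with Net and Host entries, fixed interface routes, and the default route acting as route <strong>of</strong> last resort. The interface networks, addresses, and the check that a gateway sits on a directly connected network are constructed assumptions, not behaviour the guide documents.<br />

```python
"""Static route table with Net, Host and default entries (added illustration,
not Sidewinder G2 code). Interface networks and addresses below are constructed."""
import ipaddress


class StaticRouteTable:
    """Models the Static window: fixed interface routes, editable static routes,
    and the default route (route of last resort)."""

    def __init__(self, interface_networks, default_route):
        # Interface routes come from the burb interfaces and cannot be modified
        # or deleted, so they are fixed when the table is built.
        self.interfaces = [ipaddress.IPv4Network(n) for n in interface_networks]
        self.routes = []  # (IPv4Network, gateway IPv4Address), as in the definition table
        self.default_route = self._check_gateway(default_route)

    def _check_gateway(self, gateway):
        # IPv4Address() accepts only standard dotted-quad notation.
        gw = ipaddress.IPv4Address(gateway)
        # Assumed sanity check (not stated on the page): a next hop must sit on a
        # directly connected network, or packets could never reach it.
        if not any(gw in net for net in self.interfaces):
            raise ValueError(f"gateway {gw} is not on any directly connected network")
        return gw

    def add(self, entry_type, address, gateway, netmask=None):
        """Steps 3-7: Entry Type, Net/Host Address, Gateway and (Net only) Net Mask."""
        gw = self._check_gateway(gateway)
        if entry_type == "Host":
            network = ipaddress.IPv4Network(address)  # a single address, /32
        elif entry_type == "Net":
            if netmask is None:
                raise ValueError("Net Mask is required for a Net entry")
            # strict=True rejects a Net/Host Address that has host bits set
            network = ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)
        else:
            raise ValueError("Entry Type must be Net or Host")
        self.routes.append((network, gw))
        return network

    def next_hop(self, destination):
        """Return the gateway for a destination, or None if it is directly connected."""
        dst = ipaddress.IPv4Address(destination)
        if any(dst in net for net in self.interfaces):
            return None
        candidates = [(net, gw) for net, gw in self.routes if dst in net]
        if candidates:
            # The most specific route wins, so a Host (/32) entry beats a Net entry.
            _, gw = max(candidates, key=lambda route: route[0].prefixlen)
            return gw
        return self.default_route  # no explicit route: forward to the default route


def build_example_table():
    """Constructed example: internal and external burb networks, one default route,
    one Net route and one Host route."""
    table = StaticRouteTable(["192.168.1.0/24", "203.0.113.0/24"], "203.0.113.1")
    table.add("Net", "10.0.0.0", "192.168.1.254", netmask="255.0.0.0")
    table.add("Host", "10.5.5.5", "192.168.1.253")
    return table


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("10.5.5.5", "10.9.9.9", "198.51.100.20", "192.168.1.7"):
        print(dst, "->", t.next_hop(dst))
```

Because the Host entry is a /32, it wins over the broader Net entry for 10.5.5.5, while an address with no explicit route falls through to the default route.<br />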
General System Tasks 3-55
Configuring remote Admin Console management<br />
Figure 3-25. Remote <strong>Administration</strong> tab<br />
About the Remote <strong>Administration</strong> tab<br />
The <strong>Sidewinder</strong> <strong>G2</strong> is managed remotely from a Windows machine.<br />
Before you can establish a connection to the <strong>Sidewinder</strong> <strong>G2</strong>, you must<br />
configure the <strong>Sidewinder</strong> <strong>G2</strong> to accept administration via the Admin<br />
Console. This is typically enabled via the Configuration Wizard during<br />
initial <strong>Sidewinder</strong> <strong>G2</strong> configuration. Use the following steps to enable<br />
or disable administration in a particular burb.<br />
Start the Admin Console and select Firewall <strong>Administration</strong> -> UI Access<br />
Control. A window similar to the following appears.<br />
This window allows you to enable management for the <strong>Sidewinder</strong><br />
<strong>G2</strong> using the Admin Console. When enabled, users with<br />
administrative privileges will be able to connect to and administer the<br />
<strong>Sidewinder</strong> <strong>G2</strong> from a Windows machine. You can enable Admin<br />
Console management on a per burb basis. For example, if you enable<br />
Admin Console management for Burb A but not Burb B, only those<br />
users with access to the interfaces assigned to Burb A will be able to<br />
administer the <strong>Sidewinder</strong> <strong>G2</strong> using an Admin Console.<br />
Note: For information on configuring the Firewall Certificate tab, see “Configuring and<br />
displaying firewall certificates” on page 13-37.<br />
Follow the steps below to configure Admin Console management.<br />
Note: Admin Console management is typically enabled via the Configuration Wizard<br />
during initial <strong>Sidewinder</strong> <strong>G2</strong> configuration.
About the SSL certificate fields for the Admin Console<br />
Enabling and disabling multi-processor mode<br />
1. In the Allow Secure Sessions From list, select the burbs that will allow<br />
administration access from a Windows system. Connections to the<br />
burbs in this list are encrypted using SSL.<br />
2. In the Secure Ports field, specify the range <strong>of</strong> ports on which secure<br />
sessions will be allowed.<br />
Note: See “NSS regulation <strong>of</strong> valid ports for the Admin Console” on page 1-16 for<br />
details on selecting valid ports.<br />
3. Click the Save icon to save your changes. To configure the SSL certificate<br />
fields for the Admin Console, see the following section.<br />
The Admin Console provides secure access to the <strong>Sidewinder</strong> <strong>G2</strong><br />
using the Secure Sockets Layer (SSL) protocol. The SSL protocol<br />
requires the use <strong>of</strong> certificates by both the client and the server when<br />
creating the secure connection. Follow the steps below to configure<br />
the SSL certificate for the Admin Console.<br />
Important: Secure Computing recommends assigning a new certificate to the Admin<br />
Console before using the <strong>Sidewinder</strong> <strong>G2</strong> in an operational environment.<br />
A default SSL certificate is initially assigned to the Admin Console.<br />
When using the <strong>Sidewinder</strong> <strong>G2</strong> in an operational environment,<br />
however, it is highly recommended that you assign a different<br />
certificate to the Admin Console. For more information, see “Assigning<br />
new certificates for Admin Console and synchronization services” on<br />
page 13-43.<br />
To assign a new SSL certificate to the Admin Console, select the<br />
certificate from the Certificate drop-down list. Only self-signed, RSA<br />
certificates that are defined in Services Configuration -> Certificate<br />
Management in the Firewall Certificates tab are displayed in this field.<br />
The Firewall Certificates tab is used to define a new certificate for use<br />
by the Admin Console. After creating the new certificate you can<br />
return to the UI Access Control window and assign the new certificate<br />
to the Admin Console.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> supports the use <strong>of</strong> dual-processor platforms. If<br />
your hardware platform contains a second CPU, you might consider<br />
enabling this feature if your site meets one <strong>of</strong> the following<br />
conditions.<br />
Your site is passing large volumes <strong>of</strong> e-mail.<br />
Your site is generating large volumes <strong>of</strong> audit data.<br />
To enable the use <strong>of</strong> the second processor, perform the following<br />
steps.<br />
1. Enter the following command at a <strong>Sidewinder</strong> <strong>G2</strong> command line to<br />
switch to the Admn domain:<br />
srole<br />
2. Type one <strong>of</strong> the following commands to enable the multi-processor<br />
feature.<br />
If you want to test how multi-processor mode works on your<br />
system, but you do not want it enabled permanently, type the<br />
following command. You can skip step 4 if you use this command.<br />
cpu mp<br />
If you have tested multi-processor mode and are confident<br />
enough to enable it permanently, type:<br />
touch /etc/mp.config<br />
3. Reboot the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
4. Check to see that the second CPU is active by typing the following<br />
command.<br />
cpu stat<br />
If you encounter a problem enabling the second processor, it might<br />
indicate that you need to modify the /etc/boot.default file or the<br />
/etc/mp.config file by adding the proper interrupts or command<br />
overrides for your specific hardware platform. Contact Secure<br />
Computing <strong>Technical</strong> Support if you have questions or problems.<br />
Once multi-processor mode is enabled, the only way to disable it is to<br />
delete the /etc/mp.config file and reboot the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> to use a UPS<br />
Many organizations connect the <strong>Sidewinder</strong> <strong>G2</strong> to an Uninterruptible<br />
Power Supply (UPS). This allows the <strong>Sidewinder</strong> <strong>G2</strong> to continue to be<br />
operational if a power outage occurs. If the power outage is long<br />
enough, however, the battery in the UPS will begin to fail. To avoid an<br />
uncontrolled shutdown, you can configure the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
initiate an orderly shutdown before the UPS fails. The <strong>Sidewinder</strong> <strong>G2</strong><br />
is much more likely to restart in a good condition following an orderly<br />
shutdown than from an uncontrolled shutdown.
Figure 3-26. UPS Configuration window<br />
About the UPS Configuration window<br />
To configure the <strong>Sidewinder</strong> <strong>G2</strong> to use a UPS, select Services<br />
Configuration -> Servers and select upsd in the list <strong>of</strong> server names. Click<br />
the Configuration tab. The following window appears.<br />
The UPS Configuration window enables you to configure how the<br />
<strong>Sidewinder</strong> <strong>G2</strong> will interact with an uninterruptible power supply. The<br />
window contains the following fields.<br />
UPS Serial Port—Click the drop-down list to select the <strong>Sidewinder</strong><br />
<strong>G2</strong> port being used to monitor the UPS.<br />
If you are using a <strong>Sidewinder</strong> <strong>G2</strong> Security Appliance, your system<br />
will only support COM1 port (COM2 is not supported). Therefore,<br />
you cannot enable the uninterruptible power supply (UPS) service<br />
AND connect a console directly on your <strong>Sidewinder</strong> <strong>G2</strong> on the<br />
COM1 port at the same time. Doing so will cause your <strong>Sidewinder</strong><br />
<strong>G2</strong> Security Appliance to shut down immediately. If this happens,<br />
you must do one <strong>of</strong> the following:<br />
— Disable upsd and use a serial console: Disconnect the <strong>Sidewinder</strong><br />
<strong>G2</strong> console, disable upsd using the Admin Console, and then<br />
reconnect to the <strong>Sidewinder</strong> <strong>G2</strong> console.<br />
— Remove the serial console and use upsd: Disconnect the<br />
<strong>Sidewinder</strong> <strong>G2</strong> console, and then connect the UPS cable.<br />
Battery Time—Specify the estimated amount <strong>of</strong> time (in seconds)<br />
that the UPS battery will last before running low. The <strong>Sidewinder</strong><br />
<strong>G2</strong> will initiate an orderly shutdown when this timer expires,<br />
regardless <strong>of</strong> the amount <strong>of</strong> battery power remaining in the UPS.<br />
Enabling/disabling the UPS server<br />
1. Select Services Configuration -> Servers.<br />
2. Select upsd from the list <strong>of</strong> server names.<br />
3. Click Enable or Disable.<br />
Enabled—Indicates the <strong>Sidewinder</strong> <strong>G2</strong> is configured to use a UPS.<br />
If a power outage occurs, the <strong>Sidewinder</strong> <strong>G2</strong> will monitor the UPS<br />
and will perform an orderly shutdown when the UPS battery<br />
begins to run low.<br />
Disabled—Indicates the <strong>Sidewinder</strong> <strong>G2</strong> is not configured to use a<br />
UPS. If a power outage occurs and the <strong>Sidewinder</strong> <strong>G2</strong> IS connected<br />
to a UPS, the <strong>Sidewinder</strong> <strong>G2</strong> will not monitor the UPS and will not<br />
perform an orderly shutdown when the UPS battery begins to run<br />
low.<br />
4. Click the Save icon.
CHAPTER 4<br />
Understanding Policy Configuration<br />
About this chapter<br />
This chapter provides an overview <strong>of</strong> the pieces that comprise your<br />
security policy: rules, rule elements, and Application Defenses. It also<br />
provides useful examples to assist you in building rules and<br />
organizing them into the groups that you use to enforce your security<br />
policy.<br />
Policy configuration basics<br />
This chapter covers the following topics:<br />
“Policy configuration basics” on page 4-1<br />
“Rule elements” on page 4-6<br />
“Application Defenses” on page 4-14<br />
“Proxy rule basics” on page 4-17<br />
“IP Filter rule basics” on page 4-28<br />
Your site’s security policy is implemented and enforced by applying<br />
rules to all traffic that passes through the <strong>Sidewinder</strong> <strong>G2</strong>. Each rule is<br />
basically a mini policy that contains criteria which are used to inspect<br />
incoming or outgoing traffic. Rules determine whether that traffic will<br />
be allowed to continue to its destination. There are two distinct rules<br />
types that you can configure on the <strong>Sidewinder</strong> <strong>G2</strong>:<br />
Proxy rules—Proxy rules allow you to control access to <strong>Sidewinder</strong><br />
<strong>G2</strong> proxies and servers. Proxy rules determine whether traffic will<br />
be allowed through the <strong>Sidewinder</strong> <strong>G2</strong> or denied using various<br />
criteria such as source and destination address.<br />
Note: When you are configuring proxy rules for a particular proxy or service, you<br />
must ensure that the corresponding proxies and/or servers have also been enabled<br />
and configured before the rule will pass traffic.<br />
IP Filter rules—IP Filter rules allow you to configure your<br />
<strong>Sidewinder</strong> <strong>G2</strong> to securely forward IP packets between networks.<br />
IP Filter rules operate directly on the IP packets, allowing you to<br />
configure filtering for TCP/UDP and non-TCP/UDP traffic passing<br />
between networks.<br />
Figure 4-1. Basic rule group structure<br />
After you plan and create all <strong>of</strong> the rules you need to enforce your<br />
security policy, you can organize them into sets, called rule groups. A<br />
rule group can consist <strong>of</strong> both rules and nested rule groups. A nested<br />
rule group is a rule group that you place within another rule group.<br />
You can nest multiple rule groups within a rule group.<br />
Figure 4-1 demonstrates the basic structure <strong>of</strong> a rule group that uses<br />
nested rules.<br />
[Figure 4-1: a sample rule group containing Rule 1, nested Rule group A, nested Rule group B, and Rule 9; Rules 2 through 8 are the members <strong>of</strong> the two nested groups.]<br />
While you can create numerous rules and groups, the <strong>Sidewinder</strong> <strong>G2</strong><br />
will only load and use the rules contained in the groups that you<br />
select in the Active Rules window. These active rules are the rules that<br />
enforce your security policy. When you select the active rule groups<br />
(you can select one active proxy group and one active IP Filter<br />
group), those groups begin actively monitoring traffic coming into<br />
and leaving the <strong>Sidewinder</strong> <strong>G2</strong>. All rules and rule groups that are not<br />
part <strong>of</strong> the active rules will remain inactive unless you add them to an<br />
active rule group. You can modify your existing active rule group to<br />
add or delete rules and/or nested rule groups as your security needs<br />
change. You can also re-organize the rules within a group as needed.<br />
When you select an active group, the individual rules and the rules<br />
within nested groups are extracted into a single table <strong>of</strong> ordered rules<br />
as shown in Figure 4-2.
Figure 4-2. Example <strong>of</strong> active rules<br />
[Figure 4-2: the rule group (Rule 1, Rule group A, Rule group B, Rule 9) is extracted into the active rules table Rule 1 through Rule 9, with the contents <strong>of</strong> rule group A and the contents <strong>of</strong> rule group B listed in place.]<br />
The rules within an active group are processed in sequential order.<br />
When traffic arrives at the <strong>Sidewinder</strong> <strong>G2</strong>, it will first be processed by<br />
the active IP Filter rules. If the traffic does not match any IP Filter<br />
rules, it is forwarded on to the active proxy rules. If a rule match is<br />
found, the traffic is processed according to that rule and will not be<br />
processed by any other rules. Therefore, the order <strong>of</strong> the rules and<br />
nested rule groups within an active rule group is very important.<br />
The rule groups you specify in the Active Rules window (one for<br />
proxy and one for IP Filter) work together as follows: All traffic<br />
coming into and leaving the <strong>Sidewinder</strong> <strong>G2</strong> is compared to any active<br />
IP Filter rules that you have configured. The IP Filter rules examine<br />
packets at the IP layer. If a match is not found in the IP Filter rules,<br />
the traffic is then examined by the active proxy rules, which examine<br />
the traffic at the Application layer.<br />
Figure 4-3. Traffic passing through the active rule groups<br />
[Figure 4-3: 1. Traffic enters the <strong>Sidewinder</strong> <strong>G2</strong> and is processed by the active IP Filter rules. 2. No match is found, so traffic is forwarded to the active proxy rules. 3. A match is found in Rule Group B <strong>of</strong> the active proxy rules, and the traffic is processed by the rule specifications.]<br />
Tip: Always place the deny_all rule at the end <strong>of</strong> the active proxy rules list. This rule<br />
denies any traffic that reaches it. Therefore, any rules that are listed after the deny_all rule<br />
will not process any traffic.<br />
An example <strong>of</strong> traffic being processed by the active rules<br />
The following scenario walks you through the basic process used by<br />
the <strong>Sidewinder</strong> <strong>G2</strong> to process an outbound Telnet connection request.<br />
For simplicity, this scenario assumes that the active rules table consists<br />
<strong>of</strong> the following items:<br />
Some non-TCP/UDP IP Filter rules.<br />
A rule called NetMeeting that allows users to utilize audio and<br />
video conferencing components for NetMeeting®.<br />
A rule group called <strong>Administration</strong>, which allows <strong>Sidewinder</strong> <strong>G2</strong><br />
administrators to access the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
A rule called InternetServices, which includes a service group that<br />
allows access to the most commonly used Internet services,<br />
including Telnet. (For information on service groups, see “Service<br />
groups” on page 4-12.)<br />
A deny_all rule that will deny any requests that did not match any<br />
other rules. This rule acts as a safeguard against traffic that did not<br />
meet any rule criteria, and may or may not be desirable depending<br />
on your site’s security policy.
The following steps outline the basic processing that takes place<br />
when an outbound Telnet connection request arrives at a <strong>Sidewinder</strong><br />
<strong>G2</strong> with the above active rules in place.<br />
1. An outbound Telnet request arrives at the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2. The request is processed by the active IP Filter rules. No match is found,<br />
so the request is forwarded to the active proxy rules.<br />
3. The request is processed by the first rule in the Active Rules table, which<br />
is the NetMeeting rule. The request does not match the rule criteria.<br />
4. The request is forwarded to the next rule in the table, a rule group called<br />
<strong>Administration</strong>, and is inspected in sequential order by each rule<br />
contained within that group. No match is found in this rule group.<br />
5. The request is forwarded to the next rule in the table, a rule called<br />
InternetServices. A match is found (because the telnet proxy is included<br />
in the service group used in this rule).<br />
6. The request is processed according to the specifications in the<br />
InternetServices rule. The InternetServices rule is an allow rule with NAT<br />
enabled. The request bypasses all other rules and groups contained in<br />
the active rules table, the internal address <strong>of</strong> the request is translated,<br />
and the request is granted.<br />
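The following is an added example, not code from the guide or from Secure Computing. It models the processing just described: nested rule groups are flattened into the single ordered table <strong>of</strong> Figure 4-2, the active IP Filter rules are searched first, and the first matching rule ends the search. The rules, the service group contents, the network object names, and the IP Filter entries are all constructed to mirror the Telnet scenario; the function names are assumptions.<br />

```python
"""Rule group flattening and first-match processing (added illustration, not
Sidewinder G2 code). All rules, groups, services and network objects below are
constructed to mirror the Telnet scenario in the text."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    services: frozenset  # proxies/servers in the rule's service group; "*" = any
    sources: frozenset   # source network objects; "*" = any (the All wildcard)
    nat: bool = False

    def matches(self, request):
        return (("*" in self.services or request["service"] in self.services)
                and ("*" in self.sources or request["source"] in self.sources))


@dataclass
class RuleGroup:
    name: str
    members: list  # Rules and nested RuleGroups, in the order they are listed


def flatten(group):
    """Extract rules and nested groups into the single ordered table of Figure 4-2."""
    table = []
    for member in group.members:
        if isinstance(member, RuleGroup):
            table.extend(flatten(member))
        else:
            table.append(member)
    return table


def first_match(table, request, examined):
    """Sequential search; the first matching rule ends the search."""
    for rule in table:
        examined.append(rule.name)
        if rule.matches(request):
            return rule
    return None


def process(ip_filter_group, proxy_group, request):
    """Active IP Filter rules first; only if none matches do the proxy rules see it."""
    examined = []
    rule = first_match(flatten(ip_filter_group), request, examined)
    stage = "ipfilter"
    if rule is None:
        rule = first_match(flatten(proxy_group), request, examined)
        stage = "proxy"
    if rule is None:
        # Nothing matched and no deny_all was present at the end of the list.
        return {"action": "unmatched", "rule": None, "stage": stage, "examined": examined}
    return {"action": rule.action, "rule": rule.name, "nat": rule.nat,
            "stage": stage, "examined": examined}


def S(*items):
    return frozenset(items)


# Constructed active rules, in the order the scenario lists them.
ACTIVE_IP_FILTER = RuleGroup("ipfilter", [
    Rule("gre_passthrough", "allow", S("gre"), S("*")),   # non-TCP/UDP IP Filter rules
    Rule("esp_passthrough", "allow", S("esp"), S("*")),
])
ADMINISTRATION = RuleGroup("Administration", [
    Rule("admin_ssh", "allow", S("ssh"), S("admin_hosts")),
    Rule("admin_console", "allow", S("admin_console"), S("admin_hosts")),
])
ACTIVE_PROXY = RuleGroup("proxy", [
    Rule("NetMeeting", "allow", S("h323"), S("*")),
    ADMINISTRATION,                                          # nested rule group
    Rule("InternetServices", "allow", S("http", "ftp", "telnet"), S("internal"), nat=True),
    Rule("deny_all", "deny", S("*"), S("*")),                # safeguard, always last
])


def telnet_walkthrough():
    """The outbound Telnet request of the scenario: steps 1-6."""
    return process(ACTIVE_IP_FILTER, ACTIVE_PROXY,
                   {"service": "telnet", "source": "internal"})


def unlisted_service():
    """A service no rule names falls through to deny_all at the end of the list."""
    return process(ACTIVE_IP_FILTER, ACTIVE_PROXY,
                   {"service": "irc", "source": "internal"})
```

The "examined" list returned by telnet_walkthrough() reproduces steps 2 through 5: both IP Filter rules, NetMeeting, each rule inside the nested Administration group, and finally InternetServices, after which no further rule is consulted.<br />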
Ordering proxy rules within a rule group<br />
The order in which rules and nested groups appear in the active rule<br />
group is significant. When the <strong>Sidewinder</strong> <strong>G2</strong> is looking for a rule<br />
match, it searches the active rules in sequential order (beginning with<br />
the first rule or nested group within the group, then the second, and<br />
so on). The first rule that matches all the characteristics <strong>of</strong> the<br />
connection request (service type, source, destination, and so on) is<br />
used to determine whether to allow or deny the connection.<br />
Therefore, you should always place rules that allow or deny the most<br />
frequent traffic near the top <strong>of</strong> an active rule group to reduce the<br />
processing time.<br />
Important: If the characteristics <strong>of</strong> a connection request match more than one rule,<br />
the first one it matches will be used and the search will stop.<br />
For example, suppose you want to allow access to FTP services on<br />
the Internet for all systems except those included in a netgroup called<br />
“publications.” The scenarios below illustrate both the incorrect and<br />
correct rule placement.<br />
Incorrect placement <strong>of</strong> rules in a rule group<br />
The following shows a rule group list that is INCORRECT for this<br />
scenario.<br />
Rule 1: Allow FTP service for all internal systems to all external systems.<br />
Rule 2: Deny FTP service for the netgroup “publications” to all external systems.<br />
The first rule in the rule group allows all systems (via a wildcard) to<br />
use FTP and the second rule denies one particular netgroup.<br />
Problem: When a system specified in the “publications” netgroup<br />
requests an FTP connection to somewhere in the Internet, the<br />
<strong>Sidewinder</strong> <strong>G2</strong> will check rule 1 in the active proxy rule group.<br />
Because that rule allows all systems FTP service to the Internet, the<br />
<strong>Sidewinder</strong> <strong>G2</strong> detects a match, stops searching the rule group, and<br />
grants the connection.<br />
Correct placement <strong>of</strong> rules in a rule group<br />
To deny a particular netgroup in this example, the deny rule should<br />
be placed before the allow rule. The correct way to order the rules in<br />
the rule group for this example is as follows.<br />
Rule 1: Deny FTP service for the netgroup “publications” to all external systems.<br />
Rule 2: Allow FTP service for all internal systems to all external systems.<br />
Important: As a basic guideline when configuring a rule group, place specific rules<br />
before any general (wildcard) rules.<br />
Rule elements<br />
Rule elements are the building blocks for your rules and help you<br />
save time and effort by allowing you to group information, reducing<br />
the number <strong>of</strong> rules you need to create. Rule elements consist <strong>of</strong> the<br />
following:<br />
Users and user groups—Users can be placed in user groups,<br />
allowing you to apply a single rule to multiple users who share the<br />
same access privileges. See “Users and user groups” on page 4-8.<br />
Note: Users and user groups are used only in proxy rules.
Network objects—Network objects are entities for which you<br />
configure the <strong>Sidewinder</strong> <strong>G2</strong> to allow or deny connections. They<br />
can consist <strong>of</strong> IP addresses, hosts, domains, netmaps, subnets, or<br />
netgroups. See “Network objects” on page 4-9.<br />
Service groups—A service group is a collection <strong>of</strong> proxies and/or<br />
servers. When specified in a rule, the rule will regulate access to<br />
all proxies and servers defined within that service group. See<br />
“Service groups” on page 4-12.<br />
Note: Service groups are used only in proxy rules.<br />
Planning for rule elements<br />
In providing network security, the main objective <strong>of</strong> the <strong>Sidewinder</strong><br />
<strong>G2</strong> is to enforce a set <strong>of</strong> rules that reflect your desired security policy.<br />
Properly defining and creating user groups, network objects, and<br />
service groups provides you with building blocks you can use to<br />
create sound rules. Remember, the groups you create and the rules<br />
you define serve as the embodiment <strong>of</strong> your site’s security policy.<br />
The following list provides guidelines to consider when planning your<br />
rule elements:<br />
Start by considering your security policy. If you do not have a<br />
security policy, see the Perimeter Security Planning <strong>Guide</strong> (located<br />
on the <strong>Sidewinder</strong> <strong>G2</strong> Management Tools CD) for information on<br />
how to develop one.<br />
Decide if you want to control access based on user groups,<br />
netgroups, or both.<br />
If you want to control access based on user groups, make a list<br />
defining all users, and organize the list by the networking services<br />
they will be granted and authentication methods they must use.<br />
Plan to include all users who require access to the same services<br />
using the same authentication methods in the same group.<br />
Plan to create service groups for each user or netgroup that<br />
requires access to the same services to reduce the number <strong>of</strong> rules<br />
you need to create.<br />
If you want to control access based on netgroups, make a list<br />
defining all your machines, and organize the list by the networking<br />
services they will be granted.<br />
Create a proxy rule for each user group and/or netgroup.<br />
Important: Creating netgroups saves you the trouble <strong>of</strong> entering multiple versions<br />
<strong>of</strong> the same proxy rule. It is important to model (define) all network objects for which<br />
you want to allow access before you set up your rules.<br />
Users and user groups<br />
Users are people who use the networking services provided by the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. User accounts are a mechanism used to authenticate<br />
people before they are permitted to make a network connection<br />
through (or to) the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: Users and user groups are used only in proxy rules.<br />
As described in the following chapter, you can use the Admin Console<br />
to create user accounts which are stored in a user database located on<br />
the <strong>Sidewinder</strong> <strong>G2</strong> or in a separate authentication server. A single<br />
account in a user database includes information such as the user’s<br />
login name and password. (“Supported authentication methods” on<br />
page 9-5 provides detailed information on various methods used to<br />
authenticate users during a <strong>Sidewinder</strong> <strong>G2</strong> connection attempt.)<br />
A user group is a logical grouping <strong>of</strong> one or more users, identified by<br />
a single name. Also, a user group can include another “nested” user<br />
group. Figure 4-4 shows an example <strong>of</strong> two user groups.<br />
Important: User groups can be used in an allow rule only if the specified service<br />
supports authentication (login, Telnet, FTP, Web, secure shell [SSH], or SSO).
Figure 4-4. User Groups<br />
[Figure 4-4: a user group named “accounting” and a user group named “engineering”.]<br />
Figure 4-4 shows five users divided into two user groups:<br />
“Accounting” and “Engineering.” Suppose you want to allow both<br />
user groups Telnet access to the Internet. Also suppose you want to<br />
authenticate the “Accounting” user group differently from the<br />
“Engineering” user group. In this example you create two nearly<br />
identical rules to allow Telnet access, one for each user group. The<br />
only difference in the rules for each user group would be the<br />
authentication method you specify for each group.<br />
Network objects<br />
[Figure 4-4 labels: internal network, <strong>Sidewinder</strong> <strong>G2</strong>, Internet.]<br />
A network object is an entity for which you configure the <strong>Sidewinder</strong><br />
<strong>G2</strong> to allow or deny connections. A network object can be an IP<br />
address, a host, a network domain, a netmap, a subnet, or netgroup.<br />
When you create rules, you must specify a network object as the<br />
source or destination <strong>of</strong> the connection. (You may also select the All<br />
option, which serves as a wildcard.) The following subsections<br />
provide an overview <strong>of</strong> how each network object is used.<br />
Note: IP Filter rules can only use IP address, subnet, and some host (localhost) network<br />
objects.<br />
Domain network objects
A domain network object identifies a domain name registered with the Internet community. Registered domain names end with a top-level domain such as .edu (educational sites) or .com (commercial sites). For example, a domain name could be specified as bizco.net. See “Configuring domain objects” on page 5-12 for more information.
Host network objects
A host network object is an individual machine connected to the network. When specifying a host object, you must use a host name that is resolvable by DNS, or provide at least one IP address that is resolvable by DNS. See “Configuring host objects” on page 5-13 for more information.
IP address network objects
A network object can be an IP address of an individual machine connected to the network. A machine can have more than one IP address. See “Configuring IP address objects” on page 5-15 for more information.
Netmap network objects
Many organizations use network address translation (NAT) and/or redirection to prevent internal addresses from being visible to external users. On the Sidewinder G2, NAT refers to rewriting the source address of the packet, while redirection refers to rewriting the destination address of the packet.
For example, when a user sends a packet from an internal IP address, through the Sidewinder G2, to an external IP address, the Sidewinder G2 intercepts the packet. If NAT is enabled for the matching rule, the Sidewinder G2 re-assigns (or translates) the source address to its own external address (or an address you specify). Therefore, all traffic leaving your system appears to come from a single external IP address.
If an organization requires many different address translations for multiple IP addresses, you would normally need to create an individual rule for each different NAT or redirection scenario, which can become difficult to manage. However, using netmaps you can map multiple IP addresses and subnets to alternate addresses without creating numerous rules.
A netmap consists of one or more netmap members. A netmap member is any IP address or subnet object that you define. Each member in the netmap is mapped to an alternate address that you specify. See “Configuring netmaps” on page 5-16 for more information.
When creating a rule, you can use netmaps as follows:
If you select a netmap in the source address field for a rule, the appropriate NAT properties are automatically supplied based on the mapping configured for each IP address or subnet in that netmap.
If you select a netmap as the destination address in a rule, the appropriate redirection properties are automatically supplied based on the mapping configured for each IP address and subnet in that netmap.
Subnet network objects
A subnet network object is a subset of a larger network, and consists of a network address and a subnet mask. A subnet object defines a range of IP addresses within a specific subnet. See “Configuring subnet objects” on page 5-17 for more information.
Note: For more information on subnets, refer to Section 13.4 in the UNIX System Administration Handbook, third edition.
Netgroup objects
A netgroup object consists of two or more network objects, identified by a single name. For example, you can define a netgroup that includes a number of domains, several hosts that are outside of these domains, and a subnet. See “Configuring netgroup object” on page 5-18 for more information.
Note: A netgroup may contain nested netgroups as members.
Figure 4-5. Netgroup
Figure 4-5 shows a sample netgroup configuration: the members of the “Sales” network group (presales.bizco.net, sales.bizco.net, and the host 172.16.12.3) sit on the internal network and reach the Internet through the Sidewinder G2.
As shown in Figure 4-5, a netgroup named “Sales” is comprised of two domains within a sales organization (presales.bizco.net and sales.bizco.net) and an individual system using IP address 172.16.12.3. Suppose you want to allow users in all three of these network objects to access Telnet servers anywhere on the Internet. You need to create a rule to configure the connection, specifying ‘Sales’ as the source and a wildcard (leave the field blank to indicate a wildcard) as the destination. Without creating the Sales netgroup, you would need to make three rules to configure the Telnet access, one for each network object.
You can create netgroups for network objects that are inside or outside of the Sidewinder G2. A netgroup can include nested netgroups.
Service groups
A service group is a collection of selected proxies and/or servers. Once defined, a service group can be used in a proxy rule to regulate access to the services in the group. There are important administrative benefits gained by using service groups: while a typical proxy rule will regulate access for a single proxy or server, a proxy rule that is implemented using a service group can regulate access for multiple proxies and/or servers. Grouping services together in this manner enables you to reduce the overall number of rules you define, which in turn reduces the overall complexity of your rule database. A less complex rule database means there is less chance of introducing errors that may affect the integrity of your security policy. You can also configure Application Defense groups for rules that use service groups to specify advanced properties for each proxy included in that rule. (See “Application Defenses” on page 4-14 for an overview of Application Defenses.)
Note: Service groups are used only in proxy rules.
Example of a rule that uses a service group
Here’s an example that illustrates the power of a service group. Assume you have a netgroup named eng_net_grp that consists of all the engineers in your organization. If you want to grant Web, FTP, and Telnet access to this group, you might do so by defining three separate rules. Table 4-1 illustrates how these three rules might look in the rule database.
Table 4-1. Typical rules not using service groups
No.  Name        Service  Service Type  Enabled  Action
1    http_out    HTTP     proxy         Enabled  Allow
2    ftp_out     FTP      proxy         Enabled  Allow
3    telnet_out  Telnet   proxy         Enabled  Allow
A better option, however, is to use a service group. This enables you to accomplish the same thing with one proxy rule. Create a service group that contains the HTTP, FTP, and Telnet proxies, then use this service group when defining the proxy rule. Table 4-2 illustrates the service group you might create, and Table 4-3 illustrates how the resulting proxy rule will appear in the rule database.
Table 4-2. Sample service group
Service Group Name  Selected Proxies   Selected Servers
EngServGrp          HTTP, FTP, Telnet  (none)
Table 4-3. Sample proxy rule using a service group
No.  Name      Service     Service Type  Enabled  Action
1    Eng_rule  EngServGrp  servicegroup  Enabled  Allow
Please note the following points about service groups:
The services in a service group can be either all allowed or all denied on a proxy rule. It is not possible to use the same proxy rule to allow access to a subset of services in a service group while at the same time denying access to a different subset of services.
Service groups are extremely effective when implemented in a proxy rule that regulates access for a user group or netgroup. Keep in mind, however, that all members in the user group or netgroup must conform to the same security policy (that is, they will all be allowed or denied access to the same collection of services).
Authentication can be configured for a service group rule, even if not every service in the group permits authentication. The Sidewinder G2 is able to differentiate which services require authentication within a group. Mixed service groups (authenticating and non-authenticating services) are best used with allow rules. You can use SSO to require authentication for all services in a service group.
You can define as many service groups as needed.
As always, the sequencing of rules within the active rule group remains important, regardless of whether a service group is used.
Application Defenses
Application Defenses allow you to configure advanced application-specific properties for each proxy, including basic timeout properties and application-specific permissions. You can also configure key services such as anti-virus, anti-spam, SSL decryption, and Web services management.
You can create Application Defenses in advance and then select the defense for each rule that you create, or you can create defenses during rule creation. Whether you create Application Defenses in advance or within a proxy rule, the defense is saved to a common database and can be used by other proxy rules without being recreated.
Application proxies that allow you to configure connection properties are included in the Standard Application Defense. (You can also configure transparency properties for the Telnet proxy within a Standard Application Defense.) Application proxies that allow you to configure advanced, application-specific options (such as anti-virus, application permissions, etc.) as well as connection properties have their own branch in the Defenses branch (e.g., Web, Secure Web, Mail, Multimedia).
You can also create Application Defense groups that allow you to specify an Application Defense for each category (Web, Secure Web, Mail, Standard, etc.). Application Defense groups are most useful when creating rules that use service groups. When you create an Application Defense group, you can configure and specify an Application Defense for each application included in a service group. For an example of how an Application Defense group is used in a rule, see “Using Application Defense groups and service groups to minimize rule creation” on page 4-16.
The following list summarizes the various categories of Application Defenses:
Note: For information on specifying an Application Defense in a proxy rule, see “Creating proxy rules” on page 7-4.
Web—This category allows you to configure advanced parameters for HTTP, including header filtering and MIME/virus filtering. For information on configuring a Web Application Defense, see “Creating Web or Secure Web Application Defenses” on page 6-4.
Secure Web—This category allows you to configure advanced parameters for Web-based proxies, such as HTTPS and SSO. For information on configuring a Secure Web Application Defense, see “Creating Web or Secure Web Application Defenses” on page 6-4.
Web Cache—This category allows you to configure Squid parameters for SmartFilter. For information on configuring a Web Cache Application Defense, see “Creating Web Cache Application Defenses” on page 6-19.
Mail—This category allows you to configure mail filtering and anti-virus services to ensure that all e-mail traffic is scanned and filtered before being allowed through to your internal networks. For information on configuring a Mail Application Defense, see “Creating Mail Application Defenses” on page 6-21.
Citrix—This category allows you to configure advanced ICA proxy parameters. For information on configuring a Citrix Application Defense, see “Creating Citrix Application Defenses” on page 6-31.
FTP—This category allows you to configure FTP permissions. For information on configuring an FTP Application Defense, see “Creating FTP Application Defenses” on page 6-33.
IIOP—This category allows you to configure filtering properties for the Internet Inter-ORB Protocol (IIOP) proxy. For information on configuring an IIOP Application Defense, see “Creating IIOP Application Defenses” on page 6-34.
Multimedia—This category allows you to configure permissions for T.120 and H.323 proxies. For information on configuring a multimedia Application Defense, see “Configuring the IIOP Connection tab” on page 6-35.
Oracle—This category allows you to configure continuous session monitoring to prevent spoofing and tunneling attacks while sessions are in progress for the SQL proxy. For information on configuring an Oracle Application Defense, see “Creating Oracle Application Defenses” on page 6-38.
SOCKS—This category allows you to configure advanced properties for the SOCKS proxy. For information on configuring a SOCKS Application Defense, see “Creating SOCKS Application Defenses” on page 6-41.
SNMP—This category allows you to configure advanced properties for the SNMP proxy. For information on configuring an SNMP Application Defense, see “Creating SNMP Application Defenses” on page 6-42.
Standard—This category allows you to configure connection properties for application proxies that do not require additional configuration options. You can also configure transparency properties for the Telnet proxy. For information on configuring a Standard Application Defense, see “Creating Standard Application Defenses” on page 6-45.
Using Application Defense groups and service groups to minimize rule creation
The pre-configured rule called InternetServices uses a service group by the same name (InternetServices). This service group consists of multiple applications such as HTTP, HTTPS, FTP, ping, and Telnet that require Internet access. Using an Application Defense group in this rule allows you to configure advanced, application-specific properties for each service contained in that service group without creating a separate rule for each application. The following table lists the applications that are contained in the InternetServices service group and how each application utilizes the Application Defense group.
Table 4-4. Application Defense group used in the InternetServices rule
Service Group Apps  Application Defense Used in Group
finger              Standard (finger-specific connection properties)
ftp                 FTP (FTP allowed permits, connection properties)
gopher              Standard (gopher-specific connection properties)
http                Web (header filtering, MIME/virus filtering, etc.)
https               SecureWeb (SSL decryption, MIME/virus filtering, etc.)
nntp                Standard (nntp-specific connection properties)
ping                Standard (ping-specific connection properties)
RealMedia           Standard (RealMedia-specific connection properties)
rtsp                Standard (rtsp-specific connection properties)
telnet              Standard (Telnet-specific connection properties)
Proxy rule basics
The following subsections provide information on the basic components that comprise a proxy rule.
Note: This section provides an overview of proxy rules. For instructions on creating proxy rules, see “Creating proxy rules” on page 7-4.
Basic criteria used to allow or deny a connection
The Sidewinder G2 determines whether to allow or deny a proxy or server connection by sequentially checking the rules in the active proxy rule group for the first match to ALL criteria attributed to the connection request. When a match is found, the connection is allowed or denied based on the option selected in the Action field. The basic criteria used to allow or deny a connection include the following:
Note: The Sidewinder G2 uses the first proxy rule that matches all characteristics of the connection request to determine whether the connection will be allowed or denied.
source or destination burb—You can configure a proxy rule to allow or deny connections based on the source burb, the destination burb, or both.
source or destination network object—You can configure a proxy rule to allow or deny connections based on the source network object, the destination network object, or both. The source or destination object can be an IP address, a host name, a domain name, a netmap, a subnet, or a netgroup. A netgroup is a grouping of network objects defined by the Sidewinder G2 administrator (see “Network objects” on page 4-9 for more information on netgroups).
connection service type—You can configure a proxy rule to allow or deny connections based on the service type providing the connection in the Sidewinder G2. Service types include:
— All—Allows connection service for both proxies and servers, but not service groups.
— Proxy—Provides a connection through the Sidewinder G2 in order to access a remote system.
— Server—Provides a service (such as Telnet) directly on the Sidewinder G2.
— Service group—Allows multiple proxies and/or servers to be grouped together and used to define a single proxy rule.
type of network service requested—You can configure a proxy rule to allow or deny connections based on the type of network service that will be provided between the client and server. For proxy connections, the services include FTP, Telnet, and Web (HTTP), as well as many others.
Optional criteria used to allow or deny a connection
When setting up a proxy rule, you can also specify the following optional criteria for a connection.
Note: You can specify any of the following criteria in an ’allow’ rule. However, only the authentication and date/time bullets apply to a ’deny’ rule.
the user requesting the connection—You can configure a proxy rule to allow connections based on a group of which the user requesting the connection is a member. A user group is comprised of multiple users defined by the Sidewinder G2 administrator (see “Users and user groups” on page 4-8 for more information on user groups). This option is only valid when using authentication or SSO.
authentication—You can configure a proxy rule to require the Sidewinder G2 to authenticate the user requesting the connection before granting the connection request. Refer to “Supported authentication methods” on page 9-5 for detailed information on the types of authentication services you can use.
You can also configure a proxy rule to deny with authentication. The purpose of this type of rule would be to allow access to everyone except a specific group of users. For example, you might want to deny Telnet access to your contractors but allow access for your regular employees.
Important: If you are not using SSO, configuring a deny with authentication proxy rule in a mixed service group (authenticating and non-authenticating services like Telnet and ping, respectively) will deny all non-authenticating services. However, if SSO authentication is configured, initial authentication will apply to all services contained in the service group. See “Service groups” on page 4-12 for more information.
the time and day when the connection request is made—You can configure a proxy rule to allow or deny connections based on the time, the day, or both.
Application Defense properties—You can configure a proxy rule to allow connections based on advanced application-specific parameters by selecting the appropriate Application Defense. You can also configure whether the connection will be transparent or non-transparent for some proxies. See “Application Defenses” on page 4-14 for information.
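The deny-with-authentication caveat in the Important note above, together with the service group points under “Service groups”, modelled in Python as an added example. This is illustration code written for this page, not Sidewinder G2 software or its configuration syntax. The users, the contractors group, the host addresses and the SSO sessions are constructed for the example; the list of services that can authenticate follows the guide's own (login, Telnet, FTP, Web, SSH).

```python
"""Deny-with-authentication over a mixed service group (added example; not
Sidewinder G2 code). Encodes the Important note above: a deny rule with a
user group denies members of that group and lets everyone else fall through
to later rules. A service that cannot authenticate (ping) gives the rule no
identity to test, so without SSO the rule denies it for every client; with
SSO the client's initial authentication applies to all services in the group.
Users, groups, hosts and SSO sessions below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Services through which the G2 can authenticate the user inline (the guide lists
# login, Telnet, FTP, Web and SSH). ping has no login exchange.
AUTHENTICATING_SERVICES = frozenset({"login", "telnet", "ftp", "http", "ssh"})
USER_GROUPS: Dict[str, FrozenSet[str]] = {"contractors": frozenset({"bob"})}  # constructed


@dataclass(frozen=True)
class Rule:
    name: str
    services: FrozenSet[str]          # the service group's members
    action: str                       # "allow" or "deny"
    user_group: Optional[str] = None  # set => the rule authenticates the user


@dataclass(frozen=True)
class Connection:
    service: str
    src_ip: str
    login_user: Optional[str] = None  # identity the service's own login would establish


def identify(conn: Connection, sso_sessions: Dict[str, str]) -> Optional[str]:
    """The user behind the connection, or None when no authentication is possible."""
    if conn.src_ip in sso_sessions:               # SSO: one authentication covers all services
        return sso_sessions[conn.src_ip]
    if conn.service in AUTHENTICATING_SERVICES:   # per-service login exchange
        return conn.login_user
    return None


def evaluate(rules, conn: Connection, sso_sessions: Optional[Dict[str, str]] = None):
    """First-match evaluation; a connection matching no rule is denied (assumed)."""
    sso_sessions = sso_sessions or {}
    for rule in rules:
        if conn.service not in rule.services:
            continue
        if rule.user_group is None:
            return rule.action, rule.name
        user = identify(conn, sso_sessions)
        if user is None:
            # Non-authenticating service and no SSO: the rule cannot exclude the client
            # from the denied group, so a deny-with-authentication rule denies it.
            return "deny", rule.name + " (no authentication possible)"
        if user in USER_GROUPS[rule.user_group]:
            return rule.action, rule.name
        # Authenticated user is outside the group: this rule does not apply.
    return "deny", None


INTERNET = frozenset({"telnet", "ping"})   # mixed service group: Telnet authenticates, ping cannot
RULES = [
    Rule("deny_contractors", INTERNET, "deny", user_group="contractors"),  # deny with authentication
    Rule("allow_everyone", INTERNET, "allow"),
]


def demo():
    sso = {"172.20.10.7": "alice", "172.20.10.9": "bob"}   # constructed SSO sessions, keyed by host
    return {
        "telnet_alice": evaluate(RULES, Connection("telnet", "172.20.10.7", "alice")),
        "telnet_bob": evaluate(RULES, Connection("telnet", "172.20.10.9", "bob")),
        "ping_alice_no_sso": evaluate(RULES, Connection("ping", "172.20.10.7")),
        "ping_alice_sso": evaluate(RULES, Connection("ping", "172.20.10.7"), sso),
        "ping_bob_sso": evaluate(RULES, Connection("ping", "172.20.10.9"), sso),
    }
```

Without an SSO session, alice's Telnet is allowed but her ping is denied by the contractor rule, because the rule has no identity to test; once SSO has identified her host, the same ping falls through to the allow rule, while bob's is still denied.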
Using NAT and redirection in proxy rules
You can configure proxy rules to perform Network Address Translation (NAT) and/or redirection. On the Sidewinder G2, NAT refers to rewriting the source address of the packet, while redirection refers to rewriting the destination address of the packet. This protects IP addresses behind the Sidewinder G2 (on your internal network). The following scenarios demonstrate how NAT and redirection work.
Scenario 1 - Internal network to external network Telnet access using NAT
Internal network 172.17.0.0 requires Telnet access to the external network 192.101.0.0. The IP address of a machine on the internal network should not be passed through the Sidewinder G2. Traffic sent from the internal network to the external network should appear as if it originated at the Sidewinder G2. Therefore, a rule must be created that will translate the internal host addresses to the external address of the Sidewinder G2. To allow this type of access, the NAT information would be configured as follows:
Source Burb: internal
Destination Burb: external
Source: 172.17.0.0 (internal address)
Destination: 192.101.0.0 (destination address)
NAT Address: localhost
Scenario 2 - Redirect external connections to an internal Telnet server
An external network at 192.101.0.0 requires Telnet access to the internal host at 172.17.120.123. However, 192.101.0.0 is not allowed to route directly to the internal host. External hosts will initiate a Telnet connection to the external side of the Sidewinder G2 (localhost). The rule will then rewrite the destination address to that of the internal host and forward the traffic onward. The TCP/UDP allow information for the rule could be configured as follows:
Source Burb: external
Destination Burb: internal
Source: 192.101.0.0 (source address)
Destination: localhost
Redirection Address: 172.17.120.123 (internal host)
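The two scenarios above, and the netmap objects described under “Netmap network objects”, modelled in Python as an added example. This is illustration code written for this page, not Sidewinder G2 software or its rule syntax. It assumes /16 masks for the 172.17.0.0 and 192.101.0.0 networks, 192.101.0.1 as the firewall's external address standing in for “localhost”, and 192.101.7.10 and 192.101.7.11 as published addresses for two internal hosts; none of these values come from the guide.

```python
"""NAT, redirection and netmaps (added example; not Sidewinder G2 code).

On the G2, NAT rewrites a packet's source address and redirection rewrites
its destination address. A netmap maps each member (IP address or subnet
object) to an alternate address: as a rule's source it supplies the NAT
address per member, as the destination it supplies the redirection address.
Assumed, not from the guide: 172.17.0.0 and 192.101.0.0 are /16s, the
firewall's external ("localhost") address is 192.101.0.1, and 192.101.7.10
is a published address for the internal host 172.17.120.123.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

FIREWALL_EXTERNAL = "192.101.0.1"   # assumed external address of the Sidewinder G2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Netmap:
    """Netmap members mapped to alternate addresses, matched longest-prefix first
    so that a host member inside a subnet member overrides the subnet's mapping."""

    def __init__(self, members: Iterable[Tuple[str, str]]):
        pairs = [(ip_network(m, strict=False), alt) for m, alt in members]
        self._members = sorted(pairs, key=lambda p: p[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[str]:
        ip = ip_address(addr)
        for member, alt in self._members:
            if ip in member:
                return alt
        return None   # not a member: a rule using this netmap does not match


@dataclass
class Rule:
    name: str
    source: object = None                   # Netmap, ip_network, or None (any)
    destination: object = None
    nat_address: Optional[str] = None       # explicit NAT address (Scenario 1)
    redirect_address: Optional[str] = None  # explicit redirection address (Scenario 2)


def _resolve(obj, addr: str, explicit: Optional[str]):
    """(matched, rewrite) for one address criterion. A Netmap both matches and
    supplies the rewrite from its mapping; any other object only matches, and
    the rule's explicit NAT/redirection address (if any) is the rewrite."""
    if obj is None:
        return True, explicit
    if isinstance(obj, Netmap):
        alt = obj.lookup(addr)
        return alt is not None, alt
    return ip_address(addr) in obj, explicit


def apply_rule(rule: Rule, pkt: Packet) -> Optional[Packet]:
    """The translated packet if the rule matches, else None."""
    src_ok, nat = _resolve(rule.source, pkt.src, rule.nat_address)
    dst_ok, redirect = _resolve(rule.destination, pkt.dst, rule.redirect_address)
    if not (src_ok and dst_ok):
        return None
    return Packet(nat or pkt.src, redirect or pkt.dst)


# Scenario 1: internal Telnet clients leave with the firewall's external address.
SCENARIO_1 = Rule("telnet_out", ip_network("172.17.0.0/16"), ip_network("192.101.0.0/16"),
                  nat_address=FIREWALL_EXTERNAL)
# Scenario 2: Telnet to the firewall's external address is redirected to one internal host.
SCENARIO_2 = Rule("telnet_in", ip_network("192.101.0.0/16"), ip_network(FIREWALL_EXTERNAL + "/32"),
                  redirect_address="172.17.120.123")
# Netmaps: one rule covers several translations. Most internal hosts hide behind the
# firewall; two servers keep their own published addresses and are reached through them.
OUTBOUND_MAP = Netmap([("172.17.0.0/16", FIREWALL_EXTERNAL), ("172.17.120.123/32", "192.101.7.10")])
INBOUND_MAP = Netmap([("192.101.7.10/32", "172.17.120.123"),
                      ("192.101.7.11/32", "172.17.120.124")])   # second published host, assumed
NETMAP_OUT = Rule("netmap_out", OUTBOUND_MAP, ip_network("192.101.0.0/16"))
NETMAP_IN = Rule("netmap_in", ip_network("192.101.0.0/16"), INBOUND_MAP)


def demo():
    return {
        "scenario1": apply_rule(SCENARIO_1, Packet("172.17.4.9", "192.101.3.3")),
        "scenario2": apply_rule(SCENARIO_2, Packet("192.101.8.8", FIREWALL_EXTERNAL)),
        "netmap_host": apply_rule(NETMAP_OUT, Packet("172.17.4.9", "192.101.3.3")),
        "netmap_server": apply_rule(NETMAP_OUT, Packet("172.17.120.123", "192.101.3.3")),
        "netmap_in": apply_rule(NETMAP_IN, Packet("192.101.8.8", "192.101.7.11")),
        "not_a_member": apply_rule(NETMAP_OUT, Packet("10.9.9.9", "192.101.3.3")),
    }
```

The longest-prefix ordering in Netmap is what lets a single netmap rule carry both the "hide everything behind the firewall" mapping and a per-host exception; a packet whose address is in none of the members does not match the rule at all, rather than passing through untranslated.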
Simple proxy rule examples
This section provides several examples of proxy rules to help you better understand how the Sidewinder G2 uses a rule to determine whether to allow or deny a connection request.
Table 4-5 summarizes criteria for a proxy rule that permits any client in a trusted burb to connect to any Web server located in the Internet burb.
Note: These criteria reflect only the basic settings needed to allow access.
Table 4-5. Sample settings for a simple proxy rule
Basic rule criteria  Setting            Comments
Service Type         Proxy              Software service type: proxy, server, or service group.
Service              HTTP               Type of service: Telnet, FTP, Web (HTTP), etc.
Action               Allow              Specifies whether to allow or deny a service.
Source Burb          Internal           Name of the source burb.
Source               any (leave blank)  Name of the source network object.
Dest. Burb           Internet           Name of the destination burb.
Destination          any (leave blank)  Name of the destination network object.
App. Defense         Web                Contains application-specific properties.
There are a number of optional effects you can configure for each proxy rule. For example, by adding the entry options shown in Table 4-6, you can specify which internal users are allowed Web access, specify a time interval when Web access is allowed, and require authentication.
Table 4-6. Optional proxy rule options
Optional rule criteria  Setting          Comments
User Group              marketing        Specify the name of a user group.
Authentication          Password         Specify the authentication method(s). FTP and Telnet proxies and console logins can also specify Password, Radius, SafeWord, SecurID, or SNK.
Times/Day               Mon-Fri 7am-7pm  Specify the time restrictions for allowing or denying service.
Important: If you are not using SSO, user groups can be used in an allow rule only if the specified service supports authentication (login, Telnet, FTP, Web, or secure shell [SSH]).
Figure 4-6. Sample Network Configuration
Example of proxy rules using netgroups
For the configuration shown in Figure 4-6, the Sidewinder G2 administrator has grouped all internal systems into one of three netgroups: marketing (mkt_net_group), engineering (eng_net_group), and accounting (acct_net_group).
Note: For more information on netgroups, see “Network objects” on page 4-9.
Figure 4-6 shows the netgroups mkt_net_grp, eng_net_grp, and acct_net_grp in the internal burb (172.20.1.1) connecting through the Sidewinder G2 proxies to the external burb (192.55.214.2) and the Internet, where the FTP host 192.55.12.3 is located.
Suppose you want to allow all groups access to external FTP sites but only the engineering group access to FTP host 192.55.12.3. Table 4-7 shows the proxy rules in the order that they should be added to the rule group.
Table 4-7. Proxy rules for sample configuration shown in Figure 4-6
Criteria                   Rule 1: allow_eng_ftp  Rule 2: deny_other_ftp  Rule 3: allow_oth_ftp
Service Type               Proxy                  Proxy                   Proxy
Service                    FTP                    FTP                     FTP
Action                     Allow                  Deny                    Allow
Source Burb                Internal               Internal                Internal
Source                     eng_net_group          any (leave blank)       any (leave blank)
Dest. Burb                 Internet               Internet                Internet
Destination                192.55.12.3            192.55.12.3             any (leave blank)
User Group                 any (leave blank)      any (leave blank)       any (leave blank)
Authentication             SafeWord               (blank)                 (blank)
Times/Days                 Fri 7am-7pm            (blank)                 (blank)
Application Defense (FTP)  Allow Put/Get          deny_all                Allow Put/Get
The following list summarizes key points to consider for the proxy rules listed in Table 4-7.
Rule 1 allows all systems in the engineering group authenticated FTP access to IP address 192.55.12.3 on the Internet, but only on Friday between 7:00 a.m. and 7:00 p.m.
Note: This rule requires users to authenticate themselves via SafeWord before an FTP connection is allowed.
Rule 2 denies all systems in the trusted burb named internal FTP service to IP address 192.55.12.3 on the Internet. Because the first matching rule wins, this includes engineering systems outside the Friday 7:00 a.m. to 7:00 p.m. window: they fail to match Rule 1 and fall through to Rule 2.
Rule 3 allows FTP service from all systems in the internal trusted burb to any external system in the Internet burb. If Rule 3 were placed above Rule 2, it would match every internal FTP connection first and the restriction on 192.55.12.3 would never take effect.
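The first-match evaluation of Table 4-7 worked through in Python, as an added example that is not Sidewinder G2 code or configuration syntax. It also implements the subnet, domain and netgroup objects described under “Network objects”, including a nested netgroup. The netgroup memberships and client hosts are constructed (Figure 4-6 names the netgroups but not their members), the 7am-7pm window is read as 07:00 up to but not including 19:00, and a connection matching no rule is treated as denied; these are assumptions, not statements from the guide. Authentication is left out of this model.

```python
"""First-match proxy rule evaluation over netgroups (added example; not Sidewinder G2
code). Models the three FTP rules of Table 4-7 with the network objects described under
"Network objects": subnet (an IP address object is a /32 here), domain, and netgroup,
including a nested netgroup. Authentication is left out of this model."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

Endpoint = namedtuple("Endpoint", "ip hostname", defaults=(None,))  # hostname: DNS name if known
Connection = namedtuple("Connection", "service source_burb dest_burb src dst when")


def subnet(cidr):
    """Subnet object: network address plus mask; a /32 is a single IP address object."""
    net = ip_network(cidr, strict=False)
    return lambda ep: ip_address(ep.ip) in net


def domain(name):
    """Domain object: matches the domain itself and any resolvable name beneath it."""
    name = name.lower().strip(".")

    def member(ep):
        host = (ep.hostname or "").lower().rstrip(".")
        return host == name or host.endswith("." + name)
    return member


def netgroup(*members):
    """Netgroup object: any member matches; members may themselves be netgroups."""
    return lambda ep: any(m(ep) for m in members)


@dataclass
class Rule:
    name: str
    service: str
    action: str                 # "allow" or "deny"
    source_burb: str
    dest_burb: str
    source: object = None       # network object (callable on an Endpoint); None = any
    destination: object = None
    days: set = None            # weekday numbers, Monday = 0; None = any day
    hours: tuple = None         # (start, end) hour, end exclusive (assumed); None = any time


def rule_matches(rule, conn):
    """True only when every criterion of the rule matches the connection."""
    return (
        rule.service == conn.service
        and (rule.source_burb, rule.dest_burb) == (conn.source_burb, conn.dest_burb)
        and (rule.source is None or rule.source(conn.src))
        and (rule.destination is None or rule.destination(conn.dst))
        and (rule.days is None or conn.when.weekday() in rule.days)
        and (rule.hours is None or rule.hours[0] <= conn.when.hour < rule.hours[1])
    )


def evaluate(rules, conn):
    """(action, rule name) of the first rule matching ALL criteria; no match = deny (assumed)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return "deny", None


# Constructed sample objects: Figure 4-6 names the netgroups but not their members.
ENG_LAB = netgroup(subnet("172.20.30.0/24"))                           # nested netgroup
ENG_NET_GROUP = netgroup(subnet("172.20.10.0/24"), domain("eng.bizco.net"), ENG_LAB)
FTP_HOST = subnet("192.55.12.3/32")                                    # FTP host of Figure 4-6
FRIDAY = {4}
TABLE_4_7 = [
    Rule("allow_eng_ftp", "ftp", "allow", "internal", "internet", ENG_NET_GROUP, FTP_HOST, FRIDAY, (7, 19)),
    Rule("deny_other_ftp", "ftp", "deny", "internal", "internet", None, FTP_HOST),
    Rule("allow_oth_ftp", "ftp", "allow", "internal", "internet"),
]


def ftp(src, when, dst="192.55.12.3"):
    return Connection("ftp", "internal", "internet", src, Endpoint(dst), when)


def demo():
    fri = datetime(2005, 3, 4, 10, 0)   # a Friday, 10:00
    mon = datetime(2005, 3, 7, 10, 0)   # the following Monday
    eng = Endpoint("172.20.10.7", "ws7.eng.bizco.net")
    lab = Endpoint("172.20.30.2")       # a member only through the nested ENG_LAB netgroup
    mkt = Endpoint("172.20.20.5", "pc5.mkt.bizco.net")
    reordered = [TABLE_4_7[0], TABLE_4_7[2], TABLE_4_7[1]]  # allow_oth_ftp moved above the deny
    return {
        "eng_friday": evaluate(TABLE_4_7, ftp(eng, fri)),
        "lab_friday": evaluate(TABLE_4_7, ftp(lab, fri)),
        "eng_monday": evaluate(TABLE_4_7, ftp(eng, mon)),
        "mkt_friday": evaluate(TABLE_4_7, ftp(mkt, fri)),
        "mkt_other_host": evaluate(TABLE_4_7, ftp(mkt, fri, "192.55.99.9")),
        "mkt_friday_reordered": evaluate(reordered, ftp(mkt, fri)),
    }
```

The last entry shows why the order in Table 4-7 matters: with allow_oth_ftp above deny_other_ftp, the marketing host reaches 192.55.12.3 and the engineering-only restriction is never consulted. The lab host is admitted by Rule 1 only because netgroup membership is resolved through the nested ENG_LAB group.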
Advanced proxy rule example using service groups
Now assume you want to specify all the various privileges afforded each of the three netgroups in Figure 4-6. You could do this by defining many different allow and deny proxy rules. However, because the source and destination criteria for each of the network objects within a group are identical, a more eleg
ant option is to use service groups. Service groups enable you to use a single proxy rule to define all the privileges assigned to a particular group.
Note: For more information on service groups, see “Service groups” on page 4-12.
For example, assume you want to assign the following privileges to each of the netgroups in Figure 4-6:
Engineering group—Access to all Sidewinder G2 proxies and servers
Marketing group—Access to the Web, FTP, and e-mail via the http, ftp, and smtp proxies
Accounting group—Access to FTP and e-mail via the ftp and smtp proxies
You first define three different service groups. This is illustrated in Table 4-8.
Table 4-8. Sample service groups
Criteria          EngServiceGrp  MktServiceGrp    AcctServiceGrp
Selected Proxies  All proxies    HTTP, FTP, SMTP  FTP, SMTP
Selected Servers  All servers    None             None
You then use the service groups when defining your proxy rules. Table 4-9 shows the sample proxy rules.
Table 4-9. Proxy rules for the advanced rule group example
Criteria                   Entry 1: eng_rule  Entry 2: deny_other_ftp  Entry 3: mkt_rule  Entry 4: acct_rule
Service Type               Service Group      Proxy                    Service Group      Service Group
Service                    EngServiceGrp      FTP                      MktServiceGrp      AcctServiceGrp
Action                     Allow              Deny                     Allow              Allow
Source Burb                Internal           Internal                 Internal           Internal
Source                     eng_net_group      Any (leave blank)        mkt_net_group      acct_net_group
Dest. Burb                 Any (leave blank)  Internet                 Internet           Internet
Destination                Any (leave blank)  192.55.12.3              Any (leave blank)  Any (leave blank)
User Group                 Any (leave blank)  Any (leave blank)        Any (leave blank)  Any (leave blank)
Authentication             SafeWord           (blank)                  SafeWord           SafeWord
Times/Days                 (blank)            (blank)                  (blank)            (blank)
Application Defense group  Web, FTP, Mail     deny_all                 Web, FTP, Mail     Web, FTP, Mail
Default rules
As mentioned earlier in this chapter, when you configure the Sidewinder G2 you can select from one of two sets of default services that will be automatically placed in the active proxy rule group during initial configuration:
Administration Services Only
Standard Internet
Active rules for Administration Only
If you select Administration Services Only, a minimum list of rules (needed to maintain an operational Sidewinder G2) is placed in the default active rule group, called Administration. No traffic is allowed between any of the burbs. The minimum set includes the following rules:
Note: If you select Administration Services Only, the default Standard Internet rules will still be placed in the Rules window for later use, if needed. However, they will not initially be included in the active proxy rule group.
Understanding Policy Configuration 4-25
Table 4-10. Administration Services Only active proxy rules and rule groups<br />
Proxy rule name: Summary<br />
Login Console: This rule allows administrators to log in directly at the<br />
Sidewinder G2, using an attached keyboard and monitor.<br />
Admin Console: This rule allows administrators to connect to the<br />
Sidewinder G2 using the Admin Console.<br />
Single Sign-On: This rule allows redirection to the Single Sign-On (SSO)<br />
daemon. It is initially disabled. If you will be using SSO<br />
authentication, you will need to enable this rule.<br />
Synchronization: This rule allows the synchronization server to access the<br />
burbs for which it is enabled. This rule is initially disabled.<br />
If you configure One-To-Many or High Availability, you<br />
will need to enable this rule.<br />
Entrelay: This rule allows relay service access to the burbs for<br />
which it is enabled. This rule is initially disabled. If you are<br />
configuring One-To-Many or High Availability, you will<br />
need to enable this rule.<br />
Shun Server: This rule allows the shund server to accept shunning<br />
requests from Intrusion Detection Servers (IDS), and<br />
verify the signature on the data that the IDS has<br />
generated. This rule is initially disabled.<br />
Additional rules for Standard Internet<br />
If you selected Standard Internet services, the following additional<br />
rules will be added to the proxy rule list. (The rule names may vary<br />
slightly on your system.)<br />
Note: Rules that are automatically placed in the default active proxy rules are bold.<br />
However, some rules need to be enabled before they will pass traffic.
Table 4-11. Additional rules and groups included in the Standard Internet rule<br />
set<br />
Rule Name: Summary<br />
Internet Services: This rule is automatically included in the active proxy<br />
rule group. It provides users access to the most<br />
commonly used Internet services using a preconfigured<br />
“InternetServices” service group. The<br />
Standard Internet rule regulates access to the<br />
following proxies and servers:<br />
Finger<br />
FTP<br />
Gopher<br />
HTTP<br />
HTTPS<br />
NNTP<br />
Ping<br />
Real Media<br />
RTSP<br />
Telnet<br />
NetMeeting: This rule is also added to the Rules window, but is not<br />
automatically included in the active proxy rules. If<br />
your site requires NetMeeting access, refer to “T.120<br />
and H.323 proxy considerations” on page 8-22.<br />
dns self: Allows DNS clients from the specified internal burb<br />
to use the unbound DNS server on the Sidewinder G2.<br />
Mutually exclusive rules for Transparent DNS configurations<br />
Plus the rule below if using transparent DNS with a single external<br />
resolver<br />
dnsp_all_to_external_resolver: Allow DNS clients in the internal burb<br />
through to the external resolver<br />
Plus the rules below if using transparent DNS with a single internal<br />
resolver<br />
dnsp_internal_to_external: Allow DNS clients on the internal burb to<br />
proxy through to the external burb<br />
dnsp_external_to_internal_prim_resolver: Allow DNS clients on the<br />
external burb to proxy through to the internal primary resolver<br />
Plus the rules below if using transparent DNS with both internal &<br />
external resolver (split)<br />
dnsp_deny_external_to_internal_resolvers: Deny DNS clients in the<br />
external burb to the internal burb resolvers, used with the<br />
dnsp_all_to_internal_resolvers entry<br />
dnsp_all_to_internal_resolvers: Allow DNS clients in all burbs to the<br />
internal burb resolvers, used with the<br />
dnsp_deny_external_to_internal_resolvers entry<br />
dnsp_internal_resolvers_to_external: Allow the internal burb resolvers<br />
through to the external burb<br />
Mutually exclusive rules for SMTP configurations<br />
Plus the rules below if using transparent SMTP<br />
smtp out: Allow SMTP access from internal to external. This rule<br />
is created and included in the Mail rule group if you<br />
selected transparent Mail services during configuration.<br />
smtp in: Allow SMTP access from external to internal. This rule<br />
is created and included in the Mail rule group if you<br />
selected transparent Mail services during configuration.<br />
Plus the rule below if using Secure Split SMTP<br />
smtp all: This rule is created and included in the Mail rule<br />
group if you selected Secure Split SMTP servers<br />
during configuration.<br />
IP Filter rule basics<br />
IP Filter rules allow you to securely forward IP packets between<br />
networks, allowing traffic to pass between the networks (for example,<br />
encrypted VPN sessions). You can create IP filter rules for TCP, UDP,<br />
ICMP, and many other protocols (such as AH).<br />
Functionally, IP Filter is based upon a rule database in the Sidewinder<br />
G2 kernel. IP Filter rules filter incoming packets based on source and<br />
destination IP address. Like proxy rules, IP Filter rules also have the<br />
option of using network address translation (NAT) and/or redirection.<br />
You can configure and manage the IP Filter rule database using the<br />
Admin Console.<br />
IP Filter processing can be configured to reject the following source<br />
address packets:<br />
Packets with broadcast source addresses<br />
Packets with source addresses on a loopback network that were<br />
received on a non-loopback device<br />
Note: Packets that are rejected for source route information will generate a<br />
netprobe audit event.<br />
When you initially configure the Sidewinder G2, you will have a<br />
default IP Filter rule group that is assigned in the active rules. This<br />
rule group is empty. You can create and add rules and/or rule groups<br />
to this group, or create your own group and assign it as the active rule<br />
group instead.<br />
Figure 4-7. IP Filtering on non-TCP/UDP packets (flowchart: incoming<br />
packet -> active IP Filter rules; no match: Sidewinder G2 normal<br />
processing; match -> allow or deny rule? Deny rule: reject packet, no<br />
further processing; Allow rule: translate packet as the rule requires,<br />
then continue application layer proxy processing)<br />
The following two sections summarize how IP Filtering works for<br />
non-TCP/UDP traffic and for TCP/UDP traffic.<br />
Note: For information on creating IP Filter rules, see “Creating IP Filter rules” on page 7-12.<br />
Using IP Filter to filter non-TCP/UDP traffic<br />
When a non-TCP/UDP packet is received on one of the Sidewinder<br />
G2 network interfaces, the Sidewinder G2 checks the active IP Filter<br />
rules to determine whether the packet matches any of the allow rules<br />
specified. If a rule match is found, the packet source or destination<br />
address and ports will be translated according to the translation<br />
information that is configured for that rule. The packet then is<br />
forwarded on for any further Sidewinder G2 processing. The<br />
flowchart in Figure 4-7 illustrates this process.<br />
Note: If there are no rules in the IP Filter database, the IP Filter is bypassed and the<br />
Sidewinder G2 performs normal processing on the packet.<br />
Using IP Filter to filter TCP/UDP traffic<br />
Security Alert: Secure Computing strongly recommends that you use IP Filter only for<br />
non-TCP/UDP protocols, such as Vines, PPTP, NES, etc. Using IP Filter for a TCP/UDP<br />
protocol will, in most cases, severely degrade the effectiveness of the Sidewinder G2 and<br />
will expose your network to security hazards.<br />
When a TCP or UDP packet is received on one of the Sidewinder G2<br />
network interfaces, the Sidewinder G2 checks an IP Filter session<br />
record database to determine if an active session record exists for this<br />
traffic.<br />
Note: The following bullets assume that session tracking is enabled.<br />
If an active session record exists, the following occurs:<br />
— Perform address rewriting, if required<br />
— Perform session processing<br />
— Forward packet directly to the correct destination interface<br />
without any additional processing<br />
If no active session record exists, the Sidewinder G2 checks the IP<br />
Filter allow TCP/allow UDP database to determine if an allow rule<br />
exists that will permit this traffic to be forwarded.<br />
If an allow rule does not exist, normal Sidewinder G2 processing is<br />
performed on the packet.<br />
If an allow rule does exist, the following occurs:<br />
— Add a session record to the session record database<br />
— Perform Network Address Translation (NAT) if required<br />
— Session processing occurs<br />
— Forward packet directly to the correct destination interface<br />
without any additional processing by the Sidewinder G2<br />
The flowchart in Figure 4-8 illustrates the complete process.<br />
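The decision flow of the two sections above (Figures 4-7 and 4-8), written out as a small Python model. This is an added example, not Secure Computing's code; the rule fields, the session key and the sample addresses (taken from the example network later in this section) are assumptions made for the illustration.

```python
"""Model of the IP Filter decision flow described in the text.
Added illustration only; rule/packet fields are simplified assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", or a non-TCP/UDP protocol such as "gre"
    src: str
    dst: str
    sport: int = 0    # ports are only meaningful for tcp/udp
    dport: int = 0


@dataclass
class Rule:
    proto: str
    src_net: str                      # CIDR the packet source must fall in
    dst_net: str                      # CIDR the packet destination must fall in
    action: str = "allow"             # "allow" or "deny"
    nat_addr: Optional[str] = None    # NAT: rewrite the source to this address
    bidirectional: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


class IPFilter:
    def __init__(self, rules, session_tracking=True):
        for r in rules:
            # Constraint stated in the guide: no NAT/redirection on a
            # bi-directional TCP/UDP rule when session tracking is enabled.
            if (session_tracking and r.bidirectional and r.nat_addr
                    and r.proto in ("tcp", "udp")):
                raise ValueError(f"NAT not allowed on bi-directional {r.proto} rule")
        self.rules = list(rules)
        self.session_tracking = session_tracking
        self.sessions = {}    # session key -> NAT address to apply (or None)

    @staticmethod
    def _translate(pkt: Packet, nat_addr: Optional[str]) -> Packet:
        if not nat_addr:
            return pkt
        return Packet(pkt.proto, nat_addr, pkt.dst, pkt.sport, pkt.dport)

    def process(self, pkt: Packet):
        """Return (disposition, packet as it leaves IP Filter)."""
        if not self.rules:
            return "bypass", pkt                  # empty database: IP Filter skipped
        if pkt.proto in ("tcp", "udp"):
            return self._process_tcp_udp(pkt)
        return self._process_other(pkt)

    def _process_other(self, pkt: Packet):
        """Figure 4-7: non-TCP/UDP packets consult the rules on every packet."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None:
            return "normal-processing", pkt       # no match: normal G2 processing
        if rule.action == "deny":
            return "reject", pkt                  # deny rule: drop, nothing further
        # allow rule: translate as the rule requires, then on to the proxies
        return "continue-proxy-processing", self._translate(pkt, rule.nat_addr)

    def _process_tcp_udp(self, pkt: Packet):
        """Figure 4-8: TCP/UDP packets are matched against session records first."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.session_tracking and key in self.sessions:
            # existing session: rewrite if required and forward directly
            return "forward-existing-session", self._translate(pkt, self.sessions[key])
        rule = next((r for r in self.rules
                     if r.action == "allow" and r.matches(pkt)), None)
        if rule is None:
            return "normal-processing", pkt       # no allow rule: normal G2 processing
        if self.session_tracking:
            self.sessions[key] = rule.nat_addr    # add a session record
        return "forward-new-session", self._translate(pkt, rule.nat_addr)
```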
Figure 4-8. IP Filtering on TCP/UDP packets (flowchart: TCP/UDP packet<br />
in -> does a session exist? yes: translate as required, perform session<br />
processing, forward message without further processing; no: match an<br />
“allow” rule? yes: add a session, then translate and forward as above;<br />
no: the Sidewinder G2 performs additional processing; packet out)<br />
Using NAT and redirection for IP Filter rules<br />
Many organizations use network address translation (NAT) and/or<br />
redirection to prevent internal addresses from being visible to external<br />
users. On the Sidewinder G2, NAT refers to rewriting the source<br />
address of the packet to the external address of the Sidewinder G2 (or<br />
an address you specify). This allows you to protect (or hide) the<br />
actual client source address, and in the case of non-routable source<br />
addresses (such as 10.0.0.0) rewrite it to an address that can be routed<br />
on the Internet. Redirection refers to rewriting the destination address<br />
of an incoming packet to a redirect host for delivery.<br />
Figure 4-9. Example network<br />
Note: NAT and redirection function independently of one another. For applications that<br />
allow either side of a connection to act as the client, you will generally create two rules: one<br />
using NAT, and one using redirection.<br />
Caution: Allowing IP Filter to pass traffic without NAT or redirection is possible assuming<br />
all addresses are routable. However, it is not recommended because it will expose internal<br />
addresses to the external side of your Sidewinder G2.<br />
When NAT or redirection is enabled in a rule, the source address in<br />
the rule is always protected, as follows:<br />
For a rule of source -> destination, enabling NAT will "hide" the<br />
source address from the destination for traffic originating from the<br />
source by translating that address to the external address of the<br />
Sidewinder G2.<br />
For a rule of source -> redirect address, the destination (or external<br />
Sidewinder G2 address) will be redirected to the actual source<br />
address, which hides the redirected address for traffic returning to the<br />
source.<br />
Note: NAT or redirection are not allowed for bi-directional TCP/UDP IP Filter rules with<br />
session tracking enabled.<br />
For the following scenarios, assume your network looks like this<br />
(Figure 4-9): an internal network 172.17.0.0, the Sidewinder G2 with<br />
internal address 172.17.129.130 and external address 10.11.12.13, and an<br />
external network 192.101.0.0.<br />
Limitations of NAT for IP Filter TCP/UDP protocols<br />
Note the following limitations when setting up rules involving address<br />
rewriting for TCP/UDP protocols.<br />
NAT and redirection are not allowed for bi-directional TCP/UDP IP<br />
Filter rules with session tracking enabled.<br />
For address rewrite rules with redirection to the source address,<br />
only uni-directional rules are allowed. Furthermore, the destination<br />
address in this type of rule must have a significant bits value of 32<br />
(that is, it must be a single host). This is because the redirect<br />
address must be a single host.<br />
Setting the IP Filter NAT port rewrite range<br />
When a packet from a source reaches the Sidewinder G2 and matches<br />
an IP Filter rule with NAT configured, the source port and source<br />
address will be rewritten and the packet will then be forwarded to its<br />
destination.<br />
To facilitate this process, the IP Filter reserves a block of 200 ports for<br />
its own use. The OS will never allow a process to bind to a port in<br />
this range. Creating a TCP generic services proxy in this port range<br />
will not work. The default range is set to 38000–38199.<br />
If you need a port in IP Filter's reserved range (perhaps for a generic<br />
proxy), the range can be moved by modifying the Start of Reserved<br />
Ports field in the IP Filter Properties window. See “Viewing and<br />
modifying general IP Filter properties” on page 7-25.<br />
It is possible that an existing TCP proxy connection may be using a<br />
port in the range you specify. In this case the ipfilter command<br />
will fail. You should look at the current port usage by entering the<br />
netstat -a command and adjust the IP Filter port range accordingly.<br />
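One way to automate the netstat check just described, as an added example that is not part of the guide: it parses netstat -a output and lists the local ports already in use inside a proposed reserved block, so a conflicting start value is caught before the ipfilter command fails. The sample output is constructed here and assumes the BSD-style address.port column format; adjust the regular expression if your netstat prints addresses differently.

```python
"""Find ports in netstat -a output that collide with a proposed IP Filter
reserved block.  Added example; NETSTAT_SAMPLE is constructed, not real."""
import re

NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.11.12.13.38042      192.101.0.7.80         ESTABLISHED
tcp4       0      0  172.17.129.130.23      172.17.5.5.1043        ESTABLISHED
tcp4       0      0  *.9003                 *.*                    LISTEN
udp4       0      0  *.38150                *.*
"""

# BSD netstat prints address.port; the port is the last dot-separated field.
LINE_RE = re.compile(r"^(tcp\d?|udp\d?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def local_ports_in_use(netstat_output: str) -> dict:
    """Return {(proto, port): state} for every local TCP/UDP socket listed."""
    used = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers and non-IP sockets
        proto, local, _foreign, state = m.groups()
        port = local.rsplit(".", 1)[-1]
        if port.isdigit():
            used[(proto.rstrip("46"), int(port))] = state or ""
    return used


def range_conflicts(netstat_output: str, start: int, count: int = 200) -> list:
    """Ports within [start, start + count) that are already in use.  An empty
    list means the block starting at `start` can be reserved without a clash."""
    used = local_ports_in_use(netstat_output)
    return sorted((proto, port) for (proto, port) in used
                  if start <= port < start + count)
```

With the constructed sample, the default block 38000–38199 collides with two sockets while a block starting at 39000 is free.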
Specifying the source port in an IP Filter rule<br />
The Sidewinder G2 enables you to specify the source port value to<br />
use in an IP Filter connection. This capability is typically only used<br />
when connecting to an application that requires the source port to be<br />
a specific value. (In some cases the application will require the source<br />
port to be the same value as the port on which the application is<br />
listening.)<br />
This capability is implemented by configuring NAT on the appropriate<br />
IP Filter rule. This "source port" implementation of NAT, however, is<br />
different from a normal implementation of NAT.<br />
Normal—Each connection uses the same IP address but gets its<br />
source port from a pool of ports. When using normal NAT rules,<br />
the total number of connections is dependent on the number of<br />
ports reserved for IP Filter in the IP Filter Properties window.<br />
Source port—Each connection uses the original client source port,<br />
but gets its translated IP address from a pool of IP addresses. (The<br />
pool of IP addresses is derived from whatever IP aliases are<br />
defined for the associated NIC. The total number of connections is<br />
therefore dependent on the number of alias addresses defined for<br />
the NIC.) The pool of addresses is normally a group of alias IP<br />
addresses associated with the destination NIC. The total number of<br />
connections is therefore dependent on the number of IP addresses<br />
specified by the rule.<br />
Figure 4-10 and Figure 4-11 illustrate the differences in the two<br />
implementations.<br />
Figure 4-10. Normal NAT IP Filter rule implementation (workstation A at<br />
172.27.18.9 on the internal network; Sidewinder G2 external address<br />
11.80.1.1 with a pool of available IP Filter ports 38000 .... 38199;<br />
app. B at 192.1.1.1 listening on port 50)<br />
Possible connections from workstation A to application B using a<br />
normal NAT IP Filter rule:<br />
Internal IP   Source IP   Source Port   Dest IP     Dest Port<br />
172.27.18.9   11.80.1.1   38142         192.1.1.1   50<br />
172.27.18.9   11.80.1.1   38077         192.1.1.1   50<br />
172.27.18.9   11.80.1.1   38012         192.1.1.1   50<br />
172.27.18.9   11.80.1.1   38184         192.1.1.1   50<br />
Figure 4-11. "Source port" NAT IP Filter rule implementation (workstation<br />
A at 172.27.18.9 on the internal network; Sidewinder G2 external address<br />
11.80.1.1 with a pool of available IP addresses made up of the IP<br />
aliases 11.80.1.4, 11.80.1.5, 11.80.1.6 and 11.80.1.7; app. B at 192.1.1.1<br />
listening on port 50)<br />
Possible connections from workstation A to application B using a<br />
“source port” NAT IP Filter rule:<br />
Internal IP      Source IP   Source Port   Dest IP     Dest Port<br />
172.27.18.9:50   11.80.1.4   50            192.1.1.1   50<br />
172.27.18.9:50   11.80.1.5   50            192.1.1.1   50<br />
172.27.18.9:50   11.80.1.6   50            192.1.1.1   50<br />
172.27.18.9:50   11.80.1.7   50            192.1.1.1   50<br />
By specifying one or more IP aliases you can have multiple<br />
connections (each connection uses the same port number but a<br />
different IP address).<br />
Requirements<br />
Please note the following requirements when using NAT to specify the<br />
source port of an IP Filter connection.<br />
This configuration only applies to uni-directional (source -><br />
destination) TCP/UDP IP Filter rules with stateful inspection<br />
enabled.<br />
Use Source Port when specifying the source port in an IP Filter<br />
connection. See “Creating IP Filter rules” on page 7-12 for more<br />
information.<br />
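The capacity difference between the two NAT implementations described above, modelled as an added Python example (not Sidewinder code) with the addresses from Figures 4-10 and 4-11. Normal NAT runs out when the 200 reserved ports are used up; "source port" NAT runs out when every IP alias is in use. The allocators take pool entries in order, which is an assumption; the figures show ports chosen in no particular order.

```python
"""Normal NAT (one external address, a pool of ports) versus "source port"
NAT (one port, a pool of alias addresses).  Added illustration only."""
from typing import List, Optional, Tuple

Conn = Tuple[str, int, str, int]   # (source ip, source port, dest ip, dest port)


class NormalNat:
    """Every connection leaves with the same external address; the source
    port comes from the reserved IP Filter port block (default 38000-38199)."""

    def __init__(self, external_ip: str, start: int = 38000, count: int = 200):
        self.external_ip = external_ip
        self.free_ports = list(range(start, start + count))
        self.active = {}    # translated conn -> original client conn

    def connect(self, client_ip: str, client_port: int, dst: str, dport: int) -> Optional[Conn]:
        if not self.free_ports:
            return None     # port block exhausted: no further connections
        conn = (self.external_ip, self.free_ports.pop(0), dst, dport)
        self.active[conn] = (client_ip, client_port, dst, dport)
        return conn

    def close(self, conn: Conn) -> None:
        del self.active[conn]
        self.free_ports.append(conn[1])     # port returns to the pool


class SourcePortNat:
    """Every connection keeps the client's original source port; the source
    address instead comes from the IP aliases defined on the NIC."""

    def __init__(self, aliases: List[str]):
        self.free_aliases = list(aliases)
        self.active = {}

    def connect(self, client_ip: str, client_port: int, dst: str, dport: int) -> Optional[Conn]:
        if not self.free_aliases:
            return None     # one connection per alias, all aliases in use
        conn = (self.free_aliases.pop(0), client_port, dst, dport)
        self.active[conn] = (client_ip, client_port, dst, dport)
        return conn

    def close(self, conn: Conn) -> None:
        del self.active[conn]
        self.free_aliases.append(conn[0])   # alias returns to the pool


def capacity(nat, client_ip="172.27.18.9", client_port=50,
             dst="192.1.1.1", dport=50) -> int:
    """Open connections from workstation A to app. B until the pool runs dry
    and return how many succeeded."""
    n = 0
    while nat.connect(client_ip, client_port, dst, dport) is not None:
        n += 1
    return n
```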
Sharing IP Filter sessions in an HA cluster<br />
When IP Filter session sharing is configured for an HA cluster, the<br />
primary Sidewinder G2 sends out multicast messages to notify the<br />
secondary/standby Sidewinder G2 of IP Filter session activity (such as<br />
a new session, closed session, or change in session state). Each time a<br />
secondary/standby Sidewinder G2 receives a message, it updates its<br />
local session table accordingly. All sessions received from the primary<br />
Sidewinder G2 will have a status of shared on the secondary/standby<br />
Sidewinder G2.<br />
When HA causes a secondary/standby Sidewinder G2 to take over as<br />
the acting primary, the shared sessions on the acting primary become<br />
available. When a packet is received for a session, it will be validated<br />
against the rules of the acting primary Sidewinder G2. The acting<br />
primary Sidewinder G2 will then begin sending multicast state-change<br />
messages.<br />
Specifying the number of TCP or UDP IP Filter sessions<br />
By default, the Sidewinder G2 allows only 1,000 active TCP and UDP<br />
filter sessions. These limits can be changed by modifying the Max TCP<br />
Sessions or Max UDP Sessions field in the IP Filter General Properties<br />
window. See “About the IP Filter General Properties window” on<br />
page 7-25.<br />
CHAPTER 5<br />
Creating Rule Elements<br />
About this chapter<br />
This is a task-oriented chapter that provides instructions for creating<br />
rule elements. Rule elements include users and user groups, network<br />
objects, and service groups. Rule elements allow you to organize<br />
multiple users, objects, or services into useful groups that will save<br />
time and enable you to create fewer rules with greater capabilities.<br />
Note: For an overview of each rule element, see Chapter 4.<br />
This chapter covers the following topics:<br />
“Creating users and user groups” on page 5-1<br />
“Creating network objects” on page 5-10<br />
“Creating service groups” on page 5-21<br />
Creating users and user groups<br />
A user is a person who uses the networking services provided by the<br />
Sidewinder G2. A user group is a logical grouping of one or more<br />
users, identified by a single name. You can also nest one or more user<br />
groups within a user group.<br />
Note: For basic information on users and user groups, see “Users and user groups” on<br />
page 4-8.<br />
To display the current users and user groups configured for your<br />
Sidewinder G2, using the Admin Console select Policy Configuration -><br />
Rule Elements -> Users & User Groups. The following window appears.<br />
Creating Rule Elements 5-1
Figure 5-1. Users and User Groups window<br />
About the Users and User Groups window<br />
This window displays the users and user groups currently configured<br />
in the user database. In this window you can perform the following<br />
actions:<br />
Note: When you initially install your Sidewinder G2, the only user that will appear is the<br />
user name for the administrator account you defined during installation. There will not be<br />
any user groups defined.<br />
Display users, groups, or both—You can display only users (Users),<br />
only groups (Groups) or both users and groups (All) using the Show<br />
drop-down list.<br />
Filter users and/or groups—You can filter the users and/or groups<br />
that are displayed in the window by typing alphabetic characters<br />
for which you want to filter in the Match field. For example, if you<br />
type br in the Match field, only users and groups whose name<br />
begins with “br” will appear in the list.<br />
Note: The Match field is case sensitive.<br />
Add or modify a user or user group—To add a new user or user group,<br />
see “Configuring users or user groups” on page 5-3. To modify an<br />
existing user or user group, highlight the entry you want to modify<br />
and click Modify.<br />
Tip: You may find it more convenient to create user groups before creating<br />
individual user accounts. That way, as you set up your user accounts, you will be able<br />
to assign them to a group at the same time.
Modify the members of a user group—To modify the members in a<br />
user group, highlight the user group and click Members. See<br />
“Managing user group membership” on page 5-8 for details.<br />
Delete a user or user group—To delete a user or user group, highlight<br />
the entry you want to delete and click Delete. You will be<br />
prompted to confirm this action.<br />
Note: You can select multiple entries by pressing the Shift key while you select<br />
entries. To select several non-consecutive entries, press the Ctrl key as you select the<br />
desired entries.<br />
Configuring users or user groups<br />
To create or modify a user or user group, follow the steps below.<br />
1. Using the Admin Console, select Policy Configuration -> Rule Elements<br />
-> Users & User Groups. The Users and User Groups window appears.<br />
2. In the Show drop-down list, select one of the following options and<br />
then click New:<br />
(To edit a user or user group, highlight the entry you want to modify<br />
and click Modify. You can also double-click the entry.)<br />
All—Select this option to display both users and groups. If you<br />
select this option, when you click New the Create User or Group<br />
Object window appears. See “About the Create New User or Group<br />
Object window” on page 5-4.<br />
Groups—Select this option to display only user groups. If you<br />
select this option, when you click New the New Group Object<br />
window appears. See “Configuring a new group using the New<br />
Group Object window” on page 5-5.<br />
Users—Select this option to display only users. If you select this<br />
option, when you click New the New User Object window appears.<br />
See “Configuring individual user accounts using the New User<br />
Object window” on page 5-6.<br />
Note: To delete an entry, select that entry by clicking on it, and then click Delete.<br />
You are prompted to verify your action—click Yes to delete the entry or click No to<br />
cancel the action.<br />
Figure 5-2. Create New User or Group Object window<br />
About the Create New User or Group Object window<br />
This window allows you to select whether you want to create a user<br />
or user group.<br />
1. Select one of the following options in the Create field:<br />
New User—Select this option to create a new user.<br />
New Group—Select this option to create a new user group.<br />
2. (New User only) If you want to create a new user account using the<br />
information contained in an existing user account, select the Copy from<br />
existing user option and then select the user account that you want to<br />
copy.<br />
This option will copy the following information fields from the existing<br />
user’s account: Organization, User Fields 1–4, and Group Membership<br />
information. You will still need to enter information for the following<br />
fields: Username, Description, Employee ID, and Password, as these fields<br />
contain information specific to each individual user.<br />
3. Click OK.<br />
If you are creating a new user group, the New Group Object<br />
window appears. See “Configuring a new group using the New<br />
Group Object window” on page 5-5.<br />
If you are creating a new user, the New User Object window<br />
appears. See “Configuring individual user accounts using the New<br />
User Object window” on page 5-6.
Configuring a new group using the New Group Object window<br />
The New Group Object window contains two tabs:<br />
Group Information—This tab is used to define the name of a new<br />
group. Follow the steps below.<br />
Group Membership Information—This is an optional tab that enables<br />
you to make this group a member of one or more other groups<br />
(called a “nested group”). See “About the Group Membership tab”<br />
on page 5-8 for details.<br />
About the Group Information tab<br />
Note: You cannot edit the name of an existing group from this window. To change a<br />
group name you must delete the group, then add it back using the new name.<br />
1. In the Group Name field, type a name for this group. Valid values include<br />
alphanumeric characters, periods (.), dashes (-), underscores (_), and<br />
spaces ( ). However, the first and last character of the name must be<br />
alphanumeric. The name cannot exceed 100 characters.<br />
2. [Optional] In the Comments field, type any additional information about<br />
the user group.<br />
3. [Optional] If you want to add or remove this group as a member of<br />
another group, click the Group Membership Information tab and follow<br />
the steps below. If not, click OK.<br />
About the Group Membership Information tab<br />
The Group Membership Information tab enables you to make this group<br />
a member of one or more other groups (called a “nested group”).<br />
1. To add the group that is being created (or modified) as a member of<br />
one or more other groups, click on an existing group in the Available<br />
Groups list to select it, and then click the ==>> button.<br />
Note: You can move multiple groups simultaneously by pressing the Shift key as<br />
you select groups. To select multiple non-consecutive groups, press the Ctrl key and then<br />
click the desired entries.<br />
2. To remove the group from one or more groups, select the group in the<br />
Member of Groups list to select it, and then click the
Configuring individual user accounts using the New User Object<br />
window<br />
The New User Object window contains three tabs:<br />
Tip: You may find it more convenient to create user groups before creating individual<br />
user accounts. That way, as you set up your user accounts you will be able to assign them<br />
to a group at the same time.<br />
When you create a new user account or modify an existing user<br />
account, the User Information window appears. This window contains<br />
three tabs that are used to enter information about a user.<br />
Figure 5-3. User Information window<br />
About the User Information tab<br />
The User Information tab is used to enter descriptive information<br />
about a user. Follow the steps below.<br />
1. In the Username field, type the name the user will enter when he or she<br />
requests a connection that requires authentication. This entry can<br />
consist of up to 16 alphanumeric characters (upper or lower case) but<br />
must start with an alphabetic character. Apostrophes are not allowed<br />
(for example, O’Hare).<br />
2. [Optional] In the Description field, type any information about the user<br />
that may be helpful.<br />
3. [Optional] In the Employee ID field, type an employee ID number, if<br />
applicable.
4. [Optional] In the Organization field, type the organization that the user<br />
is associated with, if applicable.<br />
5. [Optional] In the four User Fields, enter any additional information that<br />
your organization requires. For example, if you will be generating<br />
chargeback reports for authenticated FTP, Telnet, or Web connections,<br />
you might enter account numbers in these fields.<br />
Note: You cannot modify the field names.<br />
6. Select the User Password tab and see “About the User Password tab”<br />
below to define password information for this user.<br />
The User Password tab is used to enter password information for a<br />
user. Follow the steps below.<br />
1. In the Password area, select how the user’s password will be displayed:<br />
Clear Text—This option displays the actual password in the text<br />
box as the user types it in the field.<br />
Encrypted—This option displays the encrypted version of the clear<br />
text password you have entered. (The encrypted version is used for<br />
display purposes only; choose it when the password should not be<br />
readable on screen.)<br />
2. Create the user’s password using one <strong>of</strong> the following methods:<br />
Manually select—If you want to manually create a password that<br />
the user must type when requesting a connection that requires<br />
authentication, click in the text box and type a password. The<br />
password must not exceed 64 characters.<br />
Generate Password—If you want the Sidewinder G2 to<br />
automatically create a password, click Generate Password. The<br />
generated password is the one the user must type when he or she<br />
requests a connection that requires authentication.<br />
3. If you want the user’s password to expire so they are required to change<br />
it, do the following:<br />
a. Click Expire Password. A confirmation window appears.<br />
b. Click Yes. The Expire Password button changes to a Reinstate<br />
Password button.<br />
c. Click OK and then click the Save icon to save your changes. If the<br />
user’s password is expired, the password will appear in the Password<br />
field with the word EXPIRED prepended to the password.<br />
Note: If you need to re-instate a user’s expired password, click Reinstate Password,<br />
click OK, and then click the Save icon in the toolbar.<br />
About the Group Membership tab<br />
4. To delete a user’s password account from the database, click Discard<br />
Password Info. For example, this can be used if you are changing a user’s<br />
authentication method from password to SafeWord and need to<br />
remove the previous password information.<br />
5. Select the Group Membership tab and see “About the Group<br />
Membership tab” below to define group information for this user.<br />
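As an added example, not code from this guide or from Secure Computing, the following Python shows what a Generate Password action like the one described above should do (draw from a cryptographic random source rather than a general-purpose one) and applies the one rule the page states for manual passwords, a 64-character maximum. The character set, the default length and the requirement for mixed character classes are assumptions.<br />

```python
"""Generate and check user passwords for a password-authenticated account.

Added example, not the Sidewinder G2's own generator. MAX_LEN is the limit
the guide gives for manually entered passwords; ALPHABET, the default
length and the character-class requirement are assumptions.
"""
import math
import secrets
import string

MAX_LEN = 64                                                 # stated limit
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"  # assumed set; no quotes or shell metacharacters


def check_password(pw):
    """Return None if `pw` is acceptable, otherwise a short reason string."""
    if not pw:
        return "empty"
    if len(pw) > MAX_LEN:
        return "longer than %d characters" % MAX_LEN
    bad = {c for c in pw if c not in ALPHABET}
    if bad:
        return "disallowed characters: %s" % "".join(sorted(bad))
    return None


def generate_password(length=20):
    """Draw `length` characters uniformly from ALPHABET using the secrets CSPRNG.

    Rejection sampling keeps the draw unbiased while guaranteeing at least one
    lower-case letter, one upper-case letter and one digit.
    """
    if not 3 <= length <= MAX_LEN:
        raise ValueError("length must be between 3 and %d" % MAX_LEN)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on the entropy of a uniformly drawn password of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw), "%.0f bits" % entropy_bits(len(pw)))
```

A 20-character draw from this 71-symbol alphabet carries roughly 123 bits, far beyond what an attacker can guess against an authentication prompt; the check function is what a manual entry should be run through before it is saved.<br />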
The Group Membership tab is used to assign the user to one or more<br />
existing groups. (For information on setting up a user group, see<br />
“Configuring users or user groups” on page 5-3.)<br />
1. To add the user to a group, select a group in the Available Groups list<br />
and then click the ==>> button.<br />
2. To remove the user from a group, click on a group in the Group<br />
Membership list and then click the &lt;&lt;== button.<br />
To view or change the members of an existing group, follow the steps below.<br />
1. In the Admin Console, select Policy Configuration -> Rule Elements -><br />
Users & User Groups. The Group Information window appears.<br />
2. In the Show drop-down list, select Groups.<br />
3. Highlight a group name to select it, and then click the Members button<br />
in the lower portion of the window. The User Group Membership<br />
window appears.
Figure 5-4. User Group Membership window<br />
About the User Group Membership window<br />
This window displays the users and groups that are members of the<br />
selected group. You can perform the following actions from this<br />
window:<br />
Select a group to modify—In the Group Name drop-down list, select<br />
the group for which you want to add or remove members.<br />
Determine which users and groups are displayed—To display only<br />
users, only groups, or both users and groups (all), select the<br />
appropriate item from either Show drop-down list. To further filter<br />
the list, in the Match field enter alphabetic characters for which you<br />
want to filter. For example, if you type br in the text box, only<br />
entries that begin with “br” appear in the list.<br />
Note: The Match field is case sensitive.<br />
Add or remove users as members of the selected group—To add a user<br />
or group to this group, select an entry in the Available Users and<br />
Groups list and then click the ==>> button. To remove a user or group from<br />
this group, select it in the Current Group Members list and then<br />
click the &lt;&lt;== button.
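Because the window above lets a group contain other groups as well as users, the users a rule that names a group will actually match are the transitive membership, not just the entries shown in the Current Group Members list. As an added example, not from the guide or from Secure Computing (the group and user names are constructed, and whether the Sidewinder G2 itself permits a membership cycle is not stated on the page), this Python resolves effective membership and flags cycles:<br />

```python
"""Resolve effective membership of nested user groups.

Added example, not Sidewinder G2 code. GROUPS is constructed sample data:
each group lists its direct members, which may be users ("u:" prefix) or
other groups ("g:" prefix), as the User Group Membership window allows.
"""
from collections import deque

GROUPS = {
    "g:staff":       ["u:alice", "u:bob", "g:contractors"],
    "g:contractors": ["u:carol", "g:vendors"],
    "g:vendors":     ["u:dave"],
    "g:admins":      ["u:alice", "g:staff"],
    # Deliberate cycle: loop-a contains loop-b, which contains loop-a.
    "g:loop-a":      ["u:erin", "g:loop-b"],
    "g:loop-b":      ["g:loop-a"],
}


def effective_users(group, groups=GROUPS):
    """Return the set of users reachable from `group` through nested groups.

    A breadth-first walk with a visited set terminates even when the
    membership graph contains a cycle. Membership is expanded transitively,
    so a user listed in a nested group counts as a member of the outer one.
    """
    seen = set()
    users = set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member.startswith("u:"):
                users.add(member)
            elif member not in seen:
                queue.append(member)
    return users


def groups_containing(user, groups=GROUPS):
    """Return every group, direct or nested, whose effective membership includes `user`."""
    return {g for g in groups if user in effective_users(g, groups)}


def has_cycle(groups=GROUPS):
    """Detect group-in-group cycles with a depth-first white/grey/black colouring."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in groups}

    def visit(g):
        colour[g] = GREY
        for member in groups.get(g, ()):
            if not member.startswith("g:"):
                continue
            state = colour.get(member, WHITE)
            if state == GREY:
                return True          # back edge to a group still on the stack
            if state == WHITE and visit(member):
                return True
        colour[g] = BLACK
        return False

    return any(colour[g] == WHITE and visit(g) for g in list(groups))


if __name__ == "__main__":
    for g in ("g:admins", "g:staff", "g:loop-a"):
        print(g, "->", sorted(effective_users(g)))
    print("alice is in:", sorted(groups_containing("u:alice")))
    print("cycle present:", has_cycle())
```

The two functions are the review questions to ask before a rule names a group: who does this group really resolve to, and which groups does this one user end up in through nesting.<br />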
Creating network objects<br />
Figure 5-5. Network Objects window<br />
A network object can be an IP address, a host, a network domain, a<br />
netmap, a subnet, or a netgroup. When you create rules to allow or<br />
deny a connection to or through the Sidewinder G2, you must specify<br />
a network object as the source or destination of the connection. The<br />
following sections provide information on creating each type of<br />
network object. For basic information on network objects, see<br />
“Network objects” on page 4-9.<br />
Displaying network objects and netgroups<br />
To display the network objects and netgroups currently set up in the<br />
Sidewinder G2, using the Admin Console, select<br />
Policy Configuration -> Rule Elements -> Network Objects. The following<br />
window appears.<br />
About the Network Objects window<br />
This window lists the network objects currently configured on the<br />
Sidewinder G2. You can perform the following actions in this<br />
window:<br />
Filter the list <strong>of</strong> network objects—To modify the list that is displayed,<br />
select an object type from the Filter drop-down list. The list will<br />
then display only network objects <strong>of</strong> that type.<br />
Configure a new network object—To configure a new object, click<br />
New. The New Network Object window appears. See “About the<br />
New Network Object window” on page 5-12.
Figure 5-6. New Network Object window<br />
Modify an existing network object—To modify an existing network<br />
object, highlight the appropriate item within the list and click<br />
Modify. For information on modifying specific fields, refer to the<br />
following sub-sections.<br />
Delete an existing network object—To delete a network object,<br />
highlight the item you want to delete in the list and then click<br />
Delete.<br />
Add or remove a network object from a netgroup—To add or remove a<br />
network object from one or more netgroups, highlight the network<br />
object and click the Groups Object In button in the lower portion<br />
of the window. See “Managing the groups to which a network<br />
object belongs” on page 5-20.<br />
View the areas that are currently using a particular network object—To<br />
view the areas (netgroup, netmap, proxy rule) that are currently<br />
using a particular network object, highlight the network object and<br />
click the Object Usage button in the lower portion <strong>of</strong> the window.<br />
Click Close to exit the Object Usage window.<br />
Note: You cannot modify the information in the Object Usage window.<br />
About the New Network Object window<br />
Figure 5-7. Network Objects: Domain window<br />
In the Type drop-down list, select the type of object you want to<br />
create. The following options are available:<br />
Note: The fields that appear will vary depending on the type of object you select.<br />
Domain—For information on configuring a domain object, see<br />
“Configuring domain objects” on page 5-12.<br />
Host—For information on configuring a host object, see<br />
“Configuring host objects” on page 5-13.<br />
IP Address—For information on configuring an IP address object,<br />
see “Configuring IP address objects” on page 5-15.<br />
Netmap—For information on configuring a netmap object, see<br />
“Configuring netmaps” on page 5-16.<br />
Subnet—For information on configuring a subnet object, see<br />
“Configuring subnet objects” on page 5-17.<br />
Netgroup—For information on configuring a netgroup object, see<br />
“Configuring netgroup object” on page 5-18.<br />
Configuring domain objects<br />
When you add a new domain using the Admin Console, the following<br />
window appears.
Entering domain information<br />
Figure 5-8. Host network object window<br />
This window is used to define information about a domain. Each<br />
domain you define becomes a network object that can be used in a<br />
rule. Follow the steps below.<br />
1. In the Name field, type a name for this domain object (for example,<br />
“bizco”). (This field cannot be edited if you are modifying an existing<br />
domain object.) Valid values include alphanumeric characters, periods (.),<br />
dashes (-), underscores (_), and spaces ( ). However, the first and last<br />
character of the name must be alphanumeric. The name cannot exceed<br />
100 characters.<br />
2. [Optional] In the Description field, enter any useful information for this<br />
domain object.<br />
3. In the Domain field, enter the domain to use for this object (for example,<br />
“bizco.net”).<br />
4. Click Add to add the domain object. (If you are modifying an existing<br />
domain object, click OK.)<br />
Configuring host objects<br />
When you add a new host, a window similar to the following appears:<br />
Entering host information<br />
This window is used to define information about a host. Each host<br />
you define becomes a network object that can be used in a rule.<br />
Follow the steps below.<br />
1. In the Name field, type a name for the host object. (This field cannot be edited if<br />
you are modifying an existing host.) Valid values include alphanumeric<br />
characters, periods (.), dashes (-), underscores (_), and spaces ( ).<br />
However, the first and last character of the name must be alphanumeric.<br />
The name cannot exceed 100 characters.<br />
2. [Optional] In the Description field, enter any useful information about<br />
this host.<br />
3. In the Host field, enter the hostname for this host object (for example,<br />
mail.bizco.net).<br />
4. In the DNS drop-down list, determine whether this host will use DNS:<br />
DNS—Select this option to perform normal DNS look-ups.<br />
No DNS—Select this option if you do not want to perform DNS<br />
lookups for this host.<br />
5. If you selected DNS in the previous step, and you need to override the<br />
DNS time-to-live value, do the following:<br />
Note: Overriding the default DNS time-to-live value is not recommended.<br />
a. Select the Override TTL check box.<br />
b. Specify a time value in the first text field.<br />
c. Specify the appropriate time increment in the drop-down list.<br />
For example, if you wanted the DNS time-to-live value to be 30 minutes<br />
you would type 30 in the text field and select minutes from the dropdown<br />
list.<br />
6. To configure the IP address list for a host, do one of the following:<br />
To add a new IP address, click New and refer to “Managing host IP<br />
addresses” on page 5-14.<br />
To modify an existing IP address, highlight the IP address and click<br />
Modify and refer to “Managing host IP addresses” on page 5-14.<br />
To delete an IP address, highlight an entry and click Delete.<br />
7. Click Add to add the host information. (If you are modifying an existing<br />
host object, click OK.)<br />
Managing host IP addresses<br />
The IP Addresses window allows you to add an IP address for this<br />
host. When you add IP addresses, if the host name is not known to<br />
DNS, it can be identified here. To assign a new IP address to this host<br />
or modify an existing IP address, follow the steps below.
Figure 5-9. IP Address network object window<br />
Entering IP address information<br />
1. In the Host IP Address field, type the host IP address associated with that<br />
host. The IP address must be entered using standard dotted quad<br />
notation (for example, 1.2.3.4).<br />
2. Click Add, and then click Close.<br />
Note: A host IP address should only be specified if it cannot be derived dynamically<br />
from DNS.<br />
Configuring IP address objects<br />
When you add a new IP address, a window similar to the following<br />
appears.<br />
This window is used to define information about an IP address. Each<br />
IP address you define becomes a network object that can be used in a<br />
rule. Follow the steps below.<br />
1. In the Name field, enter a name for this object. (This field cannot be<br />
edited if you are modifying an existing IP address.) Valid values include<br />
alphanumeric characters, periods (.), dashes (-), underscores (_), and<br />
spaces ( ). However, the first and last character of the name must be<br />
alphanumeric. The name cannot exceed 100 characters.<br />
2. [Optional] In the Description field, enter any useful information about<br />
this IP address object.<br />
3. In the IP Address field, type the value <strong>of</strong> the IP address.<br />
Figure 5-10. Network Object: Netmap window<br />
Creating/modifying a netmap entry<br />
4. Click Add to add the IP address information. (If you are modifying an<br />
existing IP address object, click OK.)<br />
Configuring netmaps<br />
Netmap objects allow you to map multiple IP addresses and subnets<br />
to alternate addresses without creating numerous rules. A netmap<br />
consists of one or more netmap members. A netmap member is any<br />
IP address or subnet that you add to a particular netmap. Each<br />
member in the netmap is mapped to an alternate address that you<br />
specify. For more information about netmaps, see “Rule elements” on<br />
page 4-6.<br />
To create a netmap, in the New Network Object window, select<br />
Netmap in the Type drop-down list. A window similar to the following<br />
appears.<br />
This window is used to create or modify a netmap. Each netmap you<br />
define becomes a network object that can be used in a rule. Follow<br />
the steps below.<br />
1. In the Name field, type the name of the new netmap. (This field cannot<br />
be edited if you are modifying an existing netmap.) Valid values include<br />
alphanumeric characters, periods (.), dashes (-), and underscores (_)<br />
(spaces are not listed as valid for netmap names). The first and last<br />
character of the name must be alphanumeric. The name cannot<br />
exceed 100 characters.<br />
2. [Optional] In the Description field, enter any useful information for this netmap.
3. To create a new netmap member, click New. The Netmap Members<br />
window appears. See “About the Netmap Members window” below.<br />
Once you add netmap members, you can sort them in the table by<br />
clicking on the column name that you want to sort. For example, if you<br />
want to sort the table by type, click the Type column heading. All of the<br />
entries in the table will be sorted by type and will appear in<br />
alphanumeric order. If you click the heading a second time, the table<br />
will be sorted by type in the reverse alphanumeric order.<br />
4. Click Add to add the netmap information. (If you are modifying an<br />
existing netmap, click OK.)<br />
About the Netmap Members window<br />
The Netmap Members window allows you to map an IP address or<br />
subnet address to an alternate address within a netmap. Follow the<br />
steps below.<br />
1. In the drop-down list that appears, select one of the following:<br />
IP Address—Select this option if you want an internal IP<br />
address to be translated to a different IP address.<br />
Subnet—Select this option if you want a subnet address to<br />
be translated to a different subnet address.<br />
2. In the Original list, select the IP address or subnet that you want to map<br />
to a different address.<br />
3. In the Mapped list, select the IP address or subnet to which the original<br />
entry (that you selected in the previous step) will be mapped.<br />
4. Click Add.<br />
Configuring subnet objects<br />
When you add a subnet, the following window appears.<br />
Figure 5-11. Subnet network object window<br />
Entering subnet information<br />
This window is used to define information about a subnet. Each<br />
subnet you define becomes a network object that can be used in a<br />
rule.<br />
1. In the Name field, type a name for this object. (This field cannot be<br />
edited if you are modifying an existing subnet.) Valid values include<br />
alphanumeric characters, periods (.), dashes (-), underscores (_), and<br />
spaces ( ). However, the first and last character of the name must be<br />
alphanumeric. The name cannot exceed 100 characters.<br />
2. In the Description field, type any useful information about the object.<br />
3. In the Subnet field, enter the following information:<br />
In the Subnet text field, type the subnet address. You must enter a<br />
valid IP address containing four distinct fields separated by periods<br />
(for example, 1.2.3.4).<br />
In the numeric text box following the subnet field, enter the<br />
number of significant bits for the subnet address (the prefix length).<br />
You must enter an integer value in the range 0–32. For example, if you<br />
enter 16, only the first 16 bits of the address are compared, so 1.2.3.4<br />
with 16 significant bits matches every address in 1.2.0.0/16. A value<br />
of 0 leaves no significant bits and therefore matches any IPv4 address;<br />
a value of 32 matches the single address only.<br />
4. Click Add to add the subnet object. (If you are modifying an existing<br />
subnet, click OK.)<br />
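Subnet objects and netmap members are easiest to reason about with a small worked example. The following Python is added here and is not Sidewinder G2 code; the sample netmap and addresses are constructed. It builds subnet objects from the address-plus-significant-bits form described above, shows the two edge cases (host bits in the entered address are ignored, and 0 significant bits matches any address), and translates addresses through a netmap of IP-address and subnet members. That a subnet member preserves each host's offset in the mapped subnet, and that the longest matching prefix wins when members overlap, are assumptions rather than behaviour the guide states.<br />

```python
"""Subnet objects and netmap members, worked through with the ipaddress module.

Added example, not Sidewinder G2 code. The offset-preserving subnet mapping
and longest-prefix precedence are assumptions about netmap semantics.
"""
import ipaddress


def subnet_object(address, significant_bits):
    """Build the network a subnet object denotes from the two fields in the window.

    strict=False mirrors "only the first N bits are important": host bits
    present in `address` are masked off rather than rejected.
    """
    if not 0 <= significant_bits <= 32:
        raise ValueError("significant bits must be in the range 0-32")
    return ipaddress.ip_network("%s/%d" % (address, significant_bits), strict=False)


def matches(subnet, address):
    """True if `address` falls inside the subnet object."""
    return ipaddress.ip_address(address) in subnet


def translate(netmap, address):
    """Translate `address` through a netmap; return None if no member matches.

    `netmap` is a list of (original, mapped) pairs, each either two IPv4
    addresses (an IP Address member) or two networks (a Subnet member). An
    exact host member wins over any subnet member; among subnet members the
    longest prefix wins (assumption).
    """
    addr = ipaddress.ip_address(address)
    best = None
    for original, mapped in netmap:
        if isinstance(original, ipaddress.IPv4Address):
            if addr == original:
                return mapped
        elif addr in original:
            if best is None or original.prefixlen > best[0].prefixlen:
                best = (original, mapped)
    if best is None:
        return None
    original, mapped = best
    if mapped.prefixlen != original.prefixlen:
        raise ValueError("a subnet member must map to a subnet of the same size")
    offset = int(addr) - int(original.network_address)   # keep the host part
    return ipaddress.ip_address(int(mapped.network_address) + offset)


# Constructed sample netmap: two overlapping subnet members and one host member.
NETMAP = [
    (subnet_object("10.1.2.3", 16), subnet_object("172.16.0.0", 16)),    # host bits ignored
    (subnet_object("10.1.50.0", 24), subnet_object("172.17.50.0", 24)),  # more specific
    (ipaddress.ip_address("10.1.2.3"), ipaddress.ip_address("192.0.2.3")),
]

if __name__ == "__main__":
    print(subnet_object("1.2.3.4", 16))                         # 1.2.0.0/16
    print(matches(subnet_object("0.0.0.0", 0), "203.0.113.9"))  # True: 0 bits matches anything
    for a in ("10.1.2.3", "10.1.2.4", "10.1.50.7", "10.2.0.1"):
        print(a, "->", translate(NETMAP, a))
```

The first print shows why an entry like 1.2.3.4 with 16 significant bits should be read as 1.2.0.0/16 when reviewing a rule, and the 0-bit case is the one to look for when a subnet object unexpectedly matches every source.<br />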
Configuring netgroup object<br />
Tip: You may find it more convenient to create all <strong>of</strong> your network objects before defining<br />
your netgroup objects. That way, as you set up your netgroup objects, you will be able to<br />
immediately assign the desired network objects to the group.
Figure 5-12. Network Object: netgroup window<br />
Entering netgroup information<br />
When you add a new netgroup object, the following window appears.<br />
This window is used to define information about a netgroup. Each<br />
group you define becomes a network object that can be used in a<br />
rule. Follow the steps below.<br />
1. In the Name field, type the name of the new netgroup. The name will be<br />
used by rules to identify the netgroup when you set up Sidewinder G2<br />
connections. (This field cannot be edited if you are modifying an<br />
existing group.) Valid values include alphanumeric characters, periods<br />
(.), dashes (-), underscores (_), and spaces ( ). However, the first and<br />
last character of the name must be alphanumeric. The name cannot<br />
exceed 100 characters.<br />
2. [Optional] In the Description field, enter any useful information about<br />
this group.<br />
3. To add a member to this netgroup, highlight the member in the<br />
Available Members list that you want to add, and then click the ==>><br />
button to move it to the Chosen Members list. To remove a network<br />
object from this netgroup, highlight the object in the Chosen Members<br />
list, and then click the &lt;&lt;== button.
Figure 5-13. Group Membership window<br />
About the Group Membership window<br />
4. Click Add to add the netgroup. (If you are modifying an existing<br />
netgroup, click OK.)<br />
Managing netgroup membership<br />
You can manage netgroup membership in two ways:<br />
To configure the members of a particular group, select Netgroup in<br />
the Filter drop-down list of the Network Objects window, and highlight<br />
the group you want to configure. Then click Modify and refer to<br />
“Configuring netgroup object” on page 5-18 for detailed<br />
instructions.<br />
To configure the groups of which a particular network object is a<br />
member, see “Managing the groups to which a network object<br />
belongs” on page 5-20.<br />
Managing the groups to which a network object belongs<br />
To determine which groups a network object belongs to, select the<br />
network object you want to configure in the Network Objects<br />
window, and then click Groups Object In. The Group Membership<br />
window appears.<br />
This window allows you to configure the groups to which a particular<br />
network object belongs. The Available list displays all the available<br />
groups. The Selected list displays the groups to which the object<br />
currently belongs. To add/remove the network object to/from a<br />
particular group, do the following:<br />
To add this network object to another group, select the group in<br />
the Available list and then click the ==>> button to move the group<br />
to the Selected list.
To remove this network object from a group, select the group in the<br />
Selected list and then click the &lt;&lt;== button.<br />
Creating service groups<br />
Figure 5-14. Service Groups window<br />
About the Service Groups window<br />
To display service groups, in the Admin Console select<br />
Policy Configuration -> Rule Elements -> Service Groups. The<br />
following window appears:<br />
This window allows you to view information for individual service<br />
groups. The Service Group Name list contains all currently defined<br />
service groups.<br />
To view information for a particular service group, highlight the<br />
service group and the information will appear in the right-hand<br />
portion <strong>of</strong> the window. To add a new service group, follow the steps<br />
below.<br />
1. To create a new service group, click New. The New Service Group<br />
window appears. (To modify a service group, highlight the service<br />
group name in the Service Group Name list and proceed to step 3.)<br />
Note: To delete a service group, highlight the service group and click Delete.<br />
2. Type a name for the service group in the New Service Group field and<br />
click Add. The service group is added to the list of service groups in the<br />
main Service Groups window. Valid values include alphanumeric<br />
characters, periods (.), dashes (-), underscores (_), and spaces ( ).<br />
However, the first and last character of the name must be alphanumeric.<br />
The name cannot exceed 100 characters.<br />
3. Determine which proxies you want to assign to the selected service<br />
group. The proxies currently assigned to the selected service group are<br />
listed in the Selected Proxies list. The proxies that are available on the<br />
Sidewinder G2 are listed in the Available Proxies list.<br />
To add a proxy to the Selected Proxies list, click on a proxy name in<br />
the Available Proxies list, and then click the ==>> button.<br />
To remove a proxy from the Selected Proxies list, click on a proxy<br />
name, and then click the &lt;&lt;== button.<br />
To remove a server from the Selected Servers list, click on a server<br />
name, and then click the &lt;&lt;== button.
CHAPTER 6<br />
Configuring Application Defenses<br />
About this chapter<br />
This is a task-oriented chapter that provides instructions for creating<br />
Application Defenses. For an overview of Application Defenses and<br />
how they are used in rules, see Chapter 4.<br />
This chapter covers the following topics:<br />
“Viewing Application Defense information” on page 6-1<br />
“Creating Web or Secure Web Application Defenses” on page 6-4<br />
“Creating Web Cache Application Defenses” on page 6-19<br />
“Creating Mail Application Defenses” on page 6-21<br />
“Creating Citrix Application Defenses” on page 6-31<br />
“Creating FTP Application Defenses” on page 6-33<br />
“Creating IIOP Application Defenses” on page 6-34<br />
“Creating Multimedia Application Defenses” on page 6-36<br />
“Creating Oracle Application Defenses” on page 6-38<br />
“Creating SOCKS Application Defenses” on page 6-41<br />
“Creating SNMP Application Defenses” on page 6-42<br />
“Creating Standard Application Defenses” on page 6-45<br />
“Configuring Application Defense groups” on page 6-46<br />
“Configuring connection properties” on page 6-48<br />
Viewing Application Defense information<br />
To view the Application Defenses windows, in the Admin Console<br />
select Policy Configuration -> Application Defenses -> Defenses and then<br />
select the type of Application Defense you want to view from the tree.<br />
A window similar to the following appears.<br />
Figure 6-1. Application Defenses window (Web)<br />
Overview of the Application Defense windows<br />
The top portion of each Application Defense window consists of a<br />
table that lists all of the Application Defenses (by row) that are<br />
currently configured for a particular category. The table columns<br />
display the individual attributes for the defenses. Basic default<br />
defenses (such as Default and Deny All) are pre-configured for each<br />
category of Application Defense.<br />
Note: The Application Defenses that are displayed in the table will vary depending on the<br />
defense category you select from the tree.<br />
You can perform the following actions in any <strong>of</strong> the Application<br />
Defense windows:<br />
Create/modify/delete an Application Defense—To create a new<br />
Application Defense, click New in the upper portion of the<br />
window. To create a new Application Defense based on an<br />
existing defense, select the defense that you want to duplicate, and<br />
then click Duplicate. You can then modify the duplicate as needed.<br />
See “About the New/Duplicate Application Defense window” on<br />
page 6-4.<br />
To modify an existing Application Defense, select the defense that<br />
you want to modify from the table. The configuration information<br />
is displayed in the bottom portion <strong>of</strong> the window. To modify the<br />
Application Defense in a pop-up window format, click Modify.
For information on configuring a specific Application Defense, see<br />
the following:<br />
— Web/Secure Web (page 6-4)<br />
— Web Cache (page 6-19)<br />
— Mail (page 6-21)<br />
— Citrix (page 6-31)<br />
— FTP (page 6-33)<br />
— IIOP (page 6-34)<br />
— Multimedia (page 6-35)<br />
— Oracle (page 6-38)<br />
— SOCKS (page 6-41)<br />
— SNMP (page 6-42)<br />
— Standard (page 6-45)<br />
Note: For information on configuring Application Defense groups, see “Configuring<br />
Application Defense groups” on page 6-46.<br />
To delete an Application Defense, select the Application Defense<br />
that you want to delete, and click Delete. You will be prompted to<br />
confirm your decision.<br />
Note: You cannot delete an Application Defense if it is being used in a proxy rule. If<br />
the Application Defense is used in a rule, a pop-up window will appear informing you<br />
which rules are currently using this defense. Before you can delete the defense, you<br />
will need to modify each <strong>of</strong> the rules to remove the specified defense from those rules.<br />
View the rules in which an Application Defense/Group is currently used—<br />
To view the rules or rule groups that currently use a particular<br />
Application Defense (or group), highlight the appropriate defense<br />
(or group) and click Usage. A pop-up window appears listing the<br />
rule names that are currently using the specified defense. Click<br />
Close when you are finished viewing the rule list.<br />
The bottom portion <strong>of</strong> each window (or pop-up, if you clicked<br />
Modify) displays the actual configuration information for the selected<br />
Application Defense. The information will vary depending on the<br />
Application Defense category you select. The following fields remain<br />
constant among all Application Defense windows:<br />
Name—This field contains the name of the Application Defense<br />
that you are viewing. This field cannot be modified. If you need to<br />
rename an Application Defense, create a duplicate defense with the<br />
desired name, and then delete the existing Application Defense.<br />
[Web/Secure Web only] Type—This field allows you to specify<br />
whether a defense will be used to protect a server, client, or both.<br />
For more information about the Type field, see “Creating Web or<br />
Secure Web Application Defenses” on page 6-4.<br />
Description—This field allows you to provide information about the<br />
Application Defense to help you more easily identify it.<br />
About the New/Duplicate Application Defense window<br />
When you click New or Duplicate in the Application Defense window,<br />
the New/Duplicate Application Defense window appears. This<br />
window allows you to specify a name for the Application Defense. If<br />
you are creating a Web or Secure Web Application Defense, the Type<br />
(whether the defense protects a client, a server, or both) is also set<br />
here. You cannot modify the Type field when creating a duplicate<br />
defense. Click OK.<br />
When you click OK, the Application Defense is added to the table and<br />
the properties for that defense are displayed in the lower portion of<br />
the window. To configure the new Application Defense, either use the<br />
lower portion of the window, or click Modify to configure the<br />
properties within a pop-up window. The remaining sections in this<br />
chapter provide information for configuring each Application Defense<br />
category.<br />
Creating Web or Secure Web Application Defenses<br />
The Web/Secure Web Application Defenses allow you to configure<br />
advanced parameters for Web (HTTP) or Secure Web (HTTPS and<br />
SSO) proxy rules. To create Web or Secure Web Application Defenses,<br />
in the Admin Console select Policy Configuration -> Application Defenses<br />
-> Defenses and then select Web or Secure Web respectively. One of the<br />
following windows appears. (Figure 6-2 displays only the bottom<br />
portion of the windows.)<br />
Figure 6-2. Application Defense: Web and Secure Web<br />
Configuring the Web/Secure Web Enforcements tab<br />
The Enforcements tab allows you to select the feature enforcement<br />
tabs that you want to make available for configuration. If you are<br />
configuring a Secure Web Application Defense, you can also<br />
configure SSL decryption properties in the Enforcements tab.<br />
In the Type field, you can specify whether this defense will be used to<br />
protect a server, client, or both, as follows.<br />
Combined—[Web only] This option allows you to create an<br />
Application Defense that can protect both a Web client (outbound)<br />
and a Web server (inbound) behind the Sidewinder G2. When you<br />
select this option, all of the configuration options for this defense<br />
will appear. However, some of the options that you configure will<br />
only apply to the client or server. (For example, HTTP Request<br />
properties do not apply to the client. Therefore, if you select<br />
Combined, HTTP Request properties that you configure will only<br />
apply to the server.)<br />
Client—This option allows you to create an Application Defense<br />
that protects a client behind the Sidewinder G2. Options that do<br />
not apply for client protection (such as HTTP Requests) will not be<br />
available for configuration.<br />
Server—This option allows you to create an Application Defense<br />
that protects a server behind the Sidewinder G2. Options that do<br />
not apply for server protection (such as Content Control options<br />
other than SOAP) will not be available for configuration.<br />
Configuring Application Defenses 6-5
Enabling Web/Secure Web configuration tabs<br />
To enable (or disable) feature enforcement tabs for Web/Secure Web,<br />
you must first select the appropriate check box in the Enforcements<br />
tab. When you select the check box for a feature, that tab becomes<br />
enabled.<br />
Note: The Connection tab does not need to be enabled before you can configure it.<br />
The following tabs can be enabled:<br />
Note: If you are configuring a Secure Web defense, you will need to select the Decrypt<br />
Web Traffic check box before you can enable tabs. See “Configuring SSL decryption<br />
properties [Secure Web server only]” on page 6-7.<br />
— URL Control—The URL Control tab allows you to configure<br />
filtering on the URL contained in the HTTP request. To enable<br />
URL filtering, select this check box. To configure URL filtering<br />
properties, select the URL Control tab and see “Configuring the<br />
Web/Secure Web URL Control tab” on page 6-8.<br />
— HTTP Request—The HTTP Request tab allows you to configure<br />
header filtering on HTTP requests. To enable HTTP header<br />
filtering for HTTP requests, select this check box. To configure<br />
HTTP header request properties, select the HTTP Request tab<br />
and see “Configuring the Web/Secure Web HTTP Request tab”<br />
on page 6-10.<br />
— HTTP Reply—The HTTP Reply tab allows you to configure<br />
header filtering on HTTP replies. To enable HTTP header<br />
filtering for HTTP replies, select this check box. To configure<br />
HTTP header reply properties, select the HTTP Reply tab and<br />
see “Configuring Web/Secure Web HTTP Reply tab” on page<br />
6-11.<br />
— MIME/Virus—The MIME/Virus tab allows you to configure<br />
MIME (Multipurpose Internet Mail Extensions) and anti-virus<br />
filtering, virus signature scanning, and infected file handling.<br />
To enable filtering for MIME/virus, select this check box. To<br />
configure MIME/virus properties, select the MIME/Virus tab<br />
and see “Configuring the Web/Secure Web MIME/Virus tab” on<br />
page 6-13.
— Content Control—The Content Control tab allows you to<br />
configure filtering for Web content types including ActiveX,<br />
Java, scripting languages, and SOAP. (For Secure Web, you can<br />
only configure SOAP filtering.) To enable content filtering,<br />
select this check box. To configure content control properties,<br />
select the Content Control tab and see “Configuring the Web/<br />
Secure Web Content Control tab” on page 6-17.<br />
Configuring SSL decryption properties [Secure Web server only]<br />
The <strong>Sidewinder</strong> <strong>G2</strong> can terminate and decrypt SSL at the firewall on a per<br />
rule basis, so that the Web enforcements described in this chapter (URL, header,<br />
MIME/virus and content filtering) can be applied to HTTPS traffic that would<br />
otherwise pass through uninspected. You can also use SSL decryption to allow<br />
clientless VPN connections for trusted remote users to provide secure access to<br />
the internal network. (For information on configuring clientless VPN services,<br />
see “Setting up clientless VPN access for trusted remote users” on page 12-8.)<br />
To utilize SSL decryption services on <strong>Sidewinder</strong> <strong>G2</strong>, you must have SSL<br />
Decryption and Strong Cryptography licensed on your <strong>Sidewinder</strong> <strong>G2</strong>. For<br />
licensing information, see “Activating the <strong>Sidewinder</strong> <strong>G2</strong> license” on page 3-19.<br />
Tip: To increase performance, you can also utilize a supported hardware accelerator<br />
board (such as Cavium) on your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: If you want to utilize SSL decryption using a hardware accelerator on your<br />
<strong>Sidewinder</strong> <strong>G2</strong> and you do not currently have a supported hardware accelerator board<br />
installed on your <strong>Sidewinder</strong> <strong>G2</strong>, contact Secure Computing Customer Service for<br />
assistance.<br />
To configure decryption properties for a Secure Web Application<br />
Defense, follow the steps below.<br />
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt Web<br />
Traffic option enabled must have redirection configured.<br />
1. To enable SSL decryption for an Application Defense, select the Decrypt<br />
Web Traffic check box.<br />
2. [Conditional] If you are configuring a Secure Web defense to allow<br />
clientless VPN sessions to access a Microsoft Exchange® Server, select<br />
the Rewrite Microsoft OWA HTTP check box. For details on configuring<br />
the <strong>Sidewinder</strong> <strong>G2</strong> to allow clientless VPN connections for trusted<br />
remote users, see “Setting up clientless VPN access for trusted remote<br />
users” on page 12-8.<br />
Figure 6-3. Web/Secure Web: URL Control tab<br />
3. Select the appropriate firewall certificate from the Firewall Certificate<br />
drop-down list. This is the certificate that is used to authenticate the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the remote HTTPS/SSL client. For information on<br />
configuring firewall certificates, see “Configuring Certificate<br />
Management” on page 13-27.<br />
4. Specify the SSL/TLS versions that will be accepted for secure Web<br />
connections. The following options are available:<br />
SSL2—When this check box is selected, the SSL version 2 protocol<br />
will be accepted.<br />
SSL3—When this check box is selected, the SSL version 3 protocol<br />
will be accepted.<br />
TLS1—When this check box is selected, the TLS version 1 protocol<br />
will be accepted.<br />
Note: SSL2 is not recommended. The SSL 2.0 protocol has known weaknesses and is provided<br />
only for compatibility with older Web browsers/SSL applications. Diffie-Hellman key exchange<br />
is not supported for SSL2, so you must deselect SSL2 to enable the Require Diffie-Hellman<br />
Key Exchange field.<br />
5. Select the minimum level <strong>of</strong> cryptography from the Minimum Crypto<br />
Level Strength drop-down list.<br />
Configuring the Web/Secure Web URL Control tab<br />
To configure URL control properties for a Web/Secure Web defense,<br />
click the URL Control tab.<br />
About the URL Control tab<br />
The URL Control tab allows you to configure URL properties, such as<br />
which HTTP operations will be allowed and which URLs will be<br />
explicitly denied. Follow the steps below.<br />
Note: The fields in this tab will be disabled unless you select the URL Control check box<br />
on the Enforcements tab.<br />
1. In the Allow Selected HTTP Commands area, select the commands<br />
(operations) that you want to allow users to issue by clicking in the<br />
corresponding check box(es).<br />
To select all <strong>of</strong> the commands, click Select All. To deselect all <strong>of</strong> the<br />
commands, click Deselect All. A description <strong>of</strong> each command is<br />
provided within the window.<br />
2. To disallow special characters in a URL, select the Enforce Strict URLs<br />
check box. If you select this option, URLs containing certain special characters<br />
will be disallowed under certain circumstances (such as an RFC violation).<br />
For example: quote (“), single quote (‘), back quote (`),<br />
brackets ( [ ], { }, < >), pipe (|), back slash (\), caret (^), and tilde (~).<br />
3. To allow international multi-byte characters in a query, select the Allow<br />
Unicode check box.<br />
4. [Server or Combined only] In the Maximum URL Length field, specify the<br />
maximum length allowed for a URL. The default value is 1024<br />
characters. Valid values are 1–10000.<br />
5. To require that the HTTP version be included in all requests, select the<br />
Require HTTP Version in Request check box.<br />
6. [Conditional] If you selected Require HTTP Version in Request in the<br />
previous step, specify the HTTP versions that you want to allow in the<br />
Allow Selected HTTP Versions area. Valid versions are 1.0 and 1.1.<br />
7. In the Deny Specified URL Matches table, you can specify which URLs to<br />
explicitly deny. The table lists any URLs that are currently denied.<br />
To add a URL to the list, click New. To modify a URL in the list, highlight<br />
it and click Modify. The Edit URL Parsing Values window appears. See<br />
“Configuring the Edit URL Parsing Values window” on page 6-9 for<br />
information on adding a URL.<br />
Configuring the Edit URL Parsing Values window<br />
This window allows you to create a URL value to add to the Deny<br />
Specified URL Matches table. Follow the steps below.<br />
1. In the String field, type the URL string that you want to deny. For<br />
example: www.do-not-go-here.com<br />
Figure 6-4. Web/Secure Web: HTTP Request tab<br />
2. In the Match Parameter area, select the portion of the URL that will be<br />
filtered:<br />
Host—Select this option to filter on the host portion of the URL<br />
(the hostname in http://hostname/path).<br />
Path—Select this option to filter on the path portion of the URL<br />
(the /path in http://hostname/path).<br />
All—Select this option to filter on the entire request<br />
(http://hostname/path).<br />
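The checks that the URL Control tab and the Edit URL Parsing Values window describe can be modelled as one request-line filter. The following Python is an added example written for this page; it is not code from the Sidewinder G2 product or from Secure Computing. The policy dictionary and its key names, the check_request function, and the /cgi-bin/ and tracker deny entries are constructed for the demonstration (only www.do-not-go-here.com is the guide's own example), and the case-insensitive substring match against the deny table is an assumption, since the guide does not state the match semantics.<br />

```python
from typing import Optional
from urllib.parse import urlsplit

# Special characters the guide lists for Enforce Strict URLs.
STRICT_CHARS = set('"\'`[]{}<>|\\^~')

# Constructed policy mirroring the URL Control tab fields. The key names are
# illustrative, not Sidewinder G2 configuration identifiers.
URL_POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "enforce_strict_urls": True,
    "allow_unicode": False,
    "max_url_length": 1024,            # guide default; Server/Combined defenses only
    "require_http_version": True,
    "allowed_http_versions": {"HTTP/1.0", "HTTP/1.1"},
    # Deny Specified URL Matches: (string, match parameter). The first entry is
    # the guide's example; the other two are constructed for this demonstration.
    "deny_matches": [
        ("www.do-not-go-here.com", "host"),
        ("/cgi-bin/", "path"),
        ("tracker", "all"),
    ],
}


def check_request(request_line: str, host_header: Optional[str] = None,
                  policy: dict = URL_POLICY) -> tuple:
    """Apply the URL Control checks to one HTTP request line.

    Returns (allowed, reason). Checks run in the order the tab lists them:
    command, HTTP version, length, strict characters, Unicode, deny table.
    The deny-table comparison is a case-insensitive substring test, which is
    an assumption; the guide does not state the match semantics.
    """
    parts = request_line.split(" ")
    if len(parts) not in (2, 3) or not parts[1]:
        return False, "malformed request line"
    method, url = parts[0], parts[1]
    version = parts[2] if len(parts) == 3 else None

    if method not in policy["allowed_methods"]:
        return False, f"HTTP command {method} not allowed"
    if version is None:
        if policy["require_http_version"]:
            return False, "HTTP version missing from request"
    elif version not in policy["allowed_http_versions"]:
        return False, f"HTTP version {version} not allowed"
    if len(url) > policy["max_url_length"]:
        return False, f"URL exceeds {policy['max_url_length']} characters"
    if policy["enforce_strict_urls"]:
        bad = "".join(sorted(set(url) & STRICT_CHARS))
        if bad:
            return False, f"strict URL violation: {bad!r}"
    if not policy["allow_unicode"] and any(ord(c) > 0x7F for c in url):
        return False, "multi-byte characters not allowed in URL"

    # Absolute-form URLs (non-transparent proxy) carry the host themselves;
    # origin-form URLs (transparent proxy) take it from the Host header.
    absolute = url if "://" in url else f"http://{host_header or ''}{url}"
    split = urlsplit(absolute)
    host = (split.hostname or "").lower()
    path = split.path or "/"
    targets = {"host": host, "path": path, "all": f"{host}{path}"}
    for needle, where in policy["deny_matches"]:
        if needle.lower() in targets[where].lower():
            return False, f"URL matches deny entry {needle!r} ({where})"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample request lines.
    for line in ("GET http://www.example.com/index.html HTTP/1.1",
                 "GET http://www.example.com/index.html",
                 "GET http://www.example.com/a<script>b HTTP/1.1",
                 "GET http://www.do-not-go-here.com/ HTTP/1.1"):
        print(f"{line[:50]:<50} -> {check_request(line)}")
```

The order of checks matters for the reason a practitioner sees in a denial: a request that is both too long and contains a back quote is reported as too long. Transparent-proxy requests carry only the path in the request line, so the Host match is only as good as the Host header the client supplies.<br />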
Configuring the Web/Secure Web HTTP Request tab<br />
To configure HTTP Request properties for a Web/Secure Web defense,<br />
click the HTTP Request tab. The following window appears.<br />
About the HTTP Request tab<br />
The HTTP Request tab allows you to configure header filtering for<br />
HTTP requests. This tab is only available if you selected Server or<br />
Combined in the Type field. Follow the steps below.<br />
Note: The fields in this tab will be disabled unless you select the HTTP Request check box<br />
on the Enforcements tab.<br />
1. Select the type <strong>of</strong> HTTP header filtering you want to allow or deny in the<br />
Selected HTTP Request Header Filter Types area. The following options<br />
are available:<br />
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx request<br />
headers (commonly found in user-defined headers). If you create an Allow list and do<br />
not include the X-* filter type, most Web traffic will be denied.<br />
None—Select this option if you want to deselect all HTTP request<br />
header filter types in the list. (You can also deselect all <strong>of</strong> the types<br />
by clicking Deselect All.)
Figure 6-5. Web/Secure Web: HTTP Reply tab<br />
Standard—Select this option if you want to automatically select all<br />
<strong>of</strong> the header types contained in the list. (You can also select all<br />
header types by clicking Select All.)<br />
Paranoid—Select this option if you want to exclude all options not<br />
defined in the RFC.<br />
Custom—Select this option if you want to manually configure<br />
which HTTP header types you will allow or deny.<br />
2. In the Filter Option field, determine whether you want to allow or deny<br />
the header types you select, as follows:<br />
Allow—Select this option to allow all header types that are<br />
selected in the HTTP Request Header Filter Types window. All other<br />
types will be denied.<br />
Deny—Select this option to deny all header types that are selected<br />
in the HTTP Request Header Filter Types window. All other<br />
types will be allowed.<br />
3. In the Denied Header Action area, select one <strong>of</strong> the following options:<br />
Block Entire Page—Select this option to block the entire page<br />
when an HTTP header is denied.<br />
Allow Page Through Without Denied Headers—Select this option<br />
to mask the denied HTTP header, but still allow the page to be<br />
viewed. (A denied HTTP header will be overwritten with X’s.)<br />
Configuring Web/Secure Web HTTP Reply tab<br />
To configure HTTP Reply properties for a Web/Secure Web defense,<br />
click the HTTP Reply tab. The following window appears.<br />
About the HTTP Reply tab<br />
The HTTP Reply tab allows you to configure header filtering for HTTP<br />
replies. Follow the steps below.<br />
Note: The fields in this tab will be disabled unless you select the HTTP Reply check box on<br />
the Enforcements tab. Also, this tab is not available for Secure Web if you select Client in<br />
the Type field.<br />
1. In the Filter Option field, determine whether you want to allow or deny<br />
the header types you select, as follows:<br />
Allow—Select this option to allow all header types that are<br />
selected in the HTTP Reply Header Filter Types window. All other<br />
types will be denied.<br />
Deny—Select this option to deny all header types that are selected<br />
in the HTTP Reply Header Filter Types window. All other<br />
types will be allowed.<br />
2. Select the type <strong>of</strong> HTTP header filtering you want to allow or deny in the<br />
Selected HTTP Reply Header Filter Types area. The following options are<br />
available:<br />
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply<br />
headers (commonly found in user-defined headers). If you create an Allow list and do<br />
not include the X-* filter type, most Web traffic will be denied.<br />
None—Select this option if you want to deselect all HTTP reply<br />
header filter types in the list. (You can also deselect all <strong>of</strong> the types<br />
by clicking Deselect All.)<br />
Standard—Select this option if you want to automatically select all<br />
<strong>of</strong> the header types contained in the list. (You can also select all<br />
header types by clicking Select All.)<br />
Paranoid—Select this option if you want to exclude all options not<br />
defined in the RFC.<br />
Custom—Select this option if you want to manually configure<br />
which HTTP reply header types you will allow or deny.<br />
3. In the Denied Header Action area, select one <strong>of</strong> the following options:<br />
Block Entire Page—Select this option to block the entire page<br />
when an HTTP reply header is denied.<br />
Allow Page Through Without Denied Headers—Select this option<br />
to mask the denied HTTP reply header, but still allow the page to<br />
be viewed. (A denied HTTP reply header will be scrubbed.)
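The HTTP Request and HTTP Reply tabs above share one model: a set of selected header filter types, an Allow or Deny filter option that decides what the selection means, the X-* wildcard type, and a denied header action. The following Python is an added example written for this page, not code from the Sidewinder G2 product or from Secure Computing. The header type list, the sample request and the function names are constructed; the masking with X's and the scrubbing follow the two behaviours the guide describes for requests and replies respectively.<br />

```python
# Constructed header filter type list. The Admin Console shows the real list;
# these names are illustrative. "x-*" is the wildcard type from the guide.
STANDARD_REQUEST_TYPES = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "cookie", "referer", "content-type", "content-length", "x-*",
}


def parse_headers(raw: str) -> list:
    """Parse 'Name: value' lines (CRLF or LF separated) into (name, value) pairs."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"header line without colon: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def type_selected(name: str, selected: set) -> bool:
    """A header counts as selected if its type is in the list, or if it is an
    X- header and the x-* wildcard type is selected."""
    lname = name.lower()
    return lname in selected or (lname.startswith("x-") and "x-*" in selected)


def filter_headers(headers: list, selected: set, filter_option: str,
                   denied_action: str) -> tuple:
    """Return (filtered_headers, denied_names).

    filter_option: "allow" permits only selected types and denies the rest;
                   "deny" denies the selected types and permits the rest.
    denied_action: "block" drops the whole message (filtered_headers is None);
                   "mask"  keeps the header but overwrites its value with X's
                           (the request-tab behaviour the guide describes);
                   "scrub" removes the header (the reply-tab behaviour).
    """
    if filter_option not in ("allow", "deny"):
        raise ValueError("filter_option must be 'allow' or 'deny'")
    if denied_action not in ("block", "mask", "scrub"):
        raise ValueError("denied_action must be 'block', 'mask' or 'scrub'")
    kept, denied = [], []
    for name, value in headers:
        is_selected = type_selected(name, selected)
        permitted = is_selected if filter_option == "allow" else not is_selected
        if permitted:
            kept.append((name, value))
            continue
        denied.append(name)
        if denied_action == "mask":
            kept.append((name, "X" * len(value)))
    if denied and denied_action == "block":
        return None, denied
    return kept, denied


# Constructed sample request: one X- header and one header (Proxy-Authorization)
# that is deliberately absent from the constructed type list.
SAMPLE_REQUEST = parse_headers(
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Proxy-Authorization: Basic abc\r\n"
)

if __name__ == "__main__":
    # The guide's warning in practice: an Allow list without x-* denies every
    # X- header, and with Block Entire Page that blocks the request.
    for selected in (STANDARD_REQUEST_TYPES, STANDARD_REQUEST_TYPES - {"x-*"}):
        kept, denied = filter_headers(SAMPLE_REQUEST, selected, "allow", "block")
        state = "blocked" if kept is None else "passed"
        print(f"x-* {'in' if 'x-*' in selected else 'not in'} list -> {state}, denied: {denied}")
```

Running the block shows why the guide's note about X-* matters: with Allow as the filter option, every header type that is not selected is denied, and under Block Entire Page a single unlisted header such as X-Requested-With is enough to block the request.<br />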
Figure 6-6. Web/Secure Web: MIME/Virus tab<br />
Configuring the Web/Secure Web MIME/Virus tab<br />
To configure MIME/anti-virus properties for a Web/Secure Web<br />
defense, click the MIME/Virus tab. The following window appears.<br />
About the MIME/Virus tab<br />
The MIME/Virus tab allows you to configure filtering for<br />
MIME and anti-virus scanning services. The tab contains a rule table<br />
that displays any MIME/Anti-Virus filtering rules that have been<br />
created. The tab also contains various virus scanning and handling<br />
configuration options.<br />
Note: Virus scanning is performed on data sent from the client if the request method is<br />
either PUT or POST, and the appropriate file type is specified for scanning in the MIME<br />
filtering rules table.<br />
Note: MIME/Virus scanning services are not available for Web defenses if you select<br />
Server in the Type field. They are not available for Secure Web if you select Client in the<br />
Type field. The fields in this tab will be disabled unless you select the MIME/Virus check<br />
box on the Enforcements tab.<br />
To configure MIME/Virus properties for an Application Defense,<br />
follow the steps below.<br />
Important: You must license and configure scanning services before the MIME/Anti-<br />
Virus filter rules you create will scan HTTP/HTTPS traffic. See “Configuring scanning<br />
services” on page 3-34.<br />
1. In the Type <strong>of</strong> Scanning area, you can configure virus scanning for<br />
known and/or unknown viruses, as follows:<br />
Security Alert: If you want to perform virus scanning, you must create the<br />
appropriate virus scan rules in the MIME/Anti-Virus Filtering Rules table. Rules that<br />
are configured only to allow or deny traffic based on rule criteria will not perform<br />
virus scanning. (See step 2 for information on configuring MIME/Anti-virus filter<br />
rules.)<br />
If you select Scan for Known Viruses only, traffic that matches a rule<br />
requiring virus scanning will be scanned for viruses with known<br />
signatures.<br />
If you select Scan for Unknown Viruses only, traffic that matches a<br />
rule requiring virus scanning will be scanned only for unknown<br />
signatures using heuristic methods.<br />
If you select both Scan for Known Viruses and Scan for Unknown<br />
Viruses, traffic that matches a rule requiring virus scanning will be<br />
scanned for both known and unknown virus signatures.<br />
Note: If you do not select at least one scanning option, traffic that matches a filter rule<br />
requiring virus scanning will NOT be scanned. Select at least one option whenever any<br />
rule in the table uses the Virus Scan action.<br />
2. Configure the appropriate MIME/Anti-Virus filter rules in the MIME/Anti-<br />
Virus Filter Rules table, as follows:<br />
Create a new filter rule—To create a new filter rule, click New and<br />
see “Configuring MIME filtering rules” on page 6-15.<br />
Modify an existing filter rule—To modify an existing filter rule,<br />
select the rule you want to modify, and click Modify. See<br />
“Configuring MIME filtering rules” on page 6-15. (If you are<br />
modifying the default MIME filtering rule, see “Configuring the<br />
Default filtering rule action” on page 6-17.)<br />
Delete a filter rule—To delete an existing filter rule, select the rule<br />
you want to delete and click Delete. You will be prompted to<br />
confirm your decision.<br />
3. To configure file handling for infected files in the Infected File Handling<br />
area, do the following:<br />
a. Determine how infected files will be handled.<br />
To discard infected files, select Discard.<br />
To remove the virus from the file and then continue processing the<br />
file, select Repair.<br />
b. To quarantine infected files for later viewing, select Quarantine Files.<br />
If you select this option, the files will be quarantined in:<br />
/var/log/vscan/quarantine/
4. To configure file size limits and rejection options for Web traffic in the<br />
Other Values area, do the following:<br />
a. In the Scan File Size Limit (kB) field, specify the maximum file size<br />
that will be allowed in kB. If a file exceeds the size specified in this<br />
field, filtering will not take place and the file will be denied.<br />
b. To reject all files in the event that scanning is not available, select the<br />
Reject All Files If Scanning Is Unavailable check box. (If you select this<br />
option, the connection will be dropped if scanning is unavailable.)<br />
Configuring MIME filtering rules<br />
When you click New or Modify beneath the MIME/Anti-Virus Filter Rules<br />
area, the MIME Rule Edit window appears. This window allows you to<br />
add or modify MIME/Anti-Virus filtering rules.<br />
Important: Rules that are configured with an allow or deny action will allow or deny<br />
traffic based on the rule criteria that is defined for those rules. Allow and deny rules do not<br />
perform virus scanning. To perform virus scanning for traffic that matches a rule before it is<br />
allowed, you must specify Virus Scan in the rule’s Action field.<br />
By default, a single allow rule is contained in the filter rule table. If<br />
you choose to leave the default allow rule as the last rule in your table<br />
(that is, all traffic that isn’t explicitly denied will be allowed), you will<br />
need to configure the appropriate virus scan and/or deny rules and<br />
place them in front <strong>of</strong> the default allow rule. If you configure the<br />
default rule action to deny (that is, all traffic that is not explicitly<br />
allowed will be denied) you will need to configure the appropriate<br />
virus scan and/or allow rules and place them in front <strong>of</strong> the default<br />
deny rule.<br />
To create MIME/Anti-Virus rules, follow the steps below.<br />
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny<br />
any traffic that matches either the MIME Type or a File Extension type. That is, the traffic<br />
does not need to match both criteria to match the rule.<br />
1. In the MIME Type drop-down list, select the MIME type for which you<br />
want to filter. If you select the asterisk (*) option, the filter rule will ignore<br />
this field when determining a match.<br />
2. In the MIME Subtype drop-down list, select a subtype for the MIME type<br />
that you selected in the previous step (the available options will vary<br />
depending on the MIME type you selected in the previous step). If you<br />
select the asterisk (*) option, the filter rule will ignore this field when<br />
determining a match.<br />
3. In the File Extensions area, specify the type <strong>of</strong> file extensions that you<br />
want to filter:<br />
Ignore Extensions (*)—Select this option to ignore extensions<br />
when determining a match.<br />
Archive Extensions—Select this option to specify basic archive<br />
extensions (such as .tar, .zip, etc.) for the specified MIME types/subtype.<br />
Standard Extensions—Select this option to specify the standard<br />
file extensions associated with the selected MIME type/subtype.<br />
For example, if you select text in the MIME Type field, and HTML in<br />
the MIME Subtype field, the .htm and .html file extensions will<br />
appear in the standard list.<br />
Custom—Select this option to create a custom list <strong>of</strong> file<br />
extensions for the selected MIME type/subtype. To add a file<br />
extension to the list, click New and see “Configuring the Add New<br />
File Extension window” on page 6-17. To delete a file extension,<br />
select the extension you want to delete and click Delete. You can<br />
use the Reset button to clear all extensions from the list, or to<br />
select a different file extension list (Archive or Standard).<br />
4. In the Action area, select one <strong>of</strong> the following options:<br />
Allow—Select this option if you want to explicitly allow the file<br />
extensions that you specified in the previous steps. (Virus scanning<br />
will not be performed.)<br />
Deny—Select this option if you want to explicitly deny the file<br />
extensions that you specified in the previous steps. (Virus scanning<br />
will not be performed.)<br />
Virus Scan—Select this option if you want to perform virus<br />
scanning on the file extensions that you specified in the previous<br />
steps. The type <strong>of</strong> scanning that is performed will be determined<br />
by the option(s) configured in the Type <strong>of</strong> Scanning area. If no<br />
viruses are detected, the file will be allowed through the system.
Configuring the Add New File Extension window<br />
This window allows you to specify additional file extensions on which<br />
to filter. In the File Extension field, type the extension that you want to<br />
add, and then click Add. The file extension is added to the Custom file<br />
extension list. If you select the Custom file extension option, all file<br />
extensions listed in the box will be allowed, denied, or filtered<br />
depending on the action you select.<br />
Configuring the Default filtering rule action<br />
The default filter rule is a catch-all rule designed to occupy the last<br />
position in your rule table. To modify the action of the default<br />
MIME filtering rule, do the following:<br />
1. Select the default rule in the table and click Modify. The MIME Default<br />
Action window appears.<br />
2. Select the appropriate action for this rule and then click OK.<br />
Allow—The default rule is initially configured to allow all data that<br />
does not match other filter rules. If you leave the default rule as an<br />
allow rule, you must create filter rules that require virus scanning or<br />
explicitly deny any MIME types that you do not want to allow, and<br />
place them in front <strong>of</strong> the default allow rule.<br />
Deny—If you prefer the default rule to deny all data that did not<br />
match a filter rule, you must create the appropriate virus scan and<br />
allow rules and place them in front <strong>of</strong> the default deny rule.<br />
Virus Scan—If you want to perform virus scanning for traffic that<br />
does not match any allow or deny filter rules you create, select this<br />
option. You will then need to create the appropriate allow and<br />
deny rules that will not require scanning.<br />
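The MIME/Anti-Virus rule table described in the MIME/Virus tab, the MIME filtering rules and the default rule action above is a first-match table with three points that are easy to get wrong: a rule naming both a MIME type/subtype and extensions matches on either, Allow and Deny rules never scan, and whatever the default rule does applies to everything the rules above it miss. The following Python is an added example written for this page, not code from the Sidewinder G2 product or from Secure Computing. The rule table, the scanning configuration and its key names are constructed; the scanner is a stub that recognises only the EICAR test string, standing in for the separately licensed scanning service; and the behaviour when scanning is unavailable and the Reject All Files option is off is an assumption, since the guide only defines the checked case.<br />

```python
import os

# EICAR anti-virus test string, used as the sole "known signature" of the
# constructed scanner stub below (the real scanning engine is licensed separately).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed scanning options mirroring the MIME/Virus tab. Key names are illustrative.
SCAN_CONFIG = {
    "scan_known": True,
    "scan_unknown": False,
    "infected_action": "discard",        # or "repair"
    "scan_size_limit_kb": 2048,
    "reject_if_unavailable": True,
    "scanner_available": True,           # stands in for the licensed scanning service
}

# Constructed rule table. Evaluation is first match, top to bottom; the
# catch-all default rule occupies the last position as the guide describes.
RULES = [
    {"name": "block executables", "mime": ("application", "x-msdownload"),
     "extensions": {".exe", ".dll"}, "action": "deny"},
    {"name": "scan archives", "mime": ("application", "*"),
     "extensions": {".zip", ".tar", ".gz"}, "action": "scan"},
    {"name": "allow html", "mime": ("text", "html"),
     "extensions": {".htm", ".html"}, "action": "allow"},
    {"name": "default", "mime": ("*", "*"), "extensions": None, "action": "allow"},
]


def rule_matches(rule: dict, mtype: str, subtype: str, ext: str) -> bool:
    """Guide semantics: a rule naming both a MIME type/subtype and file
    extensions matches if EITHER criterion matches. '*' ignores a field;
    extensions=None is the Ignore Extensions option."""
    rtype, rsub = rule["mime"]
    mime_match = (rtype == "*" or rtype == mtype) and (rsub == "*" or rsub == subtype)
    exts = rule["extensions"]
    if exts is None:
        return mime_match                  # wildcards make this True for the default rule
    ext_match = ext in exts
    if (rtype, rsub) == ("*", "*"):
        return ext_match                   # MIME field ignored: extensions decide
    return mime_match or ext_match


def scan(body: bytes, cfg: dict) -> str:
    """Constructed scanner stub applying the Type of Scanning / Other Values options."""
    if len(body) > cfg["scan_size_limit_kb"] * 1024:
        return "deny-too-large"            # guide: no filtering; the file is denied
    if not cfg["scanner_available"]:
        # Assumption: with Reject All Files If Scanning Is Unavailable off, the
        # file passes unscanned; the guide only defines the checked behaviour.
        return "reject-scanner-unavailable" if cfg["reject_if_unavailable"] else "allow-unscanned"
    if not (cfg["scan_known"] or cfg["scan_unknown"]):
        return "allow-unscanned"           # guide note: no scanning option selected
    if cfg["scan_known"] and EICAR.encode() in body:
        return "discard-infected" if cfg["infected_action"] == "discard" else "repaired"
    return "allow-clean"


def evaluate(rules: list, content_type: str, filename: str, body: bytes,
             cfg: dict = SCAN_CONFIG) -> tuple:
    """Return (verdict, name of the first matching rule) for one HTTP entity."""
    media = content_type.split(";")[0].strip().lower()   # drop charset etc.
    mtype, _, subtype = media.partition("/")
    ext = os.path.splitext(filename)[1].lower()
    for rule in rules:
        if rule_matches(rule, mtype, subtype, ext):
            if rule["action"] in ("allow", "deny"):
                return rule["action"], rule["name"]    # allow/deny rules never scan
            return scan(body, cfg), rule["name"]
    return "deny", "no rule matched"


if __name__ == "__main__":
    # Constructed sample entities; note the last one is never scanned under
    # the default allow rule even though it carries the test signature.
    for ctype, fname, body in (("text/plain", "notes.exe", b"hello"),
                               ("image/gif", "payload.zip", EICAR.encode()),
                               ("image/png", "logo.png", EICAR.encode())):
        print(f"{ctype:<12} {fname:<12} -> {evaluate(RULES, ctype, fname, body)}")
```

The either/or matching shows up twice in the sample run: text/plain notes.exe is denied by the executables rule on its extension alone, and image/gif payload.zip is scanned by the archive rule on its extension although its MIME type is not application/*. The last line is the trap the guide warns about: with the default rule left on Allow, image/png logo.png is allowed without scanning; changing the default action to Virus Scan closes that gap.<br />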
Configuring the Web/Secure Web Content Control tab<br />
To configure content control properties for a Web/Secure Web<br />
defense, click the Content Control tab. The following window<br />
appears.<br />
Figure 6-7. Web/Secure Web Content Control tab<br />
About the Content Control tab<br />
The Content Control tab allows you to configure filtering to deny<br />
certain types <strong>of</strong> embedded objects. Follow the steps below.<br />
Note: If you are configuring a Web or Secure Web defense for type Server, you will only be<br />
allowed to select the Deny SOAP option. If you are configuring a Web defense for type<br />
Client, the Deny SOAP option is not available.<br />
1. Select the Deny ActiveX Controls check box to scrub the ActiveX<br />
embedded objects from the Web content.<br />
2. Select the Deny Java Applets check box to scrub the Java Applet objects<br />
from the Web content.<br />
3. Select the Deny Scripting Languages check box to scrub scripting<br />
languages from the Web content.<br />
4. Select the Deny SOAP check box to scrub SOAP embedded objects from<br />
the Web content. In some cases, selecting this option can cause the<br />
entire page to be denied if it contains SOAP embedded objects.<br />
Configuring the Web/Secure Web Connection tab<br />
The Web/Secure Web Connection tab allows you to configure basic<br />
connection properties, such as the type <strong>of</strong> connection that will be<br />
allowed (transparent, non-transparent, or both), timeout properties,<br />
and fast path session properties. You can also configure whether to<br />
send traffic to an upstream proxy.<br />
Configuring connection properties is common to most Application<br />
Defenses. For information on configuring the Connections tab, see<br />
“Configuring connection properties” on page 6-48.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.
Creating Web Cache Application Defenses<br />
Figure 6-8. Application Defenses: Web Cache window<br />
To configure Web Cache Application Defenses, in the Admin Console<br />
select Policy Configuration -> Application Defenses -> Defenses -> Web<br />
Cache. The following window appears. (Figure 6-8 displays only the<br />
bottom portion <strong>of</strong> the window.)<br />
Configuring the Web Cache Application Defense window<br />
This window allows you to configure SmartFilter properties for the<br />
Web Proxy server (Squid). Follow the steps below.<br />
Note: You must configure and enable your SmartFilter s<strong>of</strong>tware before this defense will<br />
be effective in your policy. See “Configuring the Web proxy server” on page 12-12 and<br />
“Configuring SmartFilter on the <strong>Sidewinder</strong> <strong>G2</strong>” on page A-3.<br />
1. Configure the SmartFilter category table.<br />
The SmartFilter category table displays the available SmartFilter<br />
categories, as well as the configured properties for each category. To<br />
modify the properties for a SmartFilter category, select the category<br />
that you want to modify, and click Modify. See “Modifying a SmartFilter<br />
category” on page 6-20.<br />
2. To filter URLs to deny specific file extension types, click New in the<br />
Denied File Extensions area. To modify an existing file extension, select<br />
the file extension you want to modify and click Modify in the Denied File<br />
Extensions area. See “Configuring the SmartFilter File Extension<br />
window” on page 6-21 for information about adding or modifying a<br />
denied file extension.<br />
3. [Conditional] To slow the download process for filtered sites, in the<br />
Delay field type the amount <strong>of</strong> time (in seconds) that you want to delay<br />
the Web page display.<br />
Delaying the download time discourages users from browsing certain<br />
sites because it takes longer for those pages to be displayed. Valid<br />
values are from 1–999.<br />
Note: The Delay field applies to ALL categories in a rule that are set to Delay. For<br />
example, if you have set Chat, Entertainment, and Art/Culture to delay, and enter<br />
30 seconds in the Delay field, sites that fall into any <strong>of</strong> the three categories will be<br />
delayed by 30 seconds.<br />
4. To deny Web access if a user attempts to access a site using an IP<br />
address rather than a host name, select the Deny IP Addresses check box.<br />
Secure Computing recommends enabling this check box; requesting a site by<br />
its bare IP address is a common way to sidestep URL-based filtering.<br />
5. To deny unclassified personal pages (pages that consist <strong>of</strong><br />
uncategorized URLs that contain a tilde, such as<br />
www.rootsweb.com/~wgnorway/), select the<br />
Deny Unclassified Personal Pages check box.<br />
Note: This option does NOT refer to the Personal Pages category. It only refers to<br />
pages that contain a tilde (~), as described above.<br />
6. Click the Save icon to save your changes when you are finished<br />
configuring an Application Defense.<br />
Modifying a SmartFilter category<br />
When you select a SmartFilter category and click Modify in the<br />
SmartFilter tab, the SmartFilter Modification window appears. This<br />
window enables you to change the settings for the selected<br />
SmartFilter category. The Category field in the top portion <strong>of</strong> the<br />
window displays the SmartFilter category you selected for<br />
modification. Follow the steps below.<br />
1. In the Permission field, specify whether access to the selected<br />
SmartFilter category will be allowed or denied by selecting the<br />
appropriate option from the drop-down list.
2. In the Special Handling field, specify whether SmartFilter will process Web requests to this category in a special manner. Valid options are:
None—No special handling is performed.
Coach—A predefined message is displayed to users informing them that the site has been filtered, but allows them to proceed at their own risk. The predefined message can be modified by editing the /usr/local/squid/etc/errors/ERR_SCC_SMARTFILTER_COACH file. For information on configuring this file, see “Configuring advanced SmartFilter options” on page E-6.
Note: The Coaching feature works with all Internet Explorer browsers and with Netscape browsers at version 6.0 or greater.
Delay—Slows the download process of filtered sites. This discourages users from browsing certain sites because it takes longer for those pages to be displayed. The delay time is specified in the Set SmartFilter Delay field on the main SmartFilter tab.
Configuring the SmartFilter File Extension window
This window allows you to specify file extensions that will be denied. To add a file extension that you want to deny, type the extension in the Denied File Extension window. Do not include a period (.) in front of the file extension.
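The URL-level decisions described in steps 2 through 5 and in the category settings, as an added Python example; this is not Sidewinder G2 or SmartFilter code, and the category table, the category passed in for each URL, the denied extensions and the sample URLs are all constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CategorySetting:
    """One row of the SmartFilter category table: Permission plus Special Handling."""
    permission: str                 # "allow" or "deny"
    special_handling: str = "None"  # "None", "Coach" or "Delay"


@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "deny" or "coach"
    reason: str
    delay_seconds: int = 0


# Constructed category table; the real categories and settings come from the Admin Console.
CATEGORY_TABLE = {
    "Chat": CategorySetting("allow", "Delay"),
    "Entertainment": CategorySetting("allow", "Delay"),
    "Gambling": CategorySetting("deny"),
    "Shopping": CategorySetting("allow", "Coach"),
    "News": CategorySetting("allow"),
}

# Denied File Extensions are entered without the leading period, as the window requires.
DENIED_EXTENSIONS = {"exe", "scr", "vbs"}


def host_is_ip_address(host: str) -> bool:
    """True when the request names the server by an IP literal (v4 or v6) instead of a host name."""
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def filter_url(url: str, category: Optional[str], *, delay_seconds: int = 30,
               deny_ip_addresses: bool = True,
               deny_unclassified_personal_pages: bool = True) -> Decision:
    """Apply the SmartFilter tab settings to one request.

    `category` is the SmartFilter category the URL was classified into, or None when
    the URL is uncategorized; the classification lookup itself is outside this example.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # Step 2: Denied File Extensions, compared without the period and case-insensitively.
    if ext in DENIED_EXTENSIONS:
        return Decision("deny", f"denied file extension .{ext}")
    # Step 4: Deny IP Addresses.
    if deny_ip_addresses and host_is_ip_address(host):
        return Decision("deny", "IP address used instead of a URL")
    # Step 5: Deny Unclassified Personal Pages applies only to uncategorized URLs with a tilde;
    # a URL that SmartFilter did categorize is handled through the category table instead.
    if deny_unclassified_personal_pages and category is None and "~" in parts.path:
        return Decision("deny", "unclassified personal page (tilde in path)")
    if category is None:
        return Decision("allow", "uncategorized")
    setting = CATEGORY_TABLE.get(category)
    if setting is None:
        return Decision("allow", f"category {category} has no table entry")
    if setting.permission == "deny":
        return Decision("deny", f"category {category} is denied")
    if setting.special_handling == "Coach":
        return Decision("coach", f"category {category} is coached")
    if setting.special_handling == "Delay":
        # Step 3: the single Delay value applies to every category set to Delay.
        return Decision("allow", f"category {category} is delayed", delay_seconds)
    return Decision("allow", f"category {category} is allowed")
```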
Creating Mail Application Defenses
Mail Application Defenses are used in SMTP proxy rules. To configure Mail Application Defenses, in the Admin Console select Policy Configuration -> Application Defenses -> Defenses -> Mail. The following window appears. (Figure 6-9 displays only the bottom portion of the window.)
Note: You must have Secure Split SMTP mail servers configured to use mail filtering.
Figure 6-9. Application Defenses: Mail window
Configuring the Mail Control tab
This tab allows you to configure filtering for mail services. The Anti-Relay feature prevents your mailhost from being used by a hacker as a relay point for spam to other sites. This option is automatically enabled for all mail defenses and cannot be disabled.
To configure a Mail Application Defense, follow the steps below.
1. To enable (or disable) a particular type of filtering, you must select the appropriate check box in the Enable Mail Filters area. Once you enable a mail filter, you can configure it by selecting the appropriate tab. You cannot configure a mail filter unless you have selected it in this tab. The following filters can be enabled:
Size Filter—The Size filter allows you to specify the maximum size for mail messages. To configure the Size filter once it has been enabled, select the Size Filter tab and see “About the Mail Size tab” on page 6-23.
Keyword Search Filter—The Keyword Search filter allows you to filter mail messages based on the presence of defined key words (character strings). To configure the Keyword Search filter once it has been enabled, select the Keyword Search tab and see “About the Keyword Search tab” on page 6-24.
MIME/Anti-Virus Filter—The MIME/Anti-Virus Filter allows you to configure MIME and Anti-virus filtering for e-mail messages. To configure the MIME/Anti-Virus filter once it has been enabled, select the MIME tab and see “Configuring the Mail MIME/Virus tab” on page 6-26.
Anti-Spam Filter—The Anti-Spam filter allows you to filter out mail messages that fall under the “spam” profile. The Anti-Spam filter can only be enabled or disabled in this window. To enable Anti-Spam filtering, select this check box. To disable Anti-Spam filtering, deselect the check box.
If desired, you can modify the default actions for the Anti-Spam filter in the appropriate configuration file(s) using the Admin Console File Editor. See “Configuring advanced anti-spam options” on page 11-13 for details.
2. To specify how mail messages that are rejected should be handled, select one of the following options in the Rejected Mail Handling field:
Discard—Select this option if you want to discard rejected mail messages without notifying the sender.
Return to Sender—Select this option if you want to send a rejection notice to the sender.
Note: If a message is denied by the MIME/Anti-Virus filter rules (configured in the MIME/Virus tab), that message will be discarded without sending a rejection notice regardless of which option you select here.
Configuring the Mail Size tab
To configure size restrictions for a Mail defense, select the Size tab. The following window appears.
Figure 6-10. Mail Size tab
About the Mail Size tab
The Size filter checks e-mail messages for the number of bytes the message contains, including the message header. A message is rejected if it is greater than or equal to the threshold size you specify when you configure a filter.
To configure the Size filter, in the Maximum Message Size field specify the maximum message size (in kB) that will be allowed to pass through the Sidewinder G2. The default is 1024 kB. Valid values are 1–2147483647 kB.
Configuring the Mail Keyword Search tab
To configure key words (character strings) that will be filtered for a Mail defense, select the Keyword Search tab. The following window appears.
Figure 6-11. Keyword Search tab
About the Keyword Search tab
The Keyword Search tab allows you to configure the Sidewinder G2 to perform a search for specified character set(s), or key words, within an e-mail message. If the filter finds a specific number of key word matches, the message is rejected. If the filter does not match a specific number of key words, it passes the message on to the next filter or to the intended recipient.
Important: You must enable the kmvfilter server in the appropriate burbs before the keyword search feature will function. For information on enabling the kmvfilter server, see “Enabling and disabling servers” on page 3-30.
To configure character sets to search for, follow the steps below.
1. In the Minimum Number of Phrase Matches Required for Rejection of Message field, specify the number of key word matches that must be found in a message before it is rejected.
2. In the Total Number of Phrase Matches to Verify Before Rejection field, specify whether the filter will search the entire message for key words, or whether it will stop searching for key words if the minimum number of matches is met:
Minimum—Select this option if you want the filter to stop searching and fail the message if the minimum number of key word matches is met. This is based on the number that you enter in the previous step. The filter will reject a mail message once the minimum number of key words are matched.
All—Select this option if you want the filter to continue searching the message for key words after the minimum number of key word matches is met, for auditing purposes. After searching the entire message for key word matches, the message is rejected.
3. The Phrase List table provides the list of phrases that will be filtered for this Application Defense. The table contains three columns:
Before—This column indicates whether a space is required immediately before the specified phrase to match the filter. An asterisk (*) indicates that the phrase will not match unless there is a space immediately in front of the phrase.
Phrase Text—This column lists each phrase for which the filter will search.
After—This column indicates whether a space is required immediately after the specified phrase to match the filter. An asterisk (*) indicates that the phrase will not match unless there is a space immediately following the phrase.
To add a phrase, click New. To modify a phrase, highlight the appropriate row and click Modify. The Keyword Search: Phrase Edit window appears.
Configuring the Keyword Search: Phrase Edit window
When you click New or Modify beneath the Phrase List area, the Keyword Search Phrase Edit window appears. This window allows you to add or modify character strings (known as “key words”). Follow the steps below.
1. In the Text field, type the text you want to filter. You can include any printable character, as well as spaces. However, the character string must consist of at least two characters.
Note: Some special characters, such as a space, will be displayed in the Key Word list using their hexadecimal equivalents.
You can also define a key word entry that consists partly or entirely of binary characters. The binary characters you want to search for are entered into the Key Word list using their hexadecimal equivalents. Each character must be preceded with a back slash (\). This distinguishes the character from a regular character. You can specify several characters in a row, but each character must be preceded by a back slash. You can also intermingle the binary characters with regular characters. For example, the following are valid entries in the Key Word list:
— \ac\80\fe
— \ff\00\fb\40secrets
— password\df\01\04
Valid hexadecimal characters are allowed immediately following a back slash. To use the back slash character as part of a key word entry, you must type a double back-slash (\\).
Note: The exception is \0a (the new line character). The filter will not detect a key word that contains this character unless it is the first character in the key word entry or unless the character is preceded by \0d (the line feed) character (e.g., \0d\0a).
2. If you want to require that there be white space directly in front of and/or after a key word, select the Require whitespace immediately before phrase and/or Require whitespace immediately after phrase check boxes, accordingly. This prevents the filter from misidentifying character strings that innocently appear as part of another word.
For example, if you require whitespace before and after the key word “for,” words like “forest,” “formula,” “information,” and “uniform” will be allowed to pass through the filter, while the word “for” would not. If you do not require whitespace before and after the key word “for,” the “for” string within the word would match the filter and cause the message to be rejected (if the specified number of matches are found).
3. To add the new or modified key word, click OK.
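The Keyword Search tab's matching rules and the Phrase Edit window's entry syntax, as an added Python example that is not the kmvfilter server's code: decode_phrase turns an entry such as \ff\00\fb\40secrets into bytes, count_matches applies the Before/After whitespace requirement, and filter_message implements the Minimum and All verification options. The whitespace byte set and the sample message bytes are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Phrase:
    text: str            # as typed in the Phrase Edit Text field, e.g. r"\ff\00\fb\40secrets"
    space_before: bool   # "Require whitespace immediately before phrase" (Before column *)
    space_after: bool    # "Require whitespace immediately after phrase" (After column *)


# Tokens of a Key Word entry: doubled back slash, back slash + two hex digits,
# a stray back slash, or a run of ordinary characters.
_TOKEN = re.compile(r"\\\\|\\([0-9a-fA-F]{2})|(\\)|[^\\]+")
_WHITESPACE = b" \t\r\n"   # assumed definition of "whitespace" for the Before/After checks


def decode_phrase(text: str) -> bytes:
    """Turn a Key Word entry into the byte string the filter searches for."""
    if len(text) < 2:
        raise ValueError("a key word must consist of at least two characters")
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(0) == "\\\\":
            out.append(0x5C)                       # "\\" is a literal back slash
        elif m.group(1) is not None:
            out.append(int(m.group(1), 16))        # "\hh" is one binary byte
        elif m.group(2) is not None:
            raise ValueError("a back slash must be followed by two hex digits or doubled")
        else:
            out += m.group(0).encode("latin-1")    # ordinary printable text
    return bytes(out)


def newline_rule_ok(needle: bytes) -> bool:
    """The Note's restriction on \\0a: a 0x0a byte is only detected when it is the first
    byte of the entry or is immediately preceded by 0x0d, as in \\0d\\0a."""
    return all(i == 0 or needle[i - 1] == 0x0D
               for i, b in enumerate(needle) if b == 0x0A)


def count_matches(message: bytes, phrase: Phrase, limit: int = 0) -> int:
    """Count occurrences of the phrase, honouring the Before/After whitespace requirements.
    A limit > 0 stops counting once that many matches have been seen."""
    needle = decode_phrase(phrase.text)
    count = start = 0
    while True:
        i = message.find(needle, start)
        if i < 0 or (limit and count >= limit):
            return count
        end = i + len(needle)
        before_ok = not phrase.space_before or (i > 0 and message[i - 1] in _WHITESPACE)
        after_ok = not phrase.space_after or (end < len(message) and message[end] in _WHITESPACE)
        if before_ok and after_ok:
            count += 1
        start = i + 1


def filter_message(message: bytes, phrases: List[Phrase], minimum: int,
                   verify: str = "Minimum") -> Tuple[bool, int]:
    """Return (rejected, matches_counted) for one message.

    verify="Minimum" stops at the first `minimum` matches and rejects; verify="All"
    keeps counting through the whole message for auditing, then rejects if the
    minimum was reached.
    """
    total = 0
    for phrase in phrases:
        remaining = minimum - total if verify == "Minimum" else 0
        total += count_matches(message, phrase, limit=remaining)
        if verify == "Minimum" and total >= minimum:
            return True, total
    return total >= minimum, total
```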
Configuring the Mail MIME/Virus tab
To configure MIME and anti-virus filtering options for a Mail defense, select the MIME/Virus tab. The following window appears.
Figure 6-12. Mail MIME/Virus tab
About the Mail MIME/Virus tab
The MIME/Virus tab allows you to configure MIME and virus filtering services. The tab contains a rule table that displays any MIME/Anti-Virus filtering rules that have been created. It also contains various virus scanning and handling configuration options.
Important: You must license and configure additional services before the MIME/Anti-Virus filter rules you create will scan mail messages. See “Configuring scanning services” on page 3-34.
Note: The fields in this tab will be disabled unless you select the MIME/Virus check box on the Control tab.
To configure MIME/Virus properties for an Application Defense, follow the steps below.
Security Alert: If you want to perform virus scanning, you must create the appropriate rules with Virus Scan selected in the Action field. Rules that are configured only to allow or deny traffic based on rule criteria will not perform virus scanning. (See step 2 for information on configuring MIME/Anti-virus filter rules.)
1. In the Type of Scanning area, you can configure virus scanning for known and/or unknown viruses, as follows:
If you select Scan for Known Viruses only, messages that match a rule requiring virus scanning will be scanned only for viruses with known signatures.
If you select Scan for Unknown Viruses only, messages that match a rule requiring virus scanning will be scanned only for unknown signatures using heuristic methods.
If you select both Scan for Known Viruses and Scan for Unknown Viruses, messages that match a rule requiring virus scanning will be scanned for both known and unknown virus signatures.
Note: If you do not select at least one of the scanning options and you have filter rules configured that require virus scanning, messages that match those rules will NOT be scanned for known virus signatures by default.
2. Configure the appropriate MIME/Anti-Virus filter rules in the MIME/Anti-Virus Filter Rules table, as follows:
Create a new filter rule—To create a new filter rule, click New and see “Configuring MIME filtering rules” on page 6-15.
Modify an existing filter rule—To modify an existing filter rule, select the rule you want to modify, and click Modify. See “Configuring MIME filtering rules” on page 6-15. (If you are modifying the default MIME filtering rule, see “Configuring the Default filtering rule action” on page 6-17.)
Delete a filter rule—To delete an existing filter rule, select the rule you want to delete and click Delete. You will be prompted to confirm your decision.
3. To quarantine infected files for later viewing, select Quarantine Files. If you select this option, the files will be quarantined in:
/var/log/vscan/quarantine/
4. To configure file size limits and rejection options for mail messages in the Other Values area, do the following:
a. In the Scan File Size Limit (kB) field, specify the maximum file size that will be allowed (in kB). If a file exceeds the size specified in this field, scanning will not take place and the file will be denied.
b. To reject all files in the event that scanning is not available, select the Reject All Files If Scanning Is Unavailable check box. (If you select this option, the connection will be dropped if scanning is unavailable.)
c. Select Full Scan of Entire Mail Message if you want to perform scanning on the entire mail message (that is, the message with all of its MIME types is scanned as a single entity). If this check box is deselected, each piece of the mail message will be scanned and handled independently.
Configuring MIME filtering rules
When you click New or Modify beneath the MIME/Anti-Virus Filter Rules area, the MIME Rule Edit window appears. This window allows you to add or modify a MIME filtering rule.
Important: Rules that are configured with an Allow or Deny action will allow or deny messages based on the rule criteria that are defined within the rule. Allow and deny rules do not perform virus scanning. To perform virus scanning for messages that match a rule before they are allowed, you must specify Virus Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose to leave the default allow rule as the last rule in your table (that is, all mail that isn’t explicitly denied will be allowed), you will need to configure the appropriate virus scan and/or deny rules and place them in front of the default allow rule.
If you configure the default rule action to deny (that is, all mail that is not explicitly allowed will be denied), you will need to configure the appropriate virus scan and/or allow rules and place them in front of the default deny rule. In this scenario, if you want to allow multi-part mixed MIME elements within a mail message (which is fairly common), you will need to create an allow rule with Multipart selected in the Type field and Mixed selected in the Subtype field. If you do not create this type of allow rule when using a default deny rule, any mail message that contains multiple MIME types will be denied.
To configure MIME/Virus Filter rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny any traffic that matches either the MIME Type or a File Extension type. That is, the traffic does not need to match both criteria to match the rule.
1. In the MIME Type drop-down list, select the MIME type for which you want to filter. If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
2. In the MIME Subtype drop-down list, select a subtype for the MIME type that you selected in the previous step (the available options will vary depending on the MIME type you selected). If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
3. In the File Extensions area, specify the type of file extensions that you want to filter:
Ignore Extensions (*)—Select this option to ignore extensions when determining a match.
Archive Extensions—Select this option to match basic archive extensions (such as .tar, .zip, etc.).
Standard Extensions—Select this option to match standard file extensions associated with the selected MIME type/subtype. For example, if you select text in the MIME Type field, and HTML in the MIME Subtype field, the .htm and .html file extensions will appear in the standard list.
Custom—Select this option to create a custom list of file extensions for the selected MIME type/subtype. To add a file extension to the list, click New and see “Configuring the Add New File Extension window” on page 6-17. To delete a file extension, select the extension you want to delete and click Delete. You can use the Reset button to clear all extensions from the list, or to select a different file extension list (Archive or Standard).
4. In the Action area, select one of the following options:
Allow—Select this option if you want to explicitly allow the file extensions that you specified in the previous steps. (Virus scanning will not be performed.)
Deny—Select this option if you want to explicitly deny the file extensions that you specified in the previous steps. (Virus scanning will not be performed.)
Virus Scan—Select this option if you want to perform virus scanning on the file extensions that you specified in the previous steps. The type of scanning that is performed will be determined by the option(s) configured in the Type of Scanning area. If no viruses are detected, the file will be allowed through the system.
Configuring the Add New File Extension window
This window allows you to customize the file extensions on which to filter. In the File Extension field, type the extension that you want to add, and then click Add. The file extension is added to the Custom file extension list. When you select the Custom file extension option, all file extensions listed in the box will be allowed, denied, or filtered depending on the action you select.
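First-match evaluation of a MIME/Anti-Virus filter rule table as described in steps 1 through 4 and the Important note above, as an added Python example that is not the Sidewinder G2 implementation: the either-criterion matching from the Note, the Allow/Deny/Virus Scan actions, the Scan File Size Limit and the Reject All Files If Scanning Is Unavailable setting, with a default-deny table that includes the multipart/mixed allow rule the text calls for. The extension lists, the stand-in scanner and the sample parts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set

ANY = "*"  # the asterisk option: the field is ignored when determining a match

# Constructed extension lists; the real Archive and Standard lists come from the Admin Console.
ARCHIVE_EXTENSIONS = {"tar", "zip", "gz", "tgz"}
STANDARD_EXTENSIONS = {("text", "html"): {"htm", "html"}, ("text", "plain"): {"txt"}}


@dataclass(frozen=True)
class MimePart:
    mime_type: str
    mime_subtype: str
    filename: str = ""
    size_kb: int = 0

    @property
    def extension(self) -> str:
        return self.filename.rsplit(".", 1)[-1].lower() if "." in self.filename else ""


@dataclass(frozen=True)
class MimeRule:
    mime_type: str = ANY
    mime_subtype: str = ANY
    extensions: str = "Ignore"             # "Ignore", "Archive", "Standard" or "Custom"
    custom: FrozenSet[str] = frozenset()   # Custom list, entered without the period
    action: str = "Allow"                  # "Allow", "Deny" or "Virus Scan"

    def extension_set(self) -> Optional[Set[str]]:
        if self.extensions == "Archive":
            return ARCHIVE_EXTENSIONS
        if self.extensions == "Standard":
            return STANDARD_EXTENSIONS.get((self.mime_type, self.mime_subtype), set())
        if self.extensions == "Custom":
            return set(self.custom)
        return None  # Ignore Extensions (*)

    def matches(self, part: MimePart) -> bool:
        criteria = []
        if self.mime_type != ANY or self.mime_subtype != ANY:
            criteria.append(self.mime_type in (ANY, part.mime_type)
                            and self.mime_subtype in (ANY, part.mime_subtype))
        exts = self.extension_set()
        if exts is not None:
            criteria.append(part.extension in exts)
        # Either criterion is enough (see the Note); a rule with every field ignored is a catch-all.
        return any(criteria) if criteria else True


@dataclass
class ScanSettings:
    scan_known: bool = True              # Scan for Known Viruses
    scan_unknown: bool = False           # Scan for Unknown Viruses
    scan_file_size_limit_kb: int = 2048  # Scan File Size Limit (kB)
    reject_if_unavailable: bool = True   # Reject All Files If Scanning Is Unavailable


# A scanner returns "clean", "infected" or "unavailable"; the real scanning service is a
# separately licensed component, so any callable of this shape stands in for it here.
Scanner = Callable[[MimePart, ScanSettings], str]


def evaluate_part(part: MimePart, rules: List[MimeRule], settings: ScanSettings,
                  scanner: Scanner) -> str:
    """First matching rule wins; `rules` ends with the default catch-all rule."""
    for rule in rules:
        if not rule.matches(part):
            continue
        if rule.action in ("Allow", "Deny"):
            return rule.action.lower()   # Allow and Deny rules never scan
        if not (settings.scan_known or settings.scan_unknown):
            return "allow"  # assumption: the page only says such parts are not scanned
        if part.size_kb > settings.scan_file_size_limit_kb:
            return "deny"   # over the Scan File Size Limit: not scanned, denied
        verdict = scanner(part, settings)
        if verdict == "unavailable":
            return "deny" if settings.reject_if_unavailable else "allow"
        return "deny" if verdict == "infected" else "allow"
    return "deny"  # not reached while the table ends with a catch-all default rule


def evaluate_message(parts: List[MimePart], rules: List[MimeRule], settings: ScanSettings,
                     scanner: Scanner) -> str:
    """Pieces handled independently (Full Scan of Entire Mail Message deselected)."""
    verdicts = [evaluate_part(p, rules, settings, scanner) for p in parts]
    return "deny" if "deny" in verdicts else "allow"


def demo_scanner(part: MimePart, settings: ScanSettings) -> str:
    """Constructed stand-in: an attachment whose name starts with "infected" is reported infected."""
    return "infected" if part.filename.startswith("infected") else "clean"


# Default-deny table as the text describes: multipart/mixed allowed, risky extensions denied
# by extension alone, remaining application/* parts virus scanned, everything else denied.
DEFAULT_DENY_RULES = [
    MimeRule("multipart", "mixed", action="Allow"),
    MimeRule("application", "octet-stream", "Custom", frozenset({"exe", "scr"}), "Deny"),
    MimeRule("application", ANY, action="Virus Scan"),
    MimeRule(action="Deny"),  # the default rule, last in the table
]
```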
Configuring the Default filter rule action
The default filter rule is a catch-all rule designed to occupy the last position in your rule table. To modify the default action for the default MIME filtering rule, do the following:
1. Select the default rule in the table and click Modify. The MIME Default Action window appears.
2. Select the appropriate action for this rule and then click OK.
Allow—The default rule is initially configured to allow all messages that do not match other filter rules. If you leave the default rule as an allow rule, you must create filter rules that require virus scanning or explicitly deny any MIME types that you do not want to allow, and place them in front of the default allow rule.
Deny—If you prefer the default rule to deny all data that did not match a filter rule, you must create the appropriate virus scan and allow rules, and place them in front of the default deny rule.
Virus Scan—If you want to perform virus scanning for messages that do not match other allow or deny filter rules, select this option. You will then need to create the appropriate allow and deny rules that will not require scanning.
Creating Citrix Application Defenses
To configure Citrix Application Defenses, in the Admin Console select Policy Configuration -> Application Defenses -> Defenses -> Citrix. The following window appears. (Figure 6-13 displays only the bottom portion of the window.)
Figure 6-13. Application Defenses: Citrix window
Configuring the Citrix Enforcements tab
The Enforcements tab allows you to enable or disable Citrix filtering. You will not be able to configure filtering on the Citrix Filter tab unless the Citrix Filters check box is selected. When this check box is selected, the values you configure in the Citrix Filters tab will be enforced. To disable Citrix filtering, deselect the Citrix Filters check box.
Configuring the Citrix Filters tab
To configure the Citrix Filters tab, select the tab. The following window appears.
Figure 6-14. Citrix Filters tab
About the Citrix Filters tab
The Citrix Filters tab allows you to configure filtering properties for Citrix. To configure filters in Citrix, select the items that you want to deny. Each entry in the list represents a type of application or communication channel supported by Citrix. A check box will appear in front of types that will be denied. Deselect the check boxes for the items you want to allow in Citrix.
To deny all of the types listed, click Select All. To allow everything (no filter restrictions), click Deselect All.
Configuring the Citrix Connections tab
The Citrix Connections tab allows you to configure timeout properties and specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating FTP Application Defenses
To configure FTP Application Defenses, in the Admin Console select Policy Configuration -> Application Defenses -> Defenses -> FTP. The following window appears. (Figure 6-15 displays only the bottom portion of the window.)
Figure 6-15. Application Defenses: FTP Filter window
Configuring the FTP Filter tab
This tab allows you to specify the FTP commands (permits) that you want to allow your users to issue. The available FTP commands, as well as a description of each, are included in the Allowed FTP Permits area.
Select one of the following options:
None—Select this option if you do not want to allow any FTP permits. (None of the check boxes will be selected.)
All—Select this option if you want to allow all of the FTP permits that are displayed. (All of the check boxes will be selected.)
Custom—Select this option if you want to allow only certain FTP permits. To select the FTP permits that will be allowed, click the appropriate check box. A check mark appears in front of commands that are allowed.
Note: If you select None or All and then make modifications to the commands, the Custom option will automatically become selected.
Configuring the FTP Connection tab
The FTP Connection tab allows you to configure timeout and fast path session properties, as well as the type of connection that will be allowed (transparent, non-transparent, or both).
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating IIOP Application Defenses
To configure IIOP Application Defenses, in the Admin Console select Policy Configuration -> Application Defenses -> Defenses -> IIOP. The following window appears. (Figure 6-16 displays only the bottom portion of the window.)
Figure 6-16. Application Defenses: IIOP Filter tab
About the IIOP Filter tab
The IIOP Filter tab allows you to configure the following options:
Allow Bi-directional GIOP—Select this option to enable support for bi-directional 1.2 GIOP (General Inter-ORB Protocol).
Validate Content Format—Select this option to filter the message encapsulated in the GIOP PDU, and verify that the header content, message direction, and message length are valid for the GIOP message type identified in the GIOP header.
Note: The data in the GIOP header portion of the PDU is always validated.
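The header-level checks the Validate Content Format option describes, as an added Python example rather than the IIOP proxy's own code: it decodes the GIOP header, rejects malformed version and flag fields, checks that the message type is legal for the side that sent it (relaxed for GIOP 1.2 when Allow Bi-directional GIOP is on), and compares message_size with the bytes actually present. The message body is not parsed, and the sample PDUs come from the build_pdu helper at the end.

```python
import struct
from dataclasses import dataclass
from typing import List

GIOP_MAGIC = b"GIOP"
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
CLIENT_TO_SERVER = {"Request", "CancelRequest", "LocateRequest"}
SERVER_TO_CLIENT = {"Reply", "LocateReply"}
# CloseConnection is server-to-client before GIOP 1.2; MessageError and Fragment go either way.


@dataclass(frozen=True)
class GiopHeader:
    minor: int
    little_endian: bool
    more_fragments: bool
    message_type: str
    message_size: int


def parse_header(pdu: bytes) -> GiopHeader:
    """Decode the 12-byte GIOP header; raises ValueError when the header itself is malformed."""
    if len(pdu) < 12:
        raise ValueError("PDU shorter than the 12-byte GIOP header")
    magic, major, minor, flags, mtype = struct.unpack(">4sBBBB", pdu[:8])
    if magic != GIOP_MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if major != 1 or minor not in (0, 1, 2):
        raise ValueError(f"unsupported GIOP version {major}.{minor}")
    if minor == 0:
        # GIOP 1.0 carries a boolean byte_order here; no other bits are defined.
        if flags not in (0, 1):
            raise ValueError("GIOP 1.0 byte_order must be 0 or 1")
        little_endian, more = flags == 1, False
    else:
        # GIOP 1.1/1.2 flags: bit 0 byte order, bit 1 more fragments, the rest reserved.
        if flags & 0xFC:
            raise ValueError("reserved flag bits set")
        little_endian, more = bool(flags & 1), bool(flags & 2)
    if mtype not in MESSAGE_TYPES or (mtype == 7 and minor == 0):
        raise ValueError(f"message type {mtype} not valid for GIOP 1.{minor}")
    (size,) = struct.unpack("<I" if little_endian else ">I", pdu[8:12])
    return GiopHeader(minor, little_endian, more, MESSAGE_TYPES[mtype], size)


def validate_pdu(pdu: bytes, from_client: bool, allow_bidirectional: bool = False) -> List[str]:
    """Return the problems found with one complete PDU (an empty list means it passes)."""
    try:
        hdr = parse_header(pdu)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Message direction: with Allow Bi-directional GIOP, a 1.2 connection may carry
    # requests and replies in both directions, so the check is skipped for it.
    if not (allow_bidirectional and hdr.minor == 2):
        if hdr.message_type in CLIENT_TO_SERVER and not from_client:
            problems.append(f"{hdr.message_type} sent by server")
        if hdr.message_type in SERVER_TO_CLIENT and from_client:
            problems.append(f"{hdr.message_type} sent by client")
        if hdr.message_type == "CloseConnection" and from_client and hdr.minor < 2:
            problems.append("CloseConnection sent by client")
    # Message length: message_size counts the bytes that follow the 12-byte header.
    body = len(pdu) - 12
    if hdr.message_size != body:
        problems.append(f"message_size {hdr.message_size} but {body} body bytes present")
    if hdr.message_type == "CloseConnection" and body:
        problems.append("CloseConnection must consist of the header only")
    return problems


def build_pdu(minor: int, message_type: int, body: bytes, little_endian: bool = False) -> bytes:
    """Constructed test PDUs: header fields as given, message_size computed from the body."""
    header = GIOP_MAGIC + bytes([1, minor, int(little_endian), message_type])
    return header + struct.pack("<I" if little_endian else ">I", len(body)) + body
```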
Configuring the IIOP Connection tab
The IIOP Connection tab allows you to configure timeout and fast path session properties, as well as the maximum allowed message size.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Multimedia Application Defenses
To configure Multimedia Application Defenses, in the Admin Console select Policy Configuration -> Application Defenses -> Defenses -> Multimedia. The following window appears. (Figure 6-17 displays only the bottom portion of the window.)
Figure 6-17. Application Defenses: Multimedia
Configuring the Multimedia General tab
This tab allows you to enable the multimedia applications you want to configure. You cannot configure the H.323 Filter or T.120 Filter tabs unless you have selected the appropriate check box on the Multimedia-General tab. The following options are available:
Enforce Permission Checking for H.323—Select this option to enable the H.323 filter. To configure H.323 properties, see “Configuring the H.323 Filter tab” on page 6-36.
Enforce Permission Checking for T120—Select this option to enable the T.120 filter. To configure T.120 properties, see “Configuring the T120 Filter tab” on page 6-38.
Note: For more information on H.323 or T.120, see “T.120 and H.323 proxy considerations” on page 8-22.
Configuring the H.323 Filter tab
This tab allows you to select H.323 codecs you will allow your users to access. You can select from the following options:
Creating Multimedia Application Defenses<br />
Required—Select this option to allow only the codecs required by<br />
H.323 for compliance.<br />
Required + Low Bandwidth Audio—Select this option to allow the<br />
required H.323 codecs as well as low bandwidth options.<br />
Required + All Audio—Select this option to allow all H.323 codecs<br />
except the codecs that allow video.<br />
Required + All Audio + Video—Select this option to allow all available<br />
H.323 codecs.<br />
Custom—Select this option to specify which codecs you want to<br />
allow. To allow a codec, select the appropriate check box. A check<br />
mark appears in the corresponding check box when a codec is<br />
allowed.<br />
Select All—Click this button to select all <strong>of</strong> the H.323 codecs (all<br />
codecs will be selected).<br />
Deselect All—Click this button to deselect all <strong>of</strong> the H.323 codecs<br />
(all codecs will be deselected).<br />
Note: If you select an option other than Custom and then make modifications to the<br />
selected codecs, the Custom option will automatically become selected.<br />
The following list provides examples of codecs commonly used by<br />
Microsoft NetMeeting (bit rates are given in kilobits per second, kbit/s):<br />
G.711—The G.711 codec options transmit audio at 48, 56, or<br />
64 kbit/s. Select this codec for audio that is carried over high-speed<br />
connections.<br />
G.723—The G.723 (G.723.1) codec options determine which format and<br />
algorithm will be used for sending and receiving voice<br />
communications over a network. This codec transmits audio at 5.3<br />
or 6.3 kbit/s, which reduces bandwidth usage.<br />
H.261—The H.261 codec transmits video images at 64 kbit/s<br />
(VHS quality). Select this codec for video that is carried over<br />
high-speed connections.<br />
H.263—The H.263 codec determines which format and algorithm<br />
will be used to send and receive video images over a network.<br />
This codec supports the Common Intermediate Format (CIF),<br />
Quarter CIF (QCIF), and Sub-Quarter CIF (SQCIF) picture formats.<br />
It is also a good match for Internet transmission over low-bit-rate<br />
connections (for example, a 28.8 kbit/s modem).<br />
Configuring the T120 Filter tab<br />
This tab allows you to specify which T.120 services you will allow<br />
your users to access. One of the more common T.120 applications is<br />
Microsoft NetMeeting. You can select from the following options:<br />
Whiteboard (T.126)<br />
File transfer (T.127)<br />
Base application sharing (T.128)<br />
Legacy application sharing (T.128)<br />
Chat (Microsoft specific)<br />
File transfer and application sharing let a remote party move files onto<br />
a user's system or drive its applications, so enable them only where your<br />
policy actually requires them.<br />
Configuring the Multimedia Connection tab<br />
The Multimedia Connections tab allows you to configure timeout<br />
properties for the T.120 and H.323 proxies. To configure the<br />
properties for one of the proxies, either double-click the entry in the<br />
table, or highlight the entry and click Modify. The Connection window<br />
appears.<br />
For information on configuring the Connection window, see<br />
“Configuring connection properties” on page 6-48.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.<br />
Creating Oracle Application Defenses<br />
To configure Oracle Application Defenses, in the Admin Console<br />
select Policy Configuration -> Application Defenses -> Defenses -> Oracle.<br />
The following window appears. (Figure 6-18 displays only the bottom<br />
portion of the window.)
Figure 6-18. Application Defenses: Oracle Enforcements window<br />
Configuring the Enforcements tab<br />
The Enforcements tab allows you to enable or disable Oracle service<br />
name checking. Service name checking allows you to restrict access to<br />
the Oracle database server by specifying which service names will be<br />
explicitly allowed. If service name checking is enabled, only sessions<br />
that match a service name specified in the Service Name (SID) tab will be<br />
allowed. The check is made against the name the client presents in its<br />
connect request: it limits which database instances can be reached<br />
through the proxy, but it does not authenticate the client.<br />
You cannot configure service name checking on the Service Name<br />
(SID) tab unless the Enforce Service Name Checking check box is<br />
selected. When this check box is selected, the values you configure in<br />
the Service Name (SID) tab will be enforced. To disable service name<br />
checking, deselect the Enforce Service Name Checking check box.<br />
Configuring the Service Name (SID) tab<br />
The Service Name (SID) tab allows you to configure which service<br />
names will be allowed access to the Oracle database server. If you do not<br />
specify any service names, service names will not be used in determining<br />
whether a session is allowed or denied.<br />
To configure a service name, click New. See “About the Service Name<br />
(SID): New Service Name window” on page 6-40.<br />
To modify a service name, highlight the service name you want to<br />
modify, and click Modify. See “About the Service Name (SID): New<br />
Service Name window” on page 6-40.<br />
To delete a service name, highlight the service name you want to<br />
delete, and click Delete.<br />
About the Service Name (SID): New Service Name window<br />
The New Service Name window allows you to create or modify a<br />
service name. In the Service Name (SID) field, enter the service name<br />
you want to add or modify and then click OK.<br />
Important: The service name you enter in this field must be an exact match (including<br />
capitalization) of the full service name that is in the Oracle tnsnames.ora file, that is, the<br />
SERVICE_NAME (or SID) in the CONNECT_DATA section of the entry your clients use, in<br />
order for those sessions to be allowed. The use of wildcards or substrings is not supported<br />
at this time.<br />
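To make the exact-match rule concrete, here is an added example in Python; it is not Sidewinder code. It parses the connect descriptor a client builds from its tnsnames.ora entry, takes the SERVICE_NAME or SID from CONNECT_DATA, and checks it against the configured list the way the Important note describes: same string, same case, no substrings. How the proxy itself extracts the name from the TNS connect packet is not described on this page, so that step is an assumption; the descriptors, host names and service names below are constructed for the example.

```python
"""Model of Oracle service name checking. Added example, not Sidewinder code.
The parser handles Oracle's parenthesised keyword-value syntax (the format
of tnsnames.ora and of the descriptor a client sends); the allow decision is
the exact, case-sensitive match the Important note describes."""


def parse_tns(text):
    """Parse '(A=(B=x)(C=y))' into {'A': {'B': 'x', 'C': 'y'}}.
    Keywords are upper-cased (Oracle treats them case-insensitively);
    values are kept exactly as written. Repeated keywords (for example
    several ADDRESS entries) are not needed here and would collide."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                     # nested keyword list
            value = {}
            while True:
                k, v = node()
                value[k] = v
                skip_ws()
                if text[pos] == ")":
                    break
        else:                                    # scalar value up to ')'
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        pos += 1                                 # consume ')'
        return key, value

    key, value = node()
    return {key: value}


def requested_service(descriptor):
    """The name the client asked for: SERVICE_NAME, else SID, else None."""
    connect_data = parse_tns(descriptor).get("DESCRIPTION", {}).get("CONNECT_DATA", {})
    return connect_data.get("SERVICE_NAME") or connect_data.get("SID")


class OracleDefense:
    """Enforcements tab check box plus the Service Name (SID) tab list."""

    def __init__(self, enforce_service_name_checking=True, service_names=()):
        self.enforce = enforce_service_name_checking
        self.service_names = set(service_names)   # exact strings, no wildcards

    def allows(self, descriptor):
        # With checking off, or no names configured, the name plays no part
        # in the decision (the rule's other criteria still apply).
        if not self.enforce or not self.service_names:
            return True
        return requested_service(descriptor) in self.service_names


# Constructed descriptors, as a client built from a tnsnames.ora entry sends them.
SALES = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
         "(CONNECT_DATA=(SERVICE_NAME=sales.example.com)))")
SALES_UPPER = SALES.replace("sales.example.com", "SALES.example.com")
SALES_SHORT = SALES.replace("sales.example.com", "sales")
BY_SID = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
          "(CONNECT_DATA=(SID=ORCL)))")

if __name__ == "__main__":
    defense = OracleDefense(service_names=["sales.example.com"])
    for d in (SALES, SALES_UPPER, SALES_SHORT, BY_SID):
        print(requested_service(d), defense.allows(d))
```

Both `SALES.example.com` and the short alias `sales` are refused when only `sales.example.com` is configured, so the string to enter on the Service Name (SID) tab is the one the client actually sends, not a convenient abbreviation of it.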
Configuring the Oracle Connection tab<br />
The Oracle Connections tab allows you to configure timeout, fast path<br />
session, and connection timeout properties.<br />
Configuring connection properties is common to most Application<br />
Defenses. For information on configuring the Connections tab, see<br />
“Configuring connection properties” on page 6-48.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.
Creating SOCKS Application Defenses<br />
Figure 6-19. Application Defenses: SOCKS5<br />
To configure SOCKS Application Defenses, in the Admin Console<br />
select Policy Configuration -> Application Defenses -> Defenses -> SOCKS.<br />
The following window appears. (Figure 6-19 displays only the bottom<br />
portion <strong>of</strong> the windows.)<br />
Configuring the SOCKS 5 Filter tab<br />
The SOCKS 5 Filter tab allows you to configure the type <strong>of</strong> SOCKS<br />
traffic that will be allowed when using the SOCKS5 proxy. The<br />
following options are available:<br />
Allow TCP SOCKS traffic—Select this option to allow TCP traffic.<br />
Allow UDP SOCKS traffic—Select this option to allow UDP traffic.<br />
Allow Both—Select this option to allow both TCP and UDP traffic.<br />
Enforce SOCKS 4 Filtering—Select this option if you also want to<br />
support SOCKS version 4. (If this check box is not selected, SOCKS 4<br />
traffic will not be passed.) Keep in mind that SOCKS 4 offers no client<br />
authentication beyond a caller-supplied user ID and carries TCP only;<br />
leave it disabled unless a client that cannot speak SOCKS 5 requires it.<br />
Configuring the SOCKS Connections tab<br />
The SOCKS Connections tab allows you to configure timeout<br />
properties, fast path session properties, and which ports will be open<br />
for the SOCKS proxy.<br />
Configuring connection properties is common to most Application<br />
Defenses. For information on configuring the Connections tab, see<br />
“Configuring connection properties” on page 6-48.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.<br />
Creating SNMP Application Defenses<br />
Figure 6-20. SNMP Filter tab<br />
To configure SNMP Application Defenses, in the Admin Console select<br />
Policy Configuration -> Application Defenses -> Defenses -> SNMP. The<br />
following window appears. (Figure 6-20 displays only the bottom<br />
portion of the window.)<br />
Configuring the SNMP Filter tab<br />
This tab allows you to specify the SNMP version you want to<br />
configure. The options that you are allowed to configure within the<br />
subsequent SNMP tabs will vary depending on which option you<br />
select. The following options are available:<br />
Allow SNMP v1 filtering—Select this option to allow SNMP v1 traffic<br />
and configure object ID (OID) filtering. For information on<br />
configuring OID filtering for SNMP v1 traffic, see “Configuring the<br />
SNMP v1 tab” on page 6-43.<br />
Allow SNMP v2c traffic—Select this option to allow SNMP v2c traffic.<br />
OID filtering is not available for SNMP v2c traffic. For information<br />
on configuring connection timeout properties, see “Configuring<br />
connection properties” on page 6-48.<br />
Allow SNMP v1 and v2c traffic—Select this option to allow SNMP v1<br />
and v2c traffic. OID filtering is not available when both SNMP v1<br />
and v2c are allowed. For information on configuring connection<br />
timeout properties, see “Configuring connection properties” on<br />
page 6-48.<br />
Configuring the SNMP v1 tab<br />
This tab allows you to configure Object ID (OID) filtering for SNMP<br />
v1 traffic. Follow the steps below.<br />
Note: Filtering is not available for SNMP v2c. If you selected Allow SNMP v2c Traffic or<br />
Allow SNMP v1 and v2c Traffic on the SNMP Filter tab, you cannot configure any options<br />
on this tab.<br />
1. In the Options area, determine the types <strong>of</strong> requests and events that the<br />
SNMP proxy will filter, as follows:<br />
Allow Read Requests—Select this option to allow the Get and<br />
Get Next requests. (If you select SNMP v2c, this is automatically<br />
allowed.)<br />
Allow Write Requests—Select this option to allow the Set request.<br />
(If you select SNMP v2c, this is automatically allowed.)<br />
Allow Notify Events—Select this option to allow v1 traps. (If you<br />
select SNMP v2c, this is automatically allowed.)<br />
Note: Additional SNMP requests are not supported in SNMP v1.<br />
2. Select the Enable OIDs Filtering check box to configure object IDs (OIDs)<br />
for the SNMP proxy. An OID is the unique, dotted numeric name of a<br />
managed object (a MIB variable or subtree) that a request reads, writes,<br />
or reports on; filtering on OIDs therefore controls which parts of the<br />
management tree can be reached through the proxy, not which devices.<br />
3. In the Actions field, determine whether the list <strong>of</strong> OIDs that you define<br />
will be allowed or denied, as follows:<br />
Allow—Select this option to allow only the OIDs that you specify in<br />
the table. All other OIDs will be denied.<br />
Deny—Select this option to deny only the OIDs that you specify in<br />
the table. All other OIDs will be allowed.<br />
To add an OID to the table, click New. To modify an existing OID, select<br />
that ID and click Modify. The OID Editing window appears. (For<br />
information on configuring a new OID, see “Configuring the SNMP v1:<br />
OID Editing window” on page 6-44.)<br />
Note: To delete an existing OID, select that ID and click Delete. You will be<br />
prompted to confirm your action.<br />
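The options on the SNMP Filter tab, the SNMP v1 tab and the Max PDU field of the Connection tab all act on individual SNMP packets. The following is an added example, not Sidewinder code, that models that filtering in Python: a minimal BER decoder recovers the version, PDU type and varbind OIDs from a message, and a small policy class applies the read/write/notify choices, the Allow/Deny OID list and the Max PDU limit. The packets are constructed for the example; treating a listed OID as a subtree prefix is an assumption, since the page says only that listed OIDs are allowed or denied.

```python
"""Model of the SNMP v1 Application Defense options that act on a packet.
Added example, not Sidewinder code. Matching a listed OID as a subtree
prefix is an assumption; the page only says listed OIDs are allowed or denied."""

# PDU tags from RFC 1157 (context-specific, constructed)
GET, GETNEXT, RESPONSE, SET, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
SNMP_V1, SNMP_V2C = 0, 1


def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos: (tag, contents, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """BER OID contents -> dotted form with a leading dot, e.g. .1.3.6.1.2.1.1.1.0"""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128, high bit = more
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))


def parse_snmp(msg):
    """Return (version, community, pdu_tag, [oids]) for a v1/v2c message."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, version, pos = _tlv(body, 0)
    _, community, pos = _tlv(body, pos)
    pdu_tag, pdu, _ = _tlv(body, pos)
    # Get/GetNext/Set: request-id, error-status, error-index, then varbinds.
    # v1 Trap-PDU: enterprise, agent-addr, generic-trap, specific-trap,
    # time-stamp, then varbinds.
    pos = 0
    for _ in range(5 if pdu_tag == TRAP else 3):
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = _tlv(varbinds, pos)
        _, oid_raw, _ = _tlv(varbind, 0)
        oids.append(_decode_oid(oid_raw))
    return int.from_bytes(version, "big"), community.decode(), pdu_tag, oids


class SnmpV1Defense:
    def __init__(self, allow_read=True, allow_write=False, allow_notify=True,
                 oid_filter=(), oid_action="Allow", max_pdu=535):
        self.allow_read, self.allow_write = allow_read, allow_write
        self.allow_notify = allow_notify
        self.oid_filter = tuple(oid_filter)   # empty = OID filtering disabled
        self.oid_action = oid_action          # "Allow": only listed; "Deny": all but listed
        self.max_pdu = max_pdu                # Connection tab default 535

    def _listed(self, oid):
        return any(oid == p or oid.startswith(p + ".") for p in self.oid_filter)

    def check(self, msg):
        """Return (allowed, reason) for one message."""
        if len(msg) > self.max_pdu:
            return False, "message exceeds Max PDU"
        version, _, pdu_tag, oids = parse_snmp(msg)
        if version != SNMP_V1:
            return False, "only SNMP v1 is allowed by this defense"
        if pdu_tag in (GET, GETNEXT) and not self.allow_read:
            return False, "read requests not allowed"
        if pdu_tag == SET and not self.allow_write:
            return False, "write requests not allowed"
        if pdu_tag == TRAP and not self.allow_notify:
            return False, "traps not allowed"
        for oid in oids if self.oid_filter else ():
            if self.oid_action == "Allow" and not self._listed(oid):
                return False, f"{oid} is not an allowed OID"
            if self.oid_action == "Deny" and self._listed(oid):
                return False, f"{oid} is a denied OID"
        return True, "allowed"


# Constructed packets, hand-encoded BER.
GET_SYSDESCR = bytes.fromhex(   # v1 GetRequest sysDescr.0, community "public"
    "3026" "020100" "04067075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500")
SET_SYSDESCR = bytes.fromhex(   # v1 SetRequest sysDescr.0 = 5, community "private"
    "3028" "020100" "040770726976617465" "a31a" "020101" "020100" "020100"
    "300f" "300d" "06082b06010201010100" "020105")
GET_V2C = bytes.fromhex(        # same GetRequest with the version field set to v2c
    "3026" "020101" "04067075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500")
GET_SCC = bytes.fromhex(        # v1 GetRequest for .1.3.6.1.4.1.1573.1.0
    "3027" "020100" "04067075626c6963" "a01a" "020101" "020100" "020100"
    "300f" "300d" "06092b060104018c250100" "0500")

if __name__ == "__main__":
    defense = SnmpV1Defense(oid_filter=[".1.3.6.1.2.1.1"], oid_action="Allow")
    for packet in (GET_SYSDESCR, GET_SCC, SET_SYSDESCR, GET_V2C):
        print(parse_snmp(packet)[3], defense.check(packet))
```

Running the block prints, for each constructed packet, the OIDs it carries and the decision. Two details are worth noticing: a v2c message is refused outright when the defense is configured for v1 only (the page notes that OID filtering is unavailable for v2c, so allowing v2c gives up this control entirely), and the Max PDU check is applied to the raw message length before anything is parsed.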
Figure 6-21. SNMP v1: OID Editing window<br />
Configuring the SNMP v1: OID Editing window<br />
This window allows you to add a new object ID (OID). You can select<br />
from the list <strong>of</strong> standard OIDs, or you can create your own OID using<br />
the custom option. Follow the steps below.<br />
1. In the OID Options area, determine whether the OID will be Standard<br />
(pre-defined) or Custom (you determine and enter the OID manually) by<br />
selecting the appropriate radio button.<br />
2. [Conditional] If you selected Standard in step 1, select the appropriate<br />
OID from the Standardized OIDs drop-down list.<br />
3. [Conditional] If you selected Custom in step 1, type the OID number in<br />
the Customized OID field using the standard OID structure. The<br />
numbering scheme for each object is determined by the object’s<br />
management information base (MIB) location, as shown in Figure 6-22<br />
below.<br />
For example, the object ID for the SCC node in the private enterprise<br />
portion of the tree would be .1.3.6.1.4.1.1573.<br />
Note: Every object ID in this tree begins with .1.3.6.1 (iso.org.dod.internet). For<br />
assistance on obtaining object IDs, visit the Internet Assigned Numbers Authority Web<br />
site at www.iana.org/assignments/enterprise-numbers or contact the<br />
appropriate vendor.
Figure 6-22. Example of OID numbering scheme<br />
iso .1<br />
  org .3<br />
    dod .6<br />
      internet .1<br />
        mgmt .2<br />
          mib2 .1<br />
            system .1<br />
            interfaces .2<br />
            ip .4<br />
            tcp .6<br />
        private .4<br />
          enterprises .1<br />
            UNIX .4<br />
            scc .1573<br />
4. Click Add or OK to add the OID to the table. Repeat these steps for each<br />
OID you want to add or modify.<br />
5. Click Close to return to the SNMP v1 tab.<br />
Configuring the SNMP Connection tab<br />
The SNMP Connections tab allows you to configure timeout<br />
properties and the maximum protocol data unit (PDU) size.<br />
Configuring connection properties is common to most Application<br />
Defenses. For information on configuring the Connections tab, see<br />
“Configuring connection properties” on page 6-48.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.<br />
Creating Standard Application Defenses<br />
The Standard window allows you to configure timeout and fast-path<br />
properties for proxies that are not listed elsewhere in the Application<br />
Defenses tree. You can also configure transparency properties for the<br />
Telnet proxy. To configure Standard Application Defenses, in the<br />
Admin Console select Policy Configuration -> Application Defenses -><br />
Defenses -> Standard. The following window appears. (Figure 6-23<br />
displays only the bottom portion of the window.)<br />
Figure 6-23. Standard Application Defense: Connections tab<br />
Configuring the Standard Connections tab<br />
To configure connection properties for a standard Application<br />
Defense, select the Application Defense type that you want to<br />
configure from the table, and click Modify. The Connection window<br />
appears. See “Configuring connection properties” on page 6-48 for<br />
information on configuring connection properties.<br />
Note: Click the Save icon to save your changes when you are finished configuring an<br />
Application Defense.<br />
Configuring Application Defense groups<br />
Application Defense groups allow you to select a single Application<br />
Defense from each category within a single group. When you specify<br />
an Application Defense group within a rule, only the Application<br />
Defense(s) that apply to that rule’s services will be implemented in<br />
the rule. Application Defense groups can only be used when<br />
configuring rules that use service groups.<br />
Note: For more information on how Application Defense groups are used in a rule, see<br />
Chapter 4.<br />
To create an Application Defense group, in the Admin Console select<br />
Policy Configuration -> Application Defenses -> Groups. The following<br />
window appears.
Figure 6-24. Application Defense Group window<br />
Configuring the Application Defense groups window<br />
The Application Defense Group window allows you to select a<br />
defense for each category (for example, Web, Secure Web, standard,<br />
etc.) to include in a group. A list <strong>of</strong> which defenses are included in a<br />
group are displayed in the table, with the following information:<br />
Type—This column lists each <strong>of</strong> the Application Defense types<br />
contained.<br />
Name—This column lists the Application Defense that is currently<br />
selected for each category.<br />
Set—This column indicates which Application Defense is currently<br />
selected for configuration.<br />
To select an Application Defense for a particular category, select the<br />
appropriate row in the table. A list <strong>of</strong> available Application Defenses<br />
for that category appear. Select an Application Defense from the list.<br />
The table will be updated to display the new selection as the current<br />
Application Defense for that category. (To add or modify an<br />
Application Defense for a category, highlight the appropriate row and<br />
click New or Modify.)<br />
Configuring connection properties<br />
Figure 6-25. Web Connection tab<br />
You can configure connection properties for most Application<br />
Defenses. For defenses that cover multiple proxies (Multimedia and<br />
Standard), the Connections tab displays a table: select the proxy for<br />
which you want to configure connection properties, and click Modify.<br />
A Connection window appears. For defenses that cover a single proxy<br />
(Web, Secure Web, Citrix, FTP, Oracle, SOCKS5, and SNMP), the<br />
configurable connection properties are displayed directly in the<br />
Connection tab. Figure 6-25 shows the Connection tab for a Web<br />
defense.<br />
To configure the connection properties for an Application Defense,<br />
follow the steps below. The fields that appear will vary depending on<br />
the type <strong>of</strong> Application Defense you are configuring.<br />
1. In the Set Timeouts (in seconds) area, do the following:<br />
a. In the TCP Connect Timeout field, specify the length <strong>of</strong> time, in<br />
seconds, that the proxy should attempt to connect to the server<br />
before the proxy stops trying.<br />
b. In the TCP Idle Timeout field, specify the length <strong>of</strong> time, in seconds,<br />
that the connection can remain idle before it is closed.<br />
c. [SNMP proxy only] In the Request Timeout field, specify the length <strong>of</strong><br />
time, in seconds, that the proxy will wait for a response from an<br />
SNMP agent before the connection times out. (The Get, Get Next,<br />
and Set commands request a response.)
d. In the UDP Idle Timeout field, specify the length of time, in seconds,<br />
that a UDP session can remain idle before it is closed. (UDP has no<br />
connection teardown, so this timer is what ends the session.) This field<br />
is valid for Citrix, SOCKS, and various Standard proxies.<br />
e. To return the values to their default value, click Restore Defaults.<br />
2. [Conditional] If you want to disallow fast path sessions, select the<br />
Disable Fast Path Sessions check box. (In most cases, fast path sessions<br />
enhance system performance.) Fast path sessions are allowed by<br />
default for proxies that support this option. See “Improving<br />
performance using Fast Path Sessions” on page 8-3 for more<br />
information.<br />
Note: This option is disabled by default for the IIOP Application Defense.<br />
3. [Web/Secure Web only] To have the proxy forward requests to an<br />
upstream (non-transparent) proxy instead of directly to the origin server,<br />
select the Send Traffic to Upstream Proxy option, and configure the<br />
following options:<br />
Note: If you allow transparent connections when using this option, the URL will be<br />
rewritten to contain an IP address rather than a hostname. If you allow transparent<br />
connections, you must first ensure that the upstream proxy server will accept an<br />
IP address.<br />
a. In the IP Address field, specify the IP address for the upstream proxy.<br />
b. In the Port field, specify the port on which the upstream proxy listens<br />
(for HTTP proxies this is commonly port 80 or 8080).<br />
4. [Conditional] In the Allowed Connection Types area, determine the type<br />
of traffic that will be allowed for this Application Defense. (This field<br />
appears if you selected Web, Secure Web, Oracle [SQL], or Telnet.) The<br />
following options are available:<br />
Note: The default connection type for Oracle is Transparent. The default for Web,<br />
Secure Web, and Telnet is Both.<br />
Transparent—Select this option to allow transparent connections (the<br />
client addresses the real destination and the proxy intercepts the<br />
session).<br />
Non-Transparent—Select this option to allow non-transparent<br />
connections (the client addresses the firewall itself and names the<br />
destination to the proxy).<br />
Both—Select this option to allow both transparent and non-transparent<br />
connections.<br />
Note: If you are using Non-Transparent or Both, you will need to specify which<br />
destination ports will be allowed through the proxy. See “Configuring connection<br />
ports” on page 6-50.<br />
5. [SNMP only] In the Max PDU field, specify the maximum protocol data<br />
unit (PDU) size that will be allowed. The default is 535. (Valid values are<br />
120–1450.)<br />
Note: You may want to increase this value depending on the type <strong>of</strong> device(s) you<br />
are using. However, keep in mind that some devices cannot handle a larger value.<br />
6. [IIOP only] In the Maximum message size (PDU) field, specify the<br />
maximum protocol data unit (PDU) message size that will be allowed.<br />
The default is 72000.<br />
7. [SOCKS/Web/Secure Web only] To configure ports for a defense, click<br />
New and see “Configuring connection ports” on page 6-50.<br />
8. [Web only] To allow non-transparent, secure Web traffic through the<br />
HTTP proxy, select the Allow non-transparent secure web traffic through<br />
the web (HTTP) proxy check box.<br />
Configuring connection ports<br />
The Edit a Port window allows you to configure a single port or a port<br />
range, or you can select from pre-defined ports for specific proxies by<br />
selecting one <strong>of</strong> the following radio buttons:<br />
Specify a Port—Select this option to specify a single port. In the Port<br />
field, type a port number or use the up and down arrows to<br />
display the desired port.<br />
Specify a Port Range—Select this option to specify a port range. In<br />
the Begin Port and End Port fields, specify the range <strong>of</strong> ports that<br />
this proxy can use (you can either type the port numbers in the<br />
appropriate fields or use the up and down arrows to display the<br />
desired ports).<br />
Use Pre-defined Ports—Select this option if you want to specify the<br />
port(s) or port range(s) that have been pre-defined for this proxy.
CHAPTER 7<br />
Creating Rules and Groups<br />
About this chapter<br />
This is a task-oriented chapter that provides instructions for creating<br />
rules and groups. It also provides instructions for modifying the active<br />
policy rule groups.<br />
Note: For an overview of rules and groups, see Chapter 4.<br />
This chapter covers the following topics:<br />
“Viewing rules and rule groups” on page 7-1<br />
“Creating proxy rules” on page 7-4<br />
“Creating IP Filter rules” on page 7-12<br />
“Creating and managing rule groups” on page 7-19<br />
“Selecting your active policy rules” on page 7-22<br />
Viewing rules and rule groups<br />
To view the existing proxy and IP Filter rules currently available for<br />
use, in the Admin Console select Policy Configuration -> Rules. The<br />
main Rules window appears with the Proxy Rules list displayed by<br />
default.<br />
Figure 7-1. Rules window displaying proxy rules<br />
About the Rules window<br />
The Sidewinder G2 contains two rule tables:<br />
Proxy rules—This table contains all of the proxy rules and groups<br />
that were loaded during initial configuration as well as any rules<br />
that you have created (displayed in Figure 7-1).<br />
IP Filter rules—This table contains all of the IP Filter rules and<br />
groups that have been created.<br />
Each row within a table contains a single rule or group. The<br />
components of each rule are displayed in the labeled columns.<br />
The order of rules in the main rule tables is not important: the rule<br />
tables are holding grounds for the rules you create, which may or may<br />
not be included in the active rule group that enforces your security<br />
policy. What matters is the order of rules and nested rule groups within<br />
the rule groups, because the rules in a group are evaluated in that order.<br />
For information on ordering your rule groups, see “Ordering proxy rules<br />
within a rule group” on page 4-5.<br />
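The following is an added example in Python, not Sidewinder code, that models the two points made above: rules sit in the table but only take effect once placed in the active group, and the order of rules and nested groups inside that group decides the outcome. It also shows how a rule's Application Defense group resolves to one defense per service category, as described under Configuring Application Defense groups. First-match evaluation and an implicit deny when nothing matches are assumptions not stated on the page; SERVICE_GROUPS, SERVICE_CATEGORY, DEFENSES and the rule, group and burb names are constructed.

```python
"""Model of proxy rule evaluation. Added example, not Sidewinder code.
Assumptions not stated on the page: within the active group the first
matching rule decides, and a connection that matches nothing is denied."""
from dataclasses import dataclass, field

# Constructed service group and service-to-category map.
SERVICE_GROUPS = {"web_services": {"HTTP", "HTTPS"}}
SERVICE_CATEGORY = {"HTTP": "Web", "HTTPS": "Secure Web", "Telnet": "Standard"}


@dataclass
class ProxyRule:
    name: str
    service: str                      # a proxy or server name, or a service group
    action: str                       # "Allow" or "Deny"
    src_burb: str
    dst_burb: str
    enabled: bool = True              # Control: Enable / Disable
    disable_inspection: bool = False  # Inspection Off: connection properties only
    defense_group: dict = field(default_factory=dict)  # category -> defense name


@dataclass
class RuleGroup:
    name: str
    members: list = field(default_factory=list)  # rules and nested groups, in order


def flatten(group):
    """In-order walk; a nested group is expanded where it sits in its parent."""
    for member in group.members:
        if isinstance(member, RuleGroup):
            yield from flatten(member)
        else:
            yield member


def matches(rule, service, src_burb, dst_burb):
    services = SERVICE_GROUPS.get(rule.service, {rule.service})
    return (rule.enabled and service in services
            and rule.src_burb == src_burb and rule.dst_burb == dst_burb)


def applied_defense(rule, service):
    """Only the group member for the service's category is implemented;
    with inspection disabled just its connection properties would apply."""
    defense = rule.defense_group.get(SERVICE_CATEGORY.get(service))
    if defense and rule.disable_inspection:
        return defense + " (connection properties only)"
    return defense


def evaluate(active_group, service, src_burb, dst_burb):
    """Return (action, rule name, applied defense) for the first match."""
    for rule in flatten(active_group):
        if matches(rule, service, src_burb, dst_burb):
            return rule.action, rule.name, applied_defense(rule, service)
    return "Deny", None, None


# Constructed rule table; only rules placed in the active group take effect.
DEFENSES = {"Web": "strict_web", "Secure Web": "default_ssl", "Standard": "default"}
ALLOW_WEB = ProxyRule("Allow Web", "web_services", "Allow", "internal", "external",
                      defense_group=DEFENSES)
BLOCK_HTTP = ProxyRule("Block HTTP", "HTTP", "Deny", "internal", "external")
ALLOW_TELNET = ProxyRule("Allow Telnet", "Telnet", "Allow", "internal", "external")

# Same two rules, different order inside the active group.
ACTIVE_WEB_FIRST = RuleGroup("policy", [RuleGroup("web", [ALLOW_WEB]), BLOCK_HTTP])
ACTIVE_BLOCK_FIRST = RuleGroup("policy", [BLOCK_HTTP, RuleGroup("web", [ALLOW_WEB])])

if __name__ == "__main__":
    for group in (ACTIVE_WEB_FIRST, ACTIVE_BLOCK_FIRST):
        print(group.name, [r.name for r in flatten(group)],
              evaluate(group, "HTTP", "internal", "external"))
    # ALLOW_TELNET exists in the table but is in neither group: Telnet is denied.
    print(evaluate(ACTIVE_WEB_FIRST, "Telnet", "internal", "external"))
```

With the same two rules, HTTP is allowed when the nested web group comes first and denied when Block HTTP comes first, which is the ordering point of the paragraph above; the Telnet rule, present in the table but in neither group, never participates.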
You can perform the following tasks in the Rules window:<br />
View proxy or IP Filter rules and groups—To view a rule table, click the<br />
appropriate radio button (Proxy Rules or IP Filter Rules) in the View<br />
Option field. You can resize the columns to suit your needs by<br />
clicking and dragging the edge <strong>of</strong> a column heading. (Use the<br />
scroll bars to view all columns and entries listed in the table.)<br />
Note: If you view the proxy rule table, an Inspection column will appear in front <strong>of</strong><br />
the Name column. A status <strong>of</strong> On indicates that all <strong>of</strong> the Application Defense<br />
properties will be actively enforced for a rule. A status <strong>of</strong> Off indicates that only the<br />
connection properties portion <strong>of</strong> the defense will be enforced for that rule.<br />
Filter the table to display rules or groups—To filter the table to display<br />
only rules or only groups, select Rules or Groups from the Filter<br />
drop-down list. (To display both rules and groups, select No Filter.)<br />
Add/modify a rule—To add a new rule, select the appropriate rule<br />
view (Proxy or IP Filter) using the View Option and then click New<br />
-> Rule. (To modify a rule, highlight the entry and click Modify.)<br />
— To add/modify a new proxy rule, see “Creating proxy rules”<br />
on page 7-4.<br />
— To add/modify a new IP Filter rule, see “Creating IP Filter<br />
rules” on page 7-12.<br />
Add/modify a group—To add a new rule group, select the<br />
appropriate rule view (Proxy or IP Filter) using the View Option and<br />
then click New -> Group. For information on adding or modifying a<br />
rule group, see “Creating and managing rule groups” on page 7-19.<br />
(To modify a rule group, highlight the entry and click Modify.)<br />
Delete a rule or group—To delete a rule or group, highlight the entry<br />
you want to delete and click Delete. You cannot delete rules or<br />
rule groups that are part <strong>of</strong> a group.<br />
View the groups to which a rule or group belongs—To determine which<br />
groups a rule or group belongs to, highlight the entry and click the<br />
Members Of button. An information window appears listing the<br />
groups to which the rule or group belongs.<br />
Duplicate an existing rule or rule group—To duplicate a rule or group,<br />
highlight the rule or group you want to duplicate and click<br />
Duplicate. The Duplicate Rule Name window appears.<br />
About the Duplicate Rule Name window<br />
In the Duplicate Rule Name window, do the following:<br />
1. In the Name field, type a unique name for the duplicate rule or group.<br />
Valid values include alphanumeric characters, periods (.), dashes (-),<br />
underscores (_), and spaces ( ). However, the first and last character of<br />
the name must be alphanumeric. The name cannot exceed 100<br />
characters.<br />
2. [Conditional] If you are creating a duplicate IP Filter rule of type Other,<br />
select a protocol for the new rule from the Protocol drop-down list. (The<br />
protocol does not need to be the same protocol used by the original<br />
rule.)<br />
3. Click Add.<br />
Creating proxy rules<br />
Figure 7-1. Proxy Rule window: General tab<br />
This section provides information on creating proxy rules.<br />
Note: For an overview of proxy rules, see Chapter 4.<br />
To create a proxy rule, using the Admin Console select<br />
Policy Configuration -> Rules. Then click New -> Proxy Rule. The Proxy<br />
Rule window appears. (To modify a proxy rule, highlight the rule you<br />
want to modify and click Modify.)<br />
Important: Proxy rules that you create will not be part <strong>of</strong> the active policy unless you<br />
place them in a rule group that is part <strong>of</strong> the active policy. For information on adding a<br />
proxy to a rule group and ensuring that it is included in the active policy, see “Creating and<br />
managing rule groups” on page 7-19 and “Selecting your active policy rules” on page 7-22.
Entering information on the Proxy Rule General tab<br />
The General tab in the Proxy Rule window is used to enter basic<br />
information about a proxy rule. Follow the steps below.<br />
1. In the Name field, type a name that helps identify the purpose of the<br />
rule. For example, the pre-configured rule that allows synchronization<br />
between systems is called “Synchronization.” Valid values include<br />
alphanumeric characters, periods (.), dashes (-), underscores (_), and<br />
spaces ( ). However, the first and last character of the name must be<br />
alphanumeric. The name cannot exceed 100 characters.<br />
2. In the Service Type drop-down list, select one <strong>of</strong> the following:<br />
Note: The Service Type field determines the options that are available to you in the<br />
Service field in step 3.<br />
All—This option includes both proxies and servers. It does NOT<br />
include service groups.<br />
Proxy—This option includes proxies only.<br />
Server—This option includes servers only.<br />
Service Group—This option includes service groups only. For<br />
information on service groups, see “Service groups” on page 4-12.<br />
3. In the Service drop-down list, select the type <strong>of</strong> network service this rule<br />
is allowing or denying. (The options that are displayed in this list are<br />
determined by the option you selected in the previous step.)<br />
4. In the Action drop-down list, select Allow to allow the service or Deny to<br />
deny the service when a match occurs.<br />
5. In the Control drop-down list, select Enable to enable the rule or Disable<br />
to disable the rule. This allows you to disable a rule, if necessary, without<br />
deleting it. Rules that are disabled will appear grayed out in the main<br />
Rule window.<br />
6. In the Audit Level drop-down list, select one <strong>of</strong> the following audit<br />
options for this rule:<br />
Errors Only—Select this option to generate only error audit events<br />
for this rule. If you select this option, normal traffic will not be<br />
logged. (This option increases performance and reduces the size<br />
<strong>of</strong> audit logs.)<br />
Traffic—Select this option to generate both normal traffic and<br />
error audit events for this rule.<br />
Informational—Select this option to generate error audit events,<br />
normal traffic, and informational audit events for this rule.<br />
7. [Optional] In the Description field, enter any useful information for this<br />
rule (for example, a brief description <strong>of</strong> the rule).<br />
8. [Optional] If you want to temporarily disable the Application Defense associated with this rule, select the Disable Defense Inspection check box. Selecting this check box will temporarily disable all Application Defense settings other than connection properties (timeout and fastpath settings).
Note: This option will be grayed out if there is no Application Defense associated with the rule.

Entering source and destination information
Figure 7-2. Proxy Rule: Source/Dest tab
The Source/Dest tab is used to enter source and destination restrictions for a proxy rule. Follow the steps below.
1. In the Source Burb drop-down list, select the source burb associated with this rule.
2. In the Destination Burb drop-down list, select the destination burb associated with this rule.
Note: When defining inbound address redirection for a rule, you should select the Internet (external) burb for both the Source Burb and the Destination Burb fields unless you are redirecting internally, or if you are redirecting inbound to another internal address.
3. In the Source list that is displayed, select the source object to use for this rule. (If needed, you can use the Show drop-down list to filter the list to display only one type of object.)
Note: If you need to create a network object for this rule, see step 5 below.
4. In the Destination list that is displayed, select the destination object to use for this rule. (If needed, you can use the Show drop-down list to filter the list to display only one type of object.)
Note: If you need to create a network object for this rule, see step 5 below.
5. [Optional] To create a network object for this rule, do the following:
   a. Click New. You will be prompted to select the type of object you want to create.
   b. Select the type of network object you want to create and click OK. The New Network Object window appears.
   c. Create the network object. When you click Add, you are returned to the Source/Dest tab in the Proxy Rule window.
Note: For information on creating a Network Object, see “Creating network objects” on page 5-10.
6. [Conditional] In the NAT Address drop-down list, select the object (IP address or host) that will replace the original source address when it is translated.
Note: If you selected a netmap in the Source field, the appropriate NAT properties are automatically supplied based on the mapping configured for each IP address or subnet in that netmap. For more information on netmaps, see “Netmap network objects” on page 4-10.
Note: Do not set the NAT Address to localhost if you are using a virtual burb as your destination burb.
7. [Conditional] In the Redirect Host drop-down list, select the host or IP address to which the original destination will be redirected.
Note: If you selected a netmap in the Destination field, the appropriate redirection properties are automatically supplied based on the mapping configured for each IP address and subnet in that netmap. For more information on netmaps, see “Netmap network objects” on page 4-10.
8. [Conditional] In the Redirect Port field, type the port number to which the connection will be redirected.
Entering authentication information
Figure 7-3. Proxy Rule: Authentication tab
The Authentication tab is used to enter authentication information for this rule.
Note: The following proxies can use authentication: FTP, nt_FTP, HTTP, HTTPS, SOCKS, Telnet, and nt_Telnet. The following servers can use authentication: cobra, console, Telnet, sshd, SSO, and WebProxy.
1. Select one of the following options:
   Do not require Authentication—Select this option if you do not want to require authentication for this rule.
   Authentication using SSO (Single Sign On)—Select this option if you want to allow SSO cached authentication for this rule. (If the SSO server has not been configured, you will not be able to select this option. See “Configuring SSO” on page 9-27.)
   Authenticate using selected Authentication Methods—Select this option to require authentication for this rule. If you select this option, you will need to specify the types of authentication that will be allowed for this rule by selecting the appropriate check boxes in the Authentication Methods area. (Only methods that have been configured and enabled will be available for selection. For information on authentication methods, see “Supported authentication methods” on page 9-5.)
2. [Optional] If more than one authentication method is selected, you may specify a default method from the Default Method drop-down list. This is the authentication method that will be used by the Sidewinder G2 if the user does not specify an authentication method during login.
Important: The Default Method field is NOT used for administrative purposes (such as logging in to the Admin Console). The default administration authentication method is defined in the Firewall Administration -> Firewall Accounts window.
3. [Conditional] In the Authorization area, select one of the following options:
   Allow all successfully authenticated users—Select this option if you want to allow all users who successfully authenticate.
   Allow only users in the selected Sidewinder User Group—Select this option if you want to allow only users who belong to a particular group to use the service(s) specified within the rule. By default All Users are authenticated.
   [Conditional] Allow only users in the selected External Authorization Role—This option is active only if SafeWord or LDAP is selected and enabled. Selecting this option is similar to assigning a user group to a proxy rule, except the group (or role in this case) is defined within an external authentication program such as SafeWord PremierAccess or LDAP/Active Directory. This relieves you from having to maintain a second instance of the group (role) on the Sidewinder G2.
Note: For additional information on configuring authentication for services, see “Setting up authentication for services” on page 9-30.

Entering information on the Time tab
Figure 7-4. Proxy Rule: Time tab
This tab allows you to determine the days and times a proxy rule is enabled. You can also specify whether a proxy rule is temporary and will expire after a specific period of time. Follow the steps below.
1. In the Times/Days field, specify when to allow or deny the service(s) defined for this proxy rule. The format is fairly flexible. You must enter a day of the week (or a range of days), followed by a time range (be sure to either use military time OR include am or pm after each hour). You may abbreviate the day, but do not use periods. You can include multiple entries as long as they are separated by a comma and a space. The following are examples of valid entries:
   Mon-Fri 8am-5pm
   Monday-Tuesday 8am-5pm, Friday noon-Sunday 8am
   Thur 1200-1500, Sat 1800
   8:00am-10:00pm Mon-Thur, 8:30am-5:30pm Fri
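Because the syntax is loose, a misread entry silently enables a rule at the wrong hours, so it is worth parsing an entry and checking which wall-clock times it covers before committing the rule. The following is an added example, not Secure Computing's code or the firewall's own parser: it handles the day (or day range) plus time range forms shown above, in either order and with military or am/pm times, rejects the cross-day form “Friday noon-Sunday 8am” and the bare-time form “Sat 1800”, and assumes half-open time ranges and week wrap-around for a reversed day range.

```python
"""Parser for the Times/Days syntax of the proxy rule Time tab.

Added example; not Secure Computing's code. Handles entries of the form
"<day or day range> <time range>" in either order, for example
"Mon-Fri 8am-5pm", "Thur 1200-1500" and "8:00am-10:00pm Mon-Thur".
Cross-day entries ("Friday noon-Sunday 8am") and bare-time entries
("Sat 1800") are rejected with ValueError.
"""
import re
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]
TIME_RE = re.compile(r"^(\d{1,2})(?::(\d{2}))?(am|pm)$")


def parse_day(token):
    """Full or abbreviated day name (no periods) -> 0..6, Monday = 0."""
    t = token.lower()
    if not t.isalpha() or len(t) < 3:
        raise ValueError("bad day: %r" % token)
    hits = [i for i, name in enumerate(DAYS) if name.startswith(t)]
    if len(hits) != 1:
        raise ValueError("unknown day: %r" % token)
    return hits[0]


def parse_time(token):
    """'8am', '8:30pm', '1500' or 'noon' -> minutes after midnight."""
    t = token.lower()
    if t == "noon":
        return 12 * 60
    if t.isdigit() and len(t) == 4:              # military time, e.g. 1500
        hh, mm = int(t[:2]), int(t[2:])
    else:                                        # am/pm form, minutes optional
        m = TIME_RE.match(t)
        if not m or not 1 <= int(m.group(1)) <= 12:
            raise ValueError("bad time: %r" % token)
        hh = int(m.group(1)) % 12 + (12 if m.group(3) == "pm" else 0)
        mm = int(m.group(2) or 0)
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError("bad time: %r" % token)
    return hh * 60 + mm


def parse_range(spec, parse_one):
    """'a-b' -> (parse_one(a), parse_one(b)); a bare day 'a' -> (a, a)."""
    parts = spec.split("-")
    if len(parts) == 1 and parse_one is parse_day:
        d = parse_day(parts[0])
        return d, d
    if len(parts) != 2:
        raise ValueError("bad range: %r" % spec)
    return parse_one(parts[0]), parse_one(parts[1])


def parse_entry(entry):
    """One entry -> (first_day, last_day, start_minute, end_minute)."""
    tokens = entry.split()
    if len(tokens) != 2:
        raise ValueError("unsupported entry: %r" % entry)
    for day_tok, time_tok in ((tokens[0], tokens[1]), (tokens[1], tokens[0])):
        try:
            first, last = parse_range(day_tok, parse_day)
        except ValueError:
            continue                             # this token is not the day part
        start, end = parse_range(time_tok, parse_time)
        return first, last, start, end
    raise ValueError("unsupported entry: %r" % entry)


def parse_schedule(text):
    """Whole Times/Days field; entries are separated by a comma and a space."""
    return [parse_entry(e) for e in text.split(", ")]


def active_at(schedule, when):
    """True if the rule is enabled at datetime 'when'.

    Assumptions: time ranges are half-open [start, end), and a reversed
    day range such as Fri-Mon wraps around the week.
    """
    day, minute = when.weekday(), when.hour * 60 + when.minute
    for first, last, start, end in schedule:
        if first <= last:
            in_days = first <= day <= last
        else:
            in_days = day >= first or day <= last
        if in_days and start <= minute < end:
            return True
    return False


def active_at_iso(schedule, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return active_at(schedule, datetime.fromisoformat(iso_timestamp))
```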
2. In the Rule Time To Live field, you can configure a proxy rule to be temporary (that is, to expire after a specified time period). Select one of the following three options:
   No Expiration—Select this option if you do NOT want the proxy rule to be temporary (that is, it will NOT expire). This is the default value.
   Offset—Select this option to specify a period of time that must elapse, starting from the creation date of the rule, before the proxy rule will expire (for example, two days, one week, three years). When you select this option, the Disable Rule In field appears. Select a time period from the drop-down list (Days, Hours, Minutes, Months, Seconds, Weeks, or Years) and then specify the appropriate number in the text box.
   Date/Time—Select this option to specify an exact date and time when the proxy rule will expire. When you select this option, additional fields appear. In the Month, Day, and Year drop-down lists, specify the date that you want the rule to expire. In the Time drop-down lists, specify the exact time you want the rule to expire.
Entering Application Defense rule information
Figure 7-5. Proxy Rule: Application Defense tab
The Application Defense tab is used to determine which Application Defense (or group, if you selected Service Group in the Service Type field) will be used by a rule. Select one of the following options:
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt Web Traffic option enabled must have redirection configured.
   Use the default Application Defense/Group—Select this option to use the current default Application Defense group. The current default Application Defense that will be used is displayed next to this option. Ensure that this is the correct Application Defense Group for this rule.
   Select an Application Defense/Group—Select this option to select the Application Defense (or group, if you selected a service group in the Service Type field) that you want to apply to this rule. Only Application Defenses that are applicable to the type of rule you are creating will appear in the table. For example, if you are creating an HTTP rule, you will only see Web Application Defenses in the table. To view the properties for a particular defense, select the appropriate table row and click View.
   To create a new Application Defense for this rule, click New. To modify one of the existing Application Defenses, highlight the appropriate table row and click Modify. (If you want to create a new defense based on an existing defense, highlight the defense and click Duplicate.) For information on creating or modifying an Application Defense, see Chapter 6.
   To view the other areas where an Application Defense is used, highlight that defense and click Usage.
Important: If the defense you want to modify is currently being used by other rules, you will receive a pop-up window listing the areas where this defense is used and asking you whether you want to continue modifying the defense. Click Yes to modify the defense, or click No to return to the Application Defense tab without modifying the defense.

Creating IP Filter rules
This section provides information on creating IP Filter rules. To create an IP Filter rule, follow the steps below.
Note: For overview information on IP Filter rules, see Chapter 4.
Important: IP Filter rules that you create will not be active until you place them in a rule group that is part of the active IP Filter rules. For information on adding an IP Filter rule to a rule group and ensuring that it is included in the active IP Filter rules, see “Creating and managing rule groups” on page 7-19 and “Selecting your active policy rules” on page 7-22.
1. Using the Admin Console, select Policy Configuration -> Rules. The Rules window appears.
2. In the View Option field, select IP Filter Rules. The Rules window appears with the IP Filter rules table displayed.
3. Click New -> IP Filter Rule and then select the type of IP Filter rule you want to create:
   TCP—Select this option to create an IP Filter rule specifically for the TCP protocol.
   UDP—Select this option to create an IP Filter rule specifically for the UDP protocol.
   ICMP—Select this option to create an IP Filter rule specifically for the ICMP protocol.
   Other—Select this option to create an IP Filter rule for protocols other than TCP, UDP, and ICMP (such as AH).
Note: To modify an IP Filter rule, highlight the rule you want to modify, and click Modify.
The IP Filter Rules window appears with the Rule tab displayed.
Entering information on the Rule tab
Figure 7-6. IP Filter Rules window
To configure the Rule tab for an IP Filter rule, follow the steps below.
1. In the Name field, specify a name for the rule. Valid values include alphanumeric characters, period (.), underscore (_), or hyphen (-). The name cannot exceed 100 characters.
2. In the Protocol field, select the protocol type for the rule you are creating. (If you selected TCP, UDP, or ICMP as the rule type, the Protocol field will be automatically filled in for you.) To create an IP Filter rule for a protocol that is not listed in the drop-down list, manually type the protocol number in the Protocol field.
3. In the Action field, specify the action that should occur when a packet matches this rule:
   Allow—The packet will be translated or redirected, as defined in the Source/Dest tab, and will then continue regular kernel-level processing.
   Deny—The packet will be rejected without further filtering.
4. In the Control field, select Enable to enable the rule or Disable to disable the rule. This allows you to temporarily disable a rule, if necessary, without deleting it. Rules that are disabled will appear grayed out in the main Rule window.
5. In the Audit Level field, select the type of audit you want performed when a packet matches this rule:
   None—No audit information will be recorded for this rule.
   Informational—Select this option to generate errors, normal traffic, and informational audit events for this rule.
   Traffic—Select this option to generate normal traffic and error audit events for this rule.
   Errors Only—Select this option to generate only error audit events for this rule. If you select this option, normal traffic will not be logged. (This option increases performance and reduces the size of audit logs.)
6. [Conditional] If you selected Informational for the audit level, in the Audit Threshold field, specify the number of packets that will be allowed by this rule before an audit record is generated. To disable auditing for this IP Filter rule, set the value to zero (0).
7. [Optional] In the Description field, enter any useful information about this IP Filter rule (for example, a brief description of the rule).
8. To configure the source and destination information for this IP Filter rule, select the Source/Dest tab. The following window appears.

About the IP Filter Source/Dest tab
Figure 7-7. IP Filter Rules Source/Dest tab
The Source/Dest tab is used to specify the source and destination information, as well as NAT and redirection, for this IP Filter rule. Follow the steps below.
1. In the Direction field, specify which address can initiate a session by selecting one of the following options:
   Uni-directional: This option allows traffic to initiate only from the source address.
   Bi-directional: If stateful inspection is enabled for this rule, this option allows traffic initiation from either source or destination addresses.
Note: NAT and redirection are not allowed for bi-directional rules with stateful inspection enabled.
2. In the Source Burb drop-down list, select the burb through which the Sidewinder G2 should route to get to the source IP address.
3. In the Destination Burb drop-down list, select the burb through which the Sidewinder G2 should route to get to the destination IP address.
4. In the Source Show drop-down list, select the type of network object or group to use as the source object.
5. In the Source list that is displayed, select the source object to use for this rule.
Note: If you need to create a network object for this rule, see step 8 below.
6. In the Destination Show drop-down list, select the type of network object or group to use as the destination object.
7. In the Destination list that is displayed, select the destination object to use for this rule.
Note: If you need to create a network object for this rule, see step 8 below.
8. [Optional] To create a network object for the source or destination, do the following:
   a. Click New. You will be prompted to select the type of object you want to create.
   b. Select the type of network object you want to create. The New Network Object window appears.
   c. Create the network object. When you click Add, you are returned to the Source/Dest tab in the IP Filter Rule window.
Note: For information on creating a Network Object, see “Creating network objects” on page 5-10.
9. (TCP/UDP only) In the Source Port Range field, specify the range of ports (inclusive) in which connections are allowed to be made to or initiated from the corresponding address. Valid port ranges are 1–65535. To specify “any port” leave the field blank.
10. (TCP/UDP only) In the Destination Port Range field, specify the range of ports (inclusive) in which connections are allowed to be made to or initiated from the corresponding address. Valid port ranges are 1–65535. To specify “any port” leave the field blank.
11. In the NAT Mode drop-down list, select one of the following options:
Note: NAT and redirection are not allowed for bi-directional rules with stateful inspection enabled.
   None—This option will disable NAT for this rule.
   Normal—All packets that match this rule will be translated as follows: the source address will be translated to the associated NAT address, and the source port will be translated to a port within the NAT port range.
   Source Port—All packets that match this rule will be translated as follows: the source address will be translated to the associated NAT address. The source port will not be translated.
Note: The Source Port option can only be selected for TCP/UDP rules that have stateful inspection enabled.
12. In the NAT Address drop-down list, select the object (IP address, host, or subnet) that will replace the original source address when it is translated. (To filter the type of objects that appear in the list, select an option from the Show drop-down list.)
Important: If you selected Source Port NAT in the previous step, you must specify an alias IP address or a subnet that contains at least one alias IP address as the NAT Address. If you specify an interface IP address or subnet that does not contain an alias IP address, this rule will not pass traffic and audit will be generated.
13. In the Redirection Mode field, select one of the following options:
   None—Select this option if you do not want to enable redirection.
   Normal—Select this option to enable redirection.
14. In the Redirect Host drop-down list, select the IP address or subnet to which the original destination should be redirected. (To filter the type of objects that appear in the list, select an option from the Show drop-down list.)
15. To configure the days and times that the IP Filter rule is enabled, select the Time tab. The following window appears. (See
About the IP Filter Time tab
Figure 7-8. IP Filter Time tab
This tab allows you to determine whether an IP Filter rule is temporary and will expire after a specific period of time. Follow the steps below.
1. In the Rule Time To Live area, specify whether this rule will expire (become disabled). Select one of the following three options:
   No Expiration—Select this option if you do NOT want the rule to expire. This is the default value.
   Offset—Select this option to specify a period of time that must elapse, starting from the creation date of the rule, before the rule will expire (for example, two days, one week, three years). When you select this option, the Disable Rule In field appears. Select a time period from the drop-down list (Seconds, Minutes, Hours, Days, Weeks, Months, or Years) and then specify the appropriate number in the text box.
   Date/Time—Select this option to specify an exact date and time when the rule will expire. When you select this option, additional fields appear. In the Month, Day, and Year drop-down lists, specify the date that you want the rule to expire. In the Time drop-down lists, specify the exact time you want the rule to expire.
2. To configure advanced configuration information for this IP Filter rule, select the Advanced tab. The following window appears. (See “About the TCP/UDP IP Filter Advanced tab” below.)
Note: The Advanced tab is not available if you selected Other as the IP Filter rule type.
About the TCP/UDP IP Filter Advanced tab
Figure 7-9. IP Filter Advanced tab
The IP Filter Advanced tab for TCP/UDP rules allows you to configure timeout information, stateful inspection, and control and error responses for TCP or UDP packets. Follow the steps below.
Note: Stateful Packet Inspection is not currently supported for ICMP IP Filter rules in IPv4.
1. To enable stateful inspection for this rule, select the Stateful Packet Inspection check box. You will not be able to configure other fields in this tab without this option selected. To disable stateful packet inspection, deselect the Stateful Packet Inspection check box.
2. [TCP only] In the Connection Timeout field, specify the amount of time (in seconds) that a TCP session will wait for a connection to be established once it is started. Valid values are 1–65535. (The minimum value is one second.)
3. In the Idle Timeout field, specify the amount of time (in seconds) that a session will remain open when there is no new traffic within an established session. Valid values are 1–65535. (The minimum value is one second.)
4. [TCP only] In the Limit Connection Rate area, you can limit the number of connections that will be allowed per second by selecting Yes and entering the number of connections that you want allowed per second in the Rate field. Valid values are 0–1000000000. To disable connection rate limitations, select No.
5. [UDP only] In the Limit Packet Rate area, you can limit the number of packets that will be allowed per second in either direction by selecting Yes and entering the number of packets that you want allowed per second in the Rate field. Valid values are 0–1000000000. To disable packet rate limitations, select No.
6. [Conditional] In the Stateful Session Failover field, select Yes to enable stateful session sharing, or select No to disable stateful session sharing. This field can only be modified if you are connected to an HA cluster. (For more information on stateful session sharing, see “Sharing IP Filter sessions in an HA cluster” on page 4-36.)
7. In the Allowed Control and Error Responses area, select the response types that you want to allow for this rule by selecting the check box next to each response type you want to allow. A check mark will appear next to response types that are selected. To deselect a response type, click the check box to clear it.
8. Click Add to save your changes, or click Cancel to reset the fields to the values that were previously entered.

Creating and managing rule groups
This section provides information on creating and managing your rule groups. The process for creating and managing proxy groups and IP Filter groups is essentially the same.
Creating a rule group
To create a rule group, follow the steps below.
1. Using the Admin Console, select Policy Configuration -> Rules. The Rules window appears.
2. Select one of the following options in the View Option field:
   To create a proxy rule group, select Proxy Rules. A list of existing proxy rules and groups appears.
   To create an IP Filter group, select IP Filter Rules. A list of existing IP Filter rules and groups appears.
3. Click New and select Proxy Group or IP Filter Group, as appropriate. A New Rule Group window appears prompting you to enter a name for the new group.
4. Enter a name that will help you identify the purpose of the rule group. For example, a default proxy rule group called Administration contains all of the rules associated with basic Sidewinder G2 administration.
Note: The InternetServices rule group is automatically created during initial Sidewinder G2 configuration. However, the group is only active if you selected Internet Services during your initial Sidewinder G2 configuration.
5. Click Add to add the rule group. An empty rule group with the name you specified will appear in the appropriate rule table.
6. To add rules and nested rule groups to the rule group you created, see “Managing rules and nested groups within a rule group” below.
Managing rules and nested groups within a rule group
When you create a new rule group, it will remain empty until you populate it with rules and/or groups. To add or remove rules and groups in an existing rule group, follow the steps below.
Note: The process is essentially the same regardless of whether you are managing a proxy rule group or an IP Filter rule group.
1. Using the Admin Console, select Policy Configuration -> Rules. The Rules window appears.
2. Select one of the following options in the View Option field:
   To modify a proxy rule group, select Proxy Rules. A list of existing proxy rules and groups appears.
   To modify an IP Filter group, select IP Filter Rules. A list of existing IP Filter rules and groups appears.
3. Double-click the rule group that you want to modify. (You can also highlight the rule group you want to modify and click Modify.) A Modify Groups window appears.
About the Modify Groups window
Figure 7-10. Modify Groups window
This window allows you to determine which rules and nested groups will be included in a particular rule group. It also allows you to determine the order in which you organize those rules and nested groups. The order of rules and nested groups within a rule group is very important. (For information on organizing your rule groups, see “Ordering proxy rules within a rule group” on page 4-5.)
The Available Rules and Groups table contains a list of the rules and groups that are available to add to this rule group. The Assigned Rules and Groups table contains a list of the rules and groups that are currently assigned to this rule group. You can perform the following actions within the Rule Group window:
   Add a rule or nested group to the selected rule group—To add a rule or nested group to a rule group, double-click the entry that you want to add in the Available Rules and Groups table (or highlight the entry and click the down arrow icon). The rule or group will be placed in the Assigned Rules and Groups table.
   Remove a rule or rule group from the selected rule group—To remove a rule or group from a rule group, double-click the entry in the Assigned Rules and Groups table (or highlight the entry and click the up arrow icon). The rule or group will be removed from the Assigned Rules and Groups table and placed in the Available Rules and Groups table.
   Organize the assigned rules and groups within the selected rule group—To organize the rules and groups in the Assigned Rules and Groups table, click and drag each entry to the desired location. For information on organizing your rule groups, see “Ordering proxy rules within a rule group” on page 4-5.
   Edit the description for a rule group—To edit the description for a rule group, place your cursor in the Description field and add or modify the text as needed.
   Save the changes you made to the rule group—To save your changes, click OK.

Selecting your active policy rules
When you select rule groups in the Active Rules window (one for proxy rules and one for IP Filter rules), they will begin actively filtering traffic coming into and leaving the Sidewinder G2.
When you initially configure your Sidewinder G2, a default rule group is automatically assigned as your active policy (the rules contained in those groups will vary depending on the choices you made in the Configuration Wizard). All rules and groups that you have created that are not part of the active rules (that is, rules that are not included in the active group, or in a rule group that is nested in the active group) will remain inactive unless you add them to the active rule group or to a group that is part of the active rule group.
You can modify your existing active rule group to add or delete rules and/or nested rule groups as your security needs change. You can also re-organize the rule group entries as needed. For a more detailed overview of the active rules and how they work, see Chapter 4.
Viewing the active policy<br />
To view the active rules currently configured for your <strong>Sidewinder</strong> <strong>G2</strong>,<br />
using the Admin Console select Policy Configuration -> Rules and then<br />
click View Active Policy. The Active Rules window appears.
Figure 7-11. Active Rules window
About the Active Rules window
This window allows you to view the active rules currently in use on your Sidewinder G2. The active rules listed in each table consist of all of the rules (including both individual rules and rules included in nested groups) and determine the order in which traffic is processed. Which rules appear in each table is determined by the rule group that is displayed in the Active Group field.
In this window, you can perform the following actions:
Select a new active rule group—To select a new active rule group that will enforce traffic coming into and leaving the Sidewinder G2, see “Modifying the active rule groups” on page 7-24. (The window is similar for IP Filter and Proxy rule groups.)
View the IP Filter properties—To view the properties configured for the IP Filter rules contained in the active IP Filter group, click the IP Filter Properties button. The IP Filter General Rule Properties window appears. See “About the IP Filter General Properties window” on page 7-25.
Determine which group a rule belongs to—Rules that are part of a nested rule group have a folder icon next to their name.
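The ordering behaviour described above (every rule from the active group and from the groups nested in it, in table order, with the first matching rule deciding a connection) is easier to reason about in code. The following Python model is an added example written for this section; it is not Sidewinder G2 code. The Rule and RuleGroup fields, the constructed sample policy, the burb names and the first-match evaluation are assumptions made for illustration, and the cycle check is an added safeguard rather than documented product behaviour.

```python
"""Flatten nested rule groups into the ordered list of active rules.

Added example (not Sidewinder G2 code): models what the Active Rules
window shows, i.e. individual rules plus rules from nested groups, in the
order traffic will be matched against them.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    proxy: str         # proxy the rule governs, e.g. "telnet", "http"
    src_burb: str      # burb the connection comes from (assumed field name)
    dst_burb: str      # burb the connection goes to (assumed field name)


@dataclass
class RuleGroup:
    name: str
    entries: list = field(default_factory=list)   # Rule or RuleGroup, in table order


def flatten(group, _stack=None):
    """Depth-first walk returning [(rule, owning_group_name), ...].

    A rule inside a nested group is reported with that group's name (the
    window marks such rules with a folder icon). A group that contains
    itself, directly or through another group, raises instead of looping.
    """
    stack = list(_stack or [])
    if group.name in stack:
        raise ValueError("rule group cycle: " + " -> ".join(stack + [group.name]))
    stack.append(group.name)
    out = []
    for entry in group.entries:
        if isinstance(entry, RuleGroup):
            out.extend(flatten(entry, stack))
        else:
            out.append((entry, group.name))
    return out


def has_cycle(group):
    """True when a group nests itself somewhere below it."""
    try:
        flatten(group)
        return False
    except ValueError:
        return True


def first_match(active_group, proxy, src_burb, dst_burb):
    """First active rule matching the connection, or None.

    Order comes entirely from the flattened list: a narrow "deny" placed
    after a broader "allow" never fires, which is exactly the ordering
    the Rule Group window's drag-and-drop is there to control.
    """
    for rule, _ in flatten(active_group):
        if (rule.proxy, rule.src_burb, rule.dst_burb) == (proxy, src_burb, dst_burb):
            return rule
    return None


def active_rule_order(group):
    """Names of the active rules in processing order (what the window lists)."""
    return [rule.name for rule, _ in flatten(group)]


def rule_owner(group, rule_name):
    """Group a rule belongs to, as the folder icon indicates."""
    for rule, owner in flatten(group):
        if rule.name == rule_name:
            return owner
    return None


# Constructed sample policy: a nested web group inside the active group.
WEB = RuleGroup("web_rules", [
    Rule("deny_http_to_dmz", "deny", "http", "internal", "dmz"),
    Rule("allow_http_out", "allow", "http", "internal", "external"),
])
ACTIVE = RuleGroup("default_policy", [
    Rule("allow_telnet_out", "allow", "telnet", "internal", "external"),
    WEB,
    Rule("deny_all_telnet_in", "deny", "telnet", "external", "internal"),
])

if __name__ == "__main__":
    for name in active_rule_order(ACTIVE):
        print(name, "(in", rule_owner(ACTIVE, name) + ")")
```

Swapping the two entries inside `web_rules` in the sample changes nothing for the deny rule here because its destination burb differs, but if both rules matched the same connection the later one would be unreachable; running `active_rule_order` after every edit is a cheap way to review the effective order before setting a group active.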
Figure 7-12. Rule Group Select window
Modifying the active rule groups
To modify the active rule groups that are currently enforcing your policy, in the Admin Console select Policy Configuration -> Rules and then click View Active Policy. Click the appropriate Set button (IP Filter or Proxy). The Rule Group Select window appears.
About the Rule Group Select window
This window allows you to select a new active policy for either IP Filter or proxy rules. Before you select a new rule group to enforce your security policy, ensure that the rule group you are specifying contains all of the necessary rules and rule groups in the correct order. When you select a new rule group in this window and save your changes, the rules contained in that rule group are loaded into the Sidewinder G2 and begin enforcing your policy.
To select a new rule group, click the rule group that you want to use to enforce your security policy and click OK. The new rules are loaded into the kernel, which uses them to enforce your policy.
Figure 7-13. IP Filter General Properties window
Viewing and modifying general IP Filter properties
There are a number of IP Filter properties that affect all active IP Filter rules. To view or modify these properties, in the Admin Console select Policy Configuration -> Rules and then click View Active Policy -> IP Filter Properties. The IP Filter General Properties window appears.
About the IP Filter General Properties window
The IP Filter General Properties window allows you to specify basic properties that apply to all IP Filter rules contained in the IP Filter portion of the active policy. Follow the steps below.
1. In the Maximum TCP Sessions field, specify the maximum number of TCP sessions allowed to use the IP Filter at one time. Valid values are 0–1000000.
2. In the Maximum UDP Sessions field, specify the maximum number of UDP sessions allowed to use the IP Filter at one time. Valid values are 0–1000000.
3. In the Start of reserved ports field, specify the starting port that IP Filter will reserve for its own use. Valid values are 1024–65533. The default is 38000.
4. In the Number of ports reserved for ipfilter field, specify the number of ports IP Filter will reserve for its own use. Valid values are 1–64509. The default is 200.
5. Click OK to save your changes, or click Cancel to reset the fields to the values that were previously entered.
CHAPTER 8
Configuring Proxies
About this chapter
This chapter describes the various TCP- and UDP-based proxies on Sidewinder G2. It also explains how to configure proxies to control communication between systems on opposite sides of the Sidewinder G2. This chapter covers the following topics:
“Proxy basics” on page 8-1
“Redirected proxy connections” on page 8-5
“Standard Sidewinder G2 proxies” on page 8-9
“Transparent & non-transparent proxies” on page 8-14
“Notes on selected proxy configurations” on page 8-15
“Configuring proxies” on page 8-28
“Setting up a new proxy” on page 8-31
Proxy basics
A proxy is a program that controls communication between clients on one side of a Sidewinder G2 and servers on the other side. That is, an application client and application server on opposite sides of a Sidewinder G2 do not communicate directly. Instead, the client and server both “talk” to a proxy, which forwards the data back and forth.
Network applications are typically accessed using one of two lower-level communication protocols: TCP or UDP. TCP is a connection-based protocol that guarantees data is delivered in order and ensures address and data integrity. UDP is a connectionless service that delivers data with minimum overhead.
The Sidewinder G2 provides pre-defined TCP-based proxies for a variety of Internet applications including Web, Telnet, FTP, and many others. The Sidewinder G2 also supports proxies for routing UDP transmissions for applications based on protocols such as SNMP and NTP.
Important: There is a security risk involved with using UDP proxies. Unlike TCP, UDP does not ensure address integrity. This makes it possible for an attacker to forge the source address for some dubious purpose.
A proxy is not a server on your Sidewinder G2. Rather, a proxy controls access to a server on the other side of your Sidewinder G2. Also, a proxy can only access the kind of server that it represents. For example, as shown in Figure 8-1, a Telnet proxy can access only Telnet servers; it cannot access a Web Proxy server (or any other kind of server).
Figure 8-1. Example Sidewinder G2 proxy connection (diagram): a Telnet client on the internal network connects to the Telnet proxy on the Sidewinder G2, which connects to the Telnet server on the external network.
Proxies can control connections between any two Type Enforced network areas, regardless of whether the areas are internal or external. The rules that you define in the active proxy rule group (see Chapter 4) determine how the networks connected to the Sidewinder G2 are allowed to communicate. The most common proxy directions, internal burb-to-external burb and external burb-to-internal burb, are explained below.
internal burb-to-external burb
The proxy connections you configure on the Sidewinder G2 will typically be outbound (internal-to-external) connections. All data packets traveling out through your Sidewinder G2 appear to come from the external address of your Sidewinder G2. That is, the address of the network in the internal burb is not seen in the packet information on the external burb.
external burb-to-internal burb
A proxy can also be set up for inbound (external-to-internal) connections. In general, inbound proxies are not desirable for security reasons (see the "Important" note below). There are, however, certain configuration options you can use, such as encryption, authentication, and address or port redirection, that make an inbound proxy more secure. (These options are covered in more detail later in this chapter.)
Important: Network attacks using “sniffer” programs to steal users’ accounts and passwords are becoming more frequent on the Internet. To prevent such intrusions, you should use a strong authentication method (such as those described in Chapter 9) that prevents an attacker from gaining account information. However, attackers can still use sniffers to compromise your data. By encrypting your network transmissions and using proxy redirection, you can provide further defense against network attacks (Strong Cryptography is a premium feature).
Configuring advanced proxy parameters on a per-rule basis using Application Defenses
The Proxy window allows you to configure the basic proxy properties and enable them in the appropriate burbs. Proxy rules allow you to determine whether proxy access will be allowed or denied and under what conditions. By adding Application Defenses to your rules, you can specify advanced, application-specific proxy properties (such as MIME/anti-virus filtering, SSL decryption, and timeout properties) on a per-rule basis. For information on configuring Application Defenses and rules for proxies, see Chapter 6 and Chapter 7.
Improving performance using Fast Path Sessions
The Sidewinder G2 supports a Fast Path Sessions option that improves system performance by lessening the load placed on the system kernel when passing proxy data through the Sidewinder G2. Performance is improved on the Sidewinder G2 when the Fast Path Sessions option is enabled for protocols that use many small packets, such as Telnet.
The Fast Path Sessions option is configured in the Application Defenses windows in the Connections area. Application Defenses can be configured in advance and added to rules later, or they can be created directly within a rule. For information on configuring Fast Path Sessions options, see “Configuring connection properties” on page 6-48.
When to disable the Fast Path Sessions option
In most cases, the Fast Path Sessions option enhances system performance, and in many of these cases the improvement is significant. However, there are some cases where the Fast Path Sessions option may negatively affect performance. Large data transfers on heavily loaded systems, primarily FTP or HTTP traffic, can overload a system. The Sidewinder G2 will also "throttle" these connections under very heavy load conditions to prevent them from taking over the system.
Proxy session limits
There is an upper limit to the number of simultaneous sessions for certain proxy configurations. Table 8-1 provides a summary of hard limits based on per-process resource limits.
Table 8-1. Proxy session limits (hard limits)
Proxy            Session Limits
FTP              4000 sessions
t120             1000 sessions
all other TCP    8000 sessions (see note 1)
UDP              The number of ports plus two times the number of sessions must not exceed 16,000. (The maximum number of enabled ports for all services on all burbs must not exceed 8000.)
1. A maximum of 16 Telnet sessions are allowed in the "enter destination" or "authentication" stage.
Tip: Session limits for each proxy can be lowered from the hard limits by editing the simultaneous_sessions entry in the configuration file (*.conf) for each proxy.
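A capacity review against Table 8-1 is simple enough to script, and doing so catches a lowered simultaneous_sessions value that was mistakenly raised above the hard limit, or a UDP port count that leaves no room for the expected sessions. The following Python check is an added example, not Sidewinder G2 code: the limits are those stated in Table 8-1, the per-proxy session values are constructed stand-ins for the simultaneous_sessions entries (the *.conf file format is not parsed here), and the UDP figures are assumed to be supplied by the administrator.

```python
"""Capacity check against the Table 8-1 hard limits.

Added example, not Sidewinder G2 code. The proxy names, configured
session counts and UDP figures below are constructed for illustration.
"""

# Hard per-process limits from Table 8-1 (sessions per proxy).
TCP_HARD_LIMITS = {"ftp": 4000, "t120": 1000}
DEFAULT_TCP_HARD_LIMIT = 8000        # "all other TCP"
UDP_PORT_SESSION_BUDGET = 16000      # ports + 2 * sessions must not exceed this
MAX_ENABLED_UDP_PORTS = 8000         # enabled ports, all services, all burbs


def tcp_hard_limit(proxy):
    """Hard session limit for a TCP proxy, by name (case-insensitive)."""
    return TCP_HARD_LIMITS.get(proxy.lower(), DEFAULT_TCP_HARD_LIMIT)


def check_tcp_proxy(proxy, configured_sessions):
    """Problems with one proxy's simultaneous_sessions value (empty list if fine)."""
    problems = []
    limit = tcp_hard_limit(proxy)
    if configured_sessions < 1:
        problems.append(f"{proxy}: simultaneous_sessions must be at least 1")
    elif configured_sessions > limit:
        problems.append(f"{proxy}: {configured_sessions} sessions exceeds the hard limit of {limit}")
    return problems


def check_udp_capacity(enabled_ports, udp_sessions):
    """Apply the two UDP constraints from Table 8-1.

    enabled_ports: number of UDP ports enabled for all services on all burbs.
    udp_sessions:  simultaneous UDP sessions the site expects to carry.
    """
    problems = []
    if enabled_ports > MAX_ENABLED_UDP_PORTS:
        problems.append(f"udp: {enabled_ports} enabled ports exceeds {MAX_ENABLED_UDP_PORTS}")
    budget = enabled_ports + 2 * udp_sessions
    if budget > UDP_PORT_SESSION_BUDGET:
        problems.append(f"udp: ports + 2*sessions = {budget} exceeds {UDP_PORT_SESSION_BUDGET}")
    return problems


def max_udp_sessions(enabled_ports):
    """Largest UDP session count that still fits the port/session budget."""
    if enabled_ports > MAX_ENABLED_UDP_PORTS:
        return 0
    return (UDP_PORT_SESSION_BUDGET - enabled_ports) // 2


def audit(tcp_config, enabled_udp_ports, udp_sessions):
    """All problems found for a set of TCP proxies plus the UDP figures."""
    problems = []
    for proxy, sessions in tcp_config.items():
        problems.extend(check_tcp_proxy(proxy, sessions))
    problems.extend(check_udp_capacity(enabled_udp_ports, udp_sessions))
    return problems


# Constructed sample: per-proxy simultaneous_sessions values as an
# administrator might have set them (two of them exceed the hard limits).
SAMPLE_TCP_CONFIG = {"ftp": 4000, "t120": 1500, "http": 6000, "telnet": 9000}

if __name__ == "__main__":
    for problem in audit(SAMPLE_TCP_CONFIG, enabled_udp_ports=500, udp_sessions=8000):
        print(problem)
```

The UDP budget is the non-obvious one: with 500 enabled ports the site can carry at most 7750 UDP sessions, and asking for 8000 is over the line even though both numbers look small on their own.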
Configuring multiple instances of certain proxies
Certain proxies (HTTP, HTTPS, generic TCP, and SQL) can be configured to enable multiple instances of the same proxy in order to spread the traffic across the multiple instances. This is useful for hardware configurations with multiple CPUs or sites that have experienced problems due to an exceedingly large number of concurrent connections through one of those proxies. A single proxy instance for any of these proxies can handle up to 8000 sessions (a session consists of two connections for most protocols), which is more than adequate for most sites. However, if your site is consistently recording concurrent sessions that hover around the 8000 range (or if you have experienced problems because the number of connection attempts is significantly higher) for any of these proxies, you may need to enable additional instances for that proxy.
To monitor the number of concurrent connections for any of the proxies listed above, in the Admin Console select Reports & Monitoring -> Firewall Monitoring. (You will be required to log in a second time to view the Firewall Monitoring application.) The lower right portion of the Firewall Monitoring window contains a section titled Proxy Traffic. In that portion of the window, you will see a list of all proxies and servers that are currently running, with the current number of connections that exist for each proxy.
For information on configuring the HTTP, HTTPS, or SQL proxy to enable multiple instances, see “Configuring proxy properties” on page 8-28.
Redirected proxy connections
For typical Sidewinder G2 operation, proxies are configured to permit connections from the internal network to the Internet. However, there may be circumstances in which you want to allow an external client access to hosts within your internal network (behind the Sidewinder G2). For example, you may want to provide access to an internal Telnet server, or you may want a server inside your internal network to be able to receive news feeds from an Internet news feeder.
You can set up proxy rules to redirect a connection between an external client and the external side of the Sidewinder G2 to a system inside your network. This rerouted connection to the internal host system hides the actual destination from the system requesting the connection. You can configure Sidewinder G2 proxy rules to translate connection requests to different addresses or to different ports within the internal network.
The address or port translation provided by redirection is usually needed when enabling proxying from the external network to the internal network. The following section provides examples of both address and port redirection as supported by the Sidewinder G2.
Important: All proxies pose a security risk. As with any external-to-internal proxy, while you can guarantee the integrity of the Sidewinder G2, you cannot guarantee the integrity of the system to which an external user will have access. For the rare occasion where you configure an inbound proxy, you should always use a strong authentication method.
Address redirection
If you need to configure a proxy that allows access to the internal network, but do not want to provide routes to the internal network, you will need to configure the Sidewinder G2 for address redirection. Address redirection is implemented in the Source/Dest tab of the Rule window on a per-rule basis. See Chapter 7 for information on configuring address redirection.
In the configuration shown in Figure 8-2, suppose you want to allow any host on the Internet to Telnet to host 172.25.5.5 on the internal network.
Figure 8-2. Address redirection for inbound proxy (diagram): a Telnet client at 192.55.214.25 on the external network connects to the Sidewinder G2 external address 192.55.214.24. The Sidewinder G2 proxy redirects (remaps) the Telnet session to the Telnet server at address 172.25.5.5 on the internal network, but the address is concealed from the external network. The client can access the internal server, but must use the Sidewinder G2 external address in the Telnet request.
With redirection configured, the connection is proxied to an address that is different from the original destination address. In Figure 8-2, a connection request from Internet address 192.55.214.25 is proxied to the external side of the Sidewinder G2 (192.55.214.24). The proxy then redirects the connection to 172.25.5.5 and proxies the session to the internal host. From the external system’s point of view, the destination is 192.55.214.24, when in fact the destination is really 172.25.5.5.
Address redirection can also be applied to solve more complicated problems. Suppose you want to allow inbound Telnet connections to three different hosts on your internal network. If you configure your router to route multiple addresses to the Sidewinder G2, it can then accept the connections and proxy them through to hosts on the internal network. Redirected proxy connections provide the address translation between IP addresses which are valid and routed on the Internet and private IP addresses on the corporate network. So if you want to redirect all incoming connections to one of three hosts, then you must reserve three IP addresses for your Sidewinder G2, or use netmaps. (For information on using netmaps, see “Network objects” on page 4-9.)
Note: To avoid using multiple Sidewinder G2 addresses in this scenario, you could set up port redirection rather than address redirection (described in the following section).
Figure 8-3. Port redirection for inbound proxy
Port redirection
If you need to work around site-specific idiosyncrasies or to obscure the existence of a proxy for a given service, you can use port redirection. While such obscurity does not lessen the vulnerability resulting from something like an inbound Telnet proxy, it does reduce the number of attacks because the casual attacker might not notice it. Also, the attacker must take more conspicuous actions, like port scanning, to find the entry point. This makes it more likely that the administrator will notice the attack. Port redirection is implemented in the Source/Dest tab of the Rule window on a per-rule basis. See Chapter 7 for information on configuring port redirection.
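The argument above is that a non-standard entry port forces an attacker into conspicuous behaviour, but that only helps if someone is actually looking for it. The following Python sketch is an added example, not Sidewinder G2 code, of the kind of check an administrator could run over connection records: it flags a source that touches many distinct ports on the firewall within a short window, and then reports which of those ports it was eventually allowed through. The record format and the sample records are constructed for the example and are not the Sidewinder G2 audit format; the window and port-count thresholds are assumptions to tune per site.

```python
"""Spot the port-scanning behaviour that port redirection makes necessary.

Added example, not Sidewinder G2 code. Records are constructed
(timestamp_seconds, source_ip, dest_port, outcome) tuples; the real
audit format differs and is not parsed here.
"""
from collections import defaultdict

# Constructed records: one legitimate user of the hidenet port (5111) and
# one source that walks several ports before finding it.
SAMPLE_CONNECTIONS = [
    (0, "192.55.214.25", 5111, "allow"),
    (1, "203.0.113.7", 21, "deny"),
    (2, "203.0.113.7", 22, "deny"),
    (2, "203.0.113.7", 23, "deny"),
    (3, "203.0.113.7", 25, "deny"),
    (3, "203.0.113.7", 80, "deny"),
    (4, "203.0.113.7", 443, "deny"),
    (5, "203.0.113.7", 5111, "allow"),
    (60, "192.55.214.25", 5111, "allow"),
]


def scan_suspects(records, window=30, min_ports=5):
    """Sources that touched at least min_ports distinct ports within any window.

    Returns {source_ip: sorted ports in the first qualifying window}.
    Sliding the window per source keeps a slow, steady legitimate user
    (one port, many connections) out of the result.
    """
    by_src = defaultdict(list)
    for ts, src, port, _ in sorted(records):
        by_src[src].append((ts, port))
    suspects = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports)
                break
    return suspects


def found_entry_points(records, suspects):
    """Ports a flagged source was actually allowed through, per source.

    These are the redirected entry ports the scan revealed, so they are
    the rules to review first (authentication, source restrictions).
    """
    out = defaultdict(set)
    for _, src, port, outcome in records:
        if src in suspects and outcome == "allow":
            out[src].add(port)
    return {src: sorted(ports) for src, ports in out.items()}


if __name__ == "__main__":
    flagged = scan_suspects(SAMPLE_CONNECTIONS)
    print("scanners:", flagged)
    print("entry points they reached:", found_entry_points(SAMPLE_CONNECTIONS, flagged))
```

The threshold of five distinct ports in thirty seconds is deliberately low for the tiny sample; on a busy external interface it would be raised, and denied connections to ports with no proxy at all are the strongest signal, since a legitimate client has no reason to try them.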
As an example, in Figure 8-3, suppose you want to configure a new proxy for an internal host that will provide Telnet service and accept external connections. In this configuration, a proxy connection arrives from the external network and connects to the external side of the Sidewinder G2. The connection arrives on the port named “hidenet” (port 5111). When this connection comes in, it is proxied to the internal network, similar to how an address redirection is handled.
Figure 8-3 (diagram): a client at 172.16.4.4 on the external network Telnets to port 5111 (hidenet) on the Sidewinder G2 at 192.55.214.24. The proxy redirects (remaps) the Telnet session to port 23 on the Telnet server 192.55.4.4 on the internal network, but the port is concealed from the external network.
The difference here is that the client on the external network connects to port 5111 (hidenet) on the Sidewinder G2, and the Sidewinder G2 connects the client to port 23 (the standard Telnet port) on host 192.55.4.4 in the internal network. This permits an inbound Telnet connection to a host with a private IP address and does so on a port number that is not well-known for this service. This discourages so-called ‘‘door-knob rattlers.”
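Both redirection cases in this section, the address redirection of Figure 8-2 and the port redirection of Figure 8-3, follow the same pattern: the client addresses only the Sidewinder G2 external address and the proxy opens the real internal connection on its behalf. The following Python model is an added example, not Sidewinder G2 code; it uses the addresses and ports from the two figures, but the ProxyRule fields, the listen/redirect matching and the strong_auth flag are assumptions made for illustration rather than the product's rule format.

```python
"""Model of inbound proxy rules with address and port redirection.

Added example, not Sidewinder G2 code. Addresses and ports come from
Figures 8-2 and 8-3; the rule structure and matching are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    address: str
    port: int


@dataclass(frozen=True)
class ProxyRule:
    name: str
    proxy: str               # proxy carrying the session, e.g. "telnet"
    src_burb: str
    dst_burb: str
    listen: Endpoint         # address:port the client connects to on the Sidewinder G2
    redirect_to: Endpoint    # where the proxy actually connects on the inside
    strong_auth: bool = True # the guide says inbound proxies should always require it


FIREWALL_EXTERNAL = "192.55.214.24"

# The two rules the figures describe (constructed from those figures):
# Figure 8-2 keeps the standard port and changes the address; Figure 8-3
# additionally exposes the service on the non-standard "hidenet" port.
RULES = [
    ProxyRule("telnet_in_addr_redirect", "telnet", "external", "internal",
              Endpoint(FIREWALL_EXTERNAL, 23), Endpoint("172.25.5.5", 23)),
    ProxyRule("telnet_in_hidenet", "telnet", "external", "internal",
              Endpoint(FIREWALL_EXTERNAL, 5111), Endpoint("192.55.4.4", 23)),
]


def match_rule(rules, requested):
    """First rule whose listening endpoint equals what the client asked for."""
    for rule in rules:
        if rule.listen == requested:
            return rule
    return None


def proxy_inbound(rules, client, requested):
    """Describe the two legs of a redirected proxy session.

    Returns None when no rule listens on the requested endpoint (including
    any attempt to address an internal host directly, for which there is no
    route). Otherwise returns what the client sees (always the Sidewinder
    G2) and the concealed destination the proxy opens on its behalf.
    """
    rule = match_rule(rules, requested)
    if rule is None:
        return None
    return {
        "rule": rule.name,
        "proxy": rule.proxy,
        "client": client,
        "client_sees": requested,            # never the internal address or port
        "proxy_connects_to": rule.redirect_to,
        "requires_strong_auth": rule.strong_auth,
    }


def exposed_ports(rules):
    """Ports reachable on the external address: what a scanner could find."""
    return sorted({r.listen.port for r in rules if r.listen.address == FIREWALL_EXTERNAL})


if __name__ == "__main__":
    # Figure 8-2: client 192.55.214.25 Telnets to the firewall's external address.
    print(proxy_inbound(RULES, Endpoint("192.55.214.25", 40000), Endpoint(FIREWALL_EXTERNAL, 23)))
    # Figure 8-3: client 172.16.4.4 Telnets to port 5111 on the firewall.
    print(proxy_inbound(RULES, Endpoint("172.16.4.4", 40001), Endpoint(FIREWALL_EXTERNAL, 5111)))
```

The `exposed_ports` helper makes the port-redirection trade-off explicit: obscurity only removes the service from the well-known port, and the Important note about strong authentication applies to both rules equally.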
Standard Sidewinder G2 proxies
The Sidewinder G2 provides a variety of pre-defined proxies to control connections to popular Internet services using the standard port numbers for those services (see /etc/services for a list of recognized protocols). Table 8-2 shows an alphabetical listing of the proxies that are preconfigured and can be quickly enabled using the Admin Console. To set up other proxies, see “Using other proxies on the Sidewinder G2” on page 8-13.
During system installation, if you selected Standard Internet services, the proxies listed in bold are automatically enabled for internal network-to-external network, and corresponding proxy rules are added to the default active rule group.
Table 8-2. Proxies initially configured on the Sidewinder G2
Proxy Name      Type and Port        Description
aol             TCP 5190             Allows America Online (AOL) members in your network to run their AOL client software and connect directly to America Online through the Sidewinder G2.
changepw-form   TCP 1999             Allows users to change their network login password for Web, Telnet, and FTP sessions.
dns             DNS 53               Enables DNS query traffic and DNS zone file transfers to cross burb boundaries.
finger          TCP 79               Enables the UNIX finger command to be used across burb boundaries.
ftp             TCP 21               Allows users on one side of the Sidewinder G2 transparent access to FTP (File Transfer Protocol) servers on the other side of the Sidewinder G2.
gopher          TCP 70               Allows internal users to use a Gopher client to access information on Internet Gopher servers.
h.323           TCP/UDP 1720         Allows users to use audio and video features for H.323 applications such as Microsoft’s NetMeeting application. See “T.120 and H.323 proxy considerations” on page 8-22.
http            TCP 80               Allows internal users to use a Web client, such as Netscape or Internet Explorer, to access Web sites on the Internet via transparent or non-transparent connections. See Chapter 12 for more information.
https           TCP 443              Allows Secure Socket Layer (SSL) encrypted connections to Web servers such as the Netscape Commerce Server (optional). For Web software that supports SSL, such as Netscape’s browser and the Commerce Server, this proxy permits a more secure Web connection. This proxy can be configured to handle decryption.
ica             TCP 1494, UDP 1604   Allows users to locate and connect to a Citrix server farm within a private address space. Note: If you are using Citrix XML Service, to locate the master browser you will need to enable the HTTP proxy on the port that the Citrix server is configured to use. Note: For information on using the altaddr feature on your Citrix server farm, refer to your Citrix documentation.
ident           TCP 113              Allows users to use the UNIX ident command.
iiop            TCP 683              The Internet Inter-ORB Protocol (IIOP) is the wire protocol used by CORBA (Common Object Request Broker Architecture) applications to interoperate in a heterogeneous network environment. The IIOP proxy allows the Sidewinder G2 administrator to exercise control over the dialogue between the CORBA applications. Note: For more information on CORBA, refer to www.omg.org.
imap            TCP 143              Allows use of the Internet Message Access Protocol to access e-mail from a local server.
irc             TCP 6667             Allows your users to chat with other users via the Internet Relay Chat protocol.
ldap            TCP 389              Allows the LDAP protocol through the Sidewinder G2.
lotus           TCP 1352             Allows use of Lotus Notes applications across burb boundaries.
msn             TCP 569              Allows Microsoft network members in your network to run their MSN client software and connect directly to MSN through the Sidewinder G2.
mssql           TCP 1433             Generic Microsoft SQL proxy.
netbios-tcp     TCP 139              Generic netbios TCP proxy.
netbios-udp     UDP 137, 138         Generic netbios UDP proxy.
nntp            TCP 119              Allows your internal users to access Usenet News received at your site and post information to newsgroups. See “Usenet News proxy configurations” on page 8-19 later in this chapter for information on Usenet News proxy configurations.
nt_ftp          TCP 21               Allows users on one side of the Sidewinder G2 non-transparent access to FTP (File Transfer Protocol) servers on the other side of the Sidewinder G2. See “Transparent & non-transparent proxies” on page 8-14 for the difference between transparent and non-transparent proxies.
nt_telnet       TCP 23               Allows users on one side of your Sidewinder G2 non-transparent access to Telnet servers on the other side of your Sidewinder G2. See “Transparent & non-transparent proxies” on page 8-14 for the difference between transparent and non-transparent proxies.
ntp             UDP 123              Allows you to send/receive Network Time Protocol (NTP) time feeds.
ping            ICMP (na)            Relays ICMP ECHO (ping) requests and ICMP ECHO-REPLY messages through the Sidewinder G2.
pop             TCP 110              Allows connections to Post Office Protocol (POP) remote mail servers.
printer         TCP 515              Allows use of the UNIX lpr command.
RealMedia       TCP/UDP 7070         Allows the Sidewinder G2 to proxy audio and video data packet connections.
rlogin          TCP 513              Allows users on one side of your Sidewinder G2 access to rlogin servers on the other side of the Sidewinder G2.
rsh             TCP 514              Supports rcp and rsh.
rtsp            TCP/UDP 554          Supports Real Media Player and Quick Time Multimedia Player protocols.
smtp            TCP 25               Allows Simple Mail Transfer Protocol traffic to be sent across burb boundaries. (This proxy is automatically enabled if you selected transparent SMTP service during configuration.)
snmp            UDP 161-162          Supports remote management using the SNMP protocol. Note: The SNMP proxy must be enabled in both the source and destination burb.
socks5          TCP 1080             Supports the SOCKS5 protocol.
sql             TCP 1521             Allows Structured Query Language database lookup requests across burb boundaries.
ssh             TCP 22               Allows use of the UNIX Secure Shell command, which provides secure access to remote systems.
streamworks     TCP 1558             Supports Streamworks streaming audio and video.
sunrpc          TCP/UDP 111          Relays requests from an RPC client through the Sidewinder G2 to a remote server.
sybase          TCP 4000             Generic Sybase SQL proxy.
syslog          UDP 514              Generic UNIX syslog protocol.
t120            TCP 1503             Allows users to use T.120 applications such as Microsoft’s NetMeeting application. See “T.120 and H.323 proxy considerations” on page 8-22.
telnet          TCP 23               Allows users on one side of your Sidewinder G2 transparent access to Telnet servers on the other side of your Sidewinder G2.
wais            TCP 210              Allows users on your network with WAIS client software connections to a database service called WAIS.
whois           TCP 43               Allows users to send the UNIX whois command from a terminal. whois looks up records in the Network Information Center.
wins            UDP 42               Supports Microsoft Windows Network Services.
Xscreen0        TCP 6000
X500            TCP 103
Using other proxies on the <strong>Sidewinder</strong> <strong>G2</strong><br />
Standard <strong>Sidewinder</strong> <strong>G2</strong> proxies<br />
Allows UNIX-based X Windows sessions to pass through the <strong>Sidewinder</strong><br />
<strong>G2</strong>. For instance, an X Windows process running on one terminal could<br />
send screen output through the <strong>Sidewinder</strong> <strong>G2</strong> to another window at a<br />
different terminal.<br />
Note: While redirecting X Windows is a common practice at larger UNIX sites<br />
with X Windows environments, X Windows is NOT a secure application. Using this<br />
proxy strictly for sending X Windows traffic through the <strong>Sidewinder</strong> <strong>G2</strong> is not<br />
recommended for most sites. However, if the <strong>Sidewinder</strong> <strong>G2</strong> has been configured<br />
as a <strong>Sidewinder</strong> <strong>G2</strong> between two networks, both <strong>of</strong> which are within your<br />
organization (sometimes called “inter-walling”), the Xscreen0 proxy might not<br />
pose serious security hazards. This depends on the nature <strong>of</strong> the site’s two<br />
networks.<br />
Supports the X500 directory server.<br />
In special cases, you may want to set up a UDP proxy or a TCP proxy service that is not preconfigured when you install the Sidewinder G2. The Sidewinder G2 contains a special domain called Genx that can be used for TCP proxies other than the ones that are initially set up on the Sidewinder G2. A special domain called UDPx can be used for UDP proxies.
If you set up more than one of your own proxies, they will not be isolated from each other using Type Enforcement since they are all contained in one domain (Genx for TCP and UDPx for UDP). However, proxies you add are still isolated from all other domains and cannot interfere with any other Sidewinder G2 activity.
Tip: To set up additional proxies using the Admin Console, refer to “Setting up a new proxy” on page 8-31.
Important: If you set up your own proxies or reconfigure established proxies, do not use ports 9000–9010. These ports are reserved by the Sidewinder G2 for administration purposes.
Transparent & non-transparent proxies
The Sidewinder G2 FTP, HTTP, HTTPS, and Telnet proxies can be configured to be transparent or non-transparent to users. Transparency for the HTTP and HTTPS proxies is configured on a per-rule basis via Application Defenses. Transparency for FTP and Telnet is determined by two distinct proxies that can be enabled and specified in your active rules (telnet and nt_telnet, ftp and nt_ftp).
When using transparent proxy settings, the user appears to connect directly to the desired network’s FTP, HTTP, HTTPS, or Telnet proxy without connecting to the Sidewinder G2 first.
For example, to initiate an outbound Telnet session using a transparent Telnet proxy, a user would issue the following command from his or her workstation:
telnet destination_IP_address
With a non-transparent Telnet proxy, a user must first Telnet to the Sidewinder G2 and specify a destination address for the Telnet session. For example, the following shows how an internal user would initiate a Telnet session to a server in an external network using a non-transparent proxy that requires standard password authentication.
>telnet internal_IP_address
(connection message from the Sidewinder G2 appears...)
>Enter destination: destination_address
>Username: username
>Password: password
(connection message from the destination Telnet server appears...)
>login: username
>Password: password
While non-transparent proxy configurations are not typically used, they may be useful under special circumstances. For example, if your internal network is experiencing problems resolving routes or names, non-transparent proxy configurations may be used as a temporary measure to allow FTP, HTTP, HTTPS, or Telnet sessions.
You may also need to use non-transparent proxy configurations for outgoing connections if you configure the Sidewinder G2 to trigger an alarm event when external addresses are detected on the internal side of the Sidewinder G2. (For information on alarm events, see Chapter 17.) For incoming connections, you may need to use non-transparent proxy configurations if the internal network is not visible to the external side and redirection to a single internal machine is undesirable.
Note: Certain transparent and non-transparent proxy configurations can require users to authenticate before they are allowed to connect (see Chapter 9).
Notes on selected proxy configurations
This section provides additional configuration information on some of the more common proxy configurations that you can use at your site:
Telnet (page 8-15)
FTP (page 8-17)
HTTP/HTTPS (page 8-18)
ICA (page 8-18)
Sun RPC (page 8-19)
NNTP (page 8-19)
T.120 and H.323 (page 8-22)
generic TCP (page 8-26)
DNS (page 8-27)
Notes on using the Telnet proxy
The Sidewinder G2 provides a Telnet proxy that allows your trusted users to remotely log in to Internet systems using a Telnet client. When the proxy software is enabled, users can Telnet to any available Internet site, and the connections will be routed through the Sidewinder G2 without users being aware of it. You can control which systems on your trusted networks can use Telnet and prohibit users from accessing specified external addresses.
Systems that users log in to must be running a Telnet server in order to establish the connection. To make the Telnet connection, users must run a Telnet client and specify the name of the remote system they want to access. Users accessing a Telnet server must also have accounts on that system. Once the session is established, the user is logged in on the remote system as if he or she were a local user.
Important: Using the Admin Console, you can also set up a Telnet proxy from the external burb to an internal burb on your Sidewinder G2. This is only required in specialized cases. For example, if you are using a strong authentication method to authenticate Telnet sessions, you may want to allow administrators to remotely access a server inside your network. Before setting up this type of proxy, you may want to contact Secure Computing to get assistance addressing any security issues this presents.
Note: If an Internet Telnet server is not available when a trusted user tries to connect, the user will NOT receive a message stating that the connection was unsuccessful.
The following steps summarize the tasks you need to perform to set up Telnet access for internal users.
1. Enable the Telnet proxy for the appropriate burb(s). (See “Configuring proxies” on page 8-28.) The Telnet proxy runs in its own domain on the Sidewinder G2.
2. Ensure that the Internet Services proxy rule is enabled and is contained in the active rule group. The Internet Services proxy rule consists of a service group that contains Telnet as well as other Internet services. (You can also create an individual telnet_out rule if you want to configure authentication specifically for Telnet.) See “Creating proxy rules” on page 7-4.
   This rule allows users from one of your trusted burbs to Telnet to the Internet. You can use the Admin Console to disable this proxy rule or change its settings to control which internal users are allowed Telnet access and to which external systems they can connect. See “Users and user groups” on page 4-8 for detailed information.
3. [Optional] Configure the Sidewinder G2 to authenticate all users requesting Telnet service before the Sidewinder G2 makes the network connection. Refer to Chapter 9 for details on the authentication methods supported by the Sidewinder G2.
Notes on using the FTP proxy
The FTP proxy allows internal users to use an FTP client to remotely log in to Internet systems. Systems that users log in to must be running an FTP server in order to establish the connection. To make the FTP connection, users must run an FTP client and specify the name of the remote system they want to access.
Note: If an Internet FTP server is not available when an internal user tries to connect, the user will NOT receive a message stating that the connection was unsuccessful.
The following steps summarize the tasks you need to perform to set up FTP access for internal users.
1. Enable the FTP proxy for the appropriate burb(s). (See “Configuring proxies” on page 8-28.) The FTP proxy runs in its own domain on the Sidewinder G2.
2. Ensure that the Internet Services proxy rule is enabled and is contained in the active rule group. The Internet Services proxy rule consists of a service group that contains FTP as well as other Internet services. (You can also create an individual ftp_out rule if you want to configure authentication specifically for FTP.) See “Creating proxy rules” on page 7-4.
   Once you enable the FTP proxy, this rule will allow all internal users FTP access to the Internet. You can use the Admin Console to disable this proxy rule or change its settings to control which internal users are allowed FTP access and to which external systems they can connect. See “Users and user groups” on page 4-8 for detailed information.
3. [Optional] Create a rule that requires authentication for all users requesting FTP service before the Sidewinder G2 makes the network connection. Refer to Chapter 9 for details on the authentication methods supported by the Sidewinder G2.
Note: You can configure advanced parameters (such as FTP permits) for the FTP proxy on a per-rule basis using Application Defenses. For information on creating FTP Application Defenses, see “Creating FTP Application Defenses” on page 6-33.
HTTP/HTTPS considerations
The HTTP and HTTPS proxies allow you to configure Web access (including authentication) for trusted and untrusted users. You can configure header filtering, URL controls, MIME/anti-virus filtering, and types of Web content (objects) that will be denied on a per-rule basis using Application Defenses. Additionally, using HTTPS you can also configure SSL decryption and clientless VPN services. For more information on the HTTP/HTTPS proxies, see Chapter 12. For information on creating Application Defenses for the HTTP/HTTPS proxies, see “Creating Web or Secure Web Application Defenses” on page 6-4.
Note: If your site requires caching services, you can use the Web proxy server. The Web proxy server is implemented using Squid, an open source software program that provides proxying and caching capabilities. The Web proxy server is described in Chapter 12.
ICA proxy considerations
The ICA proxy allows you to utilize the Citrix Independent Computing Architecture (ICA) protocol to allow remote clients to access applications within a Citrix server farm. You may locate these applications either by configuring your client directly, or by pointing it to a master browser. A master browser is a Citrix server that is configured to be responsible for tracking the ICA functions that are available for clients to access, such as applications or other Citrix servers (known as member browsers).
For information on configuring the ICA proxy, see “Configuring proxies” on page 8-28.
Note: You can configure advanced parameters (such as timeout properties) for the ICA proxy on a per-rule basis using Application Defenses. For information on creating Application Defenses for the ICA proxy, see “Creating Citrix Application Defenses” on page 6-31.
Note: Refer to your Citrix documentation for information on configuring your master browser and member browsers.
Sun RPC proxy considerations
The RPC proxy allows you to transfer Sun RPC traffic between a client application and an RPC server on opposite sides of the Sidewinder G2. This proxy listens on port 111 (the portmap process) for RPC requests and forwards them to the destination server.
Both TCP and UDP traffic are supported for this proxy. However, some additional configuration may be necessary for timeout processing when proxying UDP traffic. UDP sessions remain live until the idle timeout threshold is met. Therefore, a session with a timeout value of 30 seconds will remain live for 30 seconds even though the session may have only required two seconds of processing time.
Connection properties for the Sun RPC proxy are configured via Standard Application Defenses. See “Creating Standard Application Defenses” on page 6-45.
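The idle-timeout behaviour described above, modelled as an added example (not code from this guide or from the Sidewinder G2): a session table for proxied UDP flows that can only close once a flow has been idle for the timeout, measured from its last datagram, applied to a constructed RPC exchange that needs two seconds of work and then to a constructed workload of one short RPC per second. The flow keys, timings and workload are assumptions.

```python
class UdpSessionTable:
    """Session table for proxied UDP flows (constructed model, not the Sidewinder G2's code).

    UDP has no connection teardown, so the proxy can only drop a session once it has
    been idle for idle_timeout seconds, however short the actual exchange was."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self._last_seen = {}      # flow -> time of the last datagram in either direction

    def observe(self, flow, now):
        """Record a datagram for flow at time now; return True if this opened a new session."""
        is_new = flow not in self._last_seen
        self._last_seen[flow] = now
        return is_new

    def expire(self, now):
        """Close every session idle for at least idle_timeout seconds; return the closed flows."""
        closed = [f for f, t in self._last_seen.items() if now - t >= self.idle_timeout]
        for f in closed:
            del self._last_seen[f]
        return closed

    def live(self):
        """Number of sessions currently held in the table."""
        return len(self._last_seen)


def rpc_lifetime(idle_timeout=30, work_seconds=2):
    """One RPC request at t=0 answered at t=work_seconds, then silence.

    Returns (sessions live when the work is done, time at which the proxy finally closes it)."""
    table = UdpSessionTable(idle_timeout)
    flow = ("client", "portmap")        # assumed flow key: the client and the port 111 listener
    table.observe(flow, 0)              # request crosses the proxy
    table.observe(flow, work_seconds)   # reply crosses back; nothing more is ever sent
    live_after_work = table.live()
    for t in range(work_seconds, work_seconds + idle_timeout + 1):
        if table.expire(t):
            return live_after_work, t
    return live_after_work, None


def steady_state_sessions(idle_timeout, seconds=120, reply_delay=2):
    """Constructed workload: one new RPC flow per second, each answered after reply_delay
    seconds and then silent. Returns the number of table entries still live at the end,
    which is the proxy state the chosen idle timeout costs."""
    table = UdpSessionTable(idle_timeout)
    for t in range(seconds):
        table.observe(("client", t), t)                      # request of the flow started at t
        if t >= reply_delay:
            table.observe(("client", t - reply_delay), t)    # reply for the flow started earlier
        table.expire(t)
    return table.live()
```

With the page's numbers, the two-second exchange is held until t=32 and a steady one-request-per-second load keeps about timeout + 2 sessions open, so lowering the Standard Application Defense timeout is what frees proxy state.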
Usenet News proxy configurations
Sidewinder G2 supports a Network News Transfer Protocol (NNTP) proxy that allows you to use a Usenet News server at your site. This allows your site to exchange news with an Internet News provider. (Sidewinder G2 does not run a news server because of the large amount of disk space required.)
When you set up a news server at your site, that system must run a Usenet News package such as C-News/NNTP or InterNet News (INN). You must arrange for a news “feed” from the site responsible for transferring news to/from your site. In addition, you need to provide internal users with software that allows them to access the news that your site receives and post their own articles to newsgroups.
Before you configure a proxy rule for Usenet News proxies, you must specify which network objects the news information can be transferred to and from. For information on network objects, see “Creating network objects” on page 5-10.
Note: You cannot use the Sidewinder G2 to control which newsgroups your internal users can subscribe or post to—that must be configured in the Usenet News software.
Whether you need Usenet News proxies in one direction or two will depend on your server configuration, as described below. Normally you will use the NNTP proxy so that news can be transferred only to and from your feed site.
News server configurations
You have several options for configuring a Usenet News server when you use the Sidewinder G2 in your network. Two common configurations are listed below, along with issues to consider with each.
News server in front of the Sidewinder G2
In this configuration, your news server is placed in front of the Sidewinder G2. The external server could be operated by your Internet service provider (ISP) or by your site. This configuration assumes that news access only via NNTP is allowed, which is typical (rather than through NFS or a local filesystem).
[Figure 8-4. News server in front of the Sidewinder G2: a news client on the internal network reaches a news server on the external network through the news proxy on the Sidewinder G2.]
In Figure 8-4:
— An internal-to-external proxy is required to allow internal users access to the news server. An external-to-internal news proxy is not necessary.
— Your router should be used to limit access so that only your news feed site can access the news server from the Internet.
News server behind the Sidewinder G2
In this configuration, your news server is behind the Sidewinder G2 on your internal network.
[Figure 8-5. News server behind the Sidewinder G2: the news client and the news server are both on the internal network; the news feed on the external network reaches the server through the Sidewinder G2.]
In Figure 8-5:
— Your feed site must send news through the Sidewinder G2. The Sidewinder G2 forces the connection to go to the server you designate as your internal news server.
— If the NNTP daemon on your news server is compromised, an attacker may have full access to the internal network.
— This configuration normally requires a news proxy for each direction as follows: An internal-to-external proxy must be enabled to allow your news server to send information to the feed site. A second proxy allows the feed site to send news to the internal server. The connection in both directions is handled through the Sidewinder G2. If your internal news server’s address was visible to the Internet, you could set up an external-to-internal proxy from your feed site to your news server. This is usually not the case, since you normally do not want internal addresses to be visible on the Internet.
Note: If you set up the news feed using the NNTP “pull” model, you will only need an internal-to-external proxy. (For more information, see Managing UUCP and Usenet, published by O’Reilly & Associates, Inc.)
— Instead of a standard external-to-internal proxy, you set up an external-to-internal news proxy using port or address redirection. Redirecting a proxy allows you to reroute a connection to a specific host system using the same or different port number as the original connection request. When you set up a proxy redirection for news, you allow a connection between your feed site and the Sidewinder G2, then provide the address of your internal news server to the Sidewinder G2 so it will reroute the proxy to that server.
Important: If your news server is behind the Sidewinder G2, refer to “Redirected proxy connections” on page 8-5 for additional information.
T.120 and H.323 proxy considerations
The T.120 and H.323 proxies can be configured to work together, allowing you to make use of both the data-sharing and audio/video features of data conferencing products, such as Microsoft NetMeeting, in a single conference. This section provides an overview of each proxy and its role in data conferencing. It also provides information on configuring the two proxies to work together to enable the complete realm of NetMeeting features.
About the T.120 proxy
The T.120 proxy provides support for applications built using the International Telecommunication Union (ITU) T.120 recommendations. The T.120 recommendations are most prevalent in data conferencing applications. T.120 defines several standardized data conferencing services including application sharing, text chat, shared whiteboard, and multipoint file transfer.
Microsoft’s NetMeeting is a popular example of a T.120 enabled application. The T.120 proxy enables you to use all of the standard T.120 data conferencing services, and provides you with a means to control which services are accessible. The T.120 proxy also provides support for the Microsoft NetMeeting chat and application sharing, which are non-standard T.120 application services.
Note: The audio, video, ILS, and ULS features of NetMeeting are not supported by the T.120 proxy. To provide support for these features, you must enable the H.323 proxy. You must also add the pre-configured NetMeeting proxy rule to the active proxy rule group. This will ensure that both proxies remain in synchronization with one another. See “Synchronizing the T.120 and H.323 proxies for use with NetMeeting” on page 8-25 for more information.
When configured, the T.120 proxy is transparent to the participants of the data conference. The T.120 proxy will come into play when a conference participant attempts to join an existing conference or attempts to invite another participant that resides in a different burb. The T.120 proxy will intercept and mediate the session between the pair of conference host machines (referred to as "nodes" in T.120 parlance).
T.120 conferences are arranged into a hierarchy of nodes. The placement of the Sidewinder G2 with respect to the nodes in the conference affects how many sessions are created through the proxy and the communication path of the conference data. When a first conference participant joins a conference in a different burb, a T.120 session will be created between the participant's node and the contacted node. If a second conference participant attempts to contact the new conference node, a separate session will be created. The preconfigured NetMeeting proxy rule (when added to the active rule group) will apply to each participant’s respective node IP address. On the other hand, if the second participant contacts the first participant and asks to join the conference, the same session through the proxy will be used. The NetMeeting proxy rule, which applies to the first participant’s node, will also apply to this session.
The T.120 proxy is configured to use port 1503 by default. This can be changed as described in “Configuring proxies” on page 8-28.
About the H.323 proxy
H.323 is an International Telecommunications Union (ITU) standard that provides support for audio and video conferencing across a shared medium such as the Internet. The H.323 proxy provides for safe transfer of packets between burbs, standard functions such as filtering on source and destination hosts and burbs, and NAT and redirection. The H.323 proxy is a protocol-aware, application layer proxy that examines H.323 packets for correctness and adherence to site security policy. In addition to the standard filtering mentioned above, the H.323 proxy provides a mechanism for allowing or disallowing certain codecs (audio or video encoding schemes) within the H.323 protocol. (See the H.323 permissions discussion in “Creating proxy rules” on page 7-4.)
Microsoft NetMeeting is a popular implementation of the H.323 protocol. The H.323 proxy enables you to use the audio and video features of data conferencing products, such as NetMeeting.
Note: The standard data conferencing features, as well as the chat and application sharing features of NetMeeting, are not supported by the H.323 proxy. To provide support for these features, you must also enable the T.120 proxy. You must also add the preconfigured NetMeeting proxy rule to the active proxy rule group. This will ensure that both proxies remain in synchronization with one another. See “Synchronizing the T.120 and H.323 proxies for use with NetMeeting” on page 8-25 for more information.
The H.323 proxy can function between two endpoints (a single client implementation such as NetMeeting), or between one or more endpoints and a Multi-point Control Unit (MCU). The MCU enables two or more endpoints to simultaneously participate in a call. Each endpoint sends its audio and video signals through the Sidewinder G2 to the MCU. The MCU then combines the audio signals and selects one or more video signals to return to each endpoint.
Note: The H.323 proxy does not recognize any configuration difference between an endpoint and an MCU.
At this time, the H.323 proxy will not communicate with an H.323 gatekeeper. A gatekeeper is an entity, not unlike a Sidewinder G2, which sits between the source and destination endpoints, and typically provides services such as authentication, authorization, alias resolution, billing, and call routing. If there is a gatekeeper between the Sidewinder G2 and the source or destination endpoint, and the endpoint is configured to use the gatekeeper, the conference will not be possible.
The H.323 proxy must examine the contents of the protocol packets for encoded addresses and port numbers. Therefore, any sort of encryption of H.323 sessions is not possible in conjunction with the proxy. When implementing the H.323 protocol, you must disable NetMeeting's security features, or the security features of any other endpoint or MCU you may be using. Additionally, you must not route H.323 traffic through a virtual private network (VPN).
Also, any calls originating from the outside network and destined for a host on the internal network may be configured to use the netmaps feature. (For information on using netmaps, see “Configuring netmaps” on page 5-16.) This provides a form of redirection that allows you to hide a group of addresses behind the Sidewinder G2 while still allowing the inbound caller to reach the proper destination machine.
Notes on selected proxy configurations

Synchronizing the T.120 and H.323 proxies for use with NetMeeting

The T.120 and H.323 proxies can work together, allowing you to make use of both the data-sharing and audio/video features of NetMeeting in a single conference as follows:

The T.120 proxy enables you to use all of the standard T.120 data conferencing services, and provides you with a means to control which services are accessible. The T.120 proxy also provides support for the Microsoft NetMeeting chat and application sharing, which are non-standard T.120 application services.

The H.323 proxy provides support for the audio and video features of NetMeeting.

To make use of both the data-sharing and audio/video features of NetMeeting in a single conference, you must ensure that both the T.120 and H.323 proxies are enabled in the same burbs. This is necessary because for a single NetMeeting session, part of the traffic (the H.323 portion) is routed through the H.323 proxy, and part of the traffic (the T.120 portion) is routed through the T.120 proxy. If the H.323 and T.120 proxy configurations are out of synchronization, it is likely that NetMeeting conferences will not function correctly or completely (for example, audio and video work, but data-sharing does not work).

To prevent the two proxies from becoming out of synchronization, you can add the pre-configured NetMeeting proxy rule to your active rule group. (See “Creating and managing rule groups” on page 7-19.) The NetMeeting proxy rule allows access to both the T.120 and H.323 proxies (using the pre-configured NetMeeting Service Group), and allows access to all available NetMeeting features.

You can modify the NetMeeting proxy rule as needed or create your own proxy rules to allow only a portion of NetMeeting’s features, such as the chat and whiteboard features. These properties are configured via the Multimedia Application Defense that is associated with a particular proxy rule. For information on configuring Application Defenses for H.323/T.120, see “Configuring the IIOP Connection tab” on page 6-35.
Configuring Proxies 8-25
To appropriately restrict access for the NetMeeting proxy rule, you can also configure network objects or other rule elements. For example, if you want to allow only administrators access to all NetMeeting features, you could create and specify a network object within the rule that contains the IP addresses of all of your administrators. See “Rule elements” on page 4-6 and “Creating proxy rules” on page 7-4 for more details.
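The burb-synchronization requirement described above (both proxies enabled in the same burbs) can be checked mechanically whenever a proxy's burb list is changed. The script below is an added example written for this discussion; it is not a Sidewinder G2 tool, and the proxy table it reads is constructed sample data in a hypothetical "proxy_name burb,burb,..." format, since the firewall's own configuration file layout is not described here.

```shell
#!/bin/sh
# Added example: verify that two proxies which must be enabled together
# (the T.120 and H.323 proxies for NetMeeting) are enabled in the same burbs.
# PROXY_TABLE is constructed sample data in a hypothetical
# "proxy_name burb,burb,..." format, not the output of any Sidewinder G2 command.
PROXY_TABLE='
h323 internal,dmz
t120 internal
ftp internal,external
'

# burbs_for NAME: print the burbs in which proxy NAME is enabled, one per
# line and sorted, so that two lists can be compared textually.
burbs_for() {
    printf '%s\n' "$PROXY_TABLE" \
        | awk -v name="$1" '$1 == name { print $2 }' \
        | tr ',' '\n' | sed '/^$/d' | sort -u
}

# only_in A B: print the burbs where proxy A is enabled but proxy B is not.
only_in() {
    a_list=$(mktemp); b_list=$(mktemp)
    burbs_for "$1" > "$a_list"
    burbs_for "$2" > "$b_list"
    comm -23 "$a_list" "$b_list"
    rm -f "$a_list" "$b_list"
}

# check_pair A B: return 0 if A and B are enabled in exactly the same burbs;
# otherwise report every mismatch in both directions and return 1.
check_pair() {
    mismatch=0
    for burb in $(only_in "$1" "$2"); do
        echo "$1 is enabled in burb '$burb' but $2 is not"
        mismatch=1
    done
    for burb in $(only_in "$2" "$1"); do
        echo "$2 is enabled in burb '$burb' but $1 is not"
        mismatch=1
    done
    return $mismatch
}

# Usage: a NetMeeting conference needs both proxies in the same burbs.
if check_pair h323 t120; then
    echo "h323 and t120 are in sync"
else
    echo "h323 and t120 are out of sync: NetMeeting may work only partially"
fi
```

With the sample table, the check reports that h323 is enabled in the dmz burb while t120 is not, which is exactly the "audio and video work, but data-sharing does not" situation the text warns about. Swapping in a real export of the proxy table only requires adapting the awk field selection in burbs_for.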
Generic TCP proxy considerations

The following sections provide information on configuring the keep alive option for a generic TCP proxy, and restricting the outgoing port for a user-defined generic TCP proxy.

Configuring the keep alive option for a generic TCP proxy

The "keep alive" option allows you to configure the Sidewinder G2 to actively ensure that a generic TCP proxy session is still active. When the keep alive option is turned on for a particular TCP proxy, the Sidewinder G2 will, at a determined time (the default is two hours), verify that the TCP session is still active. If the session is inactive, the Sidewinder G2 will make a total of eight successive attempts to check for activity. If the session is still inactive, the Sidewinder G2 will immediately terminate that session.

To configure a generic TCP proxy to use the keep alive option, follow the steps below.

1. Using a text editor, open the appropriate TCP proxy configuration file (/etc/sidewinder/proxy/proxyname.conf).

2. In the keep_alive field, toggle the value to [on].

Note: Secure Computing strongly recommends setting the Idle Timeout value to zero (0) for any TCP proxy with the keep-alive option enabled. (The Idle Timeout value for a generic TCP proxy is configured in the Standard Application Defense.)

3. Save the changes and exit the file.
Note: You will need to restart the proxy for the changes to take effect.
4. [Optional] Set the keep_idle value using the sysctl command.

The "keep idle" value allows you to specify the amount of time that will pass before a session’s periodic "keep alive" exchange will begin when no data is being exchanged. The default value is 7200. The following example will set the value to 300.

sysctl -w net.inet.tcp.keepidle=300

Important: You must also add this line to /etc/rc.local or it will be overwritten upon reboot.
Notes on using the DNS proxy

If you have many hosts on a trusted network that point to an external DNS server, and you want these hosts to use the unbound DNS server on the Sidewinder G2 instead, you have two options:

You can modify each of the individual hosts to point to the unbound DNS server.

You can configure a DNS proxy rule on the Sidewinder G2 that redirects the DNS traffic from the trusted burb in which the hosts reside to the unbound DNS server. This may be the preferred option if you have hundreds or thousands of local hosts, because you can make one change on the Sidewinder G2 rather than hundreds or thousands of individual changes.

When defining the DNS proxy rule, be sure to set the following information on the Source/Dest tab in the Proxy Rule window:

— Set the Redirect Host field to 127.0.0.1

— Set the NAT Address field to Localhost. The DNS proxy will not allow redirection to any other loopback address (for example, 127.2.0.1).

Important: If your Sidewinder G2 uses split DNS mode, do not create this type of proxy rule on the Internet burb, because traffic will bypass the Internet DNS name server.
Configuring proxies

Figure 8-6. Proxies window

The pre-configured Sidewinder G2 proxies consist of standard settings and require very little modification. For most proxies the only configuration decision to be made is whether to enable or disable each individual proxy. However, the Admin Console also provides the capability to modify and delete existing proxies, or to create entirely new proxies.

Tip: You can configure advanced properties for most proxies on a per rule basis using Application Defenses. For information on configuring Application Defenses, see Chapter . For an overview of Application Defenses, see “Application Defenses” on page 4-14.

Configuring proxy properties

To configure properties for a proxy, start the Admin Console and select Services Configuration -> Proxies. A table appears in the upper portion of the window, listing the available proxies. (Use the scroll bar to browse the entire list of proxies.)

Note: To enable or disable the Web proxy server, refer to “Configuring the Web proxy server” on page 12-12.

About the Proxies window

The main proxy window consists of a proxy table that lists all of the proxies that are currently available by row. Each row displays a summary of the current configuration for that proxy, as follows:
Proxy Name—Displays the name of the proxy.

Attributes—Displays icons indicating the type of Application Defense associated with a proxy, as well as which protocol this proxy uses. (A “T” icon with a solid line beneath it appears for TCP proxies, and a “U” icon with a dashed line appears for UDP proxies. If a proxy uses both protocols, both icons will appear.)

Enabled in Burbs—Displays the burb(s) for which this proxy is currently enabled.

Port Definitions—Displays the port(s) that this proxy currently uses.

To create a new proxy, click New beneath the proxy table. See “Setting up a new proxy” on page 8-31 for details on creating a new proxy.

To delete a proxy, highlight the proxy you want to delete, and click Delete in the lower left portion of the window. (You cannot delete proxies that are pre-configured on the Sidewinder G2.)

Note: You cannot delete a proxy that is specified as a service in a proxy rule.

When you select a proxy in the proxy table, the configuration information for that proxy appears in the Proxy Properties tab in the lower portion of the window. This tab allows you to modify the proxy information. To configure or modify the properties for a proxy, select the proxy in the table, and follow the steps below.

Note: The fields that appear will vary depending on which proxy you select.

Note: You cannot modify a proxy’s name or protocol once it has been created. To change the name or protocol for a proxy, you must delete the proxy and then create a new proxy with the new name and/or protocol.

1. In the Enabled In Burbs field, select the burb(s) for which this proxy is enabled. A check mark indicates that a burb is enabled for that proxy.

Important: Be sure to deselect any burbs for which you do not want this proxy enabled. (If a burb is disabled, a check mark will NOT appear next to it.)

2. In the Port Definitions field, specify the port(s) or range(s) of ports that the proxy will use. TCP proxies can have multiple, non-contiguous ports configured. Non-TCP proxies may only be allowed to have a single port, or a single port range configured.
To add a new port or range of ports, click New. To modify an existing port or range of ports, highlight the entry and click Modify. The Port(s) Configuration window appears. For information on configuring the Port Configuration window, see “Configuring connection ports” on page 8-33.

Important: Do not specify a port number or range that is currently being used for a server or another proxy running on the Sidewinder G2.

3. (http, https, sql, and generic TCP proxies only) To specify the total number of connections expected for a proxy, select one of the following options from the Expected Connections drop-down list:

Caution: Do not change the value for this field unless you have experienced performance problems for one of the proxies listed. Opening multiple instances of a single proxy can create performance problems if you enable them unnecessarily. For specific information on when to enable multiple proxy instances, see “Configuring multiple instances of certain proxies” on page 8-5.

1000—Select this value to open a single instance for a proxy.

2000—Select this value to open a single instance for a proxy.

4000—Select this value to open two identical proxies.

8000—Select this value to open four identical proxies.

16000—Select this value to open eight identical proxies.

4. Click the Save icon to save your changes, or click Cancel to revert to the previously saved data.

Note: You can configure advanced proxy parameters (such as Fast Path Sessions) and assign them on a per rule basis using Application Defenses. See Chapter 6 for details.

Note: The ICA and ping proxies contain an additional Advanced tab that you can configure. For information on configuring the ICA proxy Advanced tab, see “Configuring the ICA proxy Advanced tab” on page 8-30. For information on configuring the ping proxy Advanced tab, see “Configuring the ping proxy Advanced tab” on page 8-31.
Configuring the ICA proxy Advanced tab

To configure the Advanced tab for the ICA proxy, in the Admin Console, select Services Configuration -> Proxies. The Proxies window appears. Select the ica proxy from the proxy table and select the Advanced tab. The following tab appears in the lower portion of the window.

Figure 8-7. ica proxy Advanced tab

About the ICA proxy Advanced tab

The ICA Advanced tab allows you to configure which burbs you want to enable for the master browser. Follow the steps below.

Note: Refer to your Citrix documentation for information about the master browser.

1. In the Browser field, select the burb(s) for which you want to enable the master browser.

2. Click the Save icon in the toolbar to save your changes.

Configuring the ping proxy Advanced tab

Ping timeout properties cannot be configured on a per rule basis. Therefore, advanced ping properties cannot be configured via Application Defenses. To configure the timeout value for the ping proxy, do the following:

1. In the Admin Console, select Services Configuration -> Proxies.

2. Select the ping proxy, and then select the Advanced tab.

3. In the Timeout field, specify the length of time, in seconds, that the proxy should attempt to connect to the server before the proxy stops trying.

4. Click the Save icon to save your changes.

Setting up a new proxy

As described earlier in this chapter, the Sidewinder G2 is set up to run a variety of standard proxies. You can set up additional proxies if needed. To set up a new proxy, you will need to know the name of the service and the port number on which it runs. In the Admin Console, select Services Configuration -> Proxies. The Proxies window appears.
Figure 8-8. New Proxy window

Entering new proxy information

This window allows you to define a new proxy. Follow the steps below.

1. In the New Proxy Name field, type a descriptive name for the new proxy.

Note: You cannot modify the proxy name once it has been saved.

2. In the Protocol drop-down list, select the appropriate protocol for this proxy, as follows:

TCP—Select this option to create a TCP proxy.

UDP—Select this option to create a UDP proxy.

Other—Select this option to create a new instance of an application-aware proxy. If you select this option, a drop-down list appears. Select the appropriate service from the list.

3. In the Port Range field, click New to specify the port range that the proxy will use. See “Configuring connection ports” on page 8-33 for more information on configuring ports.

Important: Do not specify a port number or range that is currently being used for a server running on the Sidewinder G2.

4. Click Add to add the new proxy to the proxy table. Once you have added the proxy to the table, you may select the proxy and configure additional information such as the burbs for which it will be enabled. For information on configuring the proxy, see “Configuring proxy properties” on page 8-28.

Important: After configuring a new proxy, you should configure access restrictions to the proxy by following the procedure described in “Creating proxy rules” on page 7-4.
Configuring connection ports

The Edit a Port window allows you to configure a single port or a port range, or you can select from pre-defined ports for specific proxies by selecting one of the following radio buttons:

Specify a Port—Select this option to specify a single port. In the Port field, type a port number or use the up and down arrows to display the desired port.

Specify a Port Range—Select this option to specify a port range. In the Begin Port and End Port fields, specify the range of ports that this proxy can use (you can either type the port numbers in the appropriate fields or use the up and down arrows to display the desired ports).
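The Edit a Port window accepts whatever port or range you type, and the "Important" notes in this chapter leave the check for collisions with servers and other proxies to the administrator. The script below is an added example, not part of the guide or the product, that performs that check before a value is entered: it validates a proposed single port or range and reports every existing allocation it overlaps. The IN_USE table is constructed sample data in a hypothetical "name begin end" format (a single port is written with begin equal to end); it is not the output of any Sidewinder G2 command.

```shell
#!/bin/sh
# Added example: check a proposed port or port range for a new proxy against the
# ports already in use by servers and other proxies, before entering it in the
# Edit a Port window. IN_USE is constructed sample data in a hypothetical
# "name begin end" format (a single port has begin == end); it is not the
# output of any Sidewinder G2 command.
IN_USE='
ssh 22 22
https 443 443
h323 1720 1720
generic_tcp 5000 5010
'

# is_port N: succeed only if N is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_range BEGIN END: succeed only if both are ports and BEGIN <= END
# (a single port is the range BEGIN..BEGIN).
valid_range() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ]
}

# overlaps B1 E1 B2 E2: succeed if the closed ranges [B1,E1] and [B2,E2]
# share at least one port.
overlaps() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# conflicts BEGIN END: print every in-use entry that overlaps [BEGIN,END].
# Returns 0 when the range is free, 1 when something already uses part of it,
# and 2 when the requested range itself is invalid.
conflicts() {
    valid_range "$1" "$2" || { echo "invalid range: $1-$2" >&2; return 2; }
    found=0
    while read -r name b e; do
        [ -n "$name" ] || continue          # skip blank lines in the table
        if overlaps "$1" "$2" "$b" "$e"; then
            echo "$name ($b-$e)"
            found=1
        fi
    done <<EOF
$IN_USE
EOF
    return $found
}

# Usage: a new generic TCP proxy is proposed for 5005-5020, which collides
# with the existing generic_tcp allocation.
if conflicts 5005 5020; then
    echo "5005-5020 is free"
else
    echo "5005-5020 conflicts with the entries listed above"
fi
```

The overlap test is the standard closed-interval comparison, so it handles a single port against a range and two ranges that merely touch at one end (5000-5010 against 5010-5020 is a conflict). Feeding it the real port definitions shown in the Proxies window and the listening ports of the firewall's own servers turns the chapter's warning into a repeatable pre-change check.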
TCP maximum segment size

The TCP layer uses a maximum segment size (MSS) parameter to determine how much data can fit in a single data segment. At connection time, systems negotiate how big this value can be.

If you choose an MSS that is too small, all systems passing a given piece of data through a network must process more IP and physical network frames. This can drastically slow down an entire network. On the other hand, an MSS value that is too large forces the IP layer to fragment and reassemble the data, overburdening the receiving system.

Almost all systems on the Internet accept a TCP MSS of 536 data bytes. Most newer TCP/IP systems can effectively use a TCP MSS of 1460 bytes, improving the traffic load on the entire network. The Sidewinder G2 uses this as the default MSS value. With systems that cannot accept segments of 1460 bytes, the Sidewinder G2 negotiates down to the MSS that can be effectively used.

In a few cases, the default 1460 byte MSS size could cause a problem. Some older TCP/IP implementations do not negotiate the TCP MSS value. These older implementations also cannot perform IP reassembly. The most likely symptom will be that these systems will no longer be able to communicate through the Sidewinder G2.

The TCP MSS can be set to different values using the sysctl command. For example, the following command sets the TCP MSS to 536:

sysctl -w net.inet.tcp.mssdflt=536

Important: You must also add this line to /etc/rc.local or it will be overwritten upon reboot.
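Both sysctl settings in this chapter (net.inet.tcp.keepidle in the keep alive procedure and net.inet.tcp.mssdflt here) carry the same reminder: the running value is lost at reboot unless the command is also placed in /etc/rc.local. The shell functions below are an added example, not part of the guide or the product, showing how to record such a line without accumulating duplicates on repeated runs and how to read back what is pinned. They assume rc.local is a plain shell script executed at boot, as the guide's instruction implies; the demo writes to a temporary file rather than to /etc/rc.local.

```shell
#!/bin/sh
# Added example: pin a sysctl value in rc.local so it survives a reboot, without
# appending a duplicate line each time the script is run. Assumes rc.local is a
# plain shell script run at boot (as the guide implies); the demo below writes
# to a temporary file rather than /etc/rc.local.

# re_escape STRING: escape the dots in a sysctl key so that grep/sed match it
# literally (net.inet.tcp.keepidle, not "net" followed by any character).
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# persist_sysctl FILE KEY VALUE: ensure FILE holds exactly one
# "sysctl -w KEY=VALUE" line for KEY, replacing any earlier value for that key.
persist_sysctl() {
    file=$1; key=$2; value=$3
    line="sysctl -w $key=$value"
    esc=$(re_escape "$key")
    [ -f "$file" ] || : > "$file"
    if grep -q "^sysctl -w $esc=" "$file"; then
        # key already pinned: rewrite that line in place, keeping file mode
        tmp=$(mktemp)
        sed "s|^sysctl -w $esc=.*|$line|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# persisted_value FILE KEY: print the value pinned for KEY in FILE (empty if none).
persisted_value() {
    esc=$(re_escape "$2")
    sed -n "s|^sysctl -w $esc=\(.*\)$|\1|p" "$1"
}

# apply_sysctl KEY VALUE: set the value on the running system (requires root).
# Kept separate from persist_sysctl so the file can be prepared and reviewed
# before the live kernel setting is changed.
apply_sysctl() {
    sysctl -w "$1=$2"
}

# Usage: keep idle time of 300 seconds and TCP MSS of 536, as in the guide's
# examples; a later call with a new value replaces the earlier line.
demo=$(mktemp)
persist_sysctl "$demo" net.inet.tcp.keepidle 300
persist_sysctl "$demo" net.inet.tcp.mssdflt 536
persist_sysctl "$demo" net.inet.tcp.keepidle 600
cat "$demo"
rm -f "$demo"
```

On the firewall itself the calls would be persist_sysctl /etc/rc.local net.inet.tcp.keepidle 300 followed by apply_sysctl net.inet.tcp.keepidle 300; keeping the two steps apart makes it easy to diff rc.local before anything is applied.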
CHAPTER 9

Setting Up Authentication

About this chapter

This chapter describes the methods that are available to authenticate Sidewinder G2 users and administrators. This chapter includes information on how to set up the Sidewinder G2 to authenticate login, Telnet, FTP, Web, SOCKS5, secure shell (SSH), and VPN sessions. This chapter also provides information on configuring single sign-on (SSO). The following topics are covered:

“Authentication overview” on page 9-1
“Supported authentication methods” on page 9-5
“Authentication process overview” on page 9-9
“Users, groups, and authentication” on page 9-11
“Configuring authentication services” on page 9-11
“Configuring SSO” on page 9-27
“Setting up authentication for services” on page 9-30
“Setting up authentication for Web sessions” on page 9-32
“Setting up authentication for administrators” on page 9-33
“Allowing users to change their passwords” on page 9-34
“How users can change their own password” on page 9-36

Authentication overview

In general, authentication refers to a process that validates a person’s identity before he or she is allowed to log in to a network server. Depending on the authentication method used, a person must provide a user name and valid password and/or a special passcode or personal identification number (PIN) before being logged on to a server. If a user enters an invalid password, passcode, or PIN the log in request is denied.

There are two basic Sidewinder G2 authentication scenarios: proxy authentication and Sidewinder G2 administrator authentication. The following sections describe each scenario.

Setting Up Authentication 9-1
Proxy authentication

You can configure the Sidewinder G2 to authenticate network users trying to connect from one side of the Sidewinder G2 to another via a Web, SOCKS5, Telnet, or FTP proxy. You can authenticate proxy use for internal-to-external, external-to-internal, and internal-to-internal connections.

Internal-to-external authentication

You can authenticate internal users whenever they try to access a SOCKS5, Telnet, or FTP server, or the Web, through the Sidewinder G2. While internal users are generally thought to be trusted, authenticating internal-to-external proxy connections provides an extra level of security and allows you to closely track who is using each Internet service and how long they are using it. (See Chapter 17 for information on Sidewinder G2 reporting.) For example, you might use this information for internal accounting. Note that if you do not authenticate internal-to-external proxies, you can still track Internet usage, but the tracking is done for each machine address only (not for individual users).

External-to-internal authentication

You can authenticate SOCKS5, Telnet, FTP, or Web access from the Internet to hosts on an internal network. For example, an internal network may have Telnet, FTP, or Web servers that users at another location need to access via the Internet. In most, if not all cases, your Sidewinder G2 should be configured to authenticate all external-to-internal proxy connections.

Internal-to-internal authentication

When your Sidewinder G2 is configured with two Ethernet cards for two internal networks, you can authenticate SOCKS5, Telnet, FTP, and Web access from one internal network to a second internal network.
Administrator authentication

When you log in to the Sidewinder G2, you are authenticated using either standard UNIX password authentication or a stronger form of authentication, such as SafeWord PremierAccess. If standard UNIX password authentication is used, the password you provide is maintained in the user database, and the Sidewinder G2 checks the database to validate your password. Dynamic passwords, called passcodes, or challenge/response information generated for stronger authentication methods are not stored on the Sidewinder G2. Instead, they are located on the associated authentication server. (Strong authentication is described in the next section.) The default administrator authentication method is configured in the Firewall Accounts window. For information on configuring the default administrator authentication method, see “Setting up and maintaining administrator accounts” on page 3-5.

Administrators use Telnet or SSH to access a Sidewinder G2 from an Admin Console. By default, standard UNIX password authentication is used to validate this type of remote log in attempt.

Note: Secure Computing recommends using a strong authentication method for logon attempts from a remote UNIX server.

Weak versus strong authentication

Secure Computing uses the terms “weak” and “strong” when referring to the level of security provided by an authentication method. The differences are discussed in the following sections.

Weak authentication

A weak authentication method merely requires a user to enter the same password each time he or she logs on. The “standard” UNIX password process is considered to be a weak authentication method. If someone “sniffs” the password off the phone line or network as it is transmitted, they can conceivably use that password to break into the system. Because your internal network is thought to be “trusted,” this type of authentication is generally used for authenticating internal-to-external proxy connections.
Strong authentication

A basic premise of security is to positively identify who is accessing your networks. Strong user authentication performs this function and is generally desired for external-to-internal proxy connections. An authentication server, such as Secure Computing’s SafeWord PremierAccess, typically resides in an internal network burb. When a user attempts to log in, the authentication server displays a passcode prompt for the user.

A passcode is a unique, one-time response that is generated for the user via a hardware or software authenticator known as a token. Because the token generates a unique passcode for each log in attempt, the passcodes are immune to password sniffing or theft. Because the passcodes are generated by a cryptographic algorithm, they are essentially impossible to guess.

When tokens are PIN-protected, this strong authentication method is known as two-factor authentication. That is, authentication is based on something the user knows (a PIN that allows access to the token) and something the user has (a token that generates unique passwords).

The Sidewinder G2 coordinates the passcode prompt and response process between the authentication server and the user. The authentication server maintains detailed information about user accounts and connection times.

Hardware authenticators

A hardware authenticator is a small, hand-held device that looks similar to an ordinary calculator. The hardware authenticator displays the proper log in response on a digital display. A hardware authenticator is platform-independent and can be used from any PC or workstation equipped for network communications.

Software authenticators

In contrast, a software authenticator is installed directly on the user’s PC or workstation. It automates the response process, requiring the user only to enter a personal identification number (PIN). A valid PIN unlocks the software authenticator, which then calculates and returns the proper log in response. An example of a supported software authenticator is the SafeWord PremierAccess SofToken-II.
Supported authentication methods

Sidewinder G2 supports standard UNIX password authentication, Windows Domain authentication, and the following stronger authentication methods: SafeWord PremierAccess and SafeWord RemoteAccess (from Secure Computing Corporation), SecureNet Key (SNK) from Symantec Corporation, and SecurID from RSA Security, Inc. Sidewinder G2 also supports the widely-used RADIUS authentication protocol and the Lightweight Directory Access Protocol (LDAP). All of these can be used to authenticate SOCKS5, Telnet, FTP, and Web connections through the Sidewinder G2 and administrator log in connections to the Sidewinder G2.

Note: Single Sign-On (SSO) can be used in conjunction with the authentication methods listed below to cache a user’s initial authentication, thereby allowing access to multiple services with a single authentication to the Sidewinder G2. For information on configuring SSO, see “Configuring SSO” on page 9-27.
Table 9-1. Authentication methods available for the Sidewinder G2

Authentication Method | Security Level | Recommended Usage | Server Type | Authenticator Type
--- | --- | --- | --- | ---
Standard Password | Weak | Internal-to-external login, FTP, Telnet, Web, SOCKS5, or SSH sessions | Not applicable | Not applicable
SafeWord (PremierAccess and RemoteAccess) | Strong | External-to-internal login, FTP, Telnet, Web, SOCKS5, or SSH sessions | SafeWord Authentication Server, external to the Sidewinder G2 | Software (SofToken II) and hardware token (Silver 2000, Gold 3000, Platinum)
LDAP | Weak | Internal-to-external login, FTP, Telnet, Web, SOCKS5, or SSH sessions | X.500 directory server, external to the Sidewinder G2 | Not applicable
Windows Domain | Weak | Internal-to-external login, FTP, Telnet, Web, SOCKS5, or SSH sessions | Windows primary domain controller (PDC) or backup domain controller (BDC) | Not applicable
SecureNet Key (SNK) | Strong | External-to-internal login, FTP, Telnet, or SSH sessions | Defender Security Server (DSS), external to the Sidewinder G2 | SecureNet Key (SNK) or Symantec Corporation hardware authenticator
SecurID | Strong | External-to-internal login, FTP, Telnet, Web, SOCKS5, or SSH sessions | ACE/Server, external to the Sidewinder G2 | SecurID hardware authenticator
RADIUS | Strong | External-to-internal login, FTP, Telnet, Web, or SSH sessions | RADIUS server, external to the Sidewinder G2 | Any
Below is a brief summary of the authentication methods supported by the Sidewinder G2.

Standard password authentication

Standard password authentication requires a user to enter the same password each time he or she logs on. This method typically is used for authenticating a user’s internal-to-external SOCKS5, Telnet, FTP, and Web connections, and local Sidewinder G2 administrator log ins. Since the internal users are generally thought to be trusted, a weak authentication method is probably all that is required. You may want to authenticate internal-to-external connections not so much for security reasons but to track usage of the system.

SafeWord authentication

The SafeWord family of authentication servers that interoperate with the Sidewinder G2 includes SafeWord RemoteAccess and SafeWord PremierAccess. The following table is provided as a reference to better understand the authentication capabilities of each server, and the Sidewinder G2 authentication methods that are supported.
Table 9-2. Authentication capabilities <strong>of</strong> SafeWord servers<br />
Feature/Capability<br />
<strong>Sidewinder</strong> <strong>G2</strong> authentication<br />
methods supported<br />
SafeWord<br />
RemoteAccess<br />
SafeWord<br />
PremierAccess<br />
RADIUS only SafeWord & RADIUS<br />
Fixed passwords No Yes<br />
Dynamic passcodes w/o<br />
challenge<br />
Dynamic passcodes with<br />
challenge<br />
Hardware tokens only Hardware and<br />
s<strong>of</strong>tware tokens<br />
No Yes<br />
Location <strong>of</strong> user database Active Directory SafeWord<br />
Connectivity w/ the<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
RADIUS ports only RADIUS ports or port<br />
5030 (default)
When connected to the Sidewinder G2 using standard RADIUS ports,<br />
the authentication method is appropriately called RADIUS. This<br />
method is available with both SafeWord RemoteAccess and SafeWord<br />
PremierAccess. (For additional information on RADIUS, see “RADIUS<br />
authentication” on page 9-8.)<br />
SafeWord PremierAccess provides the ability to use fixed passwords<br />
or passcode authentication for Telnet and FTP sessions through the<br />
Sidewinder G2, and can be used to authenticate logins and SSH logins<br />
to the Sidewinder G2. Web sessions can also be authenticated, but are<br />
limited to using either fixed passwords or passcodes without the<br />
challenge/response option. (Not all tokens support this option.)<br />
The biggest advantages of using a tightly coupled configuration such<br />
as SafeWord PremierAccess authentication are the following:<br />
An improvement in performance over RADIUS.<br />
The ability for PremierAccess to forward role information for a<br />
user from the PremierAccess database to the Sidewinder G2.<br />
(While SafeWord PremierAccess can be connected to the Sidewinder<br />
G2 via standard RADIUS ports, in that configuration the user’s role<br />
cannot be made available to the Sidewinder G2.)<br />
Note: SafeWord RemoteAccess is always connected to the Sidewinder G2 via standard<br />
RADIUS ports and therefore cannot be assigned the SafeWord authentication method.<br />
Aside from the ability to return a user’s role, SafeWord RemoteAccess provides equally<br />
strong user authentication via the RADIUS interface.<br />
LDAP/Active Directory<br />
LDAP (Lightweight Directory Access Protocol) is a directory protocol, also<br />
spoken by Windows Active Directory, that you can use to provide fixed password<br />
authentication for SOCKS5, Telnet, FTP, and Web sessions through the Sidewinder<br />
G2. It can also be used to authenticate logins and SSH logins to the<br />
Sidewinder G2. You can set up an LDAP directory server containing<br />
users and passwords. Use any valid combination of LDAP attributes<br />
and values as an optional filter string to restrict which directory entries<br />
count as authorized Sidewinder G2 users.<br />
Windows Domain<br />
If your organization operates a Windows primary domain controller<br />
(PDC) or backup domain controller (BDC), you can use it to provide<br />
weak (reusable password) authentication for login, SOCKS5, Telnet, FTP, Web, and SSH<br />
sessions to the Sidewinder G2. The PDC or BDC can be used to<br />
provide password authentication. Be sure the domain controller does<br />
not allow blank or default logins that can be easily guessed by<br />
outsiders.<br />
SNK (SecureNet Key)/Symantec Defender authentication<br />
If your organization operates a Defender Security Server (DSS) (made<br />
by Symantec Corporation) you can use it to provide fixed password,<br />
challenge/response, or password + challenge/response authentication<br />
for SOCKS5, Telnet, and FTP sessions through the Sidewinder G2. It<br />
can also be used to authenticate logins and SSH logins to the<br />
Sidewinder G2. Web sessions can also be authenticated but are limited<br />
to using the password authentication method.<br />
SecurID authentication<br />
If your organization operates an ACE/Server (made by RSA Security,<br />
Inc.) you can use it to provide fixed or one-time password<br />
authentication for login, SOCKS5, Telnet, FTP, Web, and SSH sessions<br />
to the Sidewinder G2. For this authentication method, users enter a<br />
PIN and the passcode currently displayed on the user’s SecurID<br />
authenticator.<br />
RADIUS authentication<br />
If your organization operates a RADIUS server, you can use it to<br />
provide strong authentication for SOCKS5, Telnet, FTP, and Web<br />
sessions through the Sidewinder G2 (the strength is that of the credential<br />
the RADIUS server validates, as Table 9-2 shows for the SafeWord servers). It can also be used to<br />
authenticate logins and SSH logins to the Sidewinder G2.<br />
Authentication process overview<br />
SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS<br />
servers that have been certified for full interoperability with the<br />
Sidewinder G2. As shown in Table 9-2, each provides strong<br />
authentication using passcodes for SOCKS5, Telnet, and FTP sessions<br />
through the Sidewinder G2, and for authenticating logins and SSH<br />
logins to the Sidewinder G2. Web sessions can also be authenticated,<br />
but are limited to using fixed passwords or passcodes without a<br />
challenge/response option.<br />
For all authentication methods, a warder in the Sidewinder G2<br />
communicates with an authentication server to validate users. A<br />
warder provides an interface between the proxy software and the<br />
various authentication services. As shown in Figure 9-1, there is a<br />
separate warder for each authentication method.<br />
Figure 9-1. Authentication servers supported by the Sidewinder G2<br />
(Diagram: a client PC or workstation; the Sidewinder G2 with its proxy, active rules, local user<br />
database and one warder per method (Windows Domain, LDAP, RADIUS, SNK, SecurID, SafeWord,<br />
password); and the external authentication servers, each with its own database: NT PDC or BDC,<br />
LDAP server, RADIUS server, Defender Security Server (DSS), ACE server, SafeWord server. The<br />
numbers 1 through 6 in the figure mark the process overview steps listed below.)<br />
The numbers in Figure 9-1 represent the sequence of events that<br />
occur when a remote user requests a network connection through the<br />
Sidewinder G2. These events are described below. In this scenario,<br />
the user is authenticated using SafeWord PremierAccess, which<br />
implements a challenge-response authentication process. (Note that<br />
the process is different for other authentication methods.)<br />
1. A user tries to make a network connection via Telnet or FTP.<br />
2. The Sidewinder G2 checks the active rules to determine whether the<br />
connection between the source and destination addresses is allowed<br />
and to determine which warder to use.<br />
3. If the connection is allowed, the proxy contacts the appropriate warder<br />
in the Sidewinder G2.<br />
4. The warder passes the login request to the appropriate authentication<br />
server. The server checks its database to verify that the user’s login name is<br />
registered and then generates a login challenge.<br />
5. The login challenge is sent to the user. Using client software or a<br />
hardware authenticator, the user types in the proper response to the<br />
challenge.<br />
6. The Sidewinder G2 sends the response to the authentication server. The<br />
authentication server checks the response and tells the Sidewinder<br />
G2 to either accept or reject the login request.<br />
Users, groups, and authentication<br />
As a Sidewinder G2 administrator, you are responsible for configuring<br />
the Sidewinder G2 to work with the desired authentication server. The<br />
first step is identifying the users that will need authentication services<br />
on the Sidewinder G2. You can set up authentication on a user-by-user<br />
basis or create user groups. A user group is a mechanism that<br />
allows you to identify multiple users by a single name, making it<br />
easier to configure authentication requirements for your network.<br />
Note: The procedures to add users to the user database and set up user groups are<br />
described in Chapter 5.<br />
After defining and creating the appropriate user groups for your site,<br />
you need to configure the authentication method(s) that your site will<br />
use. The following section describes what needs to be done to<br />
configure the Sidewinder G2 for authenticating users or<br />
administrators.<br />
Configuring authentication services<br />
To configure authentication services for the Sidewinder G2, start the<br />
Admin Console and select Services Configuration -> Authentication. The<br />
Authentication Configuration window appears.<br />
Note: You must configure an authentication method before it can be enabled.<br />
Figure 9-2. Authentication Configuration window<br />
About the Authentication Configuration window<br />
This window allows you to configure authentication services on the<br />
Sidewinder G2. You can also manage locked out administrators and<br />
SSO-authenticated users. You can perform the following actions in<br />
this window:<br />
Configure an authentication method—To configure an authentication<br />
method, click the appropriate Configure button. (If you attempt to<br />
enable an authentication method that has not yet been configured,<br />
you will be prompted to configure the method first.) The following<br />
authentication methods can be configured:<br />
— LDAP/Active Directory—To configure LDAP/Active Directory<br />
authentication, see “Setting up LDAP authentication” on page<br />
9-16.<br />
— Password—To configure password authentication, see “Setting<br />
up password authentication” on page 9-18.<br />
— RADIUS—To configure RADIUS authentication, see “Setting up<br />
RADIUS authentication” on page 9-19.<br />
— SafeWord—To configure SafeWord PremierAccess<br />
authentication in a tightly coupled configuration, see “Setting<br />
up SafeWord authentication” on page 9-21. (SafeWord<br />
PremierAccess and SafeWord RemoteAccess can also be<br />
configured using the RADIUS interface.)<br />
— SecurID—To configure SecurID authentication, see “Setting up<br />
SecurID authentication” on page 9-22.<br />
— SNK/Symantec Defender—To configure SecureNet Key (SNK)/<br />
Symantec Defender authentication, see “Setting up SecureNet<br />
Key (SNK) authentication” on page 9-24.<br />
— Windows Domain—To configure Windows Domain<br />
authentication, see “Setting up Windows Domain<br />
authentication” on page 9-26.<br />
Enable/disable an authentication method—A check mark appears in<br />
front of authentication methods that are currently enabled. To<br />
enable an authentication method, select the appropriate check box<br />
under the Enable Warders area. To disable an authentication<br />
method, deselect the appropriate check box in the Enable Warders<br />
area.<br />
Note: If you attempt to enable an authentication method that has not yet been<br />
configured, you will be prompted to configure the method first.<br />
Manage locked out users—To configure the Sidewinder G2 to<br />
lock out a user if the number of failed authentication attempts<br />
reaches the specified lockout threshold, or to manage users who<br />
are currently locked out, click Authentication Failure Locked Out Users<br />
and see “Configuring and managing the locked out users” on page<br />
9-14 for details.<br />
View SSO Authenticated Users—To view users currently in the SSO<br />
authenticated cache, click Current SSO Authenticated Users, and see<br />
“Viewing currently authenticated SSO users” on page 9-15.<br />
Configure external authorization roles—The External Authorization Roles<br />
list displays the roles defined by an external authentication<br />
program (for example, SafeWord PremierAccess or LDAP/Active<br />
Directory) that can be used within a Sidewinder G2 proxy rule.<br />
Use the New, Modify, and Delete buttons to manage this list. If you<br />
click New or Modify under the External Authorization Roles field,<br />
the New (or Modify) External Authorization Roles window<br />
appears.<br />
Note: See “Creating proxy rules” on page 7-4 for information on how these roles are<br />
used in a proxy rule. (You may need to consult the administrator of your particular<br />
authentication program for the names of the roles to add to this list.)<br />
About the New (or Modify) External Authorization Roles window<br />
The New (or Modify) External Authorization Roles window contains a<br />
single External Role field in which you specify a name for the external<br />
role. Currently, the only external authorization servers that support<br />
roles within a proxy rule are SafeWord PremierAccess and LDAP/<br />
Active Directory. The name of the external role must match exactly the name<br />
of a group within the server (SafeWord PremierAccess or LDAP) to<br />
which the user belongs.<br />
Click Add to add the entry to the External Authorization Roles list<br />
and close the window.<br />
Configuring and managing the locked out users<br />
This window allows you to configure the authentication failure<br />
lockout feature on your Sidewinder G2. The authentication failure<br />
lockout feature allows you to configure the Sidewinder G2 to block<br />
access to a user if the number of consecutive failed authentication<br />
attempts reaches a configured number. This protects a user’s account<br />
against repeated attempts at guessing the password. Using<br />
this window, you can perform the following actions:<br />
Important: If all administrators become locked out of the Sidewinder G2, see “Manually<br />
clearing an authentication failure lockout” on page A-21.<br />
Enable or disable the lockout feature—When this feature is enabled,<br />
any time a user account reaches the specified authentication<br />
attempt threshold without a successful authentication, that user<br />
will be locked out until the lock is cleared by an administrator. The<br />
lock can also be cleared if the locked out administrator logs in<br />
at the Sidewinder G2 using the correct login information. To<br />
enable this feature, select the Enable radio button. To disable this<br />
feature, select the Disable radio button.<br />
Note: When authentication failure lockout is enabled, the client-side cache is<br />
emptied and authenticated allow rules will not be cached.<br />
View locked out users—The Locked Out Users area lists any users who<br />
are currently locked out of the Sidewinder G2 due to exceeded<br />
authentication failures. It also displays the number of failed<br />
login attempts for each user.<br />
Figure 9-1. SSO Cached Authentication Users<br />
Configure the lockout threshold—The Lockout Threshold field allows<br />
you to specify the number of failed login attempts that can occur<br />
for a single user account before that user is locked out of the<br />
Sidewinder G2.<br />
Note: When a user is locked out, their authentication method will become invalid.<br />
They will NOT be notified that they are locked out.<br />
Clear user locks—To clear the lock for a user, select the user and<br />
click Clear.<br />
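The lockout rules described above, as an added example that is not code from the guide or from Secure Computing: consecutive failures are counted per account, the account locks when the count reaches the threshold, a locked account is rejected even with the correct password and gets the same answer as a wrong one, and only an administrator clearing the lock or the locked-out administrator logging in locally with correct credentials releases it. The accounts, threshold and attempt sequence are constructed; the `admin_at_console` flag is this example's way of representing "logs in at the Sidewinder G2".

```python
"""Added example (not from the Sidewinder G2 guide or from Secure Computing):
the authentication-failure lockout behaviour as a small state machine."""


class FailureLockout:
    def __init__(self, threshold=3):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self._failures = {}      # account -> consecutive failed attempts
        self._locked = set()

    def attempt(self, account, credentials_ok, admin_at_console=False):
        """Outcome of one authentication attempt: 'accept' or 'reject'.

        A locked account is rejected even with the right password and gets the
        same answer as a wrong password (the user is NOT told about the lock).
        The one exception is a locked-out administrator logging in at the
        firewall itself with correct credentials, which clears the lock."""
        if account in self._locked:
            if credentials_ok and admin_at_console:
                self.clear(account)
                return "accept"
            return "reject"
        if credentials_ok:
            self._failures.pop(account, None)   # a success resets the counter
            return "accept"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.threshold:              # lock when the threshold is reached
            self._locked.add(account)
        return "reject"

    def locked_out_users(self):
        """What the Locked Out Users area shows: account -> failed attempts."""
        return {a: self._failures[a] for a in sorted(self._locked)}

    def clear(self, account):
        """An administrator selecting the user and clicking Clear."""
        self._locked.discard(account)
        self._failures.pop(account, None)


def replay(events, threshold=3):
    """Run a constructed sequence of (account, credentials_ok) attempts through
    the lockout and return (verdicts, lockout) for inspection."""
    lock = FailureLockout(threshold)
    return [lock.attempt(*event) for event in events], lock
```

Because the counter is keyed by login name alone, anyone who knows an administrator's login name can lock it with a run of wrong passwords; a low threshold on administrator accounts trades brute-force resistance for exactly the all-administrators-locked-out situation the Important note above points to.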
Viewing currently authenticated SSO users<br />
This window allows you to view the current SSO-authenticated<br />
(cached) users. In this window, you have the option to override the<br />
authentication cache default values and immediately expire the SSO<br />
authentication of one or more users.<br />
The Authentication Cache table allows you to view all users who are<br />
currently authenticated (cached) using SSO. The following fields are<br />
displayed in the table:<br />
Note: If you disable the SSO server, the authenticated user cache will be emptied. When<br />
the SSO server is enabled again, all users will need to authenticate before being added<br />
back into the cache.<br />
Note: For information on configuring SSO, see “Configuring SSO” on page 9-27.<br />
Name—This column displays the name(s) of all users who<br />
currently have cached authentication.<br />
External Group—This column displays the external group to which<br />
a user belongs.<br />
Warder—This column displays the type of authentication utilized<br />
by a user.<br />
IP Address—This column displays the source IP address from<br />
which the authentication request originated.<br />
Time of User Entering Cache—This column displays the time at which<br />
a user was initially authenticated and added to the cache.<br />
Time Cached Data Last Accessed—This column displays the time at<br />
which a user last accessed a service that required authentication.<br />
To expire the SSO authentication cache for all users listed in the table,<br />
click Expire All Entries. To expire the SSO authentication cache for a<br />
single user or group of users, select the users you want to expire by<br />
clicking on the appropriate table row(s). To select multiple users,<br />
press and hold the Ctrl key as you select users. Then click Expire<br />
Entry(s) to expire the selected users from the authentication cache.<br />
When you expire the authentication cache for one or more users, those users<br />
will be required to re-authenticate before they can again access any<br />
authenticated services.<br />
Note: Subsequent authentication requests by an expired user will be cached when they<br />
re-authenticate, allowing them to again utilize SSO authentication.<br />
Setting up LDAP authentication<br />
To configure LDAP authentication on the Sidewinder G2, in the<br />
Admin Console select Services Configuration -> Authentication, and click<br />
Configure LDAP. The following window appears.<br />
Figure 9-3. LDAP configuration window<br />
Entering information on the LDAP Configuration window<br />
This window is used to configure your Sidewinder G2 to work with<br />
an LDAP server. The top portion of the window displays a list of any<br />
current LDAP servers you have defined. To add a new server, click<br />
New. To modify an existing server, highlight the server and click<br />
Modify. See “About the LDAP Configuration: Domain Controller<br />
Configuration window” on page 9-18 for instructions on adding or<br />
modifying an LDAP server entry. To configure the general LDAP<br />
properties for all of the defined LDAP servers, follow the steps below.<br />
1. In the Maximum Retries field, specify the number of authentication<br />
attempts that will be made before a failure is issued. The default is 3.<br />
2. In the Timeout field, specify the number of seconds to wait for the<br />
server to respond. The default is 60 seconds.<br />
3. In the Login Prompt field, specify the prompt that you want to appear<br />
for the user name portion of the login process. The default is Username.<br />
4. In the Password Prompt field, specify the prompt that you want to<br />
appear for the password portion of the login process. The default is<br />
Password.<br />
5. In the User Attribute field, specify the attribute that will be used to<br />
define usernames in the LDAP server. The default is uid (used by<br />
i-Planet).<br />
6. In the Member Attribute field, specify the attribute that will be used to<br />
check for group membership. The default is uniquemember (used by<br />
i-Planet).<br />
7. In the Search Base field, specify the user directory sub-tree. For example,<br />
i-Planet defaults to the People directory, as follows: ou=People.<br />
8. [Optional] In the Filter field, you can specify a free-form LDAP search<br />
filter that must match a user entry before that user can be<br />
authenticated. The filter is not enabled by default. Only administrators<br />
who are familiar with the free-form LDAP search capability should<br />
configure a filter value.<br />
9. [Optional] In the Domain field, specify the network domain that will be<br />
used for LDAP. This field applies only to Windows Active Directory.<br />
10. Click OK to return to the Authentication window.<br />
11. Click the Save icon to save your changes.<br />
Note: If you want to use LDAP authentication after it is configured, you must also<br />
enable it in the Authentication Configuration window.<br />
About the LDAP Configuration: Domain Controller Configuration window<br />
The LDAP Configuration: Domain Controller Configuration window allows you to<br />
configure the IP address and port for an LDAP server. Follow the steps<br />
below.<br />
1. In the IP Address field, type the IP address for the LDAP server.<br />
2. In the Port Number field, type the port that the LDAP server should use.<br />
The default port is 389. Port 389 is unencrypted LDAP, so the user’s password<br />
crosses the network in the clear between the Sidewinder G2 and the directory;<br />
keep that path on a protected network.<br />
3. Click OK to add the LDAP server to the list of configured LDAP servers.<br />
4. Click the Save icon in the toolbar to save your changes.<br />
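How the User Attribute, Member Attribute, Search Base and Filter settings above combine into a directory lookup, and how an External Authorization Role (described earlier under “About the New (or Modify) External Authorization Roles window”) is checked against group membership, as an added example that is not code from the guide or from Secure Computing. The in-memory directory, the `dc=example,dc=com` suffix and the `(objectClass=inetOrgPerson)` filter are constructed for the example; `uid`, `uniquemember` and `ou=People` are the guide's i-Planet defaults. The example also shows why the typed user name must be RFC 4515-escaped before it is placed in the filter.

```python
"""Added example (not from the Sidewinder G2 guide or from Secure Computing):
the LDAP warder's settings as a search, with filter escaping and a role check."""
import re

# Settings named as in the LDAP Configuration window.  The search base suffix
# and the filter are assumptions for this example.
LDAP_SETTINGS = {
    "user_attribute": "uid",
    "member_attribute": "uniquemember",
    "search_base": "ou=People,dc=example,dc=com",
    "filter": "(objectClass=inetOrgPerson)",   # optional free-form filter
}

# Constructed directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"], "objectclass": ["inetOrgPerson"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": ["bob"], "objectclass": ["inetOrgPerson"]},
    # Same uid outside the search base: must not be found by the warder.
    "uid=alice,ou=Contractors,dc=example,dc=com": {
        "uid": ["alice"], "objectclass": ["inetOrgPerson"]},
    "cn=fw-admins,ou=Groups,dc=example,dc=com": {
        "cn": ["fw-admins"],
        "uniquemember": ["uid=alice,ou=People,dc=example,dc=com"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping: the user name is data, not filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(settings, username, escape=True):
    """(&(<user_attribute>=<username>)<filter>) as the warder would send it."""
    name = escape_filter_value(username) if escape else username
    term = "(%s=%s)" % (settings["user_attribute"], name)
    extra = settings.get("filter")
    return "(&%s%s)" % (term, extra) if extra else term


_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def _parse_filter(flt):
    """Parse the (attr=value) and (&(attr=value)...) forms this example emits.
    Values are returned still escaped so that a literal '*' in a user name
    is not confused with the presence wildcard."""
    body = flt[2:-1] if flt.startswith("(&") else flt
    terms = _TERM.findall(body)
    if "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported filter: " + flt)
    return [(attr.lower(), raw) for attr, raw in terms]


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def search(directory, base_dn, flt):
    """Subtree search: DNs under base_dn whose attributes satisfy every term."""
    wanted = _parse_filter(flt)

    def matches(attrs):
        for attr, raw in wanted:
            if raw == "*":
                if attr not in attrs:
                    return False
            elif _unescape(raw) not in attrs.get(attr, []):
                return False
        return True

    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + base_dn.lower()) and matches(attrs)]


def lookup_user(directory, settings, username):
    """The DN the warder would bind as, or None unless exactly one entry matches."""
    hits = search(directory, settings["search_base"],
                  build_user_filter(settings, username))
    return hits[0] if len(hits) == 1 else None


def has_role(directory, settings, user_dn, role):
    """External Authorization Role == cn of a group whose member attribute
    lists the user's DN (the role name must match the group name)."""
    for dn, attrs in directory.items():
        if dn.lower().startswith("cn=%s," % role.lower()) and \
                user_dn in attrs.get(settings["member_attribute"], []):
            return True
    return False
```

The contractor entry shows why the Search Base matters: widening it to `dc=example,dc=com` makes the name `alice` ambiguous and the lookup fails closed. Building the filter without escaping turns the typed name `*)(uid=*` into a wildcard that matches every user under the search base, which is the injection the escaping prevents.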
Setting up password authentication<br />
To configure password authentication on the Sidewinder G2, in the<br />
Admin Console select Services Configuration -> Authentication, and click<br />
Configure Password. The following window appears.<br />
Figure 9-4. Password Configuration window<br />
Entering information on the Password Configuration window<br />
This window is used to configure password authentication on the<br />
Sidewinder G2. Follow the steps below.<br />
1. In the Login Prompt field, type the prompt text that you want to appear<br />
when the Telnet proxy service prompts a user for his or her user name.<br />
Note: The prompt you configure in this field is only used for the Telnet proxy service,<br />
and only appears after an authentication attempt of this type has failed.<br />
2. In the Password Prompt field, type the prompt text that you want to<br />
appear when the Sidewinder G2 prompts a user for his or her password.<br />
3. In the Expiration Message field, type the message you want to appear<br />
when a user’s password has expired.<br />
4. In the Password Expiration Timespan field, type the number of days the<br />
password will be valid.<br />
5. Click OK to save your changes before returning to the Authentication<br />
Configuration window.<br />
Note: If you want to use password authentication after it is configured, you must<br />
also enable it in the Authentication Configuration window.<br />
Setting up RADIUS authentication<br />
RADIUS is a standard protocol used to authenticate users before they<br />
are allowed access to your system. To configure the Sidewinder G2 to<br />
work with a RADIUS server, start the Admin Console and select<br />
Services Configuration -> Authentication, and click Configure Radius. The<br />
following window appears.<br />
Figure 9-5. RADIUS configuration window<br />
Entering information on the RADIUS window<br />
This window is used to configure RADIUS authentication on the<br />
Sidewinder G2. Follow the steps below.<br />
1. The Radius Servers table lists the RADIUS servers currently configured<br />
for the Sidewinder G2. To configure the Radius Servers table, do one of<br />
the following:<br />
New—Click this button to create a new server entry. See “Adding<br />
or modifying a RADIUS server entry” on page 9-21 for details.<br />
Modify—Click this button to modify the selected server entry. See<br />
“Adding or modifying a RADIUS server entry” on page 9-21 for<br />
details.<br />
Delete—Click this button to remove the selected server entry.<br />
2. In the Login Prompt field, type the login prompt that you want to<br />
appear when a user authenticates using RADIUS (the default is<br />
Username:).<br />
3. In the Password Prompt field, type the password prompt that you want<br />
to appear when a user authenticates using RADIUS (the default is<br />
Password:).<br />
4. In the Failed Authentication Message field, type the message that you<br />
want to display if the user incorrectly enters their authentication<br />
information (the default is Login incorrect).<br />
5. Click OK to save your changes before returning to the Authentication<br />
Configuration window.<br />
Note: If you want to use RADIUS authentication after it is configured, you must also<br />
enable it in the Authentication Configuration window.<br />
Adding or modifying a RADIUS server entry<br />
The RADIUS Configuration: Domain Controller Configuration window<br />
is used to create a new server entry or to modify an existing server<br />
entry. Follow the steps below.<br />
1. In the IP Address field, type the IP address used by the RADIUS server.<br />
2. In the Port Number field, specify the port number used by the RADIUS<br />
server. (The default port is 1812.)<br />
3. In the Shared Secret field, type the shared secret. This must match the<br />
Shared Secret defined on the RADIUS server. Use a long, random string: the<br />
shared secret is the only key that protects the user’s password and the<br />
integrity of the server’s replies on the path between the Sidewinder G2 and<br />
the RADIUS server.<br />
4. Click Add to add the entry to the list of RADIUS servers, and then click<br />
Close.<br />
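What the shared secret and port entered above are used for on the wire, as an added example that is not code from the guide or from Secure Computing. It shows both sides of the RADIUS exchange in the RFC 2865 packet format: the client (the role the RADIUS warder plays) hides the User-Password attribute with the shared secret and a fresh 16-byte Request Authenticator, and accepts the reply only if its Response Authenticator was computed with the same secret over that request. The secret, the user table and the request identifiers are constructed for the example.

```python
"""Added example (not from the Sidewinder G2 guide or from Secure Computing):
an RFC 2865 Access-Request / Access-Accept exchange with password hiding and
Response Authenticator verification."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types

# Constructed values: the secret is the only key RADIUS has, so never pick a
# short or guessable one.
SECRET = b"8f2c9b1e-constructed-shared-secret-long-and-random"
USERS = {"alice": b"s3cret-pw"}          # constructed server-side user table


def encode_attrs(pairs):
    """Type-Length-Value attributes; the length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def decode_attrs(blob):
    out, pos = {}, 0
    while pos + 2 <= len(blob):
        t, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        out[t] = blob[pos + 2:pos + length]
        pos += length
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")               # assumes no trailing NUL in passwords


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side: a fresh, unpredictable Request Authenticator per request."""
    req_auth = req_auth or os.urandom(16)
    hidden = hide_password(password.encode(), secret, req_auth)
    attrs = encode_attrs([(USER_NAME, username.encode()), (USER_PASSWORD, hidden)])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(request, secret, users):
    """Server side: recover the password, check it, sign the answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(reply, ident, req_auth, b"", secret)
    return packet(reply, ident, auth, b"")


def client_verify(request, response, secret):
    """Return the reply code, or None unless the reply was produced by a holder
    of our secret for this exact request (identifier and authenticator match)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20],
                                      response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

Two consequences follow from the construction: anyone who can capture a request can test candidate secrets offline against the hidden password, so a short or dictionary secret is recoverable, and a host that does not hold the secret cannot forge an Access-Accept that passes `client_verify`. Keep the RADIUS path on a protected network and use a long random secret on both ends.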
Setting up SafeWord authentication<br />
This section describes how to configure your Sidewinder G2 to work<br />
with a SafeWord PremierAccess authentication server for login,<br />
SOCKS5, Telnet, FTP, Web, or SSH authentication.<br />
To configure SafeWord PremierAccess authentication on the<br />
Sidewinder G2, you must first install and configure the SafeWord<br />
PremierAccess Authentication Server. (Refer to the appropriate<br />
product documentation.)<br />
In the Admin Console select Services Configuration -> Authentication,<br />
and click Configure SafeWord. The following window appears.<br />
Figure 9-6. SafeWord Configuration window<br />
About the SafeWord Configuration window<br />
This window allows you to view and modify your SafeWord<br />
PremierAccess server entries. The SafeWord Configuration tab<br />
contains a table with the following fields:<br />
Rank—This column indicates which server the Sidewinder G2 will<br />
try first.<br />
Host—This column indicates the host (IP address) for each server<br />
entry.<br />
Port Number—This column indicates the port number for each<br />
server entry. The default port number for SafeWord PremierAccess<br />
is 5030. (If you are configuring a server entry for SafeWord, you<br />
will need to change the port to 7482.)<br />
To delete an existing entry, highlight that entry and click Delete.<br />
To create a new server entry, click New. To modify an existing server<br />
entry, highlight the entry you want to modify, and click Modify. See<br />
“Adding or modifying a SafeWord server entry” on page 9-22 for<br />
details.<br />
Note: If you want to use SafeWord PremierAccess authentication after it is configured,<br />
you must also enable it in the Authentication Configuration window.<br />
Adding or modifying a SafeWord server entry<br />
The SafeWord Server Configuration window is used to create a new<br />
server entry or to modify an existing server entry. Follow the steps<br />
below.<br />
1. In the IP Address field, type the IP address used by the SafeWord<br />
PremierAccess Authentication Server.<br />
2. In the Port Number field, specify the port number used by the SafeWord<br />
PremierAccess Authentication Server. (The default port for SafeWord<br />
PremierAccess is 5030.)<br />
3. Click Add to add the entry to the list of SafeWord servers, and then click<br />
Close.<br />
Setting up SecurID authentication<br />
This section describes how to configure your Sidewinder G2 to<br />
work with an ACE Server for login, SOCKS5, Telnet, FTP, Web, or SSH<br />
authentication. Follow the steps below.<br />
1. Install and configure the ACE server software.<br />
Note: Be sure to add the Sidewinder G2 as a client. Refer to your ACE server<br />
documentation for details.<br />
Note: If you need to reinstall Sidewinder G2 software you must disable the Send<br />
Node Secret option in the Edit Client window on the ACE server. This causes the<br />
ACE server to resend the node secret to the Sidewinder G2.<br />
Figure 9-7. SecurID Configuration window<br />
Entering information on the SecurID Configuration window<br />
2. Import the ACE Server configuration file (sdconf.rec) to a directory (for<br />
example, the /tmp directory) on the <strong>Sidewinder</strong> <strong>G2</strong> or directly to the<br />
Admin Console system.<br />
The ACE Server configuration file is created on the ACE Server. It must<br />
be transferred to a temporary location on the <strong>Sidewinder</strong> <strong>G2</strong> or Admin<br />
Console via FTP or diskette.<br />
3. Start the Admin Console and select Services Configuration -><br />
Authentication and click Configure SecurID. The following window<br />
appears.<br />
This window allows you to specify the installation configuration file<br />
location. Follow the steps below.<br />
1. In the Source field, specify whether the configuration file is stored on the Admin Console (Local File) or on the Sidewinder G2 (Remote File).
2. In the Install Configuration File field, type the path name of the file in which you stored the ACE Server configuration. This is the same file you imported in step 2 of “Setting up SecurID authentication” on page 9-22. To browse for the location of the configuration file rather than typing it directly, click Browse.
3. Click OK to save your changes before returning to the Authentication Configuration window. This assigns the sdconf.rec file the proper Type Enforcement type and installs the file in the correct Sidewinder G2 directory.
Note: If you want to use SecurID authentication after it is configured, make sure you enable it in the Authentication Configuration window.
Setting Up Authentication 9-23
Setting up SecureNet Key (SNK) authentication
To configure your Sidewinder G2 to work with Symantec Defender Security Server (DSS) for login, SOCKS5, Telnet, FTP, Web, and SSH authentication, follow the steps below.
Note: Configuring SNK consists of performing some configuration tasks on the DSS and some on the Sidewinder G2.
On the Defender Security System, do the following:
1. Install the Defender Security Server and Defender Management (DMS) software. Refer to your Defender documentation for installation information. If DSS is already installed in your network, you can skip this step.
2. Register your Sidewinder G2 with the DMS software. Refer to your Defender documentation for registration information.
Important: The Agent ID can consist of 1–16 ASCII characters. The Agent Key must consist of exactly 16 hexadecimal digits. The values used in the DMS software must also be entered on your Sidewinder G2 (in step 1 and step 2 on page 9-25). If the values are not identical, the Sidewinder G2 will not accept the login, SOCKS5, Telnet, FTP, Web, or SSH proxy connections.
3. Use the DMS software to create accounts for users. Refer to the DMS documentation you received from Symantec.
On the Sidewinder G2, do the following:
4. Start the Admin Console and select Services Configuration -> Authentication and click Configure SNK. The following window appears.
Note: If you change the SNK configuration on the Sidewinder G2 while there are active SNK-authenticated sessions, Defender Security Server (DSS) will not be notified when those sessions are terminated. DSS will continue to report that those sessions are active. To avoid this, make SNK changes only from the Administrative kernel (which guarantees that no SNK-authenticated sessions exist).
Figure 9-8. SNK Configuration window
Entering information on the SNK Configuration window
This window is used to configure SecureNet Key (SNK) authentication on the Sidewinder G2. Follow the steps below.
Note: You must configure a primary or backup Defender server (or both) before you can enable SNK authentication.
1. In the Sidewinder Agent ID field, type the ID you used when you registered the Sidewinder G2 with the WinDMS software. The ID must exactly match the ID created in step 2 on page 9-24 or the connection will not be accepted.
2. In the Sidewinder Agent Key field, type the key you used when you registered the Sidewinder G2 with the WinDMS software. The key must exactly match the key created in step 2 on page 9-24 or the connection will not be accepted.
3. In the Primary Defender Server area, configure a Primary Defender Server, as follows:
a. In the IP Address field, type the IP address used by the DSS system.
b. In the Port Number field, type the port number used by the DSS system. This number must be larger than 1024.
4. [Optional] In the Backup Defender Server area, do the following:
a. In the IP Address field, type the IP address for the backup DSS system.
b. In the Port Number field, type the port number used by the backup DSS system.
5. Click OK to save your changes and return to the Authentication window.
Note: If you want to use SNK authentication after it is configured, make sure you enable it in the Authentication window.
Setting Up Authentication 9-25
Setting up Windows Domain authentication
To configure Windows Domain authentication on the Sidewinder G2, in the Admin Console select Services Configuration -> Authentication and click Configure Domain. The following window appears.
Figure 9-9. Windows Domain configuration window
Entering information on the Windows Domain Configuration window
This window is used to configure your Sidewinder G2 to work with a Windows primary domain controller (PDC) or backup domain controller (BDC). Follow the steps below.
1. The Windows Domain Controllers table lists the Windows domain controllers currently configured for the Sidewinder G2. To configure the domain controllers, do one of the following:
New—Click this button to create a new domain controller entry. See “Adding or modifying a Windows domain controller entry” on page 9-27 for details.
Modify—Click this button to modify the selected entry. See “Adding or modifying a Windows domain controller entry” on page 9-27 for details.
Delete—Click this button to remove the selected entry.
2. In the Login Prompt field, specify the login prompt that you want to display to users when they log in. The default is Username.
3. In the Password Prompt field, specify the password prompt that you want to display to users when they log in. The default is Password.
4. In the Failed Authentication Message field, specify the message that you want to display if a user’s authentication attempt fails. The default is Login incorrect.
5. Click OK to save your changes before returning to the Authentication Configuration window.
Note: If you want to use Windows Domain authentication after it is configured, make sure you enable it in the Authentication Configuration window.
Adding or modifying a Windows domain controller entry
The Domain Controller Configuration window is used to add or modify a domain controller entry. Follow the steps below.
1. In the IP Address field, type the IP address used by the Windows domain controller.
The Port Number field displays the port used by the Windows domain controller. The default value is 139. This field cannot be modified.
2. In the Windows Domain Controller Name field, type the name of this Windows domain controller. Type only the host or computer name, not the fully qualified name. You can determine the name by selecting My Computer -> Control Panel -> Network on the Windows controller.
3. Click Add to add the entry to the list of Windows domain controllers.
Configuring SSO
Single sign-on (SSO) works in conjunction with a specified authentication method to cache a user’s initial authentication, thereby allowing access to multiple services with a single successful authentication to the Sidewinder G2.
This is done by storing the source IP address for a successful authentication in a cache. All proxy rule services that require authentication check that cache for a successful authentication. If the source IP address exists in the cache, transparent authentication based on the initial authentication takes place and the user is allowed access without manually re-authenticating.
You can configure SSO to expire cached authentications after a specified time period has passed (for example, you may choose to require each user to re-authenticate every two hours). You also have the option to require a user to re-authenticate after a specified period of idle time (for example, a user must re-authenticate if the cached authentication has not been accessed for one hour or more). You also have the option to manually expire the cached authentication for a specific user (or users) or for all users, at any time.
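The cache behaviour just described (entries keyed by source IP, a forced re-authentication period, an idle timeout, and manual expiry for one user or for all users), modelled in Python as an added example. This is not code from the guide or from Secure Computing; the 10.1.1.5 address, the user names and the two-hour/one-hour limits are constructed sample values.

```python
"""Model of the SSO authentication cache described in the guide.

Added example, not Sidewinder G2 code. Times are plain integers (seconds)
supplied by the caller so that the expiry rules can be exercised offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CachedAuth:
    user: str
    method: str            # the SSO-enabled method used for the initial login
    authenticated_at: int  # time of the successful initial authentication
    last_access: int       # last time a proxy rule consulted this entry


class SsoCache:
    def __init__(self, force_every: int, inactive_every: int) -> None:
        # "Force Authentication Every": absolute lifetime of a cached credential.
        self.force_every = force_every
        # "Authenticate Inactive Users Every": idle timeout of a cached credential.
        self.inactive_every = inactive_every
        # The guide describes the cache as keyed by the connection's source IP.
        self._by_ip: Dict[str, CachedAuth] = {}

    def record(self, src_ip: str, user: str, method: str, now: int) -> None:
        """Store a successful authentication for the connection's source IP."""
        self._by_ip[src_ip] = CachedAuth(user, method, now, now)

    def lookup(self, src_ip: str, now: int) -> Optional[str]:
        """What a proxy rule requiring authentication does: consult the cache.

        Returns the cached user name when a valid entry exists (and refreshes
        its last-access time), or None when the user must log in manually.
        """
        entry = self._by_ip.get(src_ip)
        if entry is None:
            return None
        if now - entry.authenticated_at >= self.force_every:
            del self._by_ip[src_ip]   # absolute lifetime exceeded, even if active
            return None
        if now - entry.last_access >= self.inactive_every:
            del self._by_ip[src_ip]   # idle for the configured period or longer
            return None
        entry.last_access = now       # an access keeps the entry alive
        return entry.user

    def expire_user(self, user: str) -> int:
        """Manually expire every cached authentication belonging to one user."""
        stale = [ip for ip, entry in self._by_ip.items() if entry.user == user]
        for ip in stale:
            del self._by_ip[ip]
        return len(stale)

    def expire_all(self) -> int:
        """Manually expire the cached authentications of all users."""
        count = len(self._by_ip)
        self._by_ip.clear()
        return count


def demo() -> List[Optional[str]]:
    """Walk one client through the rules: re-auth every 2 hours, idle limit 1 hour."""
    cache = SsoCache(force_every=2 * 3600, inactive_every=3600)
    cache.record("10.1.1.5", "alice", "safeword", now=0)      # constructed sample
    results = []
    results.append(cache.lookup("10.1.1.5", now=1800))    # 30 min later: hit
    results.append(cache.lookup("10.1.1.5", now=5600))    # >1 h since last access: idle, miss
    cache.record("10.1.1.5", "alice", "safeword", now=5600)  # user logs in again
    results.append(cache.lookup("10.1.1.5", now=8000))    # active again: hit
    results.append(cache.lookup("10.1.1.5", now=10800))   # still active: hit
    results.append(cache.lookup("10.1.1.5", now=12900))   # >2 h since login: forced miss
    return results                                        # ["alice", None, "alice", "alice", None]
```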
Setting Up Authentication 9-27
Figure 9-10. SSO Configuration tab
Entering information on the Single Sign On Configuration window
To configure SSO, in the Admin Console select Services Configuration -> Servers, and select the SSO server. To enable the SSO server, select the check boxes for the appropriate burbs. To configure the SSO server, select the Configuration tab. The following window appears.
This window allows you to configure Single Sign On authentication on the Sidewinder G2. Follow the steps below.
1. In the Authentication Methods Used to Establish SSO Credentials list, select the authentication methods that will be allowed to store cached authentication credentials using SSO.
Note: Only authentication methods that have been configured and enabled will be available to select in this window. For information on the available types of authentication, see “Supported authentication methods” on page 9-5.
2. In the Default Method drop-down list, select the authentication method that will be used if multiple methods are available and the user does not specify a method to use during login.
3. If you want to require that a user log in via the SSO Web interface, select the Require Web Login check box.
4. In the Web Login area, do the following:
a. In the Port field, type the port that will be used to log in on the Web. (The default port is 8111.)
b. In the Edit Login Page Banner field, you can configure the Web page banner that appears when a user successfully logs in. To view the existing banner, click the corresponding View button. To modify the login page banner, click the corresponding Edit HTML button. For information on using the File Editor to configure the banner page, see “Using the Admin Console File Editor” on page 2-12.
c. In the Edit Logout Page Banner field, you can configure the Web page banner that appears when a user successfully logs out. To view the existing banner, click the corresponding View button. To modify the logout page banner, click the corresponding Edit HTML button. For information on using the File Editor to configure the banner page, see “Using the Admin Console File Editor” on page 2-12.
5. In the Authenticate Inactive Users Every fields, specify how long a user’s account must remain inactive before the user must re-authenticate, as follows:
a. In the corresponding drop-down list, select the time increment you want to use. Valid options are Seconds, Minutes, Hours, Days, Weeks, Months, and Years.
b. In the text box, specify the number of seconds, minutes, hours, and so on (in the increment you selected) before a user will be required to re-authenticate.
6. In the Force Authentication Every fields, specify a time period after which a user must re-authenticate regardless of whether the account is inactive or being used, as follows:
a. In the corresponding drop-down list, select the time increment you want to use. Valid options are Seconds, Minutes, Hours, Days, Weeks, Months, and Years.
b. In the corresponding text box, specify the number of seconds, minutes, hours, and so on (in the increment you selected) before a user will be required to re-authenticate.
7. Click the Save icon in the toolbar to save your changes and return to the Authentication Configuration window.
8. Ensure that the pre-configured Single Sign-On proxy rule has been included in your active rule group. The Single Sign-On proxy rule is configured to use a pre-configured Secure Web Application Defense called Single Sign-on, a Secure Web defense that uses SSL decryption to increase the security of data transactions.
Important: You must also ensure that SSO authentication is configured for each rule for which you want to use SSO. See “Creating proxy rules” on page 7-4.
Setting Up Authentication 9-29
Accessing the Web login and logout pages
When Web Login is configured for SSO, any time a user attempts to access the Web the login window will appear, prompting them to authenticate. A user can also access the authentication login page by directing their browser to:
https://SidewinderG2_address.com:8111/sidewinder/login.html
If a user wants to log out of the SSO cache manually (before their SSO authentication cache expires), they can point their browser to:
https://SidewinderG2_address.com:8111/sidewinder/logout.html
If a browser is configured for the proxy, you will need to configure that browser to NOT proxy requests going to the Sidewinder G2 on port 8111. The following steps provide an example of configuring an exception using Netscape.
1. Open Netscape and select Edit -> Preferences -> Advanced -> Proxies.
2. Select Manual Proxy Configuration.
3. In the No Proxy For field, type the URL for the Sidewinder G2 (for example, G2name.xyz.com).
4. Click OK to save the information and exit.
Setting up authentication for services
To require authentication for users who require any services that use authentication (for example, HTTP, Web, SOCKS5, sshd, VPN, Telnet, FTP, and the Admin Console), you will need to configure the appropriate proxy rule(s) for each service, and ensure that they are included in the active proxy rule group.
You can configure a proxy rule to support multiple authentication methods if multiple methods have been configured on the Sidewinder G2. In this scenario, a user can specify the authentication method that they want the Sidewinder G2 to use when they reply to a login prompt. For example, the following shows how a user can specify each authentication method from the login prompt:
>: login_name:password
>: login_name:ldap
>: login_name:msnt
>: login_name:snk
>: login_name:securid
>: login_name:safeword
>: login_name:radius
Tip: You only need to enter the first three characters of the name of the authentication method. For example, the following lists the minimum characters needed for each method:
lda  LDAP
msn  Windows Domain
pas  password
snk  SNK
sec  SecurID
saf  SafeWord
rad  Radius
Note: The Default Method drop-down list in the Authentication tab of the Rule window selects the authentication method the Sidewinder G2 uses when the user does not specify an authentication method during log in.
After you enable an authentication method for a specific proxy rule, users will have to enter the information required by that method whenever they try to use a service associated with that rule.
Note: For standard password authentication, you should inform those users how they can change their own log in password from their terminal or workstation using a Web browser such as Netscape or Internet Explorer. See “How users can change their own password” on page 9-36.
Special authentication notes
This section provides some special considerations that users should be made aware of regarding Telnet and FTP authenticated connections through the Sidewinder G2.
Setting Up Authentication 9-31
Changing user passwords and PINs for authentication methods
The Sidewinder G2 supports changing user passwords and PINs only under the Telnet proxy. For example, users can change their DSS password or their SafeWord PremierAccess PIN via the Telnet proxy. (Refer to the documentation for your authentication method for information on the commands used to change passwords and PINs.) Passwords and PINs cannot be changed using the FTP, Web, or SOCKS5 proxy. The user must either initiate a Telnet proxy session or contact their system administrator.
Switching authentication methods during a log in session
The Sidewinder G2 allows you to use multiple authentication methods for a given service (for example, users might use either SafeWord PremierAccess or SecurID for Telnet authentication). When logging on, if a user specifies the incorrect authentication method and authenticator, they cannot then specify a different authentication method. The Sidewinder G2 does not support changing warders in the middle of a session, so the user must close the session with the incorrect authentication warder and start a new session specifying the correct authentication warder.
Sessions through SNK hang if a user ID is not entered before the connection times out
If you are using SecureNet Key (SNK) for authentication, and a connection times out before a Telnet or FTP user enters a user ID, the challenge or password prompts are not sent and the session hangs. Users can escape from a Telnet session and get a new prompt by simultaneously pressing the Control and end bracket (]) keys. For FTP sessions, the process must be terminated.
Setting up authentication for Web sessions
You can require users to enter a password before they are allowed Web access. To do so requires that the user access the Web using either the Web proxy server or the HTTP proxy, both of which can authenticate using either fixed or one-time passwords, but cannot use a challenge/response form of authentication.
Follow these steps to set up Web authentication.
1. Ensure that the authentication method you want to use is configured and enabled. See “Configuring authentication services” on page 9-11.
2. Ensure that the Web proxy server or HTTP proxy is configured, enabled, and is using the proper authentication method.
To enable and configure the Web proxy server, see “Configuring the Web proxy server” on page 12-12.
To enable and configure the HTTP proxy, see “Configuring proxy properties” on page 8-28.
3. Add or modify proxy rules as needed. You must create one or more rules that define Web access between two burbs on your Sidewinder G2.
Note: When using standard password authentication, you may want to allow users to change their own log in password from their terminal or workstation. See “Allowing users to change their passwords” on page 9-34.
Setting up authentication for administrators
By default, all administrators who log in to the Sidewinder G2 are authenticated using standard password authentication. You can configure the Sidewinder G2 to require stronger authentication for administrator log in methods. To do so, see “Setting up authentication for services” on page 9-30 to modify the appropriate proxy rule(s). For example, if your Sidewinder G2 was installed with the Standard Internet set of services you might modify the login_console proxy rule.
When an administrator replies to a login: prompt during a console or Telnet connection request, they can choose the authentication method the Sidewinder G2 should use. For example:
>login: login_name:-password
>login: login_name:-ldap
>login: login_name:-msnt
>login: login_name:-snk
>login: login_name:-securid
>login: login_name:-safeword
>login: login_name:-radius
Note that this is similar to the response entered by your Telnet, FTP, SOCKS5, and Web users (see “Setting up authentication for services” on page 9-30), except that a dash (-) must precede the name of the authentication method. Shortcuts cannot be used; you must enter the entire name.
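A parser for the two login-prompt response forms the guide documents, the proxy-user form (login_name:method, with the three-character shortcuts from the tip in “Setting up authentication for services”) and the administrator form above (login_name:-method, full name required), added here as an example; it is not Sidewinder G2 code. It assumes, beyond what the page states, that proxy users may type any prefix of at least three characters and that a response with no method falls back to the rule's Default Method.

```python
"""Parser for the Sidewinder G2 login-prompt syntax described in the guide.

Added example, not the firewall's own code. Proxy users (Telnet, FTP,
SOCKS5, Web) answer 'login_name:method' and may shorten the method to its
first three characters; administrators at the console or Telnet login:
prompt answer 'login_name:-method' with the full method name.
Assumption: any prefix of three or more characters is accepted for proxy
users, and an answer without a method uses the rule's Default Method.
"""
from typing import Tuple

# Method names exactly as they appear in the guide's login examples.
METHODS = ("password", "ldap", "msnt", "snk", "securid", "safeword", "radius")


class LoginSyntaxError(ValueError):
    """Raised when the response does not follow the documented syntax."""


def _split(response: str) -> Tuple[str, str]:
    """Split 'login_name[:method]' into its two parts (method may be empty)."""
    name, _, method = response.strip().partition(":")
    if not name:
        raise LoginSyntaxError("missing login name")
    return name, method


def parse_proxy_login(response: str, default_method: str) -> Tuple[str, str]:
    """Proxy users: 'login_name[:method]', shortcuts of 3+ characters allowed."""
    name, method = _split(response)
    if not method:
        return name, default_method              # rule's Default Method applies
    if method.startswith("-"):
        raise LoginSyntaxError("the dash form is only for administrator logins")
    if len(method) < 3:
        raise LoginSyntaxError("enter at least three characters of the method name")
    matches = [m for m in METHODS if m.startswith(method)]
    if len(matches) != 1:                        # the 3-char prefixes are all unique
        raise LoginSyntaxError(f"unknown authentication method {method!r}")
    return name, matches[0]


def parse_admin_login(response: str, default_method: str) -> Tuple[str, str]:
    """Administrators: 'login_name[:-method]', dash and full name required."""
    name, method = _split(response)
    if not method:
        return name, default_method
    if not method.startswith("-"):
        raise LoginSyntaxError("a dash must precede the method name for administrators")
    method = method[1:]
    if method not in METHODS:                    # no shortcuts for administrators
        raise LoginSyntaxError(f"unknown or abbreviated method {method!r}; enter the full name")
    return name, method
```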
Setting Up Authentication 9-33
Allowing users to change their passwords
The Sidewinder G2 changepw server allows external users to use a Web browser to change their Sidewinder G2, SafeWord PremierAccess, or LDAP login password. The changepw server runs on the firewall burb, and communicates with other burbs via a proxy. To allow this process to occur, do the following:
Note: As an administrator, you should inform users how they can change their own password. See “How users can change their own password” on page 9-36.
1. Enable the changepw server, as follows:
a. In the Admin Console, select Services Configuration -> Servers, and select changepw from the Servers list.
b. Enable the changepw server by selecting the Enable radio button. (To disable the server, select the Disable radio button.)
c. Click the Save icon in the upper left portion of the window to save your changes.
2. Create a changepw-form proxy rule and ensure that it is included in the active proxy rule group. Table 7-2 summarizes the key settings for this proxy rule. Refer to “Creating proxy rules” on page 7-4 for details on using the Admin Console to create a proxy rule.
Note: Before creating the proxy rule, you may need to create the network objects that will be specified in the Destination and Redirect Host fields. In particular, make sure the network object representing the localhost address of the firewall burb (127.0.0.1) is created.
Table 9-3. Proxy rule settings to allow users to change their log in passwords
Criteria            Setting
Proxy Name:         burbname_changeform
Service Type:       Proxy
Service:            changepw-form
Action:             Allow
Src Burb:           Desired burb (for example Internet)
Dst Burb:           Desired burb (for example Internet)
Source:             Site dependent
Destination:        Network object for the IP address of the desired burb
Redirect Host:      localhost
User Groups:        Site dependent
Authentication:     None
3. Enable the changepw_form proxy for the necessary burb(s).
a. Start the Admin Console and select Services Configuration -> Proxies. The Proxies window appears.
b. Select the changepw_form proxy from the list of proxy names and enable it for the desired burbs.
c. Click the Save icon in the toolbar to save your changes.
4. (Optional: Web proxy only) Update the ERR_SCC_EXPIRED_PASSWORD file on the Sidewinder G2 by doing the following:
a. Change to the /usr/local/squid/etc/errors directory by entering the following command.
cd /usr/local/squid/etc/errors
b. Create a backup copy of the ERR_SCC_EXPIRED_PASSWORD file.
cp ERR_SCC_EXPIRED_PASSWORD ERR_SCC_EXPIRED_PASSWORD.orig
Setting Up Authentication 9-35
c. Modify the contents of the ERR_SCC_EXPIRED_PASSWORD file as instructed in the file, for example:
delete the line “Please follow the instructions your administrator has given you to change your Web proxy password.”
delete the “
How users can change their own password
b. Select Manual Proxy Configuration.
c. In the No Proxy For field, type the URL for the Sidewinder G2 (for example, G2name.xyz.com).
d. Click OK to save the information and exit.
3. Open an HTTP connection to the Sidewinder G2. For example:
http://mysidewinder.abc.com:1999/
A pre-defined HTML change password form appears.
4. Enter your username.
5. Enter your current password. This is your current password for establishing network connections.
6. Enter your new password. This will be your new password for establishing network connections.
7. Re-enter the new password. This confirms the spelling of the new password.
8. Select one of the following password types:
If you are changing a Sidewinder G2 login password, select Password.
If you are changing a SafeWord PremierAccess login password, select SafeWord.
If you are changing an LDAP password, select LDAP.
9. Click Send Request.
This sends the change password request to the Sidewinder G2. You will be notified if the request failed or if it is accepted. If the request is accepted, the password database is updated and the new password must be used for all future connections.
Setting Up Authentication 9-37
CHAPTER 10
Domain Name System (DNS)
About this chapter
This chapter describes how the Sidewinder G2 functions as a name server for your site. The chapter contains the following topics:
“What is DNS?” on page 10-1
“About mail exchanger records” on page 10-4
“Configuring the internal network to use hosted DNS” on page 10-5
“Enabling and disabling your DNS server(s)” on page 10-6
“Advanced configurations” on page 10-8
“Managing your current DNS configuration” on page 10-9
“Configuring transparent name servers” on page 10-9
“Configuring hosted DNS servers” on page 10-11
“Reconfiguring DNS” on page 10-29
“Manually editing DNS configuration files” on page 10-35
“DNS message logging” on page 10-36
What is DNS?
The domain name system (DNS) is a service that translates host names to IP addresses, and vice versa. DNS is necessary because while computers use a numeric addressing scheme to communicate with each other, most individuals prefer to address computers by name. DNS acts as the translator, matching computer names with their IP addresses.
Much of the traffic that flows into and out of your organization must at some point reference a DNS server. In many organizations this server resides on a separate, unsecured computer. The Sidewinder G2 provides the additional option to host the DNS server directly on the Sidewinder G2, eliminating the need for an additional computer.
Domain Name System (DNS) 10-1
The <strong>Sidewinder</strong> <strong>G2</strong> <strong>of</strong>fers two main DNS configurations: Transparent<br />
DNS and <strong>Sidewinder</strong>-hosted DNS. The sections below explain each<br />
configuration method.<br />
Note: An excellent source <strong>of</strong> information on DNS is the Internet S<strong>of</strong>tware Consortium<br />
Web site at www.isc.org. Some background information is also provided in the<br />
<strong>Sidewinder</strong> <strong>G2</strong> installation documentation. The book DNS and BIND, by Albitz & Liu<br />
(O’Reilly & Associates, Inc.) is also a popular reference.<br />
About transparent DNS

Transparent DNS represents a simplified DNS configuration. When transparent DNS is configured for the Sidewinder G2, DNS traffic passes transparently through the Sidewinder G2 using a proxy. The Sidewinder G2 uses proxy rules that pass all DNS traffic by proxy to its appropriate burb. DNS requests are then handled by the remote servers. Other machines do not “see” the Sidewinder G2, which means there is minimal disruption to your current DNS configurations throughout your network.

Configuring transparent DNS requires specifying the IP address of one or more remote DNS servers. (Alternative server addresses may be used for redundancy.) If a customer is using NAT through the Sidewinder G2, they should also have an additional DNS server on the outside of their network. The external DNS server handles the external zones of your network and its addresses. This configuration allows you to control which addresses are visible to the outside world.

Note: Transparent DNS is designed for simple DNS configurations. Complex DNS configurations may require DNS services to be hosted directly on the Sidewinder G2.
About Sidewinder hosted DNS

Sidewinder hosted DNS represents a more complex DNS configuration that utilizes the integrated Sidewinder G2 DNS server. When configured for hosted services, DNS servers run directly on the Sidewinder G2. This places the DNS server(s) on a hardened operating system, preventing attacks against these servers from penetrating your network.

In a hosted DNS configuration, the Sidewinder G2 requires information about your DNS authority. Generally, there should be only one "master" name server for any fully-qualified domain (such as nyc.bigbiz.com), also called a “zone”. There may be many "slave" servers, for redundancy and better performance, but they derive their information from the one master for each domain.

You can configure Sidewinder hosted DNS to use a single server or split servers as follows:

Hosted single server DNS—In a Sidewinder hosted single server configuration, one DNS server is hosted on the Sidewinder G2 and handles all DNS queries. The server is protected by the Sidewinder G2 hardened OS, preventing attacks from penetrating your network. A single server configuration is generally used when you have no concerns for keeping your internal network architecture hidden, such as when your Sidewinder G2 is acting as an “intrawall” between two sets of private addresses. External hosts will need to be reconfigured to point to the Sidewinder G2 servers.

Hosted split server DNS—In a Sidewinder hosted split server configuration, two DNS servers are hosted on the Sidewinder G2: one server (the external name server) is bound to the external burb and the other server (the "unbound" name server) is available for use by all internal burbs. Both servers are protected by the Sidewinder G2 hardened OS, which is able to prevent attacks against them from penetrating your network.

The security benefit of using a Sidewinder hosted configuration is the ability to hide the DNS entries on the unbound server from those who only have access to the external burb. External hosts will need to be reconfigured to point to the Sidewinder G2 servers.

Important: You must use hosted split DNS if you want the Sidewinder G2 to hide your private IP addresses (via Network Address Translation).

Note: Secure Computing recommends splitting the Sidewinder G2 DNS servers when using hosted DNS.
Listed below are some additional points about running DNS on your Sidewinder G2:

Sidewinder G2 uses Berkeley Internet Name Domain (BIND 9). The boot files for the unbound and the Internet name servers are /etc/named.conf.u and /etc/named.conf.i, respectively. The boot files specify corresponding directories: /etc/namedb.u and /etc/namedb.i. When you boot your Sidewinder G2, the name server daemon (named) is started. The /etc/named.conf.u and /etc/named.conf.i files specify whether the Sidewinder G2 is a master or a slave name server and list the names of the files that contain the DNS database records.

If you choose to configure the Sidewinder G2 as a master name server on either the unbound (internal) or Internet (external) side, you can modify the /etc/namedb.u/domain-name.db and /etc/namedb.i/domain-name.db files (where domain-name = your site’s domain name). You can add the default information that is being advertised for these zones.

The Sidewinder G2 contains a non-blocking DNS resolver to support reverse IP address look-ups in the active proxy rule group, and name-to-address look-ups in the http proxy. The relevant resolver library calls are gethostbyname() and gethostbyaddr(). The non-blocking DNS resolver provides a small number of DNS resolver daemons (nbresd) that are handed queries to resolve on behalf of the client.

About mail exchanger records

When you set up Sidewinder hosted DNS services for your site, you need to create mail exchanger (MX) records. MX records advertise that you are accepting mail for a specific domain (or domains). If you do not create an MX record for your domain, name servers and users on the Internet will not know how to send e-mail to you. When an e-mail message is sent from a site on the Internet, a DNS query is made in order to find the correct mail exchange (MX) host for the destination domain. The sender’s mail process then sends the e-mail to the MX host. The Sidewinder G2, through the use of mailertables, will forward the mail to the internal mail process, which in turn will forward it to the internal mail host. See “Editing the mail configuration files” on page 11-10 for more information on mailertables.
Consider the example shown in Figure 10-1. Someone in the Internet, Lloyd, wants to send one of your users, Sharon, an e-mail message, but all Lloyd knows is Sharon’s e-mail address: sharon@foo.com. The mailer at Lloyd’s site uses DNS to find the MX record of foo.com. Lloyd’s message for Sharon is then sent to the mailhost listed in the MX record for Sharon’s site.

Figure 10-1. Mail exchanger example (figure: Lloyd sends an MX record request to the name server for foo.com; the response is the MX record for foo.com, which names fw.foo.com; Lloyd then sends the e-mail message for sharon@foo.com to the Sidewinder G2, fw.foo.com)
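The two lookups a remote mailer performs in the Figure 10-1 scenario, as an added example that is not Sidewinder G2 code and not part of the original guide. It runs against constructed zone data for foo.com: the fw.foo.com exchanger comes from the figure, while the second (backup) exchanger and every IP address are invented for the example. Exchangers are ordered by MX preference, lowest value first, which is the general rule of which the figure's single-record case is one instance.

```python
# Added example (not Sidewinder G2 code): MX lookup followed by the address
# lookup for the exchanger, modelled on constructed zone data.
from typing import Dict, List, Tuple

ZoneRecords = List[Tuple[str, str, object]]  # (owner name, rrtype, rdata)

# Constructed master-zone data as a name server on the Internet would hold it.
ZONES: Dict[str, ZoneRecords] = {
    "foo.com.": [
        ("foo.com.", "MX", (10, "fw.foo.com.")),             # the Sidewinder G2 (from Figure 10-1)
        ("foo.com.", "MX", (20, "backup-mx.example.net.")),  # constructed backup exchanger
        ("fw.foo.com.", "A", "203.0.113.1"),                 # constructed address
    ],
    "example.net.": [
        ("backup-mx.example.net.", "A", "198.51.100.25"),    # constructed address
    ],
}


def _fqdn(name: str) -> str:
    """Normalise a name to its fully qualified, dot-terminated form."""
    return name if name.endswith(".") else name + "."


def lookup(zones: Dict[str, ZoneRecords], owner: str, rrtype: str) -> list:
    """All rdata values of the requested type at the owner name, across all zones."""
    owner = _fqdn(owner).lower()
    return [rdata for records in zones.values() for o, t, rdata in records
            if o.lower() == owner and t == rrtype]


def mail_exchangers(zones: Dict[str, ZoneRecords], domain: str) -> List[str]:
    """MX target hosts for a domain, most preferred (lowest preference value) first."""
    return [host for _, host in sorted(lookup(zones, domain, "MX"))]


def delivery_targets(zones: Dict[str, ZoneRecords], address: str) -> List[Tuple[str, str]]:
    """(exchanger, IP address) pairs the sending mailer tries, in order, for a recipient.
    Empty when the domain advertises no MX record, the situation the guide warns about."""
    domain = address.rsplit("@", 1)[1]
    targets: List[Tuple[str, str]] = []
    for host in mail_exchangers(zones, domain):      # first lookup: MX for the domain
        for ip in lookup(zones, host, "A"):           # second lookup: address of the exchanger
            targets.append((host, ip))
    return targets


if __name__ == "__main__":
    # Lloyd's mailer, deciding where sharon@foo.com is delivered
    for host, ip in delivery_targets(ZONES, "sharon@foo.com"):
        print(f"deliver to {host} ({ip})")
```

Only the MX owner name is consulted for the recipient's domain; the address of the exchanger is resolved in a second step, which is why the exchanger host itself needs an A record in some zone the sender can reach.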
A master name server stores and controls your site’s MX records. The master name server may be in the external burb of your Sidewinder G2, or on a host outside of your network (for example, your Internet service provider). If your Sidewinder G2 controls the master name server, then you can make any necessary changes to your MX records; if another host controls your master name server, then changes have to be made on that host. For more information on MX records see Chapter 5 of DNS and BIND by Albitz & Liu.

For information on creating MX records using the Admin Console, see “Using the Master Zone Attributes tab” on page 10-20.

Configuring the internal network to use hosted DNS
If you are going to use transparent proxies to provide Internet services to your internal users, the internal client workstations must send their name server queries to the Sidewinder G2 or to other internal name servers that forward unresolved host names to the Sidewinder G2. There are two ways to set this up:

Reference the Sidewinder G2 in any name resolution configuration that the client workstation may have. For example, a UNIX system uses the /etc/resolv.conf file to list the name servers that system should query. A name server reference for the Sidewinder G2 is all that is needed.

Point client workstations at one or more internal name servers. These name servers should be authoritative for the internal domain and configured as slave forwarders, with the Sidewinder G2 as the forwarding destination.

Enabling and disabling your DNS server(s)

This section describes how to determine the number of DNS servers currently in use. It also describes how to use the Admin Console to enable or disable the individual DNS servers.
Using master and slave servers in your network

Typically, a company will use two or more DNS servers to provide domain name service to their customers. This provides for load balancing and redundancy. When more than one DNS server is used, the local administrator designates one DNS server to host the "master" zone files. The other DNS servers are slave servers that merely retrieve copies of the zone files from the master server. To outside users there is no indication or need to know about which of the multiple servers is the master. They all provide equally authoritative answers to all queries. The designation of which DNS server will be the master is only significant to the DNS administrator, because changes are made only at the master DNS server and not at the individual slave servers.

Important: When DNS servers are in an HA cluster, Secure Computing recommends configuring the Sidewinder G2 name servers as DNS slaves for authoritative zones. This allows the master DNS servers to update both Sidewinder G2s in the HA cluster. If you do not configure the Sidewinder G2 name servers as DNS slaves for authoritative zones, DNS changes will not be made to the secondary Sidewinder G2 unless it is rebooted.
Determining the number of DNS servers currently defined on Sidewinder G2

When you initially configured your Sidewinder G2 using the Configuration Wizard, you defined the number of DNS servers to use with your system. You can use the Admin Console to display the number of servers currently defined on your Sidewinder G2. Select Services Configuration -> Servers. If the named-internet server appears in the Server Name field, there are two DNS servers (split DNS). If the named-internet server does not appear, there is only one DNS server (single DNS). To modify the number of DNS servers you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 10-29 for information.

Enabling and disabling hosted DNS servers

When you configure Sidewinder hosted DNS services, the Sidewinder G2 will use either one or two DNS servers. The DNS server(s) start automatically when you boot the Sidewinder G2. If you need to manually enable or disable a DNS server, follow the steps in this section.

Keep the following points in mind, however, if you decide to disable a Sidewinder hosted DNS server.

If you have one DNS server
In this situation the server is known as an unbound DNS server. If you disable the DNS server, only connections that use IP addresses will still work; those that use host names will not.

If you have two DNS servers
This situation is also known as split DNS mode. Note the following:
— If you disable the Unbound DNS server, connections that use IP addresses will still work; those that use host names will not.
— If you disable the Internet server, external connections that require host names will not work unless the name is already cached (saved) in the unbound name server’s database. Connections that use IP addresses will work. E-mail will be placed in a queue since IP addresses cannot be resolved.
— If you disable both name servers, connections will work only if they use IP addresses rather than host names. Also, mail will not work and other errors will happen as other parts of the system attempt to access the network by name.

In either case, once you disable a server it will remain disabled until you enable it again.

Note: See “Activating the Sidewinder G2 license” on page 3-19 for information on enabling and disabling servers.

Advanced configurations
Note: The following information applies only if you have a DNS server configured on the Sidewinder G2.

If your site has multiple internal domains, and there are name servers for each of these domains, the Sidewinder G2 must be designated as an authoritative name server for all of the internal domains (the internal name servers also may be authoritative for one or more of the internal domains). This must occur regardless of whether the Sidewinder G2 is a master or a slave name server. The Sidewinder G2 must be an authoritative name server for all internal domains so that it can resolve queries for the internal domains. The Sidewinder G2 will otherwise automatically forward these internal name queries to the Internet, and the query will not be resolved.

Note: In split DNS mode, if a DNS name occurs in the database of both servers, the name will resolve differently depending on the server that is queried. This occurs when the Sidewinder G2 is authoritative for the same domain both internally and externally. Because of this issue, if you try to access the Internet side of the Sidewinder G2 from an internal workstation you must use the appropriate machine name. For example, if the name of your Sidewinder G2 is “chloe,” then use the machine name “chloe-Internet.” This entry is automatically created during installation. For more information on DNS see DNS and BIND by Albitz & Liu, 3rd edition (O’Reilly).
Managing your current DNS configuration

You initially configure your DNS servers during the installation process. If you want to make changes to your existing DNS configuration, you can use one of two methods:

Admin Console—Using the Admin Console, you can do the following:
— Configure DNS servers via Services Configuration -> DNS. The DNS server window enables you to configure the basic DNS settings as well as configure many advanced options. See “Configuring transparent name servers” on page 10-9 for details.
— Completely reconfigure your DNS settings (for example, change from transparent to Sidewinder hosted or vice versa) via Tools -> Reconfigure DNS. See “Reconfiguring DNS” on page 10-29 for details.

Note: Using the Admin Console to modify your DNS configuration will remove any comments you may have manually inserted into the DNS configuration files.

Manual—You can also manually edit the DNS configuration files. This should only be attempted by highly skilled DNS administrators. See “Manually editing DNS configuration files” on page 10-35 for details.

The sections that follow provide information on each method.

Configuring transparent name servers

If you have configured DNS to use transparent services, you can add, modify, or delete transparent name servers. In the Admin Console, select Services Configuration -> DNS. The Transparent DNS Configuration window appears.

Note: If you want to completely reconfigure your existing DNS configuration (for example, change from transparent DNS to Sidewinder hosted DNS or vice versa), you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 10-29 for details.
Figure 10-2. Transparent DNS Configuration window

About the Transparent DNS Configuration window

This window allows you to configure name servers for transparent DNS services. You can specify the burb to which the name servers will be assigned from the Burb drop-down list.

To delete a name server, highlight the name server and click Delete.

Note: To scroll through the list of nameservers, click the Up and Down buttons as appropriate.

To add a new name server to the list, click New. To modify a name server, highlight the name server and click Modify. The Transparent: New/Modify Nameserver window appears.

Figure 10-3. Transparent New/Modify Nameserver window

About the New/Modify Nameserver window

This window allows you to add a new name server to the list of name servers configured for transparent services. Type the IP address for the name server you want to add or modify in the Nameserver IP Address field, and click OK to add the name server to the list.
Configuring hosted DNS servers

If you have configured DNS to use Sidewinder hosted services (single or split), you can define various name server information. In the Admin Console, select Services Configuration -> DNS. The DNS window contains four tabs that allow you to define specific name server information.

Note: If you want to completely reconfigure your existing DNS configuration (for example, change from transparent DNS to Sidewinder hosted DNS or vice versa), you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 10-29 for details.

Figure 10-4. Sidewinder Hosted DNS window

About the Sidewinder hosted DNS window

This window allows you to configure your Sidewinder hosted DNS server(s). It contains the following tabs.

The Server Configuration tab is used to configure general information about a name server. See “Configuring the Server Configuration tab” on page 10-12 for details.

The Zones tab defines each of the master and slave zones associated with the selected name server. See “Configuring the Zones tab” on page 10-16 for details.

The Master Zone Attributes tab is used to configure attributes for each master zone defined on the Zones tab. See “Using the Master Zone Attributes tab” on page 10-20 for details.

The Master Zone Contents tab defines the hosts associated with each master zone defined on the Zones tab. See “Using the Master Zone Contents tab” on page 10-25 for details.
Figure 10-5 illustrates the different DNS objects you can configure, how they relate to each other, and which tab is used to configure each object.

Figure 10-5. DNS objects and the tab used to configure each object

DNS Object                                Where Defined
Name server                               Server Configuration tab
Zones (consists of forward and            Zones tab
  reverse lookups)
Individual hosts within each zone         Master Zone Attributes tab and Master Zone Contents tab

(The figure shows one Name Server containing several Zones, each zone in turn containing its individual hosts.)

Configuring the Server Configuration tab

The Server Configuration tab is used to define configuration settings for the selected name server. When you select the Server Configuration tab a window similar to the following appears.
Figure 10-6. DNS Server Configuration tab

About the Server Configuration tab

This window allows you to define alternate name servers that will be contacted if a query cannot be resolved by the selected name server. The alternate name servers are called forwarders. This window is also used to define advanced configuration settings for the name server. To modify the Server Configuration tab, follow the steps below.

Note: To completely reconfigure your DNS settings (for example, change from Sidewinder hosted single server to split server), click Reconfigure DNS.

1. In the Modify Server For field, select the name server that you want to modify.

Note: The File Directory displays the name and location of the files used to store information about this server. This field cannot be modified.

2. In the Do Forwarding field, specify whether the name server will forward unresolvable queries to another name server. In a split DNS configuration, when modifying the unbound name server this field will default to Yes and will forward unresolved queries to the Internet server (127.x.0.1, where x = the external [or Internet] burb number).

3. In the Forward Only field, specify whether the name server will immediately forward an unresolvable query to the name servers listed in the Forward To list. If you select No, the name server will attempt to contact the root server to resolve the query before contacting one of the alternate name servers. The default value is Yes.
4. In the Forward To field, specify the alternate name servers that will be used when attempting to resolve a query. This list is consulted only if Yes is selected in the Do Forwarding field. If multiple name servers are defined, the name servers are consulted in the order listed until the query is resolved. In a split DNS configuration, when modifying the unbound name server this list will by default contain four entries for Internet name servers (127.x.0.1, where x = the external [or Internet] burb number).

Important: If you are using a split DNS configuration, Secure Computing strongly recommends against defining additional alternate name servers for the unbound name server. The Internet (or external) name server should be the only alternate name server defined in this situation.

5. To add another entry to the list of authorized name servers, click New under the Forward To list. See “Entering information on the Forwarding IP Address window” on page 10-14 for information on adding a new entry.

Note: To delete a name server from the Forward To list, highlight the name server you want to delete and click Delete.

6. [Conditional] To modify an advanced configuration setting for the name server, click Advanced. For more information on modifying the Advanced Server Options window, see “Entering information on the Advanced Server Options window” on page 10-15.

Important: Only experienced DNS administrators should modify an advanced configuration setting.

7. Click the Save icon in the toolbar to save your changes. To configure additional name server information, see “About the Zones tab” on page 10-17.

Entering information on the Forwarding IP Address window

This window is used to add an entry to the list of alternate name servers. The alternate name servers are consulted if the primary name server cannot resolve a query. Follow the steps below.

1. In the Forward to IP Address field, type the IP address of the alternate name server. Use the standard quad notation when typing the IP address (for example, 1.1.1.1).

2. Click Add to save the specified IP address to the list of alternate name servers.

3. When you are finished adding alternate name servers, click Close.
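A small model of the forwarding behaviour described in the Do Forwarding, Forward Only and Forward To steps above, and of the two points made under "Advanced configurations": that the same name can resolve differently on the unbound and Internet servers in split DNS, and that an internal domain the firewall is not authoritative for gets forwarded towards the Internet and goes unresolved. This is an added example, not Sidewinder G2 or BIND code. The zone data, the burb number (2) and every address are constructed; the 127.x.0.1 loopback convention for the Internet server is the guide's. The Forward Only = No path follows the guide's description (root server tried before the Forward To list).

```python
# Added example (not Sidewinder G2 code): a toy name server that either answers
# from its own authoritative zones or hands the query on according to the
# Do Forwarding / Forward Only / Forward To settings the guide describes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXTERNAL_BURB = 2  # assumption for the example: the Internet burb is burb 2
INTERNET_SERVER_ADDR = f"127.{EXTERNAL_BURB}.0.1"  # 127.x.0.1 convention from the guide


@dataclass
class NameServer:
    name: str
    zones: Dict[str, Dict[str, str]]        # zone name -> {fully qualified host: address}
    do_forwarding: bool = False             # Do Forwarding field
    forward_only: bool = True               # Forward Only field
    forward_to: List["NameServer"] = field(default_factory=list)  # Forward To list, in order
    root: Optional["NameServer"] = None     # stand-in for "the root server"

    def authoritative_zone(self, qname: str) -> Optional[str]:
        """Longest zone this server is authoritative for that covers qname, or None."""
        matches = [z for z in self.zones if qname == z or qname.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def resolve(self, qname: str, trace: Optional[List[str]] = None) -> Optional[str]:
        """Return an address, or None if the name cannot be resolved.
        `trace`, when given, records which server handled each step."""
        if trace is not None:
            trace.append(self.name)
        zone = self.authoritative_zone(qname)
        if zone is not None:
            # Authoritative data is final: answered (or NXDOMAIN) here, never forwarded.
            return self.zones[zone].get(qname)
        if not self.do_forwarding:
            return self.root.resolve(qname, trace) if self.root else None
        if not self.forward_only and self.root is not None:
            # Forward Only = No: per the guide, the root server is tried first.
            answer = self.root.resolve(qname, trace)
            if answer is not None:
                return answer
        for forwarder in self.forward_to:   # consulted in the listed order
            answer = forwarder.resolve(qname, trace)
            if answer is not None:
                return answer
        return None


def build_split_dns() -> Dict[str, NameServer]:
    """Constructed split-DNS setup: an Internet server on the external burb, an unbound
    server for the internal burbs that forwards only to the Internet server, and a
    'root' that knows one outside domain."""
    root = NameServer("root", {"example.net": {"www.example.net": "198.51.100.7"}})
    internet = NameServer(
        "named-internet",
        {"foo.com": {"www.foo.com": "203.0.113.10", "fw.foo.com": "203.0.113.1"}},
        root=root,
    )
    unbound = NameServer(
        "named-unbound",
        {"foo.com": {"www.foo.com": "10.1.1.10", "fw.foo.com": "10.1.1.1"}},
        do_forwarding=True,
        forward_only=True,
        forward_to=[internet],   # the only forwarder, as the guide recommends
    )
    return {"root": root, "internet": internet, "unbound": unbound}


if __name__ == "__main__":
    servers = build_split_dns()
    for who in ("unbound", "internet"):
        print(who, "www.foo.com ->", servers[who].resolve("www.foo.com"))   # split horizon
    steps: List[str] = []
    print("unbound www.example.net ->", servers["unbound"].resolve("www.example.net", steps), steps)
    print("unbound intranet.corp.local ->", servers["unbound"].resolve("intranet.corp.local"))
```

Adding a `corp.local` zone to the unbound server is what turns the last query from unresolved into an answer, which is the point of the requirement that the Sidewinder G2 be authoritative for every internal domain.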
Entering information on the Advanced Server Options window

The Advanced Server Options window is used to define some of the more advanced DNS name server options. Do not change these options unless you are an experienced DNS system administrator.

Important: By default the options on this window are disabled, meaning there are no restrictions. If your organization considers this to be a security risk you should use these options to limit the amount of interaction this name server has with other devices. Use your organization’s security policy as a guide.

To modify advanced server options, follow the steps below.

1. To enable the notify option, select the corresponding check box. Enabling this option allows you to specify whether the master server will notify all slave servers when a zone file changes. The notification indicates to the slaves that the contents of the master have changed and a zone transfer is necessary. If this field is not enabled (selected), the field defaults to Yes.

2. To enable the check-names option, select the corresponding check box. Enabling this option allows you to define how the name server will treat queries that contain non-standard host names (for example, names with underscores). You can define a different response for each role the name server can assume.

Master—Select this option if the name server is a master server.
Slave—Select this option if the name server is a slave server.
Response—Select this option if the name server is responding to a query using information it has received from another DNS server.

For each of these roles you can define three different actions:

warn—If the query contains a name error, the name server provides a response to the query but logs a warning message.
fail—If the query contains a name error, the name server returns an error response.
ignore—If the query contains a name error, the name server ignores the name error and provides a response to the query normally. For example, select this option if you want the name server to accept queries from hosts that contain underscores in their name.

The default values for the check-names field are as follows:
For Master, the default is fail.
For Slave, the default is warn.
For Response, the default is ignore.
3. To enable the allow-query option, select the corresponding check box. Enabling this option allows you to limit who is able to query this name server. If enabled, only the requesters defined in the allow-query list will be authorized to query this name server. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 10-16 for details on using the New button.

By default the allow-query option is not enabled, meaning all requesters are authorized to query the name server.

4. To enable the allow-transfer option, select the corresponding check box. Enabling this option allows you to limit who is authorized to request zone file transfers from this name server. If enabled, the name server will only transfer zone files to requesters defined in the allow-transfer list. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 10-16 for details.

By default the allow-transfer option is not enabled, meaning the name server will transfer zone files to all requesters.

5. Click OK to save your changes.

Adding an IP address

This window is used to add a new IP address to the selected list in the Advanced Server Options window. To add a new IP address, type the IP address of the name server you want to add in the IP Address field. Click Add and then click Close to add the specified IP address to the name server list.
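The decision logic behind the check-names, allow-query and allow-transfer options just described, as an added example that is not Sidewinder G2 or BIND code. It models the guide's semantics: an option whose check box is left cleared imposes no restriction (represented by `None`), an enabled option restricts to its list, and check-names applies the per-role default (master fail, slave warn, response ignore) unless an action is given. The "standard host name" test (letters, digits and interior hyphens only) and all addresses and names are assumptions made for the example.

```python
# Added example (not Sidewinder G2 code): a model of the Advanced Server Options
# semantics. acl=None stands for a disabled option, which the guide says means
# "no restriction"; an enabled list admits only the addresses or prefixes it holds.
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# Per-role defaults for check-names, as stated in the guide.
CHECK_NAMES_DEFAULTS = {"master": "fail", "slave": "warn", "response": "ignore"}

# Assumed "standard" label: a letter or digit, optional letters/digits/hyphens, ending
# in a letter or digit. Underscores (the guide's example of a non-standard name) fail.
_STANDARD_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _client_in_acl(client: str, acl: Optional[Iterable[str]]) -> bool:
    """Disabled option (acl is None): every client is allowed.
    Enabled option: only clients inside one of the listed addresses or prefixes."""
    if acl is None:
        return True
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in acl)


def allow_query(client: str, acl: Optional[Iterable[str]] = None) -> bool:
    """May this client query the name server?"""
    return _client_in_acl(client, acl)


def allow_transfer(client: str, acl: Optional[Iterable[str]] = None) -> bool:
    """May this client pull a full zone transfer from the name server?"""
    return _client_in_acl(client, acl)


def is_standard_hostname(name: str) -> bool:
    """True when every label of the name passes the assumed standard-label test."""
    labels = name.rstrip(".").split(".")
    return all(_STANDARD_LABEL.match(label) for label in labels)


def check_names(name: str, role: str, action: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Apply the check-names action for a role. Returns (answered, log message):
    warn answers and logs, fail refuses with an error, ignore answers silently."""
    action = action or CHECK_NAMES_DEFAULTS[role]
    if is_standard_hostname(name) or action == "ignore":
        return True, None
    if action == "warn":
        return True, f"check-names {role}: non-standard name {name!r} (answered, warning logged)"
    if action == "fail":
        return False, f"check-names {role}: non-standard name {name!r} rejected"
    raise ValueError(f"unknown check-names action {action!r}")


if __name__ == "__main__":
    # Constructed internal prefix and one constructed slave address.
    internal = ["10.0.0.0/8"]
    slaves = ["10.0.0.5"]
    print("query from 10.1.2.3, option disabled:", allow_query("10.1.2.3"))
    print("query from 203.0.113.5, restricted to internal:", allow_query("203.0.113.5", internal))
    print("zone transfer to 10.0.0.6, restricted to slaves:", allow_transfer("10.0.0.6", slaves))
    for role in CHECK_NAMES_DEFAULTS:
        print(role, check_names("web_01.foo.com", role))
```

The check that matters most for the Important note above is the transfer one: with allow-transfer left disabled, any address on the burb can pull the whole zone, so the usual hardening is an enabled list containing only the slave servers that legitimately need it.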
Configuring the Zones tab

A DNS server is responsible for serving one or more zones. A zone is a distinct portion of the domain name space. A zone consists of a domain or a subdomain (for example, securecomputing.com or sales.securecomputing.com). Each DNS server can be configured as either a master name server or a slave name server for a zone.

When you select the Zones tab, a window similar to the following appears.
Figure 10-7. DNS Zones<br />
window<br />
Configuring hosted DNS servers<br />
About the Zones tab This tab is used to define zone information about the name server.<br />
Follow the steps below.<br />
Note: To completely reconfigure your DNS settings (for example, change from <strong>Sidewinder</strong><br />
hosted single server to split server), click Reconfigure DNS.<br />
1. In the Modify Server For field, select the name server that you want to<br />
modify.<br />
2. The Zones list defines the zones for which the name server is<br />
authoritative. This list initially contains a zone entry for each domain and<br />
each network interface defined to the <strong>Sidewinder</strong> <strong>G2</strong>. You can add or<br />
delete zone entries as follows:<br />
To add a new zone to the list, click New and see “About the Zone<br />
List window” on page 10-19 for details.<br />
To delete a zone, highlight a zone and click Delete.<br />
Secure Computing strongly recommends against deleting or modifying<br />
the following entries:<br />
Any 127 reverse zones (for example, 0.1.127.in-addr.arpa). These<br />
zones represent local loopback addresses and are required.<br />
The zone with 192.239 in its name. This zone provides multicast<br />
support for the <strong>Sidewinder</strong> <strong>G2</strong> failover feature.<br />
Domain Name System (DNS) 10-17
   There can be two different types of entries in the Zone list:
   - Reverse zones (for example, 4.3.in-addr.arpa): This format indicates the entry provides reverse lookup functions for this zone.
   - Forward zones (for example, bizco.net): This format indicates the entry provides forward lookup functions for this zone.
   The Related Zones list displays the zones that are related to the selected zone. For example, if a forward zone is selected, the related reverse lookup zones are displayed. This list cannot be modified.
3. In the Zone Type field, specify whether the selected zone is a master zone or a slave zone as follows:
   - Master—A master zone is a zone for which the name server is authoritative. Many organizations define a master zone for each sub-domain within the network. Administrators should only make changes to zones defined as a master.
     Important: You should consider defining a matching reverse zone (an in-addr.arpa zone) for each master zone you configure.
   - Slave—A slave zone is a zone for which the name server is authoritative. Unlike a master zone, however, the slave zone’s data is periodically transferred from another name server that is also authoritative for the zone (usually, the master). If you select Slave, the Master Servers field becomes active. Be sure to use the Master Servers field to define the name server that will provide zone transfer information for this slave zone. Administrators should not make changes to zones defined as a slave.
     Caution: When changing a zone from slave to master, the Admin Console changes the slave file into a master file and the file becomes the lookup manager for the zone. The DNS server will have no problems understanding and using the new master file. For large zones (class A or B), however, this file may become too complex to be managed properly using the Admin Console. Secure Computing recommends either leaving large zones as slaves on the Sidewinder G2 or manually modifying these files.
   - Forward—A forward zone allows you to configure forward requests for a particular zone. To configure forward requests for a zone, click New beneath the Forwarders list and add the appropriate IP address.
4. In the Zone File Name field, specify the name of the file that is used to store information about this zone. The file is located in the directory specified in the File Directory field on the Server Configuration tab. Secure Computing does not recommend changing this name.
5. The Master Servers list defines one or more master name servers that are authorized to transfer zone files to the slave zone. This field is only active if a slave zone is selected in the list of Zones. You can add or delete zone entries as follows:
   - To add a new master server to the list, click New and see “Adding an IP address” on page 10-16 for details.
   - To delete a master server, highlight a server and click Delete.
6. [Conditional] To modify an advanced configuration setting for the selected zone, click Advanced. For more information on modifying the Advanced Server Options window, see “About the Advanced Zone Configuration window” on page 10-19.
   Important: Only experienced DNS administrators should modify an advanced configuration setting.
7. Click the Save icon in the toolbar to save your changes. To configure additional name server information, see “About the Zone List window” on page 10-19.

About the Zone List window
This window is used to add a new zone entry. In the Zone Name field, type the name of the forward or reverse zone you want to add to the list. Click Add and then click Close to exit this window.

About the Advanced Zone Configuration window
The Advanced Zone Configuration window is used to define some of the more advanced zone configuration options. This window allows you to configure certain options specifically for the selected zone, overriding similar options that may be configured for the global name server (the Unbound or the Internet name server). Follow the steps below.

Important: Only experienced DNS administrators should modify an advanced configuration setting.
1. To enable the check-names option, select the corresponding check box. Enabling this option allows you to determine how the zone will treat queries that contain non-standard host names (for example, names with underscores). You can define one of three different actions:
   - warn—If the query contains a name error, provides a response to the query, but logs a warning message
   - fail—If the query contains a name error, an error response is returned
   - ignore—If the query contains a name error, the name error is ignored and a response to the query is provided normally. For example, you should enable this option if you want the zone to accept queries from hosts that contain underscores in their name.
2. To enable the notify option, select the corresponding check box. Enabling this option allows you to specify whether the master server will notify all slave servers when a zone file changes. The notification indicates to the slaves that the contents of the master have changed and a zone transfer is necessary. The name servers that are notified are those defined in the Zone NS Records field on the Master Zone Attributes tab. If this field is not enabled the field defaults to Yes.
3. To enable the allow-update option, select the corresponding check box. Enabling this option allows you to specify from whom the zone will accept dynamic DNS updates. If this option is enabled, only the hosts in the allow-update list are authorized to update this zone. This option is only valid for master zones. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 10-16 for details on using the New button.
   By default the allow-update option is not enabled, meaning the zone will deny dynamic updates from all hosts.
4. To enable the allow-transfer option, select the corresponding check box. Enabling this option allows you to limit who is authorized to request a zone transfer for this zone. If this option is enabled, the name server will only transfer zone files to requesters defined in the allow-transfer list. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 10-16 for details.
   By default the allow-transfer option is not enabled, meaning the zone will transfer zone files to all requesters.
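The allow-transfer and allow-update lists described above, and the server-level allow-transfer list at the start of this section, restrict access only while the corresponding check box is enabled; note the asymmetry the guide states, that a disabled allow-transfer permits every requester while a disabled allow-update denies every host. The following Python example is added here to make those decisions testable; it is not part of the guide or of the Sidewinder G2 software. It assumes a simple model in which a zone-level option, when set, overrides the server-level option (as the Advanced Zone Configuration window description says), treats an unchecked check-names box like "ignore" (an assumption), and uses constructed IP addresses and host names. The AclOption, ZoneOptions and demo names are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Constructed model of one Admin Console option: the check box plus the
# list of IP addresses added through the "Adding an IP address" window.
@dataclass
class AclOption:
    enabled: bool = False
    addresses: List[str] = field(default_factory=list)

    def lists(self, addr: str) -> bool:
        """True if addr is one of the configured addresses."""
        a = ipaddress.ip_address(addr)
        return any(a == ipaddress.ip_address(x) for x in self.addresses)


# Constructed model of the per-zone Advanced Zone Configuration window.
# allow_transfer=None means "not set for this zone": the server-level
# Advanced Server Options value applies instead.
@dataclass
class ZoneOptions:
    allow_transfer: Optional[AclOption] = None
    allow_update: AclOption = field(default_factory=AclOption)
    check_names: Optional[str] = None   # "warn", "fail", "ignore" or None (box not checked)


def transfer_permitted(server_opt: AclOption, zone: ZoneOptions, requester: str) -> bool:
    """Zone transfer decision. The zone-level option overrides the server-level one.
    Guide semantics: option not enabled => zone files are sent to ALL requesters."""
    opt = zone.allow_transfer if zone.allow_transfer is not None else server_opt
    if not opt.enabled:
        return True
    return opt.lists(requester)


def update_permitted(zone: ZoneOptions, updater: str, zone_type: str = "master") -> bool:
    """Dynamic update decision. Guide semantics: allow-update is only valid for
    master zones, and when not enabled the zone denies updates from all hosts."""
    if zone_type != "master" or not zone.allow_update.enabled:
        return False
    return zone.allow_update.lists(updater)


# Standard host name label (RFC 952/1123): letters, digits and hyphens only,
# so a label such as "my_host" is a name error under check-names.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def has_name_error(qname: str) -> bool:
    return any(not HOSTNAME_LABEL.match(label) for label in qname.rstrip(".").split("."))


def handle_query(zone: ZoneOptions, qname: str) -> Tuple[bool, Optional[str]]:
    """Returns (answered, log_line) for the three check-names actions the guide lists.
    Assumption: an unchecked check-names box behaves like "ignore"."""
    action = zone.check_names or "ignore"
    if not has_name_error(qname):
        return True, None
    if action == "fail":
        return False, f"check-names: rejected query for {qname}"
    if action == "warn":
        return True, f"check-names: warning, non-standard name {qname}"
    return True, None


def demo() -> dict:
    """Constructed scenario: server-level allow-transfer left at its default (not enabled),
    one zone overriding it with an explicit list, and a second zone inheriting the default."""
    server_xfer = AclOption()                                  # default: open to all requesters
    locked = ZoneOptions(allow_transfer=AclOption(True, ["192.0.2.53"]),
                         allow_update=AclOption(True, ["192.0.2.10"]),
                         check_names="warn")
    inherited = ZoneOptions()
    return {
        "locked_zone_transfer_from_stranger": transfer_permitted(server_xfer, locked, "203.0.113.7"),
        "locked_zone_transfer_from_secondary": transfer_permitted(server_xfer, locked, "192.0.2.53"),
        "inherited_zone_transfer_from_stranger": transfer_permitted(server_xfer, inherited, "203.0.113.7"),
        "inherited_zone_update_from_anyone": update_permitted(inherited, "192.0.2.10"),
        "locked_zone_update_from_listed": update_permitted(locked, "192.0.2.10"),
        "underscore_query": handle_query(locked, "my_host.bizco.net."),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The inherited zone in the scenario is the case worth checking on a real deployment: with neither level of allow-transfer enabled, any host that can reach the name server can pull the complete zone, which is why the guide's default deserves an explicit list on every zone holding internal names.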
Using the Master Zone Attributes tab

The Master Zone Attributes tab is used to configure attributes for each master zone defined on the Zones tab. Slave zones are not included on this tab because you can only define attributes for those zones for which you are the master.

When you select the Master Zone Attributes tab a window similar to the following appears.

Figure 10-8. Master Zone Attributes tab

About the Master Zone Attributes tab
This window is used to define the attributes of each master zone defined for the selected name server. In particular, it defines the Name Server record(s) and the Start of Authority (SOA) record for each master zone. The window also enables you to define Mail Exchanger (MX) records for those entries that are forward lookup zones. Follow the steps below.

Note: To completely reconfigure your DNS settings (for example, change from Sidewinder hosted single server to split server), click Reconfigure DNS.

1. In the Modify Server For field, select the name server that you want to modify.
   The Master Zones list defines the zones for which the name server is master. A plus sign (+) will appear in front of any forward lookup zone that contains one or more sub-domains. Click on the plus sign to view the sub-domains.
   To modify an entry in the list, click on the entry name. A menu of options used to characterize the selected entry is presented on the right side of the window.
   Note: The Forward Zone Name/Reverse Zone Name field displays the full zone name associated with the entry selected in the Master Zones list.
2. To modify the Zone SOA tab, click on the tab and follow the sub-steps below. The fields on the Zone SOA tab collectively define one Start Of Authority (SOA) record. An SOA record controls how master and slave zones interoperate.
   The DNS Serial # field displays the revision number of this SOA record. This field will increment by one each time you modify this zone. Slave zones use this field to determine if their zone files are out-of-date. You cannot modify this field. (See sub-step b for more details.)
   a. In the DNS Contact field, specify the name of the technical contact that can answer questions about this zone. The name must be a fully-qualified name, with the @ character replaced by a period (for example, hostmaster.domain.com).
   b. In the Refresh (seconds) field, specify how often a slave will check this zone for new zone files. The slave uses the DNS Serial # value to determine if its zone files need to be updated. For example, if the slave’s DNS serial number is 4 and the master zone’s DNS serial number is 5, the slave knows that its zone files are out-of-date and it will download the updated zone files. Values must be positive integers. The default value is 3600 (1 hour).
   c. In the Retry (seconds) field, specify how long a slave should wait to try another refresh following an unsuccessful refresh attempt. Values must be positive integers.
   d. In the Expiration (seconds) field, specify how long a slave can go without updating its data before expiring its data. For example, assume you set this value to 604800 (one week). If the slave is unable to contact this master zone for one week, the slave’s resource records will expire. Queries to the slave will then be treated as if that DNS server is not authoritative for that domain (zone), resulting in a recursive search or forwarding, depending on how the slave is configured. Values must be positive integers.
   e. In the TTL (seconds) field, specify the time to live (TTL) value. This value defines how long a resource record from this zone can be cached by another name server before it expires the record. The value specified here is used as the default in records that do not specify a TTL value. Values must be positive integers.
   f. To add a sub-domain to the selected zone, click Add Sub. This button is only available if a forward lookup zone is selected in the Zones list. For information on adding a sub-domain, see “Adding a forward lookup sub-domain” on page 10-23.
   g. To delete a sub-domain from the selected zone, click Delete Sub. This button is only available if a forward lookup zone is selected in the Zones list. See “Deleting a forward lookup sub-domain” on page 10-24 for details.
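The Zone SOA sub-steps above describe how a slave uses the serial, refresh, retry and expiration values, and how the zone TTL governs caching elsewhere. The following Python example is added here to walk that behaviour through with the guide's own numbers (serial 4 to 5, refresh 3600, expiration 604800); it is not part of the guide or of the Sidewinder G2 software. It goes beyond the guide's plain "5 is newer than 4" comparison by implementing RFC 1982 serial arithmetic, which is what name servers use so that a serial can wrap past 2^32 - 1. The Soa, SlaveZone and walk_through names, the 600-second retry value and the timeline are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SERIAL_MOD = 1 << 32      # DNS serial numbers are 32-bit quantities (RFC 1982)
SERIAL_HALF = 1 << 31


@dataclass
class Soa:
    """The numeric fields the Zone SOA tab collects (the contact is omitted here)."""
    serial: int
    refresh: int   # seconds between a slave's checks of the master serial
    retry: int     # seconds to wait after a failed refresh attempt
    expire: int    # seconds a slave may serve the zone without a successful refresh
    ttl: int       # default TTL for records that carry none

    def validate(self) -> bool:
        """The guide requires positive integers for all four timers."""
        for name in ("refresh", "retry", "expire", "ttl"):
            value = getattr(self, name)
            if not isinstance(value, int) or value <= 0:
                raise ValueError(f"{name} must be a positive integer, got {value!r}")
        return True


def serial_newer(master_serial: int, slave_serial: int) -> bool:
    """Is the master's serial newer than the slave's? RFC 1982 serial arithmetic:
    a plain '>' comparison would fail once the serial wraps around 2^32."""
    a, b = master_serial % SERIAL_MOD, slave_serial % SERIAL_MOD
    return (b < a and a - b < SERIAL_HALF) or (b > a and b - a > SERIAL_HALF)


def cache_expires_at(received_at: int, soa: Soa, record_ttl: Optional[int] = None) -> int:
    """When another name server must drop a cached record: the record's own TTL if it
    has one, otherwise the zone default TTL from sub-step e."""
    return received_at + (record_ttl if record_ttl is not None else soa.ttl)


@dataclass
class SlaveZone:
    """Constructed model of a slave's view of one master zone."""
    soa: Soa              # the SOA the slave currently holds
    last_success: int     # time (seconds) of the last successful refresh or transfer
    next_check: int       # time (seconds) of the next scheduled refresh

    def expired(self, now: int) -> bool:
        """Past the expiration value the slave stops answering authoritatively."""
        return now - self.last_success >= self.soa.expire

    def refresh(self, now: int, master_soa: Soa, master_reachable: bool = True) -> str:
        """One refresh attempt at time `now`; returns the action taken."""
        if now < self.next_check:
            return "wait"
        if not master_reachable:
            self.next_check = now + self.soa.retry            # retry sooner than refresh
            return "expired" if self.expired(now) else "retry"
        if serial_newer(master_soa.serial, self.soa.serial):
            self.soa = master_soa                             # zone transfer of the new data
            self.last_success = now
            self.next_check = now + master_soa.refresh
            return "transfer"
        self.last_success = now                               # same serial: data verified
        self.next_check = now + self.soa.refresh
        return "up-to-date"


def walk_through() -> List[str]:
    """Constructed timeline using the guide's numbers: serial 4 -> 5, refresh 3600, expire 604800."""
    master = Soa(serial=5, refresh=3600, retry=600, expire=604800, ttl=86400)
    master.validate()
    slave = SlaveZone(soa=Soa(4, 3600, 600, 604800, 86400), last_success=0, next_check=3600)
    return [
        slave.refresh(100, master),                                   # refresh interval not reached
        slave.refresh(3600, master),                                  # master serial 5 > slave serial 4
        slave.refresh(7200, master, master_reachable=False),          # failed: next try after retry
        slave.refresh(7800, master),                                  # reachable again, same serial
        slave.refresh(7800 + 604800, master, master_reachable=False), # a week unreachable: expired
    ]


if __name__ == "__main__":
    print(walk_through())
```

The last event is the case sub-step d describes: once the expiration interval passes without a successful refresh, the slave's copy is discarded and queries fall through to recursion or forwarding, so the expiration value should comfortably exceed the longest outage between master and slave you are prepared to tolerate.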
3. To modify the Zone Records tab, click on the tab. This tab contains NS (Name Server) and MX (Mail Exchange) records for forward zones. This tab contains only NS Records for reverse zones.
   The Name Servers table contains DNS NS records that indicate what machines will act as name servers for this zone. By default the table contains an entry for the machine you are currently using. (To add or delete an entry use the New or Delete buttons, respectively. See “Adding an NS record” on page 10-24 for details on adding a new entry.)
   If this zone is configured to notify all slave servers when a zone file changes (see “About the Advanced Zone Configuration window” on page 10-19 for a description of the notify field), the notify commands are sent to all NS hosts specified here.
   The Zone MX Records list is available only if the selected zone entry is a forward lookup entry. It is used to specify entries in the Mail Exchangers table for the selected zone. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the selected domain. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 10-24 for details on adding a new MX record entry.
   The Zone A Record field is available only if the selected zone entry is a forward lookup entry. It defines a DNS A record (an Address record). A DNS A record is used to map host names to IP addresses. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27).
4. Click the Save icon in the toolbar to save your changes. To configure additional name server information, see “About the Master Zone Attributes tab” on page 10-21.

Adding a forward lookup sub-domain
This window is used to add a forward lookup sub-domain to the selected forward lookup zone. By adding a sub-domain you are delegating authority for a portion of the parent domain to the new sub-domain. Follow the steps below.

1. In the Forward Sub-Domain Name field, type the name of the sub-domain. Do not type a fully qualified name. For example, assume you have a domain named bizco.net that contains a sub-domain named west. You would type west in this field rather than west.bizco.net.
2. In the Sub-Domain NS Records field, specify entries in the Name Servers table for this sub-domain. The Name Servers table contains DNS NS records that indicate what machines will act as name servers for this sub-domain. To add or delete an entry use the New or Delete buttons, respectively. See “Adding an NS record” on page 10-24 for details on adding a new entry.
3. [Optional] In the Sub-Domain MX Records field, specify entries in the Mail Exchangers table for this sub-domain. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the sub-domain. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 10-24 for details on adding a new MX record entry.

Deleting a forward lookup sub-domain
This window is used to delete a sub-domain from a forward lookup zone. The Domains in Zone field lists the domains defined in the zone.

1. To delete a domain, highlight the domain you want to delete and click Delete Domain.
2. Click OK to save your changes. (Click Cancel to exit the window without saving your changes.)
Adding an NS record
This window is used to add a new NS record to the Name Servers table associated with the selected zone or sub-domain. Follow the steps below.

1. In the NS Record field, type the domain name associated with this NS record. The name must be a fully-qualified name and must end with a period. The name you specify should be a pre-existing domain name that maps to a valid IP address.
2. Click Add to add the specified entry to the Name Servers table.
3. Click Close to exit the window.

Adding an MX record
This window is used to add a new MX record to the Name Servers table associated with the selected zone, sub-domain, or host. Follow the steps below.

Note: For more information on MX records, see “About mail exchanger records” on page 10-4.

1. In the MX record field, type the fully-qualified name of the host that will act as the mail exchange for this zone, sub-domain, or host.
2. In the Priority field, type a priority level for this record. Valid values are 1–65535. The lower the value, the higher the priority (for example, a value of 1 will have a higher priority than a value of 10).
3. Click Add to save the new record.
4. Click Close to exit the window.
Using the Master Zone Contents tab

The Master Zone Contents tab is used to define the hosts that are associated with each master zone.

When you select the Master Zone Contents tab a window similar to the following appears.

Figure 10-9. Master Zone Contents tab

Note: If you are adding a large number of hosts (hundreds or thousands) to a master zone, you may want to consider manually adding the required host information directly to the appropriate DNS files using one of the available editors on the Sidewinder G2 to save time. However, only experienced Sidewinder G2 administrators should attempt this. (Using the manual method will still require you to manually define each host.)

About the Master Zone Contents tab
This window is used to define the hosts that are associated with each master zone. For each host you define in a forward lookup zone you should also create a matching entry in the associated reverse lookup zone. Follow the steps below.

Note: To completely reconfigure your DNS settings (for example, change from Sidewinder hosted single server to split server), click Reconfigure DNS.

1. In the Modify Server For field, select the name server that you want to modify.
   Note: The fields that are available on this tab will vary depending on whether a zone, a host in a forward lookup zone, or a host in a reverse lookup zone is selected.
2. [Conditional] If you are modifying a zone, do the following:
   a. To add a host to the selected zone, click Add Entry. If you are adding a host to a forward lookup zone, see “Adding a new forward lookup entry” on page 10-27 for details. If you are adding a host to a reverse lookup zone, see “Adding a new reverse lookup entry” on page 10-28.
   b. To delete a host from the selected zone, click Delete Entry. See “Deleting a host entry from a zone” on page 10-28 for details.
3. [Conditional] If you are modifying a host in a reverse lookup zone, the following two fields appear:
   - Name (Host portion of IP): This field appears only if a host is selected in the list. The field displays the host portion of either the IP address or of the fully-qualified domain name of this entry. You cannot modify this field. If you need to change the host name you must delete the entry from the list, then add the entry back using the new name.
   - Fully-Qualified Domain Name: This field displays the domain name of the host. You can modify this field by typing in a new value. Be sure to type the fully-qualified domain name of the host.
   Note: The Name field and the Fully-Qualified Name Entry field collectively define a PTR Record for the selected reverse lookup zone. The PTR record is used in a Reverse Addresses table and maps an IP address to a host name.
4. [Conditional] If a host in a forward lookup zone is selected, the following fields appear:
   - Entry Name: This field defines the host portion of the fully-qualified domain name of this entry.
   - A Record IP: This field defines a DNS A record (an Address record), which is used to map host names to IP addresses. In this case the field displays the IP address of the selected host. You can modify this field by typing in a new value. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27).
   - CNAME Rec: This field defines a DNS CNAME record, which is used to map an alias to its canonical name. The field, if populated, displays the name of the Canonical Record of the selected host. You can modify this field by typing in a new name. The name you specify must be entered using the fully-qualified primary name of the domain.
   Important: A host in a forward lookup zone requires either an A Record or a CNAME Record.
   - Entry MX Records: This field is used to specify entries in the Mail Exchangers table for the selected host. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the selected host. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 10-24 for details on adding a new MX record entry.
   - HINFO-Type: This field provides information about a host’s hardware type.
   - HINFO-OS: This field provides information about a host’s operating system.
   Important: For security reasons, many organizations elect not to use these fields.
5. Click the Save icon in the toolbar to save your changes.

Adding a new forward lookup entry
This window is used to define a new host for a forward lookup zone. Follow the steps below.

Note: The following fields collectively define an Address record.

1. In the Entry Name field, specify the host portion of the fully-qualified domain name of this entry.
2. In the A Record IP field, specify a DNS A record (an Address record), which is used to map host names to IP addresses. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27). This field and the CNAME Rec field are mutually exclusive.
3. In the CNAME Rec field, specify a DNS CNAME record, which is used to map an alias to its canonical name. The name you specify must be entered using the fully-qualified primary name of the domain. This field and the A Record IP field are mutually exclusive.
4. [Optional] The Entry MX Records field lists entries in the Mail Exchangers table for this host. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail exchangers for the host. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 10-24 for details on adding a new MX record entry.
5. [Conditional] The HINFO-Type field provides information about a host’s hardware type.
6. [Conditional] The HINFO-OS field provides information about a host’s operating system.
   Important: For security reasons, many organizations elect not to use these fields.
7. Click Add to save the new entry.
8. Click Close to exit this window.

Adding a new reverse lookup entry
This window is used to define a new host for a reverse lookup zone. Follow the steps below.

1. In the Entry Name field, specify the host portion of the IP address of this entry.
2. In the Fully-Qualified Name Entry field, specify the domain name of the host. Be sure to type the fully-qualified domain name of the host.
   Note: The Entry Name field and the Fully-Qualified Name Entry field collectively define a PTR Record for the selected reverse lookup zone. The PTR record is used in a Reverse Addresses table and maps an IP address to a host name.
3. Click Add to save the new entry.
4. Click Close to exit this window.

Deleting a host entry from a zone
This window is used to delete a host from the selected zone. The Hosts in Zone field lists all the hosts currently defined within the selected zone. To delete a host, highlight the host you want to delete and click Delete Host. You can only delete one host at a time. Click OK to save your changes and exit the window. (To cancel your changes, click Cancel.)
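The Master Zone Attributes and Master Zone Contents tabs above collect, field by field, the SOA, NS, MX, A, CNAME and PTR data that ends up in the zone file the Zone File Name field points to, together with the rules the guide states for each field (NS and MX names fully qualified and ending with a period, the @ in the contact replaced by a period, MX priority 1 to 65535 with lower meaning higher priority, dotted-quad A addresses, and A and CNAME mutually exclusive). The following Python example is added here to show those rules enforced and the resulting records rendered in BIND master-file syntax; it is not part of the guide or of the Sidewinder G2 software and does not describe how the Admin Console itself stores the zone. The class and function names, the ns1/mail1/mail2 host names and the /24 assumption in reverse_entry are constructed for illustration; the zone name bizco.net and the address 172.14.207.27 are the guide's own examples.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# The guide's rule for NS and MX names: fully qualified and ending with a period.
FQDN_WITH_DOT = re.compile(r"^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+$")


def require_fqdn(name: str, what: str) -> str:
    if not FQDN_WITH_DOT.match(name):
        raise ValueError(f"{what} must be a fully-qualified name ending with a period: {name!r}")
    return name


def soa_contact(email: str) -> str:
    """DNS Contact rule from the Zone SOA tab: the @ becomes a period
    (hostmaster@domain.com -> hostmaster.domain.com). The trailing period makes it absolute."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"contact must be user@domain: {email!r}")
    return f"{local}.{domain}."


def reverse_entry(ip: str) -> Tuple[str, str]:
    """Matching reverse-zone entry the guide recommends for each forward host, assuming a
    /24 reverse zone: 172.14.207.27 -> ('207.14.172.in-addr.arpa', '27')."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa", octets[3]


@dataclass
class MxRecord:
    exchanger: str    # fully-qualified mail exchanger name
    priority: int     # 1-65535; lower value = higher priority

    def __post_init__(self):
        require_fqdn(self.exchanger, "MX record")
        if not 1 <= self.priority <= 65535:
            raise ValueError(f"MX priority must be 1-65535, got {self.priority}")


@dataclass
class HostEntry:
    name: str                          # Entry Name: host portion only, e.g. "www"
    a_ip: Optional[str] = None         # A Record IP, dotted quad
    cname: Optional[str] = None        # CNAME Rec, fully-qualified canonical name
    mx: List[MxRecord] = field(default_factory=list)
    # HINFO-Type and HINFO-OS are left out: the guide notes many organizations do not use them.

    def __post_init__(self):
        if not self.name or "." in self.name:
            raise ValueError("Entry Name is the host portion only, not a fully-qualified name")
        if (self.a_ip is None) == (self.cname is None):
            raise ValueError("a forward host needs exactly one of A Record IP or CNAME Rec")
        if self.a_ip is not None:
            ipaddress.IPv4Address(self.a_ip)      # raises on anything but dotted-quad notation
        else:
            require_fqdn(self.cname, "CNAME Rec")


@dataclass
class MasterForwardZone:
    name: str                 # e.g. "bizco.net"
    contact: str              # e.g. "hostmaster@bizco.net"
    serial: int
    refresh: int
    retry: int
    expire: int
    ttl: int
    name_servers: List[str]   # NS records, fully qualified with trailing period
    mx: List[MxRecord] = field(default_factory=list)
    hosts: List[HostEntry] = field(default_factory=list)

    def bump_serial(self) -> int:
        """The DNS Serial # increments by one on every modification of the zone."""
        self.serial += 1
        return self.serial

    def render(self) -> str:
        """Render a BIND-style master file from the fields the Admin Console tabs collect."""
        ns = [require_fqdn(n, "NS record") for n in self.name_servers]
        if not ns:
            raise ValueError("a master zone needs at least one NS record")
        by_priority = lambda m: m.priority   # lower value first = preferred exchanger first
        lines = [f"$ORIGIN {self.name.rstrip('.')}.", f"$TTL {self.ttl}",
                 f"@ IN SOA {ns[0]} {soa_contact(self.contact)} ("
                 f" {self.serial} {self.refresh} {self.retry} {self.expire} {self.ttl} )"]
        lines += [f"@ IN NS {n}" for n in ns]
        lines += [f"@ IN MX {m.priority} {m.exchanger}" for m in sorted(self.mx, key=by_priority)]
        for h in self.hosts:
            lines.append(f"{h.name} IN A {h.a_ip}" if h.a_ip else f"{h.name} IN CNAME {h.cname}")
            lines += [f"{h.name} IN MX {m.priority} {m.exchanger}" for m in sorted(h.mx, key=by_priority)]
        return "\n".join(lines) + "\n"


def rejects(build: Callable[[], object]) -> bool:
    """True if constructing the record raises ValueError (shows which inputs the rules refuse)."""
    try:
        build()
    except ValueError:
        return True
    return False


def sample_zone() -> MasterForwardZone:
    """Constructed zone using the guide's example zone name and address."""
    return MasterForwardZone(
        name="bizco.net", contact="hostmaster@bizco.net", serial=5,
        refresh=3600, retry=600, expire=604800, ttl=86400,
        name_servers=["ns1.bizco.net."],
        mx=[MxRecord("mail2.bizco.net.", 10), MxRecord("mail1.bizco.net.", 1)],
        hosts=[HostEntry("www", a_ip="172.14.207.27"), HostEntry("ftp", cname="www.bizco.net.")],
    )


if __name__ == "__main__":
    print(sample_zone().render())
    print(reverse_entry("172.14.207.27"))
```

Running the block prints the rendered bizco.net zone with mail1 listed before mail2, which is the ordering a sending mail server derives from the priority values, and the (207.14.172.in-addr.arpa, 27) pair that the Master Zone Contents tab would need as the matching reverse lookup entry.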
Reconfiguring DNS

The Reconfigure DNS window allows you to completely reconfigure DNS on your Sidewinder G2. Changes made by the DNS configuration utility take effect immediately. You do not need to reboot the Sidewinder G2.

Table 10-1 summarizes the available DNS configuration options. (For more detailed information on determining which DNS configuration best suits your situation, refer to the Sidewinder G2 Perimeter Security Planning Guide.)

Note: Any active DNS servers on the Sidewinder G2 will be disabled during the reconfiguration process.

Important: Any prior modifications you have made to your DNS configuration will be lost when you save your changes. You will need to re-apply the modifications.

Table 10-1. DNS configuration options

Transparent DNS, Single: Indicates that DNS traffic will be proxied through the Sidewinder G2. This configuration is generally used when you plan to use your existing DNS server. If you are using a single internal DNS server, external users will have proxied access to your DNS server. External hosts will be unaware that the Sidewinder G2 is “transparently” passing the DNS traffic. See “Reconfiguring transparent DNS” on page 10-31 for more information.

Transparent DNS, Split: Indicates that DNS traffic will be proxied through the Sidewinder G2, with a remote DNS server connected to each interface. DNS queries will generally be handled by both your internal DNS server and your external ISP. This configuration is more secure than using a single server because your external server can limit access to your internal naming system. External hosts will be unaware that the Sidewinder G2 is “transparently” passing the DNS traffic. See “Reconfiguring transparent DNS” on page 10-31 for more information.

Hosted DNS, Single: Indicates that only one DNS server is hosted on the Sidewinder G2 and handles all DNS queries. The server is protected by the Sidewinder G2 hardened OS, preventing attacks against it from penetrating your network. A single server configuration is generally used when you have no concerns for keeping your internal network architecture hidden, such as when your Sidewinder G2 is acting as an “intrawall” between two sets of private addresses. External hosts will need to be reconfigured to point to the Sidewinder G2 servers. See “Reconfiguring single server hosted DNS” on page 10-32 for more information.

Hosted DNS, Split: Indicates that two DNS servers are hosted on the Sidewinder G2: one server (the external name server) is bound to the external burb and the other server (the "unbound" name server) is available for use by all internal burbs. Both servers are protected by the Sidewinder G2 hardened OS, which is able to prevent attacks against them from penetrating your network. The security benefit of this configuration is the ability to hide the DNS entries on the unbound server from those who only have access to the external burb. External hosts will need to be reconfigured to point to the Sidewinder G2 servers. See “Reconfiguring split server hosted DNS” on page 10-33 for more information.

Important: You must use hosted split DNS if you want the Sidewinder G2 to hide your private IP addresses (via Network Address Translation).
Figure 10-10.<br />
Reconfigure transparent<br />
DNS window<br />
About the Reconfiguring<br />
transparent DNS window<br />
Reconfiguring transparent DNS<br />
Reconfiguring DNS<br />
To reconfigure DNS to use transparent services, using the Admin<br />
Console select Tools -> Reconfigure DNS. The Reconfigure DNS window<br />
appears.<br />
This window allows you to reconfigure your DNS settings to use<br />
transparent DNS services. Follow the steps below.<br />
1. In the New DNS Configuration drop-down list, select Transparent.<br />
2. To configure the <strong>Sidewinder</strong> <strong>G2</strong> to use the internal name server(s), do<br />
the following:<br />
a. Select the Internal Name Server check box.<br />
b. In the corresponding IP Address field, type the IP address <strong>of</strong> the<br />
name server located in the internal burb (that is, your enterprise<br />
name server).<br />
c. [Optional] In the Alternate IP Address field, type the IP address <strong>of</strong> an<br />
alternate name server.<br />
d. In the Burb drop-down list, select your internal burb.<br />
3. To configure the Sidewinder G2 to use the external (Internet) name server(s), do the following:
   a. Select the Internet Name Server check box.
   b. In the corresponding IP Address field, type the IP address of the name server located in the external (Internet) burb (that is, your ISP’s name server).
   c. [Optional] In the Alternate IP Address field, type the IP address of an alternate name server.
   d. Click the Save icon in the toolbar to reconfigure your DNS settings. You will receive a pop-up message informing you whether the reconfiguration was successful.

Important: The pop-up message that appears may contain additional information or warnings about your Sidewinder G2 configuration. Please read this window carefully before you click OK.

Reconfiguring single server hosted DNS

Figure 10-11. Reconfiguring Sidewinder Hosted (single server) DNS window

To reconfigure DNS to use single server hosted services, in the Admin Console select Tools -> Reconfigure DNS. The Reconfigure DNS window appears.
About the Reconfiguring DNS: Sidewinder Hosted (single server) window

This window allows you to reconfigure your DNS settings to use hosted single server DNS services. Follow the steps below.

1. In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2. Select the 1 Server radio button.
3. In the Domain field, verify that the correct domain name appears.
4. In the Authority field, select one of the following options:
   Master: Select this option if the server you are defining will be a master name server. A master name server contains name and address information for every computer within its zone.
   Slave: Select this option if the server you are defining will be a slave name server. A slave name server is similar to a master name server, except that it does not maintain its own original data. Instead, it downloads data from another name server.
5. [Conditional] If you selected Slave in the previous step, type the IP address of the master authority server in the Master IP field.
6. Click the Save icon in the toolbar to reconfigure your DNS settings. You will receive a pop-up message informing you whether the reconfiguration was successful.

Important: The pop-up message that appears may contain additional information or warnings about your Sidewinder G2 configuration. Please read this window carefully before you click OK.
Reconfiguring split server hosted DNS

To reconfigure DNS to use split server hosted services, in the Admin Console select Tools -> Reconfigure DNS. The Reconfigure DNS window appears.

Figure 10-12. Reconfiguring Sidewinder Hosted (split server) DNS window

About the Reconfiguring DNS: Sidewinder Hosted (split server) window
This window allows you to reconfigure your DNS settings to use hosted split server DNS services. Follow the steps below.

1. In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2. Select the 2 Server radio button.
3. To configure the Unbound server, do the following:
   a. In the Domain field, verify that the correct domain name appears.
   b. In the Authority field, select one of the following options:
      Master: Select this option if the server you are defining will be a master name server. A master name server contains name and address information for every computer within its zone.
      Slave: Select this option if the server you are defining will be a slave name server. A slave name server is similar to a master name server, except that it does not maintain its own original data. Instead, it downloads data from another name server.
   c. [Conditional] If you selected Slave in the previous step, type the IP address of the master authority server in the Master IP field.
4. To configure the Internet server, do the following:
   a. In the Domain field, verify that the correct domain name appears.
   b. In the Authority field, select one of the following options:
      Master—Select this option if the server you are defining will be a master name server. A master name server contains name and address information for every computer within its zone.
      Slave—Select this option if the server you are defining will be a slave name server. A slave name server is similar to a master name server, except that it does not maintain its own original data. Instead, it downloads data from another name server.
   c. [Conditional] If you selected Slave in the previous step, type the IP address of the master authority server in the Master IP field.
5. Click the Save icon in the toolbar to reconfigure your DNS settings. You will receive a pop-up message informing you whether the reconfiguration was successful.

Important: The pop-up message that appears may contain additional information or warnings about your Sidewinder G2 configuration. Please read this window carefully before you click OK.

Manually editing DNS configuration files
If you prefer to edit the DNS configuration files manually, follow these steps.

Note: Files with a u extension are for the unbound nameserver, and files with an i extension are for the Internet nameserver.

Important: You should only edit zone files for a master name server. Never edit the slave name server files. The file names shown below are for a master name server.

1. Log in to the Sidewinder G2 and enter the following command to switch to the admin role.

   srole

Note: The following two steps assume you have database files named domain.db and reverse.db in your system. Substitute your file names as required.

2. Open the /etc/namedb.u/domain.db and /etc/namedb.i/domain.db files in a UNIX text editor and make the necessary changes.
3. Open the /etc/namedb.u/reverse.db and /etc/namedb.i/reverse.db files in a UNIX text editor and make the necessary changes.
4. Open the /etc/named.conf.u and /etc/named.conf.i files in a UNIX text editor and make the necessary changes.

Note: If you use the /etc/named.conf.* files to change an existing master zone into a slave zone, you must also manually remove the old zone files in your /etc/namedb.* directories.

5. If you have added new files, you must change the files to the correct Type Enforcement types. To do this, type the following command and insert the names of the file(s) you edited in steps 2, 3 and 4. For non-Internet (unbound) burbs, in place of x type the identifier u. For the Internet burb, in place of x type the index number of the Internet burb. (Use the region show command to determine the index number.)

   chtype DNSx:conf filename

6. Increment the serial number after every change to the master files.
7. Enter the following command to restart DNS.

   ndc restart

Note: Any files created by named daemons, such as zone backup files or query log files, have types of DNSu:file or DNSx:file.

8. Check /var/log/daemon.log for any errors.

DNS message logging

DNS messages, Type Enforcement errors and process limit errors are logged in the following locations on the Sidewinder G2.

/var/log/audit.raw: Contains information in the Sidewinder G2 audit format.
/var/log/daemon.log: Contains traditional Syslog format messages.

You can view the audit.raw file using the Audit windows in the Admin Console (see Chapter 18). The daemon.log file can be viewed using any text editor. (See Appendix A for more information on using the different text editors.)
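Steps 6 and 8 of the manual procedure, and the daemon.log location just described, can be checked from a script rather than by eye. The following is an added example, not code from the Sidewinder G2 product or this guide: it reads and increments the SOA serial of a master zone file (the first all-digit token after the SOA keyword, so it handles both one-line and multi-line SOA records), then confirms from syslog-style lines like those named writes to /var/log/daemon.log that the restarted server loaded that serial. The zone file, the zone name example.com, the log lines, and every function name are constructed for the example; the chtype and ndc restart steps are Sidewinder commands and are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the Sidewinder G2 guide): bump a master zone's SOA
# serial and confirm from a syslog-style daemon.log that named loaded it.
# All sample data below is constructed.

# Write a constructed master zone file to the path given as $1.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2005010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
        IN  NS  ns1.example.com.
ns1     IN  A   192.0.2.1
www     IN  A   192.0.2.10
EOF
}

# Print the SOA serial of zone file $1: the first all-digit token after the
# SOA keyword, with ';' comments ignored. Works for one-line and multi-line SOA.
zone_serial() {
    awk '
        {
            line = $0; sub(/;.*/, "", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (!after_soa) { if (tok[i] == "SOA") after_soa = 1; continue }
                if (tok[i] ~ /^[0-9]+$/) { print tok[i]; exit }
            }
        }' "$1"
}

# Replace the SOA serial of zone file $1 with old+1 (the guide's rule: increment
# after every change) and print the new value. Refuses to leave the 32-bit
# serial space (RFC 1982). Only the first serial token after SOA is touched.
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$((old + 1))
    [ "$new" -le 4294967295 ] || { echo "serial would overflow" >&2; return 1; }
    tmp="$1.tmp.$$"
    awk -v old="$old" -v new="$new" '
        /[ \t]SOA[ \t]/ { after_soa = 1 }
        !done && after_soa && match($0, "(^|[^0-9])" old "([^0-9]|$)") {
            s = RSTART
            if (substr($0, s, 1) !~ /[0-9]/) s++      # skip the boundary char
            $0 = substr($0, 1, s - 1) new substr($0, s + length(old))
            done = 1
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
    echo "$new"
}

# Constructed daemon.log lines (syslog format, modelled on BIND-style named
# messages) as they might appear after "ndc restart"; written to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:02:11 firewall named[412]: starting.
Jan 12 10:02:11 firewall named[412]: master zone "example.com" (IN) loaded (serial 2005010102)
Jan 12 10:02:11 firewall named[412]: Zone "example.org" (file example.org.db): No default TTL set using SOA minimum instead
Jan 12 10:02:12 firewall named[412]: example.org.db:8: Database error near (A)
EOF
}

# Print the serial named reports having loaded for zone $2 in log $1
# (empty when the zone never loaded); the last report wins.
loaded_serial() {
    grep "named\[[0-9]*\]: master zone \"$2\" (IN) loaded (serial " "$1" \
        | sed 's/.*(serial \([0-9]*\)).*/\1/' | tail -n 1
}

# Count named lines in log $1 that look like errors (simple keyword heuristic).
named_errors() {
    grep -ciE 'named\[[0-9]+\]:.*(error|failed)' "$1" || true
}

# After a restart: confirm the running named loaded the serial now in the
# zone file. $1 zone file, $2 zone name, $3 daemon.log. 0 on match, 1 otherwise.
verify_zone() {
    want=$(zone_serial "$1")
    got=$(loaded_serial "$3" "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}
```

Typical use on a real system: run bump_serial on the master zone file after editing it, restart DNS as described in step 7, then run verify_zone against /var/log/daemon.log and named_errors to see whether anything else in the restart needs attention. Because bump_serial rewrites the file, the Type Enforcement type set in step 5 must still be correct afterwards; check it before restarting.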
CHAPTER 11
Electronic Mail

About this chapter: This chapter covers the information you need to use electronic mail (e-mail) at your site and includes the following topics:
“Overview of e-mail on Sidewinder G2” on page 11-1
“Administering mail on Sidewinder G2” on page 11-6
“Managing sendmail” on page 11-7
“Editing the mail configuration files” on page 11-10
“Redirecting mail to a different destination” on page 11-20
“Other sendmail features” on page 11-22
“Managing mail queues” on page 11-27

Overview of e-mail on Sidewinder G2

The Sidewinder G2 uses the sendmail message transfer agent to receive and route mail messages. When you run mail on a network protected by the Sidewinder G2, all messages coming into and going out from your site must be routed through the Sidewinder G2.

Mail server configuration options

The Sidewinder G2 offers two configuration options for handling mail:

Transparent—This configuration option allows you to use transparent SMTP services (without sendmail processes running directly on the Sidewinder G2). Transparent SMTP service indicates that all inbound and outbound mail passes by proxy through the Sidewinder G2, just as other proxy traffic does. When you use transparent SMTP, the SMTP proxy is enabled and policy controls for mail are enforced via the active policy rules. If you selected Internet Services during configuration, two rules (smtp_in and smtp_out) are automatically created and added to the Mail rule group. The Mail rule group is automatically included in the active proxy rule group. Mail filtering is not supported for transparent mail services.
Secure Split SMTP Servers (hosted on Sidewinder G2)—This configuration option allows you to have two sendmail servers running directly on the Sidewinder G2, each supported on its own burb: the external burb and one non-Internet burb that you choose. The Sidewinder G2 sendmail servers will route mail through the Sidewinder G2 only for these two burbs. This configuration protects your internal mailhost from malicious attacks, and offers a variety of additional mail-handling options.

When using secure split mail services, the Sidewinder G2 external sendmail server is the mail host to which all external SMTP hosts will connect. The Sidewinder G2 internal sendmail server will connect with internal hosts in its same burb.

If you selected Secure Split SMTP during configuration, a rule called smtp_all is automatically created and added to the Mail rule group. This rule allows any client to connect to sendmail from any location and attempt to send mail to another user. The Mail rule group is automatically included in the active proxy rule group if you selected Internet Services during configuration.

If you already have e-mail services running on your internal network, the only change you need to make is to configure your internal mail host to forward all outgoing messages to the Sidewinder G2. Your internal mail host must run mail software that can accept incoming messages from and send outgoing messages to the Sidewinder G2. This system might be running sendmail or some other mail package such as Microsoft Exchange or cc:Mail with a Simple Mail Transport Protocol (SMTP) gateway.

When you configure secure split SMTP services, there are three separate sendmail servers that each have a different purpose.

Local
The local server handles mail that is sent directly from the Sidewinder G2. For example, if an administrator sends a mail message from the Sidewinder G2, it is sent through the local server. This sendmail process runs in the mtac domain and forwards all mail to the internal network side of the Sidewinder G2.

Internal
The internal server runs in a trusted burb that you specified during initial Sidewinder G2 configuration. This sendmail daemon receives mail from one of three sources:
— a host on the internal network
— a sendmail process transferring mail from the local sendmail server
— a sendmail process transferring mail from the external sendmail server

The internal server delivers mail to one of three places:
— If the message is for a user local to the Sidewinder G2, such as an administrator with a mailbox on the Sidewinder G2, it delivers the message to the user’s mailbox using the mail.local program.
— If the message is for a user on the internal network, it connects to the mail host on the internal network and delivers the mail there.
— If the message is not for either of the above, it assumes the message is for an external user and transfers the message to the external burb for that user.

External
The external server runs in the mta# domain (# is the burb index of the Internet burb). This sendmail daemon receives mail from one of two sources:
— a host on the external network
— a sendmail process transferring mail from the internal sendmail server

The external server delivers mail to one of two places:
— If the message is for an external user, it connects to an external host and delivers the mail there.
— If the message is for a user local to the Sidewinder G2 (such as an administrator) or for a user on the internal network, it transfers the mail to the internal burb for delivery to that user.
Mail filtering services on Sidewinder G2

The following mail filtering services can be configured by creating Mail Application Defenses and including them in the appropriate rule(s):

Note: You must have Secure Split SMTP mail servers configured to use mail filtering.

MIME/anti-virus filtering—You can configure filtering rules to specify the types of MIME elements that will be allowed or denied, configure the type of virus scanning you want to perform, configure infected file handling, specify file attachment size restrictions, and determine whether mail messages will be scanned as a whole (entire message is allowed or denied) or in segments (attachments may be dropped if they do not meet filtering criteria, but the acceptable portions of the mail message will still reach the recipient). You can also configure all mail to be rejected if scanning services become unavailable. See “Configuring the Mail MIME/Virus tab” on page 6-26.

Important: You must license and configure additional services before the MIME/Anti-Virus filter rules you create will scan mail messages. See “Configuring scanning services” on page 3-34.

Anti-spam filtering—Anti-spam filtering is a licensed service. Once you are licensed for Anti-spam, you can enable or disable it on a per-rule basis. See “Configuring the Mail Control tab” on page 6-22.

Note: If you enable anti-spam filtering without licensing it, filtering will not be performed.

Key word search filtering—The Keyword Search filter allows you to filter mail messages based on the presence of defined key words (character strings). See “About the Keyword Search tab” on page 6-24. You must enable the kmvfilter server in the appropriate burbs before the key word search filter will function.

Configure size limitations for mail messages—The size filter checks each e-mail message for the number of bytes it contains, including the message header. Messages that equal or exceed the size you specify will be rejected. See “About the Mail Size tab” on page 6-23.

Anti-relay controls—Anti-relay control uses access control to prevent your mailhost from being used by a hacker as a relay point for spam to other sites. This option is automatically enabled for all Mail defenses and cannot be disabled. See “Configuring the Mail Control tab” on page 6-22.
Sendmail differences on Sidewinder G2

When using Sidewinder-hosted SMTP services, all mail for a user local to the Sidewinder G2 goes to the internal mta domain for delivery. Local delivery does not take place in the external mta domain or the mtac domain. Running sendmail on the Sidewinder G2 works as it does in any other UNIX environment, with the following exceptions:

The Sidewinder G2 runs three separate sendmail servers (as described in the previous section).

Type Enforcement restricts sendmail so that its security flaws cannot be exploited. For example, Sidewinder G2 users cannot execute shell scripts or other executables through sendmail, as they could do on a standard UNIX system.

.forward files allow users to send their mail to another mailbox that may be at a different location. For example, Sidewinder G2 administrators might choose to forward their mail to a mailbox located on the internal network so they receive all of their mail in one place. Administrators can use .forward files, but these files cannot contain commands to run other programs, such as program mailers (for example, procmail). For more information on .forward files, see “Redirecting mail to a different destination” on page 11-20.

If a server is too busy to send a message, or if the machine it is sending mail to is not responding, the messages are sent to a mail queue. The Sidewinder G2 has a separate queue for each sendmail server: /var/spool/mqueue.# for the external server, /var/spool/mqueue.# for the internal server, and /var/spool/mqueue.c for the local server (# = the burb number of the server’s burb).

Important: If mail cannot be delivered on the first attempt, it is placed in a queue. By default, the system checks the queues every 30 minutes and attempts redelivery.

You can check if there are messages in the mail queues by following the steps described in “Managing mail queues” on page 11-27.

Note: Mail is an extremely complex subject and can require a great deal of effort to configure. With the Sidewinder G2, most of the mail configuration is automatically completed during initial Sidewinder G2 configuration. However, if you want to get deeper into mail than you have ever dreamed possible, the best resource is the book sendmail by Bryan Costales (O’Reilly & Associates, Inc.).
Administering mail on Sidewinder G2

Mail is configured on the Sidewinder G2 during initial Sidewinder G2 configuration. The configuration process allows you to specify either transparent or secure split (Sidewinder-hosted) mail services. If you select secure split services, you specify a mail host on your internal network, and the necessary configuration files are automatically set up for you.

Once the Sidewinder G2 is configured, everything you need to run the mail servers should already be set up:

The three mail domains: mtac, mtaX, and mtaY (where X = the number of the external burb, and Y = the number of an internal burb), are in place. Sendmail is already configured to route mail among the three sendmail servers.

Mail addressed to users on your internal network will be forwarded to the mail host you specified during configuration.

Messages that are sent to the person administering a mail system are generally addressed to “postmaster.” During configuration, you set up an administrator’s account. Postmaster messages are automatically routed to that user.

Note: You will need to configure your internal mail server to forward non-local mail to the Sidewinder G2. This procedure differs depending on the type of mail program your network runs. Refer to your mail software’s documentation for details.

To manually configure options for your mail servers, see “Managing sendmail” on page 11-7.
To enable or disable the servers, see “Managing sendmail” on page 11-7.
To configure Application Defenses for mail services, see “Creating Mail Application Defenses” on page 6-21.

Viewing administrator mail messages on Sidewinder G2

Administrators can receive mail as soon as an account is created on the Sidewinder G2. A mailbox will be created the first time an administrator sends or receives a mail message. Mailboxes for Sidewinder G2 administrators are stored in the /var/mail directory.

Important: Do not ignore the e-mail that accumulates on the Sidewinder G2, as it contains important information about your network and Sidewinder G2 and also uses disk space. Routinely read and delete mail sent to the Sidewinder G2, or have it redirected elsewhere. To redirect mail to another destination, see “Redirecting mail to a different destination” on page 11-20 or “Changing mail aliases” on page 11-26.
To view mail for a specific administrator account, follow the steps below.

1. At a Sidewinder G2 command prompt, log in to the Sidewinder G2 using your administrator user ID and password.
2. Enter the following command to change to the Admn role:

   srole

Note: If you are a read-only administrator, enter srole adminro to change to the AdRO domain.

3. Enter the following command to view a list of email messages addressed to your mailbox:

   mail

Note: Refer to the mail man page for detailed information on utilizing the mail command. If you prefer, you may use an alternate mail program, such as Elm.

You can also configure your mail account to forward messages to an internal email account.

Managing sendmail

You can perform many of the necessary sendmail configuration functions using the Admin Console. To enable or disable the sendmail server, follow the steps below.

1. In the Admin Console, select Services Configuration -> Servers and then select sendmail.
2. To enable sendmail in a burb, select the corresponding check box for that burb. To disable sendmail in a burb, deselect the check box.
3. Click the Save icon in the toolbar to save your changes.
4. To modify your existing mail configuration, select the Configuration tab. The following window appears:

Figure 11-1. sendmail window: Configuration tab

About the sendmail Configuration tab

The sendmail Configuration tab allows you to edit some of the more common mail configuration files, enable ACL rule checking, and also provides a shortcut to the Reconfigure Mail window. You can perform the following actions:

Edit common mail configuration files—This portion of the window displays commonly used mail configuration files for the two burbs containing mail servers. If you need to edit one of the files, select that file from the appropriate list and then click Edit File. The selected file will be opened using the File Editor. (For basic information on using the File Editor, see “Using the Admin Console File Editor” on page 2-12. For detailed information on editing mail configuration files, see “Editing the mail configuration files” on page 11-10.)

Enable ACL Rule Checking—This field is enabled by default and cannot be disabled.

Go to the Reconfigure Mail window—Click Reconfigure Mail to go directly to the Reconfigure Mail window. The Reconfigure Mail window allows you to completely reconfigure your existing mail configuration files or create a default set of SMTP server configuration files. See “Reconfiguring mail” on page 11-9 for more information.
Reconfiguring mail

Figure 11-2. Reconfigure Mail window

The Reconfigure Mail window is used to reconfigure your existing mail configuration on the Sidewinder G2. In the Admin Console, select Tools -> Reconfigure Mail. (You can also access this window within the Configuration tab in the sendmail server window.) The Reconfigure Mail window appears.

About the Reconfigure Mail window

The Reconfigure Mail window allows you to reconfigure your existing mail configuration. Follow the steps below.

Caution: If you manually edited any sendmail configuration files, changing your mail configuration in the Reconfigure Mail window will overwrite the changes you made. Also, if there is e-mail in the queue directory for a burb that will not be specified in the new mail configuration, the e-mail will be deleted.

1. In the New SMTP Mode drop-down list, select the mail configuration mode you want to configure. The following options are available:

Tip: Be sure to verify that your active proxy rules support the SMTP service configuration that you choose. If you reconfigure your mail to use transparent services, you will need to ensure that the appropriate proxy rules (rules that allow mail to be delivered through the Sidewinder G2) are included in the active proxy rule group. If you reconfigure your mail to use hosted (split) services, you will need to ensure that the appropriate proxy rules exist if you configure the SMTP servers to perform policy rule checks.

Note: The current mode is listed in the Current SMTP Mode field.

   Transparent—This option is used when you want to totally reconfigure your mail system to use transparent SMTP service. Transparent SMTP indicates that mail passes by proxy through the Sidewinder G2. If you select this option, only the necessary files needed to send administrative messages (including Sidewinder G2-generated alerts, messages, and logs) will be configured. The SMTP proxy is enabled.
   Secure Split SMTP Servers (Sidewinder-hosted)—This option is used when you want to totally reconfigure your mail system. It allows you to take advantage of configuring additional sendmail features including header stripping, spam control, mail routing and aliases, and masquerading. For more information on configuring these features, see “Other sendmail features” on page 11-22.
2. In the Internal SMTP Burb field, select the burb in which your site’s internal SMTP server resides.
3. In the Internal SMTP Mail Server field, type the fully qualified name of your site’s internal SMTP server.
4. Click the Save icon in the toolbar (or click Apply if you are accessing this window from the Server window) to reconfigure your mail mode. A confirmation window will appear when the reconfiguration process is complete.
5. [Conditional] If you accessed Reconfigure Mail from the Servers window, click Close to return to the sendmail server Configuration tab.

Editing the mail configuration files

Sendmail stores its configuration information in sendmail.cf files. These files contain information such as which delivery agents to use and how to format message headers. These files are automatically set up and generated for you when you install and configure your Sidewinder G2. You should change your configuration options only if you are directed to do so by Secure Computing, or if you are an experienced sendmail user and want to customize the files for your site.

Sendmail allows you to create configuration files using macros written for the m4 preprocessor. Sections 19.5 and 19.6 in the UNIX System Administration Handbook describe these macros. You can also refer to the book sendmail by Bryan Costales (O’Reilly & Associates, Inc.).
Figure 11-3. <strong>Sidewinder</strong><br />
<strong>G2</strong> mailertables<br />
Editing the mail configuration files<br />
You set up two mailertables on the Sidewinder G2: one internal and<br />
one external. The external mailertable, /etc/mail/mailertable.mta# (#<br />
= the number of the external burb), processes the mail and directs it<br />
to the internal mailertable. The internal mailertable,<br />
/etc/mail/mailertable.mta# (# = the number of a trusted burb), sorts the<br />
mail by host name and sends the mail to the correct internal mail host.<br />
Figure 8-1 shows an example of the route along which incoming mail<br />
messages travel.<br />
[Figure 11-3: incoming e-mail for charlie@foo.com, lucy@sales.foo.com,<br />
linus@corp.foo.com, and sally@ads.foo.com arrives at the Sidewinder G2<br />
external mailertable (/etc/mail/mailertable.mta#), is handed to the<br />
Sidewinder G2 internal mailertable (/etc/mail/mailertable.mta#), and is<br />
delivered to its message destination: linus to corphub, charlie and sally<br />
to foohub, lucy to saleshub.]<br />
Sidewinder G2 external mailertable:<br />
foo.com        burbmailer-burb:localhost<br />
.foo.com       burbmailer-burb:localhost<br />
Sidewinder G2 internal mailertable:<br />
foo.com        smtp:foohub<br />
.foo.com       smtp:foohub<br />
corp.foo.com   smtp:corphub<br />
The <strong>Sidewinder</strong> <strong>G2</strong> provides several different editors that you can use<br />
when manually editing your mail files. The easiest method <strong>of</strong><br />
modifying these files is using the Admin Console. You may also use vi,<br />
emacs, or pico if you prefer.<br />
To edit the mail configuration files using the Admin Console, follow<br />
these steps:<br />
Caution: Only experienced administrators should modify sendmail configuration files.<br />
1. Log in to the Admin Console and select Services Configuration -><br />
Servers.<br />
2. Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
Electronic Mail 11-11
3. Select the configuration file you want to modify in the appropriate burb<br />
configuration file list. You may edit the following files for a burb:<br />
Important: If you modify any <strong>of</strong> these files, click the Save icon in the toolbar to<br />
rebuild the sendmail configuration and database files.<br />
Access Table—This file defines anti-relaying and anti-spamming<br />
policies for the SMTP server.<br />
Aliases File—(Available only in the internal burb.) This file defines<br />
the mail aliases that are used to redirect e-mail to another person<br />
or location.<br />
Alternate Host Names File—This file identifies alternate host names<br />
by which the <strong>Sidewinder</strong> <strong>G2</strong> is known. E-mail addressed to any <strong>of</strong><br />
the alternate names is treated as local mail by the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Domain Table—This file provides a mapping from an old domain<br />
name to a new domain name. For example, you might modify this<br />
file if your organization’s external domain name changes.<br />
M4 Config File—This file defines the initial sendmail configuration.<br />
Modify this file as needed to account for your site-specific<br />
requirements.<br />
Mailer Table—This file maps a domain to a mail relay that is<br />
responsible for mail delivery in that domain.<br />
Important: Only edit mail configuration files if it is necessary for your site’s e-mail<br />
functionality.<br />
There are separate files for each sendmail daemon running on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
4. Save your changes, and close the file.<br />
5. Open the appropriate mailertable file and edit as necessary.<br />
Important: Only edit mailertable files if it is necessary for your site’s e-mail<br />
functionality.<br />
The mailertable files are named /etc/mail/mailertable.mta# (# = the<br />
appropriate burb number).<br />
6. Enter the correct domain, mailer, and host in the following format (the<br />
domain and the mailer:host pair are separated by whitespace):<br />
domain        mailer:host<br />
On the internal side of the network, the mailertable appears as:<br />
.foo.com        smtp:foohub<br />
foo.com         smtp:foohub<br />
corp.foo.com    smtp:foohub<br />
sales.foo.com   smtp:foohub<br />
On the external side of the network, the mailertable should appear as:<br />
foo.com        burbmailer-burb:localhost<br />
.foo.com       burbmailer-burb:localhost<br />
where burb = the external burb number and Y = the internal (trusted)<br />
burb number.<br />
The entries that begin with a dot act as a wildcard, matching any host<br />
within that domain. The entries that do not begin with a dot match only<br />
the full domain name. See the /usr/share/sendmail/README file for more<br />
information on creating mailertables.<br />
7. Save the changes you made to the file and then close the file.<br />
8. Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
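The two-stage mailertable lookup described in this section, as an added example (not Sidewinder G2 or sendmail code): it parses mailertable files of the form shown above and resolves a recipient the way sendmail does, where an entry without a leading dot matches only that exact domain, a leading-dot entry matches any host below it, and the longest matching suffix wins. The file contents are constructed from the entries in Figure 11-3.

```python
"""Mailertable routing on the Sidewinder G2: the external mailertable hands
mail for the site's domains to the trusted burb via burbmailer, and the
internal mailertable sorts it by host name.

Added example (not Sidewinder G2 or sendmail code). It implements sendmail's
mailertable lookup rule: an entry without a leading dot matches only that
exact domain; an entry with a leading dot matches any host below it, and the
longest matching suffix wins.
"""

# Constructed file contents, built from the entries in Figure 11-3. "burb" in
# the mailer name stands in for the burb number, exactly as the page shows it.
EXTERNAL_MAILERTABLE = """\
foo.com\t\tburbmailer-burb:localhost
.foo.com\tburbmailer-burb:localhost
"""

INTERNAL_MAILERTABLE = """\
# comments and blank lines are ignored by the parser below
foo.com\t\tsmtp:foohub
.foo.com\tsmtp:foohub
corp.foo.com\tsmtp:corphub
sales.foo.com\tsmtp:saleshub
"""


def parse_mailertable(text):
    """Parse 'domain<whitespace>mailer:host' lines into {domain: (mailer, host)}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1]:
            raise ValueError(f"line {lineno}: expected 'domain mailer:host', got {raw!r}")
        domain, target = parts
        mailer, host = target.split(":", 1)
        table[domain.lower()] = (mailer, host)
    return table


def lookup(table, domain):
    """Return (mailer, host) for a domain, or None if no entry applies.

    Exact entries are tried first, then the dotted suffixes of the domain
    from longest to shortest (.sales.foo.com, .foo.com, .com).
    """
    domain = domain.lower().rstrip(".")
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def route(recipient, external, internal):
    """Trace a recipient through the external and then the internal mailertable.

    Returns the list of (mailer, host) hops; an empty list means the external
    sendmail has no route for the domain and will not relay the message.
    """
    domain = recipient.rsplit("@", 1)[-1]
    hops = []
    first = lookup(external, domain)
    if first is None:
        return hops
    hops.append(first)
    # burbmailer hands the message to the trusted burb, where the internal
    # mailertable picks the final mail host
    if first[0].startswith("burbmailer"):
        final = lookup(internal, domain)
        if final is not None:
            hops.append(final)
    return hops


if __name__ == "__main__":
    ext = parse_mailertable(EXTERNAL_MAILERTABLE)
    intr = parse_mailertable(INTERNAL_MAILERTABLE)
    for rcpt in ("charlie@foo.com", "lucy@sales.foo.com", "linus@corp.foo.com",
                 "sally@ads.foo.com", "pc@box.corp.foo.com", "eve@example.net"):
        print(rcpt, "->", route(rcpt, ext, intr))
```

Note that pc@box.corp.foo.com does not reach corphub: corp.foo.com has no leading dot, so hosts below it fall through to the .foo.com wildcard and land on foohub.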
Configuring advanced anti-spam options<br />
Using the Admin Console, you can configure the following advanced<br />
anti-spam areas:<br />
Configure the whitelist.cfg files to specify domains, IP addresses,<br />
and headers that will be allowed to pass through unmodified<br />
regardless <strong>of</strong> any rules that have been created. There is a separate<br />
whitelist.cfg file for the internal and external (Internet) burbs. For<br />
information on configuring a whitelist, see “Configuring the<br />
whitelist.cfg files” on page 11-13.<br />
Configure the policy.cfg file to determine the actions that will be<br />
taken by the spam filter on a per-burb basis when it encounters<br />
messages that are suspected to be spam. To configure the<br />
policy.cfg file, see “Configuring the policy.cfg file” on page 11-15.<br />
Caution: Modifying the authority.cfg files may prevent the spam filter from starting.<br />
Therefore, the authority.cfg file should not be modified.<br />
Configuring the whitelist.cfg files<br />
To configure a whitelist for the internal or external (Internet) burb, in<br />
the Admin Console select Services Configuration -> Servers and then<br />
select Spamfilter from the list <strong>of</strong> servers. Select the Advanced tab. The<br />
following window appears.<br />
Figure 11-4. Spamfilter Advanced tab<br />
About the Spamfilter Advanced tab<br />
This tab allows you to manually configure whitelist entries for the<br />
internal or external (Internet) burbs using the File Editor. To configure<br />
a whitelist for the internal burb, select Edit Internal Burb Whitelist. To<br />
configure the external (Internet) burb, select Edit Internet Burb Whitelist.<br />
The appropriate whitelist.cfg file opens for editing.<br />
There are two types of whitelist entries that can be added to this file:<br />
Host—This type of whitelist entry applies to any kind of IP address<br />
or domain name. If a DNS name is provided, then whitelist<br />
effectiveness is contingent on DNS being properly enabled and set<br />
up on the system on which Authority is installed. IP subclasses and<br />
DNS subdomains are supported. The following examples display<br />
the basic structure for a host entry:<br />
type = host; address = [1.2.3.4]<br />
type = host; address = [192.168.]<br />
type = host; address = [mx1.somecompany.com]<br />
type = host; address = [.gov]<br />
Header—This type of whitelist entry matches a substring or regular<br />
expression against the specified header field. The following examples<br />
display the basic structure for a header entry:<br />
type = header; header = [From]; value = [@.*gov>];<br />
type = header; header = [From]; value = [@cloudmark.com];<br />
When you are finished modifying the whitelist.cfg file, select File -><br />
Save to save your changes and then select File -> Exit to return to the<br />
Spamfilter Advanced tab.
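Whitelist matching for the host and header entries described above, as an added example (not the Authority spam filter's own code). It parses entries in the form shown on the page and evaluates a message's connecting IP address, host name and headers against them; the whitelist.cfg contents and the messages are constructed from the page's examples.

```python
"""Whitelist matching for whitelist.cfg entries.

Added example, not the Authority spam filter's own code. Host entries are
compared with the connecting client's IP address (an exact address or a
dotted prefix such as 192.168.) and host name (an exact name or a
leading-dot domain suffix such as .gov). Header entries are matched as a
substring or regular expression against the named header field.
"""
import re

# Constructed whitelist.cfg built from the page's example entries.
WHITELIST_CFG = """\
type = host; address = [1.2.3.4]
type = host; address = [192.168.]
type = host; address = [mx1.somecompany.com]
type = host; address = [.gov]
type = header; header = [From]; value = [@.*gov>];
type = header; header = [From]; value = [@cloudmark.com];
"""

# key = [bracketed value] or key = bare value; bracketed values may contain ';'
_FIELD = re.compile(r"(\w+)\s*=\s*(?:\[([^\]]*)\]|([^;]+))")


def parse_whitelist(text):
    """Return a list of ('host', address) and ('header', name, value) entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
                  for m in _FIELD.finditer(line)}
        kind = fields.get("type")
        if kind == "host" and "address" in fields:
            entries.append(("host", fields["address"]))
        elif kind == "header" and "header" in fields and "value" in fields:
            entries.append(("header", fields["header"], fields["value"]))
        else:
            raise ValueError(f"line {lineno}: unrecognised whitelist entry {raw!r}")
    return entries


def host_matches(pattern, client_ip, client_host):
    """Exact IP, IP prefix (trailing dot), exact host, or domain suffix (leading dot)."""
    pattern = pattern.lower()
    if pattern.endswith(".") and pattern.replace(".", "").isdigit():
        return client_ip.startswith(pattern)
    if pattern.startswith("."):
        # The host name should come from a forward-confirmed reverse lookup;
        # the page notes that host entries depend on DNS being set up properly.
        return client_host.lower().endswith(pattern)
    return client_ip == pattern or client_host.lower() == pattern


def header_matches(pattern, field_value):
    """Substring match, or regular-expression search when the pattern is a valid regex."""
    if pattern in field_value:
        return True
    try:
        return re.search(pattern, field_value) is not None
    except re.error:
        return False


def is_whitelisted(entries, client_ip, client_host, headers):
    """Return the first whitelist entry the message satisfies, or None.

    A header entry keyed on From trusts a value the sender chose, so it
    exempts from filtering whatever claims to come from that address.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for entry in entries:
        if entry[0] == "host":
            if host_matches(entry[1], client_ip, client_host):
                return entry
        else:
            value = lowered.get(entry[1].lower())
            if value is not None and header_matches(entry[2], value):
                return entry
    return None


if __name__ == "__main__":
    wl = parse_whitelist(WHITELIST_CFG)
    print(is_whitelisted(wl, "192.168.7.9", "relay.example", {}))
    print(is_whitelisted(wl, "10.9.8.7", "mail.example.com",
                         {"From": "Senator <sen@senate.gov>"}))
```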
Configuring the policy.cfg file<br />
The policy.cfg file allows you to determine the actions that will be<br />
taken by the spam filter on a per-burb basis when it encounters<br />
messages that are suspected to be spam. These configuration options<br />
are stored in the /etc/sidewinder/authority/policy.cfg file. The<br />
policy.cfg file contains a list <strong>of</strong> the actions that will be taken based on<br />
the disposition <strong>of</strong> an email message (that is, the likelihood <strong>of</strong> the<br />
message being spam).<br />
The basic structure <strong>of</strong> each action is as follows:<br />
threshold=85%; action=ADDHEADER; config=[header=[X-SPAM]; value=[%p%%]]<br />
where:<br />
threshold—This field indicates the confidence level that is assigned<br />
to an action. A high confidence level indicates that a message is<br />
likely to be spam. A low confidence level indicates that a message<br />
is unlikely to be spam. You can assign threshold values from<br />
0–100. However, each action must have a unique threshold value.<br />
action—This field specifies the action that will be taken for a<br />
message based on the threshold defined. The available actions are<br />
described in the following sections.<br />
config—The configuration options allow you to specify additional<br />
attributes for a particular action. The available configuration<br />
options for each action are described in the following sections.<br />
Configuring a policy configuration file<br />
This section provides steps to access the policy.cfg files. For<br />
information on modifying a particular action, refer to the sections that<br />
follow this procedure.<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong> using the Admin Console and select File<br />
Editor. The File Editor window appears.<br />
2. Click Start File Editor and select File -> Open. The Open File window<br />
appears.<br />
3. Select the Firewall File radio button. The Open File window appears.<br />
Each burb on the Sidewinder G2 has a policy.cfg.SMF file associated with it,<br />
allowing you to configure different actions for different burbs on the<br />
Sidewinder G2. To distinguish among files, the corresponding burb<br />
index number is appended to each file (for example, policy.cfg.SMF1 is<br />
the configuration file for burb index 1).<br />
4. Type the following path in the File field:<br />
/etc/sidewinder/authority/policy.cfg.SMFn<br />
(where n is the corresponding burb index for the burb you want to<br />
configure)<br />
5. Click OK to open the file. The policy.cfg.SMF file for the burb you selected<br />
is displayed.<br />
Actions that are commented out (that is, the first character is a # sign)<br />
are disabled. To enable an action, remove the # sign. To modify a<br />
particular action, refer to the previous sections.<br />
About the ADDHEADER action<br />
The ADDHEADER action will apply a new text header line to the<br />
message. The new header can then be used as a flag to sort or discard<br />
messages that contain that header text. The following two<br />
configuration options can be used with this action:<br />
header—This option allows you to specify the text string that will<br />
act as the name <strong>of</strong> the questionable header. The default value is<br />
X-SPAM.<br />
value—This option allows you to include the threshold value in the<br />
header. The syntax for this option uses standard C language<br />
expansion syntax. The only syntax supported for this option is<br />
%p%%. At run time, the %p portion <strong>of</strong> this option is replaced with<br />
the specified threshold value and the %% portion is translated to a<br />
single % sign.<br />
The following is an example of an ADDHEADER action that will add a<br />
text header of “X-SPAM **%” to the message:<br />
threshold=**%;action=ADDHEADER;config=[header=[X-SPAM];value=[%p%%]]<br />
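The policy.cfg structure described above, with the %p%% expansion used by the ADDHEADER action here and by the TAG action later in this chapter, as an added example (not the Authority spam filter's own code). The policy.cfg contents are constructed from the action forms shown in the ADDHEADER, COPY, DROP, REFUSE, SAVE and TAG sections, with constructed threshold values; the page does not state which action fires for a given confidence, so the selection rule in `select_action` is an assumption.

```python
"""Parse a policy.cfg.SMFn file and apply the %p%% expansion.

Added example, not the Authority spam filter's own code. It reads the
threshold/action/config lines in the form the page shows (nested [..] config
values, '#' disabling an action), enforces the stated rules (thresholds
0-100, each threshold unique) and renders the text an ADDHEADER, TAG or
REFUSE action would produce. Assumption: the action with the highest
threshold not above the message's spam confidence is the one that applies.
"""

# Constructed policy.cfg; the page's "**" thresholds are replaced with
# constructed values. The SAVE line is commented out, so it is disabled.
POLICY_CFG = """\
threshold=60%; action=ADDHEADER; config=[header=[X-SPAM]; value=[%p%%]]
threshold=70%; action=TAG; config=[target=subject; action=prefix; text=[SPAM: %p%%]]
threshold=80%; action=COPY; config=[path=./copied; depth=0; default domain=local]
#threshold=90%; action=SAVE; config=[path=./saved; depth=0; method=consolidated; cycle=hourly]
threshold=95%; action=REFUSE; config=[rcode=500; xcode=5.0.0; text=[Delivery Denied.]]
threshold=99%; action=DROP
"""


def split_fields(text):
    """Split 'key=value; key=[v; v]' on ';' outside brackets; strip one outer [] from values."""
    fields, depth, start = [], 0, 0
    s = text + ";"
    for i, ch in enumerate(s):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {text!r}")
        elif ch == ";" and depth == 0:
            part = s[start:i].strip()
            start = i + 1
            if not part:
                continue
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"missing '=' in {part!r}")
            value = value.strip()
            if value.startswith("[") and value.endswith("]"):
                value = value[1:-1]
            fields.append((key.strip(), value))
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {text!r}")
    return fields


def parse_policy(text):
    """Return enabled actions sorted by threshold: [{'threshold', 'action', 'config'}]."""
    actions, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # a leading '#' disables the action
            continue
        fields = dict(split_fields(line))
        if "threshold" not in fields or "action" not in fields:
            raise ValueError(f"line {lineno}: threshold and action are required")
        threshold = int(fields["threshold"].rstrip("%"))
        if not 0 <= threshold <= 100:
            raise ValueError(f"line {lineno}: threshold {threshold} outside 0-100")
        if threshold in seen:
            raise ValueError(f"line {lineno}: duplicate threshold {threshold}")
        seen.add(threshold)
        actions.append({"threshold": threshold, "action": fields["action"].upper(),
                        "config": dict(split_fields(fields.get("config", "")))})
    return sorted(actions, key=lambda a: a["threshold"])


def expand(template, threshold):
    """%p becomes the threshold value and %% a single %, the only expansion the page documents."""
    return template.replace("%%", "\0").replace("%p", str(threshold)).replace("\0", "%")


def select_action(actions, confidence):
    """Assumption: the enabled action with the highest threshold <= confidence applies."""
    chosen = None
    for action in actions:          # ascending threshold order
        if action["threshold"] <= confidence:
            chosen = action
    return chosen


def render(action, subject="(no subject)"):
    """Text produced by the action: a header line, a tagged subject, or an SMTP reply."""
    kind, cfg, t = action["action"], action["config"], action["threshold"]
    if kind == "ADDHEADER":
        return f"{cfg.get('header', 'X-SPAM')}: {expand(cfg.get('value', ''), t)}".rstrip()
    if kind == "TAG":
        tag = expand(cfg["text"], t)
        return f"{tag} {subject}" if cfg.get("action", "prefix") == "prefix" else f"{subject} {tag}"
    if kind == "REFUSE":
        # the page documents the option as msg but its example uses text; accept both
        message = cfg.get("msg", cfg.get("text", ""))
        return f"{cfg['rcode']} {cfg['xcode']} {message}".strip()
    return kind                      # COPY, SAVE and DROP produce no message text


if __name__ == "__main__":
    actions = parse_policy(POLICY_CFG)
    for confidence in (50, 65, 72, 85, 96, 100):
        hit = select_action(actions, confidence)
        print(confidence, "->", "no action" if hit is None else render(hit, "Re: invoice"))
```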
About the COPY action<br />
Important: If your site handles a large amount <strong>of</strong> spam messages, the disk space<br />
required to store copies can become significant. You may need to delete the copied<br />
mailboxes periodically in this case.<br />
This action will deliver the message to the recipient, as well as store a<br />
copy <strong>of</strong> the message in a designated location. The message can then<br />
be examined or deleted from the mbox file by an administrator. The<br />
following options can be specified for this action:<br />
path—The path for this value is preset as<br />
/var/spool/authority/copied. Do not modify the path value.<br />
depth—This option indicates the depth <strong>of</strong> the file within the<br />
directory. The default value is 0.<br />
default domain—This option allows you to specify the domain that<br />
will be used if a recipient does not have a domain specified. The<br />
default is local.<br />
method—This option specifies whether or not a unique mailbox<br />
will be created for each user in the designated directory, as<br />
follows:<br />
— individual: Specify this method to create a unique mailbox for<br />
each recipient.<br />
— consolidated: Specify this option to create a single, central<br />
mailbox.<br />
cycle—If a consolidated mailbox is used, this option can be used to<br />
create additional consolidated mailboxes. You can specify that a<br />
new mailbox be created each hour (hourly) or each day (daily).<br />
The following is an example <strong>of</strong> a COPY action:<br />
threshold=**%;action=COPY;config=[path=./copied;depth=0;default domain=local]<br />
About the DROP action<br />
This action deletes the message from the MTA and prevents it from<br />
being delivered to its recipient. Dropped messages cannot be<br />
recovered. There are no options that can be configured for this action.<br />
The following is an example <strong>of</strong> a DROP action that will delete the<br />
message from the MTA without delivering it to the recipient or saving<br />
a copy <strong>of</strong> the message for later handling:<br />
threshold=**%;action=DROP<br />
About the REFUSE action<br />
This action rejects suspected spam at the gateway and allows the<br />
sender to receive a customized return message, simulating the<br />
absence <strong>of</strong> a mailbox. The following options can be specified for this<br />
action:<br />
rcode—This option specifies the main SMTP response code. This is<br />
specified in RFC 821.<br />
xcode—This option specifies the secondary SMTP response code.<br />
This is specified in RFC 2034.<br />
msg—This option specifies the text that will be contained in the<br />
error message that is returned to the sender. For example, Delivery<br />
denied. Mailbox unknown.<br />
The following is an example <strong>of</strong> a REFUSE action that will cause mail<br />
suspected <strong>of</strong> being spam to be discarded at the gateway. The message<br />
“Delivery Denied.” will be returned to the sender.<br />
threshold=**%;action=REFUSE;config=[rcode=500;xcode=5.0.0;text=[Delivery Denied.]]<br />
About the SAVE action<br />
Important: If your site handles a large amount <strong>of</strong> spam messages, the disk space<br />
required to store saved messages can become significant. You may need to delete the<br />
saved mailboxes periodically in this case.<br />
This action stores the message in a designated location without<br />
delivering a copy to the recipient. The message can then be<br />
examined, deleted, or forwarded to the intended recipient by an<br />
administrator. The following options can be specified for this action:<br />
path—The path for this value is preset as<br />
/var/spool/authority/saved. Do not modify the path value.<br />
depth—This option indicates the depth <strong>of</strong> the file within the<br />
directory. The default is 0.
default domain—This option allows you to specify the domain that<br />
will be used if a recipient does not have a domain specified. The<br />
default is local.<br />
method—This option specifies whether or not a unique mailbox<br />
will be created for each user in the designated directory, as<br />
follows:<br />
— individual: Specify this method to create a unique mailbox for<br />
each recipient.<br />
— consolidated: Specify this option to create a single, central<br />
mailbox.<br />
cycle—If a consolidated mailbox is used, this option can be used to<br />
create additional consolidated mailboxes. You can specify that a<br />
new mailbox be created each hour (hourly) or each day (daily).<br />
The following is an example <strong>of</strong> a SAVE action that will save all<br />
messages in the specified threshold to a single directory. A new<br />
directory will be created every hour.<br />
threshold=**%;action=SAVE;config=[path=./saved;depth=0;defaultdomain=local;method=consolidated;cycle=hourly]<br />
About the TAG action<br />
This action tags the message with a text string (such as “SPAM”) in the<br />
subject <strong>of</strong> the message, and then delivers it to the recipient. The<br />
following options can be specified for this action:<br />
target—This option specifies where the tag will be added.<br />
Currently, the tag can only be added to the subject <strong>of</strong> a message.<br />
action—This option determines whether the tag will be added to the<br />
beginning (prefix) or end (postfix) of the message subject.<br />
text—This option specifies the actual text that will be added to the<br />
subject. The text must be enclosed in brackets, and should consist<br />
<strong>of</strong> a short string using uppercase characters (for example, SPAM),<br />
ending with a colon.<br />
You can also include a confidence rating in the text portion of this<br />
tag. A confidence rating provides a percentage rating, indicating<br />
the likelihood that the email is spam using the Authority’s numerical<br />
spam confidence rating system. To include the confidence rating<br />
in this tag, add the string %p%% within the text brackets,<br />
following the colon (you must include a space between the colon<br />
and the string), as shown in the example below. At run time, the<br />
%p portion of this option is replaced with the specified threshold<br />
value and the %% portion is translated to a single % sign.<br />
The following is an example of a TAG action that will include the tag<br />
“SPAM” at the beginning of the subject line:<br />
threshold=**%;action=TAG;config=[target=subject;action=prefix;text=[SPAM: %p%%]]<br />
Redirecting mail to a different destination<br />
If you want to redirect mail from a mailbox to a different destination,<br />
you place a .forward file either in the user’s home directory or in the<br />
/root directory, on the system the mail is sent from. The following<br />
sections provide information on how to create .forward files on the<br />
Sidewinder G2. (For additional information on .forward files, see<br />
Chapter 19 in the UNIX System Administration Handbook.)<br />
Creating a .forward file in a user’s home directory<br />
This section describes how to create a .forward file in a user’s home<br />
directory. Follow the steps below.<br />
1. At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, log in to the <strong>Sidewinder</strong> <strong>G2</strong><br />
using your administrator user ID and password.<br />
2. Enter the following command to switch to the admn role:<br />
srole<br />
3. Enter the following command to change to the /home/username<br />
directory (where username is a variable dependent on the user’s login).<br />
cd /home/username<br />
4. Use a text editor to create a new file called .forward.<br />
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the File<br />
Editor in the Admin Console as your text editor. See “Using the Admin Console File<br />
Editor” on page 2-12.
5. Enter the address where you want to have your mail redirected.<br />
For example:<br />
lloyd@foo.com<br />
6. Save your changes.<br />
7. Use the following command to change the owner <strong>of</strong> the file (the user<br />
must also be the owner <strong>of</strong> the file):<br />
chown username /home/username/.forward<br />
8. Use the following command to set the appropriate permissions:<br />
chmod 644 /home/username/.forward<br />
9. Use the following command to change the file’s type:<br />
chtype User:frwd .forward<br />
Creating a .forward file in the root directory<br />
To create a .forward file in the root directory, follow the steps below.<br />
1. At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, log in to the <strong>Sidewinder</strong> <strong>G2</strong><br />
using your administrator user ID and password.<br />
2. Enter the following command to switch to the admn role:<br />
srole<br />
3. Enter the following command to change to the /root directory.<br />
cd /root<br />
4. Use a text editor to create a new file called .forward.<br />
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the File<br />
Editor in the Admin Console as your text editor. See “Using the Admin Console File<br />
Editor” on page 2-12.<br />
5. Enter the address where you want to have your mail redirected.<br />
For example:<br />
chloe@foo.com<br />
6. Save your changes.<br />
7. Use the following command to change the file’s type.<br />
chtype Admn:frwd .forward<br />
Other sendmail features<br />
The mail server is initially installed with default settings that enable<br />
basic mail services. However, sendmail provides several additional<br />
features that you may choose to configure:<br />
Header stripping—Enables you to remove header information from<br />
a message to conceal internal host information from the outside<br />
world.<br />
Note: Header information can only be removed for outbound mail (that is, mail<br />
leaving the <strong>Sidewinder</strong> <strong>G2</strong>). Therefore, you should only enable header stripping in the<br />
destination (or external) burb for a message. If you configure header stripping in the<br />
source burb <strong>of</strong> a message, header stripping will not happen for that message.<br />
Blackhole list—Enables you to eliminate unwanted and unsolicited<br />
e-mail. The types <strong>of</strong> spam control you might implement include<br />
use <strong>of</strong> a Realtime Blackhole list, Promiscuous Relaying, and so on.<br />
Mail routing—Enables you to reroute e-mail from one domain name<br />
to another domain name.<br />
Mail aliases—Enables you to redirect inbound mail to another<br />
person or location.<br />
Masquerading—Enables you to transform a local host address in the<br />
header <strong>of</strong> an e-mail message into the address <strong>of</strong> a different host.<br />
Header stripping, the RealTime Blackhole list, and promiscuous<br />
relaying are the most popular additional sendmail features. The details<br />
for implementing these features are described in the sections that<br />
follow. For information on implementing the other sendmail features,<br />
refer to the book sendmail by Bryan Costales (O’Reilly & Associates,<br />
Inc.).<br />
Configuring sendmail to strip message headers<br />
During the normal operation of sendmail, the path a message traces is<br />
appended to the message by each host through which the mail<br />
passes. This can carry internal host names and IP addresses beyond<br />
the Sidewinder G2.<br />
You can configure sendmail to strip or scrub the following headers<br />
from messages leaving the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Received (stripped)<br />
X400-received (stripped)<br />
Via (stripped)<br />
Mail-from (stripped)<br />
Return-path (stripped)<br />
Message-id (scrubbed)<br />
Resent-message-id (scrubbed)<br />
Perform the following steps to configure sendmail to strip or scrub<br />
headers.<br />
1. Log in to the Admin Console and select Services Configuration -><br />
Servers.<br />
2. Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3. Select the M4 Config File in the external burb list and click Edit File.<br />
4. Locate the C{STRIP_DOMAINS} line in the file and append the domain<br />
name on which to perform header stripping. For example:<br />
C{STRIP_DOMAINS} domainx<br />
where domainx = the domain name on which to perform header<br />
stripping.<br />
You can define multiple domains by entering multiple domain names<br />
on one line (for example, C{STRIP_DOMAINS} abc.com xyz.com)<br />
Note: STRIP_DOMAINS contains the list <strong>of</strong> domains that will trigger header<br />
stripping. Each message processed by sendmail in the external burb will be<br />
subjected to header stripping if it is received from a domain in this list.<br />
5. Save the changes you made to file and then close the file.<br />
Note: Stripping the headers will NOT alter the To and From hosts. The To and From<br />
hosts can be eliminated using rules in the sendmail configuration file. You can also<br />
modify the To and From hosts using masquerading or by editing the domain tables.<br />
6. Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
Configuring sendmail to use the RealTime Blackhole list<br />
Sendmail is able to utilize the services <strong>of</strong> the RealTime Blackhole List.<br />
The Blackhole List, a list <strong>of</strong> known spam domain names, is maintained<br />
by an organization called MAPS (Mail Abuse Prevention System). The<br />
mail server checks each mail message against the Blackhole list. Any<br />
e-mail message originating from a domain in the list will be rejected.<br />
Note: You must subscribe to the MAPS Blackhole List in order to use it. Go to<br />
www.mail-abuse.org for details.<br />
To configure the <strong>Sidewinder</strong> <strong>G2</strong> to use the Realtime Blackhole List,<br />
follow the steps below.<br />
1. Log in to the Admin Console and select Services Configuration -><br />
Servers.<br />
2. Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3. Select the M4 Config File in the external burb list and click Edit File.<br />
4. Add the following line to the file.<br />
FEATURE(`dnsbl', `hostname')dnl<br />
The hostname that you enter in the above line will depend on the type<br />
<strong>of</strong> service for which you have subscribed. MAPS will provide you with<br />
the correct hostname (for example, blackholes.mail-abuse.org) to use<br />
when you subscribe to their list.<br />
5. Save the changes you made to file and then close the file.<br />
6. Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
Sendmail and promiscuous relaying<br />
Promiscuous relaying is the inappropriate use <strong>of</strong> an intermediate mail<br />
server to send mail messages. A message that is sent from client A to<br />
mail server B but that is first routed through mail server C is an<br />
example <strong>of</strong> promiscuous relaying. This technique is <strong>of</strong>ten used by<br />
hackers to send unfriendly or unwanted mail from mail servers other<br />
than their own.
Figure 11-5. Type of relayed message typically rejected by the Sidewinder G2<br />
On the <strong>Sidewinder</strong> <strong>G2</strong>, sendmail is by default configured to BLOCK<br />
relayed mail, preventing the <strong>Sidewinder</strong> <strong>G2</strong> from inadvertently acting<br />
as a relay. This means any message not originating from or destined<br />
to the <strong>Sidewinder</strong> <strong>G2</strong> domain is considered spam and will be rejected.<br />
Note that the sender <strong>of</strong> the message is not relevant (sender names can<br />
be spo<strong>of</strong>ed). Figure 11-5 illustrates the type <strong>of</strong> relayed message that<br />
will be rejected.<br />
[Figure 11-5 labels: bad hacker, innocent victim, Internet, mail server,<br />
Sidewinder G2 domain]<br />
If you choose to ALLOW promiscuous relaying, perform the following<br />
steps. (The <strong>Sidewinder</strong> <strong>G2</strong> initially configures sendmail to BLOCK<br />
relayed mail.)<br />
1. Log in to the Admin Console and select Services Configuration -><br />
Servers.<br />
2. Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3. Select the M4 Config File for the burb that is running sendmail and click<br />
Edit File.<br />
4. Add the following line to the file.<br />
FEATURE(`promiscuous_relay')dnl<br />
5. Save the changes you made to file and then close the file.<br />
6. Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
Allowing or denying mail on a user basis<br />
By default sendmail will allow or deny mail on a domain basis.<br />
However, you can also instruct sendmail to allow or deny mail to/<br />
from specific users within a domain. To do this, follow the steps<br />
below:<br />
1. Log in to the Admin Console and select Services Configuration -><br />
Servers.<br />
2. Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3. Select the Access Table file for the appropriate burb and click Edit File.<br />
4. Add user-based allow (relay) and/or deny (reject) information to the<br />
access table.<br />
For example, if you want to allow mail addressed to Lloyd and Sharon<br />
but deny mail addressed to everyone else, you would add the following<br />
lines:<br />
# Allow mail addressed to these users<br />
To:Lloyd@bizco.net RELAY<br />
To:Sharon@bizco.net RELAY<br />
# Deny mail for everyone else<br />
To:bizco.net REJECT<br />
5. Save the changes you made to file and then close the file.<br />
Note: For additional information, see the README file in the<br />
/usr/share/sendmail directory on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
6. Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
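The following is an added example, not part of the guide or the firewall's own tooling: it models how sendmail's access table decides between RELAY and REJECT for a recipient, so an administrator can check an edited table against sample addresses before saving it. The table text is constructed to match the user-based example above, and the lookup order (full address first, then the domain and each parent domain) is a simplified model of sendmail's; the default for an unmatched recipient is an assumption.

```python
"""Added example (not from the Sidewinder G2 guide): model sendmail's
access-table decision for a recipient address.

Assumptions: the table text is constructed for this example; the lookup
order (full address, then domain, then each parent domain) is a simplified
model of sendmail's, and the REJECT default for unmatched recipients is
an assumption, not sendmail's fall-through behaviour.
"""

# Constructed sample access table, matching the page's user-based example.
SAMPLE_ACCESS_TABLE = """\
# Allow mail addressed to these users
To:Lloyd@bizco.net RELAY
To:Sharon@bizco.net RELAY
# Deny mail for everyone else
To:bizco.net REJECT
"""


def parse_access_table(text):
    """Parse access-table lines into {key: action}.

    Blank lines and '#' comments are skipped; keys are lower-cased because
    sendmail matches addresses case-insensitively.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed access table line: %r" % raw)
        key, action = parts
        table[key.lower()] = action.strip().upper()
    return table


def lookup_recipient(table, address, default="REJECT"):
    """Return the action for a recipient, most specific key first.

    Keys tried (all with the 'To:' tag): user@host.domain, host.domain,
    then each parent domain. 'default' is what an unmatched recipient
    gets in this model (assumption).
    """
    address = address.lower()
    _local, _, domain = address.partition("@")
    candidates = ["to:%s" % address]
    labels = domain.split(".")
    for i in range(len(labels)):
        candidates.append("to:%s" % ".".join(labels[i:]))
    for key in candidates:
        if key in table:
            return table[key]
    return default


def check_policy(text, recipients):
    """Evaluate each recipient against the table; returns {recipient: action}."""
    table = parse_access_table(text)
    return {r: lookup_recipient(table, r) for r in recipients}


if __name__ == "__main__":
    sample = ["Lloyd@bizco.net", "bob@bizco.net", "sharon@mail.bizco.net"]
    for rcpt, action in check_policy(SAMPLE_ACCESS_TABLE, sample).items():
        print("%-25s %s" % (rcpt, action))
```

Note that a `To:bizco.net` entry also covers hosts within that domain, so a recipient at mail.bizco.net is rejected unless listed explicitly.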
Changing mail aliases
Aliases allow you to redirect mail to another person or location. (Individual users can also use a .forward file for this purpose; see “Redirecting mail to a different destination” on page 11-20.) Aliases are generally used for redirecting mail addressed to system users such as “postmaster.” On the Sidewinder G2, messages and other files are often e-mailed to root. By default, a root alias is created for the administrator you set up when you configured your system. For more information about mail aliases, see Chapter 19 of the UNIX System Administration Handbook.
Aliases are stored in the /etc/sidewinder/sendmail directory. Follow the steps below to edit this file:
1. Log in to the Admin Console and select Services Configuration -> Servers.
2. Select sendmail and click the Configuration tab. Separate configuration files are maintained for each burb.
3. Select the Aliases file for the burb that is running sendmail and click Edit File.
To redirect messages to a different user, type the user name after the colon for the account you want to redirect. For example, if you want to direct root’s messages to user name piper, you would locate the root line in the file and edit it to look like this:
root: piper
4. Save the changes you made to the file and then close the file.
5. Click the Save icon to save the configuration changes and rebuild the configuration and database files. This will also automatically restart the sendmail servers.
6. To deny or restrict certain SMTP connections, add an appropriate proxy rule.
Managing mail queues
If a sendmail message cannot be delivered (for example, because the destination system is down), it is temporarily placed in a queue until it can be delivered. There are separate queues for each server: /var/spool/mqueue.c (local) and /var/spool/mqueue.# for the Internet and the trusted burbs. You should check the queues periodically. If there are a lot of messages that are several days old, you may have a problem with your system or its configuration.
To view the mail queue, type the following command:
/usr/bin/mailq
The output of this command lists the messages currently in the queue you chose, along with information about each message. Each message is assigned a unique identification number, which is shown in the first column. When the queues are empty, the output looks like this:
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty
By default, undelivered e-mail messages remain in the mail queues for 30 minutes before another delivery attempt is made. To change the length of time e-mail messages remain in the mail queues before another delivery attempt is made, follow the steps below.
1. Log in to the Admin Console, and select Services Configuration -> Servers.
2. Select the sendmail server Configuration tab. Separate configuration files are maintained for each burb.
3. Select the M4 Config File for the burb that is running sendmail, and click Edit File.
4. Scroll to the Set the Queue Interval area and edit the following line:
define(`confQUEUE_INTERVAL', `Xm')dnl
where:
X is the amount of time that the message will remain in the queue before an attempt is made to resend the message.
m indicates that the time will be measured in minutes. You can also use other time measurements, such as seconds (s), hours (h), or days (d), if desired.
Note: The default value is 30 minutes.
5. Save the changes you made to the file and then close the file.
6. Click the Save icon to save the configuration changes and rebuild the configuration and database files. This will also automatically restart the sendmail servers.
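Both M4 Config File edits in this chapter (enabling promiscuous relaying and changing confQUEUE_INTERVAL) can be audited from the saved file. The following is an added example, not the guide's or the product's own tooling: it scans a sendmail .mc text for FEATURE(`promiscuous_relay') and the queue interval, converting the interval to seconds. The sample .mc lines are constructed; the treatment of a bare number as minutes follows sendmail's convention for this option.

```python
"""Added example (not from the Sidewinder G2 guide): audit a sendmail M4
config for promiscuous relaying and the queue retry interval.

The SAMPLE_MC text is constructed for this example and only contains the
lines relevant here, not a full Sidewinder M4 Config File.
"""
import re

# Constructed sample of the relevant lines in a sendmail .mc file.
SAMPLE_MC = """\
divert(-1)
dnl Constructed sample of a sendmail M4 config
divert(0)dnl
FEATURE(`promiscuous_relay')dnl
define(`confQUEUE_INTERVAL', `30m')dnl
"""

# Time units sendmail accepts for interval values.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

_FEATURE_RE = re.compile(r"^\s*FEATURE\(`([^']+)'\)")
_DEFINE_RE = re.compile(r"^\s*define\(`([^']+)',\s*`([^']*)'\)")


def interval_to_seconds(value):
    """Convert a sendmail interval such as '30m', '1h' or '45' to seconds.

    A bare number is taken as minutes, as sendmail does for the queue
    interval. Raises ValueError on unknown units or non-numeric input.
    """
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad interval: %r" % value)
    number, unit = m.groups()
    return int(number) * _UNIT_SECONDS[unit or "m"]


def audit_mc(text):
    """Return the relay and queue settings found in an .mc text.

    Whole-line 'dnl' comments are ignored; a trailing dnl after a macro
    call is left alone because the regexes do not anchor at line end.
    """
    features = set()
    defines = {}
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue
        fm = _FEATURE_RE.match(line)
        if fm:
            features.add(fm.group(1))
            continue
        dm = _DEFINE_RE.match(line)
        if dm:
            defines[dm.group(1)] = dm.group(2)
    interval = defines.get("confQUEUE_INTERVAL")
    return {
        "promiscuous_relay": "promiscuous_relay" in features,
        "queue_interval_seconds": interval_to_seconds(interval) if interval else None,
    }


def findings(text):
    """Review findings for an .mc text, as a list of strings.

    The relay finding is the open-relay case the guide blocks by default;
    the interval finding compares against the guide's 30-minute default.
    """
    result = audit_mc(text)
    out = []
    if result["promiscuous_relay"]:
        out.append("OPEN RELAY: FEATURE(`promiscuous_relay') is enabled")
    secs = result["queue_interval_seconds"]
    if secs is None:
        out.append("confQUEUE_INTERVAL not set (sendmail default applies)")
    elif secs != 30 * 60:
        out.append("queue retry interval is %d s (guide default is 30 minutes)" % secs)
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_MC):
        print(line)
```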
CHAPTER 12
Setting Up Web Services
About this chapter
This chapter describes the Web options available with the Sidewinder G2. It covers the following topics:
“An overview of Web Services on Sidewinder G2” on page 12-1
“Implementation options for Web access” on page 12-3
“Using the HTTP proxy” on page 12-6
“Using the Web proxy server” on page 12-10
“Configuring the Web proxy server” on page 12-12
“Configuring browsers for the Web proxy server” on page 12-19
An overview of Web Services on Sidewinder G2
The Sidewinder G2 allows you to control connections between your internal network(s) and the World Wide Web. Using Application Defenses, you can configure the appropriate rules to protect a client (outgoing traffic), a server (incoming traffic), or both behind your Sidewinder G2. You can also configure whether you will allow transparent connections, non-transparent connections, or both on a per-rule basis.
Note: For information on configuring Application Defenses, see Chapter 6.
The following two sections provide a summary of the three most common types of Web access that you can configure on the Sidewinder G2.
Web access for users on your internal network
Your internal users can access Web servers on the Internet or on a trusted network. In either case, access can be regulated using a Web proxy (HTTP or HTTPS), the Web proxy server, or both. When internal users have access to an external Web server, it is called "outbound traffic."
Setting Up Web Services 12-1
[Figure 12-1. Web access for users on your internal network: an internal network with an internal Web site and Web server, a DMZ burb, the Web proxy, and the Internet/external network with a Web server and Web site]
Access to your Web server by untrusted external users
You can set up a Web server on a network controlled by your Sidewinder G2. The Web server should be contained on an isolated burb and network. Untrusted external users will be able to access this Web server only if a Web proxy is enabled on the Sidewinder G2. You can configure a Web proxy (HTTP/HTTPS), the Web proxy server, or both to allow external users passage through the Sidewinder G2 to the Web server. When external users have access to an internal Web server, the traffic is called "inbound traffic."
[Figure 12-2. Access to your Web server by untrusted external users: an external user on the Internet/external network reaching, through the Web proxy, a Web server on the DMZ burb or the internal Web site/Web server on the internal network]
Access to your internal network by trusted external users
You can configure clientless VPN (SSL-based VPN) services for your trusted external users. Clientless VPN enables trusted external users (for example, remote employees) to establish an SSL connection to the internal network without requiring a dedicated VPN client. Trusted external users can establish a VPN connection from any client that is capable of handling SSL (such as a standard Web browser). A common example of using clientless VPN is to allow a trusted external user access to an internal mail server, such as Microsoft Exchange® Server, as shown in Figure 12-3. For information on configuring the Sidewinder G2 to allow clientless VPN for trusted remote users, see “Setting up clientless VPN access for trusted remote users” on page 12-8.
[Figure 12-3. Access to the internal network by trusted external users: a trusted clientless VPN user on the Internet/external network, a VPN tunnel to the HTTPS proxy, and data flowing to the Web server and internal mail server on the internal network]
Implementation options for Web access
Web access can be controlled using a Web proxy (HTTP or HTTPS), the Web proxy server, or both. These Web options are typically used in one of three configurations, as shown in the following examples:
Option 1: HTTP proxy regulates all Web traffic.
Option 2: Web proxy server regulates all Web traffic.
Option 3: Web proxy server regulates traffic from the trusted burbs and the HTTP proxy regulates traffic from the Internet burb.
Option 1: HTTP proxy passes all Web traffic
Option 1 depicts a scenario in which the HTTP (or HTTPS) proxy regulates Web traffic moving between all burbs on the Sidewinder G2. Using the appropriate Web Application Defenses within your HTTP/HTTPS proxy rules, you can configure URL properties, perform request and reply header filtering, perform MIME/anti-virus filtering, and deny certain types of Web content. You can also configure whether allowed connections can be transparent, non-transparent, or both. If you configure transparent HTTP, it will appear to users that they are connecting directly to the Web server rather than connecting to the Sidewinder G2 first. The HTTPS proxy also allows you to perform SSL decryption. Figure 12-4 illustrates the HTTP proxy regulating all Web traffic.
[Figure 12-4. Option 1: The HTTP proxy passes all Web traffic: an internal user and an internal Web site/Web server on the internal network, a Web server on the DMZ burb, the HTTP proxy, and an external user and Web server/Web site on the Internet/external network]
Option 2: Web proxy server regulates all Web traffic
In Option 2, the Web proxy server regulates Web traffic between all burbs. This option is generally used in larger companies that have security policies about how employees can use the Web. The Web proxy server is the best option if you want to provide caching and SmartFilter services on the Sidewinder G2. In general, caching does not apply to Internet users that access a Web site on your internal network. (Option 3 illustrates a more likely scenario for using the caching feature.)
Note: For more information on using the Web proxy server, refer to “Using the Web proxy server” on page 12-10.
[Figure 12-5. Option 2: The Web proxy server regulates all Web traffic: an internal user and an internal Web site/Web server on the internal network, a Web server on the DMZ burb, the Web proxy server, and an external user and Web server/Web site on the Internet/external network]
Option 3: Web proxy server regulates traffic from the internal burbs and the HTTP proxy passes traffic from the Internet burb
Option 3 depicts a scenario using both the HTTP proxy and the Web proxy server. In this scenario, the HTTP proxy regulates Web traffic coming from the Internet to a Web server on a trusted internal network. The Web proxy server is configured to regulate Web traffic that is initiated from an internal burb. The Web server being accessed can reside on another isolated burb, or on the external burb. Companies may want to restrict employee access to certain sites using a Web filtering product such as Secure Computing’s SmartFilter software.
[Figure 12-6. Option 3: Web proxy server regulates traffic from the trusted burbs while HTTP proxy passes traffic from the Internet burb: an internal user and an internal Web site/Web server on the internal network, a Web server on the DMZ burb, both the HTTP proxy and the Web proxy server, and an external user and Web server/Web site on the Internet/external network]
Using the HTTP proxy
Using the appropriate Web Application Defenses, you can configure additional HTTP proxy rules that control URL properties, perform request and reply header filtering, perform MIME/anti-virus filtering, and deny certain types of Web content. You can also configure whether connections will be transparent or non-transparent. If you configure transparent HTTP, it will appear to users that they are connecting directly to the Web server rather than connecting to the Sidewinder G2 first. See “Creating Web or Secure Web Application Defenses” on page 6-4.
Using the HTTP proxy has the following limitations:
SmartFilter services are not available
Caching is not available
If you configured your Sidewinder G2 to use Standard Internet services (the default configuration option), a rule called InternetServices is automatically configured and placed in the active proxy rule group. This rule consists of a service group with the HTTP service included, allowing Web access from your internal network to external networks using the HTTP proxy. However, you must enable the HTTP proxy before the rule can pass traffic. (For information on enabling the HTTP proxy, see “Configuring proxies” on page 8-28.) Once the HTTP proxy is enabled, users on your internal network can connect to the Web using any Web browser; the connections will be routed through the Sidewinder G2 on port 80.
Figure 12-7 depicts access to external Web servers via an HTTP proxy rule using port 80 and allowing transparent connections. Figure 12-8 depicts access to Web servers via a non-transparent HTTP proxy rule using ports other than 80. (Transparency is configured on a per-rule basis via Application Defenses.)
Note: For information on configuring the HTTP proxy, see “HTTP/HTTPS considerations” on page 8-18.
[Figure 12-7. Standard (transparent) HTTP proxy: a Web browser on the internal network, the http proxy on the Sidewinder G2, port 80, and a Web server/Web site on the external network (Internet)]
[Figure 12-8. Non-transparent HTTP proxy: a Web browser on the internal network, port 8080 or any other port, the nt_http proxy on the Sidewinder G2, and a Web server/Web site on the external network (Internet) on port 80 or any other port]
Setting up Web access using the HTTP proxy
The following steps provide an overview of the tasks you must do to set up Web access using the HTTP proxy on port 80.
1. Configure the appropriate proxy rules to restrict Web access.
A rule called InternetServices is automatically configured and placed in the active proxy rule group. This rule consists of a service group that includes basic HTTP access from your internal network to external networks using the HTTP proxy. Once you enable the HTTP proxy, the proxy rule allows all internal users to access Web sites.
You can create additional HTTP proxy rule(s) to control which internal systems users can browse from and to which external systems they can connect. You can also configure advanced HTTP properties (such as transparency and MIME/anti-virus filtering) for a rule via Application Defenses. (See Chapter 6 for information on creating Application Defenses, and Chapter 7 for information on creating rules.)
2. Enable the HTTP proxy. The procedure to enable the HTTP proxy is described in “Configuring proxies” on page 8-28.
3. Test the HTTP proxy.
After you enable the proxy, you should test it by starting a Web browser from one of your internal systems and entering the address of a Web site you know is valid—for example, you could attempt to access Secure Computing at the following URL:
http://www.securecomputing.com
Note: Make sure you use a system from which you did not deny access.
Setting up clientless VPN access for trusted remote users
This section provides guidance on configuring clientless VPN access for your trusted remote users. When configuring clientless VPN access, you can configure whether or not the Sidewinder G2 will require proxy authentication. If you configure the Sidewinder G2 to require proxy authentication, you must use SSO authentication. Follow the steps below.
Note: You must have SSL Decryption and Strong Cryptography licensed to configure clientless VPN services.
1. Enable the HTTPS proxy for the appropriate burbs. For information on enabling proxies, see “Configuring proxies” on page 8-28.
2. Create an IP address network object for the protected server to which your remote trusted users will be connecting (for example, a Microsoft Exchange Server). For information on creating an IP address network object, see “Configuring IP address objects” on page 5-15.
3. Create a Secure Web Application Defense with the following configuration:
Note: For more information on configuring a Secure Web Application Defense, see “Creating Web or Secure Web Application Defenses” on page 6-4.
a. In the Type field, select Server.
b. Select the Decrypt Web Traffic check box.
c. [Optional] If you are configuring remote access to an internal Microsoft Exchange Server, select the Rewrite Microsoft OWA HTTP check box.
d. Select the appropriate Firewall Certificate.
e. Select the Encryption/Decryption Methods you want to allow.
f. [Optional] Configure additional Secure Web Server Enforcements.
g. Click the Save icon to save the new defense.
4. Create an HTTPS proxy rule to allow access. The fields listed below must be configured as specified:
Note: You can configure rule fields that are not listed below as you see fit. For more information on creating proxy rules, see “Creating proxy rules” on page 7-4.
General tab—Service Type=Proxy, Service=HTTPS, Action=Allow
Source/Dest tab—Redirect Host=IP Address network object for the protected server, Redirect Port=80
[Optional] Authentication tab—If you want to require users to authenticate via the proxy before being allowed access, select Authenticate using SSO.
[Optional] Time tab—Configure as needed.
Application Defense tab—Select the defense you created in step 3.
5. Add the HTTPS proxy rule to the active proxy rule group.
Once this rule is included in the active rule group, the Sidewinder G2 is ready to allow trusted remote users access to the internal network.
How trusted remote users gain access to the internal network
This section lists the steps required for trusted remote users to gain access to a protected internal server. The procedure varies depending on whether you have configured the HTTPS proxy rule to require authentication.
If a user is not required to authenticate via the proxy:
1. Point your browser to the Sidewinder G2 decrypting HTTPS proxy (for example, https://SWG2_address.com).
Note: Your Web browser may prompt you to approve the certificate that is presented by the Sidewinder G2.
2. Authenticate to the server. If your server requires authentication, an authentication prompt will appear. When you successfully authenticate, you will be allowed to access that server.
If a user is required to authenticate via the proxy:
1. Point your browser to the Sidewinder G2 SSO direct login page and authenticate.
2. [Conditional] If the server you are accessing requires certificate validation, you will need to approve the certificate before you can authenticate to the server.
3. Authenticate to the server. If your server requires authentication, an authentication prompt will appear. When you successfully authenticate, you will be allowed to access that server.
Using the Web proxy server
To allow Web access from an internal burb to an external burb using the Web proxy server, you will need to set up the appropriate proxy rule and enable the Web proxy server. Once the Web proxy server is enabled, users on that internal burb can connect to the Web using a Web browser by pointing at port 3128 (or whatever port you have configured for the Web proxy server).
Figure 12-9 shows an example Web proxy server configuration.
[Figure 12-9. Sidewinder G2 Web proxy server: a Web browser on the internal network connects on port 3128 (or any port number you configured) to the Sidewinder G2, which connects on port 80 or port 8080 to a Web server/Web site on the external network (Internet)]
By using the Web proxy server you gain the following advantages.
Web access control using SmartFilter—When you route Web traffic through the Web proxy server, you can control access by your employees to Web sites based on content. For example, you can block access to sites that provide sexually explicit or illegal material using Secure Computing’s SmartFilter. Advanced SmartFilter properties can be configured on a per-rule basis using Application Defenses. (See Appendix E for information on using SmartFilter with the Sidewinder G2.)
Caching—The Web proxy server provides support for Web caching on the Sidewinder G2. Web caching can improve the performance of a user’s Web browser by caching Web documents in the Sidewinder G2 cache memory. When a user accesses a Web site, each new Web page that the caching server downloads is also saved in cache memory. The next time the user requests that page, the caching server retrieves it from the cache rather than downloading it from the network a second time.
Important: If you use the Web proxy server in non-transparent mode, all Web browsers on your internal workstations must be configured to point to the Sidewinder G2 internal name and to whatever port you have configured for the Web proxy server. For information on what users need to do to configure their Web browser, see “Configuring browsers for the Web proxy server” on page 12-19.
Setting up Web access using the Web proxy server
The following steps provide an overview of the tasks you must do to set up Web access using the Web proxy server.
1. Configure the appropriate proxy rules to restrict Web access.
Once you enable the Web proxy server, you must configure one or more proxy rules to control the burbs from which users can browse, and to which burbs they can connect. See Chapter 7 for detailed information on setting up proxy rules.
Note: When configuring the proxy rule for a Web proxy server connection, be sure to specify Server in the Service Type field.
2. Configure and enable the Web proxy server. See “Configuring the Web proxy server” on page 12-12.
3. [Optional] Configure authentication for Web users.
You can configure the Sidewinder G2 to authenticate all users requesting Web service using either a basic UNIX password or stronger authentication methods before the Sidewinder G2 makes the network connection. Refer to “Configuring authentication services” on page 9-11 for details on the authentication methods supported by the Sidewinder G2.
4. Inform users how to configure their Web browsers. See “Configuring browsers for the Web proxy server” on page 12-19.
5. Test a Web connection.
You can test the Web proxy server by starting a Web browser from one of your internal systems and entering the address of a Web site you know is valid—for example, you could attempt to access Secure Computing at the following URL:
http://www.securecomputing.com
Note: Make sure you use a system from which you did not deny access.
Error messages when using the Web proxy server
If you configure a Web proxy server proxy rule to deny a particular Web connection and that connection is attempted by a user, the message Access Denied by Firewall Access Rules is sent to the user. This message is stored in the following file:
/usr/local/squid/etc/cvs/errors/ERR_SCC_DENIED
The message that appears can be modified by editing the file above.
Note: You must be in the Admn domain to edit this file.
If the file does not exist or is empty, the following message is issued to the user:
Forbidden by proxy ACL check
Configuring the Web proxy server
To configure the Web proxy server, follow the steps below.
1. In the Admin Console, select Services Configuration -> Servers. The Servers window appears.
2. Select WebProxy from the Server Name list. The Control tab for the Web proxy server appears.
Configuring the Web proxy server Control tab
[Figure 12-10. Web proxy server window: Control tab]
The Control tab allows you to enable or disable the Web proxy server. Follow the steps below.
1. Select Enable to enable the Web proxy server.
2. To configure the properties for the Web proxy server, click the Configuration tab. Follow the steps below to configure the Configuration tab.
Configuring the Web Proxy Server Configuration tab
[Figure 12-11. Web Proxy Server window: Configuration tab]
The WebProxy Configuration tab allows you to determine how the WebProxy server will be used in your system. Follow the steps below.
Note: The authentication method used by Squid is determined by the authentication method specified within the proxy rule.
1. If you want to use SmartFilter to control Web access, select the Enable SmartFilter Control List check box. If SmartFilter is enabled, you must enter your SmartFilter subscription information in the SmartFilter window. See “Configuring SmartFilter on the Sidewinder G2” on page A-3 for details.
2. If you want the client IP address to be included in the request header, select the Include Client Address in Requests check box.
3. Specify the amount of time you want to allow before a timeout occurs by entering a numeral in the Timeout for HTTP Requests field, and then select a unit of measurement from the drop-down list. The default is 30 seconds.
4. Configure the client connections that you want to allow. All client connections that are currently configured are displayed in the Allow Client Connections On area of the Configuration tab.
Note: Do not configure more than 31 entries in this list.
The following configuration options are available:
New—Click this button to add a new client connection. The Configuration: Allowed Client Connections window appears. For specific information on adding a new client connection, refer to “Adding or modifying a client connection” on page 12-14.
Modify—Highlight the client connection you want to modify and click this button to make changes to an existing client connection. The Configuration: Allowed Client Connections window appears. For specific information on modifying a client connection, refer to “Adding or modifying a client connection” on page 12-14.
Delete—Highlight the client connection you want to delete and click this button to delete an existing client connection. A confirmation window appears. Click Yes to confirm the deletion. Click No to cancel the request without deleting the client connection.
5. Click the Save icon in the toolbar to save your changes.
Adding or modifying a client connection
To add or modify a client connection in the Configuration: Allowed Client Connections window, follow the steps below.
1. Specify the burb on which you want the WebProxy server to listen from the Burb Name drop-down list.
2. Specify the port number on which you want the WebProxy server to listen in the Port Number field. You can use the drop-down list to select a predefined port, or you can type a port number into the field.
3. Specify the type of IP address on which you want the WebProxy server to listen from the Address drop-down list. The following options are available:
Any—Select this option if you want to allow the Web Proxy server to listen on any IP address for the burb that you selected.
Designated—Select this option if you want to specify the address on which the WebProxy server will listen. The address you specify must be located in the burb you selected in the Burb Name field.
4. Click Add to add this client connection to the list of WebProxy server client connections (click OK if you are modifying the client connection).
5. To add an additional client connection, repeat step 1–step 4.
6. When you are finished adding or modifying client connections, click Close.
Configuring caching options<br />
To configure the caching options for the Web Proxy server, select<br />
Services Configuration -> Servers. The Servers window appears. Select<br />
WebProxy from the Server Name list, and then click the Cache tab. The<br />
following window appears:<br />
The WebProxy server Cache tab allows you to define disk and memory<br />
characteristics for the Web proxy server. Disk caching allows Web<br />
browsers to store information on the <strong>Sidewinder</strong> <strong>G2</strong> for frequentlyused<br />
sites, so information does not have to be downloaded each time<br />
a site is accessed. To configure the WebProxy server using the Cache<br />
tab, follow the steps below.<br />
Setting Up Web Services 12-15
1. Specify the name of the cache root directory in the Directory field. This is the name of the directory in which cached files will be stored. The default directory is /var/cache.
2. Specify the maximum amount of disk space (in MB) that can be used for disk caching in the Maximum disk usage field. You should specify a value of 1 or greater.
Note 1: Specifying zero does not turn off caching. To disable caching, you must edit the file named squid.conf.template.
Note 2: The cache limit specified here is an approximate limit. That is, the actual cached data may exceed what you specify in this field.
3. Specify the maximum amount of memory that can be used for disk caching in the Maximum memory usage field.
4. In the Delete unused items after field, specify how long items will remain in the cache directory before they are deleted.
5. Click the save icon in the toolbar to save your changes.
Note: It may take a few minutes for any changes on this window to take effect.
Configuring HTTP filtering options
Select Services Configuration -> Servers. The Servers window appears. Select WebProxy from the Server Name list, and then click the Filtering tab. The following window appears:
Figure 12-13. Web Proxy Server window: Filtering tab
The WebProxy server Filtering tab allows you to define HTTP header filtering. To configure the WebProxy server filtering, select the type of HTTP header filtering you want, if any. The following options are available:
None—Select this option if you do not want to use HTTP header filtering.
Standard—Select this option if you want to deny a basic set of headers (the headers that will be denied are automatically selected for you).
Paranoid—Select this option if you want to allow only the headers that are RFC-compliant. (All other headers will be denied.)
Custom—Select this option if you want to configure which HTTP header types you will allow and deny. When you select a header in the header list, you can also determine whether to Allow or Deny the headers you select in the Filter Option field. You can also add, delete, or clear HTTP header types in the HTTP Header Types list, as follows:
— To add a new HTTP header type, click New. The New Custom Header Type window appears. Enter the new header type and click OK.
— To delete a custom HTTP header type, click Delete. The Select a Custom Header Type to delete window appears. This window contains a list of custom HTTP header types that have been created. To delete a custom header, select the header you want to delete and click OK. (The Delete button is grayed out if you do not have any custom headers configured.)
— To de-select all HTTP header types from the HTTP Header Types list, click Clear.
Manually editing the configuration file
Select Services Configuration -> Servers. The Servers window appears. Select WebProxy from the Server Name list, and then click the Advanced tab. The following window appears:
Figure 12-14. Web Proxy Server window: Advanced tab
The WebProxy server Advanced tab allows you to edit the squid.conf.template file directly rather than through the Web Proxy Server windows. The Advanced window contains only one button, labelled Edit Squid Configuration. This button allows you to edit the squid.conf.template file manually using the File Editor.
Important: If you manually edit the squid.conf.template file using the File Editor (or via the command line) you will need to run cf www reconfigure to update squid.conf and reread the configuration files. Only an experienced administrator should manually edit the squid.conf.template file directly.
The tabbed information on the Web Proxy Server windows is a subset of the information in the squid.conf.template file. The tabs include the information most likely to be changed. When you enter or update information on any of the tabs of the Web Proxy Server window, you are actually updating the squid.conf.template file.
When you enter or update information on any of the tabs, the Edit Squid Configuration button becomes inactive until you click the Save icon in the upper left portion of the window. This prevents the changes that you have made using the Admin Console from being overwritten by manual changes you might make to the file. When you click the Save icon, the Edit Squid Configuration button becomes active again.
Changing to transparent mode
The Web proxy server is in non-transparent mode when Sidewinder G2 is initially installed. If you want the Web proxy server to operate in transparent mode, do the following. (For information on transparent vs. non-transparent mode, see "Transparent & non-transparent proxies" on page 8-14.)
1. Select Services Configuration -> Servers. Highlight WebProxy in the list of server names, then click the Advanced tab.
2. Click Edit Squid Configuration.
Note: If desired, you can also edit this file using a text editor such as vi, pico, or emacs. The file resides in /etc/sidewinder/proxy/squid/squid.conf.template.
Set the following values within the "HTTP ACCELLERATION" lines in this file.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
3. Save and close the file.
4. Click the Configuration tab and configure the Web proxy server to listen on port 80. See "Configuring the Web Proxy Server Configuration tab" on page 12-13 for details.
5. Click the save icon in the toolbar to save your changes.
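Setting the four transparent-mode directives by hand is easy to get wrong, so here is an added example (not Sidewinder G2 code) that rewrites a squid.conf.template-style file and reports which of the four values are still wrong before you run cf www reconfigure. It assumes ordinary Squid "directive value" syntax with "#" comments; the sample template, the helper names and the temporary file path are constructed for the example.

```python
"""Set and verify the transparent-mode directives in a squid.conf.template.

Added example, not Sidewinder G2 code.  Assumes plain Squid syntax
("directive value" lines, "#" comments); SAMPLE_TEMPLATE is constructed.
"""
import re
import tempfile
from pathlib import Path

# The four settings the transparent-mode procedure requires.
TRANSPARENT_MODE = {
    "httpd_accel_host": "virtual",
    "httpd_accel_port": "80",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}

# Constructed sample: non-transparent defaults plus unrelated directives.
SAMPLE_TEMPLATE = """\
# HTTP ACCELLERATION
#httpd_accel_host hostname
httpd_accel_host none
httpd_accel_port 0
#httpd_accel_with_proxy off
httpd_accel_uses_host_header off

http_port 3128
cache_dir ufs /var/cache 100 16 256
"""

# An active directive line: name, whitespace, value.  Comment lines never match.
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+(.*?)\s*$")


def parse_directives(text):
    """Return {directive: value} for active lines; the last occurrence wins."""
    found = {}
    for line in text.splitlines():
        m = _DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def set_directives(text, wanted):
    """Return text with each directive in `wanted` active exactly once.

    The first active line for a wanted directive is rewritten in place,
    later duplicates are dropped, comments are left untouched, and
    directives that were not active at all are appended at the end.
    """
    out, done = [], set()
    for line in text.splitlines():
        m = _DIRECTIVE_RE.match(line)
        name = m.group(1) if m else None
        if name in wanted:
            if name in done:
                continue  # a second active copy would silently override
            out.append(f"{name} {wanted[name]}")
            done.add(name)
        else:
            out.append(line)
    missing = [n for n in wanted if n not in done]
    if missing:
        out.append("# added by set_directives")
        out.extend(f"{n} {wanted[n]}" for n in missing)
    return "\n".join(out) + "\n"


def transparent_mode_problems(text):
    """List directives whose active value differs from TRANSPARENT_MODE.

    An empty list means the file is ready for `cf www reconfigure`.
    """
    active = parse_directives(text)
    return [
        f"{name}: want {want!r}, have {active.get(name)!r}"
        for name, want in TRANSPARENT_MODE.items()
        if active.get(name) != want
    ]


def apply_to_file(path, wanted=TRANSPARENT_MODE):
    """Rewrite the file in place and return any remaining problems."""
    p = Path(path)
    p.write_text(set_directives(p.read_text(), wanted))
    return transparent_mode_problems(p.read_text())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Work on a copy; the live file is
        # /etc/sidewinder/proxy/squid/squid.conf.template.
        path = Path(d) / "squid.conf.template"
        path.write_text(SAMPLE_TEMPLATE)
        print("before:", transparent_mode_problems(path.read_text()))
        print("after: ", apply_to_file(path))
```

Run it against a copy of the template first; the Important note above still applies, so cf www reconfigure is needed after the real file changes.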
Configuring browsers for the Web proxy server
You should inform users on your internal network how they should configure their Web browsers to use the Web proxy server.
Note: You should not need to configure your browsers if you are in transparent mode.
To set up the browsers to work with the Web proxy server for Web connections, there are two basic steps:
Specify the Sidewinder G2 fully qualified host name or IP address in the browser's proxy line.
Specify port number 3128 or whatever port you configured for the Web proxy server.
Below are the setup procedures for recent versions of Mozilla Firefox, Internet Explorer, and Netscape. If your users have older versions, consider providing them with the latest version. For other browsers, consult that browser's documentation for defining an HTTP proxy server.
Mozilla Firefox 1.0
To configure Mozilla Firefox for the Web proxy server, do the following:
1. Start the Mozilla Firefox browser and select Tools -> Options.
2. Click Connection Settings.
3. Select the Manual Proxy Configuration radio button.
4. In the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example:
SWG2name.bizname.com
5. In the corresponding Port field, enter 3128 or whatever port you configured for the Web proxy server.
6. Click OK.
Internet Explorer 4.0
To configure Internet Explorer 4.0 for the Web proxy server, do the following:
1. Open the Control Panel window.
2. Double-click the Internet icon.
3. Click the Connection tab. In the Proxy Server section, enable the option titled Access the Internet using a proxy server.
4. Fill in the text boxes next to HTTP Proxy and Port.
For the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the Port field, enter 3128 or whatever port you configured for the Web proxy server.
5. Click OK.
Internet Explorer 5.x/6.x
To configure Internet Explorer 5.x for the Web proxy server, do the following:
1. Start the Internet Explorer browser and select Tools -> Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Check the Use a Proxy Server box.
For the Address field, enter the fully qualified host name or IP address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the Port field, enter 3128 or whatever port you configured for the Web proxy server.
5. Click OK.
Netscape version 6.x/7.x
To configure Netscape 6.x/7.x for the Web proxy server, do the following:
Important: As an administrator, be aware that some versions of Netscape will remember the user ID and password after the browser is closed and will not reauthenticate a user after the browser is restarted. This is a security concern when multiple users share a workstation or do not lock their systems.
1. Start the Netscape browser and select Edit -> Preferences.
2. Select the Advanced -> Proxies category.
3. Select Manual proxy configuration.
4. Fill in the text boxes next to HTTP Proxy and Port as follows:
For the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the Port field, enter 3128 (or whatever port you configured for the Web proxy server).
5. Click OK.
Certain browsers on UNIX
For some UNIX browsers that do not have a proxy configuration screen, you must set the http_proxy environment variable to http://sidewinder.com:3128/. To do so, set the variable in either the C shell or the Bourne shell, as follows:
Enter the following command in the C shell (CSH):
setenv http_proxy http://SWG2name.bizname.com:3128/
Enter the following command in the Bourne shell (the variable must be exported, or programs started from the shell will not see it):
http_proxy="http://SWG2name.bizname.com:3128/"; export http_proxy
CHAPTER 13
Configuring Virtual Private Networks
About this chapter
If you have purchased the virtual private network (VPN) option for the Sidewinder G2, you can establish encrypted data transmissions between two Internet-Protocol Security (IPSec)-compliant servers. This chapter introduces the standards of IPSec and Internet Key Exchange (IKE) and describes the Sidewinder G2 embedded VPN solution. This chapter includes the following topics:
"Sidewinder G2 VPN overview" on page 13-1
"Configuring the ISAKMP server" on page 13-11
"Configuring the Certificate server" on page 13-13
"Understanding virtual burbs" on page 13-15
"Configuring client address pools" on page 13-18
"Configuring Certificate Management" on page 13-27
"Importing and exporting certificates" on page 13-44
"Configuring VPN Security Associations" on page 13-51
"Example VPN Scenarios" on page 13-65
Sidewinder G2 VPN overview
The Sidewinder G2 VPN solution provides secure data transmission through an encryption and decryption process. The Sidewinder G2 uses the Internet Key Exchange (IKE) to support this process. The Sidewinder G2 also supports the use of manually configured encryption keys.
Configuring Virtual Private Networks 13-1
Figure 13-1. Sidewinder G2s, an IPSec or IKE remote site, or a VPN client machine
One of the most advanced features of the Sidewinder G2 VPN solution is the fact that VPN has been embedded into the architecture, making it an operating characteristic of the OS. This integration not only lets you apply access rules to VPNs in exactly the same way you do for physically connected networks but also means that you use the Sidewinder G2 VPN solution to coordinate corporate-wide network security policies.
As companies expand to new locations and employees spend more time working out of the office, VPN solutions are becoming more and more important to businesses. Consider the value of encrypting and authenticating data in these situations:
passing traffic from Sidewinder G2 to Sidewinder G2 between offices located in different cities.
passing traffic from employees working remotely to your network.
An introduction to IPSec technology
The Internet is a broadcast medium that is used to send information. While information is in transit, anyone can choose to monitor or intercept this information.
Protecting your information
Sending information beyond your Sidewinder G2 via the Internet is like sending an unsealed envelope of important information via a courier service: you must trust that the courier will not read or steal the information.
To address this danger, an organization known as the IETF (Internet Engineering Task Force) developed a standard for protecting data on unprotected (or untrusted) networks such as the Internet. The standard has become known as IPSec, meaning Internet-Protocol Security. In brief, IPSec calls for encrypting the data before it leaves the local host, then decrypting it (removing its "cloak" of encryption) when it is received at the destination or remote host. Once it is decrypted, the data assumes its original form and can be read as intended. No matter how long or circuitous its route through the Internet, the data remains private by virtue of its encryption.
What are encryption and authentication?
The two main components of IPSec security are encryption and authentication.
Encryption — Encryption is the means by which plain text is "cloaked." It ensures that the transmitted data remains private and unreadable until properly decrypted. The Sidewinder G2 uses an encryption key to encipher and decipher each unit of data sent between your site and the "partner" or remote VPN site. (See "About IPSec keys" on page 13-4.)
Authentication — VPN authentication prevents unauthorized individuals from tampering with the contents of the data being transmitted. It also prevents them from creating messages that claim to come from a particular place but are actually sent from somewhere else (such as the hacker's home computer). Authentication is accomplished through two methods:
— Data-integrity checking, which allows the receiver to verify whether the data was modified or corrupted during transmission.
— Sender identification, which allows the receiver to verify whether the data transmission originated from the source that claims to have sent it.
When used together, encryption and authentication are very much like writing an encoded message, sealing it in an envelope, and then signing your name across the flap. The receiver can first verify that the signature is yours as a means of determining the origin of the message. Next, the receiver can determine if the contents have been viewed or altered by checking that the envelope seal has not been compromised. Once the receiver is assured of the authenticity of the message, they can decode the contents and "trust" that the contents are as intended.
VPN configuration options
VPN involves establishing an association (or a trust relationship) between your Sidewinder G2 and an IPSec-compliant remote Sidewinder G2, host, or client. (These entities are referred to as "VPN peers.") Once this trust relationship is defined, data sent between the two ends is encrypted and then authenticated before it is transmitted.
There are three important concepts that comprise the Sidewinder G2 VPN:
IPSec keys, which determine how the information is encrypted and decrypted, and may be manually or automatically exchanged.
certificates, pre-shared passwords, and extended authentication, which authenticate the VPN peer.
tunnel or transport encapsulation, two methods of how header information is passed.
Understanding the options associated with each concept will assist you greatly in creating your security association. Study the following information to help you determine which VPN configuration best suits your network environment.
About IPSec keys
A key is a number that is used to electronically sign, encrypt and authenticate data when you send it, and decrypt and authenticate your data when it is received. When a VPN is established between two sites, two keys are generated for each remote end: an encryption key and an authentication key.
To prevent these keys from being guessed or calculated by a third party, a key is a large number. Encryption and authentication (or session) keys are unique to each VPN security association you create. Once generated, these keys are exchanged (either automatically or manually) between the sites, so that each end of the VPN knows the other end's keys.
To generate key pairs, the Sidewinder G2 gives you two options:
Manual key generation — If the remote site is not Internet Key Exchange (IKE)-compliant, you may want to choose the manual method of key generation. With this method, the Sidewinder G2 provides randomly-generated encryption and authentication keys (or you can create your own) which you must copy and pass to the remote end of the VPN via secure e-mail, diskette, or telephone. Repeat this process each time you generate keys. Manual keys are more labor intensive than automatic keys and rarely used.
Automatic key generation using IKE — If the remote end of your VPN uses the IKE protocol, the Sidewinder G2 can manage the generation of session keys between sites automatically. This process also regularly changes the keys to avoid key-guessing attacks. Automatic keys are very common in today's network environments.
Authenticating IKE VPNs
If you are using manual key generation, each time you generate session keys you must communicate directly with the other end of the VPN via telephone, diskette, or e-mail. By contacting the remote end of the VPN each time you change session keys, you manually verify that the remote end is actually whom they claim to be.
With automatic key generation, once you gather the initial information for the remote end of the VPN, there is no further direct contact between you and the remote end of the VPN. Session keys are automatically and continually generated and updated based on this initial identifying information. As a result, the Sidewinder G2 requires a way to assure that the machine with which you are negotiating session keys is actually whom they claim to be: a way to authenticate the other end of the VPN. To allow automatic key generation, the Sidewinder G2 offers the following authentication techniques:
a pre-shared password — When you must generate keys, the Sidewinder G2 and the remote end must both use the agreed-upon password, defined during the initial configuration of the VPN, to authenticate each peer.
a single certificate — Single certificate authentication requires that the Sidewinder G2 generate a certificate and private key to be kept on the Sidewinder G2 and a certificate and private key to be exported and installed on a client. Each certificate, once installed on its end of a VPN connection, acts as a trust point. A single certificate (also referred to as a "self-signed certificate") differs from Certificate Authority (CA) based certificates in that no root certificate is necessary.
a Certificate Authority policy — The Sidewinder G2 can be configured to trust certificates from a particular certificate authority (CA). Thus, it will trust any certificate that is signed by a particular CA and meets certain administrator-configured requirements on the identity contained within the certificate. Because of the nature of this type of policy, Secure Computing recommends that only locally administered Certificate Authorities be used in this type of policy. Certificate authorities are described further in "Configuring Certificate Management" later in this chapter.
Transport mode vs. tunnel mode
There are two methods for encapsulating packets in a VPN connection: transport mode and tunnel mode. The following paragraphs provide a description of each method.
Transport mode — In transport mode, only the data portion of the packet gets encrypted. This means that if a packet is intercepted, a hacker will not be able to read your information, but will be able to determine where it is going and where it has originated. This mode existed before firewalls and was designed for host-to-host communications.
Tunnel mode — In tunnel mode, both the header information and the data are encrypted and a new packet header is attached. The encryption and new packet header act as a secure cloak or "tunnel" for the data inside. If the packet is intercepted, a hacker will not be able to determine any information about the true origin, final destination or data contained within the packet. This mode is designed to address the needs of hosts that exist behind a Sidewinder G2. Because the packet header is encrypted, private source or destination IP addresses can remain hidden.
Configuring hardware acceleration for VPN
When configuring VPNs you have the option of utilizing a Sidewinder G2 premium feature called VPN hardware acceleration, which is implemented using a hardware accelerator. When you use a hardware accelerator, Sidewinder G2 performance may improve because the VPN encryption, decryption, and authentication tasks are pushed down to the board level. This frees up the Sidewinder G2 to perform other tasks and in some cases increases the throughput of your VPN traffic.
Note: Hardware acceleration cannot be used for policies protected only by authentication (known as Authentication Header or AH).
To implement VPN hardware acceleration you must do the following:
Install a hardware accelerator. Consult the product documentation for the accelerator and chassis.
License both the VPN and the hardware acceleration premium features. See "Activating the Sidewinder G2 license" on page 3-19 for licensing information.
Enable the VPN hardware acceleration feature. This is accomplished in the Admin Console by selecting Firewall Administration -> Interface Configuration, then enabling the Enable vpn_acceleration check box in the Hardware Capabilities area. See "Modifying the interface configuration" on page 3-50 for details.
Important: When selecting the IPSec crypto algorithms to use with VPN traffic that will be accelerated, do not use the cast128 or AES algorithms. The currently supported hardware acceleration boards do not support these algorithms. The IPSec crypto algorithms are defined on the Crypto tab of the Security Associations window.
Configuring a VPN client
To establish an encrypted session between a laptop or desktop computer and the Sidewinder G2 and gain access to a trusted network, the user needs to install a VPN client. For details on installing and configuring your VPN client, consult your product documentation.
In many cases the VPN client will be SoftRemote®. Secure Computing and SafeNet partner to make that VPN client available from Secure Computing. When you order your SoftRemote client software from Secure Computing you receive a copy of the VPN Administration Guide available on the SoftRemote CD. This guide provides detailed instructions for implementing a VPN using a Sidewinder G2 and SoftRemote.
Extended Authentication for VPN
The Extended Authentication (XAUTH) option provides an additional level of security to your VPN network. In addition to the normal authentication checks inherent during the negotiation process at the start of every VPN association, Extended Authentication goes one step further by requiring the person requesting the VPN connection to validate their identity. The Extended Authentication option is most useful if you have travelling employees that connect remotely to your network using laptop computers. If a laptop computer is stolen, without Extended Authentication it might be possible for an outsider to illegally access your network. This is because the information needed to establish the VPN connection (the self-signed certificate, etc.) is saved within the VPN client software. When Extended Authentication is used, however, a connection will not be established until the user enters an additional piece of authentication information that is not saved on the computer—either a one-time password, passcode, or PIN. This additional level of authentication renders the VPN capabilities of the laptop useless when in the hands of a thief.
Implementing Extended Authentication on the Sidewinder G2 is a simple two-step process.
1. Specify the authentication method(s) that are available on your Sidewinder G2. See “Supported authentication methods” on page 9-5 for information on supported methods.
Do this by selecting VPN Configuration -> ISAKMP Server, then enabling the desired methods in the Available Authentication Methods field. See “Configuring the ISAKMP server” on page 13-11 for details.
2. Enable Extended Authentication for the desired VPN security association(s).
This is accomplished by selecting VPN Configuration -> Security Associations and then clicking the Require Extended Authentication check box. See “Entering information on the Authentication tab” on page 13-56 for more details.
Note: Extended Authentication must also be enabled on the remote client. See your client software documentation for information on configuring and enabling Extended Authentication.
What type of VPN authentication should I use?
The Sidewinder G2 supports four different VPN authentication methods. The characteristics of a VPN peer determine which type of authentication best fits your VPN configuration. Extended Authentication may be added to any automatic key authentication method for increased security.
Note: Extended Authentication is not available for Sidewinder G2-to-Sidewinder G2 configurations or any configuration that uses a manual key exchange.
Table 13-1. VPN Authentication options

Authentication: Manual key VPN
Summary:
• authenticates using a manual key exchanged over a telephone or other secure connection; keying information is cumbersome to enter and not changed often, which reduces security
• uncommon in today’s networks, but used for resolving interoperability problems with other vendors’ IPSec products
• cannot be used for dynamic IP-assigned clients or gateways
• each VPN peer requires its own Sidewinder G2 VPN configuration

Authentication: Automatic key shared password VPN
Summary:
• primary authentication is password sharing with the VPN peer; recommended for use with Extended Authentication
• ideally suited for traveling and home users when paired with a strong extended authentication, such as SafeWord PremierAccess
• may be used with dynamic IP-assigned clients, but the clients must be configured to use Aggressive Mode
• a single Sidewinder G2 VPN configuration can be used to administer many VPN clients

Authentication: Automatic key single certificate VPN
Summary:
• authenticates using a self-signed public certificate; each VPN peer must first import the corresponding peer’s certificate
• ideally used for a small number of remote clients
• used with dynamic IP-assigned clients and gateways
• each peer certificate requires its own Sidewinder G2 security association

Authentication: Automatic key certificate authority-based VPN
Summary:
• authenticates each VPN peer by using a certificate signed by a certificate authority trusted by the other peer
• ideally suited for roving client VPN peers (such as those using laptop computers)
• used with dynamic IP-assigned clients and gateways
• a single Sidewinder G2 security association can be used to administer many VPN clients
General guidelines for selecting a VPN authentication type
Here are some general guidelines to follow when you are deciding which type of VPN to use:
• If the VPN peer is not a Secure Computing product, and all other types of VPN methods do not work, try the manual key VPN.
• For a small number of VPN peer clients with dynamically assigned IP addresses, the single certificate VPN is a cost-effective solution. A shared password VPN in conjunction with Extended Authentication is also an option.
• If the VPN peer has a static IP address, the pre-shared password VPN is the easiest to configure. Extended Authentication would not be used in a gateway-to-gateway configuration, as there is no one to provide the challenge/response.
• If there is a large number of VPN peer clients with dynamically assigned IP addresses (such as a traveling sales force), the CA-based VPN is often the easiest to configure and maintain. Another popular option is to use a pre-shared password VPN in conjunction with Extended Authentication.
Configuring the ISAKMP server
If you are using automatic key exchange, you will need to configure the Internet Security Association and Key Management Protocol (ISAKMP) server before using any automatic key VPNs. To configure the ISAKMP server, select VPN Configuration -> ISAKMP Server. The following window appears.
Figure 13-2. ISAKMP Server window
The ISAKMP server is used by the Sidewinder G2 to generate and exchange keys for VPN sessions. To configure the ISAKMP server, follow the steps below.
1. In the Burbs to Listen on box, select the burbs that will have access to the ISAKMP server. A checkmark appears next to each burb that has access to the server.
2. To allow ISAKMP to send and receive certificates with remote peers using the ISAKMP protocol, select the Allow Certificate Negotiation check box. (If you de-select this option, all certificates used to authenticate remote peers must either be in the local certificate database or be accessible via LDAP.)
3. In the P1 Retries field, specify the number of times ISAKMP will attempt to resend a packet for which it has not received a response.
4. In the P1 Retry Timeout field, specify the number of seconds ISAKMP will use for an initial timeout before resending a packet.
5. In the Audit Level field, select the type of auditing that should be performed on the ISAKMP server. The options are:
• Error—Logs only major errors.
• Normal—Logs only major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages. Also logs all debug information.
• Trace—Logs all errors and informational messages. Also logs debug and function trace information.
6. In the Available Authentication Methods field, select the authentication method(s) you want to be made available for VPN associations that use Extended Authentication. A checkmark appears when an authentication button is selected. See “Extended Authentication for VPN” on page 13-8 for a detailed description of Extended Authentication.
Note: You must configure an authentication method before it can be selected. See “Configuring authentication services” on page 9-11 for more information.
7. If two or more authentication methods are selected, you should specify a default method from the Default drop-down list. If a default method is not selected, the first method selected in the list will be the default method.
8. Click the Save icon in the toolbar to save your changes.
Allowing access to the ISAKMP server
An ISAKMP rule is required in order to allow access to and from the ISAKMP server. “Creating proxy rules” on page 7-4 describes how to define a proxy rule. The ISAKMP proxy rule must contain the following values:
• Service Type = Server
• Service = isakmp
• Src Burb = the Internet burb
• Dest. Burb = the Internet burb
• Source address = All Source Addresses (or addresses of remote VPN peers)
• Destination address = a network object representing the IP address of the Internet burb, or a netgroup that contains a network object representing the IP address of the Internet burb
This ISAKMP rule is implicitly bi-directional, meaning it enables ISAKMP traffic in both directions.
Enabling/disabling the ISAKMP server
Perform the following steps to enable or disable the ISAKMP server.
1. In the Admin Console, select Services Configuration -> Servers.
2. Select isakmp from the list of server names.
3. Click Enable or Disable.
4. Click the Save icon in the toolbar.
Configuring the Certificate server
The Certificate server performs a number of functions, including providing support for the certificate management daemon (CMD) and for an optional external LDAP server. If the LDAP function is configured, it can be used to automatically retrieve certificates and Certificate Revocation Lists (CRLs) from a Version 2 or Version 3 Lightweight Directory Access Protocol (LDAP) server. The Sidewinder G2 will attempt to retrieve any certificates and (optionally) any CRLs that it needs to validate certificates in a CA-based VPN. Note that the LDAP functionality is used only for non-Netscape Certificate Authorities (for example Baltimore, Entrust, etc.).
About the Certificate Server Configuration tab
Note: In addition to configuring the Certificate server, a root certificate from the Certificate Authority must be imported into the Certificate Authorities tab for a certificate issued by the CA to validate.
To configure the Certificate server, select Services Configuration -> Servers. Select cmd in the list of server names, and then select the Configuration tab. The following window appears.
Figure 13-3. Server Control window: Configuration tab
The Certificate Server Configuration tab allows you to configure the Certificate Server. Follow the steps below.
Important: Many of the functions you can perform on this window require the use of the CMD server. See “Activating the Sidewinder G2 license” on page 3-19 for instructions on enabling the CMD server.
1. To enable the LDAP feature, select the Use LDAP to search for Certificates and CRLs check box, and follow the sub-steps below. If enabled, the Sidewinder G2 will attempt to retrieve the certificates and CRLs it needs from an LDAP server.
a. In the LDAP Server Address field, type the IP address of the LDAP server.
b. In the LDAP Server Port field, type the port number on which the LDAP server listens. The port number is typically 389, but the server can be configured to listen on different ports.
c. In the LDAP Timeout field, specify the maximum time (in seconds) that CMD will wait while performing an LDAP search. The valid range is between 0 and 3600 seconds. The recommended value is between 5 and 300 seconds.
2. In the Maximum Validated Key Cache Size field, specify the maximum number of validated keys that will be stored in cache memory. Caching validated keys can increase system performance. The valid range is 0–500. A value of 0 indicates that no keys will be cached. For most systems a value of 100 is sufficient.
3. In the Certificate Key Cache Lifetime field, specify the maximum amount of time a certificate can remain in the validated key cache before it must be re-validated. The valid range is 0–168 hours (1 week). A value of 0 indicates that the certificate keys must be re-validated with each use.
4. Select the Perform CRL Checking check box to enable CRL checking. If this option is disabled, CRLs will not be consulted when validating certificates.
5. In the CRL Retrieval Interval for CAs drop-down list, specify how often a CA is queried in order to retrieve a new CRL.
6. In the Audit Level drop-down list, select the type of auditing that should be performed on this server. The options are:
• Error—Logs only major errors.
• Normal—Logs only major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages. Also logs all debug information.
• Trace—Logs all errors and informational messages. Logs all debug and function trace information.
7. Click the Save icon in the toolbar.
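The cache size, cache lifetime and CRL checking settings in steps 2 through 4 interact: a certificate that was revoked after it entered the validated key cache keeps validating until its cache entry expires, and with CRL checking disabled it validates indefinitely. The following Python model is an added example, not Secure Computing code; it enforces the documented ranges, uses constructed certificate and CRL data, and the 24-hour default lifetime is an assumption for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class CertServerConfig:
    """The three Configuration-tab settings this model cares about."""
    max_validated_key_cache_size: int = 100   # valid range 0-500; 0 = cache nothing
    cache_lifetime_hours: int = 24            # valid range 0-168; 0 = re-validate every use
    perform_crl_checking: bool = True

    def __post_init__(self):
        if not 0 <= self.max_validated_key_cache_size <= 500:
            raise ValueError("Maximum Validated Key Cache Size must be 0-500")
        if not 0 <= self.cache_lifetime_hours <= 168:
            raise ValueError("Certificate Key Cache Lifetime must be 0-168 hours")


@dataclass(frozen=True)
class Cert:
    """Stand-in for a peer certificate: only the fields the checks need."""
    issuer: str
    serial: str


class ValidatedKeyCache:
    """LRU cache of certificates that passed validation, keyed by (issuer, serial).

    trusted_cas: CAs whose root certificate has been imported.
    crls: issuer -> set of revoked serials (constructed stand-in for retrieved CRLs).
    clock: callable returning the current time in hours, injected so it can be advanced.
    """

    def __init__(self, cfg, trusted_cas, crls, clock):
        self.cfg = cfg
        self.trusted_cas = set(trusted_cas)
        self.crls = crls
        self.clock = clock
        self.cache = OrderedDict()      # (issuer, serial) -> hour it was validated
        self.full_validations = 0       # chain/CRL checks actually performed

    def _full_validate(self, cert):
        self.full_validations += 1
        if cert.issuer not in self.trusted_cas:
            return False
        if self.cfg.perform_crl_checking and cert.serial in self.crls.get(cert.issuer, set()):
            return False                # with CRL checking off, revocation is never consulted
        return True

    def validate(self, cert):
        key = (cert.issuer, cert.serial)
        now = self.clock()
        lifetime = self.cfg.cache_lifetime_hours
        if lifetime > 0 and key in self.cache:
            if now - self.cache[key] < lifetime:
                self.cache.move_to_end(key)   # cache hit: no CRL consulted
                return True
            del self.cache[key]               # lifetime expired: must re-validate
        ok = self._full_validate(cert)
        if ok and lifetime > 0 and self.cfg.max_validated_key_cache_size > 0:
            self.cache[key] = now
            if len(self.cache) > self.cfg.max_validated_key_cache_size:
                self.cache.popitem(last=False)   # evict the least recently used entry
        return ok


def revocation_lag(cache_lifetime_hours):
    """Validate a cert, revoke it, then re-check after 1 hour and after the lifetime.

    Returns (accepted before revocation, accepted 1 h after, accepted after lifetime).
    """
    clock = {"now": 0}
    cfg = CertServerConfig(cache_lifetime_hours=cache_lifetime_hours)
    crls = {"Example CA": set()}                      # constructed CRL data
    cache = ValidatedKeyCache(cfg, ["Example CA"], crls, lambda: clock["now"])
    cert = Cert(issuer="Example CA", serial="1001")
    before = cache.validate(cert)
    crls["Example CA"].add("1001")                    # the CA publishes a CRL listing the cert
    clock["now"] = 1
    after_one_hour = cache.validate(cert)
    clock["now"] = max(cache_lifetime_hours, 1) + 1
    after_lifetime = cache.validate(cert)
    return before, after_one_hour, after_lifetime


def accepts_revoked_when_crl_checking_disabled():
    """Step 4 unchecked: a revoked certificate still validates."""
    cfg = CertServerConfig(perform_crl_checking=False)
    cache = ValidatedKeyCache(cfg, ["Example CA"], {"Example CA": {"1001"}}, lambda: 0)
    return cache.validate(Cert(issuer="Example CA", serial="1001"))


def cache_stats(max_cache_size, n_certs):
    """Validate n_certs twice; return (entries cached, full validations performed)."""
    cfg = CertServerConfig(max_validated_key_cache_size=max_cache_size)
    cache = ValidatedKeyCache(cfg, ["Example CA"], {}, lambda: 0)
    certs = [Cert(issuer="Example CA", serial=str(i)) for i in range(n_certs)]
    for _ in range(2):
        for cert in certs:
            cache.validate(cert)
    return len(cache.cache), cache.full_validations
```

With a 24-hour lifetime the revoked certificate is still accepted an hour after the CRL update and only rejected once the cache entry expires; a lifetime of 0 rejects it at the next use at the cost of a full validation every time.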
Understanding virtual burbs
A virtual burb is a burb that does not contain a network interface card (NIC). The sole purpose of a virtual burb is to serve as a logical endpoint for a VPN association. Terminating a VPN association in a virtual burb accomplishes two important goals:
• It separates VPN traffic from non-VPN traffic.
• It enables you to enforce a security policy that applies strictly to your VPN users.
Consider a VPN policy that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic. This is because proxies and rules are applied on a per-burb basis, not to specific traffic within a burb. By terminating the VPN in a virtual burb you effectively isolate the VPN traffic from non-VPN traffic. Plus, you are able to configure a unique set of rules for the virtual burb that allow you to control precisely what your VPN users can or cannot do. Figure 13-4 illustrates this concept.
Figure 13-4. Virtual burb vs. a non-virtual burb VPN implementation
(Two panels, “VPN without a virtual burb” and “VPN with a virtual burb”, showing the Sidewinder G2 between the Internet and the internal network with its Trusted burb, Internet burb, Virtual burb and proxies, non-VPN and VPN clients on the Internet side, and a legend distinguishing the VPN tunnel from data.)
Note: Both VPN implementations depicted in Figure 13-4 represent "proxied" VPNs because proxies must be used to move VPN data between burbs. The use of proxies enables you to control the resources that a VPN client has access to on your internal network.
A virtual burb can support all the same services as a normal burb. If traffic coming from the virtual burb is destined to the Sidewinder G2 itself (for example, DNS or SSH), the rule that allows traffic across that burb must specify a NAT address of localhost. If localhost is not specified, the Sidewinder G2 will not be able to route traffic back to the originator.
You can define up to 24 physical and virtual burbs. For example, if you have two distinct types of VPN associations and you want to apply a different set of rules to each type, create two virtual burbs, then configure the required proxies and rules for each virtual burb.
One question that might come to mind when using a virtual burb is: "How does VPN traffic get to the virtual burb if it doesn’t have a network card?" All VPN traffic originating from the Internet initially arrives via the network interface card in the Internet burb. A VPN security association, however, can internally route and logically terminate VPN traffic in any burb on the Sidewinder G2. By defining a security association to terminate the VPN in a virtual burb, the VPN traffic is automatically routed to that virtual burb within the Sidewinder G2. Thus, the trusted network now recognizes the virtual burb as the source burb for your VPN traffic. From the virtual burb, a proxy and rule are needed to move the traffic to a trusted burb with network access.
Creating and using a virtual burb with a VPN
This section explains how to create a virtual burb on the Sidewinder G2 and how to use it in a VPN association.
Create the virtual burb
1. In the Admin Console, select Firewall Administration -> Burb Configuration.
2. Click New.
a. In the Burb Name field, type the name for your virtual burb.
b. Click OK.
3. Click the Save icon.
Configure proxies and rules
4. In the Admin Console, select Services Configuration -> Proxies and enable the desired proxies in the virtual burb.
5. Select Policy Configuration -> Rules and define the rules that allow access to and from the virtual burb.
Note: Be sure to add any rules you create to the active proxy rule group.
The virtual burb should be specified as either the source or destination burb, depending on the type of rule being defined.
Terminate the desired VPN association in the virtual burb
6. Terminate the desired VPN security association(s) in the virtual burb. See “Configuring VPN Security Associations” on page 13-51 for information on creating or modifying a VPN association.
Configuring client address pools
Client address pools are used to simplify the management of VPN clients. They do so by having the Sidewinder G2 manage certain configuration details on behalf of the client. All the client needs is:
• Client software that supports ISAKMP mode-config exchange
• Authorization information (a client certificate, a password, etc.)
• The address of the Sidewinder G2
Here is how it works: you create a "pool" of IP addresses that will be used by remote clients when they attempt to make a VPN connection. When a client attempts a connection, the Sidewinder G2 assigns it one of the IP addresses available in the address pool. The Sidewinder G2 also negotiates with the client to determine other VPN requirements, such as which DNS and/or WINS servers will be made available to the client. If the negotiation is successful, the client is connected and the VPN association is established.
Note: To date, not all VPN client software supports the negotiation of every client address pool parameter. Be sure to verify that your client(s) support the necessary features.
The number of IP addresses available in the client address pool is dictated by the value defined in the Virtual Subnet field. Even though the client may have a fixed IP address, the address used within the VPN association is the address assigned to it from the address pool. The address pool works for both fixed and dynamic clients. This means that in the scenarios described at the end of this chapter, address pools could be used in scenario 2 or scenario 3.
You can create multiple client address pools if desired. Grouping VPN clients into distinct pools allows you to limit the resources the clients in each group can access.
The following sections explain how to configure client address pools.
Configuring a new client address pool
To configure a new Client Address Pool, select VPN Configuration -> Client Address Pools. The following window appears.
Figure 13-5. Client Address Pools
About the Client Address Pools window
This window allows you to create and modify client address pools. You can perform the following actions in this window:
• Create a new client address pool—To create a new client address pool, click New in the Pools area. The New Pool window appears. See “About the New Pool window” on page 13-20.
• Delete a client address pool—To delete a client address pool, highlight the pool in the Pool list and click Delete. Click Yes to confirm the deletion.
• Configure a client address pool—To configure the client address pool tabs, see the following:
— For information on configuring the Subnets tab, see “Configuring the Subnets tab” on page 13-20.
— For information on configuring the Servers tab, see “Configuring the DNS and/or WINS servers” on page 13-22.
— For information on configuring the Fixed IP Map tab, see “Configuring the fixed IP map” on page 13-24.
About the New Pool window
The New Pool window allows you to create a new client address pool. Follow the steps below.
1. In the Pool Name field, type the name of the new address pool.
2. In the Virtual Subnet field, specify the network portion of the IP addresses that will be used in the client address pool, and the number of bits to use in the network mask. The network mask specifies the significant portion of the IP address.
3. In the Define the Local Subnets available to remote clients area, configure the local networks that will be available to remote clients that establish a VPN association using an address from the client address pool. The following options are available:
• Create a new local subnet—Click New to define a new entry in the Local Subnet List. See “Adding or modifying a subnet address” for details.
• Modify a local subnet—Highlight the subnet you want to modify and click Modify to modify an existing entry in the Local Subnet List. See “Adding or modifying a subnet address” on page 13-22 for details.
• Delete a local subnet—Highlight the subnet you want to delete and click Delete to delete an existing entry from the Local Subnet List.
4. Click Add to add the new client address pool. To configure the Servers tab, see “Configuring the DNS and/or WINS servers” on page 13-22. To configure the Fixed IP Map tab, see “Configuring the fixed IP map” on page 13-24.
Configuring the Subnets tab
To configure the virtual subnet address, select VPN Configuration -> Client Address Pools and select the client address pool that you want to configure from the Pools list. The following tab appears.
Figure 13-6. Client Address Pools: Subnets tab
The Subnets tab allows you to define the virtual address subnet for this address pool. You can also specify any local networks that you want to be accessible to remote clients using this pool. Follow the steps below.
1. Configure the Virtual Subnet List. This list holds the virtual subnets that define the IP address ranges available within this pool. The following options are available:
• Create a new virtual subnet—Click New to define a new entry in the Virtual Subnet List. See “Adding or modifying a subnet address” for details.
• Modify a virtual subnet—Highlight the subnet you want to modify and click Modify to modify an existing entry in the Virtual Subnet List. See “Adding or modifying a subnet address” on page 13-22 for details.
• Delete a virtual subnet—Highlight the subnet you want to delete and click Delete to delete an existing entry from the Virtual Subnet List.
2. Configure the Local Subnet List. This list defines the local networks available to remote clients that establish a VPN association using an address from the client address pool. The following options are available:
• Create a new local subnet—Click New to define a new entry in the Local Subnet List. See “Adding or modifying a subnet address” for details.
• Modify a local subnet—Highlight the subnet you want to modify and click Modify to modify an existing entry in the Local Subnet List. See “Adding or modifying a subnet address” on page 13-22 for details.
• Delete a local subnet—Highlight the subnet you want to delete and click Delete to delete an existing entry from the Local Subnet List.
Important: The client machine’s IP address should not match the internal network’s subnet, as this configuration could cause internal routing and connectivity issues.
Adding or modifying a subnet address
To add or modify an IP address/netmask combination in the New/Modify Virtual/Local Subnet window, follow the steps below.
1. In the Virtual/Local Subnet field, type the IP address that will be used to define:
• For the Virtual Subnet field—The network portion of the IP addresses used in the client address pool.
• For the Local Subnet List—The network portion of the local network that will be made available to the VPN clients.
2. In the netmask field, specify the number of bits to use in the network mask. The network mask specifies the significant portion of the IP address.
3. Click Add.
4. Click the Save icon.
Configuring the DNS and/or WINS servers
To configure the DNS and/or WINS servers, select VPN Configuration -> Client Address Pools. Create a new entry or select an existing one, and then select the Servers tab. The following window appears.
Figure 13-1. Client Address Pools: Servers tab
Configuring the Servers tab
The Servers tab is used to define the DNS server(s) and/or the WINS server(s) that will be made available to remote clients. These servers provide name and address resolution services for devices within the local network. The DNS servers you specify can reside on the Sidewinder G2 or be located on another machine in a local or remote network. WINS servers are never located on the Sidewinder G2. To configure the Servers tab, follow the steps below.
1. The DNS Servers box lists the DNS servers that will be made available to VPN clients that establish a connection using an address from the client address pool. The following options are available:
• New—Click this button to create a new DNS server entry. See “Adding or modifying a server” for details.
• Modify—Select a DNS server and click Modify to modify an existing DNS server entry. See “Adding or modifying a server” for details.
• Delete—Select the DNS server and click Delete to delete an existing DNS server entry.
2. The NBNS/WINS Servers box lists the NBNS and WINS servers that will be made available to VPN clients that establish a connection using an address from the client address pool. The following options are available:
• New—Click this button to create a new NBNS/WINS server entry. See “Adding or modifying a server” on page 13-24 for details.
• Modify—Select an NBNS/WINS server and click Modify to modify an existing NBNS/WINS server entry. See “Adding or modifying a server” on page 13-24 for details.
• Delete—Select the NBNS/WINS server and click Delete to delete an existing NBNS/WINS server entry.
Adding or modifying a server
To add or modify a server entry in the New/Modify DNS or NBNS/WINS server window, follow the steps below.
1. In the DNS Server or NBNS/WINS field, type or change the IP address that specifies the location of the DNS or WINS server.
2. Click Add to add the IP address to the server list.
3. Repeat step 1 and step 2 for each additional IP address you want to add.
4. When you are finished adding/modifying IP addresses, click Add.
5. To save changes to the Servers tab, click the Save icon.
Configuring the fixed IP map
To configure the fixed IP map, select VPN Configuration -> Client Address Pools. Create a new entry or select an existing one, and then select the Fixed IP Map tab. The following window appears.
Figure 13-2. Client Address Pools: Fixed IP Map tab
About the Fixed IP Map tab
The Fixed IP Map tab is used to define fixed addresses for selected clients. It enables each of the specified clients to connect to the Sidewinder G2 using its own unique IP address. It effectively reserves a specific IP address for a specified client. The fixed addresses you specify must be within the range of available IP addresses as defined by the client address pool.
Caution: Do not use network or broadcast addresses when mapping IP addresses to client IDs. These addresses are reserved and are not considered valid values for client address mappings. For example, if your address range is 192.168.105.0/24, then 192.168.105.0 (the network address) and 192.168.105.255 (the broadcast address) should not be used in a fixed IP client mapping. The network address is the address whose masked portion is all 0s, and the broadcast address is the address whose masked portion is all 1s.
One of the benefits of assigning fixed IP addresses to selected clients is that it allows you to govern what each client can do. For example, you might restrict access for certain clients, and you might grant additional privileges to other clients. You do this by creating a network object for a selected IP address and then using the network object within a rule.
The Fixed IP Map tab contains a Fixed IP Client Address Mappings box that lists the current IP address/client mappings. Each unique IP address can appear in the table only once. Multiple identities representing a single client, however, can be mapped to one IP address. You can add, modify, or delete entries by using one of the buttons described below.
Configuring Virtual Private Networks 13-25
Configuring client address pools<br />
Adding or modifying fixed<br />
IP entries<br />
13-26 Configuring Virtual Private Networks<br />
New—Click this button to define a new fixed IP client address<br />
mapping. See “Adding or modifying fixed IP entries” on page 13-<br />
26 for details.<br />
Modify—Select an entry and click this button to modify a fixed IP<br />
client address mapping. See “Adding or modifying fixed IP entries”<br />
on page 13-26 for details.<br />
Delete—Select an entry and click this button to delete a fixed IP<br />
client address mapping.<br />
The Fixed IP Map tab allow you to create a client address mapping<br />
entry or to modify an existing entry. Each entry consists <strong>of</strong> two fields:<br />
an IP address and one or more client IDs. To add or modify a fixed IP<br />
entry, follow the steps below.<br />
1. In the IP Address field, enter the fixed IP address that will be associated with this mapping. The IP address must be within the virtual subnet for this pool.
2. Configure the client identification strings for this entry. All entries listed in the Client Identification Strings box will be mapped to the associated IP address. Because a client can use one of several different IDs (a distinguished name, an e-mail address, etc.) when negotiating a session, you can map multiple IDs to one IP address. However, you cannot map two separate clients to the same address.
Defining all the possible IDs for a client means you will be ready regardless of which ID is presented during the negotiation. Note that if a user will be using Extended Authentication, their user name will override any other ID. Use the following buttons to configure client identification strings:
Note: Each client identification string must be entered separately.
New—Click this button to add a new client identifier. See “Adding or modifying a client identification string” on page 13-27 for details.
Modify—Click this button to modify an existing client identifier. See “Adding or modifying a client identification string” on page 13-27 for details.
Delete—Click this button to delete an existing client identifier.
3. When you have finished configuring the client identification strings, click Add to add the new pool entry to the list.
Note: Clicking Close without clicking Add first will cancel any changes.
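The rules stated above for a fixed IP map (the address must lie inside the pool's virtual subnet, the network and broadcast addresses are reserved, each address may appear only once, and a client may present several IDs but two clients may not share an address) can be checked before entries are saved. The following Python is an added example, not Sidewinder G2 code: the pool subnet, the entries and the client ID strings are constructed sample values, and comparing client IDs case-insensitively is an assumption the guide does not state.

```python
"""Pre-save checks for Fixed IP Map entries (added example, not Sidewinder G2 code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class FixedIpEntry:
    ip: str
    client_ids: list          # one client, identified by one or more ID strings


def check_fixed_ip_map(pool_subnet, entries):
    """Return a list of problems with the mapping; an empty list means it is valid.

    Rules taken from the guide's Fixed IP Map description:
      * each fixed address must lie within the pool's virtual subnet
      * the network and broadcast addresses are reserved and may not be used
      * a unique IP address may appear in the table only once
      * several IDs may map to one address, but two clients may not share one,
        so an ID seen under two different addresses is an error
      * every entry must carry at least one client identification string
    """
    net = ipaddress.ip_network(pool_subnet, strict=True)
    problems = []
    seen_ips = set()
    id_owner = {}             # client ID -> address it was first mapped to
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry.ip)
        except ValueError:
            problems.append(f"{entry.ip!r}: not a valid IP address")
            continue
        if addr not in net:
            problems.append(f"{addr}: outside pool subnet {net}")
        elif addr == net.network_address:
            problems.append(f"{addr}: network address is reserved")
        elif addr == net.broadcast_address:
            problems.append(f"{addr}: broadcast address is reserved")
        if addr in seen_ips:
            problems.append(f"{addr}: mapped more than once")
        seen_ips.add(addr)
        if not entry.client_ids:
            problems.append(f"{addr}: no client identification strings")
        for cid in entry.client_ids:
            # Assumption: IDs are compared case-insensitively (DN tags and mail
            # domains are); the guide does not say how the firewall compares them.
            key = cid.strip().lower()
            owner = id_owner.setdefault(key, addr)
            if owner != addr:
                problems.append(f"client ID {cid!r}: mapped to both {owner} and {addr}")
    return problems


def demo():
    """Constructed sample pool and entries; every entry but the first breaks a rule."""
    entries = [
        FixedIpEntry("192.168.105.10", ["CN=Jane Smith, OU=Sales, O=Secure Computing",
                                        "jsmith@example.com"]),
        FixedIpEntry("192.168.105.0", ["CN=Ira Stewart, OU=Engineering, O=Secure Computing"]),
        FixedIpEntry("192.168.105.255", ["ira@example.com"]),
        FixedIpEntry("192.168.106.5", ["bob@example.com"]),
        FixedIpEntry("192.168.105.20", ["JSmith@example.com"]),   # Jane's ID under a second address
        FixedIpEntry("192.168.105.10", ["dup@example.com"]),      # address used twice
    ]
    return check_fixed_ip_map("192.168.105.0/24", entries)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it as a script to list the five problems in the sample map; an empty list from check_fixed_ip_map means the entries would be accepted under the guide's rules.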
Adding or modifying a client identification string
To create or modify a client identifier, follow the steps below.
1. Type the new client identifier in the Client ID field. You can type any of the possible identifiers:
Distinguished name
E-mail address
Domain name
IP address
XAUTH username
Tip: The XAUTH username overrides all other client identification values. If the user will be using extended authentication, you should add only that user name for fixed IP mapping.
2. Click Add to add the client ID to the list.
3. To create additional client IDs, repeat step 1 and step 2 for each client ID.
4. Click the Save icon.

Configuring Certificate Management
If you are using automatic key generation and intend to use certificates for authentication, you should configure the certificate and/or Certificate Authority (CA) server information before you set up the VPN. This eliminates the need to configure certificates and CAs during the VPN process. To configure certificate or CA information, follow these general steps.
1. Review the section “Selecting a trusted source” on page 13-31 for details on certificates and CAs.
2. Decide if you will use a public CA server, your private CA server, or self-signed certificates generated by the Sidewinder G2 (which can be used between two Sidewinder G2s or between a Sidewinder G2 and a VPN client machine).
3. If you are using a public or private CA server, go to “Configuring and displaying CA root certificates” on page 13-32. You may also want to add remote identities to be used in conjunction with a Certificate Authority policy. See “Configuring and displaying Remote Identities” on page 13-35.
4. If you are using self-signed certificates, refer to the section titled “Configuring and displaying firewall certificates” on page 13-37.
5. If you are configuring a VPN between the Sidewinder G2 and a machine running the client version of the Sidewinder G2 VPN solution, and if you are not using a CA, you must create a remote certificate, export it, then import the certificate into the VPN client. Refer to the section titled “Exporting remote or firewall certificates” on page 13-48.
Understanding Distinguished Name syntax
The Certificate Manager supports using distinguished names (DNs) for a number of purposes, including identifying the subject of an X.509 certificate. DNs need to be entered using the proper syntax. As defined in the X.500 specifications, a DN is an Abstract Syntax Notation One (ASN.1) value. Within an X.509 certificate, a DN is represented as a binary value. When it is necessary to represent a DN in a human-readable format, as when entering information into the Certificate Manager, the Sidewinder G2 uses the string syntax defined by RFC 2253. This section summarizes the DN string syntax through a series of examples.
Note: For more information on this string syntax, visit http://www.ietf.org/rfc.html and search for RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.”
A distinguished name (DN) consists of a sequence of identity components, each composed of a type tag and a value. The components of a DN are sets of attribute type/value pairs. The attribute type indicates the type of the item, and the attribute value holds its contents. Each type/value pair consists of an X.500 attribute type and attribute value, separated by an equal sign (‘=’). In the example CN=Jane Smith, “CN” is the attribute type and “Jane Smith” is the value.
The attribute type/value pairs are separated by commas (‘,’). This example shows a DN made up of three components:
CN=Jane Smith, OU=Sales, O=Secure Computing
Plan out your organization’s certificate identification needs before creating any DNs. DNs have a hierarchical structure, reading from most specific to least specific. No preset hierarchy of attribute types exists, but the structure for a given organization needs to be consistent. In this example, the organization Secure Computing has organizational units, making the organizational unit attribute type more specific than the organization attribute type.
CN=Jane Smith, OU=Sales, O=Secure Computing
CN=Ira Stewart, OU=Engineering, O=Secure Computing
An attribute type is specified by a tag string associated with the X.500 attribute being represented. The Sidewinder G2 supports the attribute tag strings displayed in Table 13-1, which includes the most common ones recommended by RFC 2253. The tag strings are not case sensitive.

Table 13-1. Supported X.500 Attribute Type Tags
Tag String      X.500 Attribute Name    Character String Type   Max. # of Characters
C               CountryName             PrintableString         2
CN              CommonName              DirectoryString         64
Email Address   EmailAddress            IA5String               128
L               LocalityName            DirectoryString         128
O               OrganizationName        DirectoryString         64
OU              OrganizationUnitName    DirectoryString         64
SN              Surname                 DirectoryString         128
ST              StateName               DirectoryString         128
Street          StreetAddress           DirectoryString         128
UID             UserID                  DirectoryString         128

The attribute value holds the actual content of the identity information, and is constrained by the associated attribute type. For the supported attribute types, Table 13-1 shows the corresponding string type (which limits the allowed set of characters) and its maximum length. For example, given “CN=Jane Smith” as a name component, the string “Jane Smith” is of type DirectoryString, and is constrained to a maximum of 64 characters. The maximum number of characters allowed in a DN (that is, the number of characters for all attribute values added together) is 1024.
The following table defines the allowed character set for each of the character string types used in Table 13-1.
Table 13-1. Character String Types
Character String Type   Allowed Characters
DirectoryString         All 8 bit characters without encoding; all non-8 bit characters with UTF-8 encoding
PrintableString         A–Z, a–z, 0–9, ()+-./:=?, comma (‘,’), space (‘ ’), apostrophe (‘'’)
IA5String               All 7 bit characters

When representing attribute values, be careful when using special characters. The following characters have special meaning in the string syntax and must be escaped with a backslash character (‘\’):
comma (‘,’)
equal sign (‘=’)
plus sign (‘+’)
less than sign (‘<’)
pound sign (‘#’)
semicolon (‘;’)
backslash (‘\’)
quotation mark (‘"’)
All other printable ASCII characters represent themselves. Non-printable ASCII must be escaped by preceding the ordinal value of the character, written as two hexadecimal digits, with a backslash (for example, the BEL character, which has an ordinal value of seven, would be represented by \07). Here are some examples of the escape conventions:
CN=Jane Smith\,DDS, OU=Sales, O=Secure Computing
CN=\4a\61\6e\65\20Smith, OU=Sales, O=Secure Computing
Attribute values may optionally be contained within double-quote characters, in which case only the backslash (‘\’), double quote (‘"’), and non-printable ASCII characters need to be escaped. Here the double quotes eliminate the need to escape the CN’s comma:
CN="Jane Smith,DDS", OU=Sales, O=Secure Computing
Note: Entries containing backslashes or double quotes will appear “normalized” (without extra characters or spaces) in the GUI once they are saved.
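The string syntax summarized above (backslash escapes, two-digit hex escapes, double-quoted values, the per-tag limits in Table 13-1 and the 1024-character total) is small enough to implement and check directly. The following Python is an added example, not Sidewinder G2 code: it parses the guide's sample DNs, re-emits them in the normalized backslash form the GUI displays, and validates them against the table. It treats the greater-than sign as a special character alongside the ones listed, as RFC 2253 does, and takes the tag spelling "Email Address" from Table 13-1 as printed.

```python
"""RFC 2253 DN string handling as summarized in the guide (added example, not Sidewinder G2 code)."""
import re

# Table 13-1: tag string -> maximum number of characters; tags are not case sensitive.
# "EMAIL ADDRESS" is the tag as printed in the table.
MAX_LEN = {"C": 2, "CN": 64, "EMAIL ADDRESS": 128, "L": 128, "O": 64, "OU": 64,
           "SN": 128, "ST": 128, "STREET": 128, "UID": 128}
DN_MAX_TOTAL = 1024                      # all attribute values added together
SPECIAL = ',=+<>#;\\"'                   # need a backslash outside double quotes
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789()+-./:=?, '")   # PrintableString alphabet, used by the C tag


def _unescape_at(text, j):
    """text[j] is a backslash; return (index after the escape, decoded character)."""
    rest = text[j + 1:j + 3]
    if re.fullmatch(r"[0-9A-Fa-f]{2}", rest):     # \XX hex form, e.g. \07 for BEL
        return j + 3, chr(int(rest, 16))
    if rest:                                       # \, \= \" \\ and so on
        return j + 2, rest[0]
    raise ValueError("dangling backslash")


def parse_dn(text):
    """Split a DN string into an ordered list of (TAG, value), most specific first."""
    comps, i, n = [], 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq < 0:
            raise ValueError(f"no '=' in component {text[i:]!r}")
        tag = " ".join(text[i:eq].split()).upper()
        if not tag or "," in tag:
            raise ValueError(f"bad attribute type before {text[eq:]!r}")
        j, chars = eq + 1, []
        while j < n and text[j] == " ":
            j += 1
        quoted = j < n and text[j] == '"'
        if quoted:
            j += 1
        # A quoted value ends at the closing quote, a bare one at the next comma;
        # in both, a backslash starts an escape sequence.
        while j < n and text[j] != ('"' if quoted else ","):
            j, ch = _unescape_at(text, j) if text[j] == "\\" else (j + 1, text[j])
            chars.append(ch)
        if quoted:
            if j >= n:
                raise ValueError("unterminated quoted value")
            j += 1                                 # step over the closing quote
            value = "".join(chars)
        else:
            value = "".join(chars).rstrip()        # drop spaces before the comma
        comps.append((tag, value))
        while j < n and text[j] == " ":
            j += 1
        if j < n and text[j] != ",":
            raise ValueError(f"unexpected text after value: {text[j:]!r}")
        i = j + 1
    return comps


def escape_value(value, quote=False):
    """String form of one attribute value. Outside quotes every SPECIAL character is
    backslash-escaped; inside quotes only backslash and double quote are. Non-printable
    ASCII is always written as a backslash and two hex digits."""
    out = []
    for ch in value:
        if ch in ('\\"' if quote else SPECIAL):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    body = "".join(out)
    return f'"{body}"' if quote else body


def format_dn(comps):
    """Normalized form (unquoted, backslash-escaped), as the GUI shows saved entries."""
    return ", ".join(f"{tag}={escape_value(value)}" for tag, value in comps)


def validate_dn(comps):
    """Check the Table 13-1 limits; return a list of problems (empty means OK)."""
    problems, total = [], 0
    for tag, value in comps:
        limit = MAX_LEN.get(tag)
        if limit is None:
            problems.append(f"unsupported attribute type {tag!r}")
            continue
        if len(value) > limit:
            problems.append(f"{tag} value exceeds {limit} characters")
        if tag == "C" and not set(value) <= PRINTABLE:
            problems.append("C value contains characters outside PrintableString")
        total += len(value)
    if total > DN_MAX_TOTAL:
        problems.append(f"attribute values total {total} characters, limit is {DN_MAX_TOTAL}")
    return problems
```

Parsing the quoted form CN="Jane Smith,DDS", OU=Sales, O=Secure Computing and passing the result through format_dn yields CN=Jane Smith\,DDS, OU=Sales, O=Secure Computing, which is the normalized appearance the note above describes.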
Use this supported syntax when entering information on the Admin Console’s Certificate Manager tabs.
Note: For additional information on DN syntax, see RFCs 2044, 2252, 2253, and 2256.

Selecting a trusted source
Single certificate versus Certificate Authority trusted sources
If you have decided to use certificate authentication, you must choose whether to use a single certificate or a Certificate Authority root certificate. In both methods, when a key is generated, the trust point (the Sidewinder G2 or a trusted CA like Netscape, Baltimore, Entrust, etc.) places the key in an electronic envelope called an X.509 certificate. Every certificate contains a collection of information about the entity possessing the private key (the Sidewinder G2 or VPN client). This information may include an identity, a company name, and a residency.
Note: If you select Netscape as a CA server, note that only Netscape version 4.2 is supported at this time.
To validate this information, a certificate must be electronically verified and witnessed by a trusted source. A CA-based trusted source is best suited for larger deployments and allows for greater flexibility, as both the root (the general authoritative certificate from the CA) and personal certificates may be retrieved online. However, a CA configuration does require managing the Certificate Authority server or paying someone else to manage it for you. A Sidewinder G2 self-signed trust source is best for very small deployments, as a separate security association must be created for each client. Certificates must be exported from the Sidewinder G2 and then installed on each client.

Public versus private Certificate Authorities
If you are planning to use a specific Certificate Authority to validate certificates created on the Sidewinder G2, or as part of a group of trusted CAs from which the Sidewinder G2 can directly import certificates, you should set up these CAs before you begin configuring a VPN. You can use the following types of CA servers:
a private CA server — You can purchase and install your own CA server and configure this server as the trusted authority for any VPNs you establish. This is an ideal solution for companies that prefer to allow only VPNs with certificates signed by a CA server on their own protected network.
Note: Before you begin, you must install the CA server and make its URL accessible to the Sidewinder G2. For details on installing and configuring a private CA server, review the manufacturer’s documentation.
a public CA server — You can choose to accept certificates signed by trusted CAs administered elsewhere. This option allows remote machines to use one certificate for VPNs with more than one corporate partner.

Configuring and displaying CA root certificates
This section explains how to configure the Certificate Authorities tab and display the imported signed root certificate.
In the Admin Console, select Services Configuration -> Certificate Management, then click the Certificate Authorities tab. The following window appears.

Figure 13-7. Certificate Management: Certificate Authorities tab
About the Certificate Authorities tab
The Certificate Authorities tab allows you to view the list of available certificate authorities (CAs). CAs are used to validate (sign) certificates that are used in a VPN connection. To display the properties of a specific certificate, select the certificate from within the Cert Authorities list. Its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a Certificate Authority” on page 13-33.
From this tab, you can perform the following actions:
Add a new certificate to the list—Click New and see “Adding a Certificate Authority” on page 13-33 for details.
Delete a certificate from the list—Highlight the certificate you want to delete and click Delete.
Note: A Certificate Authority cannot be deleted if it is currently being used by one or more Security Associations (the Delete button is disabled).
Retrieve a certificate—Click Get CA Cert to query the CA and import a certificate for the selected CA. The selected CA must be either Netscape 4.2 or an SCEP CA.
Export a certificate—Click Export to export a CA certificate from the local cache to a file and/or the screen.
Retrieve a CRL—Click Get CRL to manually retrieve a new Certificate Revocation List (CRL) for this CA. A CRL identifies certificates that have been revoked. CRLs expire on a regular basis, which is why you must periodically obtain a new CRL. You generally only need to get a CRL manually for Netscape CAs when the CA is initially added. After that, CRLs are automatically updated every 15 minutes or so for Netscape CAs.
Note: If you have access to neither a Netscape CA nor an LDAP directory, you should disable the Perform CRL Checking button on the Certificate Server window.

Adding a Certificate Authority
The New Certificate Authority window enables you to add a new Certificate Authority to the list of CAs used when authorizing certificates in a Sidewinder G2 VPN connection. To add a new Certificate Authority, follow the steps below.
1. In the CA Name field, type a name for this certificate authority. Only alphanumeric characters are accepted in this field.
2. In the Type drop-down list, select the type of CA used by your location. Valid options are:
Manual—Indicates the necessary files are obtained and loaded by an administrator rather than by a CA.
Netscape 4.2—Indicates that a Netscape version 4.2 CA is being defined.
SCEP (Simple Certificate Enrollment Protocol)—Indicates the CA being defined supports this widely used certificate enrollment protocol. The CA can be of any type (Netscape 4.2, Baltimore, Entrust, VeriSign, etc.) as long as it supports SCEP.
3. [Conditional] In the File field, type the name and location of the root certificate for the CA, or click Browse to browse your network directories for the location of the root certificate. The root certificate is used to verify certificates issued by this CA. (This field is available only if you select Manual in the Type field.)
Note: Valid file formats are .pem and .der. For information on obtaining a root certificate, see the documentation that accompanied the CA.
4. [Conditional] In the URL field, type the URL of the Netscape or SCEP CA. Certificates that need to be signed by the CA are sent to this address. (This field is available only if you select Netscape or SCEP in the Type field.)
5. [Optional] In the CA Id field, type the value used to identify this specific CA. Check with your CA administrator to determine the identifier to use. Many administrators use the fully qualified domain name of the CA as the identifier. (This field is available only if you select SCEP in the Type field.)
6. Click Add to add the CA to the Certificate Authority list. To define another certificate authority, repeat step 1 through step 5.
7. Click the Save icon.
Configuring and displaying Remote Identities
Remote Identities can be created for two purposes. If you choose to have a Certificate Authority policy defined for a VPN (whereby a group of trusted CAs is authorized to issue certificates for access to the VPN), you will also require a list of Remote Identities. Remote Identities are used as part of a Security Association to determine which remote certificates from a CA may be used to authenticate to a VPN. You may also be required to configure a remote identity to be used in a Security Association for a software client, such as the SafeNet SoftRemote client, using pre-shared passwords.
In the Admin Console, select Services Configuration -> Certificate Management, then select the Remote Identities tab. The following window appears.

Figure 13-8. Remote Identities tab

About the Remote Identities tab
In this tab you can view and modify the list of available remote identities. Remote identities are used to identify the authorized users who take part in a Security Association and either have been issued a certificate from a particular CA or use a VPN client configured with a pre-shared password. For example, as part of a remote identity you might define a Distinguished Name that authorizes only people from the Sales department of Bizco corporation.
In this tab, you can perform the following actions:
To display the properties of a specific identity, select the identity from within the list. Its properties are displayed on the right portion of the window.
To modify an identity, make the desired changes and click the Save icon. For specific information on modifying the properties that appear for a remote identity, see “Adding or modifying a Remote Identity” on page 13-36.
To create a new remote identity, click New, and see “Adding or modifying a Remote Identity” on page 13-36 for details.
To delete an existing identity, highlight the identity you want to delete and click Delete.

Adding or modifying a Remote Identity
The Create New Remote Identity window enables you to add a new remote identity. You can also modify an existing remote identity within the Remote Identities tab. To add or modify a remote identity, follow the steps below.
Tip: An asterisk can be used as a wildcard when defining the fields on this window. (Other special characters are not allowed.) For example, *, O=bizco, C=us represents all users at Bizco.
1. In the Identity Name field, type a name for this Remote Identity.
2. In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 13-28 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
3. [Optional] In the E-Mail Address field, enter the e-mail address(es) to which you want to restrict access. Enter one e-mail address per identity or use a wildcard to indicate all e-mail addresses, such as *@bizco.net.
4. [Optional] In the Domain Name field, type the specific domain name to which you want to restrict access. Enter one domain name per identity or use a wildcard to indicate all domain names, such as *.bizco.net.
5. [Optional] In the IP Address field, type the unique IP address or group of IP addresses to which you want to restrict access. For example, 182.19.0.0/16 indicates that only users with IP addresses beginning with 182.19 (as contained in the certificate) will be authorized to use the VPN.
6. Click Add to add the identity to the Identities list.
7. To define additional remote IDs, repeat step 1 through step 6.
8. Click the Save icon.
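How the fields of a remote identity would be compared against the identity values carried in a peer's certificate, as an added Python example (not Sidewinder G2 code). It implements the rules given above: an asterisk as a wildcard, DN components compared in the order the certificate lists them, e-mail and domain wildcards such as *@bizco.net, and an IP prefix such as 182.19.0.0/16. Because the guide does not say, it assumes that comparisons are case-insensitive, that every filled-in field must match, and that DN strings are in the normalized backslash-escaped form the GUI stores; the identity and the two peers are constructed sample data.

```python
"""Match a peer's certificate identity against a Remote Identity (added example, not Sidewinder G2 code)."""
import fnmatch
import ipaddress
import re


def split_dn(dn):
    """Split a normalized DN string (backslash-escaped, unquoted, as the GUI stores it)
    into (TAG, value) pairs in the order written; '*' alone is a whole-component wildcard."""
    parts = []
    for comp in re.split(r"(?<!\\),", dn):        # commas that are not backslash-escaped
        comp = comp.strip()
        if comp == "*":
            parts.append(("*", "*"))
        elif "=" in comp:
            tag, value = comp.split("=", 1)
            parts.append((tag.strip().upper(), value.strip()))
        elif comp:
            raise ValueError(f"bad DN component {comp!r}")
    return parts


def dn_matches(pattern, subject):
    """Compare from the least specific component (the end) backwards, so the pattern's
    field order must match the certificate's, as the guide requires. A leading '*'
    component stands for whatever components the certificate has in front of the
    listed ones; '*' inside a value is a glob wildcard.
    Assumption: values are compared case-insensitively."""
    p, s = split_dn(pattern), split_dn(subject)
    while p:
        ptag, pval = p.pop()
        if ptag == "*":
            return not p          # wildcard absorbs the rest; only a leading one is supported
        if not s:
            return False
        stag, sval = s.pop()
        if stag != ptag or not fnmatch.fnmatchcase(sval.lower(), pval.lower()):
            return False
    return not s                  # without a wildcard the certificate may have no extra components


def identity_matches(identity, cert):
    """identity: the Remote Identity fields that were filled in ("dn", "email",
    "domain", "ip"); cert: the corresponding values found in the peer certificate.
    Assumption: every filled-in field must match (fields are ANDed)."""
    if "dn" in identity and not dn_matches(identity["dn"], cert.get("dn", "")):
        return False
    for field in ("email", "domain"):      # e.g. *@bizco.net, *.bizco.net
        if field in identity and not fnmatch.fnmatchcase(
                cert.get(field, "").lower(), identity[field].lower()):
            return False
    if "ip" in identity:                    # a single address or a prefix such as 182.19.0.0/16
        allowed = ipaddress.ip_network(identity["ip"], strict=False)
        if "ip" not in cert or ipaddress.ip_address(cert["ip"]) not in allowed:
            return False
    return True


# Constructed sample data: an identity in the style of the guide's "*, O=bizco, C=us"
# narrowed to the Sales department, and two peers whose certificates carry these values.
SALES_AT_BIZCO = {"dn": "*, OU=Sales, O=bizco, C=us", "email": "*@bizco.net",
                  "ip": "182.19.0.0/16"}
JANE = {"dn": "CN=Jane Smith, OU=Sales, O=Bizco, C=US", "email": "jane@bizco.net",
        "ip": "182.19.4.7"}
IRA = {"dn": "CN=Ira Stewart, OU=Engineering, O=Bizco, C=US", "email": "ira@bizco.net",
       "ip": "182.19.4.8"}

if __name__ == "__main__":
    for name, cert in (("Jane", JANE), ("Ira", IRA)):
        print(name, "authorized" if identity_matches(SALES_AT_BIZCO, cert) else "rejected")
```

Jane is accepted and Ira is rejected only because of the OU component; the backwards comparison is what makes the order requirement from the note under step 2 bite, since CN=Jane Smith, O=bizco does not match a certificate whose subject is CN=Jane Smith, OU=Sales, O=Bizco.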
Configuring and displaying firewall certificates
A firewall certificate is used to identify the Sidewinder G2 to a potential peer in a VPN connection. When creating a certificate for the Sidewinder G2, you have the option to submit the certificate to a CA for validation or to have the Sidewinder G2 generate a self-signed certificate. You should create these certificates before you begin configuring a VPN.
Note: CA-signed certificates may be used as the firewall certificate for SSL termination. To do so, you must import the root and/or intermediate certificates in the certificate chain for the given CA-signed certificate (not the chain). If the browser does not have the intermediate/root certificates loaded, a security warning or error will appear indicating that the CA-signed certificate presented by the Sidewinder G2 is not trusted. You can import the intermediate/root CA certificate using the Certificate Authorities tab in the Certificate Management window.
In the Admin Console, select Services Configuration -> Certificate Management, then select the Firewall Certificates tab. The following window appears.

Figure 13-9. Firewall certificates

About the Firewall Certificates tab
The Firewall Certificates tab enables you to view the list of available certificates. The Sidewinder G2 will use a firewall certificate to identify itself to a peer in a VPN connection. To display the properties of a specific certificate, select the certificate from within the list; its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a firewall certificate” on page 13-38.
From this tab, you can perform the following actions:
Note: You cannot modify the properties of a certificate from this window. To modify a certificate you must delete it and then add it back using the new properties.
Add a firewall certificate—Click New to add a certificate to the Certificate list. See “Adding a firewall certificate” on page 13-38 for details.
Delete a firewall certificate—Highlight the certificate and click Delete to remove the selected certificate from the Certificate list.
Note: A certificate cannot be deleted if it is currently used by one or more areas (for example, Security Associations, Application Defenses, etc.).
Import a firewall certificate—Click Import to import an existing certificate and its related private key file. See “Importing a firewall certificate” on page 13-46 for more information.
Export a firewall certificate—Click Export to export the selected certificate to a file. The export function is generally used when capturing the certificate information needed by a remote partner such as a VPN client. See “Exporting remote or firewall certificates” on page 13-48 for more details.
Retrieve a certificate—If a certificate request has been submitted to be signed by a CA, click the Query button to query the CA to see if the certificate is approved. If yes, the Status field will change to SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to load the signed certificate from a file supplied by the CA.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.

Adding a firewall certificate
The Create New Firewall Certificate window enables you to add a certificate to the Firewall Certificate list. To add a certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed certificates created on the Sidewinder G2 is five years.
1. In the Certificate Name field, type a name for this certificate.
2. In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 13-28 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
Configuring Certificate Management<br />
Note: Some CAs will not support the optional identity types specified in step 3<br />
through step 5.<br />
3. [Optional] In the E-Mail Address field, type the email address associated<br />
with this firewall certificate.<br />
4. [Optional] In the Domain Name field, type the domain name associated<br />
with this firewall certificate.<br />
5. [Optional] In the IP Address field, type the IP address associated with this<br />
firewall certificate.<br />
6. In the Submit to CA drop-down list, select the enrollment method to<br />
which the certificate will be submitted for signing. The valid options are:<br />
Self Signed—Indicates the new certificate will be signed by the<br />
firewall rather than by a CA.<br />
Manual PKCS10—Indicates the certificate enrollment request will<br />
be placed in a PKCS10 envelope and exported to the file<br />
designated in the Generated PKCS10 File field.<br />
The name <strong>of</strong> the CA to which the certificate is submitted for<br />
signing. The CA can be either private (one you own and manage)<br />
or it can be public (a trusted CA administered elsewhere).<br />
7. In the Signature Type field, select the encryption format that will be<br />
used when signing the certificate. Valid options are RSA or DSA.<br />
8. [Conditional] Depending on the method you select in the Submit to CA<br />
field, the Other Parameters area may contain additional fields, as<br />
described below:<br />
If you selected Manual PKCS10 in the Submit to CA field, the<br />
Generated PKCS10 File field appears. Specify the name and location<br />
<strong>of</strong> the file that will contain the signed certificate, or click Browse to<br />
browse the network directories for the location <strong>of</strong> the file you want<br />
to specify. This file contains a PKCS10 "envelope" that is used to<br />
send a certificate to a CA for signing.<br />
If you selected a method that uses SCEP, you will need to provide a<br />
password in the SCEP Password field that appears.<br />
9. [Conditional] In the Format field, select the appropriate format for your<br />
PKCS10 certificate request.<br />
10. Click Add to add the certificate to the Certificates list. To define<br />
additional certificates repeat step 1 through step 9.<br />
11. Click the Save icon.<br />
Configuring and displaying remote certificates
A remote certificate identifies one or more peers that can be involved in a VPN connection with a Sidewinder G2. The Sidewinder G2 can import existing certificates into its Remote Certificates database, or it can create new remote certificates. In either case, all certificates should be in place before you begin configuring a VPN.
In the Admin Console, select Services Configuration -> Certificate Management, then select the Remote Certificates tab. The following window appears.
Figure 13-10. Remote certificates defined on the Sidewinder G2
About the Remote Certificates tab
The Remote Certificates tab enables you to view the list of available remote certificates. These certificates represent the potential peers with which the Sidewinder G2 can establish a VPN connection. To display the properties of a specific certificate, select the certificate from within the list. Its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a remote certificate”.
Note: You cannot modify the properties of a certificate from this window. To modify a certificate you must delete it and then add it back using the new properties.
From this window, you can perform the following actions:
• Add a new certificate to the Certificate list—Click New and see “Adding a remote certificate” on page 13-41 for details.
• Delete a certificate from the list—Highlight the certificate you want to delete and click Delete.
• Import certificates—Click Import and see “Importing a remote certificate” on page 13-47.
• Export certificates—Click Export and see “Exporting remote or firewall certificates” on page 13-48.
• Query the CA for certificate status—If a certificate request has been submitted to be signed by a CA, click the Query button to query the CA to see if the certificate is approved. If yes, the Status field will change to SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to query and retrieve the signed certificate.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.
Adding a remote certificate
The Create New Remote Certificate window enables you to add a certificate to the Remote Certificate list. To add a remote certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed certificates created on the Sidewinder G2 is five years.
1. In the Certificate Name field, type a name for this certificate.
2. In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 13-28 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
Note: Some CAs will not support the optional identity types specified in step 3 through step 5.
3. [Optional] In the E-Mail Address field, type the email address associated with this remote certificate.
4. [Optional] In the Domain Name field, type the domain name associated with this remote certificate.
5. [Optional] In the IP Address field, type the IP address associated with this remote certificate.
6. In the Submit to CA drop-down list, select the enrollment method to which the certificate will be submitted for signing. The valid options are:
• Self Signed: Indicates the new certificate will be signed by the Sidewinder G2 rather than by a CA.
• Manual PKCS10: Indicates the certificate enrollment request will be placed in a PKCS10 envelope and exported to the file designated in the Generated PKCS10 File field.
• The name of the CA to which the certificate is submitted for signing. The CA can be either private (one you own and manage) or public (a trusted CA administered elsewhere).
Note: The CA option is only available if a CA is already configured on the Certificate Authorities tab.
7. In the Signature Type box, select the signature algorithm that will be used when signing the certificate. Valid options are RSA or DSA.
8. [Conditional] In the Generated PKCS10 File field, specify the name and location of the file that will contain the signature request, or click Browse to browse the network directories for the file location. This file contains a PKCS10 “envelope” that is used to send a certificate request to a CA for signing. This field is available only if Manual PKCS10 is specified in the Submit to CA field.
Note: To create a new file using the Browse button, enter the name and extension (allowed file formats are binary or .pem).
9. [Conditional] In the Format field, select the appropriate format for your PKCS10 certificate request.
10. [Conditional] In the SCEP Password field, type a password for this certificate. You will need this password if you ever need the CA to revoke this certificate. The password may not contain spaces or single quotes. This field is available only if the Submit to CA field displays a CA of type SCEP.
11. Click Add to add the certificate to the Certificates list.
12. To define additional certificates, repeat steps 1 through 11 for each certificate you want to add.
13. Click the Save icon.
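What the two procedures above (firewall and remote certificates) produce can be reproduced and checked outside the Admin Console: a PKCS10 request carrying the Distinguished Name and the three optional identity types, or a self-signed RSA certificate with the five-year default lifetime. This is an added example built with OpenSSL, not code from the guide or from Secure Computing; it assumes openssl 1.1.1 or later is installed, and every name, DN and identity value in it is constructed.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: build with OpenSSL what the
# firewall/remote certificate procedure builds, then check the results.
# Assumed: openssl 1.1.1+ in PATH. All names and values below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NAME="fw1"                                                 # Certificate Name field
DN="/C=US/O=Example Corp/OU=Firewalls/CN=fw1.example.com"  # Distinguished Name field
EMAIL="vpn-admin@example.com"                              # optional E-Mail Address
DOMAIN="fw1.example.com"                                   # optional Domain Name
IPADDR="192.0.2.10"                                        # optional IP Address (TEST-NET-1)
DAYS=1825                                                  # guide default lifetime: five years
SAN="subjectAltName=email:$EMAIL,DNS:$DOMAIN,IP:$IPADDR"   # the three optional identity types

# Key pair (Signature Type: RSA). The guide's default key size is 1024 bits;
# 2048 is used here because 1024-bit RSA no longer meets current minimums.
gen_key() {
  openssl genrsa -out "$WORK/$NAME.key" 2048 2>/dev/null
}

# "Manual PKCS10": the enrollment request written to the Generated PKCS10 File,
# carrying the DN plus the identity types as a subjectAltName extension.
make_pkcs10() {
  openssl req -new -key "$WORK/$NAME.key" -subj "$DN" -addext "$SAN" \
    -out "$WORK/$NAME.p10" 2>/dev/null
}

# "Self Signed": the firewall signs the certificate with its own key.
make_self_signed() {
  openssl req -x509 -new -key "$WORK/$NAME.key" -subj "$DN" -addext "$SAN" \
    -days "$DAYS" -out "$WORK/$NAME.pem" 2>/dev/null
}

# Format field: the same request as binary DER rather than PEM.
pkcs10_to_der() {
  openssl req -in "$WORK/$NAME.p10" -outform DER -out "$WORK/$NAME.p10.der"
}

# Returns 0 when the request's self-signature verifies against the public key
# it carries and all three identity types are present in the extension.
check_pkcs10() {
  openssl req -in "$WORK/$NAME.p10" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$WORK/$NAME.p10" -noout -text |
    grep -q "email:$EMAIL, DNS:$DOMAIN, IP Address:$IPADDR"
}

# Returns 0 when the certificate verifies against itself (self-signed), its
# subject carries the DN fields in the order given, its key is RSA, and its
# lifetime is the five-year default (still valid at day 1824, expired by 1826).
check_self_signed() {
  CERT="$WORK/$NAME.pem"
  openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1 || return 1
  openssl x509 -in "$CERT" -noout -subject -nameopt RFC2253 |
    grep -q "CN=fw1.example.com,OU=Firewalls,O=Example Corp,C=US" || return 1
  openssl x509 -in "$CERT" -noout -text | grep -q "rsaEncryption" || return 1
  openssl x509 -in "$CERT" -noout -checkend $((1824 * 86400)) >/dev/null || return 1
  ! openssl x509 -in "$CERT" -noout -checkend $((1826 * 86400)) >/dev/null
}

gen_key && make_pkcs10 && make_self_signed && pkcs10_to_der
```

The `check_pkcs10` grep is the same confirmation worth making before submitting the request, since a CA that does not support the optional identity types will simply drop them.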
Assigning new certificates for Admin Console and synchronization services
The default SSL certificates are unique to each Sidewinder G2. However, if you would like to change your default certificate for any reason, follow the steps in this section.
Note: Keep in mind, it is the certificates on the Sidewinder G2 end that you are changing, not on the client end.
Before assigning a new certificate to these services you must first create the new certificates. You should create two new certificates, one for the Admin Console service and one for the synchronization server. You create the certificates from the Firewall Certificates tab. Each certificate must be:
• a firewall certificate
• a self-signed certificate
• of type RSA
See “Configuring and displaying firewall certificates” on page 13-37 for information on creating a firewall certificate.
To assign a new certificate for the Admin Console or the synchronization server, in the Admin Console, select Services Configuration -> Certificate Management, then select the SSL Certificates tab.
Figure 13-11. SSL Certificates tab
Configuring the SSL Cert tab
This tab is used to assign a new SSL certificate to the Admin Console service (cobra) or the synchronization server (synchronization).
The SSL Certificates tab allows you to view the proxies to which you can assign new certificates and identifies the name of the certificate currently assigned to each proxy. The certificate will be either the default certificate or a self-signed RSA firewall certificate that is defined on the Firewall Certificates tab.
To assign a new certificate to a selected proxy, click Modify. See “Selecting a new proxy certificate” on page 13-44 for details.
Note: You will receive a warning message if you click Modify and there is not at least one self-signed RSA firewall certificate currently defined on the Sidewinder G2. See “Configuring and displaying firewall certificates” on page 13-37 for information on defining this type of certificate.
Selecting a new proxy certificate
The Proxy Certificate Selection window is used to assign a new certificate to the selected proxy. To assign a certificate to a proxy, follow the steps below.
1. In the Certificate drop-down list, select the new certificate to assign to this proxy (the proxy name is displayed in the Proxy Name field). Only self-signed RSA firewall certificates that are defined on the Firewall Certificates tab are displayed in this list.
2. Click OK to save the change and exit the window, or click Cancel to exit the window without saving the change.
3. Click the Save icon.
Importing and exporting certificates
Once the certificates have been generated, they need to be exported and transferred to a VPN client such as SafeNet SoftRemote or to another Sidewinder G2. Similarly, you may want to import into the Sidewinder G2 certificates that were originally created on another system. This section walks you through importing and exporting certificates on the Sidewinder G2.
Loading manual remote or firewall certificates
If you chose to create a manual certificate, you must retrieve the certificate after it is signed by the CA; the Sidewinder G2 will not retrieve it automatically. For this process, the Load button appears when the name of a requested certificate that is still unsigned is highlighted. Clicking this button initiates the process to retrieve and import the certificate. After clicking Load, the following window appears.
Figure 13-3. Load Certificate for PKCS 10 Request window
About the Load Certificate for PKCS 10 Request window
The Load Certificate for PKCS 10 Request window is used to load signed certificates. It also queries an LDAP server for whether or not a requested certificate has been signed. To load a signed certificate, follow the steps below.
1. In the Certificate Source field, select the source location of the certificate. The following options are available:
• File: Indicates you will manually specify the location of the certificate.
• LDAP: Indicates you will access the services of an LDAP (Lightweight Directory Access Protocol) directory to locate the certificate. The LDAP server can be version 2 or version 3.
• Pasted PEM Certificate: Indicates you will paste or type in the certificate from another source, such as another open application window or personal communication.
2. [Conditional] In the Certificate from File field, if the certificate source is a file, type the location or click Browse to browse to the location.
3. [Conditional] In the Manual (pasted) PEM Certificate field, if the certificate source is a Pasted PEM Certificate, type or paste the certificate in this field.
4. Click OK to issue a query command for your requested certificate, or click Cancel to cancel the certificate request.
If you click OK and the certificate is available, it will automatically be imported and the status will change to SIGNED.
5. Click the Save icon.
Importing a firewall certificate
You can import a certificate to the list of firewall certificates defined on the Sidewinder G2.
To import a firewall certificate, in the Admin Console, select Services Configuration -> Certificate Management, then select the Firewall Certificates tab and click Import. The following window appears.
Figure 13-12. Import Firewall Certificate window
Note: The displayed fields will vary slightly, depending on which import source you select.
Configuring the Import Firewall Certificate window
The Import Firewall Certificate window is used to import a certificate to the Firewall Certificates list. To import a certificate, follow the steps below.
1. In the Import Source field, select either File or Encrypted File (PKCS12).
Note: The fields that are available will vary based on the import source you select.
• If you select File, you must identify the file in the Import Certificate From File field.
• If you select Encrypted File (PKCS12), specify the certificate and key file.
2. In the Certificate Name field, type a local name for the certificate you are importing.
3. In the Import Certificate From File or the Import Certificate/Key field, type the name and location of the certificate file you will import. You may also click Browse to browse the network directories for the location of the file(s) you want to specify.
4. [Conditional] In the Private Key File field, type the name and location of the private key file associated with this certificate, or click Browse to browse the network directories for the location of the file(s) you want to specify. The file can be in either PK1 or PK8 format. (This field is only available if the Import Source field displays File.)
5. [Conditional] In the Password field, enter the password to decrypt the imported file. This password must match the password given when the file was encrypted. (This field is only available if the Import Source field displays Encrypted File (PKCS12).)
Importing a remote certificate
To import a certificate to the list of remote certificates defined on the Sidewinder G2, in the Admin Console select Services Configuration -> Certificate Management, then select the Remote Certificates tab and click Import. The following window appears.
Figure 13-13. Import Remote Certificate window
Configuring the Import Remote Certificate window
The Import Remote Certificate window is used to import a certificate to the Remote Certificates list. To import a remote certificate, follow the steps below.
1. In the Import source field, select the source location of the certificate.
• File: Indicates you will manually specify the location of the certificate file.
• Encrypted File: Indicates you will manually specify the locations of the certificate and private key file.
• LDAP: Indicates that you will access the services of an LDAP (Lightweight Directory Access Protocol) directory to locate the certificate. The LDAP server can be version 2 or version 3.
• Paste PEM Certificate: Indicates you will import the certificate by performing a cut and paste. The Distinguished Name field will change to become the Manual (pasted) PEM Certificate field. Paste the certificate into this area.
2. In the Certificate Name field, type a local name for the certificate you are importing.
3. [Conditional] In the Import Certificate From File field, type the name and location of the certificate file you will import, or click Browse to browse the network directories for the location. (This field is available only if the Import source field displays File.)
4. [Conditional] In the Password field, enter the password to decrypt the imported file. This password must match the password given when the file was encrypted. (This field is only available if the Import Source field displays Encrypted File.)
5. [Conditional] In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 13-28 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
6. Click OK to import the remote certificate, or click Cancel to cancel the request.
7. Click the Save icon.
Exporting remote or firewall certificates
You can export certificates from either the Remote Certificates tab or the Firewall Certificates tab. The procedure you use is very simple and is the same from either tab. The reasons you export a certificate from one tab rather than the other, however, are quite different, as described below.
• Exporting a Remote Certificate—You are most likely to export a remote certificate if users in your organization use a VPN client to establish a VPN connection between their laptops or desktop PCs and the Sidewinder G2. The VPN client requires a certificate to identify itself during the VPN connection negotiations. It is possible to use the Sidewinder G2 to create a self-signed certificate for the VPN client. Once it is created, it may be converted to a new file format and then exported. From there it is imported into the VPN client program.
• Exporting a Firewall Certificate—This is used to export the firewall certificate to a remote peer. This allows the remote peer to recognize the Sidewinder G2. On the remote peer, the firewall certificate is imported as a remote certificate.
To export a certificate, in the Admin Console, select Services Configuration -> Certificate Management, then select either the Remote Certificates tab or the Firewall Certificates tab. Select the certificate you wish to export and click Export. The following window appears.
Figure 13-14. Export Firewall Certificate window
Note: The tab you select depends upon your reason for exporting the certificate. See the explanation in the previous paragraphs.
Configuring the Export Certificate window
The Export Certificate window allows you to export the selected certificate from the Sidewinder G2 to a separate file and/or to the screen. The certificate can be written to a file on the hard drive of a workstation, or it can be written to a transportable medium such as a floppy diskette or a zip disk. You can export only the certificate, or both the certificate and the private key.
Exporting only the certificate
To export a certificate only, follow the steps below.
1. Select the Export Certificate (Typical) radio button.
2. Select the export destination:
• Export Certificate To File—To export the certificate to a file, select this option and proceed to step 3.
• Export Certificate To Screen—Select this option to export the certificate to the screen.
3. [Conditional] If you are exporting the certificate to a file, do the following:
• In the File field, type the name and location of the file to which the client (or firewall) certificate will be written. If you want to overwrite an existing file, but you are not certain of the path name or the file name, click Browse.
• In the Format field, select the appropriate format for the file.
4. Click OK to export the certificate to the desired location.
Exporting both the certificate and private key
To export both a certificate and private key, follow the steps below.
1. Specify whether the certificate and private key will be exported as one file or two files by selecting one of the following options:
• Export Certificate and Private Key as one file (PKCS12)—Select this option to export both the certificate and private key as a single file, and proceed to
• Export Certificate and Private Key as two files (PKCS1, PKCS8, X.509)—Select this option to export the certificate and private key as two separate files.
2. [Conditional] To export the certificate and private key as a single file, do the following:
a. In the File field, type the name and location of the file to which the client (or firewall) certificate will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. (The Format field displays the file format.)
b. In the Password field, enter the password that will be used to encrypt the certificate file.
c. In the Confirm Password field, re-enter the password that you entered in the Password field.
d. Click OK to export the certificate and private key as a single file.
3. [Conditional] To export the certificate and private key as two separate files, do the following:
a. In the Certificate File field, type the name and location of the file to which the client or firewall certificate will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. In the Format field, select the appropriate format for the file.
b. In the Private Key File field, type the name and location of the file to which the key will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. In the Format field, select the appropriate format for the file.
Important: If you use a transportable medium to store the private key file (for example, .pk1, .pk8, or .pk12), the medium should be destroyed or reformatted after the private key information has been imported to the appropriate VPN client.
c. Click OK to export the certificate and private key as separate files.
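Two things from this section are worth seeing outside the Admin Console: the check behind the Load Certificate for PKCS 10 Request window (a certificate returned by the CA belongs to a pending request only if it carries that request's public key and its Distinguished Name, fields in the same order), and the one-file (PKCS12) versus two-file (PKCS8 key plus X.509 certificate) export layouts just described. This is an added example using OpenSSL, not code from the guide or from Secure Computing; it assumes openssl 1.1.1 or later, and the private CA, DNs, file names and password are all constructed.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: (1) the check a loader should
# make before accepting a CA-signed certificate for a pending PKCS10 request,
# and (2) the one-file (PKCS12) and two-file (PKCS8 + X.509) export layouts.
# Assumed: openssl 1.1.1+ in PATH. CA, DNs, file names, password: constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed private CA standing in for the CA named in "Submit to CA".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -days 3650 \
    -subj "/O=Example Corp/CN=Example Private CA" -out "$WORK/ca.pem" 2>/dev/null
}

# Key and PKCS10 request: what the firewall holds while the request is unsigned.
make_request() {   # $1 = base name, $2 = DN
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.p10" 2>/dev/null
}

# The CA signs a request; the output is what comes back for loading.
ca_sign() {        # $1 = request base name, $2 = output certificate file
  openssl x509 -req -in "$WORK/$1.p10" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Load check: the certificate is accepted for a pending request only if it
# carries that request's public key and its subject DN (same fields, same
# order). Returns 0 on a match, 1 otherwise.
matches_request() {   # $1 = request base name, $2 = certificate file
  req_key=$(openssl req -in "$WORK/$1.p10" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$req_key" = "$crt_key" ] || return 1
  req_dn=$(openssl req -in "$WORK/$1.p10" -noout -subject -nameopt RFC2253)
  crt_dn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)
  [ "$req_dn" = "$crt_dn" ]
}

# "Export Certificate and Private Key as one file (PKCS12)": a password-
# protected bundle, the form a VPN client imports.
export_pkcs12() {     # $1 = base name, $2 = password
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -passout "pass:$2" -out "$WORK/$1.p12"
}

# "... as two files (PKCS1, PKCS8, X.509)": X.509 certificate plus a PKCS8
# private key. The key file is written unencrypted here (-nocrypt), so the
# medium carrying it is handled as the guide's Important note says.
export_two_files() {  # $1 = base name
  openssl x509 -in "$WORK/$1.pem" -outform PEM -out "$WORK/$1.crt"
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/$1.key" -out "$WORK/$1.pk8"
}

# Returns 0 when the PKCS12 opens with the password and holds the certificate.
check_pkcs12() {      # $1 = base name, $2 = password
  a=$(openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys 2>/dev/null |
      openssl x509 -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 when the two exported files belong together: the key's public half
# equals the certificate's public key.
check_two_files() {   # $1 = base name
  grep -q "BEGIN PRIVATE KEY" "$WORK/$1.pk8" || return 1       # PKCS8 header
  a=$(openssl pkey -in "$WORK/$1.pk8" -pubout | openssl sha256)
  b=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256)
  [ "$a" = "$b" ]
}

make_ca
make_request fw1 "/O=Example Corp/CN=fw1.example.com"
make_request other "/O=Example Corp/CN=other.example.com"
ca_sign fw1 "$WORK/fw1.pem"        # the certificate the CA issued for fw1's request
ca_sign other "$WORK/other.pem"    # another peer's certificate, wrong for fw1's request
export_pkcs12 fw1 "correct-horse"  # constructed export password
export_two_files fw1
```

`matches_request fw1 "$WORK/other.pem"` fails on the key comparison, which is the case the Load window must refuse even though both certificates come from the same CA.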
Configuring VPN Security Associations
To configure a new VPN, you must perform the following steps:
1. Choose whether the VPN is connecting to a single machine or a gateway that provides access for multiple machines.
2. Determine whether the IP address the VPN is connecting to is always the same (static) or whether it changes (dynamic). If it is static, you must provide the IP address of the machine.
Important: The remote end can only be dynamic if automatic key management is chosen.
3. Decide if you want to automatically manage the exchange and use of keys (using IKE) or if you want to enter the session key manually at the remote end.
• For automatic key exchange, you must decide on the type of authentication (either password or certificate) to be used between the Sidewinder G2 and the remote end.
• For manual key exchange, you must decide on the type of authentication and encryption used between the Sidewinder G2 and the remote end, and exchange these keys and Security Parameters Index (SPI) values with the remote end via a secure method (diskette, encrypted e-mail or telephone). You are also required to provide the authentication and encryption keys provided by the remote end.
Displaying and configuring a VPN Security Association
This section explains how to display and configure VPN associations.
In the Admin Console, select VPN Configuration -> Security Associations. The following window appears.
Figure 13-15. VPNs defined on Sidewinder G2
About the Security Associations window
You use the Security Associations window to view the list of VPN associations currently defined on the Sidewinder G2 and check the status of VPNs. You can also add, modify, or delete VPN associations.
To add or modify a VPN association, click Add or Modify and see “Defining a VPN Security Association” on page 13-53 for details.
To delete a VPN association, select the VPN association you want to delete, and click Delete.
To display which VPNs have active sessions, click Current VPN Status. The Security Associations: Active VPNs window appears.
Figure 13-16. Security Associations: Active VPNs window
About the Active VPNs window
This window allows you to view the status of all configured VPNs. The various statuses include:
• Idle—No active session.
• Active—One or more sessions are currently established for this VPN.
To update the information displayed, click Refresh. Click Close to return to the main Security Associations window.
Defining a VPN Security Association
When you click New or Modify from the Security Associations window, the VPN Properties window appears. This window is used to add or modify VPN associations. The window contains four tabs that are used to enter distinct information about a VPN association.
Configuring the General tab
Figure 13-17. General tab on the VPN Properties window
The General tab is used to enter basic information about the VPN association. To configure the General tab, follow the steps below.
1. In the Name field, type the name of this VPN.
2. In the Enabled field, select Yes to enable this VPN association, or select No to disable it.
3. In the Encapsulation field, select one of the following:
• Tunnel—The more popular form of VPN encapsulation. Both the data and the source and destination IP addresses are encrypted within the encapsulated payload.
• Transport—The native form of VPN. Transport mode encrypts the data, but the source and destination IP addresses are not concealed.
See “Transport mode vs. tunnel mode” on page 13-6 for a more detailed explanation of these terms.
4. In the Burb drop-down list, select the burb to which you want to assign this VPN. The Sidewinder G2 terminates each VPN in a burb so that access rules may be applied to the VPN.
5. In the Mode field, specify how the remote end is operating. The valid options are:
• Fixed IP—Select this option if the IP address of the remote end is always the same. You must also provide the IP address of the remote end in the Remote IP field.
• Dynamic IP Client—Select this option if the remote end is a device whose IP address is not fixed. Example: a salesperson who gains Internet access from a laptop.
• Dynamic IP Restricted Client—Select this option if the remote end is a device whose IP address is not fixed, as with Dynamic IP Client. The difference between this option and Dynamic IP Client is that the remote end is assigned a virtual IP address from a range specified by using either a Client Address Pool or a range of acceptable external IP addresses. You restrict the range of IP addresses available to the remote end by using either the Client Address Pool field or the Dynamic Virtual Address Range field.
Important: You can only use Dynamic IP Client or Dynamic IP Restricted Client if automatic key management is used.
6. [Conditional] Determine if you want remote clients to make connections using only the IP addresses contained within one of the available client address pools. If so, use the Client Address Pool drop-down list to select the client address pool you want to use. With this option, the Sidewinder G2 selects an IP address from the available pool and assigns it to the client. (This field is available only if you select Fixed IP or Dynamic IP Restricted Client in the Mode field.)
Important: See “Configuring client address pools” on page 13-18 for information on creating a client address pool.
7. In the Local IP field, select one of the following:
• Use Localhost IP—Select this option to use the default localhost IP address.
• Specify IP—Select this option to configure a specific IP address. In the corresponding field, enter the IP address.
8. To add or modify a local network address in the Local Network/IP list (a list of network names or IP addresses the Sidewinder G2 can use in a VPN association), click New or Modify, respectively. See “Adding or modifying an IP address” for details.
9. [Conditional] In the Remote IP field, type the IP address of the remote client. This field is available only if you select Fixed IP in the Mode field.
10. [Conditional] If you selected Fixed IP in the Mode field, to add or modify an entry in the Remote Network / IP list, click New or Modify, respectively. This list holds the IP addresses with which a VPN association can be made. The addresses specified here typically represent a real network located behind the remote Sidewinder G2. See “Adding or modifying an IP address” for details.<br />
11. [Conditional] If you selected Dynamic IP Restricted Client in the Mode field, to add or modify an entry in the Dynamic Virtual Address Range list, click New or Modify, respectively. This list defines the range of addresses a client can use when initiating a VPN connection. The addresses specified here do not represent a real network but are virtual addresses. With this option the client assigns its own IP address, although the address must be within the approved address range.<br />
12. [Optional] In the Comments field, type a short description for this VPN association.<br />
Note: You must input information from the Authentication tab before you can save this Security Association entry. See “Configuring password information on the Authentication tab” on page 13-57 for instructions.<br />
Adding or modifying an IP address<br />
The Local Network List window is used to define the range of IP addresses that can be used in a VPN association. To add or modify an IP address, follow the steps below.<br />
1. In the IP Address field, type the IP address used in this VPN association.<br />
2. In the Number of bits in Netmask field, use the up/down arrows to select the number of bits that are significant in the network mask (the prefix length, for example 24 for a /24 network). The value specified identifies the network portion of the IP address.<br />
3. Click Add to add the IP address, and then click Close. To exit the window without adding the IP address, click Close without clicking Add.<br />
Entering information on the Authentication tab<br />
To prevent access to the VPN from Internet hosts masquerading as the VPN peer, various means of authenticating the peer are available. The Authentication tab defines the authentication method that will be used in this VPN association. It also defines the characteristics of the selected authentication method. You can select one of four methods:<br />
Password—Select this option if you and the remote end want to use a shared password (pre-shared key) to authenticate the key exchange. The same password must be used on both ends of this association. See “Configuring password information on the Authentication tab” on page 13-57 for detailed information.<br />
Certificate + Certificate Authority—Select this option if you want to use one or more trusted CAs and Remote Identities to validate the certificate of the remote end. This method is commonly used by organizations that have many remote users who must access resources behind the Sidewinder G2. See “Entering Certificate + Certificate Authority information on the Authentication tab” on page 13-59 for detailed information.<br />
Single certificate—Select this option if you want to validate the remote end using a self-signed certificate generated by the Sidewinder G2, or using a certificate generated by a CA server. This method is commonly used by organizations that have a small number of people who travel but need secure access to the network. See “Entering Single Certificate information on the Authentication tab” on page 13-61 for detailed information.<br />
Manual—Select this option if you want to exchange session keys manually (for example, over the phone). See “Entering Manual information on the Authentication tab” on page 13-62 for detailed information.<br />
The first three methods are automatic methods, meaning the session keys are negotiated automatically between the Sidewinder G2 and the remote end. The ISAKMP server must be enabled on the Sidewinder G2 in order to automatically generate and exchange session keys. See “Configuring the ISAKMP server” on page 13-11 for information. The remote end of the VPN must also support ISAKMP.<br />
With the manual method, matching session keys must be entered manually at both the Sidewinder G2 and the remote end, and those keys are never rotated unless you change them. Each of these authentication methods is described in the following sections.<br />
Configuring password information on the Authentication tab<br />
The password information tabs in the Authentication window are used to define password authentication for this VPN association. The password is used to authenticate both peers in a potential VPN association, so choose a long, random value; it is the only secret protecting the key exchange. To configure password information, follow the steps below.<br />
Note: Password-based authentication should only be used with fixed IP-configured VPN or with extended authentication.<br />
On the General sub-tab<br />
1. In the Enter Password field, type the password to be used each time automatic key exchange takes place.<br />
2. In the Verify Password field, type the password again to confirm it.<br />
3. [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 13-8 for more information on extended authentication.<br />
On the Identities sub-tab<br />
The Identities sub-tab is used to define unique identities for the following:<br />
Firewall Identity is included in the response to the remote client and confirms to the client that it has established a VPN association with the correct endpoint.<br />
Remote Identity is used to match a client identity with a particular security association; the Sidewinder G2 can then use this information to determine the password the client should be using. The remote identity is optional for Fixed IP VPN associations because the Sidewinder G2 can use the IP address to determine who the client is and thus what password the client should be using.<br />
1. In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Valid options are:<br />
E-mail address<br />
Fully Qualified Domain Name<br />
IP Address<br />
Note: E-mail addresses are not recommended, as they are rarely used in the context of a security gateway.<br />
2. In the Value field, type the actual value used as the firewall identity. The value must be of the type specified in the Firewall Identity Type field (for example, if you selected IP Address in the Firewall Identity Type field, you must type an IP address in the Value field).<br />
3. Select the Gateway IP Address radio button if the Sidewinder G2 should use the IP address of a Fixed IP client to determine what password the client should be using.<br />
4. Select the Remote Identities radio button if the Sidewinder G2 should use a remote identity to determine the ID of the client. Valid identities for this association should be moved from the Available list to the Trusted list.<br />
5. [Optional] Click Remote Identities to go to the Remote Identities window. This is useful if you want to use an identity that has yet to be created. When you add the identity and click Close, you will return to the Password Authentication Identities tab.<br />
6. Complete this tab by doing one of the following:<br />
If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.<br />
If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon.<br />
If you do not want to save this Security Association entry, click Close without clicking Add.<br />
Entering Certificate + Certificate Authority information on the Authentication tab<br />
The Certificate + Certificate Authority tabs in the Authentication window are used to define certificate and certificate authority authentication for this VPN association. This means each peer must be validated using certificates and remote identities before entering into this VPN association. To configure the certificate and certificate authority tabs, follow the steps below.<br />
1. Select the Firewall Credentials sub-tab.<br />
2. In the Firewall Certificate drop-down list, select the certificate that will be used to identify the Sidewinder G2 to the remote peer. You can also click the Firewall Certificates button to go to the Firewall Certificates window. This is useful if you want to use a certificate that has yet to be created.<br />
3. In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Valid options are:<br />
E-Mail<br />
Fully Qualified Domain Name<br />
IP Address<br />
Distinguished Name<br />
Note: Only those identities defined within the selected firewall certificate will be available in this field.<br />
Note: The Value field contains the actual value used as the Sidewinder G2 identity. This value is filled in automatically using the information from the selected certificate. The field cannot be edited.<br />
4. [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 13-8 for more information on extended authentication.<br />
5. Select the Remote Credentials sub-tab.<br />
6. In the list of Available Certificate Authorities, select a CA you want to add as a trusted CA and click the ==>> button to add the CA to the Trusted List. You can add several trusted CAs. To select a CA that has yet to be defined, click the Cert Authorities button to go to the Certificate Authorities window. In this window you can define the needed CA, and then return here.<br />
7. In the list of Available Remote Identities, select a remote identity you want to add to the Trusted identity list and click the ==>> button. You can add several trusted remote identities. To select an identity that has yet to be defined, click the Remote Identities button to go to the Remote Identities window. This window allows you to define the needed identity, and then return here. Trusting a CA on its own admits any certificate that CA has issued; the Trusted identity list is what limits this association to the peers you intend.<br />
8. Complete this tab by doing one of the following:<br />
If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.<br />
If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon to save your changes.<br />
If you do not want to save this Security Association entry, click Close without clicking Add.<br />
Entering Single Certificate information on the Authentication tab<br />
The Single Certificate screen in the Authentication window is used to define single certificate authentication for this VPN association. This means the remote peer must use the selected remote certificate for authentication before entering into this VPN association. To enter certificate authentication information, follow the steps below.<br />
1. In the Firewall Certificate drop-down list of available certificates, select the certificate used to authenticate the key exchange. To create or import a certificate, click the Firewall Certs button to go to the Firewall Certificates window. See “Configuring and displaying firewall certificates” on page 13-37 and “Importing a firewall certificate” on page 13-46 earlier in this chapter for details.<br />
2. In the Remote Certificate drop-down list, select the certificate used on the remote end of the VPN. To create or import a certificate, click the Remote Certs button to go to the Remote Certificates window. See “Configuring and displaying remote certificates” on page 13-40 and “Importing a remote certificate” on page 13-47 for details.<br />
3. In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Valid options are:<br />
Distinguished Name<br />
E-mail address<br />
Fully Qualified Domain Name<br />
IP Address<br />
Note: Only those identities defined within the selected firewall certificate will be available in this field.<br />
Note: The Value field contains the actual value used as the firewall identity. This value is filled in automatically using the information from the selected certificate. The field cannot be edited.<br />
4. [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 13-8 for more information on extended authentication.<br />
5. Complete this tab by doing one of the following:<br />
If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.<br />
If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon to save your changes.<br />
If you do not want to save this Security Association entry, click Close without clicking Add.<br />
Entering Manual information on the Authentication tab<br />
The Manual screen in the Authentication window is used to define manual authentication for this VPN association. This means that only a remote peer that has entered the exact same manual key values will have access through this VPN association. To configure manual authentication, follow the steps below.<br />
1. In the IPSEC Transformations drop-down list, select the appropriate form of IPsec transformation. The valid options are:<br />
Authentication Header (AH)—Provides authentication (integrity) only.<br />
Encapsulating Security Payload (ESP)—Provides encryption only. Encrypted traffic without an integrity check can be altered in transit without detection, so prefer one of the options below that also includes authentication.<br />
Separate AH + ESP—Performs separate transformations for authentication and encryption.<br />
Combined ESP + AH—Performs a single transformation that provides authentication and encryption.<br />
2. In the Authentication Hash drop-down list, select the type of authentication you and the remote end have chosen to use. The valid options are:<br />
HMAC-SHA1-96<br />
HMAC-MD5-96<br />
3. In the Encryption drop-down list, select the type of encryption you and the remote end have chosen to use. The choices (encryption type: key length) are:<br />
AES256: 256-bit<br />
AES128: 128-bit<br />
CAST128: 128-bit<br />
3DES: 168-bit<br />
DES: 56-bit<br />
Null: 0 (no encryption)<br />
Note: DES offers no meaningful protection against a modern attacker and Null provides no confidentiality at all; use AES unless the remote end cannot support it.<br />
4. To define keys and SPI index values, click Generate Keys. You can type your own key and SPI index values, but this is not recommended. Since manually generating random keys is difficult, the Sidewinder G2 provides randomly generated authentication and encryption keys and Security Parameters Index (SPI) values for you and the remote end to use. It is highly recommended that you use the generated keys. You must send these keys and SPI values to the remote end for them to use.<br />
Note: The individual key and SPI fields listed below may become available or unavailable depending on the value selected in the IPsec Transformations field.<br />
AH Inbound Key and SPI<br />
AH Outbound Key and SPI<br />
ESP Inbound Key and SPI<br />
ESP Outbound Key and SPI<br />
Important: Once you have chosen the keys, they must be kept secret. You should only exchange the keys by a secure method, such as floppy disk, encrypted e-mail (such as PGP) or via the telephone. If attackers learn the keys, they can decrypt all of your VPN traffic, and because manual keys are never renegotiated, every session protected by them, past and future, is exposed until you replace them.<br />
5. To complete the manual key exchange, you must exchange these keys and Security Parameters Index (SPI) values with the remote end via a secure method (diskette, encrypted e-mail or telephone).<br />
Note: The inbound and outbound keys/SPIs are entered in the opposite fields on the remote end: your Inbound key and SPI are the remote end's Outbound key and SPI, and vice versa.<br />
In the Authentication section, type the key and SPI used by the remote end.<br />
In the Encryption section, type the key and SPI used by the remote end.<br />
Important: You must be sure to type the key correctly or the VPN will not work.<br />
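The manual-key procedure above, worked through in code as an added example (this is not code from the guide or from Sidewinder): it generates keys and SPIs of the right size for each transform, produces the mirrored set the remote end must type in, and checks that the two sides agree before anyone reads a 40-character hex key over the telephone. Which AH/ESP fields each transform uses, the SPI range check and the list of weak choices are this example's assumptions.<br />

```python
"""Generate, mirror and check manual IPsec keys and SPIs (added example).

Key sizes follow the algorithm lists on the Manual screen; which fields each
transform uses is this example's assumption, not the guide's statement.
"""
import secrets

ENC_KEY_BYTES = {"AES256": 32, "AES128": 16, "CAST128": 16,
                 "3DES": 24, "DES": 8, "Null": 0}
AUTH_KEY_BYTES = {"HMAC-SHA1-96": 20, "HMAC-MD5-96": 16}
TRANSFORMS = ("AH", "ESP", "AH+ESP", "ESP+AH")  # Separate / Combined as on the screen
MIN_SPI = 256          # SPI values 1..255 are reserved (RFC 4302/4303)
MAX_SPI = 2 ** 32 - 1  # SPI is a 32-bit field


def random_spi() -> int:
    return secrets.randbelow(MAX_SPI - MIN_SPI + 1) + MIN_SPI


def _entry(auth_len, enc_len, with_auth, with_enc):
    """One direction of one protocol: its SPI and whichever keys it needs."""
    return {
        "spi": random_spi(),
        "auth_key": secrets.token_hex(auth_len) if with_auth else None,
        "enc_key": secrets.token_hex(enc_len) if with_enc else None,
    }


def generate_sa(transform: str, auth: str, enc: str) -> dict:
    """Build the local end's manual SA with freshly generated random material."""
    if transform not in TRANSFORMS:
        raise ValueError(f"unknown transform {transform!r}")
    alen, elen = AUTH_KEY_BYTES[auth], ENC_KEY_BYTES[enc]
    sa = {"transform": transform, "auth": auth, "enc": enc, "ah": {}, "esp": {}}
    if transform in ("AH", "AH+ESP"):            # AH carries the integrity key
        sa["ah"] = {d: _entry(alen, elen, True, False) for d in ("inbound", "outbound")}
    if transform in ("ESP", "AH+ESP"):           # ESP here is encryption only
        sa["esp"] = {d: _entry(alen, elen, False, True) for d in ("inbound", "outbound")}
    if transform == "ESP+AH":                    # combined: ESP with both keys
        sa["esp"] = {d: _entry(alen, elen, True, True) for d in ("inbound", "outbound")}
    return sa


def mirror_for_remote(sa: dict) -> dict:
    """What the remote end types in: our inbound is their outbound and vice versa."""
    remote = dict(sa)
    for proto in ("ah", "esp"):
        if sa[proto]:
            remote[proto] = {"inbound": sa[proto]["outbound"],
                             "outbound": sa[proto]["inbound"]}
    return remote


def check_pair(local: dict, remote: dict):
    """Return (errors, warnings) for the two ends' manual SAs.

    Errors stop the VPN from working (algorithm mismatch, key typed wrongly,
    keys not crossed, wrong key length, reserved SPI). Warnings flag choices
    that will work but give little protection.
    """
    errors, warnings = [], []
    for field in ("transform", "auth", "enc"):
        if local[field] != remote[field]:
            errors.append(f"{field} differs between the two ends")
    for proto in ("ah", "esp"):
        ours, theirs = local[proto], remote[proto]
        if bool(ours) != bool(theirs):
            errors.append(f"{proto.upper()} configured on one end only")
            continue
        if not ours:
            continue
        for mine, yours in (("inbound", "outbound"), ("outbound", "inbound")):
            if ours.get(mine) != theirs.get(yours):
                errors.append(f"{proto.upper()} {mine} does not match remote {yours}")
            e = ours.get(mine) or {}
            if not MIN_SPI <= e.get("spi", 0) <= MAX_SPI:
                errors.append(f"{proto.upper()} {mine} SPI out of range")
            if e.get("auth_key") is not None and \
                    len(e["auth_key"]) != 2 * AUTH_KEY_BYTES[local["auth"]]:
                errors.append(f"{proto.upper()} {mine} auth key has wrong length")
            if e.get("enc_key") is not None and \
                    len(e["enc_key"]) != 2 * ENC_KEY_BYTES[local["enc"]]:
                errors.append(f"{proto.upper()} {mine} enc key has wrong length")
    if local["transform"] == "ESP":
        warnings.append("ESP-only transform: traffic is encrypted but not integrity-protected")
    if local["transform"] != "AH" and local["enc"] in ("DES", "Null"):
        warnings.append(f"{local['enc']} gives no real confidentiality")
    if local["transform"] != "ESP" and local["auth"] == "HMAC-MD5-96":
        warnings.append("HMAC-MD5-96 is a weak integrity choice; prefer HMAC-SHA1-96")
    return errors, warnings
```

Generate the local SA once, hand mirror_for_remote(sa) to the remote administrator, and run check_pair on both sides' transcriptions before enabling the association; an un-crossed pair (both ends typing the same inbound and outbound values) and a single mistyped hex digit both show up as errors rather than as a VPN that silently fails to pass traffic.<br />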
Entering information on the Crypto tab<br />
The Crypto tab defines the encryption and hashing algorithms used to protect the traffic in this VPN association. The information on this tab is only used with automatic key exchange (that is, Authentication Method = Password, Certificate + Certificate Authority, or Single Certificate on the Authentication tab). To configure the Crypto tab, follow the steps below.<br />
1. In the IPSEC Crypto Algorithms area, select an algorithm from the Available list of encryption algorithms, and click the ==>> button to move it to the Accept list. You can have multiple algorithms in the Accept list.<br />
Use the Up and Down buttons to order the algorithms according to your preference. The first algorithm in the Accept list that both ends accept will be used, so every algorithm you leave in the list is one the peer may end up choosing.<br />
Note: The Null option contains an encryption header but does not specify an encryption algorithm, so the payload is sent in the clear. It is generally only used during testing. Compare this to the None option, which does not contain an encryption header.<br />
2. In the IPSEC Hashing Algorithms area, select an algorithm from the Available list of hashing algorithms, and click the ==>> button to move it to the Accept list. You can have multiple algorithms in the Accept list.<br />
Use the Up and Down buttons to order the algorithms according to your preference. The first algorithm in the Accept list that both ends accept will be used.<br />
Entering information on the Advanced tab<br />
The Advanced tab defines some of the more arcane points of a VPN association. As a general rule only administrators that are highly schooled in the nuts and bolts of VPN should modify the information on this tab. The information on this tab is only used with automatic key exchange (that is, Authentication Method = Password, Certificate + Certificate Authority, or Single Certificate on the Authentication tab). The Advanced tab contains the following fields and buttons.<br />
Phase 1 (ISAKMP) Rekey data fields<br />
Hard Limits—Indicates how often the system must negotiate new ISAKMP keys and how much ISAKMP traffic this phase can protect. The defaults are 3600 seconds (1 hour) and 0 (meaning no limit on the amount of traffic).<br />
Soft Percentage—Indicates how far in advance of the hard limit, as a percentage of it, to begin negotiating new keys. This makes sure you have new keys on hand by the time the hard limit expires.<br />
P1 Crypto—Specifies the encryption algorithm to use during Phase 1.<br />
P1 Hash—Specifies the hash algorithm to use during Phase 1.<br />
P1 Oakley—Indicates the Diffie-Hellman (Oakley) group to use when deriving the ISAKMP keys in Phase 1.<br />
Force XAuth on Rekey—Select this option to force XAuth to be performed each time the Phase 1 session is started or renegotiated.<br />
Phase 2 (IPSEC) Rekey data fields<br />
Hard Lifetimes—Indicates how often the system must negotiate new IPsec keys and how much traffic they can encrypt. The defaults are 700 seconds and 0 (meaning no traffic limit).<br />
Soft Percentage—Indicates how far in advance of the hard limit, as a percentage of it, to begin negotiating new keys. This makes sure you have new keys on hand by the time the hard limit expires.<br />
Negotiate As Single Host—If this option is enabled, every possible combination of source and destination must establish a separate VPN association. Do not use this option unless directed to do so by Secure Computing Corporation.<br />
Forced Rekey—Forces the association to rekey when the limits are reached, even if no traffic has passed through the VPN since the last rekey.<br />
Important: SCC strongly recommends enabling the Forced Rekey option if you are using SafeNet SoftRemote and have XAUTH configured.<br />
Caution: Do not enable the Forced Rekey option if you have One-To-Many configured and are using static IP addresses for your VPNs. Doing so will cause all Sidewinder G2s in the cluster to attempt to instantiate the VPN at the same time, resulting in failure.<br />
PFS—(Perfect Forward Secrecy) If this option is enabled, the key material for each IPsec security association is derived from a fresh Diffie-Hellman exchange, so it cannot be derived from the Phase 1 (ISAKMP) key material alone. If a key is compromised by an attacker, the information available to that attacker depends on whether you select Identity or Key Only.<br />
— Identity: Indicates that a Phase 1 negotiation is performed for every Phase 2. This means the identity will not be revealed even if the key is compromised; only the data protected by that key will be accessible. The downside is that system performance may suffer because of the many negotiations.<br />
— Key Only: Phase 1 negotiations are not performed for every Phase 2. This improves performance but may allow access to the identity if the key is compromised.<br />
Oakley Group—Indicates the Diffie-Hellman group to use for the PFS derivation of IPsec keys. Available only if the PFS option is enabled.<br />
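To make the PFS option concrete, the following added example (not code from the guide or from Sidewinder) walks through the ISAKMP pre-shared-key derivations of RFC 2409 with a toy Diffie-Hellman group: Phase 1 turns the shared password and the Phase 1 DH secret into SKEYID_d, and Phase 2 derives KEYMAT from SKEYID_d and the quick-mode nonces, mixing in a fresh DH secret only when PFS is on. It then plays an attacker who later obtains SKEYID_d and recorded everything on the wire. The toy prime, HMAC-SHA1 as the PRF and the attacker model are this example's assumptions.<br />

```python
"""ISAKMP key derivation with and without PFS (added example, after RFC 2409).

A 127-bit Mersenne prime stands in for the Oakley group so the example runs
instantly; real deployments use the 1024-bit or larger MODP groups.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime, not a real Oakley group
G = 2
PROTO_IPSEC_ESP = 3  # protocol ID mixed into the Phase 2 KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 as the ISAKMP PRF (assumption: a SHA1 Phase 1 hash)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    return pow(peer_public, x, P).to_bytes(16, "big")


def skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
             cky_i: bytes, cky_r: bytes) -> bytes:
    """Pre-shared key mode: SKEYID = prf(psk, Ni|Nr);
    SKEYID_d = prf(SKEYID, g^xy|CKY-I|CKY-R|0)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(d: bytes, spi: bytes, ni: bytes, nr: bytes, qm_gxy=None) -> bytes:
    """Phase 2 KEYMAT. Without PFS: prf(SKEYID_d, proto|SPI|Ni|Nr).
    With PFS the fresh quick-mode DH secret g(qm)^xy is prepended."""
    body = bytes([PROTO_IPSEC_ESP]) + spi + ni + nr
    if qm_gxy is not None:
        body = qm_gxy + body
    return prf(d, body)


def run_exchange(psk: bytes, pfs: bool) -> dict:
    """Simulate initiator and responder, then an attacker who later learns
    SKEYID_d (Phase 1 compromised) and saw every nonce, SPI and public value
    on the wire, but never a DH private exponent."""
    # Phase 1: nonces, cookies and a DH exchange authenticated by the password
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    d_i = skeyid_d(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    d_r = skeyid_d(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # Phase 2 (quick mode): new nonces and SPI; a new DH exchange only with PFS
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        qm_i, qm_r = dh_shared(yi, gyr), dh_shared(yr, gyi)
    else:
        qm_i = qm_r = None
    k_i = keymat(d_i, spi, ni2, nr2, qm_i)
    k_r = keymat(d_r, spi, ni2, nr2, qm_r)
    # The attacker holds SKEYID_d and the wire data, but no quick-mode DH secret.
    attacker = keymat(d_i, spi, ni2, nr2, None)
    return {
        "phase1_agree": d_i == d_r,
        "peers_agree": k_i == k_r,
        "attacker_recovers_keymat": attacker == k_i,
    }
```

With pfs=False the attacker's copy of KEYMAT matches the peers', so a single Phase 1 compromise exposes every Phase 2 key derived from it; with pfs=True it does not, which is what the option buys. The guide's Identity setting goes further by repeating Phase 1 for each Phase 2; this example only models the fresh quick-mode Diffie-Hellman exchange that both PFS settings share.<br />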
Example VPN Scenarios<br />
The following sections describe three typical VPN scenarios. Each scenario begins by describing a particular VPN requirement. It then explains how to implement the solution using the Admin Console.<br />
These scenarios assume the following:<br />
The VPN feature is licensed for your Sidewinder G2.<br />
The CMD server is enabled on the Sidewinder G2. (This server is enabled by default.)<br />
Figure 13-18. VPN between two corporate offices<br />
The ISAKMP server is enabled on the appropriate burb. See “Configuring the ISAKMP server” on page 13-11 for information on enabling this server. In the scenarios that follow, it is assumed the server is enabled on the Internet burb.<br />
The proper rule(s) are defined to allow ISAKMP traffic on the proper burb(s). In the scenarios that follow, it is assumed a rule has been defined that allows ISAKMP traffic on the Internet burb.<br />
Note: The values used in the following scenarios are for demonstration purposes only.<br />
Scenario 1: Sidewinder G2-to-Sidewinder G2 VPN via shared password<br />
The easiest type of VPN association to configure is one that uses a shared password for authentication. A shared password is typically used to establish a VPN association between two corporate offices that have static IP addresses. Such a situation occurs if you have a business partner that requires access to your network, or if you have one or more corporate divisions located in different cities.<br />
The following figure provides the sample configuration information used in this scenario.<br />
[Figure 13-18, VPN between two corporate offices: fw.west.bizco.net (Sidewinder G2, external address 100.1.1.1, internal network 50.1.0.0/16) and fw.east.bizco.net (Sidewinder G2, Internet burb address 200.1.1.1, Trusted burb network 250.1.1.0/24) connected across the Internet.]<br />
The requirements: This VPN scenario requires the following:<br />
A VPN connection between two corporate offices<br />
Shared password authentication<br />
Static IP addresses for each peer in the VPN association<br />
How it is done: The following steps show the fields on the VPN menus that must be defined in order to create this VPN association. The configuration steps are performed on the Sidewinder G2 named fw.east.bizco.net.<br />
In the Admin Console, select VPN Configuration -> Security Associations, and then click New to configure a new association.<br />
1. On the General tab:<br />
Name = corporate_west<br />
Encapsulation = Tunnel<br />
Mode = Fixed IP<br />
Enabled = Yes<br />
Burb = Trusted<br />
Local IP = localhost<br />
Remote IP = 100.1.1.1<br />
Client Address Pool = (not used)<br />
Local Network / IP = 250.1.1.0/24<br />
Remote Network / IP = 50.1.0.0/16<br />
Note: When configuring the Sidewinder G2 named fw.west.bizco.net, the Local Network/IP and the Remote Network/IP values are reversed and the Remote IP value is 200.1.1.1.<br />
2. On the Authentication tab:<br />
Authentication method = password<br />
Enter password = samplepassword<br />
Verify password = samplepassword<br />
Note: samplepassword is for demonstration only; in a real deployment use a long, random password, since it is the only secret protecting the key exchange.<br />
3. On the Crypto tab: Order the algorithms to match those of the other Sidewinder G2.<br />
4. On the Advanced tab: No changes needed.<br />
5. Click Add to save the new VPN security association.<br />
6. Click the Save icon.<br />
Summary: And that is it. The VPN can be used as soon as the other Sidewinder G2 is configured. The same type of information is entered at the other Sidewinder G2, changing the IP addresses as appropriate.<br />
Figure 13-19. One VPN association per client<br />
Scenario 2: Simple deployment of remote users<br />
A common reason for using a VPN is to allow your travelling employees to connect to your corporate network from a remote site. This connection is typically made between an employee’s laptop computer and your corporate Sidewinder G2. In this type of VPN association, single (also known as "self-signed") certificates are generated by the Sidewinder G2 and distributed to each client. This type of VPN can be used with dynamic IP-assigned clients and gateways. One association must be created for each client, so this type of VPN is typically used only if you have a small number of remote clients.<br />
The following figure provides the sample configuration information used in this scenario. Note that the remote end of this VPN connection (from the Sidewinder G2 point of view) is a laptop that will be using a dynamic IP address.<br />
[Figure 13-19, One VPN association per client: VPN Client A and VPN Client B reach fw.east.bizco.net (Sidewinder G2) across the Internet at its Internet burb address 200.1.1.1. Behind the firewall are a Trusted burb with the 250.1.1.0/24 network and a Virtual burb; the figure also shows a Router, the 192.168.182.0 network and hosts on the internal networks.]<br />
The assumptions: This VPN scenario assumes the following:<br />
A VPN connection between a remote computer and the Sidewinder G2<br />
A self-signed firewall certificate that is generated by the Sidewinder G2<br />
One or more remote certificates that are generated by the Sidewinder G2 and distributed to the clients<br />
One VPN association per client<br />
Each VPN association is terminated in the Virtual burb<br />
VPN clients should have access to the 250.1.1.0 network but not the 192.168.182.0 network<br />
All clients make connections using a virtual IP address assigned from a client address pool<br />
All clients use VPN client software that supports mode-config<br />
Important: When determining your deployment method, consider what steps you will take to ensure the protection of your private key material. Allowing unauthorized access to your private key material could compromise your entire network.
How it is done
The following steps show the fields on the VPN menus that must be defined in order to create this VPN association. The basic idea is to:
— Create a firewall certificate that identifies the Sidewinder G2. Export this certificate to each client.
— Create a remote certificate that uniquely identifies each client. Export each certificate to the respective client.
— Create a client address pool.
— Create a VPN association for each client.
1. In the Admin Console, select Services Configuration -> Certificate Management, and then enter the following information on each tab:
a. On the Firewall Certificates tab, click New and create a firewall certificate by specifying the following:
Certificate Name = MyFirewall_cert
Distinguished Name: CN=MyFirewall,O=bizco,C=US
Submit to CA = Self Signed
Signature Type = RSA
Click Add.
Click the Save icon.
b. [Optional] On the Firewall Certificates tab, click Export and export the firewall certificate by specifying the following:
Destination = File
Export Private Key to File: Click Browse and specify where you want to save the private key. The private key is often saved to an accessible location (portable storage device or protected network) for distribution to the client.
Export Firewall Certificate to File: Click Browse and specify where you want to save the firewall certificate. The firewall certificate is often saved to an accessible location (portable storage device or protected network) for distribution to the client.
Click OK.
Configuring Virtual Private Networks 13-69
c. On the Remote Certificates tab, click New and create a self-signed certificate for a client by specifying the following:
Certificate Name = Sales_A
Distinguished Name: CN=Sales_A,O=bizco,C=US
Submit to CA = Self Signed
Signature Type = RSA
Important: If you are using SafeNet SoftRemote as your client software, you must create this file using the PKCS12 extension.
Click Add.
Click the Save icon.
d. Repeat step 1c for each remote client.
e. On the Remote Certificates tab, click Export and export the remote certificate by specifying the following:
Destination = File
Export Client Private Key to File: Click Browse and specify where you want to save the private key.
Export Client Certificate to File: Click Browse and specify where you want to save the client certificate.
Format: Select the appropriate format for the client private key and client certificate in the corresponding Format drop-down lists.
Click OK.
f. Repeat step 1e for each remote client. When you are finished you should have the firewall certificate as well as either the PKCS12-formatted object or the certificate/key file pair for that client saved to a location accessible by the remote client (portable storage device or network).
2. In the Admin Console, select VPN Configuration -> Client Address Pools, and then click New to create a new client address pool.
Using a client address pool lets you define which local networks the clients can access. For this example, assume you want to permit access to the 250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote currently does not support this capability—it must be manually configured with information about the locally protected subnet.
a. Enter New Pool Name = SalesPool
b. Virtual Subnet = 10.1.1.32/27
c. Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click Add.
d. Click Add to add the new pool.
Note: The Subnet and Number of Bits in Netmask fields work in concert to determine the network portion of the addresses in the pool as well as the total number of addresses in the pool. The values shown here provide 30 possible addresses: 10.1.1.33 - 10.1.1.62. Modify these two values as appropriate for your situation. (For example, in this scenario you might alternatively specify IP Address = 10.1.1.16 and Netmask = 28, creating 14 possible addresses: 10.1.1.17 - 10.1.1.30.)
e. On the Servers tab: If the client software you are using supports this mode-config capability, specify your internal DNS and WINS servers here.
f. Click Add.
3. In the Admin Console, select VPN Configuration -> Security Associations, and then click New to configure a new association.
a. On the General tab:
Name = Sales_A
Encapsulation = Tunnel
Mode = Dynamic IP Restricted Client
Enabled = Yes
Burb = Virtual
Local IP = localhost
Client Address Pool = SalesPool
b. On the Authentication tab:
Authentication method = Single Certificate
Firewall Certificate = Select the certificate you created in step 1A
Remote Certificate = Select the certificate you created in step 1C for this client
c. On the Crypto tab: Order the algorithms to match that of the client
d. On the Advanced tab: No changes needed
e. Click Add to save the new VPN association.
f. Click the Save icon to save your changes.
4. Repeat step 3 for each client, changing the name in step 3A and the remote certificate in step 3B as appropriate.
Summary
Each individual VPN connection can be used as soon as the remote clients are configured. Each client will need the client-specific certificate and private key information you saved in steps 1B and 1C in order to configure their end of the VPN connection. If you saved this information to diskette you can either hand it to them in person, mail it to them, or perform the imports while the machine is within a trusted network. It is not safe to distribute certificate and private key information via e-mail.
Figure 13-20. One VPN association for all clients
Note: The configuration described above restricts VPN traffic by terminating it in a virtual burb. Proxies and rule entries must be configured to specify what access the VPN clients have to the trusted network.
Scenario 3: Large scale deployment of clients
This scenario is similar to Scenario 2 except that instead of a small number of remote clients it assumes you have hundreds or even thousands of remote clients. Because it is unreasonable to create a unique VPN association for each client, a Certificate Authority (CA) will be used. The CA, in conjunction with the remote identities you define, allows you to create one VPN that is accessible by all of the clients.
The following figure provides the sample configuration information used in this scenario.
[Figure: sample configuration for this scenario. VPN Client A, VPN Client B, through VPN Client ZZZ connect across the Internet to the Sidewinder G2 (fw.east.bizco.net). Internet burb: 200.1.1.1. Trusted burb: 250.1.1.0/24 with hosts. Virtual burb. A router leads to the 192.168.182.0 network.]
The assumptions
This VPN scenario assumes the following:
A VPN connection between a Sidewinder and many clients
A Certificate Authority-based VPN
A single VPN association for all clients with a like security policy rather than one association per client
The VPN association is terminated in a virtual burb
The clients can have dynamic or static IP addresses
VPN clients should have access to the 250.1.1.0 network but not the 192.168.182.0 network
All clients make connections using a virtual IP address assigned from a client address pool
All clients are using VPN client software that supports mode-config
Note: It is assumed in this scenario that the clients do not have access to the CA and must rely on the Sidewinder G2 to create and distribute the necessary certificates and private keys.
How it is done
The following steps show the fields on the VPN menus that must be defined in order to create this VPN association. The basic idea is to:
— Define the CA used with this VPN
— Create a firewall certificate that is signed by the CA
— Create one or more identities that define who is authorized to use this VPN
— Create a client address pool
— Create the VPN security association
— Create the client certificates for each client
— Provide certificate information and/or files to clients as necessary
Tip: Some VPN client software, such as SafeNet SoftRemote, allows users to self-enroll online to obtain their personal certificates, which can greatly reduce administrative effort. See the VPN Admin Guide for more details.
1. In the Admin Console, select Services Configuration -> Certificate Management, and then enter the following information on each tab.
a. On the Certificate Authorities tab, click New and create a CA by specifying the following:
CA Name = BizcoCA
Type = SCEP (or whatever value is appropriate)
URL = http://10.18.128.8
Click Add.
Click the Save icon to save your changes.
Click Get CA Cert (Retrieves the CA Cert from the URL address.)
Click Get CRL (Retrieves the Certificate Revocation List for this CA.)
b. On the Firewall Certificates tab, click New and create a firewall certificate by specifying the following:
Certificate Name = BizcoFW_by_CA
Distinguished Name: CN=BizcoFW_by_CA,O=Bizco,C=US
Submit to CA = BizcoCA
Signature Type = RSA
Click Add.
Click the Save icon to save your changes.
At this point the Status field for this certificate will be PENDING. This is because the request has been sent to the CA but the certificate has yet to be created. The status will remain PENDING until the CA administrator approves your request.
Click Query. This queries the CA to see if the certificate is approved. If yes, the Status field will change to SIGNED and the certificate is imported.
Note: The Sidewinder G2 automatically queries the CA every 15 minutes to see if the request has been accepted. If the request has been accepted, the Sidewinder G2 will retrieve the resulting certificate.
c. On the Remote Identities tab, click New and create one or more identities that define who is authorized to use this VPN.
Identity Name = Sales_force
Distinguished Name: CN=*,OU=sales,O=bizco,C=us
Click Add.
Click Close.
Click the Save icon to save your changes.
2. In the Admin Console, select VPN Configuration -> Client Address Pools, and then click New to create a new client address pool.
Using a client address pool lets you define which local networks the clients can access. For this example, assume you want to permit access to the 250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote currently does not support this capability—it must be manually configured with information about the locally protected subnet.
a. Enter New Pool Name = SalesPool
b. Virtual Subnet = 10.1.1.0/24
c. Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click Add.
d. Click Add to add the new pool.
Note: The IP Address and Number of Bits in Netmask fields work in concert to determine the network portion of the addresses in the pool as well as the total number of addresses in the pool. The values shown here provide 254 possible addresses: 10.1.1.0–10.1.1.255. Modify these two values as appropriate for your situation.
e. On the Servers tab: If the client software you are using supports this mode-config capability, specify your internal DNS and WINS servers here.
f. Click Add.
g. Click the Save icon to save your changes.
3. In the Admin Console, select VPN Configuration -> Security Associations, and then click New to configure a new association.
a. On the General tab:
Name = Large_scale_sales
Encapsulation = Tunnel
Mode = Dynamic IP Restricted Client
Enabled = Yes
Burb = Virtual
Local IP = localhost
Client Address Pool = VPNPool
b. On the Authentication tab:
Authentication method = Certificate + Certificate Authority
Firewall Certificate = BizcoFW_by_CA (created in step 1B)
Certificate Authorities = BizcoCA (created in step 1A)
Remote Identities = Sales_force (created in step 1C)
c. On the Crypto tab: Order the algorithms to match that of the client.
d. On the Advanced tab: No changes needed
e. Click Add to save the new VPN association.
f. Click the Save icon to save your changes.
4. In the Admin Console, select Services Configuration -> Certificate Management. On the Remote Certificates tab, click New and create a certificate for a client by specifying the following:
Note: You can skip this step and step 5 for those clients that have online access to the CA. These clients can create and retrieve their own certificates.
Certificate Name = Sales_A
Distinguished Name: CN=Sales_A,OU=sales,O=bizco,C=US
Submit to CA = BizcoCA
Signature Type = RSA
Private Key: Click Browse and specify where you want to save the private key associated with this certificate. In this scenario it is common to save the certificate to the same location as the exported firewall certificate.
Certificate: Click Browse and specify where you want to save this certificate. In this scenario it is common to save the certificate to the same location as the private key and the exported firewall certificate.
Click Add.
Click the Save icon to save your changes.
5. In the Admin Console, select Services Configuration -> Certificate Management. Export the CA certificate and the firewall certificate to the same location used in step 4.
a. On the Certificate Authorities tab, select the CA certificate you created in step 1A, then click Export and export the certificate by specifying the following:
Destination = File
Generated CA Certificate File: Click Browse and specify where you want to save the CA certificate. Add the .pem extension to the file name.
Click OK.
b. [Optional] On the Firewall Certificates tab, select the firewall certificate you created in step 1B, then click Export and export the certificate by specifying the following:
Destination = File
Export Firewall Certificate to File: Click Browse and specify where you want to save the firewall certificate. Add the .pem extension to the file name.
Click OK.
6. Repeat steps 4 and 5 for each remote client.
When you are finished your storage location should have four items for each remote client: the CA certificate, the firewall certificate, the unique private key for the client, and the remote certificate for the client.
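The admission logic this scenario relies on, as an added illustration that is not Sidewinder G2 code: a client certificate DN is matched against the Sales_force Remote Identity pattern (CN=*,OU=sales,O=bizco,C=us), the client is then leased a virtual address from the Client Address Pool, and only destinations inside the pool's Local Subnets are reachable. The wildcard and case-insensitive matching rules, the strict attribute-set check, and the in-order lease from the usable host range are assumptions made here; the pool arithmetic also reproduces the 30-, 14- and 254-address figures the Scenario 2 and 3 notes give for the Virtual Subnet.

```python
"""Model of how a client is admitted under the Scenario 3 configuration:
its certificate DN must match a Remote Identity, it is then handed a
virtual address from the Client Address Pool, and its traffic is confined
to the pool's Local Subnets. Added illustration, not Sidewinder G2 code.

Assumed (the guide does not state it): attribute values are compared
case-insensitively, '*' in an identity matches any value for that
attribute, the certificate must carry exactly the identity's attributes,
and the usable host range of the Virtual Subnet is handed out in order.
"""
import ipaddress


def parse_dn(dn):
    """Split 'CN=Sales_A,OU=sales,O=bizco,C=US' into ordered (ATTR, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def identity_matches(identity_dn, cert_dn):
    """True if the certificate DN is covered by the Remote Identity pattern."""
    wanted = dict(parse_dn(identity_dn))
    present = dict(parse_dn(cert_dn))
    if set(wanted) != set(present):          # strict: no extra or missing attributes
        return False
    for attr, pattern in wanted.items():
        if pattern != "*" and present[attr].casefold() != pattern.casefold():
            return False
    return True


class ClientAddressPool:
    """Virtual Subnet plus the Local Subnets the VPN clients may reach."""

    def __init__(self, name, virtual_subnet, local_subnets):
        self.name = name
        self.virtual = ipaddress.ip_network(virtual_subnet)
        self.local = [ipaddress.ip_network(s) for s in local_subnets]
        # hosts() drops the network and broadcast addresses, which is why
        # the guide's 10.1.1.32/27 yields 30 addresses, 10.1.1.33 - 10.1.1.62
        self.free = list(self.virtual.hosts())
        self.leases = {}                      # client DN -> IPv4Address

    def size(self):
        return len(self.free) + len(self.leases)

    def assign(self, client_dn):
        """Hand out the next free virtual address (idempotent per client)."""
        if client_dn not in self.leases:
            if not self.free:
                raise RuntimeError("pool %s exhausted" % self.name)
            self.leases[client_dn] = self.free.pop(0)
        return self.leases[client_dn]

    def permits(self, destination):
        """Is this destination inside one of the pool's Local Subnets?"""
        addr = ipaddress.ip_address(destination)
        return any(addr in net for net in self.local)


def admit(identities, pool, cert_dn):
    """Return (identity name, virtual address) for an authorized client, else None."""
    for name, pattern in identities.items():
        if identity_matches(pattern, cert_dn):
            return name, pool.assign(cert_dn)
    return None


if __name__ == "__main__":
    # constructed sample values taken from the scenario
    identities = {"Sales_force": "CN=*,OU=sales,O=bizco,C=us"}
    pool = ClientAddressPool("SalesPool", "10.1.1.0/24", ["250.1.1.0/24"])
    for dn in ("CN=Sales_A,OU=sales,O=bizco,C=US", "CN=Eng_1,OU=eng,O=bizco,C=US"):
        print(dn, "->", admit(identities, pool, dn))
    print("250.1.1.7 reachable:", pool.permits("250.1.1.7"))
    print("192.168.182.5 reachable:", pool.permits("192.168.182.5"))
```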
Summary
Sidewinder is ready to accept connections across this VPN as soon as the remote clients are configured. In order to configure their end of the VPN connection, each client will need the client-specific certificate and private key information you saved in step 4 as well as the firewall and CA certificates created in step 5. If you saved this information to diskette you can either distribute the information in person or mail it to them, or perform the imports while the machine is within a trusted network. It is not safe to distribute certificate and private key information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating the VPN association in a virtual burb. Proxies and rules must be configured to specify what access the VPN clients have to the trusted network.
CHAPTER 14
Configuring the SNMP Agent
About this chapter
This section introduces SNMP concepts and explains how to configure the Sidewinder G2 SNMP agent. It also explains what needs to be done to allow the Sidewinder G2 to send or route messages to remote systems in an external network. The following topics are covered:
“SNMP and Sidewinder G2” on page 14-1
“Setting up the SNMP agent on Sidewinder G2” on page 14-8
“About the management station” on page 14-10
“Communication with systems in an external network” on page 14-11
SNMP and Sidewinder G2
The Sidewinder G2 supports SNMPv1 and SNMPv2c. SNMP is the industry standard for network management. You can set up SNMP agent software that allows the Sidewinder G2 to be monitored by SNMP compliant network management stations located on an internal or external network. You can also configure the Sidewinder G2 to route SNMP messages between a management station inside the Sidewinder G2 and an SNMP agent on a system in an external network.
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is allowed to operate on the Sidewinder G2, access through other burbs is supported using the UDP proxy. In addition, SNMP will only accept requests addressed to the first interface in a burb.
Configuring the SNMP Agent 14-1
Figure 14-1. Managing distributed systems using SNMP
SNMP basics
A network that is managed using SNMP involves two primary components: a manager (management station) and a number of managed nodes. The management station is typically a PC or UNIX workstation running network management software such as Hewlett-Packard’s OpenView® Windows or Novell ManageWise. Managed nodes are networking devices such as routers or Sidewinder G2s that contain an SNMP agent. Figure 14-1 shows a management station communicating with SNMP nodes to obtain network configuration information.
[Figure 14-1: an SNMP management station communicating with managed nodes: the Sidewinder G2, a router, and a server.]
The management station displays a graphical representation of a network’s topology through a Windows-based environment. In general, network managers can monitor each SNMP node (including the Sidewinder G2) by clicking on an icon representing each node in the network’s topology.
A management station in the internal or external network can request information from a managed node’s SNMP agent. The SNMP management station sends a managed node Get and GetNext SNMP messages to retrieve node-specific parameters and variables, called objects. The message response from the managed system provides the SNMP administrator with information on a node’s device names, status, network connections, etc.
Important: SNMPv1 agents typically allow Get, GetNext, and Set requests from the management station. However, the Sidewinder G2 SNMPv1 agent does not support Set requests. This prevents a management system from sending commands to change variables or parameters in the Sidewinder G2.
Figure 14-2. Community name within an SNMP message
Each managed node can send an unsolicited event notification message, called a trap, to a management station when it detects certain system events. For example, you can configure the SNMP agent in the Sidewinder G2 to issue a trap whenever an unauthorized user tries to read, write, or execute a protected file on the Sidewinder G2. (Refer to “Sidewinder G2 SNMP traps” on page 14-4 for a list of all traps supported by the Sidewinder G2.)
When setting up SNMP management, a network administrator assigns the management station and the nodes it will manage a community name. As shown in Figure 14-2, the community name is in the authentication header in each SNMP message exchanged between a management station and a managed node.
[Figure 14-2: SNMP message layout: VERSION | COMMUNITY NAME | SNMP COMMAND (GET, GETNEXTREQUEST, ETC.)]
The SNMP agent treats the community name like a password to validate the identity of a management station. For example, suppose a management station sends a get request to retrieve information from a managed node’s SNMP agent. If the community name within the get request is not also used by the SNMP agent, the agent will not return information to the management station.
Caution: To increase security on your network, DO NOT use common default names such as "public" or "private," which can be easily guessed.
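The message layout described above (version, community name, command) as a decoder, with the three checks this section motivates: a request whose community does not match the agent's is not answered, a default community name is flagged, and a Set request is refused as the Sidewinder G2 SNMPv1 agent does. This is an added example, not the Sidewinder G2 agent's code; the BER helpers, the sample packet and the agent community value are constructed here.

```python
"""Decode the SNMPv1/v2c message header (version, community, PDU type) and
apply the checks the guide motivates. Added example, not part of the
Sidewinder G2 agent; the sample packets are built here with a minimal BER
encoder so the decoder can be exercised offline."""

# PDU tags from RFC 1157 / RFC 1905 (context-specific, constructed)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _tlv(tag, body):
    """Encode one BER TLV; handles short-form and two long-form lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _int(value):
    """BER INTEGER for small non-negative values (enough for this example)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return _tlv(0x02, body)


def build_request(version, community, pdu_tag, request_id=1):
    """Constructed SNMP message carrying one sysDescr.0 (1.3.6.1.2.1.1.1.0) varbind."""
    oid = _tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00]))
    varbind = _tlv(0x30, oid + _tlv(0x05, b""))            # OID + NULL value
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                      # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """Extract version, community and PDU type from a raw SNMPv1/v2c datagram."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown")}


def check_request(packet, agent_community):
    """Return the reasons a request should not be served (empty list = serve it)."""
    hdr = parse_header(packet)
    problems = []
    if hdr["version"] == "unknown":
        problems.append("unsupported version")
    if hdr["community"] != agent_community:
        problems.append("community mismatch")             # agent stays silent
    if hdr["community"] in DEFAULT_COMMUNITIES:
        problems.append("default community name in use")   # the guide's Caution
    if hdr["pdu"] == "SetRequest":
        problems.append("Set requests not supported")      # as on the Sidewinder G2
    return problems


if __name__ == "__main__":
    AGENT_COMMUNITY = "bizco-mon-7"                         # constructed sample value
    samples = ((0, "public", 0xA0), (1, AGENT_COMMUNITY, 0xA3), (1, AGENT_COMMUNITY, 0xA1))
    for ver, comm, tag in samples:
        pkt = build_request(ver, comm, tag)
        print(parse_header(pkt), check_request(pkt, AGENT_COMMUNITY) or "serve")
```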
Both the management station and the managed node also contain Management Information Bases (MIBs) that store information about the managed objects. Currently, the SNMP agent on the Sidewinder G2 supports standard MIB II objects, the Host Resources MIB (RFC1514), and the Sidewinder G2-specific MIB objects. MIBs are discussed in greater detail later in this chapter.
Note: The MIBs used for compiling the SNMP agent for the Sidewinder G2 are located in /etc/sidewinder/snmp.
If you need more information on SNMP, an excellent source is Managing Internetworks with SNMP by Mark A. Miller, P.E. (M&T Books).
Sidewinder G2 SNMP traps
An SNMP trap is an alert message that is sent as an unsolicited transmission of information from a managed node (router, Sidewinder G2, etc.) to a management station. Most management stations can be configured to either: (1) display received traps in a pop-up window, or (2) automatically dial a phone number, such as a pager number.
The Sidewinder G2 SNMP agent supports a basic trap, called the ColdStart trap, that is sent whenever the SNMP agent in the Sidewinder G2 is enabled. It is also sent if the SNMP configuration file (/etc/sidewinder/snmp/snmpd.conf) is modified by the Admin Console.
Note: You cannot disable the ColdStart trap.
You also have the option to configure the Sidewinder G2 to send audit alarm SNMP traps when an audit event triggers an alarm in the Sidewinder G2. Pre-defined alarm events in the Sidewinder G2 are contained in the 200 range (for example, 201, 202). You also have the option to create your own custom traps. Custom traps will return messages that contain numbers 215–225. For a list of available SNMP traps, see the cf snmptrap man page.
To configure the Sidewinder G2 to send the following pre-defined traps, refer to “Configuring alarm events and event responses” on page 17-1.
ATTACK_ATTEMPT—This trap is sent when an attack attempt (that is, any suspicious occurrence) is identified by one of the services on the Sidewinder G2. For example, if the Network Services Sentry (NSS) detects a suspicious IP address on an incoming connection, it will issue an attack attempt trap.
FAILOVER_EVENT—This trap is sent any time a Sidewinder G2 changes its status in an HA cluster from secondary to primary, or from primary to secondary.
MAIL_FILTER_FAILURE—This trap is sent when SMTP mail messages fail a configured mail filter. For example, if a mail message failed the Key Word Search filter, a mail filter failure event would be logged.
Note: The mail filter map configuration determines what is done with failed messages.
IPSEC_FAILURE—This trap is sent when IPSec errors exceed the configured threshold values.
LICEXCEED_FILTER—This trap is sent when users are denied access through the Sidewinder G2 due to a user license cap violation.
LOG_FILE_OVERFLOW—This trap is sent when the Sidewinder G2 audit logs are close to filling the partition.
PROBE_ATTEMPT—This trap is sent when network probe attempts are detected (that is, any time a user attempts to connect or send a message to a TCP or UDP port that either has no service associated with it or is associated with an unsupported service). The Sidewinder G2 offers two methods for your site to ignore network probe attempts:
— Create an IP Filter Deny rule: You can create an IP Filter deny rule to discard probes coming from recognized offenders. For information on creating an IP Filter deny rule, see “Creating IP Filter rules” on page 7-12.
— Create an ignore list: You can create an ignore list that will ignore probe attempts and generate an audit event. For information on creating an ignore list, see “Ignoring network probe attempts” on page 17-17.
ACCESS_CONTROL—This trap is sent when the number of denied access attempts to services exceeds a specified number. For example, you may set up your system so that internal users cannot FTP to a certain Internet address. If a user tried to connect to that address, the attempt would be logged as a denial.
UPS_POWER_FAILURE—This trap is sent when a connected Uninterruptible Power Supply (UPS) has a power failure and the Sidewinder G2 is running on UPS battery power.
PROXY_FLOOD—This trap is sent when potential connection attack attempts are detected. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try and flood the system. When NSS receives more connection attempts than it can handle for a proxy, that proxy is briefly stopped (to allow the proxy to "catch up") and is then restarted, and an audit event is created.
DENIED_AUTH—This trap is sent when a user attempts to authenticate and enters invalid data. For example, if a user is required to enter a password and entered it incorrectly, the denied auth_filter would log the event.
Note: This type of event is not logged when an administrator attempts to switch to an unauthorized role (srole) or enter incorrect login information.
UPS_SYSTEM_SHUTDOWN—This trap is sent when the Sidewinder G2 has been running on UPS battery power for the estimated battery time. (See “Configuring the Sidewinder G2 to use a UPS” on page 3-58 for additional information on UPS.)
SYN_FLOOD_ATTACK—This trap is sent when the Sidewinder G2 encounters a SYN attack.
TE_VIOLATION—This trap is sent when an unauthorized user or process attempts to perform an illegal operation on a file on the Sidewinder G2.
NETWORK_TRAFFIC—This trap is sent when the number of traffic audit events written by the various proxies (WWW, Telnet, FTP, etc.) going through the Sidewinder G2 exceeds a specified number in a specified time period. This information can be useful for monitoring the use of the Sidewinder G2 services by internal users.
Note: Network traffic thresholds are reported as number of events per second, and not as number of bytes per second.
CRIT_COMP_FAILURE—This trap is sent when the Sidewinder G2 detects that a critical component has failed. For example, this trap occurs when daemond detects a software module has failed.
VIRUSMIME—This trap occurs when the number of mail or HTTP messages that failed the MIME/Virus filter exceeds a specified threshold in a specified time period.
Sidewinder G2 SNMP MIBs
Management Information Bases (MIBs) are associated with both the management station and the SNMP agent in the Sidewinder G2. The Sidewinder G2 SNMP agent supports two MIB structures (as well as a Host MIB).
mib2—This is a standard SNMP MIB as defined in RFC-1213.
sccMibSw—This is a Sidewinder G2-specific MIB provided by Secure Computing Corporation. Figure 14-3 shows the location of the Sidewinder G2 MIB structures within the SNMP root hierarchy.
Note: MIBs that are used to compile the SNMP agent for the Sidewinder G2 are located in /etc/sidewinder/snmp.
Figure 14-3. MIBs<br />
supported by the<br />
<strong>Sidewinder</strong> <strong>G2</strong> SNMP<br />
agent<br />
SNMP and <strong>Sidewinder</strong> <strong>G2</strong><br />
All individual objects (parameters and variables) managed by an<br />
SNMP management station are part <strong>of</strong> an object group within an MIB.<br />
For example, the swProxy group stores information about currentlydefined<br />
proxies on the system. The information might include the<br />
proxy name and the current status <strong>of</strong> the proxy.<br />
When a management station requests information from the<br />
<strong>Sidewinder</strong> <strong>G2</strong> SNMP agent, the SNMP agent may or may not<br />
associate the returned information with a specific burb.<br />
system<br />
interfaces<br />
mgmt<br />
mib2<br />
iso<br />
org<br />
dod<br />
internet<br />
ip tcp<br />
icmp udp<br />
snmp<br />
private<br />
enterprises<br />
scc<br />
sccMibs<br />
sccMibSw<br />
swProxy swBurb<br />
Note: A burb is a type enforced network area used to isolate network interfaces from<br />
each other. A burb is identified by a unique name (internal, external, etc.) as assigned<br />
during the <strong>Sidewinder</strong> <strong>G2</strong> installation process.<br />
Configuring the SNMP Agent 14-7
Setting up the SNMP agent on <strong>Sidewinder</strong> <strong>G2</strong><br />
Setting up the<br />
SNMP agent on<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
Figure 14-4. SNMP<br />
Configuration window<br />
Entering information on the<br />
SNMP Server Configuration<br />
tab<br />
14-8 Configuring the SNMP Agent<br />
This section explains how to use the Admin Console to configure the<br />
SNMP agent on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
The SNMP agent may be enabled in any single burb that is not the<br />
Firewall burb. It cannot be enabled on multiple burbs. To allow SNMP<br />
management stations that reside in other burbs for the SNMP agent,<br />
you must create an allow rule for SNMP and enable the SNMP proxy<br />
in the appropriate burb(s). The source burb for this rule should<br />
consist <strong>of</strong> a network object group that contains only SNMP<br />
management station IP addresses. The destination burb should specify<br />
the destination IP address for the burb in which SNMP is running. For<br />
information on configuring network objects, see “Displaying network<br />
objects and netgroups” on page 5-10. For information on configuring<br />
an SNMP Application Defense, see “Creating SNMP Application<br />
Defenses” on page 6-42.<br />
Note: If you are configuring SNMP on a <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> an HA cluster, all<br />
<strong>Sidewinder</strong> <strong>G2</strong> queries must use the HA cluster address.<br />
To set up the SNMP agent, in the Admin Console select Services<br />
Configuration -> Servers. Select snmpd in the list <strong>of</strong> server names, and<br />
then click the Configuration tab. The following window appears.<br />
This window is used to enter configuration information for the SNMP<br />
agent. Follow the steps below.
Defining a community<br />
name<br />
Setting up the SNMP agent on <strong>Sidewinder</strong> <strong>G2</strong><br />
1. [Optional] In the Location field, type a description <strong>of</strong> the physical<br />
location <strong>of</strong> your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2. [Optional] In the Contact field, type your <strong>Sidewinder</strong> <strong>G2</strong> administrator<br />
user name.<br />
3. In the Enable Authentication Failure Trap field, select Yes to enable<br />
authentication failure traps, or No to disable authentication failure traps.<br />
If you click Yes, the <strong>Sidewinder</strong> <strong>G2</strong> will send authentication failure traps<br />
to all configured management stations whenever the <strong>Sidewinder</strong> <strong>G2</strong><br />
detects an unauthenticated Get command.<br />
4. In the Allowed Get Communities you can view all <strong>of</strong> the community<br />
names authorized to retrieve MIB information. The community name is<br />
part <strong>of</strong> the authentication header in all SNMP messages. The <strong>Sidewinder</strong><br />
<strong>G2</strong> SNMP agent checks the community name in all SNMP messages it<br />
receives to verify the identity <strong>of</strong> a manager.<br />
To add, modify, or delete communities, use the New, Modify, and Delete<br />
buttons located directly beneath the list. See “Defining a community<br />
name” on page 14-9 for information on adding or modifying a<br />
community name.<br />
Note: The SNMP daemon will not start unless a community name is specified. By<br />
default, if you do not specify an Allowed Get Community name, the only Allowed<br />
Get Community is “public.”<br />
5. In the Trap Destinations field, you can view all <strong>of</strong> the hosts that will<br />
receive traps generated by the <strong>Sidewinder</strong> <strong>G2</strong> SNMP agent. To add,<br />
modify, or delete trap destinations, use the New, Modify, and Delete<br />
buttons located directly beneath the list. See “Defining a trap<br />
destination” on page 14-10 for information on adding a new trap<br />
destination name or IP address.<br />
Note: By default, if you do not specify a trap destination community name, the<br />
<strong>Sidewinder</strong> <strong>G2</strong> uses the community name “public.”<br />
6. Click the Save icon in the toolbar to apply the changes. If the SNMP<br />
agent is enabled, a ColdStart trap is issued to all configured trap<br />
destinations whenever you save configuration changes.<br />
The Allowed Get Community window enables you to add or modify<br />
names in the list <strong>of</strong> authorized community names. As an SNMP agent,<br />
the <strong>Sidewinder</strong> <strong>G2</strong> will only respond to requests from management<br />
stations that belong to a community in this list. Follow the steps<br />
below.<br />
1. In the Community Name field, type the name you want added to the list<br />
<strong>of</strong> allowed communities.<br />
Configuring the SNMP Agent 14-9
About the management station<br />
14-10 Configuring the SNMP Agent<br />
2. Click Add to add the community to the list (or OK if you are modifying a<br />
community) and return to the Configuration tab.<br />
Defining a trap destination The Trap Destination window enables you to define a new host or to<br />
modify an existing host in the Trap Destination list. The hosts in this<br />
list will receive traps issued by the <strong>Sidewinder</strong> <strong>G2</strong>. Follow the steps<br />
below.<br />
About the<br />
management<br />
station<br />
1. In the Host Name or Address field, type the name or IP address <strong>of</strong> the<br />
host you want added to the Trap Destinations list.<br />
2. [Optional] In the Community name field, type the community name<br />
associated with this host.<br />
3. Click Add to add the trap destination to the list (or OK if you are<br />
modifying a trap destination) and return to the Configuration tab.<br />
Enabling/disabling the SNMP server<br />
Perform the following steps to enable or disable the SNMP server.<br />
1. In the Admin Console select Services Configuration -> Servers.<br />
2. Select snmpd from the list <strong>of</strong> server names, and then click the Control<br />
tab.<br />
3. Select the burb for which the SNMP agent will be enabled or disabled.<br />
The SNMP agent can only be enabled for one burb, and it cannot be<br />
enabled for the Firewall burb.<br />
4. Click the Save icon.<br />
Note: You must define an allow all rule for the SNMP agent before SNMP queries will be<br />
allowed through the <strong>Sidewinder</strong> <strong>G2</strong>. For information on creating rules, see “Creating proxy<br />
rules” on page 7-4.<br />
Note: Enabling the SNMP server will cause the <strong>Sidewinder</strong> <strong>G2</strong> to send a ColdStart trap to<br />
the management station(s).<br />
The administrator <strong>of</strong> the SNMP management station should be made<br />
aware <strong>of</strong> the following in order to retrieve information from the<br />
<strong>Sidewinder</strong> <strong>G2</strong> SNMP agent:
Communication<br />
with systems in an<br />
external network<br />
Communication with systems in an external network<br />
<strong>Sidewinder</strong> <strong>G2</strong> host name or IP address<br />
This is needed to set up communication with the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note 1: If the burb in which the SNMP agent is running contains more than one<br />
interface, specify the address <strong>of</strong> the first interface in the burb. The SNMP agent will<br />
only respond to the first interface in the burb.<br />
Note 2: If you are using High Availability (HA), specify the shared HA cluster IP<br />
address or host name, not the actual interface address or host name.<br />
Community names configured in the <strong>Sidewinder</strong> <strong>G2</strong> SNMP agent<br />
This is needed to allow the management station to retrieve MIB<br />
objects from the SNMP agent.<br />
MIB information<br />
This may be needed to properly translate the object identifications.<br />
Be sure to inform the administrator that the <strong>Sidewinder</strong> <strong>G2</strong> supports<br />
the Host Resources MIB.<br />
Important: On the <strong>Sidewinder</strong> <strong>G2</strong>, all Secure Computing Corporation MIB files are<br />
located in the /etc/sidewinder/snmp directory. If for some reason these files cannot<br />
be accessed from the <strong>Sidewinder</strong> <strong>G2</strong>, they can be downloaded via an FTP client or<br />
Web browser. The MIB files are scc-mib and scc-sw-mib.<br />
To retrieve the files using anonymous FTP, use an FTP client and log in to<br />
ftp.securecomputing.com. The directory where the files are located is /pub/mibs.<br />
To retrieve the files using a Web browser, point the browser to<br />
ftp://ftp.securecomputing.com/pub/mibs/.<br />
You can route (or forward) SNMP messages between a management<br />
station behind the <strong>Sidewinder</strong> <strong>G2</strong> and any SNMP managed node on<br />
the other side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>. You can also allow an external<br />
management station to access the <strong>Sidewinder</strong> <strong>G2</strong> SNMP agent. Both <strong>of</strong><br />
these scenarios require the use <strong>of</strong> a UDP proxy.<br />
Important: A UDP proxy is not needed to allow the <strong>Sidewinder</strong> <strong>G2</strong> SNMP agent to<br />
communicate with a management station in an internal network (behind the <strong>Sidewinder</strong><br />
<strong>G2</strong>).<br />
Figure 14-5 summarizes which SNMP configurations require you to<br />
configure a UDP proxy.<br />
Configuring the SNMP Agent 14-11
Communication with systems in an external network<br />
Figure 14-5. <strong>Sidewinder</strong><br />
<strong>G2</strong> serving as an SNMP<br />
agent for internal or<br />
external management<br />
station<br />
14-12 Configuring the SNMP Agent<br />
internal<br />
SNMP mgmt.<br />
station<br />
(OpenView)<br />
no<br />
proxy<br />
needed<br />
internal<br />
network<br />
SNMP<br />
agent<br />
UDP<br />
proxy<br />
external<br />
network<br />
UDP<br />
proxy<br />
SNMP<br />
agent<br />
Internet<br />
The <strong>Sidewinder</strong> <strong>G2</strong> UDP proxy sends SNMP requests and messages<br />
via UDP port 161. The <strong>Sidewinder</strong> <strong>G2</strong> UDP proxy sends SNMP traps<br />
to an external management station via UDP port 162.<br />
Important: Refer to “Setting up a new proxy” on page 8-31 for information on<br />
configuring a UDP proxy.<br />
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is<br />
allowed to operate on the <strong>Sidewinder</strong> <strong>G2</strong>, access through other burbs is supported using<br />
the UDP proxy.<br />
R<br />
external<br />
SNMP mgmt.<br />
station<br />
(OpenView)
C HAPTER 15<br />
One-To-Many Clusters<br />
About this chapter This chapter describes the <strong>Sidewinder</strong> <strong>G2</strong> clustering features that<br />
allow you to manage multiple <strong>Sidewinder</strong> <strong>G2</strong> Security Appliances.<br />
This chapter covers the following topics:<br />
“Overview” on page 15-1<br />
“Example scenario using a One-To-Many cluster” on page 15-4<br />
“Configuring One-To-Many” on page 15-5<br />
“Understanding the One-To-Many tree structure” on page 15-13<br />
Overview If your organization uses two or more <strong>Sidewinder</strong> <strong>G2</strong>s, the One-To-<br />
Many feature allows you to easily manage your <strong>Sidewinder</strong> <strong>G2</strong>s at one<br />
time. Changes you make in the Admin Console to your primary<br />
<strong>Sidewinder</strong> <strong>G2</strong> are automatically replicated to each secondary<br />
<strong>Sidewinder</strong> <strong>G2</strong>. The changes are made to each secondary <strong>Sidewinder</strong><br />
<strong>G2</strong> immediately, in real time.<br />
You are most likely to use One-To-Many if you are managing several<br />
<strong>Sidewinder</strong> <strong>G2</strong>s that are located in the same network, which is the<br />
case if you are using load balancing hardware. This scenario is<br />
depicted in Figure 15-1.<br />
Note: When implementing One-To-Many, the preferred setup is to configure each<br />
<strong>Sidewinder</strong> <strong>G2</strong> with a dedicated cluster burb, allowing all communication between cluster<br />
<strong>Sidewinder</strong> <strong>G2</strong>s to be contained within its own burb.<br />
15<br />
One-To-Many Clusters 15-1
15<br />
Overview<br />
Figure 15-1. A typical<br />
One-To-Many and<br />
Cloning implementation<br />
15-2 One-To-Many Clusters<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
administrator<br />
Load<br />
balancing<br />
hardware<br />
Your local<br />
network<br />
Primary<br />
Secondary<br />
Secondary<br />
The One-To-Many feature is implemented in a "clustering" scheme.<br />
Clustering is used when you introduce a load balancing tool (as<br />
shown in Figure 15-1) into your network. All <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>s<br />
reside in the same network and are basically either backups <strong>of</strong> one<br />
another or are being used to share the network load. In this scenario,<br />
each <strong>Sidewinder</strong> <strong>G2</strong> will have the same basic configuration (excluding<br />
host names and IP addresses).<br />
Tip: If you require centralized management to handle many <strong>Sidewinder</strong> <strong>G2</strong>s across<br />
multiple networks, you may want to consider implementing the <strong>Sidewinder</strong> <strong>G2</strong> Enterprise<br />
Manager INSTEAD <strong>of</strong> using One-To-Many. For information on the <strong>Sidewinder</strong> <strong>G2</strong><br />
Enterprise Manager, go to Secure Computing’s Web site at www.securecomputing.com.<br />
Considerations when using One-To-Many<br />
Load<br />
balancing<br />
hardware<br />
Please note the following considerations when using One-To-Many.<br />
All <strong>Sidewinder</strong> <strong>G2</strong>s must be at the same version level.<br />
Internet<br />
You can define only one primary <strong>Sidewinder</strong> <strong>G2</strong> for each cluster.<br />
A <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> an HA cluster cannot participate in<br />
a One-To-Many cluster.<br />
You cannot use a <strong>G2</strong> Enterprise Manager to manage a <strong>Sidewinder</strong><br />
<strong>G2</strong> that belongs to a One-To-Many cluster.
Overview<br />
DNS services must be configured identically on all <strong>Sidewinder</strong> <strong>G2</strong>s<br />
that are part <strong>of</strong> the cluster.<br />
You should not connect directly to a <strong>Sidewinder</strong> <strong>G2</strong> that is<br />
designated as a secondary <strong>Sidewinder</strong> <strong>G2</strong>, unless you are<br />
configuring DNS.<br />
Note: See “Understanding the One-To-Many tree structure” on page 15-13 for<br />
details on configuring non-synchronized areas for secondary <strong>Sidewinder</strong> <strong>G2</strong>s.<br />
If you have VPNs configured, you must ensure that your load<br />
balancers are configured to send all traffic for a given VPN security<br />
association to a single <strong>Sidewinder</strong> <strong>G2</strong> within the cluster.<br />
The burb names must be identical for each <strong>Sidewinder</strong> <strong>G2</strong>.<br />
The corresponding burbs and NICs on each <strong>Sidewinder</strong> <strong>G2</strong> must<br />
all be on the same networks. For example:<br />
Burb Primary A Secondary B Secondary C<br />
Internet 10.1.182.15 10.1.182.25 10.1.182.35<br />
Web 192.168.183.15 192.168.183.25 192.168.183.35<br />
Cluster 192.168.184.15 192.168.184.25 192.168.184.35<br />
Using IP aliases, redirected addresses, and multiple address<br />
translation in proxy rules<br />
If you use IP aliases, redirected addresses, or multiple address<br />
translation (MAT) in any <strong>of</strong> the rules created on either the primary<br />
<strong>Sidewinder</strong> <strong>G2</strong> or on a secondary <strong>Sidewinder</strong> <strong>G2</strong>, this may cause<br />
problems in a One-To-Many cluster. This is because IP aliases,<br />
redirected addresses, and MAT define addresses that are specific to a<br />
<strong>Sidewinder</strong> <strong>G2</strong>. A <strong>Sidewinder</strong> <strong>G2</strong> that requires a unique IP address in<br />
a rule is not a good candidate for inclusion in a One-To-Many<br />
relationship.<br />
However, if a <strong>Sidewinder</strong> <strong>G2</strong> uses IP aliases or redirected addresses,<br />
you can still include it in a One-To-Many cluster by doing the<br />
following:<br />
Note: This procedure will not work with MAT.<br />
1. Define a group that contains all the alias IP addresses and redirected<br />
addresses used by your <strong>Sidewinder</strong> <strong>G2</strong>s.<br />
One-To-Many Clusters 15-3
Example scenario using a One-To-Many cluster<br />
Example scenario<br />
using a One-To-<br />
Many cluster<br />
15-4 One-To-Many Clusters<br />
2. Use the group name in the rule rather than the specific IP address.<br />
The group name will replace the unique IP alias or a redirected address<br />
in the rule.<br />
In the following example, there are three <strong>Sidewinder</strong> <strong>G2</strong>s protecting a<br />
local network. Network traffic is load balanced across the <strong>Sidewinder</strong><br />
<strong>G2</strong>s using a load balancing tool such as Radware FirePro<strong>of</strong> or F5<br />
Networks BIG-IP ® Controller, similar to the configuration depicted in<br />
Figure 15-1.<br />
Because each <strong>Sidewinder</strong> <strong>G2</strong> will be configured almost identically, the<br />
One-To-Many feature simplifies the management process. Any<br />
configuration changes you make from the primary <strong>Sidewinder</strong> <strong>G2</strong> will<br />
automatically be implemented on each <strong>of</strong> the secondary <strong>Sidewinder</strong><br />
<strong>G2</strong>s, ensuring that all <strong>of</strong> your <strong>Sidewinder</strong> <strong>G2</strong>s remain synchronized.<br />
Example scenario requirements<br />
This scenario requires the following:<br />
Two or more <strong>Sidewinder</strong> <strong>G2</strong>s running at the same version.<br />
A load balancing tool such as a Radware FirePro<strong>of</strong> or F5 Networks<br />
BIG-IP ® Controller.<br />
The IP addresses used to access each <strong>Sidewinder</strong> <strong>G2</strong> must all<br />
reside in a burb <strong>of</strong> the same name. For example, in the sample<br />
network configuration shown in Figure 15-2, if you are accessing<br />
the <strong>Sidewinder</strong> <strong>G2</strong>s from the internal network, all IP addresses<br />
used to access the <strong>Sidewinder</strong> <strong>G2</strong> must reside in the burb named<br />
internal.
Figure 15-2. Sample<br />
network configuration<br />
for One-To-Many<br />
Configuring One-<br />
To-Many<br />
External Network = 192.168.182.x<br />
192.168.182.1<br />
Burb Name:<br />
external<br />
Burb Name:<br />
cluster<br />
Burb Name:<br />
internal<br />
A<br />
10.1.183.1<br />
Internal Network = 10.1.183.x<br />
Burb Name:<br />
external<br />
Burb Name:<br />
internal<br />
Configuring One-To-Many<br />
The following steps explain how to initiate a One-To-Many<br />
relationship between multiple <strong>Sidewinder</strong> <strong>G2</strong>s.<br />
B<br />
192.168.182.2<br />
10.1.183.2<br />
Burb Name:<br />
external<br />
192.168.182.3<br />
10.1.0.1 Burb Name: 10.1.0.2 Burb Name: 10.1.0.3<br />
cluster<br />
cluster<br />
Burb Name:<br />
internal<br />
10.1.183.3<br />
Note: A <strong>Sidewinder</strong> <strong>G2</strong> cannot participate in a One-To-Many relationship if it is part <strong>of</strong> an<br />
HA cluster.<br />
Note: If a participating <strong>Sidewinder</strong> <strong>G2</strong> has rules that use an IP alias or a redirect address,<br />
see “Using IP aliases, redirected addresses, and multiple address translation in proxy rules”<br />
on page 15-3.<br />
Configuring a dedicated cluster burb for each <strong>Sidewinder</strong><br />
<strong>G2</strong><br />
Secure Computing recommends configuring a dedicated cluster burb<br />
when setting up One-To-Many. This should be done prior to<br />
configuring your <strong>Sidewinder</strong> <strong>G2</strong>s for One-To-Many. To add and<br />
configure the cluster burb, follow the steps below.<br />
1. Ensure that the <strong>Sidewinder</strong> <strong>G2</strong> has an interface that can be dedicated to<br />
internal One-To-Many communication.<br />
2. In the Admin Console, connect to the <strong>Sidewinder</strong> <strong>G2</strong> and select Firewall<br />
Management -> Burb Configuration and create a cluster burb.<br />
Important: The burb name for the cluster burb must be the same for each<br />
<strong>Sidewinder</strong> <strong>G2</strong> this will be participating in the One-To-Many cluster.<br />
Note: See “Modifying the burb configuration” on page 3-48 for more information.<br />
C<br />
One-To-Many Clusters 15-5
Configuring One-To-Many<br />
15-6 One-To-Many Clusters<br />
3. Click the Save icon on the toolbar.<br />
4. Go to Firewall <strong>Administration</strong> -> Interface Configuration to assign an<br />
address and the cluster burb to the appropriate interface. (Be sure to<br />
select Enable Interface.)<br />
Note: See “Modifying the interface configuration” on page 3-50 for more<br />
information.<br />
5. Click the Save icon on the toolbar. (You do not need to reboot at this<br />
time.)<br />
6. Repeat these steps for each <strong>Sidewinder</strong> <strong>G2</strong> that will be participating in<br />
the One-To-Many cluster.<br />
Configuring the primary in a new One-To-Many cluster<br />
This section provides instruction on configuring your primary for<br />
One-To-Many. Follow the steps below.<br />
Important: It is recommended that you perform a system backup before configuring<br />
One-To-Many. See “Backing up system files” on page A-4 for details.<br />
Note: The entrelayd server will automatically become enabled in the cluster burb when<br />
you configure One-To-Many.<br />
1. Start the Admin Console, and log in to the <strong>Sidewinder</strong> <strong>G2</strong> that will<br />
become the primary.<br />
2. In the tool bar, select the icon to launch the State Change Wizard.<br />
(You can also access the State Change Wizard by clicking on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> icon in the Admin Console tree and then clicking State<br />
Change Wizard.) The Welcome window appears.<br />
3. Click Next.<br />
4. Select Not Enterprise Managed and click Next.<br />
5. Select One-To-Many Cluster and click Next.<br />
6. Select Create New Cluster and click Next.<br />
7. In the One-To-Many Communication Configuration window, do the<br />
following:<br />
a. In the Cluster Burb field, select the burb that will be used for intracluster<br />
policy communication. This is generally a dedicated burb. For<br />
information on creating a dedicated cluster burb, see “Configuring a<br />
dedicated cluster burb for each <strong>Sidewinder</strong> <strong>G2</strong>” on page 15-5.
Configuring One-To-Many<br />
b. In the Primary IP Address field, select the IP address <strong>of</strong> the burb you<br />
selected in step a.<br />
Note: This address is required when you are joining additional <strong>Sidewinder</strong> <strong>G2</strong>s to<br />
the One-To-Many cluster.<br />
8. Click Next. The State Change Summary window displays a list <strong>of</strong> the<br />
actions that will be performed when you click Execute.<br />
If you want to make changes to your configuration before executing,<br />
click Back to navigate to the appropriate window(s) and make the<br />
necessary changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If<br />
the transition is successful, the Success window appears displaying the<br />
new state.<br />
To add an additional cluster member, see “Adding a secondary” on page<br />
15-7.<br />
Adding a secondary<br />
Once you have created a One-To-Many cluster with a primary, you<br />
can add one or more secondaries to be managed. Adding a secondary<br />
to a One-To-Many cluster creates a placeholder for that <strong>Sidewinder</strong><br />
<strong>G2</strong> within that cluster. Once you have added the <strong>Sidewinder</strong> <strong>G2</strong>, you<br />
will need to join that <strong>Sidewinder</strong> <strong>G2</strong> to the cluster before it can be<br />
managed by the primary.<br />
Using the Admin Console, connect to the primary One-To-Many<br />
cluster member, and click One To Many Management in the Admin<br />
Console tree. The One To Many Management window appears.<br />
Tip: You can also get to this window by clicking the icon in the toolbar.<br />
One-To-Many Clusters 15-7
Configuring One-To-Many<br />
Figure 15-3. One To<br />
Many Management<br />
window<br />
About the One To Many<br />
Management window<br />
About the Add Cluster<br />
Member window<br />
15-8 One-To-Many Clusters<br />
In this window, you can do the following:<br />
Add a secondary—To add a secondary to your One-To-Many cluster,<br />
click New. The Add Cluster Members window appears. See “About<br />
the Add Cluster Member window” on page 15-8 for information on<br />
configuring this window.<br />
View the status <strong>of</strong> a One-To-Many cluster—To view the status <strong>of</strong> a One-<br />
To-Many cluster, click Cluster Status. The Cluster Member Status<br />
window appears. For information on viewing the status <strong>of</strong> a<br />
cluster, see “Viewing the status <strong>of</strong> a One-To-Many cluster” on page<br />
15-10.<br />
Modify the primary IP address—To change the primary IP address,<br />
click Modify Primary Address. The Modify Primary Address window<br />
appears. For information on modifying the IP address to determine<br />
which <strong>Sidewinder</strong> <strong>G2</strong> is the primary, see “Changing the primary in<br />
a One-To-Many cluster” on page 15-11.<br />
This window allows you to add a secondary to a One-To-Many<br />
cluster.<br />
Note: You will need to join the <strong>Sidewinder</strong> <strong>G2</strong> to the One-To-Many cluster once you have<br />
added the placeholder before it can participate in the One-To-Many cluster.<br />
1. In the Cluster Member Name field, type the name <strong>of</strong> the secondary.<br />
2. In the IP Address field, type the IP address in the cluster burb <strong>of</strong> the<br />
secondary.
Configuring One-To-Many<br />
3. In the Registration Key field, create the registration key for this<br />
<strong>Sidewinder</strong> <strong>G2</strong>. This is a one-time key that you will use to register the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the One-To-Many cluster.<br />
The key must be at least one character long and may consist <strong>of</strong><br />
alphanumeric characters, hyphens (-), and underscores (_).<br />
4. Click Add to return to the One To Many Management window. The<br />
secondary will appear in the One To Many Cluster Members table.<br />
5. To register this <strong>Sidewinder</strong> <strong>G2</strong> to a One-To-Many cluster, go to “Joining a<br />
secondary to an existing One-To-Many cluster” on page 15-9.<br />
Joining a secondary to an existing One-To-Many cluster<br />
To join a <strong>Sidewinder</strong> <strong>G2</strong> to an existing One-To-Many cluster, follow<br />
the steps below.<br />
Note: You must add a placeholder for the <strong>Sidewinder</strong> <strong>G2</strong> in the One-To-Many cluster<br />
before it can join the One-To-Many cluster. See “Adding a secondary” on page 15-7.<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong> that will be joining the One-To-Many<br />
cluster using the Admin Console.<br />
2. In the tool bar, select the icon to launch the State Change Wizard.<br />
(You can also access the State Change Wizard by clicking on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> icon in the Admin Console tree and then clicking State<br />
Change Wizard.) The Welcome window appears.<br />
3. Click Next.<br />
4. Select Not Enterprise Managed and click Next.<br />
5. Select One-To-Many Cluster and click Next.<br />
6. Select Join Existing Cluster and click Next.<br />
7. In the Gathering information to join cluster window, configure the<br />
following fields:<br />
a. In the Primary IP Address field, type the IP address in the cluster burb<br />
<strong>of</strong> the primary to which you are registering the secondary.<br />
b. In the Cluster Member Name field, enter the name <strong>of</strong> the secondary<br />
that you are registering (this is the name you entered when you<br />
added the <strong>Sidewinder</strong> <strong>G2</strong> to the One-To-Many cluster).<br />
One-To-Many Clusters 15-9
Configuring One-To-Many<br />
15-10 One-To-Many Clusters<br />
c. In the Registration Key field, enter the registration key for this One-<br />
To-Many cluster (this is the unique, one-time key that you created<br />
for the secondary when you added it to the One-To-Many cluster).<br />
8. Click Next. The State Change Summary window displays a list <strong>of</strong> the<br />
actions that will be performed when you click Execute.<br />
If you want to make changes to your configuration before executing,<br />
click Back to navigate to the appropriate window(s) and make the<br />
necessary changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If<br />
the transition is successful the Success window appears, displaying the<br />
new state.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is successfully joined to the One-To-Many<br />
cluster, it will reboot automatically. When the <strong>Sidewinder</strong> <strong>G2</strong> reboots, it<br />
will be synchronized with the primary, and the One-To-Many cluster will<br />
appear in the Admin Console tree as a single <strong>Sidewinder</strong> <strong>G2</strong> icon. See<br />
“Understanding the One-To-Many tree structure” on page 15-13 for<br />
information on managing your One-To-Many cluster.<br />
Viewing the status <strong>of</strong> a One-To-Many cluster<br />
To view the status <strong>of</strong> a One-To-Many cluster, using the Admin<br />
Console, connect to the primary and select One to Many Management.<br />
The One to Many Management window appears. Follow the steps<br />
below.<br />
1. In the One to Many Management window, click Cluster Status. The<br />
Cluster Member Status window appears.<br />
The Cluster Member Status window consists <strong>of</strong> a table that lists each<br />
<strong>Sidewinder</strong> <strong>G2</strong> in the One-To-Many cluster by row, and provides the<br />
following information:<br />
Member Name—This column lists the name <strong>of</strong> each <strong>Sidewinder</strong> <strong>G2</strong><br />
that is included in the One-To-Many cluster.<br />
Registration State—This column indicates whether the <strong>Sidewinder</strong><br />
<strong>G2</strong> is Active (synchronized and running), Unregistered (running but<br />
not registered and synchronized), or Inactive (registered, but has<br />
not yet been initially synchronized with the primary).
Communications—This column indicates whether a remote<br />
<strong>Sidewinder</strong> <strong>G2</strong> is responding. A value <strong>of</strong> Up indicates that<br />
communication is available. A value <strong>of</strong> Down indicates that the<br />
<strong>Sidewinder</strong> <strong>G2</strong> is <strong>of</strong>fline or otherwise not responding.<br />
Policy State—This column indicates whether the <strong>Sidewinder</strong> <strong>G2</strong><br />
policy is synchronized with the primary. A value <strong>of</strong> Up to date<br />
indicates that the <strong>Sidewinder</strong> <strong>G2</strong> is synchronized with the primary<br />
configuration. A value <strong>of</strong> Not up to date indicates that the<br />
<strong>Sidewinder</strong> <strong>G2</strong> is not synchronized with the primary.<br />
Changing the primary in a One-To-Many cluster<br />
Under certain circumstances, you may need to designate a secondary<br />
as the primary (for example, if the primary will be down indefinitely).<br />
To transfer primary status to a secondary, follow the steps below.<br />
Note: When you change the primary, all <strong>of</strong> the secondaries will be rebooted.<br />
1. In the Admin Console, add a new <strong>Sidewinder</strong> <strong>G2</strong> icon for the secondary<br />
that you want to become the primary by clicking the New Firewall<br />
icon and entering the appropriate information. (This is necessary<br />
because when you register a secondary to a One-To-Many cluster, the<br />
icon for the secondary is removed by default.)<br />
Note: For information on adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console, see<br />
“Adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console” on page 2-4.<br />
2. Connect directly to the secondary by clicking on the secondary that<br />
you added in the previous step. You will receive a warning message<br />
stating that you should only modify information on the primary. Ignore<br />
this message.<br />
3. Select the One To Many Management option at the top <strong>of</strong> the secondary<br />
tree. The One To Many Management window appears.<br />
4. In the One To Many Cluster Member window, select Modify Primary<br />
Address. The Modify Primary Address window appears. See “About the<br />
Modify Primary Address window” on page 15-11.<br />
About the Modify Primary Address window<br />
This window allows you to select a new Sidewinder G2 to take over<br />
as the primary.<br />
1. In the Cluster Burb drop-down list, select the cluster burb.<br />
2. In the One to Many Primary IP Address drop-down list, select the cluster<br />
IP address for this <strong>Sidewinder</strong> <strong>G2</strong>.<br />
3. Click OK. You will be prompted to verify your decision. Click Yes to<br />
transfer primary status to this <strong>Sidewinder</strong> <strong>G2</strong>. The secondaries that will<br />
be managed by the new primary will be rebooted at this time. When<br />
the secondaries finish rebooting, they will recognize the new primary.<br />
Removing <strong>Sidewinder</strong> <strong>G2</strong>s from a One-To-Many cluster<br />
The following procedures allow you to delete one or more<br />
<strong>Sidewinder</strong> <strong>G2</strong>s from a One-To-Many cluster. This will cause the<br />
<strong>Sidewinder</strong> <strong>G2</strong>(s) to revert to a stand-alone <strong>Sidewinder</strong> <strong>G2</strong>. Follow the<br />
steps below.<br />
Removing a secondary from a One-To-Many cluster<br />
To remove a secondary from a One-To-Many cluster, follow the steps<br />
below. Repeat for each secondary you want to remove.<br />
1. Using the Admin Console, connect to the primary.<br />
2. Select the One To Many Management option at the top <strong>of</strong> the<br />
<strong>Sidewinder</strong> <strong>G2</strong> tree. The One To Many Cluster Management window<br />
appears.<br />
3. Highlight the <strong>Sidewinder</strong> <strong>G2</strong> that you want to remove from the cluster,<br />
and click Delete. You will be prompted to confirm your decision. Click<br />
Yes.<br />
A pop-up window appears informing you that the secondary will be<br />
rebooted. Click OK to reboot the secondary. When the <strong>Sidewinder</strong> <strong>G2</strong><br />
reboots, it will no longer be part <strong>of</strong> the One-To-Many cluster and will be<br />
managed by making a direct connection to that <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Changes will no longer be replicated to the <strong>Sidewinder</strong> <strong>G2</strong>. To make a<br />
direct connection to the stand-alone <strong>Sidewinder</strong> <strong>G2</strong>, you will need to<br />
create a new <strong>Sidewinder</strong> <strong>G2</strong> icon in the Admin Console tree branch. See<br />
“Adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console” on page 2-4.<br />
Removing the primary from a One-To-Many cluster<br />
To remove the primary from a One-To-Many cluster, follow the steps<br />
below.<br />
Note: You must remove all <strong>of</strong> the secondaries from the One-To-Many cluster before you<br />
can access the State Change Wizard to remove the primary.
1. Connect to the One-To-Many cluster using the Admin Console.<br />
2. In the tool bar, select the icon to launch the State Change Wizard.<br />
(You can also access the State Change Wizard by clicking on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> icon in the Admin Console tree and then clicking State<br />
Change Wizard.) The Welcome window appears.<br />
3. Click Next.<br />
4. Select Change To Standalone Firewall.<br />
5. Click Next. The State Change Summary window displays a list <strong>of</strong> the<br />
actions that will be performed when you click Execute.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If<br />
the transition is successful the Success window appears, displaying the<br />
new state.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is successfully removed from the One-To-<br />
Many cluster, it will reboot automatically. When the <strong>Sidewinder</strong> <strong>G2</strong><br />
reboots, it will be a standalone <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Understanding the One-To-Many tree structure<br />
The Admin Console tree structure is slightly different in a One-To-<br />
Many cluster environment. When you configure One-To-Many, all<br />
<strong>Sidewinder</strong> <strong>G2</strong>s are managed within a single Admin Console<br />
connection to the primary. All secondary icons are removed from the<br />
tree.<br />
Areas within the primary connection that are synchronized (that is,<br />
areas in which the information for all <strong>Sidewinder</strong> <strong>G2</strong>s must be the<br />
same) will appear as a single tree option within the primary. When<br />
you modify information within those areas, it will automatically be<br />
applied to all <strong>Sidewinder</strong> <strong>G2</strong>s that are part <strong>of</strong> the One-To-Many<br />
cluster.<br />
Information specific to individual <strong>Sidewinder</strong> <strong>G2</strong>s within the One-To-<br />
Many cluster that cannot be synchronized between <strong>Sidewinder</strong> <strong>G2</strong>s<br />
(such as Configuration Backup and Audit) will include a sub-folder<br />
within the primary that provides an icon for each <strong>Sidewinder</strong> <strong>G2</strong> in<br />
the One-To-Many cluster. To modify these features, select the<br />
individual <strong>Sidewinder</strong> <strong>G2</strong> icon and make the changes. These changes<br />
will apply only to the <strong>Sidewinder</strong> <strong>G2</strong> that you have selected and will<br />
not be overwritten by the primary.<br />
Figure 15-4. Example of an individually configured area<br />
Important: DNS is the only exception to this structure. To configure DNS settings on a<br />
secondary, you will need to add the secondary server icon and connect directly to that<br />
<strong>Sidewinder</strong> <strong>G2</strong>. All other features should be configured using the primary connection to<br />
avoid being overwritten. (For information on adding a <strong>Sidewinder</strong> <strong>G2</strong> server icon, see<br />
“Adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console” on page 2-4.)<br />
Figure 15-4 below demonstrates the difference between individually<br />
configured areas <strong>of</strong> the One-To-Many cluster (Configuration Backup<br />
and Date and Time) and a synchronized area <strong>of</strong> the One-To-Many<br />
cluster (Burb Configuration).<br />
To modify individually configured information for a particular<br />
<strong>Sidewinder</strong> <strong>G2</strong>, simply select that icon for the <strong>Sidewinder</strong> <strong>G2</strong> and<br />
make the desired changes. Changes to an individual <strong>Sidewinder</strong> <strong>G2</strong><br />
will be applied only to that <strong>Sidewinder</strong> <strong>G2</strong> and will not be overwritten<br />
by changes made to the other <strong>Sidewinder</strong> <strong>G2</strong>.<br />
The following tables summarize which features are synchronized and<br />
which features are configured individually in a One-To-Many cluster:<br />
Features that are synchronized in a One-To-Many cluster:<br />
— Policy Configuration<br />
— Proxies<br />
— Servers (excludes sendmail configuration files)<br />
— Scanner<br />
— Static Routing<br />
— Authentication<br />
— Certificate Management<br />
— Firewall Accounts<br />
— Burb Configuration<br />
— SmartFilter<br />
— VPN Configuration<br />
— Alarm Configuration<br />
— UI Access Control<br />
Figure 15-4 callouts: Burb Configuration is synchronized (changes made are<br />
sent to all Sidewinder G2s within the One-To-Many cluster, and you cannot<br />
select an individual Sidewinder G2). Configuration Backup and Date and<br />
Time are configured on an individual Sidewinder G2 basis.
Features that are configured individually in a One-To-Many cluster:<br />
— Servers: Sendmail only<br />
— Routing (Dynamic and Routed)<br />
— Firewall Monitoring<br />
— Configuration Backup<br />
— Date and Time<br />
— Software Management<br />
— Reconfigure DNS<br />
— File Editor<br />
— Reconfigure Mail<br />
— DNS (a)<br />
— Audit Viewing<br />
— Reports<br />
— Interface Configuration<br />
— Firewall License<br />
— System Shutdown<br />
a. DNS must be configured by connecting directly to the secondary. All other<br />
features listed in this table are configured using the primary connection. To<br />
connect directly to the secondary, you will need to create a new <strong>Sidewinder</strong><br />
<strong>G2</strong> icon for the secondary and then connect to the <strong>Sidewinder</strong> <strong>G2</strong> using that<br />
<strong>Sidewinder</strong> <strong>G2</strong> icon. (This is because the icon for the secondary is removed<br />
from the Admin Console tree branch when it is successfully added to a cluster.)<br />
For information on adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console, see “Adding<br />
a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console” on page 2-4.<br />
CHAPTER 16<br />
High Availability<br />
About this chapter<br />
This chapter describes how to set up the optional High Availability<br />
(HA) feature. HA allows you to configure load sharing between two<br />
<strong>Sidewinder</strong> <strong>G2</strong>s, or configure a hot backup <strong>Sidewinder</strong> <strong>G2</strong> in your<br />
network. This chapter contains the following topics:<br />
“How High Availability works” on page 16-1<br />
“HA configuration options” on page 16-3<br />
“Configuring HA” on page 16-6<br />
“Managing an HA cluster” on page 16-17<br />
How High Availability works<br />
High Availability requires two <strong>Sidewinder</strong> <strong>G2</strong>s that can be configured<br />
either for load sharing (both the primary and secondary <strong>Sidewinder</strong><br />
<strong>G2</strong>s actively process traffic), or with one <strong>Sidewinder</strong> <strong>G2</strong> acting as a<br />
standby <strong>Sidewinder</strong> <strong>G2</strong> that does not process traffic unless it is called<br />
upon to take over for the primary in the event that the current primary<br />
becomes unavailable. A cluster of Sidewinder G2s configured and<br />
registered for HA is known as an HA cluster.<br />
As shown in Figure 16-1, configuring an HA cluster requires at least<br />
three burbs for each <strong>Sidewinder</strong> <strong>G2</strong>: an internal burb, an external<br />
burb, and a heartbeat burb. Creating a separate heartbeat burb allows<br />
all HA cluster traffic (including the heartbeat message as well as any<br />
stateful session IP Filter traffic) to pass between the HA cluster<br />
<strong>Sidewinder</strong> <strong>G2</strong>s in its own burb, and does not impact regular network<br />
traffic. HA cluster Sidewinder G2s must reside on the same network<br />
and can be connected to one another using a cross-over cable.<br />
Note: For information on configuring stateful session IP Filter rules, see “Creating IP Filter<br />
rules” on page 7-12.<br />
Figure 16-1. Basic HA configuration (diagram: a primary Sidewinder G2 and a<br />
secondary/standby Sidewinder G2 share an internal burb, an external burb<br />
facing the Internet, and a heartbeat burb; each burb carries the primary<br />
address, the secondary/standby address and a cluster common IP address,<br />
as listed in the table below)<br />
To implement an HA cluster in your network, you will need one<br />
additional “cluster common” IP address for each network. The HA<br />
cluster will use these addresses as IP alias addresses. The table below<br />
summarizes the IP addresses needed for this HA configuration.<br />
| | internal burb | external burb | heartbeat burb |<br />
| primary IP | aaa.aaa.aaa.1 | bbb.bbb.bbb.1 | ccc.ccc.ccc.1 |<br />
| secondary/standby IP | aaa.aaa.aaa.3 | bbb.bbb.bbb.3 | ccc.ccc.ccc.3 |<br />
| cluster common IP | aaa.aaa.aaa.5 (a) | bbb.bbb.bbb.5 (a) | ccc.ccc.ccc.5 |<br />
a. In a load sharing HA cluster, the internal and external cluster common IP<br />
addresses are shared between Sidewinder G2s. In a failover HA cluster, they<br />
are assigned to the primary.
In this example, all users in the internal or external network must use<br />
the cluster address (aaa.aaa.aaa.5 or bbb.bbb.bbb.5, respectively).<br />
Only system administrators should know about the other IP addresses.<br />
The same concept applies for DNS names.<br />
Tip: When configuring an existing single <strong>Sidewinder</strong> <strong>G2</strong> configuration to become an HA<br />
cluster, consider using the existing interface addresses as the cluster addresses and getting<br />
new IP addresses for the actual NICs. This lessens the impact on your users, who will not<br />
have to change their perception <strong>of</strong> the "<strong>Sidewinder</strong> <strong>G2</strong>" address.<br />
HA configuration options<br />
You can configure HA to perform load sharing (with both Sidewinder<br />
<strong>G2</strong>s actively processing traffic) or failover (with one <strong>Sidewinder</strong> <strong>G2</strong><br />
processing traffic and the other <strong>Sidewinder</strong> <strong>G2</strong> standing by as a hot<br />
backup). The following sections discuss each HA configuration<br />
option.<br />
Load sharing HA<br />
Load sharing HA consists <strong>of</strong> two <strong>Sidewinder</strong> <strong>G2</strong>s that actively process<br />
traffic in a load sharing capacity. When a secondary is registered to an<br />
HA cluster, synchronized areas will be overwritten by the HA cluster<br />
configuration to match the primary. (To determine which areas are<br />
synchronized, see “Managing an HA cluster” on page 16-17.) Each<br />
<strong>Sidewinder</strong> <strong>G2</strong> maintains its own private (individual) address, the<br />
cluster common address for each interface (excluding the heartbeat<br />
interface), and any other alias addresses. The <strong>Sidewinder</strong> <strong>G2</strong>s are then<br />
able to coordinate traffic processing on a single shared IP address<br />
using a multicast Ethernet address to ensure that each connection<br />
(and the packets associated with that connection) is handled by the<br />
same <strong>Sidewinder</strong> <strong>G2</strong>. To configure load sharing HA, both <strong>Sidewinder</strong><br />
<strong>G2</strong>s must have the same hardware configuration (e.g., CPU speed,<br />
memory, active NICs).<br />
In a load sharing HA configuration, the primary is assigned the cluster<br />
address for the heartbeat burb as an alias, allowing it to communicate<br />
with the secondary. When the secondary or standby is brought online,<br />
it activates its interface IP addresses. The primary will then begin to<br />
"multicast" a heartbeat message. The heartbeat uses IPSec<br />
authentication (AH) to ensure that the messages are correct. The<br />
secondary “listens” for this heartbeat and sends an acknowledgement<br />
to the primary. If one of the Sidewinder G2s becomes unavailable (that<br />
is, a heartbeat message or acknowledgement is not received by a<br />
<strong>Sidewinder</strong> <strong>G2</strong> for the specified amount <strong>of</strong> time), the remaining<br />
<strong>Sidewinder</strong> <strong>G2</strong> takes over and assumes responsibility for processing<br />
all traffic.<br />
If one <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>s unexpectedly becomes unavailable and<br />
the remaining <strong>Sidewinder</strong> <strong>G2</strong> takes over processing all traffic, any<br />
active proxy sessions and non-stateful IP filter sessions that were<br />
assigned to the unavailable <strong>Sidewinder</strong> <strong>G2</strong> will be lost. IP Filter<br />
sessions that are configured for stateful session failover will not be<br />
lost.<br />
If you know in advance that a <strong>Sidewinder</strong> <strong>G2</strong> will need to be shut<br />
down, you can reduce the number <strong>of</strong> lost connections by scheduling<br />
the shutdown (rather than shutting down immediately). When a<br />
shutdown is scheduled for a later time, a s<strong>of</strong>t shutdown will be<br />
performed to reduce the number <strong>of</strong> sessions that are lost. For<br />
information on s<strong>of</strong>t shutdown, see “Scheduling a s<strong>of</strong>t shutdown for an<br />
HA cluster <strong>Sidewinder</strong> <strong>G2</strong>” on page 16-27.<br />
Certain connections in a load sharing HA cluster will be assigned to<br />
the primary. For example, connections that are used for <strong>Sidewinder</strong><br />
<strong>G2</strong> management purposes (Admin Console, telnet, SSH) that are<br />
addressed to the shared cluster address will be assigned to the<br />
primary. In the event that the primary becomes unavailable, new<br />
connections will be assigned to the new primary, and existing<br />
connections will remain intact. SNMP connections that are addressed<br />
to the shared address will also be assigned to the primary.<br />
Connections that are specifically addressed to an individual<br />
Sidewinder G2 address will be assigned to the specified Sidewinder<br />
<strong>G2</strong>.<br />
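The following Python model is an added example, not code from this guide or from the Sidewinder G2 product. It applies the connection-assignment rules described above for a load sharing cluster: connections addressed to an individual member go to that member, management and SNMP connections addressed to the shared cluster address go to the acting primary, and all other connections to the shared address are pinned to one member so that every packet of a connection lands on the same Sidewinder G2. The page does not say how that pinning is computed, so hashing the connection tuple is an assumption, as are the member addresses (taken from the Figure 16-1 placeholders) and the set of management ports.

```python
import hashlib
from typing import Optional, Set

# Constructed from the Figure 16-1 placeholders: the internal cluster common
# address and each member's own internal address.
CLUSTER_IP = "aaa.aaa.aaa.5"
MEMBER_BY_IP = {"aaa.aaa.aaa.1": "primary", "aaa.aaa.aaa.3": "secondary"}

# Assumed management/SNMP destination ports. The guide names the services
# (Admin Console, telnet, SSH, SNMP) but not their port numbers.
MANAGEMENT_PORTS = {22, 23, 161, 9003}


def acting_primary(available: Set[str]) -> str:
    """The configured primary while it is up; otherwise the remaining member."""
    return "primary" if "primary" in available else sorted(available)[0]


def assign_connection(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                      proto: str = "tcp", available: Optional[Set[str]] = None) -> str:
    """Return the member that owns a new connection under the documented rules."""
    members = set(available) if available is not None else set(MEMBER_BY_IP.values())
    if not members:
        raise RuntimeError("no HA cluster member is available")

    # Addressed to an individual Sidewinder G2: that member handles it.
    if dst_ip in MEMBER_BY_IP:
        member = MEMBER_BY_IP[dst_ip]
        if member not in members:
            raise RuntimeError(f"{member} is unavailable")
        return member

    if dst_ip != CLUSTER_IP:
        raise ValueError(f"{dst_ip} is neither the cluster address nor a member address")

    # Management and SNMP sessions to the shared address stay on the primary.
    if dst_port in MANAGEMENT_PORTS:
        return acting_primary(members)

    # Everything else to the shared address: deterministic choice per connection
    # tuple, so every packet of one connection is handled by the same member
    # (hash-based selection is this example's assumption).
    key = f"{proto}|{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    bucket = hashlib.sha256(key).digest()[0]
    ordered = sorted(members)
    return ordered[bucket % len(ordered)]


if __name__ == "__main__":
    print("admin console ->", assign_connection("10.1.1.20", 40000, CLUSTER_IP, 9003))
    print("web flow      ->", assign_connection("10.1.1.20", 40001, CLUSTER_IP, 80))
    print("after failover->", assign_connection("10.1.1.20", 40001, CLUSTER_IP, 80,
                                                available={"secondary"}))
```

Passing `available={"secondary"}` models the case where the primary has become unavailable: new connections, management sessions included, are assigned to the remaining member, which is now the acting primary.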
Failover HA<br />
Failover HA consists <strong>of</strong> one <strong>Sidewinder</strong> <strong>G2</strong> (the primary) actively<br />
processing traffic with the standby acting as a hot backup. When a<br />
standby <strong>Sidewinder</strong> <strong>G2</strong> is registered to an HA cluster, synchronized<br />
areas will be overwritten by the HA cluster configuration. (To<br />
determine which areas are synchronized, see “Managing an HA<br />
cluster” on page 16-17.) Once registered, the standby monitors the<br />
primary through an Ethernet-based "heartbeat" mechanism that<br />
functions between <strong>Sidewinder</strong> <strong>G2</strong>s. If the standby determines that the<br />
primary is unavailable, the standby takes over and assumes the role <strong>of</strong><br />
the primary. When a standby takes over networking functions, any<br />
active proxy sessions through the primary are lost. IP Filter sessions<br />
that are configured for stateful session failover will not be lost.
You can configure failover HA in one <strong>of</strong> two ways:<br />
primary-standby—In a primary-standby configuration, if the primary<br />
becomes unavailable, the standby takes over as the acting primary<br />
only until the primary becomes available again. (This option is<br />
generally used if you have <strong>Sidewinder</strong> <strong>G2</strong>s that do not share the<br />
same hardware configuration.)<br />
peer-to-peer—In a peer-to-peer configuration, both Sidewinder<br />
<strong>G2</strong>s are configured as standbys with the same takeover time<br />
setting. This allows whichever <strong>Sidewinder</strong> <strong>G2</strong> boots up first to act<br />
as the primary. If the primary becomes unavailable, the peer<br />
<strong>Sidewinder</strong> <strong>G2</strong> (acting as the standby) will take over as the<br />
primary and will remain as the acting primary until it becomes<br />
unavailable, at which time the peer will again take over as the<br />
acting primary. This is the recommended failover HA<br />
configuration. However, to configure peer-to-peer HA, both<br />
<strong>Sidewinder</strong> <strong>G2</strong>s must have similar hardware configurations.<br />
When the primary is brought online, it activates both the cluster and<br />
interface IP addresses. (Remember, you must inform all users that the<br />
cluster address is the <strong>Sidewinder</strong> <strong>G2</strong> address, so all traffic still passes<br />
through the primary.) When the secondary or standby is brought<br />
online, it activates its interface IP addresses. The primary will then<br />
begin to "multicast" a heartbeat message. The heartbeat uses IPSec<br />
authentication (AH) to ensure that the messages are correct. The<br />
secondary or standby "listens" for this heartbeat.<br />
Suppose the primary is accidentally powered <strong>of</strong>f for a period <strong>of</strong> time.<br />
When the standby does not receive a heartbeat signal for a number <strong>of</strong><br />
seconds (based on the takeover setting <strong>of</strong> the standby), it sets the<br />
cluster common IP addresses on its interfaces. In the process, the<br />
standby clears its address resolution protocol (ARP) cache and<br />
attempts to generate a "gratuitous ARP." Most systems will immediately<br />
determine that the standby is now responsible for the addresses by<br />
which the primary is known, and new connections will be established<br />
through the new acting primary.<br />
Note: Unfortunately, there may be a number <strong>of</strong> reasons why the gratuitous ARP is not<br />
received: a remote system may not recognize the message, the message may be blocked by<br />
certain switches, it may fail due to timing issues, etc. Often this can be resolved by flushing<br />
the ARP caches in the remote system. Many <strong>of</strong> these remote systems have ways to shorten<br />
the time that entries stay in the ARP cache; these should be set to time periods in the three<br />
to five minute range.<br />
If you configured a primary-standby configuration, when the<br />
<strong>Sidewinder</strong> <strong>G2</strong> that is configured as the primary is powered on or<br />
reactivated, it will begin sending a heartbeat message. When the<br />
standby (temporarily acting as the primary) receives the heartbeat<br />
message, it immediately drops the cluster common IP addresses so the<br />
primary can again assume responsibility. Established connections<br />
through the standby will continue to run for a period <strong>of</strong> time, but<br />
eventually all traffic will again pass through the primary. (In a peer-to-peer<br />
configuration, the Sidewinder G2 that takes over as the acting<br />
primary will remain as the primary until it becomes unavailable.)<br />
Note: When a takeover event occurs, there can be a number <strong>of</strong> netprobe events detected<br />
when connections take time to detect the switch <strong>of</strong> systems.<br />
Configuring HA<br />
This section provides the basic information you need to configure an<br />
HA cluster. Before you begin, sketch a diagram showing your planned<br />
configuration (similar to the diagram in Figure 16-1) for reference.<br />
Include the following items on your diagram:<br />
interfaces<br />
IP addresses<br />
HA cluster common IP addresses<br />
burb names<br />
Before you configure HA, the following conditions must be met:<br />
Both <strong>Sidewinder</strong> <strong>G2</strong>s must be at the same version.<br />
A dedicated heartbeat burb and interface must be configured on<br />
each <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: For load sharing HA, the interface used for the heartbeat burb must be at<br />
least as fast as the fastest load sharing interfaces on your <strong>Sidewinder</strong> <strong>G2</strong>. For<br />
information on configuring the heartbeat burb, see “Configuring the heartbeat<br />
burbs” on page 16-7.<br />
The following areas must be configured identically on both<br />
<strong>Sidewinder</strong> <strong>G2</strong>s before you configure HA:<br />
— number and types <strong>of</strong> interfaces<br />
— number <strong>of</strong> burbs<br />
— burb names (burb names are case-sensitive)<br />
— burb indices<br />
— user-defined proxies
— DNS configuration (For example, if the primary is configured<br />
to use transparent DNS, the secondary must also be<br />
configured to use transparent DNS. If the DNS configuration<br />
types are not the same, DNS will not work on the secondary<br />
once HA is configured.)<br />
Note: All other configuration information will be overwritten on the<br />
secondary/standby when HA is configured.<br />
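The following Python pre-flight check is an added example, not code from this guide or from the Sidewinder G2 product. It takes the items the planning diagram above calls for (interfaces, IP addresses, cluster common IP addresses, burb names) for both Sidewinder G2s and reports every condition listed in this section that is not met: matching versions, a dedicated enabled heartbeat interface that is at least as fast as the load sharing interfaces, identical interface counts and types, burb counts, case-sensitive burb names and indices, user-defined proxies, and DNS configuration type, plus a check that each burb's primary, secondary and cluster common addresses are three distinct valid addresses. The configuration snapshots, their field names and the documentation-range addresses are constructed for the example; they are not a Sidewinder G2 export format.

```python
import ipaddress
from copy import deepcopy
from typing import Any, Dict, List

# Constructed snapshot of the primary (assumed field names; not a product format).
PRIMARY: Dict[str, Any] = {
    "version": "6.1.1",
    "dns_mode": "transparent",
    "burbs": [{"name": "internal", "index": 1},
              {"name": "external", "index": 2},
              {"name": "heartbeat", "index": 3}],
    "interfaces": [
        {"burb": "internal", "type": "ethernet", "speed_mbit": 1000, "enabled": True,
         "ip": "192.0.2.1", "cluster_ip": "192.0.2.5"},
        {"burb": "external", "type": "ethernet", "speed_mbit": 1000, "enabled": True,
         "ip": "198.51.100.1", "cluster_ip": "198.51.100.5"},
        {"burb": "heartbeat", "type": "ethernet", "speed_mbit": 1000, "enabled": True,
         "ip": "203.0.113.1", "cluster_ip": "203.0.113.5"},
    ],
    "user_proxies": ["custom-8443"],
}

# A correctly prepared secondary: same layout, its own .3 addresses (as in the table above).
SECONDARY_OK: Dict[str, Any] = deepcopy(PRIMARY)
for _iface in SECONDARY_OK["interfaces"]:
    _iface["ip"] = _iface["ip"][:-1] + "3"

# A secondary with three typical mistakes: burb name case, slow heartbeat NIC, missing proxy.
SECONDARY_BAD: Dict[str, Any] = deepcopy(SECONDARY_OK)
SECONDARY_BAD["burbs"][1]["name"] = "External"
SECONDARY_BAD["interfaces"][1]["burb"] = "External"
SECONDARY_BAD["interfaces"][2]["speed_mbit"] = 100
SECONDARY_BAD["user_proxies"] = []


def _heartbeat_findings(label: str, cfg: Dict[str, Any], hb_burb: str, load_sharing: bool) -> List[str]:
    """Dedicated heartbeat burb with an enabled interface, fast enough for load sharing."""
    out: List[str] = []
    if hb_burb not in {b["name"] for b in cfg["burbs"]}:
        out.append(f"{label}: no burb named {hb_burb!r}")
    hb = [i for i in cfg["interfaces"] if i["burb"] == hb_burb and i["enabled"]]
    if not hb:
        out.append(f"{label}: no enabled interface assigned to the heartbeat burb")
        return out
    if load_sharing:
        fastest = max((i["speed_mbit"] for i in cfg["interfaces"] if i["burb"] != hb_burb), default=0)
        if hb[0]["speed_mbit"] < fastest:
            out.append(f"{label}: heartbeat interface is {hb[0]['speed_mbit']} Mbit/s but the "
                       f"fastest load sharing interface is {fastest} Mbit/s")
    return out


def preflight(primary: Dict[str, Any], secondary: Dict[str, Any],
              hb_burb: str = "heartbeat", load_sharing: bool = True) -> List[str]:
    """Return the list of unmet HA preconditions; an empty list means ready to configure."""
    findings: List[str] = []
    if primary["version"] != secondary["version"]:
        findings.append(f"version mismatch: {primary['version']} vs {secondary['version']}")
    for label, cfg in (("primary", primary), ("secondary", secondary)):
        findings += _heartbeat_findings(label, cfg, hb_burb, load_sharing)
    p_types = sorted(i["type"] for i in primary["interfaces"])
    s_types = sorted(i["type"] for i in secondary["interfaces"])
    if p_types != s_types:
        findings.append(f"interface number/types differ: {p_types} vs {s_types}")
    if len(primary["burbs"]) != len(secondary["burbs"]):
        findings.append("number of burbs differs")
    p_burbs = {(b["name"], b["index"]) for b in primary["burbs"]}     # exact case on purpose
    s_burbs = {(b["name"], b["index"]) for b in secondary["burbs"]}
    if p_burbs != s_burbs:
        findings.append(f"burb names/indices differ (names are case-sensitive): {sorted(p_burbs ^ s_burbs)}")
    if sorted(primary["user_proxies"]) != sorted(secondary["user_proxies"]):
        findings.append("user-defined proxies differ")
    if primary["dns_mode"] != secondary["dns_mode"]:
        findings.append(f"DNS configuration type differs: {primary['dns_mode']} vs {secondary['dns_mode']}")
    # Address plan: per burb, primary, secondary and cluster common addresses are distinct.
    s_by_burb = {i["burb"]: i for i in secondary["interfaces"]}
    for p in primary["interfaces"]:
        s = s_by_burb.get(p["burb"])
        if s is None:
            continue                           # already reported as a burb mismatch
        addrs = [p["ip"], s["ip"], p["cluster_ip"]]
        try:
            distinct = {ipaddress.ip_address(a) for a in addrs}
        except ValueError as exc:
            findings.append(f"{p['burb']}: bad address ({exc})")
            continue
        if len(distinct) != 3:
            findings.append(f"{p['burb']}: primary, secondary and cluster common addresses must be distinct: {addrs}")
        if p["cluster_ip"] != s["cluster_ip"]:
            findings.append(f"{p['burb']}: cluster common address differs between members")
    return findings


if __name__ == "__main__":
    for f in preflight(PRIMARY, SECONDARY_BAD) or ["ready to configure HA"]:
        print("-", f)
```

Run it against both members before launching the State Change Wizard; the burb-name comparison deliberately keeps case, because the guide states that burb names are case-sensitive, and the heartbeat speed check is only enforced when `load_sharing` is true, matching the note above.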
Configuring the heartbeat burbs<br />
You must configure a dedicated heartbeat burb and interface on each<br />
<strong>Sidewinder</strong> <strong>G2</strong> before configuring an HA cluster. Follow the steps<br />
below for each <strong>Sidewinder</strong> <strong>G2</strong>.<br />
1. Ensure that the <strong>Sidewinder</strong> <strong>G2</strong> has an interface that can be dedicated to<br />
HA traffic.<br />
Note: For load sharing, the interface used for the heartbeat burb must be at least as<br />
fast as the fastest load sharing interfaces on your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2. In the Admin Console, connect to the <strong>Sidewinder</strong> <strong>G2</strong> and create a<br />
heartbeat burb (select Firewall <strong>Administration</strong> -> Burb Configuration).<br />
For troubleshooting purposes, select the Respond to ICMP echo and<br />
timestamp check box.<br />
Note: See “Modifying the burb configuration” on page 3-48 for detailed information<br />
on creating a new burb.<br />
3. Click the Save icon in the toolbar.<br />
4. Go to Firewall <strong>Administration</strong> -> Interface Configuration and assign the<br />
heartbeat burb and IP address to the appropriate interface. (Be sure to<br />
enable the interface.)<br />
Note: See “Modifying the interface configuration” on page 3-50 for detailed<br />
information on configuring a new interface.<br />
5. Click the Save icon in the toolbar. (You do not need to reboot at this<br />
time.)<br />
6. Repeat these steps for each <strong>Sidewinder</strong> <strong>G2</strong> that will be participating in<br />
the HA cluster.<br />
Important: When you have configured a heartbeat burb and interface for each<br />
<strong>Sidewinder</strong> <strong>G2</strong>, be sure to test the network connectivity between the two <strong>Sidewinder</strong><br />
<strong>G2</strong>s for the heartbeat interface. Network connectivity must exist between the<br />
<strong>Sidewinder</strong> <strong>G2</strong>s on this burb to successfully configure HA.<br />
Configuring HA<br />
Configuring <strong>Sidewinder</strong> <strong>G2</strong> for HA<br />
Once you have configured a heartbeat burb for each <strong>Sidewinder</strong> <strong>G2</strong><br />
and have verified network connectivity between the <strong>Sidewinder</strong> <strong>G2</strong>s<br />
on the heartbeat interface, you can configure the <strong>Sidewinder</strong> <strong>G2</strong>s for<br />
HA. Follow the steps below.<br />
Important: It is recommended that you perform a system backup before configuring<br />
HA. See “Backing up system files” on page A-4 for details.<br />
Configuring the first <strong>Sidewinder</strong> <strong>G2</strong> in a new HA cluster<br />
To configure the first <strong>Sidewinder</strong> <strong>G2</strong> in a new HA cluster, follow the<br />
steps below.<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong> that will become the primary using the<br />
Admin Console.<br />
Note: If you are planning to configure a load sharing or peer-to-peer HA cluster, it<br />
does not matter which <strong>Sidewinder</strong> <strong>G2</strong> you configure first.<br />
2. Configure all functions and features other than HA.<br />
3. Verify that you have a dedicated heartbeat burb and interface<br />
configured for HA on this <strong>Sidewinder</strong> <strong>G2</strong>. See “Configuring the<br />
heartbeat burbs” on page 16-7 for instructions.<br />
4. In the tool bar, click the State Change Wizard icon to launch the State Change Wizard. (You can<br />
also access the State Change Wizard by clicking on the Sidewinder G2<br />
icon in the Admin Console tree and then clicking State Change Wizard.)<br />
The Welcome window appears. Read the Welcome window and then<br />
click Next.<br />
5. Select Not Enterprise Managed and then click Next.<br />
6. Select HA Cluster and then click Next.<br />
7. Select Create New Cluster and then click Next.
8. Select the HA configuration that you want to create, and then click Next.<br />
Peer-To-Peer HA—Both <strong>Sidewinder</strong> <strong>G2</strong>s are configured as standbys<br />
with the same takeover time setting. Whichever <strong>Sidewinder</strong> <strong>G2</strong><br />
boots up first will act as the primary. If the primary becomes<br />
unavailable, the peer (acting as the standby) will take over as the<br />
primary and will remain as the acting primary until it becomes<br />
unavailable, at which time the peer will again take over as the<br />
acting primary. This is the recommended failover HA configuration.<br />
Load-Sharing HA—Load sharing HA consists <strong>of</strong> two <strong>Sidewinder</strong><br />
<strong>G2</strong>s that actively process traffic in a load sharing capacity. For more<br />
information on load sharing HA, see “Load sharing HA” on page 16-3.<br />
Primary-Standby HA—If the primary becomes unavailable, the<br />
standby takes over as the acting primary only until the primary<br />
becomes available again. (This option is generally used if you have<br />
<strong>Sidewinder</strong> <strong>G2</strong>s that do not share the same hardware<br />
configuration.) For more information on primary-standby HA, see<br />
“Failover HA” on page 16-4.<br />
Note: To configure peer-to-peer HA or load sharing HA, both <strong>Sidewinder</strong> <strong>G2</strong>s<br />
must have the same hardware configuration.<br />
9. [Conditional] In the High Availability Takeover Time window, specify the<br />
number <strong>of</strong> seconds that the primary must be unavailable before the<br />
secondary/standby will begin the takeover process. The default value is<br />
13 seconds.<br />
Note: This window does not appear if you selected the Primary-Standby HA<br />
option. For primary-standby HA, the takeover time is 3 seconds for the primary and<br />
13 seconds for the secondary/standby by default and cannot be modified in the State Change<br />
Wizard.<br />
Click Next. The High Availability Cluster Common Addresses window<br />
appears.<br />
10. The High Availability Cluster Common Addresses window allows you to<br />
configure the cluster common addresses for the interfaces in your HA<br />
cluster. It also allows you to specify the heartbeat burb, which is<br />
responsible for sending and receiving heartbeats. Do the following, and<br />
then click Next:<br />
a. Select the interface row that you want to configure, and click<br />
Configure. The High Availability Aliases window appears.<br />
b. In the Cluster Common IP Address field, type the common IP address<br />
for the interface that will be shared between <strong>Sidewinder</strong> <strong>G2</strong>s within<br />
the HA cluster.<br />
Note: The cluster address is the address most systems should use to<br />
communicate with or through the <strong>Sidewinder</strong> <strong>G2</strong>, meaning that DNS, default<br />
routes, etc. need to be aware <strong>of</strong> this address.<br />
c. Click OK.<br />
d. Repeat step a through step c for each interface that will use HA.<br />
e. In the Heartbeat Burb drop-down list, select the burb that HA will<br />
use to send or receive heartbeats. (A heartbeat is a short message<br />
that is sent out at specific intervals to verify whether a <strong>Sidewinder</strong><br />
<strong>G2</strong> is operational.) This must be a dedicated burb.<br />
f. [Optional] If you want to skip the advanced configuration windows<br />
and use the default values, select the Use default advanced High<br />
Availability properties and skip advanced screens check box.<br />
If you select this check box, the following configuration options will<br />
be made automatically:<br />
IPSec authentication password and authentication type will be<br />
automatically selected.<br />
HA identification cluster ID and multicast address will be<br />
automatically assigned.<br />
Remote test configuration options will not be configured.<br />
If you want to modify or configure any <strong>of</strong> these properties, deselect<br />
the Use default advanced High Availability properties and skip<br />
advanced screens check box and click Next to access the Advanced<br />
General Properties and Advanced Network Properties windows.<br />
11. [Conditional] The High Availability Advanced General Properties<br />
window allows you to configure IPSec Authentication values and High<br />
Availability identification values. Modify any <strong>of</strong> the following values:<br />
Note: This window does not appear if you selected the Use default advanced High<br />
Availability properties and skip advanced screens check box in the High<br />
Availability Cluster Common Addresses window.<br />
High Availability Password—Type the password that will be used<br />
to generate the authentication key for IPSec. This password must<br />
be the same for both <strong>Sidewinder</strong> <strong>G2</strong>s because they share the same<br />
virtual firewall ID.<br />
Authentication Type—Select one <strong>of</strong> the following:<br />
— SHA1: Select this option if using HMAC-SHA1 authentication.<br />
— MD5: Select this option if using HMAC-MD5 authentication.
Cluster ID—Select an ID that will be assigned to the HA cluster.<br />
This allows you to distinguish between and manage multiple HA<br />
clusters, if needed. Each <strong>Sidewinder</strong> <strong>G2</strong> with an HA cluster must be<br />
assigned the same cluster ID. Valid values are 1–255.<br />
Multicast Address—This field displays the address <strong>of</strong> the multicast<br />
group used for HA purposes in the heartbeat burb. The default<br />
address is 239.192.0.1. To modify the address, click Edit Address.<br />
When you have finished configuring this window, click Next.<br />
12. [Conditional] The High Availability Advanced Network Properties<br />
window allows you to configure interface testing and force ARP reset<br />
properties. To configure interface testing and/or ARP reset properties,<br />
do the following and then click Next.<br />
Note: For more information on interface testing with HA, see “Interface<br />
configuration issues with HA” on page F-34.<br />
Note: This window does not appear if you selected the Use default advanced High<br />
Availability properties and skip advanced screens check box in the High<br />
Availability Cluster Common Addresses window.<br />
a. In the Interface Test area, configure any remote test IP addresses for<br />
networks that you want to periodically ping, as follows:<br />
Highlight the network row that you want to modify, and click<br />
Modify. The Remote Test window appears.<br />
In the Remote Test IP field, enter the IP address that the<br />
<strong>Sidewinder</strong> <strong>G2</strong> will periodically ping. The remote address must be<br />
a highly reliable system that is directly attached to the <strong>Sidewinder</strong><br />
<strong>G2</strong> network. For example, if you use a VRRP (Virtual Router<br />
Redundancy Protocol) cluster, you can specify the VRRP address <strong>of</strong><br />
the router as your remote ping address. (However, some VRRP<br />
routing clusters will only respond to pings if the configured<br />
primary router is currently acting as the primary. If you are using<br />
this type <strong>of</strong> VRRP routing cluster, you should use an alternative<br />
remote address.)<br />
For load sharing HA, if remote ping fails on one <strong>of</strong> the two cluster<br />
members, that member will become unavailable until the remote<br />
interface is again detected. If there is only one active cluster<br />
member and a remote ping failure is detected, that member will<br />
audit the failure and remain in the cluster until another member<br />
joins the cluster (without a ping failure), or until the remote<br />
system is detected.<br />
Note: If you specify 255.255.255.255 in this field, HA will only test the status <strong>of</strong> the<br />
interface rather than send data to verify that the interface is up.<br />
Click OK to return to the High Availability Advanced Network<br />
Properties window.<br />
b. In the Ping the Remote Test IP field, specify how <strong>of</strong>ten (in seconds)<br />
the HA cluster will ping the remote address to ensure that an<br />
interface and path are operational.<br />
c. In the Consecutive ping failures before takeover field, specify the<br />
number <strong>of</strong> failed ping attempts that must occur before a secondary/<br />
standby takes over as the primary.<br />
If the primary becomes unavailable immediately after a ping<br />
attempt has been issued, the time it takes for a secondary/standby<br />
to take over will be slightly longer (this is because it will take close to<br />
an entire test interval before the first failure is detected).<br />
d. [Conditional] The Force ARP Reset area lists the IP address and burb<br />
<strong>of</strong> each system that you determine needs to update its ARP cache<br />
with the new cluster alias IP. Use this area to list all systems that are<br />
known to ignore gratuitous ARPs, but that need to know the new<br />
cluster alias.<br />
Note: This area is not available if you are configuring Load Sharing HA.<br />
To define a system to be included in the Force ARP Reset list, click<br />
New. The Force ARP Reset window appears. Enter the IP Address and<br />
select the burb for the system, and then click OK.<br />
To modify an entry, highlight the appropriate entry and click Modify.<br />
To delete an IP address from the list, highlight the address and click<br />
Delete.<br />
13. The State Change Summary window displays a list <strong>of</strong> the actions that<br />
will be performed when you click Execute.<br />
Important: The <strong>Sidewinder</strong> <strong>G2</strong> will be automatically rebooted after the transition<br />
process is complete. Carefully review the changes before you click Execute, as<br />
changes you make after initially executing the state change will require an additional<br />
reboot.<br />
If you want to make changes to your configuration before executing,<br />
click Back to navigate to the appropriate window(s) and make the<br />
necessary changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If<br />
the transition is successful the Success window appears, displaying the<br />
new state, and the <strong>Sidewinder</strong> <strong>G2</strong> will automatically reboot. Click Finish.<br />
To add an additional cluster member, see “Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an<br />
existing HA cluster” on page 16-13.
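The interface-test timing in step 12 (the ping interval, the consecutive-failure count, and the note that an outage beginning right after a ping takes nearly a full extra interval to notice) is easier to reason about with a small model. The following Python is an added example written for this guide; it is not part of the Sidewinder G2 guide or product. The scheduler it assumes (pings issued at fixed intervals, replies instantaneous), the names RemoteTest, detection_delay and detection_bounds, and the sample address 192.0.2.1 are all assumptions made for the example.

```python
"""Failure-detection timing for the HA remote interface test (step 12).

Added example, not from the Sidewinder G2 guide or product. It models the
two values the guide exposes, "Ping the Remote Test IP" (interval) and
"Consecutive ping failures before takeover" (count), to show why an outage
that begins right after a ping takes almost a full extra interval to notice.
The scheduler (pings issued at fixed intervals, replies instantaneous) and the
sample addresses are assumptions made for the example.
"""

from dataclasses import dataclass

LINK_STATUS_ONLY = "255.255.255.255"   # guide: test interface status only, send no data


@dataclass(frozen=True)
class RemoteTest:
    remote_ip: str                  # Remote Test IP
    interval_s: float               # Ping the Remote Test IP (seconds)
    failures_before_takeover: int   # Consecutive ping failures before takeover

    def __post_init__(self) -> None:
        if self.interval_s <= 0:
            raise ValueError("ping interval must be positive")
        if self.failures_before_takeover < 1:
            raise ValueError("at least one consecutive failure is required")

    @property
    def sends_pings(self) -> bool:
        """255.255.255.255 switches the test to link status only, with no pings."""
        return self.remote_ip != LINK_STATUS_ONLY


def detection_delay(test: RemoteTest, outage_at_s: float, horizon_s: float = 86400.0) -> float:
    """Seconds from the remote becoming unreachable until the configured number
    of consecutive ping failures has been counted.

    Pings go out at t = 0, interval, 2*interval, ...; a ping issued at or after
    outage_at_s gets no reply, one issued before it resets the failure count.
    """
    if not test.sends_pings:
        raise ValueError("link-status mode does not count ping failures")
    consecutive = 0
    t = 0.0
    while t <= horizon_s:
        if t >= outage_at_s:
            consecutive += 1
            if consecutive == test.failures_before_takeover:
                return t - outage_at_s
        else:
            consecutive = 0
        t += test.interval_s
    raise RuntimeError("outage not detected within the simulation horizon")


def detection_bounds(test: RemoteTest) -> tuple:
    """(best, worst) detection delay: best when the outage starts just before a
    ping, worst when it starts just after one, as the guide's note describes."""
    best = detection_delay(test, outage_at_s=test.interval_s - 1e-9)
    worst = detection_delay(test, outage_at_s=1e-9)
    return best, worst


if __name__ == "__main__":
    sample = RemoteTest("192.0.2.1", interval_s=5.0, failures_before_takeover=3)  # constructed
    print("detection delay bounds (s):", detection_bounds(sample))
```

With a 5-second interval and three consecutive failures, detection takes between two and three intervals (10 to 15 seconds) depending on when the outage starts; the time to takeover then adds the cluster's own takeover handling on top of that.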
Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster<br />
Joining a Sidewinder G2 to an existing HA cluster requires two steps:<br />
Add a placeholder in the HA cluster for that <strong>Sidewinder</strong> <strong>G2</strong> in the<br />
High Availability Common Parameters window. See “Adding a<br />
placeholder in the HA cluster” on page 16-13.<br />
Join the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster using the State Change<br />
Wizard. See “Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster” on<br />
page 16-14.<br />
Note: You must have a dedicated heartbeat burb configured on each <strong>Sidewinder</strong> <strong>G2</strong> that<br />
you register to an HA cluster. See “Configuring the heartbeat burbs” on page 16-7 for<br />
instructions.<br />
Adding a placeholder in the HA cluster<br />
Adding a <strong>Sidewinder</strong> <strong>G2</strong> to an HA cluster creates a placeholder for<br />
that <strong>Sidewinder</strong> <strong>G2</strong> within that HA cluster. Once you have added the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster, you will need to join the <strong>Sidewinder</strong><br />
<strong>G2</strong> to the HA cluster using the State Change Wizard.<br />
To add a placeholder for the new <strong>Sidewinder</strong> <strong>G2</strong> in the existing HA<br />
cluster, do the following:<br />
1. Connect to the HA cluster using the Admin Console, and select High<br />
Availability in the Admin Console tree. The High Availability Common<br />
Parameters tab appears.<br />
2. In the Pair Members area, click New. The Add New Firewall window<br />
appears.<br />
3. In the Name field, enter the name of the Sidewinder G2 you are adding to<br />
the HA cluster.<br />
4. [Conditional] If you selected the Primary/Standby HA mode, in the<br />
Takeover Time field, select the number <strong>of</strong> seconds that the primary<br />
must be unavailable before the secondary/standby will begin the<br />
takeover process. The default value is 13 seconds.<br />
Note: This field does not appear if you selected peer-to-peer HA or load-sharing HA.<br />
5. In the IP Address in Heartbeat Burb field, enter the individual IP address<br />
(in the heartbeat burb) <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> that you are adding to the<br />
HA cluster.<br />
6. In the Registration Key field, create the registration key for this HA<br />
cluster. The key must be at least one character long and may consist <strong>of</strong><br />
alphanumeric characters, hyphens (-), and underscores (_).<br />
Important: You will need the registration key when you join the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
the HA cluster using the State Change Wizard.<br />
7. Click Add to add the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster. You can now join<br />
the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster using the State Change Wizard. See<br />
“Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster” on page 16-14.<br />
Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster<br />
To join a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster, follow the steps<br />
below.<br />
Note: You must add a placeholder for the <strong>Sidewinder</strong> <strong>G2</strong> in the HA cluster before you will<br />
be able to join the HA cluster. See “Adding a placeholder in the HA cluster” on page 16-13.<br />
1. Connect to the <strong>Sidewinder</strong> <strong>G2</strong> that will be joining the HA cluster using<br />
the Admin Console.<br />
2. In the tool bar, click the State Change Wizard icon to launch the State Change Wizard. (You can<br />
also access the State Change Wizard by clicking on the Sidewinder G2<br />
icon in the Admin Console tree and then clicking State Change Wizard.)<br />
The Welcome window appears.<br />
3. Click Next.<br />
4. Select Not Enterprise Managed and click Next.<br />
5. Select HA Cluster and click Next.<br />
6. Select Join Existing HA Cluster and click Next.<br />
7. In the Gathering information to join cluster window, configure the<br />
following fields:<br />
Partner’s Heartbeat Burb IP Address—Enter the heartbeat IP<br />
address <strong>of</strong> the HA partner.<br />
Important: This is the actual heartbeat IP address for the HA partner, not the<br />
cluster common heartbeat IP address.<br />
Cluster Member Name—Enter the name <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> that<br />
you are joining to the HA cluster (the name you entered when you<br />
added this <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster).<br />
Registration Key—Enter the registration key for the HA cluster (the<br />
key that you created when you added this <strong>Sidewinder</strong> <strong>G2</strong> to the<br />
HA cluster in step 6 on page 16-14).
8. Click Next. The State Change Summary window displays a list <strong>of</strong> the<br />
actions that will be performed when you click Execute.<br />
Important: The <strong>Sidewinder</strong> <strong>G2</strong> will be rebooted after the transition process is<br />
complete. Carefully review the changes before you click Execute, as changes you<br />
make after initially executing the state change will require an additional reboot.<br />
If you want to make changes to your configuration before executing,<br />
click Back to navigate to the appropriate window(s) and make the<br />
necessary changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If<br />
the transition is successful the Success window appears, displaying the<br />
new state.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is successfully joined to the HA cluster, it will<br />
reboot automatically. When the <strong>Sidewinder</strong> <strong>G2</strong> reboots, it will be<br />
synchronized with the primary, and the HA cluster will appear in the<br />
Admin Console tree as a single <strong>Sidewinder</strong> <strong>G2</strong> icon. See “Managing an<br />
HA cluster” on page 16-17 for information on managing your HA cluster.<br />
Enabling and disabling load sharing for an HA cluster<br />
If you have an HA cluster configured and want to enable or disable<br />
load sharing, follow the steps below.<br />
Note: For more information on load sharing HA, see “Load sharing HA” on page 16-3.<br />
1. In the Admin Console, connect to the HA cluster and select<br />
High Availability.<br />
2. Click on the plus sign (+) in front of the High Availability branch to<br />
display the individual icons for each <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA<br />
cluster.<br />
3. Select the primary icon. The Local Parameters tab appears.<br />
To determine which <strong>Sidewinder</strong> <strong>G2</strong> is the primary, select High<br />
Availability, and then select the Common Parameters tab and click<br />
Cluster Status.<br />
4. In the Cluster Mode area, enable or disable load sharing by selecting the<br />
appropriate cluster mode as follows:<br />
Designate as part <strong>of</strong> a Load Sharing High Availability Cluster—<br />
Select this option if you want to enable load sharing for the HA<br />
cluster (both <strong>Sidewinder</strong> <strong>G2</strong>s actively process traffic).<br />
Designate as part <strong>of</strong> a Primary/Standby High Availability Cluster—<br />
Select this option if you want to disable load sharing HA and<br />
convert the HA cluster to a failover HA cluster (only one<br />
<strong>Sidewinder</strong> <strong>G2</strong> processes traffic, with the other <strong>Sidewinder</strong> <strong>G2</strong><br />
acting as a hot backup).<br />
5. Click the Save icon in the toolbar.<br />
6. Wait 60 seconds to allow the <strong>Sidewinder</strong> <strong>G2</strong>s to synchronize, and then<br />
reboot each <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA cluster. It is important<br />
that the second <strong>Sidewinder</strong> <strong>G2</strong> be rebooted before the primary is<br />
finished rebooting.<br />
Important: If you do not begin the reboot process for the second <strong>Sidewinder</strong> <strong>G2</strong><br />
before the primary finishes rebooting, it will detect that the second <strong>Sidewinder</strong> <strong>G2</strong> is<br />
configured for a different cluster mode, and the HA cluster will not function properly.<br />
If this happens, you will need to reboot each <strong>Sidewinder</strong> <strong>G2</strong> to synchronize the HA<br />
cluster.<br />
Removing a Sidewinder G2 from an HA cluster<br />
Removing a secondary/standby from an HA cluster<br />
To remove a secondary/standby from an HA cluster, follow the steps<br />
below.<br />
1. Connect to the HA cluster and select High Availability in the Admin<br />
Console tree. The Common Parameters window appears.<br />
2. In the Pair Members table, highlight the secondary/standby and then<br />
click Delete.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is removed from the HA cluster, it will<br />
automatically reboot and become a functioning stand-alone<br />
<strong>Sidewinder</strong> <strong>G2</strong>.
Removing the primary from an HA cluster<br />
You must remove the secondary/standby from the HA cluster before<br />
you can remove the primary from the HA cluster. Once you have<br />
removed the secondary/standby from an HA cluster, follow the steps<br />
below to remove the primary from the HA cluster:<br />
1. Connect to the HA cluster.<br />
2. Access the State Change Wizard by selecting the <strong>Sidewinder</strong> <strong>G2</strong> icon in<br />
the Admin Console tree and then clicking State Change Wizard. The<br />
Welcome window appears.<br />
3. Click Next.<br />
4. Select Change To Standalone State, and then click Next.<br />
5. The State Change Summary window appears listing the actions that will<br />
be performed when you click Execute. To remove the primary from the<br />
HA cluster and return it to the standalone state, click Execute. The<br />
<strong>Sidewinder</strong> <strong>G2</strong> will automatically reboot. Once the <strong>Sidewinder</strong> <strong>G2</strong> is<br />
rebooted, it will become a functioning standalone <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Important: Once the <strong>Sidewinder</strong> <strong>G2</strong> has finished rebooting, the IP address in the<br />
Admin Console Connection window will still display the cluster common IP address.<br />
Before connecting to the standalone <strong>Sidewinder</strong> <strong>G2</strong>, you will need to manually<br />
change the IP address back to the <strong>Sidewinder</strong> <strong>G2</strong>’s individual address.<br />
Note: To cancel the wizard without making any changes, click Cancel.<br />
Managing an HA cluster<br />
Once you have configured an HA cluster, the HA cluster will be<br />
represented in the Admin Console tree by a single <strong>Sidewinder</strong> <strong>G2</strong><br />
icon. When you connect to the HA cluster, you will use the HA cluster<br />
common IP address that you created when you configured HA. This<br />
allows you to manage both <strong>Sidewinder</strong> <strong>G2</strong>s by connecting to the HA<br />
cluster.<br />
Important: If you connect directly to a single <strong>Sidewinder</strong> <strong>G2</strong> outside <strong>of</strong> the HA cluster,<br />
changes you make to synchronized areas for that <strong>Sidewinder</strong> <strong>G2</strong> will be overwritten by the<br />
HA cluster configuration. For information on when and how to connect directly to a single<br />
<strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> an HA cluster, see “Connecting directly to a secondary/<br />
standby” on page 16-29.<br />
Caution: If you modify your hardware interface configuration, HA will not function until<br />
the <strong>Sidewinder</strong> <strong>G2</strong> is rebooted.<br />
Figure 16-2. Example of an individually configured area<br />
Understanding the HA cluster tree structure<br />
The Admin Console tree structure is slightly different for an HA<br />
cluster. As explained above, when you configure an HA cluster, both<br />
<strong>Sidewinder</strong> <strong>G2</strong>s are managed within a single Admin Console<br />
connection.<br />
Areas <strong>of</strong> the HA cluster that are synchronized (that is, areas in which<br />
the information for both <strong>Sidewinder</strong> <strong>G2</strong>s must be the same and<br />
remains in sync via the synchronization server) will appear with a<br />
single tree option. When you modify information within those areas,<br />
the information will automatically be updated for both <strong>Sidewinder</strong><br />
<strong>G2</strong>s.<br />
Information specific to individual <strong>Sidewinder</strong> <strong>G2</strong>s within the HA<br />
cluster (such as configuration backup and restore) will include a subfolder<br />
(indicated by a plus [+] sign) that contains an icon for each<br />
<strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA cluster. To modify information<br />
within these areas, expand the tree branch, select the appropriate<br />
<strong>Sidewinder</strong> <strong>G2</strong>, and make the desired changes. Non-synchronized<br />
modifications to an individual <strong>Sidewinder</strong> <strong>G2</strong> will be applied only to<br />
that <strong>Sidewinder</strong> <strong>G2</strong> and will not be overwritten by changes made to<br />
the other <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Figure 16-2 below demonstrates the difference between an<br />
individually configured area <strong>of</strong> the HA cluster (Reports) and a<br />
synchronized area <strong>of</strong> the HA cluster (Burb Configuration).<br />
Figure 16-2 callouts: Reporting is configured on an individual Sidewinder G2 basis;<br />
Burb Configuration is synchronized, and does not allow you to select a Sidewinder G2.<br />
The High Availability and Interface Configuration areas within the HA<br />
cluster tree include some areas that are synchronized and some that<br />
are configured on an individual Sidewinder G2 basis, as shown in<br />
Figure 16-3 below.
Figure 16-3. Special HA and Interface Configuration options<br />
Figure 16-3 callouts: Synchronized HA information is configured by selecting the main HA option.<br />
HA information specific to a single Sidewinder G2 is configured by selecting a Sidewinder G2.<br />
Synchronized information is configured by selecting the main Interface Config. option.<br />
Interface information specific to a single Sidewinder G2 is configured by selecting a<br />
The following lists summarize the features that are synchronized and<br />
the features that are configured individually in an HA cluster.<br />
Features that are synchronized within an HA cluster<br />
Policy Configuration<br />
Proxies<br />
Servers (a)<br />
Alarm Configuration<br />
DNS (a)<br />
Scanner<br />
Routing<br />
Authentication<br />
VPN<br />
Certificate Management<br />
SmartFilter<br />
UI Access Control<br />
High Availability (Common Parameters)<br />
Firewall Accounts<br />
Burb Configuration<br />
Interface Alias IP addresses<br />
a. If your <strong>Sidewinder</strong> <strong>G2</strong>s are configured for secure split SMTP mail servers or<br />
hosted DNS, those areas must be managed for the secondary/standby by connecting<br />
directly to that <strong>Sidewinder</strong> <strong>G2</strong>. All other features listed in this table are<br />
configured using the HA cluster connection. To connect directly to the secondary/standby,<br />
you will need to add a new <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console<br />
using the <strong>Sidewinder</strong> <strong>G2</strong>’s actual IP address, and then connect to the<br />
<strong>Sidewinder</strong> <strong>G2</strong> directly. (This is because the secondary/standby is removed<br />
from the Admin Console tree branch when it is successfully added to the HA<br />
cluster.) For information on adding a <strong>Sidewinder</strong> <strong>G2</strong> to the Admin Console, see<br />
“Connecting directly to a secondary/standby” on page 16-29.<br />
Features that are configured individually within an HA cluster<br />
Firewall Monitoring<br />
High Availability (Local Parameters)<br />
Interface Configuration<br />
Firewall License<br />
System Shutdown<br />
Audit<br />
Reports<br />
Configuration Backup<br />
Date and Time<br />
Software Management<br />
Tools<br />
File Editor<br />
Modifying HA common parameters<br />
The Common Parameters tab allows you to configure properties that<br />
are common to the HA cluster. To configure common HA parameters,<br />
connect to the HA cluster using the Admin Console and select High<br />
Availability. The following window appears:<br />
Figure 16-1. Common Parameters tab<br />
About the Common Parameters tab<br />
The Common Parameters tab specifies the parameters that will affect<br />
all <strong>Sidewinder</strong> <strong>G2</strong>s in your HA configuration. Follow the steps below.<br />
1. In the High Availability Identification area, do the following:
a. In the Cluster ID field, select an ID that is assigned to the HA cluster. This allows you to distinguish between and manage multiple HA clusters, if needed. Each Sidewinder G2 within an HA cluster must be assigned the same cluster ID. Valid values are 1–255.
b. The Multicast Group Address field displays the address of the multicast group used for HA purposes on the heartbeat burb. The default address is 239.192.0.1. To modify the address, click Edit address. See “Changing the multicast address” on page 16-23 for details on modifying the multicast group address.
c. In the Heartbeat Burb drop-down list, select the burb that HA will use to send or receive a heartbeat. (A heartbeat is a short message that is sent out at specific intervals to verify whether a Sidewinder G2 is operational.) This must be a dedicated heartbeat burb. For information on configuring a dedicated heartbeat burb, see “Configuring the heartbeat burbs” on page 16-7.
2. In the IPSec Authentication area, do the following:
a. In the Authentication Type field, select the type of IPSec authentication to use for HA:
—SHA1: Select this option if using HMAC-SHA1 authentication.
—MD5: Select this option if using HMAC-MD5 authentication.
b. In the Password field, type the password that will be used to generate the authentication key for IPSec. This password must be the same for both Sidewinder G2s because they share the same virtual firewall ID.
3. [Conditional] The Pair Members table lists the Sidewinder G2s that have been added to the HA cluster. To add a Sidewinder G2 to the Pair Members table, see “Adding a placeholder in the HA cluster” on page 16-13. To view the status of the cluster, click Cluster Status. A pop-up window will appear displaying the status of each Sidewinder G2. To close the status information window, click Close.
This table is not available until you successfully promote a primary. Once the primary has been promoted, you can add a second Sidewinder G2 to the HA cluster. However, you must join the second Sidewinder G2 before it will become functional within the HA cluster. See “Joining a Sidewinder G2 to an existing HA cluster” on page 16-14 for information on registering a Sidewinder G2 to an HA cluster.
4. [Conditional] To define a system that requires ARP cache updates, in the Force ARP Reset area, click New and see “Configuring an entry in the Force ARP Reset area” on page 16-23. (This option is not used for load sharing HA.)
The Force ARP Reset area lists the IP address and burb of each system that you determine needs to update its ARP cache with the new cluster alias IP. Use this area to list all systems that are known to ignore gratuitous ARPs, but that need to know the new cluster alias. (To delete an IP address from the list, highlight the address and click Delete.)
5. In the Interface Test area, do the following:
a. In the Time Between Tests field, specify how often (in seconds) the HA cluster will ping the remote address to ensure that an interface and path are operational.
b. In the Consecutive Failures field, specify the number of failed ping attempts that must occur before a secondary/standby takes over as the primary.
Note: If the primary becomes unavailable immediately after a ping attempt has been issued, the time it takes for a secondary/standby to take over will be slightly longer (this is because it will take close to an entire test interval before the first failure is detected).
6. The Interfaces table identifies the burb, HA cluster address, network address, remote test IP address, and cluster MAC address for each interface.
Note: The Cluster MAC column is a read-only column that displays the MAC address for each cluster interface that is defined. Depending on the type of router you are using, this address may be required to configure the router if you have load sharing HA configured. The Cluster MAC is used for all shared cluster addresses and aliases on that interface.
You must define a shared address for each interface being backed up via HA. To define a new interface, click New. To modify an HA cluster IP address, highlight the interface you want to modify, and click Modify. See “Configuring an entry in the Interfaces table” on page 16-24 for details. To delete an interface, highlight the interface and click Delete.
Important: If multiple IP addresses are desired on a single NIC and HA is configured on the Sidewinder G2, only the HA cluster IP address is defined here. All non-HA alias IP addresses are defined in the Interface Configuration window.
7. When you are finished configuring the HA parameters for this Sidewinder G2, click the Save icon to save your changes.
Important: You must reboot before your changes will take effect.
Changing the multicast address
The Edit Multicast Group window allows you to specify different multicast addresses for an HA cluster. Do not specify an address that conflicts with other multicast groups on the heartbeat burb. Addresses in the range of 239.192.0.0 to 239.251.255.255 have been reserved by RFC 2365 for locally administered multicast addresses. Boundary routers should be configured to not pass your selected address if such a feature exists.
To restore the default address (239.192.0.1), click Restore Default.
Important: If the default is not used, you should change the reverse lookup files in DNS to allow DNS reverse resolution of the multicast address. Refer to the /etc/namedb.u/failover.rev file.
Configuring an entry in the Force ARP Reset area
The Force ARP Reset window allows you to specify the IP address and its associated burb for each system that would ignore the gratuitous ARP containing the new cluster alias. To add this information, follow the steps below.
Note: The Force ARP Reset area is not used for load sharing HA.
1. In the IP Address field, enter the system’s IP address.
2. In the Burb field, select the burb that connects to that system’s network.
3. Click OK to save the information, or click Close to close the window without saving your changes.
Configuring an entry in the Interfaces table
The Cluster IP window allows you to specify the cluster common IP address for your interfaces. You will need to configure a cluster IP address for each interface that uses HA. Follow the steps below.
Note: Be sure to add the cluster IP address and the associated domain name to your DNS service.
1. In the Burb drop-down list, select the appropriate burb.
Note: The Network Address field displays the local IP address for this Sidewinder G2.
2. In the Cluster IP Address field, type the cluster IP address for the interface that is shared between the primary and secondaries when they become active.
The cluster address is the address most systems should use to communicate with or through the Sidewinder G2, meaning that DNS, default routes, etc. need to know this address.
3. [Optional] In the Remote Test IP field, specify the address that the Sidewinder G2 will periodically ping.
The remote address must be a highly reliable system that is directly attached to the Sidewinder G2 network. For example, if you use a VRRP (Virtual Router Redundancy Protocol) cluster, you can specify the VRRP address of the router as your remote ping address. (However, some VRRP routing clusters will only respond to pings if the configured primary router is currently acting as the primary. If you are using this type of VRRP routing cluster, you should use an alternative remote address.)
For load sharing HA, if remote ping fails on one of the two cluster members, that member will become unavailable until the remote interface is again detected. If there is only one active cluster member and a remote ping failure is detected, that member will audit the failure and remain in the cluster until another member joins the cluster (without a ping failure), or until the remote system is detected.
Note: If you specify 255.255.255.255 in this field, HA will only test the status of the interface rather than send data to verify that the interface is up.
4. Click OK to save the cluster address information and return to the Local Parameters tab. (To exit the window without saving your changes, click Cancel.)
Modifying HA local parameters
To configure local HA parameters, connect to the Sidewinder G2 using the Admin Console and select Firewall Administration -> High Availability. (If you have already configured HA, the High Availability option will appear directly beneath the Sidewinder G2 icon.) Select the Local Parameters tab. The following window appears:
Figure 16-2. Local Parameters tab
About the Local Parameters tab
The Local Parameters tab specifies the parameters that are unique to a particular Sidewinder G2 in your HA configuration. Follow the steps below.
1. In the Cluster Mode area, select one of the following options:
Designate as part of a Load Sharing High Availability Cluster—Select this option if you want to configure load sharing HA (both Sidewinder G2s actively process traffic).
Designate as part of a Primary/Standby High Availability Cluster—Select this option if you want to configure failover HA (only one Sidewinder G2 processes traffic, with the other Sidewinder G2 acting as a hot backup).
Note: To configure load sharing HA or peer-to-peer failover HA, the Sidewinder G2s must have the same hardware configuration. For more information on each HA configuration option, see “HA configuration options” on page 16-3.
2. [Conditional] If you selected Primary-Standby in the previous step, select one of the following options in the Cluster Mode area:
Primary—Select this option if this will be the primary in your network. (This option is only used for the dedicated primary-standby HA configuration.)
Standby—Select this option if this Sidewinder G2 is a standby in your network, or if you are configuring peer-to-peer HA.
Note: For peer-to-peer HA, you must configure EACH Sidewinder G2 as a standby.
3. In the Control field, select Enabled to enable HA for this Sidewinder G2. (To disable HA, select Disabled.)
Note: You must reboot before the HA configuration will take effect.
4. [Conditional] In the Takeover Time field, specify the number of seconds that the primary must be unavailable before the secondary/standby will begin the takeover process.
Note: If the primary in an HA cluster goes into failure mode and the secondary/standby is not available, the primary will remain as the primary, but the Takeover Time value for that Sidewinder G2 will change to one, ensuring that if a secondary/standby becomes available, it can take over as the primary.
The secondary/standby Takeover Time value will differ depending on the type of HA configuration you are using:
Load sharing Takeover Time—The takeover time for load sharing HA cluster Sidewinder G2s must be the same for EACH Sidewinder G2 that is participating in the HA configuration. The default value is 13 seconds for load sharing configurations.
Primary-standby Takeover Time—The takeover time for the primary is 3 seconds by default and cannot be modified. This value ensures that the designated primary will become the actual primary when it is activated. The default for the standby is 13.
Note: If you assign a standby Takeover Time value that is too close to 3 seconds, the standby may attempt to take over as the primary during periods when the primary is too busy processing data traffic to send the heartbeat.
Peer-to-peer Takeover Time—The takeover time for load sharing HA cluster Sidewinder G2s must be the same for EACH Sidewinder G2 that is participating in the HA configuration. The default value is 13 seconds for load sharing configurations.
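The following Python script is an added example, not part of the guide or of the product: it cross-checks two members' Common and Local Parameters against the rules stated above (same cluster ID, IPSec type and password on both members; multicast group inside the reserved range; the primary's fixed 3-second takeover; equal takeover times for load sharing and peer-to-peer) and estimates how long a dead remote-test path goes unnoticed. The 2-second "too close" margin and the detection-window arithmetic are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# Values quoted in the guide.
MCAST_RANGE = (IPv4Address("239.192.0.0"), IPv4Address("239.251.255.255"))
PRIMARY_TAKEOVER = 3            # fixed takeover time of a dedicated primary (seconds)
STANDBY_TAKEOVER_DEFAULT = 13   # default for a standby or a load sharing member
# Assumption of this example: a standby value within 2 s of the primary's
# 3 s counts as "too close" (the guide gives no exact figure).
STANDBY_MARGIN = 2


@dataclass
class CommonParams:
    cluster_id: int
    multicast: str
    auth_type: str             # "SHA1" or "MD5"
    password: str              # shared secret behind the IPSec authentication key
    time_between_tests: int    # seconds between remote-address pings
    consecutive_failures: int  # failed pings before a takeover


@dataclass
class LocalParams:
    hostname: str
    mode: str                  # "load_sharing" or "primary_standby"
    role: str                  # "primary" or "standby" (peer-to-peer: both standby)
    takeover_time: int


def check_common(c: CommonParams) -> List[str]:
    """Validate one member's Common Parameters tab."""
    problems = []
    if not 1 <= c.cluster_id <= 255:
        problems.append(f"cluster ID {c.cluster_id} is outside 1-255")
    if c.auth_type not in ("SHA1", "MD5"):
        problems.append(f"unsupported IPSec authentication type {c.auth_type!r}")
    addr = IPv4Address(c.multicast)
    if not MCAST_RANGE[0] <= addr <= MCAST_RANGE[1]:
        problems.append(f"multicast group {addr} is outside the reserved RFC 2365 range")
    return problems


def check_cluster(a: CommonParams, b: CommonParams,
                  la: LocalParams, lb: LocalParams) -> List[str]:
    """Cross-check both members' settings; the shared secret is compared, never echoed."""
    problems = check_common(a) + check_common(b)
    if a.cluster_id != b.cluster_id:
        problems.append("members carry different cluster IDs")
    if (a.auth_type, a.password) != (b.auth_type, b.password):
        problems.append("IPSec authentication type or password differs between members")
    if a.multicast != b.multicast:
        problems.append("members use different heartbeat multicast groups")
    if la.mode != lb.mode:
        problems.append("members disagree on cluster mode")
        return problems
    same_takeover = la.takeover_time == lb.takeover_time
    if la.mode == "load_sharing":
        if not same_takeover:
            problems.append("load sharing takeover times must be the same on each member")
        return problems
    primaries = [m for m in (la, lb) if m.role == "primary"]
    if len(primaries) == 2:
        problems.append("both members are designated primary")
    elif not primaries:  # peer-to-peer: each member is configured as a standby
        if not same_takeover:
            problems.append("peer-to-peer takeover times must be the same on each member")
    else:
        primary = primaries[0]
        standby = lb if primary is la else la
        if primary.takeover_time != PRIMARY_TAKEOVER:
            problems.append(f"{primary.hostname}: primary takeover time is fixed at {PRIMARY_TAKEOVER} s")
        if standby.takeover_time <= PRIMARY_TAKEOVER + STANDBY_MARGIN:
            problems.append(f"{standby.hostname}: standby takeover time {standby.takeover_time} s "
                            f"is too close to the primary's {PRIMARY_TAKEOVER} s")
    return problems


def detection_window(c: CommonParams) -> Tuple[int, int]:
    """Best and worst case seconds until Consecutive Failures pings have failed.

    Assumes each ping times out well within Time Between Tests. The worst case is
    the Note above: a path that dies just after a ping wastes nearly a whole test
    interval before the first failure is seen.
    """
    best = c.time_between_tests * (c.consecutive_failures - 1)
    worst = c.time_between_tests * c.consecutive_failures
    return best, worst


if __name__ == "__main__":
    # Constructed sample pair, not real firewalls.
    common = CommonParams(1, "239.192.0.1", "SHA1", "example-secret", 5, 3)
    fw1 = LocalParams("fw1", "primary_standby", "primary", PRIMARY_TAKEOVER)
    fw2 = LocalParams("fw2", "primary_standby", "standby", 4)
    for p in check_cluster(common, common, fw1, fw2):
        print("problem:", p)
    print("remote test failure detected after (best, worst) seconds:", detection_window(common))
```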
Scheduling a soft shutdown for an HA cluster Sidewinder G2
When a Sidewinder G2 that belongs to an HA cluster is shut down by an administrator (for example, to perform scheduled maintenance), a soft shutdown will automatically occur (assuming the shutdown time is not immediate). A soft shutdown provides a buffer period before the actual shutdown occurs, allowing the Sidewinder G2 to stop accepting new connections, while allowing most existing connections to complete before the Sidewinder G2 actually shuts down. IP filter processing is also transferred to the remaining Sidewinder G2.
By default, the soft shutdown process will begin 30 minutes prior to a scheduled shutdown. If the shutdown is scheduled to occur in less than 30 minutes, the soft shutdown process will begin immediately and will remain in effect until the actual shutdown time occurs. You can also manually increase or decrease the length of the soft shutdown period.
For example, suppose you configure the Sidewinder G2 to shut down in two hours using the default soft shutdown of 30 minutes. The Sidewinder G2 will continue to accept and process connections for 1.5 hours. When the Sidewinder G2 is 30 minutes from the shutdown time, it will stop accepting new connections and existing connections will have 30 minutes to complete. After the soft shutdown period completes, the Sidewinder G2 will shut down and will be unavailable until it is rebooted.
The soft shutdown feature is specified via the command line. If you schedule a shutdown using the Admin Console, the default soft shutdown time will be applied. The following bullets provide examples of configuring an HA cluster Sidewinder G2 for shutdown:
If you want the soft shutdown process to begin immediately, use the following command (the Sidewinder G2 must be shut down or manually rebooted once the soft shutdown process is complete):
cf failover softshutdown
To configure soft shutdown to occur for a specific amount of time, use the following command:
shutdown -s [soft_shutdown_time] [shutdown_time]
The soft_shutdown_time specifies the amount of time that soft shutdown will occur. The shutdown_time specifies the time at which the actual shutdown will occur. Each variable can be specified either as a number of minutes or as an exact date and time. If you are specifying the number of minutes, you must include a plus (+) sign in front of the minutes.
For example, if you want the Sidewinder G2 to shut down on Saturday, June 12, 2004 at 11:00 am with a 15 minute soft shutdown period, you would enter the following command:
shutdown -s +15 0406121100
In this case, the soft shutdown process would begin at 10:45 am, and the Sidewinder G2 would shut down at 11:00 am on the specified day.
If you want the Sidewinder G2 to begin the soft shutdown at 6:00 am with an actual shutdown at 6:20 am, you would enter the following command:
shutdown -s 0600 0620
Note: For a complete listing of shutdown options, refer to the shutdown man page.
You can cancel a scheduled shutdown at any time prior to the final 30 minute period by entering the shutdown -c command. However, once the Sidewinder G2 has entered soft shutdown mode, this command will no longer cancel the soft shutdown process. When the soft shutdown process is complete, you will need to reboot the Sidewinder G2 before it will properly function as part of the HA cluster.
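As an added example (not code from the guide or the product), the Python below works out, for a given `shutdown -s` invocation, when the soft shutdown period starts, when the firewall halts, and whether `shutdown -c` can still cancel it. It assumes a bare HHMM that is already past means tomorrow and that a two-digit year means 20yy; neither is stated on the page.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

DEFAULT_SOFT_MINUTES = 30   # default soft shutdown period from the guide


def parse_time_arg(arg: str, now: datetime) -> datetime:
    """Parse one shutdown(8)-style time argument relative to `now`.

    Forms used in the guide: "+N" (N minutes from now), "HHMM" (today; this
    example assumes it rolls to tomorrow once past) and "yymmddHHMM"
    (two-digit year, assumed to mean 20yy).
    """
    if arg.startswith("+") and arg[1:].isdigit():
        return now + timedelta(minutes=int(arg[1:]))
    if len(arg) == 4 and arg.isdigit():
        at = now.replace(hour=int(arg[:2]), minute=int(arg[2:]), second=0, microsecond=0)
        return at + timedelta(days=1) if at < now else at
    if len(arg) == 10 and arg.isdigit():
        return datetime.strptime(arg, "%y%m%d%H%M")
    raise ValueError(f"unrecognised shutdown time argument: {arg!r}")


def soft_shutdown_schedule(shutdown_arg: str, soft_arg: Optional[str] = None,
                           now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return (soft_start, shutdown_at) for `shutdown -s [soft] shutdown`.

    A "+N" soft argument is a length: soft shutdown begins N minutes before
    the halt. With no soft argument the 30-minute default applies, and a halt
    due sooner than that starts soft shutdown immediately.
    """
    now = now or datetime.now()
    shutdown_at = parse_time_arg(shutdown_arg, now)
    if soft_arg is None:
        soft_start = shutdown_at - timedelta(minutes=DEFAULT_SOFT_MINUTES)
    elif soft_arg.startswith("+"):
        soft_start = shutdown_at - timedelta(minutes=int(soft_arg[1:]))
    else:
        soft_start = parse_time_arg(soft_arg, now)
    if soft_start > shutdown_at:
        raise ValueError("soft shutdown cannot begin after the shutdown time")
    return max(soft_start, now), shutdown_at


def can_cancel(now: datetime, soft_start: datetime) -> bool:
    """`shutdown -c` only works before the soft shutdown period has begun."""
    return now < soft_start


if __name__ == "__main__":
    clock = datetime(2004, 6, 12, 8, 0)   # constructed "current time"
    for shutdown_arg, soft_arg in (("0406121100", "+15"), ("+20", None), ("+120", None)):
        start, end = soft_shutdown_schedule(shutdown_arg, soft_arg, now=clock)
        print(f"shutdown -s {soft_arg or '<default>'} {shutdown_arg}: "
              f"soft from {start:%H:%M}, halt {end:%H:%M}, "
              f"cancelable at {clock:%H:%M}: {can_cancel(clock, start)}")
```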
Connecting directly to a secondary/standby
When you have an HA cluster configured, most areas for each Sidewinder G2 are managed by connecting to the HA cluster address. However, if your Sidewinder G2s are configured for secure split SMTP mail and/or hosted DNS, you will need to connect directly to the secondary/standby to manage those areas. (You can still manage the primary for these areas by connecting to the HA cluster.)
To connect directly to a Sidewinder G2 that is part of an HA cluster, do the following:
1. In the Admin Console, add the Sidewinder G2 to which you want to connect. See “Adding a Sidewinder G2 to the Admin Console” on page 2-4. Be sure to use the Sidewinder G2’s actual IP address, not the common IP address.
2. Connect directly to that Sidewinder G2, and make the necessary changes.
Note: When you connect directly to a Sidewinder G2 that is part of an HA cluster, a warning message will appear explaining that any changes you make may be overwritten by the cluster configuration. Modifications made to the SMTP and/or DNS areas will not be overwritten if you have configured secure split SMTP mail and/or hosted DNS.
CHAPTER 17
Alarm Events and Responses
About this chapter
This chapter explains alarm events and assists you in configuring alarm events and event responses for your site. This chapter includes the following topics:
“Configuring alarm events and event responses” on page 17-1
“Example alarm event scenario” on page 17-13
“Sample Strikeback results” on page 17-15
“Ignoring network probe attempts” on page 17-17
“Checking system status” on page 17-19
“Checking network status” on page 17-22
Alarm Events and Responses 17-1
Configuring alarm events and event responses
Sidewinder G2 alarm events (also referred to as auditbots) allow you to monitor your network for potentially threatening activities ranging from an attempted attack to an audit overflow. Using the Admin Console, you can configure how many events for a particular alarm must occur within a particular time frame before an event response is triggered.
When activity that matches alarm event criteria is encountered, the event response you configured for that alarm event determines how the Sidewinder G2 will respond. The Sidewinder G2 can be configured to respond by notifying an administrator of the event via email or pager, as well as performing a Strikeback. You can configure Strikebacks to gather information about users who are making network access violations, and track down additional information regarding an attempted attack. You can also configure a Strikeback to ignore packets from a particular host for a specified period of time.
The configuration options you select will depend mainly on your site’s security policy and to some extent on your own experiences using the features. You may want to start with the default options and make adjustments as necessary to meet your site’s needs.
Alarm events are generated on the Sidewinder G2 using a daemon called auditbotd. This daemon listens to the audit device and detects various types of alarm events (also known as "auditbots") as they occur. Alarm events are defined in the /etc/sidewinder/audit_filters.conf file.
Tip: Default Strikeback event responses are automatically configured on the Sidewinder G2 during initial configuration. See “Configuring alarm events” on page 17-6.
Configuring alarm events
To view or configure alarm events, start the Admin Console and select Reports & Monitoring -> Alarm Configuration. The Alarm Configuration window appears. This window contains two tabs that are used to enter information about an alarm event: the Alarm Event List tab (described below), and the Event Responses tab (described in “Displaying and configuring event responses” on page 17-8).
Note: To view all event settings, use the scroll bar or resize the window.
Figure 17-1. Alarm Event List
About the Alarm Event List tab
This tab allows you to view the list of currently configured alarm event types. The following table describes the fields displayed for each alarm event in the table.
Table 17-1. Alarm event column descriptions
Window Column: Description
Event Name: Lists the names of the configurable alarm events.
Filter Name: Specifies the name of the filter that is being used to detect alarm events.
Enabled: Specifies whether the alarm event is enabled.
Strikeback: Specifies the Strikeback response that is selected for an alarm event.
Threshold: Specifies the number of times the alarm event must occur in a specified period before an alarm will be triggered.
Period: Specifies the amount of time during which the number of events (specified in the Threshold field) must occur before an alarm will be triggered.
Interval: Specifies the amount of time (in seconds) before you will be notified of an additional alarm event of this type once an alarm has been triggered. For example, if you have an alarm event that detects netprobes, and you set the Interval to 300, when an alarm is triggered, you will not be notified of any additional alarm events of this type for 300 seconds. Note: You will still receive audit data for the additional alarm events.
Reset: Specifies whether the alarm event count will be reset when the threshold number is reached.
Always Strikeback: Specifies whether a Strikeback will be performed every time an alarm event is triggered (even if an Administrator is not notified of the event).
Threshold Percentage: Specifies the percentage of alarm events that must be initiated from the same source address before a Strikeback is triggered. (The percentage is based on the Threshold value.) The threshold percentage value may cause multiple strikebacks to occur for an alarm event.
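To make the Threshold, Period, Interval, Reset, Always Strikeback and Threshold Percentage columns concrete, here is a Python model of the counting logic they describe, run over constructed audit records. It is an added example, not the auditbotd implementation; reading Period as a sliding window and testing the per-source percentage against the Threshold value are the example's assumptions.

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class AlarmEvent:
    """The per-alarm fields of Table 17-1, named as on the tab."""
    event_name: str
    filter_name: str
    threshold: int                   # events needed within `period`
    period: int                      # seconds in which `threshold` events must occur
    interval: int                    # seconds during which repeat notifications are suppressed
    reset: bool = True               # clear the count once the threshold is reached
    always_strikeback: bool = False  # Strikeback even when nobody is notified
    threshold_percentage: int = 100  # % of threshold from one source needed for a Strikeback


@dataclass
class AlarmState:
    window: Deque[Tuple[float, str]] = field(default_factory=deque)  # (time, source)
    last_notified: Optional[float] = None


def feed(alarm: AlarmEvent, state: AlarmState, ts: float, source: str) -> Optional[Dict]:
    """Count one audit record matched by the alarm's filter.

    Returns None while nothing fires, otherwise a dict saying whether the
    administrator is notified (Interval permitting) and which sources earn the
    configured Strikeback (Threshold Percentage permitting). Audit data for the
    record is written regardless, so suppression only affects the response.
    """
    state.window.append((ts, source))
    while state.window and ts - state.window[0][0] > alarm.period:
        state.window.popleft()                  # older than Period: no longer counted
    if len(state.window) < alarm.threshold:
        return None
    notify = state.last_notified is None or ts - state.last_notified >= alarm.interval
    if notify:
        state.last_notified = ts
    targets: List[str] = []
    if notify or alarm.always_strikeback:
        per_source = Counter(src for _, src in state.window)
        # n / threshold * 100 >= threshold_percentage, kept in integers
        targets = sorted(src for src, n in per_source.items()
                         if n * 100 >= alarm.threshold_percentage * alarm.threshold)
    if alarm.reset:
        state.window.clear()
    return {"time": ts, "notify": notify, "strikeback": targets}


def run(alarm: AlarmEvent, records) -> List[Dict]:
    """Replay (time, source) records through one alarm and collect what fired."""
    state = AlarmState()
    return [r for r in (feed(alarm, state, ts, src) for ts, src in records) if r]


# Constructed sample: audit records matched by netprobe_filter, as (seconds, source).
SAMPLE_RECORDS = [
    (0, "10.0.0.7"), (1, "10.0.0.7"), (2, "10.0.0.9"), (3, "10.0.0.7"), (4, "10.0.0.7"),
    (10, "10.0.0.9"), (11, "10.0.0.9"), (12, "10.0.0.9"), (13, "10.0.0.9"), (14, "10.0.0.9"),
]

# Five probes within 60 s raise the alarm; repeats are quiet for 300 s; a source
# that produced at least 60% of the threshold gets the Strikeback response.
NETPROBE_ALARM = AlarmEvent("netprobe", "netprobe_filter", threshold=5, period=60,
                            interval=300, reset=True, threshold_percentage=60)

if __name__ == "__main__":
    for fired in run(NETPROBE_ALARM, SAMPLE_RECORDS):
        print(fired)
```

With the sample the first five records fire at t=4 with a notification and a Strikeback against 10.0.0.7 only; the second burst fires at t=14 but is neither notified (inside the 300 s Interval) nor struck back, because Always Strikeback is off.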
Table 17-2. Pre-defined filter descriptions
Filter Name: Description
attack_filter: Detects attack attempts (that is, any suspicious occurrence) identified by one of the services on the Sidewinder G2. For example, if the Network Services Sentry (NSS) detects a suspicious IP address on an incoming connection, it will issue an attack attempt.
deniedauth_filter: Detects when a user attempts to authenticate and enters invalid data. For example, if a user is required to enter a password and entered it incorrectly, the deniedauth_filter would log the event. (Note that this type of event is not logged when users attempt to switch to an unauthorized role or enter incorrect login information.)
failover_filter: Detects any time a Sidewinder G2 changes its status in an HA cluster from secondary to primary, or from primary to secondary.
filterfail_filter: Detects SMTP mail messages that fail a configured mail filter. For example, if a mail message failed the Key Word Search filter, a mail filter failure event would be logged.
hardware_software_fail: Detects failure of a critical component. For example, this trap occurs when daemond detects a software module has failed.
ipsec_filter: Detects IPSec errors that exceed the configured threshold values.
licexceed_filter: Detects when the Sidewinder G2 has begun denying users access due to a user license cap violation.
logoverflow_filter: Detects when the Sidewinder G2 audit logs are close to filling the partition.
netprobe_filter: Detects network probe attempts (that is, any time a user attempts to connect or send a message to a TCP or UDP port that either has no service associated with it or is associated with an unsupported service). See “Ignoring network probe attempts” on page 17-17 for more information.
networkacl_filter: Detects when the number of denied access attempts to services exceeds a specified number. For example, you may set up your system so that internal users cannot FTP to a certain Internet address. If a user tried to connect to that address, the attempt would be logged as a denial.
powerfail_filter: Detects when a connected Uninterruptible Power Supply (UPS) has a power failure and the Sidewinder G2 is running on UPS battery power.
proxyflood_filter: Detects potential connection attack attempts. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try and flood the system. When NSS receives more connection attempts than it can handle for a proxy, new connections to that proxy are briefly delayed (to allow the proxy to “catch up”) and an audit event is created.
shutdown_filter: Detects when the Sidewinder G2 is being shut down after running on UPS battery power for the amount of time specified in the UPS server window (see “Configuring the Sidewinder G2 to use a UPS” on page 3-58 for additional information on UPS).
synattack_filter: Detects when the Sidewinder G2 encounters a SYN attack.
te_filter: Detects an unauthorized user or process that attempts to perform an illegal operation on a file on the Sidewinder G2.
traffic_filter: Detects when the number of traffic audit events written by the various proxies (WWW, Telnet, FTP, etc.) going through the Sidewinder G2 exceeds a specified number in a specified time period. This information can be useful for monitoring the use of the Sidewinder G2 services by internal users. Note: Network traffic thresholds are reported as number of events per second, and not as number of bytes per second.
virusmime: Detects when the number of mail or HTTP messages that failed the MIME/Virus filter exceeds a specified threshold in a specified time period.
To delete an alarm event from this table, highlight the alarm event you want to delete and click Delete. You will be asked to confirm your selection.
To create a new alarm event, click New. To modify an existing alarm event, highlight the alarm event you want to modify and click Modify (or double-click the alarm event). The Alarm Event Information window appears.
Configuring alarm events and event responses<br />
Figure 17-2. Alarm Event<br />
Information window<br />
Configuring alarm events The Alarm Event Information window is used to configure a new<br />
alarm event or to modify an existing alarm event configuration.<br />
Follow the steps below.<br />
17-6 Alarm Events and Responses<br />
1. In the Event Name field, type a descriptive name for the alarm event. The entry can consist of 1–32 alpha-numeric characters, hyphens (-), or underscores (_).
2. In the Filter Name field, select the filter that you want this alarm event to use. The filter determines what type of alarm event(s) will be detected by the auditbot daemon on the Sidewinder G2. There are 26 predefined filters. Each pre-defined filter type is described in the filter table above.
Note: To create custom filters, refer to the sacap_filter man page.
3. In the Event Responses area, select the type of event response(s) that will occur for each response type if this alarm event is triggered. (For more information on configuring event responses, see “Displaying and configuring event responses” on page 17-8.)
EMAIL—Select the name of the E-mail event response that contains the e-mail address(es) you want contacted if an alarm is triggered. The default E-mail event response will send e-mail to the root address. (Select None if you do not want e-mail sent if an event occurs.)
PAGER—Select the name of the Pager event response that contains the pager number you want contacted if an alarm is triggered. The default pager event response is set to 1111111. (Select None if you do not want anyone to be paged.)
STRIKEBACK—Select the name of the Strikeback event response that contains the Strikeback actions you want performed if an alarm is triggered. The default Strikeback event response will issue the dig command. Select None if you do not want a Strikeback to occur.
SNMP Trap—Select this check box if you want to issue an SNMP trap if an alarm is triggered. See Chapter 14 for details about SNMP.
4. Select the Enabled check box to enable this alarm event. A check mark appears when the event is enabled. (To disable this alarm event at any time, de-select this check box.)
5. In the Threshold field, type the number of times this type of event must occur before an alarm will be triggered. Valid values include any non-zero, positive integer.
6. In the Event Period field, type the number of seconds during which the number of events specified in the Threshold field must occur before an alarm will be triggered. Valid values include zero (which indicates infinity) or any positive integer.
For example, if you have configured an alarm event to filter for netprobe attempts, and you want to trigger an alarm event if 5 or more probe attempts occur within a 30-second period, you would type 5 in the Threshold field and 30 in the Event Period field. If you do not enter an event period, a zero value (which indicates infinity) is used as the default.
7. In the Alarm Interval field, type the number of seconds to wait once an alarm has been triggered before another alarm can be triggered for the same event type. Valid values include any non-zero, positive integer (in seconds).
For example, suppose you configure an alarm event to trigger when 5 or more probe attempts occur in a 30-second period, and you configure an Alarm Interval value of 300 seconds (five minutes).
In this configuration, if an intruder launches 5 probe attempts in a 30-second period, an alarm event is triggered. However, if the intruder sends 5 more probe attempts during the next 30 seconds, a new alarm will not be triggered. After five minutes, if the threshold is again reached, another alarm will be triggered.
8. Select the Reset Event Count on Threshold check box if you want the event count to be reset and the audit list cleared each time the threshold number is reached within the specified time period.
Note: If you de-select this check box, when the threshold number is reached, the event count will not be reset, and the event list will not be cleared. This may cause the same audit events to be used to generate additional alarms.
9. Select the Perform Strikeback if Alarm Dropped check box to run the Strikeback commands you have configured for each alarm event that occurs within the alarm interval (rather than only when the number of events reaches the threshold value and triggers an additional alarm).
Note: If you de-select this check box, Strikeback commands will be performed only when an event response is triggered.
10. In the Strikeback Percentage Threshold field, type the percentage of threshold alarm events that must be initiated from a single source address before a Strikeback will occur. This allows you to configure Strikebacks to occur only on source addresses that initiate a certain percentage of events, and prevents the system from extraneously performing Strikebacks on simple error events (such as a single bad login attempt by a user) when the threshold is reached.
11. Click Add to add the new alarm event. (If you are modifying an alarm event, click OK to save your changes.)
12. To add another alarm event, repeat the above procedure.
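The timing fields in steps 5 through 10 (Threshold, Event Period, Alarm Interval, Reset Event Count on Threshold, Perform Strikeback if Alarm Dropped and Strikeback Percentage Threshold) interact in ways the prose only sketches. The following Python model is an added example, not auditbotd code and not from Secure Computing: it assumes a simple sliding window over event timestamps in seconds, a constructed stream of probe events from hypothetical addresses, and the field meanings as described above. It replays the 5-in-30-seconds / 300-second example from steps 6 and 7, the "same audit events reused" case from the note under step 8, and the percentage rule from step 10.

```python
from collections import Counter


class AlarmEvent:
    """One alarm event entry, modelled on the Alarm Event Information window.

    Added model of the documented field semantics, not the auditbotd implementation.
    Timestamps are seconds; the event window is a list of (timestamp, source_ip).
    """

    def __init__(self, threshold, event_period, alarm_interval,
                 reset_on_threshold=True, strikeback_if_dropped=False,
                 strikeback_pct=0):
        if threshold < 1 or alarm_interval < 1 or event_period < 0:
            raise ValueError("threshold and alarm interval must be positive; "
                             "event period must be 0 (infinity) or positive")
        self.threshold = threshold
        self.event_period = event_period        # 0 means "infinity"
        self.alarm_interval = alarm_interval
        self.reset_on_threshold = reset_on_threshold
        self.strikeback_if_dropped = strikeback_if_dropped
        self.strikeback_pct = strikeback_pct    # 0 means every source qualifies
        self.events = []                        # events inside the current period
        self.last_alarm = None
        self.alarms = []                        # timestamps at which an alarm fired
        self.strikebacks = []                   # (timestamp, [source_ip, ...])

    def _strikeback_targets(self):
        """Sources behind at least strikeback_pct % of the events that tripped the threshold."""
        total = len(self.events)
        counts = Counter(src for _, src in self.events if src is not None)
        return sorted(src for src, n in counts.items()
                      if 100 * n >= self.strikeback_pct * total)

    def observe(self, now, source_ip=None):
        """Feed one audit event; return True if it raises an alarm."""
        self.events.append((now, source_ip))
        if self.event_period:                   # drop events older than the period
            cutoff = now - self.event_period
            self.events = [(t, s) for (t, s) in self.events if t > cutoff]
        if len(self.events) < self.threshold:
            return False
        # Threshold reached within the period.
        dropped = (self.last_alarm is not None
                   and now - self.last_alarm < self.alarm_interval)
        targets = self._strikeback_targets()
        if self.reset_on_threshold:             # Reset Event Count on Threshold
            self.events = []
        if dropped:                             # still inside the Alarm Interval
            if self.strikeback_if_dropped and targets:   # Perform Strikeback if Alarm Dropped
                self.strikebacks.append((now, targets))
            return False
        self.last_alarm = now
        self.alarms.append(now)
        if targets:
            self.strikebacks.append((now, targets))
        return True


def documented_scenario():
    """Steps 6 and 7: 5 probes in 30 s, alarm interval 300 s, three constructed bursts."""
    ae = AlarmEvent(threshold=5, event_period=30, alarm_interval=300,
                    strikeback_if_dropped=True)
    for start in (0, 25, 330):                  # bursts of five probes, 5 s apart
        for t in range(start, start + 25, 5):
            ae.observe(t, "192.0.2.10")         # constructed attacker address
    return ae.alarms, [t for t, _ in ae.strikebacks]


def reuse_without_reset():
    """Note under step 8: with the reset box cleared, old events keep counting."""
    ae = AlarmEvent(threshold=5, event_period=30, alarm_interval=1,
                    reset_on_threshold=False)
    for t in (0, 5, 10, 15, 20, 25):
        ae.observe(t, "192.0.2.10")
    return ae.alarms


def percentage_threshold():
    """Step 10: Strikeback only the source behind at least 60% of the events."""
    ae = AlarmEvent(threshold=5, event_period=0, alarm_interval=60, strikeback_pct=60)
    for t, src in [(1, "198.51.100.7"), (2, "198.51.100.7"), (3, "198.51.100.7"),
                   (4, "203.0.113.9"), (5, "192.0.2.44")]:   # constructed sources
        ae.observe(t, src)
    return ae.strikebacks


if __name__ == "__main__":
    print(documented_scenario())    # alarms at 20 and 350, Strikebacks at 20, 45 and 350
    print(reuse_without_reset())    # alarms at 20 and 25 from the same audit records
    print(percentage_threshold())   # only 198.51.100.7 is struck back
```

In documented_scenario() the second burst reaches the threshold at 45 s but is inside the alarm interval, so no alarm fires; because Perform Strikeback if Alarm Dropped is set, a Strikeback still runs against the source. reuse_without_reset() shows why the note under step 8 matters: a sixth event at 25 s re-alarms on the same five records that already triggered at 20 s.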
Displaying and configuring event responses
Event responses are used to specify an appropriate response when an alarm is triggered in your system. The Sidewinder G2 is preconfigured with several default responses.
To view the default responses and to add or modify event responses, click the Event Responses tab on the Alarm Configuration window. The Event Responses tab appears.
Figure 17-3. Event Response tab
About the Event Response tab
This tab is used to view, create, and modify event responses. An event response is the action that will occur when an alarm is triggered. The Event Responses list contains a list of the currently defined event responses. An event response is only used when it is specified within an alarm event entry.
If you click on an event response in this list, information about the entry appears in the right-hand portion of the window. You can modify the parameters for a particular event response directly from this window.
To create a new event response, click New and select an event response type from the Select Event Response Type drop-down list. For details on creating or modifying a specific event response type, refer to one of the following:
E-Mail events—For information on configuring e-mail event responses, see “Adding or modifying an E-Mail response” on page 17-10.
Pager events—For information on configuring pager event responses, see “Adding or modifying a Pager response” on page 17-10.
Strikeback events—For information on configuring Strikeback event responses, see “Adding or modifying a Strikeback response” on page 17-11.
To delete an event response, highlight the event response you want to delete, and click Delete. You will be asked to confirm the deletion.
Adding or modifying an E-Mail response
To add or modify an e-mail response, follow the steps below.
1. In the E-Mail Name field, type a name for this e-mail response. The name can consist of 1–32 characters.
2. In the E-Mail Address field, click New. The E-mail Address window appears.
Note: To delete an existing e-mail address, highlight the address you want to delete, and click Delete.
3. Type the e-mail address of the person you want to receive the audit and Strikeback results, and then click Close.
4. To add another e-mail address, repeat step 2 and step 3. When you are finished adding e-mail addresses, click Apply.
Adding or modifying a Pager response
To add or modify a Pager response, follow the steps below. When a pager response is initiated, a number representing the type of alarm event that was triggered will be sent to your pager. For information on these values, see “Example alarm event scenario” on page 17-13.
Note: You may not receive a page if a shutdown_filter event causes the Sidewinder G2 to halt due to a low UPS battery. This is because the UPS may halt the Sidewinder G2 before the modem can dial the pager number.
1. In the Pager Name field, type a name for this pager response. The name can consist of 1–32 characters.
2. In the Pager Number field, type the pager number you want called when an alarm event is triggered. This number will be called as soon as the specified device (see step 3) is available. The pager number can consist of any valid modem string.
3. In the Device field, type the name of the device being used for the modem that will contact the pager. This device is configured in your system’s /etc/ttys file by default.
4. In the Pager Wait field, type the number of seconds that the system will wait for the service to answer the phone and prompt for the touch-tone response. (Your pager service should be able to provide you with the correct value for your pager.)
5. Click Apply to save your changes (or click Cancel to cancel any changes).
Adding or modifying a Strikeback response
To add or modify a Strikeback response, follow the steps below.
1. In the Strikeback Name field, type a descriptive name for this Strikeback response. The name can consist of 1–32 characters.
2. In the Strikeback Commands to Perform area, determine which commands you want to be performed when an alarm is triggered. To enable commands, select the appropriate check box(es). To disable commands, de-select the appropriate check box(es).
Note: Some filters will not allow a Strikeback to be performed, because the events they detect do not contain source IP addresses. Keep in mind as well that every Strikeback command sends packets from the Sidewinder G2 to the offending address: if that address was forged, the commands query an uninvolved host, and the finger, ping and traceroute traffic is visible to whoever operates it.
Sample output for each command is described in “Sample Strikeback results” on page 17-15. The following commands are available. (For more information on using these commands, refer to the appropriate man page.)
dig—The Domain Information Groper (dig) command provides essentially the same information as the nslookup command. However, the options make it easier to use from the UNIX command line, and it is easier to obtain a host name given the IP address. Selecting this option is equivalent to entering the following UNIX command:
/usr/bin/dig -x ipaddress
finger—This command allows you to obtain information about Internet users. Internet systems can run a finger daemon that allows anyone to obtain this data (although some sites turn it off to protect users’ privacy). If the daemon is turned off at the target site, finger will not work during the Strikeback. When you use the finger command, you can find out the user names of people at a site and obtain specific user information such as their e-mail addresses and home directories, the exact terminal they are logged in on, when they were last logged in and when they last received and read e-mail. This option is equivalent to entering the following UNIX command:
/usr/bin/finger @ipaddress
Note: The Sidewinder G2 does not run a finger daemon.
traceroute—This command provides information on the gateways an IP packet must pass through to get to a destination. As input, the command needs the hostname or IP address of the destination system. It then sends these IP packets from your Sidewinder G2 to that address. As output, it lists the hostnames and IP addresses of each system the packets were handed off to and how long it took to send each packet back and forth. This option is equivalent to entering the following UNIX command:
/usr/sbin/traceroute -m 50 -p 33500 ipaddress
ping—This command determines whether an Internet system is running by sending packets that the remote system should echo back. As output, ping lists how much time it took for the message to travel to the other system and back. This option is equivalent to entering the following UNIX command:
/bin/ping -c 5 ipaddress
nslookup—This command queries the DNS database to obtain all of the information that is available about a particular address. The output includes the name and address of the DNS server used to provide the information, the name of the system you asked about and other data that might be available (for example, where e-mail is delivered for the domain). This option is equivalent to entering the following UNIX command:
/usr/bin/nslookup -d 2 ipaddress
whois—This command queries the Network Information Center (NIC) database to obtain information regarding a particular domain name.
3. To enable the Host Discard field, select the corresponding check box and specify the amount of time (in seconds) that packets from a particular host will be ignored within a specific burb. If this field is enabled, when a Strikeback occurs, any attempts by the offending source host to send IP packets will be prevented for the time specified. Valid values include any positive integer (in seconds). The default value is 0 (disabled).
Changing other options
This section provides information on additional audit options that you configure from the Sidewinder G2 command line with the cf audit command. (The same settings are stored in the audit configuration file, which you can also edit directly.)
strikeback_data_ttl—One option you may want to change is the Strikeback data TTL, using:
cf audit set strikeback.data.ttl=x
where x defines the number of seconds the system should cache data from previous Strikebacks. If you want the latest Strikeback information on an IP address every time, set this value to zero. For example, if you do not want information on an IP address involved in an alarm to be more than one minute old, set the value to 60. The default is 43200 (12 hours).
Strikeback timeout—To configure the Strikeback timeout option, use the following command:
cf audit set strikeback.timeout=x
where x defines the maximum amount of time (in seconds) that a Strikeback process should take (600 is the default).
Example alarm event scenario
As described in the previous section, the Sidewinder G2 can track a number of alarm event types. Using the Admin Console, you can configure how many of these events must occur within a specific time frame before an alarm is triggered, and what should happen when an alarm is triggered.
The steps below walk you through the events that take place when an alarm occurs:
1. The auditbot daemon determines that an alarm event should be triggered.
The system is configured with default event responses for each type of alarm event, but you can also define and select your own options (see “Configuring alarm events” on page 17-2). For example, you may set up your system so that five probe attempts in 30 seconds will trigger an alarm.
2. The Sidewinder G2 notifies the appropriate user.
At system startup, the Sidewinder G2 reads the auditbotd configuration file to determine which user should be notified if an alarm is triggered. By default, the system automatically sends an e-mail message to root (although you can also configure it to send e-mail to other users, or to notify an administrator of the alarm).
If you connect a modem to the Sidewinder G2, and your administrators use pagers, you can also configure the system to automatically send a numeric message to a specified user’s pager when an alarm is triggered.
The message contains one of the following numbers, indicating which type of event generated the alarm:
Numbers 1–14 and 26–27 are alarm events that are pre-defined in the Sidewinder G2. However, you also have the option to create your own custom filters as well. Custom filters will return a message that contains numbers 15–25. If you define custom filters that are assigned numbers higher than 25, you will receive a 15 message by default.
The default values are as follows:
1=Network traffic
2=Attack attempt/Proxy flood
3=Type Enforcement
4=Access control
5=Bad proxy authentication
6=Network probe
7=Mail filter failure
8=IPSEC error
9=Failover
10=Log overflow
11=SYN attack
12=UPS power failure
13=UPS shutdown
14=User license exceeded
16=User-defined default
17-25=User-defined alarm events
26=Hardware-software failure
27=MIME/virus
3. The Sidewinder G2 performs the appropriate Strikeback(s).
Strikebacks are specified in the auditbotd.conf file. Strikeback is a feature the Sidewinder G2 uses to gather information on the alarm event and the identity of any possible intruders. By default, the system runs the dig command to retrieve information about the IP addresses involved in the audit event; you can also select additional commands.
After it compiles the information, the Sidewinder G2 e-mails the results to root (by default) or another user you specify.
4. The administrator reviews the data.
The administrator reviews the audit and Strikeback data he or she was e-mailed. The data is also stored in files.
Sample Strikeback results
When the Sidewinder G2 performs a Strikeback, a complete report on its findings is mailed to the e-mail address record specified for the alarm event that triggered the Strikeback. This includes a list of the offending addresses and information about each of them. The information generated will depend on which Strikeback commands you configured to execute for an alarm event.
The Strikeback report file is in ASCII format and contains the following sections:
Auditbot alarm and Strikeback runtime information—Alarm condition information and how the Strikeback was run.
Summary information—The IP addresses of the potential intruders found in the audit events.
System utilities output—Verbatim output of the Strikeback commands.
A sample of the Strikeback information is shown on the following pages. The data is from an actual report, but the IP addresses and hostnames are fictitious.
For more information on finger, ping, dig, and traceroute, refer to the man pages, or see “Adding or modifying a Strikeback response” on page 17-11.
########################################################
Results from: dig
########################################################
; DiG 8.3 -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER
Ignoring network probe attempts
If a host on the network attempts to connect to the Sidewinder G2 for a service that is not running, an audit record is generated and may trigger an alarm. An ignore list can be set up to ignore unimportant network probe audit events, but save the audit to keep track of the probe attempts. However, if connection attempts are frequent and are coming from a trusted network, then it may be desirable to ignore them completely and not audit the connection attempt by configuring the appropriate IP Filter rules.
The Sidewinder G2 can itself generate network probe attempts between services running on the system. These probe attempts usually indicate one of the services is responding slowly, and do not show that a problem exists on the Sidewinder G2. By default, auditing these loopback network probes is disabled. To turn on auditing for the network probe attempts between services running on the system, enter the following command in the admin role:
sysctl -w kern.audit_netprobe_loopback=1
Important: If you want to ensure that this remains configured, you should also add this command to the end of the /etc/rc.local file.
The following services can be useful in ignoring network probe attempts:
Ignore list—The ignore list defines a collection of network probe attempt audit events to be ignored by the auditbot. These netprobe audit events are still saved by auditd to /var/log/audit.raw. Auditd collects the audit, so the auditor can manually view the audit trail. The ignore list also accepts wildcards in its configuration, so your site has more flexibility in what it decides to ignore.
IP Filter deny rules—You can create IP Filter rules to deny connection requests for specific ports. For example, if you have problems with netbios generating netprobes on the Sidewinder G2, you can discard them and prevent audit events by creating an IP Filter with the following key values:
Type: UDP
Action: Deny
Direction: Uni-directional
Source/Dest Burbs: internal
Source/Dest: All (subnet 0.0.0.0:0)
Source/Dest Ports: 137
Audit Level: None
Configuring the ignore list
The data items in the ignore list define the network probe audit events to ignore. The ignore list is only used by the netprobe_filter auditbot.
Note: The ignore list is configured in the /etc/sidewinder/auditbotd.conf file.
Important: Packets in the ignore list will still be logged to the audit.raw file.
The netprobe_filter auditbot collects audit data on network probe attempts occurring on your system, but does not take action on network probe attempt audit events that match entries in the ignore list. The ignore list fields read as follows:
ignore(burb protocol src_host src_port dst_host dst_port)
Unlike the discard service, the ignore list allows you to use wildcards in all of its configured fields. Besides the wildcard, the fields can contain the following values:
burb
0 through 24 or the wildcard “*”
protocol
A numerical protocol, a protocol name from /etc/protocols (such as udp or tcp), or “*”.
src_host and dst_host
A host name, a dotted IP address, or an asterisk (*) representing the source or destination host.
Note: IP addresses cannot be sub-wildcarded (that is, dotted IP addresses are valid only as a full IP address or an asterisk [*], with no rule-type wildcarding).
src_port and dst_port
A numerical port number, a service name from /etc/services, or an asterisk (*) representing the source or destination port.
The Sidewinder G2 contains the following default ignore list entry to disregard ident probes from all sources:
ignore (* tcp * * * ident)
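To make the matching rules above concrete, here is an added Python parser and matcher for ignore(...) entries. It is an illustration written for this page, not the auditbot's code. It assumes that each of the six fields must match the audit event exactly unless it is "*", that host names compare case-insensitively, and it uses constructed subsets of /etc/protocols and /etc/services instead of reading the real files so that it runs offline. The sample configuration holds the default ident entry plus an SNMP entry of the kind used in the worked example that follows; the probe events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subsets of /etc/protocols and /etc/services (assumption: on the
# firewall these would be looked up in the real files).
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
SERVICES = {"ident": 113, "snmp": 161, "netbios-ns": 137, "telnet": 23}

# ignore(burb protocol src_host src_port dst_host dst_port); "ignore (" is also accepted.
ENTRY_RE = re.compile(r"^ignore\s*\(\s*([^\s)]+)\s+([^\s)]+)\s+([^\s)]+)\s+"
                      r"([^\s)]+)\s+([^\s)]+)\s+([^\s)]+)\s*\)$")
WILD = None   # what a "*" field becomes after parsing


@dataclass(frozen=True)
class Probe:
    """One network probe audit event as the netprobe_filter sees it (constructed shape)."""
    burb: int
    proto: int
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class IgnoreRule:
    burb: Optional[int]
    proto: Optional[int]
    src_host: Optional[str]
    src_port: Optional[int]
    dst_host: Optional[str]
    dst_port: Optional[int]

    def matches(self, p: Probe) -> bool:
        pairs = ((self.burb, p.burb), (self.proto, p.proto),
                 (self.src_host, p.src_host.lower()), (self.src_port, p.src_port),
                 (self.dst_host, p.dst_host.lower()), (self.dst_port, p.dst_port))
        return all(want is WILD or want == have for want, have in pairs)


def _burb(tok):
    if tok == "*":
        return WILD
    n = int(tok)
    if not 0 <= n <= 24:
        raise ValueError(f"burb {tok} outside 0-24")
    return n


def _lookup(tok, table, what):
    """A number, a name from the table, or '*'; unknown names are an error."""
    if tok == "*":
        return WILD
    if tok.isdigit():
        return int(tok)
    if tok.lower() not in table:
        raise ValueError(f"{what} {tok!r} not in the lookup table")
    return table[tok.lower()]


def _host(tok):
    if tok == "*":
        return WILD
    if "*" in tok:   # "10.1.*.*" is invalid: addresses cannot be sub-wildcarded
        raise ValueError(f"host {tok!r}: use a full address, a name or '*'")
    return tok.lower()


def parse_ignore_list(conf_text: str):
    """Parse the ignore(...) entries of an auditbotd.conf fragment."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("ignore"):
            continue              # other auditbotd.conf directives are not modelled
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed ignore entry: {line}")
        b, pr, sh, sp, dh, dp = m.groups()
        rules.append(IgnoreRule(_burb(b), _lookup(pr, PROTOCOLS, "protocol"),
                                _host(sh), _lookup(sp, SERVICES, "service"),
                                _host(dh), _lookup(dp, SERVICES, "service")))
    return rules


def entry_is_valid(line: str) -> bool:
    try:
        return len(parse_ignore_list(line)) == 1
    except ValueError:
        return False


def alarm_candidates(rules, probes):
    """Probes not matched by any entry, i.e. still counted toward netprobe_filter alarms."""
    return [p for p in probes if not any(r.matches(p) for r in rules)]


SAMPLE_CONF = """\
# constructed fragment of /etc/sidewinder/auditbotd.conf
ignore (* tcp * * * ident)
ignore(0 udp master.foo.com * slave.bar.com snmp)
"""

SAMPLE_PROBES = [   # constructed audit events
    Probe(1, 6, "198.51.100.7", 40001, "fw.foo.com", 113),       # ident probe: ignored
    Probe(0, 17, "master.foo.com", 1024, "slave.bar.com", 161),  # matches SNMP entry: ignored
    Probe(2, 17, "master.foo.com", 1024, "slave.bar.com", 161),  # wrong burb: counted
    Probe(1, 6, "198.51.100.7", 40002, "fw.foo.com", 23),        # telnet probe: counted
]


def demo():
    return alarm_candidates(parse_ignore_list(SAMPLE_CONF), SAMPLE_PROBES)
```

Note that the SNMP entry is pinned to burb 0, so the identical probe seen in another burb is still counted, and that a sub-wildcarded address such as 10.1.*.* is rejected at parse time rather than silently matching nothing.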
An example of how to make additions to the ignore list follows.
If you want to ignore SNMP packets (probe attempts) from an internal machine, called master.foo.com, destined for a host called slave.bar.com, do the following:
1. Check the /etc/services file for the name of the service you want to ignore. You can use the port number, the name of an existing service for the port number you want your network to ignore, or you can add an entry to /etc/services.
Note: The name must exist in /etc/services.
2. Using a text editor, add the appropriate line to /etc/sidewinder/auditbotd.conf. For the above example you would use the following line:
ignore(0 udp master.foo.com * slave.bar.com snmp)
3. Save the file, and quit the text editor.
The change will take effect the next time auditbotd reads the configuration file, which is done each time you reload or restart auditbot. This is done by entering one of the following commands:
cf server reload auditbotd
OR
cf server restart auditbotd
Checking system status
In addition to configuring alarm events and Strikeback options, you can display information on the current status of your network connections and take a look at what is happening on the system.
CPU usage
CPU Usage allows you to obtain information on system performance. To view CPU usage information, enter the following commands at the Sidewinder G2 command prompt:
/usr/sbin/vmstat
/usr/bin/uptime
/usr/contrib/bin/top
Process status
To view the status of all processes currently running on the Sidewinder G2, enter the following command at a Sidewinder G2 command prompt.
/bin/ps -axd
This information is useful for tasks such as determining which processes are using a lot of CPU time. The ps command allows you to look at information about the processes running on the system. This command is a variation on the standard UNIX process status command in that it includes information on the Sidewinder G2 domains. To display process information from the UNIX prompt, enter one of the following commands at a Sidewinder G2 command prompt.
To list process information as well as information on the real domains in which processes are operating, enter the ps -D command. Real domains control the interaction between one process and other processes.
To list process information as well as information on the effective domains in which processes are operating, enter the ps -d command. Effective domains control the interaction between a process and files.
Note: In most cases, the information displayed for either the real domain (RDOM) or the effective domain (EDOM) will be the same.
In addition to the information you normally get with the ps command, you see domain information similar to the following.
RDOM PID TT STAT TIME COMMAND
Rlg0 7418 p2 IW+ 0:01.30.u (tcsh)
tcp0 9806 pd Is+ 0:02.05-tcsh (tcsh)
where:
EDOM or RDOM—domain name
PID—process identification number
TT—terminal line from which the process was initiated
STAT—current status of the process
TIME—total amount of CPU time used by the process
COMMAND—command line used to start the process
Disk usage
To view statistics about the amount of free disk space on a file system, enter the following command at a Sidewinder G2 command prompt.
/bin/df
This information is useful to determine which file systems are using the most disk space.
who
To view who is currently logged onto your Sidewinder G2, enter the following command at a Sidewinder G2 prompt.
/usr/bin/who
When you use this utility, you can see the user’s login name, console name, the date and time of their login, and their host name, if it is not a local host.
lloyd console Aug 8 16:12 (rock.foo.bar)
lloyd ttyp0 Aug 7 21:34 (10.1.1.1)
finger
To obtain information about local Sidewinder G2 users, type the following command at a Sidewinder G2 prompt.
/usr/bin/finger
When you use this command, you can find out the user names of people at your site, the exact terminal they are logged in on, when they last logged in, and how long they have been logged on.
Login Name Tty Idle Login Time Office Office Phone
lloyd Lloyd Frank *p0 2 Aug 8 16:12 ABC,Inc. 555-1234
lloyd Lloyd Frank *p3 19:03 Aug 7 21:34 ABC,Inc. 555-1234
Checking network status
You can display information on the status of your network connections, routing tables, and network utilities. Using the commands described in the sections that follow, you can get "snapshots" of different aspects of your system.
Note: Output for netstat -i queries will display shared addresses with a plus (+) sign.
Active network connections
To view the status of any active TCP or UDP connections on the Sidewinder G2, enter the following command:
/usr/sbin/netstat -f inet
Active connections/services
To view the status of all sockets on the Sidewinder G2, enter the following command at a Sidewinder G2 command prompt:
/usr/sbin/netstat -af inet
Network interfaces<br />
Checking network status<br />
To view the status <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>’s network interfaces, enter<br />
the following command at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
/usr/sbin/netstat -i -n<br />
Routing tables<br />
To view the status <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> Operational kernel’s available<br />
routes and their status, enter the following command at a <strong>Sidewinder</strong><br />
<strong>G2</strong> command prompt:<br />
/usr/sbin/netstat -r<br />
route get<br />
The route get command looks up the route for a destination, and<br />
displays the route in the window. To view this information, enter the<br />
following command at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
/sbin/route get ipaddress<br />
The following shows sample output for this command.<br />
route to: rock<br />
destination: rock<br />
gateway: xx.xx.xx.xx<br />
interface: ef2<br />
if address: xx.xx.xx.x<br />
burb: y<br />
flags:<br />
nslookup<br />
The nslookup command queries the DNS database to get all <strong>of</strong> the<br />
information that is available about a particular address. The output<br />
includes the name and address <strong>of</strong> the DNS server used to provide the<br />
information, the name <strong>of</strong> the system you asked about and other data<br />
that might be available, such as where e-mail is delivered for the<br />
domain.<br />
To view this information, enter either <strong>of</strong> the following commands at a<br />
<strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
/usr/bin/nslookup ipaddress<br />
OR<br />
/usr/bin/nslookup hostname<br />
The following shows sample output for this command.<br />
Server: localhost.foo.bar<br />
Address: 10.2.2.2<br />
Non-authoritative answer:<br />
Name: sharon.foo.bar<br />
Address: 10.1.1.1<br />
dig<br />
The dig (Domain Information Groper) command gathers<br />
information from DNS based on an IP address and obtains the<br />
corresponding host name (the -x option requests a reverse lookup).<br />
To view this information, enter the following command at a Sidewinder G2 command prompt:<br />
/usr/bin/dig -x ipaddress any any<br />
The following shows sample output for this command.<br />
; Dig 2.1 homer<br />
;; res options: init recurs defnam dnsrch<br />
;; got answer:<br />
“->>HEADER<br />
Generic Records, Inc.<br />
1234 Elm Avenue<br />
St. Paul, MN 01234-5678<br />
Domain Name: ROCK.FOO.BAR<br />
Administrative Contact, Technical Contact, Zone Contact:<br />
Frank, Lloyd (DS1234) lloyd@rock.foo.bar<br />
(567) 555-1234<br />
Record last updated on 13-Mar-02.<br />
Record created on 18-Feb-01.<br />
Domain servers in listed order:<br />
LOCALHOST.FOO.BAR 10.1.1.1<br />
AB.CD.NET 10.2.2.2<br />
ping<br />
The ping command checks whether an Internet system is running by<br />
sending packets that the remote system should echo back. As output,<br />
ping lists how much time it took for the message to travel to the other<br />
system and back, the total number <strong>of</strong> packets sent and received, the<br />
percent <strong>of</strong> packets lost, and the average and maximum time it took for<br />
a round trip. To view this information, enter the following command:<br />
/bin/ping -c 5 ipaddress<br />
traceroute<br />
The traceroute command provides information on the gateways an<br />
IP packet must pass through to get to a destination. As input, the<br />
command needs the host name or IP address <strong>of</strong> the destination<br />
system. It then sends these IP packets from your <strong>Sidewinder</strong> <strong>G2</strong> to<br />
that address. As output, it lists the host names and IP addresses <strong>of</strong><br />
each system the packets were handed <strong>of</strong>f to and how long it took to<br />
send each packet back and forth.<br />
To view this information, enter the following command at a<br />
<strong>Sidewinder</strong> <strong>G2</strong> command prompt.<br />
/usr/sbin/traceroute -m 50 -p 33500 ipaddress
C HAPTER 18<br />
Monitoring, Auditing, and<br />
Reporting<br />
About this chapter This chapter contains information on monitoring the current state <strong>of</strong><br />
your <strong>Sidewinder</strong> <strong>G2</strong>. It also explains the <strong>Sidewinder</strong> <strong>G2</strong>’s unique<br />
auditing features and describes how messages are logged on the<br />
system. Using the audit information, you can generate detailed reports<br />
that provide information on security violations, failed login attempts,<br />
and network traffic, as well as many other reports.<br />
Note: The auditing log files can become large quickly and take up a lot of hard disk space.<br />
To solve this problem, the log files are automatically rotated. See "Understanding<br />
automatic (cron) jobs" in Appendix A for details.<br />
This chapter includes the following topics:<br />
“Overview of the audit process” on page 18-1<br />
“Monitoring Sidewinder G2 status” on page 18-3<br />
“Auditing on the Sidewinder G2” on page 18-5<br />
“Logging application messages using Syslog” on page 18-21<br />
“Generating and viewing reports using the Admin Console” on<br />
page 18-23<br />
“Viewing auto-generated reports” on page 18-30<br />
“Generating exportable reports” on page 18-30<br />
“Using third party reporting tools” on page 18-31<br />
Overview of the audit process<br />
Monitoring, auditing, and reporting are closely related pieces of the<br />
audit process that function together to provide information to you<br />
about the activity on your Sidewinder G2. On the Sidewinder G2, you<br />
can monitor the status of various processes in real-time, view stored<br />
audit information, and generate detailed reports. The diagram below<br />
demonstrates how these pieces are related in the audit flow.<br />
Monitoring, Auditing, and Reporting 18-1<br />
Figure 18-1. The audit flow<br />
Monitoring: using the Admin Console, you can monitor Sidewinder G2 activity and status in real-time.<br />
Auditing: programs and the kernel write to the live audit stream (/dev/audit). auditd reads /dev/audit and places the information into /var/log/audit.raw, the recorded audit stream. This is now "history" and contains everything that might be worth viewing; using the Admin Console, you can filter and view this audit information. auditbotd also listens to the audit stream; it has a threshold and can trigger an event response (see Chapter 17).<br />
Reporting: auditdbd reads the audit stream and maintains auditdb, an SQL database containing all relevant audit information. Using the Admin Console, you can generate detailed, easy-to-read reports from it.<br />
Monitoring Sidewinder G2 status<br />
Figure 18-2. Firewall Monitoring window<br />
The Admin Console allows you to display status information on any<br />
Sidewinder G2 you have configured via the Monitoring window. You<br />
can have several Monitoring windows running simultaneously, each<br />
monitoring a single Sidewinder G2. Once launched, each window is a<br />
self-contained program capable of running completely on its own.<br />
That is, the Monitoring window will continue to run even if you exit<br />
the Admin Console.<br />
To view a Monitoring window, using the Admin Console select<br />
Reports & Monitoring -> Firewall Monitoring. A login window appears.<br />
Enter your user name and authentication information and click OK.<br />
The Firewall Monitoring window appears.<br />
About the Firewall Monitoring window<br />
This window is used to report the status <strong>of</strong> various processes,<br />
network, and proxy traffic for a particular <strong>Sidewinder</strong> <strong>G2</strong>. The name<br />
<strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> being monitored is shown in the window’s title<br />
bar. You can monitor the following information:<br />
Load Average—This area displays the number <strong>of</strong> processes in the<br />
system run queue that is averaged over a period <strong>of</strong> time.<br />
Disk Use—This area displays how much <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>’s<br />
hard disk space is currently being used.<br />
Memory Use—This area displays the amount <strong>of</strong> memory currently<br />
being used by programs operating on this <strong>Sidewinder</strong> <strong>G2</strong>.<br />
TCP Connections—This area displays the number <strong>of</strong> TCP<br />
connections that are currently open on this <strong>Sidewinder</strong> <strong>G2</strong>. To<br />
view details, click TCP Connections.<br />
UDP Connections—This area displays the number <strong>of</strong> UDP<br />
connections that currently exist for this <strong>Sidewinder</strong> <strong>G2</strong>.<br />
IP Filter Sessions—This area displays the number <strong>of</strong> IP Filter sessions<br />
that currently exist for this <strong>Sidewinder</strong> <strong>G2</strong>. To view details for<br />
these sessions, click IP Filter Sessions.<br />
Process—This area displays the status <strong>of</strong> each process that is<br />
currently running on this <strong>Sidewinder</strong> <strong>G2</strong>. It provides the following<br />
details for each process:<br />
— CPU: This field displays the percentage <strong>of</strong> CPU currently being<br />
used to run each process.<br />
— Process Size: This field displays the amount <strong>of</strong> memory a<br />
process is using.<br />
— Resident memory: This field displays the amount <strong>of</strong> physical<br />
memory a process is using.<br />
Network Traffic—This area provides traffic information for each <strong>of</strong><br />
the network interfaces on this <strong>Sidewinder</strong> <strong>G2</strong>. The name <strong>of</strong> each<br />
network interface is displayed in the left column. The second and<br />
third columns indicate the average number <strong>of</strong> inbound and<br />
outbound packets processed per second by each interface,<br />
respectively.<br />
(You can also view this information by typing netstat -is at the<br />
command prompt.)<br />
Proxy Traffic—This area lists each proxy that is currently passing<br />
traffic and the number <strong>of</strong> instances.<br />
Uptime—This area displays the amount <strong>of</strong> time since the last<br />
reboot.<br />
Refresh Rate—This field indicates how <strong>of</strong>ten the Monitoring<br />
window will refresh. Valid values range from 5 seconds to 10<br />
minutes. The default is 30 seconds.<br />
When you modify the refresh rate, the change will not take effect<br />
until the next scheduled refresh time. To make the change take<br />
effect immediately, press Enter after changing the refresh value.
Auditing on the Sidewinder G2<br />
Auditing is one <strong>of</strong> the most important features on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> generates audit each time the <strong>Sidewinder</strong> <strong>G2</strong> or<br />
any <strong>Sidewinder</strong> <strong>G2</strong> service is stopped or started. Audit is also<br />
generated when any <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>’s audit facilities are<br />
modified. Other relevant audit information that is captured includes<br />
identification and authentication attempts (successful and failed),<br />
network communication (including the presumed addresses <strong>of</strong> the<br />
source and destination subject), administrative connections (such as<br />
changing to the srole), and modifications to your security policy or<br />
system configuration (including all administrator activity, such as<br />
changing the system time).<br />
The <strong>Sidewinder</strong> <strong>G2</strong>’s audit facilities also monitor the state <strong>of</strong> log files<br />
to minimize the risk <strong>of</strong> lost data. Log files are compressed, labelled,<br />
and stored on a daily basis, and a new “current” log file is created.<br />
Using this mechanism, no audit data is lost during the storage<br />
transition.<br />
The amount of available audit storage space is monitored closely<br />
on the Sidewinder G2: the rollaudit and logcheck utilities watch<br />
the log file size and rotate log files as needed. (For<br />
information on using rollaudit, see “Rollaudit cron jobs” on page A-16.<br />
For information on using the logcheck utility, refer to the logcheck<br />
man page.)<br />
There are three main components to the <strong>Sidewinder</strong> <strong>G2</strong> audit process:<br />
auditd—This is the audit logging daemon. This daemon listens to<br />
the <strong>Sidewinder</strong> <strong>G2</strong> audit device and writes the information to log<br />
files. The log files provide a complete record <strong>of</strong> audit events that<br />
can be viewed by an administrator. auditd sends all audit data to<br />
a binary file called /var/log/audit.raw.<br />
Note: You configure this daemon by editing the /etc/sidewinder/auditd.conf file.<br />
In this file, you can specify that auditd append the host names of the source and<br />
destination IP addresses to the audit event. By default, this option is turned off in the<br />
/etc/sidewinder/auditd.conf file. When turned on, IP addresses are resolved using<br />
the non-blocking resolver, nbresd. Because the name is looked up at audit time, it is only<br />
as reliable as the DNS answer received; treat the recorded IP address as the authoritative value.<br />
auditbotd—The <strong>Sidewinder</strong> <strong>G2</strong> uses a process called the<br />
auditbot (referred to as alarms in the Admin Console) which also<br />
runs as a daemon (auditbotd). This daemon listens to the audit<br />
device and gathers the security-relevant information it finds. The<br />
auditbot process looks for specific types <strong>of</strong> events that are defined<br />
in the /etc/sidewinder/audit_filters.conf file.<br />
The auditbot daemon tracks these events and uses information in<br />
its configuration file to determine when the data might be indicating<br />
a problem, such as an attempted break-in. For more information<br />
on configuring auditbots (alarms) and event responses, refer<br />
to Chapter 17.<br />
auditdbd—This is the daemon that maintains the audit database.<br />
auditdbd monitors the audit stream and sends reporting<br />
information to be stored in the MySQL database called auditdb.<br />
The auditdbd server is disabled by default.<br />
Note: Reporting services are not available until the auditdbd server is enabled. For<br />
information on enabling the auditdbd server, see “Enabling and disabling servers” on<br />
page 3-30.<br />
To view a list <strong>of</strong> audit databases, enter the following command:<br />
cf audit listdb<br />
A list of audit databases appears. The database named auditdb_1<br />
generally contains the previous day’s information. The database<br />
named auditdb_2 is generally from two days ago, and so on.<br />
Understanding audit file names<br />
The /var/log/audit.raw file contains all audit information and<br />
network probe audits recorded on the Sidewinder G2 in a binary<br />
format. When the file is rolled, a timestamp is appended to the file<br />
name. The easiest method for viewing the contents <strong>of</strong> the audit.raw<br />
files is to use the Admin Console’s Audit Viewing window. Refer to<br />
“Viewing audit information” on page 18-7.<br />
Tip: If you prefer to view the file contents via command line, refer to the showaudit<br />
and acat man pages.<br />
Audit files use one <strong>of</strong> two file suffixes:<br />
*.gz—This suffix is for files in compressed format. These files may<br />
be decompressed using acat or showaudit. You also have the<br />
option <strong>of</strong> using the gunzip program. (For information on using<br />
acat or showaudit, refer to the appropriate man pages.)<br />
*.raw—This suffix is for files in raw audit format. These are binary<br />
formatted files that can be viewed in ASCII format using the Admin<br />
Console (or if you prefer using the command line, via the<br />
showaudit or acat programs).
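The rolling convention just described (a timestamp added to the file name, compressed archives under .gz, uncompressed ones under .raw) can be modelled in a few lines. The following Python is an added example and is not rollaudit, acat or any other Sidewinder G2 code: it rolls a constructed audit.raw in a scratch directory, compresses the rolled copy, and reads archives back by checking the gzip magic bytes rather than trusting the suffix. The timestamp layout (YYYYMMDDhhmmss, UTC) and its placement before the .raw suffix are assumptions; the real naming is defined by rollaudit.

```python
"""Added example: roll a raw audit file and read .raw or .gz archives back.
Not Sidewinder G2 code; the file naming details are assumptions."""
import gzip
import os
import shutil
import tempfile
import time

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def roll_audit(current, when=None):
    """Roll `current` (e.g. .../audit.raw) into a timestamped, compressed archive.

    Order matters for not losing data: rename first (atomic on one file system),
    create the new empty current file, then compress the rolled copy.
    Timestamp layout and placement are assumptions, not rollaudit's real naming.
    """
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(when))
    base, ext = os.path.splitext(current)      # ("/.../audit", ".raw")
    rolled = f"{base}.{stamp}{ext}"            # audit.<stamp>.raw
    os.rename(current, rolled)
    open(current, "ab").close()                # new "current" log exists at once
    archive = rolled + ".gz"                   # audit.<stamp>.raw.gz
    with open(rolled, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(rolled)
    return archive


def open_audit(path):
    """Open a rolled audit file for reading, decompressing if the content is gzip.

    The suffix is not trusted: a renamed or mislabelled file would otherwise be
    fed to the wrong reader.
    """
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == GZIP_MAGIC:
        return gzip.open(path, "rb")
    return open(path, "rb")


def classify_audit_files(directory):
    """Group file names by the two suffixes the guide lists (.gz and .raw)."""
    out = {"gz": [], "raw": []}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".gz"):
            out["gz"].append(name)
        elif name.endswith(".raw"):
            out["raw"].append(name)
    return out


def demo(when=0):
    """Roll a constructed audit.raw in a scratch directory and check the round trip."""
    workdir = tempfile.mkdtemp(prefix="audit-demo-")
    current = os.path.join(workdir, "audit.raw")
    # Constructed bytes standing in for binary audit records; not the real format.
    records = b"\x00\x01constructed binary audit records\x02\x03"
    with open(current, "wb") as fh:
        fh.write(records)
    archive = roll_audit(current, when=when)
    with open_audit(archive) as fh:
        restored = fh.read()
    with open_audit(current) as fh:
        current_bytes = fh.read()
    result = {
        "archive": os.path.basename(archive),
        "restored_ok": restored == records,
        "current_empty": current_bytes == b"",
        "files": classify_audit_files(workdir),
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

Renaming before compressing is what keeps the transition lossless: the archive is produced from a file nothing is writing to any more, while the new current file is already in place.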
Viewing audit information<br />
Figure 18-3. Audit Viewing: View Mode tab<br />
Using the Admin Console, you can view the information contained in<br />
the /var/log/audit.raw file. The Admin Console Audit Viewing<br />
window allows you to view audit information in real-time, or for a<br />
specific timeframe that you select. You can also apply filters to view<br />
specific types <strong>of</strong> audit information within a specific timeframe. To<br />
view audit information using the Admin Console, follow the steps<br />
below.<br />
1. In the Admin Console, select Reports and Monitoring -> Audit Viewing. A<br />
Login window appears.<br />
2. Enter your username and the appropriate authentication information,<br />
and click OK. The Audit Viewing window appears with the View Mode<br />
tab displayed.<br />
About the View Mode tab<br />
This tab allows you to configure the type of audit information you<br />
want to view. You can view the audit events via the Admin Console,<br />
or you can export the audit events to a text file for viewing or<br />
printing. Follow the steps below.<br />
1. In the Select a Viewing Mode area, select one <strong>of</strong> the following:<br />
Real Time—Select this option and go to step 3 if you want to view<br />
streaming audit in real time.<br />
Snapshot—Select this option and continue to step 2 if you want to<br />
view audit messages within a specific timeframe.<br />
Important: The Audit Data Timespan field (located in the top portion <strong>of</strong> the<br />
Audit Data window) displays the range <strong>of</strong> audit data that is available on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> for viewing. If you select Snapshot mode, the audit timeframe you<br />
select must fall within this range.<br />
2. [Conditional] If you selected Snapshot mode, specify the start and end<br />
time for the period <strong>of</strong> audit data that you want to view, as follows:<br />
a. Select the start and end months in the corresponding month dropdown<br />
lists.<br />
b. Select the start and end years in the corresponding year lists. You<br />
can either use the up and down arrows to advance the time ahead<br />
or back, or you can click in the field and modify it manually.<br />
c. Select the start and end days in the corresponding calendars by<br />
clicking on the appropriate dates.<br />
d. Select the start and end time in the corresponding Time fields. You<br />
can either use the up and down arrows to advance the time ahead<br />
or back, or you can click in the field and modify it manually.<br />
Tip: To set the start date to the earliest available date, click Start <strong>of</strong> Data. To set the<br />
end date to the current date and time, click Now. The date and time fields will<br />
automatically fill in the correct information.<br />
3. In the Lines Per Page field, type the number <strong>of</strong> audit events that you<br />
want available within each page <strong>of</strong> audit. Valid values are 1–100. For<br />
example, if you select 50 audit events per page, you can scroll through<br />
50 events at a time.<br />
Note: Use the scroll bar to view all audit events within a page if needed.<br />
4. [Conditional] If you want to set up filtering options for the audit data,<br />
select the Filtering tab and see “Filtering audit data” on page 18-12.
Figure 18-4. Snapshot Audit Data window<br />
5. Once you have configured the timeframe <strong>of</strong> audit events, do one <strong>of</strong> the<br />
following:<br />
To export the audit information to a text file that you can edit and<br />
print, click Export and see “Exporting audit data” on page 18-11.<br />
Note: The Export option is only available if you selected Snapshot in step 1.<br />
To view the results <strong>of</strong> your audit query in the Audit Data window,<br />
click View. The Audit Data window appears as a separate pop-up<br />
window.<br />
About the Audit Data window<br />
This window allows you to view the audit events that you selected in<br />
the Audit Viewing window. Each audit event appears as a single row<br />
in the table. Use the scroll bars to view all <strong>of</strong> the information in the<br />
table. If you selected Real-Time audit data, the table will be grayed<br />
out and will populate with audit events as they happen in real time.<br />
You cannot modify the table or events while real-time audit is<br />
running.<br />
The number <strong>of</strong> audit events you can scroll through on each page is<br />
dependent on the Lines Per Page value you entered in the Audit<br />
Viewing window (see page 18-7). For example, if you selected 50 audit<br />
events per page, you can scroll through 50 events at a time. To move<br />
to the next 50 events, click Next Page or Previous Page, accordingly.<br />
When you click on an audit event in the table, the detailed audit<br />
information for an audit event is displayed in the bottom portion <strong>of</strong><br />
the window (it also appears in the Info column). The following<br />
information is displayed in the table:<br />
Note: Some audit types will not contain information for each table column. If a column is<br />
blank, that information does not apply for that particular audit event.<br />
— Time—This column lists the time at which an audit event<br />
occurred.<br />
— Type—This column lists the type of each audit event (for example,<br />
cfg_change indicates that the audit event represents a<br />
configuration change made on the Sidewinder G2).<br />
— Service—This column lists the service type associated with an<br />
audit event.<br />
— Source IP—This column lists the source IP address associated with<br />
an audit event.<br />
— Source Burb—This column lists the source burb associated with an<br />
audit event.<br />
— Destination IP—This column lists the destination IP address<br />
associated with an audit event.<br />
— Destination Burb—This column lists the destination burb associated<br />
with an audit event.<br />
— Info—This column provides detailed audit information associated<br />
with an audit event. (This information is also displayed in the<br />
bottom portion of the window if you click on an audit event.)<br />
Ordering the audit event table<br />
Initially, the audit events are listed in chronological order. However,<br />
you can filter any column of the table to re-order the results by right-clicking<br />
on a row and selecting one of the filtering options. For<br />
information on filtering tables, see “Admin Console conventions” on<br />
page 2-11.<br />
Note: To view the details <strong>of</strong> a particular audit event in the real-time audit results, you<br />
must first click Stop to end real-time audit. This will enable the table and allow you to use<br />
the window as you would if you were viewing a snapshot <strong>of</strong> audit events.<br />
Important: If you click Stop when viewing audit events in real time and then click<br />
Start, the table will be cleared and new real-time audit events will be displayed as they<br />
happen.
Saving audit events<br />
Figure 18-5. Export Audit Data window<br />
To save some or all audit events listed in the Audit Viewing window,<br />
do one <strong>of</strong> the following:<br />
To save all <strong>of</strong> the audit events listed, click Save All. The Export<br />
Audit Data window appears. (Click Browse to specify a location in<br />
which to save the audit information.) To save the information click<br />
Save (or click Save and View to save the file and launch the file for<br />
viewing).<br />
To save selected audit events, press and hold the Ctrl key while<br />
clicking in the row of each audit event you want to save. When<br />
you have highlighted all <strong>of</strong> the audit events you want to save, click<br />
Save Selected. The Export Audit Data window appears. (Click<br />
Browse to specify a location in which to save the audit<br />
information.) To save the information click Save (or click Save and<br />
View to save the file and launch the file for viewing).<br />
Exporting audit data<br />
To export audit data to a text file that can be viewed and printed, click<br />
Export in the Audit Viewing window (or Save/Save and View in the<br />
Audit Data window). A message appears warning you that the export<br />
process may take awhile depending on the number <strong>of</strong> results you are<br />
exporting. Click Yes to continue the Export process. The Export Audit<br />
Data window appears. (If you want to cancel the export action, click<br />
No.)<br />
Tip: If you do not want the warning message to appear each time you export audit data,<br />
select the Don’t Show Dialog Again check box.<br />
About the Export Audit Data window<br />
This window allows you to export the audit data you specified in the<br />
Audit Viewing or Audit Data window. Follow the steps below.<br />
1. In the Filename field, specify the file name and location for the audit<br />
data you are exporting.<br />
2. To specify the location where the file will be saved, click Browse and<br />
select the desired path.<br />
3. In the Export Format area, select one <strong>of</strong> the following:<br />
ASCII Audit—Select this option to save the audit information in<br />
ASCII format. This allows you to open the file using any standard<br />
text editor, such as Notepad.<br />
ASCII <strong>Sidewinder</strong> Export Format—Select this option if you want to<br />
convert the data into ASCII text and export it using the <strong>Sidewinder</strong><br />
Export Format (SEF) tool.<br />
4. To save the file, select one <strong>of</strong> the following:<br />
Click Save to save the file to the specified location for later viewing.<br />
Click Save and View to save the file to the specified location and<br />
launch the file using a standard text editing program (such as<br />
Notepad).<br />
Click Close to exit the window without saving the file.<br />
Filtering audit data<br />
To filter the type <strong>of</strong> audit data you want to view, select the Filtering<br />
tab in the Audit Viewing window. The Filtering tab appears.
Figure 18-6. Audit Filtering tab<br />
About the Audit Viewing: Filtering tab<br />
This tab allows you to configure filters to display or exclude certain<br />
types <strong>of</strong> audit events. Follow the steps below.<br />
1. In the Audit Types area, select the types <strong>of</strong> audit events that you want to<br />
view. (For a description of each pre-defined filter, see Table 18-1 on page<br />
18-14.) To select all of the filters, click Select All. To deselect all of the filters<br />
and clear any selections that are currently selected, click Deselect All.<br />
2. In the Advanced area, you can further refine the filter(s) you selected by<br />
specifying any <strong>of</strong> the following information:<br />
Source Burb—Select this option and choose a burb to receive only audit<br />
events whose source is that burb.<br />
Source IP—Select this option and enter an address to receive only audit<br />
events from that source IP address.<br />
Number of Bits—If you selected Source IP, type the number of leading bits<br />
of the source IP address to match; fewer bits match a larger address range.<br />
Destination Burb—Select this option and choose a burb to receive only audit<br />
events whose destination is that burb.<br />
Destination IP—Select this option and enter an address to receive only audit<br />
events to that destination IP address.<br />
Number of Bits—If you selected Destination IP, type the number of leading bits<br />
of the destination IP address to match.<br />
Service—Select this option and select a service from the dropdown<br />
list to receive only audit events generated by the type of<br />
service you specify.<br />
3. To customize the filter expression to view more specialized audit<br />
information, select the Custom check box. For example, if you want to<br />
view HTTP network traffic audit events for a user named Veronica, you<br />
would type the following information in this field:<br />
type AUDIT_T_NETTRAFFIC and service WebProxy and<br />
username Veronica<br />
You can also use the pre-defined filters as building blocks to create your<br />
own custom filter. To do this, you will need to deselect the Custom<br />
check box, select the pre-defined filters that you want to use, and then<br />
select the Custom check box. You can then modify the filter as needed<br />
without having to create it completely from scratch.<br />
You cannot save a customized filter that you create in the Audit Filtering<br />
window. However, you can create and save custom filters in the<br />
audit_filters.conf file. Filters that you create and save in the<br />
audit_filters.conf file will appear in the filter list when you log in to the<br />
Audit window. You can access the audit_filters.conf file using the Admin<br />
Console File Editor. For detailed instructions on creating custom audit<br />
filters in the audit_filters.conf file, refer to the sacap_filter man page.<br />
all_audit: Displays all audit events contained in the audit.raw file.<br />
attack_filter: Displays audit information for detected attack attempts (that is, any suspicious occurrence) identified by one of the services on the Sidewinder G2.<br />
deniedauth_filter: Displays audit events generated when a user attempts to authenticate and enters invalid data.<br />
failover_filter: Displays audit information generated when a failover IP address changes on the system.<br />
filterfail_filter: Displays audit information generated when an SMTP mail message fails a configured mail filter. For example, if a mail message failed the Key Word Search filter, a mail filter failure event would be logged.<br />
Note: The mail filter map configuration determines what is done with failed messages.<br />
hardware_software_fail: Displays audit information generated when a recognized hardware or software component fails.<br />
ipsec_filter: Displays audit information generated when IPSec errors exceed the configured threshold values.<br />
licexceed_filter: Displays audit information generated when users are denied access due to a user license cap violation.<br />
logoverflow_filter: Displays audit events generated when audit logs are close to filling the partition.<br />
netprobe_filter: Displays audit events generated when network probe attempts occur (that is, any time a user attempts to connect or send a message to a TCP or UDP port that either has no service associated with it or is associated with an unsupported service).<br />
networkacl_filter: Displays audit events generated when the number of denied access attempts to services exceeds a specified number.<br />
powerfail_filter: Displays audit events generated when an Uninterruptible Power Supply (UPS) has a power failure and the Sidewinder G2 is running on UPS battery power.<br />
proxyflood_filter: Displays audit events generated when potential connection attack attempts are detected.<br />
shutdown_filter: Displays audit events generated when the Sidewinder G2 is shut down by a UPS that is running out of battery power or has been on UPS battery power for the estimated battery time.<br />
synattack_filter: Displays audit events generated when the Sidewinder G2 encounters a SYN attack.<br />
te_filter: Displays audit events generated when an unauthorized user or process attempts to perform an illegal operation on a file on the Sidewinder G2.<br />
traffic_filter: Displays audit events generated when the number of traffic audit events written by the various proxies (WWW, Telnet, FTP, etc.) going through the Sidewinder G2 exceeds a specified number in a specified time period. This information can be useful for monitoring the use of the Sidewinder G2 services by internal users.<br />
Note: Network traffic thresholds are reported as number of events per second, not as number of bytes per second.<br />
Note: Proxy and server rules with an audit level of Errors Only will generate only a subset of auditable events.<br />
virusmime: Displays audit events generated when a virus or denied MIME type is detected.<br />
showaudit_aclviolation: Displays audit events generated by rule violations.<br />
showaudit_error: Displays audit events generated by system errors.<br />
showaudit_nettraffic: Displays audit events generated by network traffic.<br />
Note: Proxy and server rules with an audit level of Errors Only will generate only a subset of auditable events.<br />
showaudit_authfailure: Displays audit events generated by each failed authentication attempt for both users and administrators.<br />
showaudit_netprobe: Displays audit events generated by netprobe attempts.<br />
showaudit_syslog: Displays audit events generated by syslog.<br />
showaudit_te: Displays audit events generated by the Type Enforcement policy engine.<br />
showaudit_vpn: Displays audit events generated by VPN.<br />
showaudit_conf: Displays audit events generated by configuration changes (for example, database modifications).<br />
showaudit_not_conf: Displays all audit events other than configuration changes.<br />
Creating custom audit filters<br />
The Custom option in the Filter By field allows you to define a custom filter to view more specialized audit information. The basic structure consists of the type (AUDIT_T_TYPE) or facility (AUDIT_F_FACILITY) for which you want to search, followed by additional fields that further narrow the audit results. The fields are separated by Boolean operators (and, or, not) and grouped by parentheses. The following examples demonstrate the basic structure used to create custom audit filters.<br />
Note: Table 18-2 provides a list of the available fields (for example, facility, type, service, user, etc.) that you can use to filter your audit search.<br />
Example 1: Filtering for login records<br />
The following example shows the format used to display all system login records (successful and unsuccessful):<br />
facility AUDIT_F_LOGIN<br />
If you want to view login records for a specific user, you would include a username, as follows:<br />
facility AUDIT_F_LOGIN and username Josephine<br />
Example 2: Filtering for services and users<br />
The following example shows the format used to display HTTP network traffic audit records for a user named Lloyd:<br />
type AUDIT_T_NETTRAFFIC and service WebProxy and username Lloyd<br />
where:<br />
type AUDIT_T_NETTRAFFIC—This field will filter audit records for all network traffic events.<br />
service WebProxy—This field will filter the network traffic audit events to include only WebProxy service records.<br />
username Lloyd—This field will filter the WebProxy network traffic events to include only events that are specific to actions performed by a username of “Lloyd.”<br />
Example 3: Filtering for specific ports and IP addresses<br />
The following example shows the format used to display all network probe events on port 37337 on subnet 192.168.124.0/24 originating from burbs 3 or 4:<br />
type AUDIT_T_NETPROBE and dst_port 37337 and dst_ip 192.168.124.0/24 and (src_burb 3 or src_burb 4)<br />
where:<br />
type AUDIT_T_NETPROBE—This field will filter audit records for all network probe events.<br />
dst_port 37337—This field will filter the network probe events to include only records with a destination port of 37337.<br />
dst_ip 192.168.124.0/24—This field will filter the network probe events to include only records with a destination IP address in 192.168.124.0/24.<br />
(src_burb 3 or src_burb 4)—This information will filter the network probe events to include only records with a source burb of 3 or 4.<br />
Example 4: Excluding information in a filter<br />
You can explicitly exclude certain types of audit information by placing the word “not” in front of a field. For example, the custom filter shown below will display all audit records EXCEPT network traffic records originating from the source IP address 172.17.9.28:<br />
not type AUDIT_T_NETTRAFFIC and src_ip 172.17.9.28<br />
where:<br />
not type AUDIT_T_NETTRAFFIC—This field will exclude any network traffic-based audit events.<br />
src_ip 172.17.9.28—This field will filter for all non-network traffic audit records generated from the source address 172.17.9.28.<br />
Table 18-2. Custom audit filter fields<br />
facility: Specify an event facility code (such as AUDIT_F_LOGIN, AUDIT_F_PROXY, etc.). For a complete list of the available facility codes, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more<br />
type: Specify an event type code (for example, type AUDIT_T_NETTRAFFIC). For a complete list of the available type codes, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more<br />
pid: Specify the process ID of the auditing process.<br />
pgid: Specify the process group ID of the auditing process.<br />
ruser: Specify the real user ID of the auditing process.<br />
euser: Specify the effective user ID of the auditing process.<br />
username: Specify a user name.<br />
src_ip: Specify the source IP address using dotted decimal IP version 4 notation, with optional mask bits separated by a slash (/).<br />
dst_ip: Specify the destination IP address using dotted decimal IP version 4 notation, with optional mask bits separated by a slash (/).<br />
src_port: Specify the TCP or UDP source port.<br />
dst_port: Specify the TCP or UDP destination port.<br />
src_burb: Specify the source burb number.<br />
dst_burb: Specify the destination burb number.<br />
service: Specify the type of service (for example, Telnet, FTP, WebProxy, etc.).<br />
vpn_l_gw: Specify a VPN local gateway using the standard dotted decimal IP version 4 notation with optional mask bits separated by a slash (/).<br />
vpn_r_gw: Specify a VPN remote gateway using the dotted decimal IP version 4 notation with optional mask bits separated by a slash (/).<br />
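The following Python script is an added illustration of the custom filter grammar described in this section (a type or facility test followed by further field tests, joined by and, or and not, and grouped with parentheses); it is example code written for this guide and is not a Sidewinder G2 tool or the sacap_filter implementation. It parses a filter string, evaluates it against constructed sample audit records, and reports which records match. Two points are assumptions, because the guide does not state them: “and” is taken to bind more tightly than “or”, and “not” applies to the single field test that follows it (the guide's Example 4 reads the same way). IP fields accept the dotted-decimal-with-optional-mask form from Table 18-2.<br />

```python
import ipaddress
import re

# Tokens are parentheses or runs of non-space, non-parenthesis characters,
# so "(src_burb 3 or src_burb 4)" splits into separate tokens.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

# Field names from Table 18-2. IP fields take dotted decimal with optional /bits.
IP_FIELDS = {"src_ip", "dst_ip", "vpn_l_gw", "vpn_r_gw"}
FIELDS = IP_FIELDS | {"facility", "type", "pid", "pgid", "ruser", "euser",
                      "username", "src_port", "dst_port", "src_burb",
                      "dst_burb", "service"}
KEYWORDS = {"and", "or", "not", "(", ")"}


class FilterParser:
    """Recursive-descent parser. Precedence (assumed): or < and < not < atom."""

    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok not in FIELDS:
            raise ValueError("unknown field %r" % tok)
        value = self.take()
        if value is None or value in KEYWORDS:
            raise ValueError("field %r has no value" % tok)
        if tok in IP_FIELDS:
            value = ipaddress.ip_network(value, strict=False)  # bare address = /32
        return ("field", tok, value)


def evaluate(node, record):
    """Evaluate a parsed filter against one audit record (a dict of fields)."""
    kind = node[0]
    if kind == "field":
        _, name, want = node
        have = record.get(name)
        if have is None:
            return False  # a record that lacks the field cannot match it
        if name in IP_FIELDS:
            return ipaddress.ip_address(have) in want
        return str(have) == str(want)
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    return evaluate(node[1], record) or evaluate(node[2], record)


def apply_filter(text, records):
    """Return the ids of the records selected by the filter expression."""
    tree = FilterParser(text).parse()
    return [r["id"] for r in records if evaluate(tree, r)]


# Constructed sample records, shaped after the fields used in Examples 1 to 4.
SAMPLE_RECORDS = [
    {"id": 1, "type": "AUDIT_T_NETPROBE", "dst_port": 37337, "dst_ip": "192.168.124.17", "src_burb": 3},
    {"id": 2, "type": "AUDIT_T_NETPROBE", "dst_port": 37337, "dst_ip": "10.0.0.5", "src_burb": 3},
    {"id": 3, "type": "AUDIT_T_NETTRAFFIC", "service": "WebProxy", "username": "Lloyd", "src_ip": "172.17.9.28"},
    {"id": 4, "facility": "AUDIT_F_LOGIN", "username": "Josephine", "src_ip": "172.17.9.28"},
    {"id": 5, "type": "AUDIT_T_NETPROBE", "dst_port": 37337, "dst_ip": "192.168.124.200", "src_burb": 4},
]

if __name__ == "__main__":
    expr = "type AUDIT_T_NETPROBE and dst_port 37337 and dst_ip 192.168.124.0/24 and (src_burb 3 or src_burb 4)"
    print(expr, "->", apply_filter(expr, SAMPLE_RECORDS))
```

Run against the sample records, Example 3 selects records 1 and 5 (record 2 is outside the subnet), and Example 4 selects only record 4, because record 3 is network traffic and the probe records carry no src_ip field at all; a filter on a field a record does not have never matches, which is worth remembering when a custom filter returns less than expected.<br />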
Understanding audit messages<br />
When viewing audit messages in the Admin Console, the form may vary depending on the purpose and content of the message. The form of the first two lines is the same for all audit messages, and provides general information about the process generating or causing the audit. The third line will vary, but usually includes Type Enforcement information and possibly some additional information. The other lines of an audit message will vary depending on the type of audit message.<br />
Important: To view audit message files, see “Viewing audit information” on page 18-7.<br />
Sample audit message<br />
The message below is an example of a Type Enforcement audit message (using the te_filter filter). The first three lines of this format apply to all audit message types except netprobes and attack events.<br />
Jan 10 14:56:58 2004 f_kernel a_rover t_ddtviolation p_major<br />
pid: 5398 ruid: 101 euid: 101 pgid: 5398 fid: 1005379 cmd:'grep'<br />
domain: User edomain: User<br />
permwanted: 1 permgranted: 0 srcdmn: User filedom: Kern filetyp: stup<br />
file: ufs_access: rc.local perm wanted: 0x1 perm granted: 0x0<br />
Line 1: This line lists the date and time, the facility that audited the message (such as the kernel, FTP or Telnet), the location (known as the area) within the facility that audited the message (such as a general area or a Sidewinder G2 library), the type of audit message (such as a Domain Definition Table Type Enforcement violation or access control list) and the priority of the message (such as major or minor).<br />
Note: Network probe attempts do not contain lines two or three.<br />
Line 2: This line lists the process ID, the real user ID, the effective user ID, the process group ID, the process family ID (Sidewinder G2-specific) and the command associated with the process ID.<br />
Line 3: This line lists the real domain the process is running in and the effective domain (the domain for which the process is given permission).<br />
Lines 4 and 5: These lines provide eight pieces of data. The fourth line, which always begins with “permwanted,” contains the integer representation of the permissions requested by the process and granted to the process, the domain of the requesting process, and the type of file that the process is requesting access to. The fifth line contains the filename and the permissions wanted and granted for the file.<br />
In general, the data in an audit message is a tag name followed by a colon and the value of the tag. Table 18-3 contains examples and descriptions of some of the tags used in audit messages that appear in the audit results window.<br />
Table 18-3. Audit data field examples<br />
srcip (32-bit integer): source IP address<br />
dstip (32-bit integer): destination IP address<br />
srcport (16-bit integer): source port number<br />
srcservice (string): source service name (/etc/services)<br />
dstport (16-bit integer): destination port number<br />
dstservice (string): destination service name (/etc/services)<br />
srcburb (32-bit integer): source burb number<br />
dstburb (32-bit integer): destination burb number<br />
bytes_written_to_client (64-bit integer): number of bytes sent to a client<br />
bytes_written_to_server (64-bit integer): number of bytes sent to a server<br />
netsessid (64-bit integer): a network traffic session ID<br />
srchostname (string): source host name<br />
dsthostname (string): destination host name<br />
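As an added example of the “tag name, colon, value” layout just described, the Python below parses the sample Type Enforcement message shown above into a dictionary and then checks whether it records an access that was wanted but not granted. This is example code written for this guide, not a Sidewinder G2 utility. It assumes the five-line layout of the sample: line 1 carries the f_, a_, t_ and p_ prefixed facility, area, type and priority tokens, and every later line is a run of tag: value pairs in which a tag may contain a space (“perm wanted”) and a value may itself contain a colon (“ufs_access: rc.local”).<br />

```python
import re

# Sample Type Enforcement audit message, as shown in the guide (five lines).
SAMPLE_MESSAGE = """Jan 10 14:56:58 2004 f_kernel a_rover t_ddtviolation p_major
pid: 5398 ruid: 101 euid: 101 pgid: 5398 fid: 1005379 cmd:'grep'
domain: User edomain: User
permwanted: 1 permgranted: 0 srcdmn: User filedom: Kern filetyp: stup
file: ufs_access: rc.local perm wanted: 0x1 perm granted: 0x0"""

# A tag is letters/underscores (spaces allowed, e.g. "perm wanted") followed by a
# colon; its value runs up to the next tag, so "file: ufs_access: rc.local"
# keeps the inner colon as part of the value.
TAG_RE = re.compile(r"([A-Za-z_][A-Za-z_ ]*?):\s*(.*?)(?=\s+[A-Za-z_][A-Za-z_ ]*?:|$)")

# Line 1 token prefixes: f_ facility, a_ area, t_ type, p_ priority.
PREFIXES = {"f_": "facility", "a_": "area", "t_": "type", "p_": "priority"}


def parse_header(line):
    """Split line 1 into timestamp, facility, area, type and priority."""
    parts = line.split()
    header = {"timestamp": " ".join(parts[:4])}  # e.g. "Jan 10 14:56:58 2004"
    for tok in parts[4:]:
        name = PREFIXES.get(tok[:2])
        if name is None:
            raise ValueError("unexpected header token %r" % tok)
        header[name] = tok[2:]
    return header


def parse_tags(line):
    """Return the tag: value pairs of one body line as a dict."""
    tags = {}
    for tag, value in TAG_RE.findall(line):
        # cmd:'grep' is quoted in the sample; strip straight and curly quotes.
        tags[tag.strip()] = value.strip().strip("'\u2018\u2019")
    return tags


def parse_audit_message(text):
    """Parse a whole message: header fields plus every tag from later lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    record = parse_header(lines[0])
    for line in lines[1:]:
        record.update(parse_tags(line))
    return record


def to_int(value):
    return int(value, 0)  # accepts decimal "1" and hex "0x1"


def is_denied_te_access(record):
    """True for a DDT violation where some requested permission bit was not granted."""
    if record.get("type") != "ddtviolation":
        return False
    wanted = to_int(record["permwanted"])
    granted = to_int(record["permgranted"])
    return (wanted & ~granted) != 0


def summarize(record):
    """One-line summary of the kind an operator would want in a ticket."""
    return ("%(timestamp)s %(priority)s: pid %(pid)s (%(cmd)s) in domain %(domain)s "
            "wanted %(permwanted)s on %(file)s, granted %(permgranted)s" % record)


if __name__ == "__main__":
    rec = parse_audit_message(SAMPLE_MESSAGE)
    print(summarize(rec), "denied" if is_denied_te_access(rec) else "allowed")
```

The comparison in is_denied_te_access is a bit test rather than a plain inequality, so it still flags a record in which several permission bits were wanted and only some were granted.<br />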
Logging application messages using Syslog<br />
The Sidewinder G2 uses the UNIX syslog facility to log messages sent by programs running on the system. These messages can be useful in tracking down unauthorized system users or in analyzing hardware or software problems. All syslog data is stored in the Sidewinder G2’s audit log files.<br />
Logging is set up to be handled automatically on the Sidewinder G2. As an administrator, you will not need to intervene unless you want to change options, such as where log files are stored. Listed below are some basic points about syslog and how it works on the Sidewinder G2.<br />
Note: Secure Computing recommends that you edit these files only if you are an experienced UNIX administrator.<br />
syslog runs as a daemon process called syslogd.<br />
Each application determines whether it will use syslog and the types of messages that will be generated. Normally, applications generate messages of different severity levels, such as informational and critical.<br />
The syslog configuration file, /etc/syslog.conf, specifies what syslogd should do with messages that are sent to it. You can specify what should be done with each type of message. For example, you might choose to discard informational messages and store more important messages in a file. In addition, you can choose to send messages that may require immediate attention directly to a specific user’s screen or to send output to a different system on the network. You can edit the configuration file if you want to handle messages differently or send files to different locations. See the next section and the syslog.conf man page for details.<br />
Hackers will often try to edit syslog files to cover any evidence of their break-ins. The Sidewinder G2 uses Type Enforcement to protect the syslog files from being modified by unauthorized users.<br />
A copy of the syslog data is sent to the Sidewinder G2 audit log files.<br />
The log files generated by syslogd can get large and start using a lot of hard disk space. To solve this problem, the log files on the Sidewinder G2 are periodically rotated. See “Understanding automatic (cron) jobs” on page A-15 for more information on file rotation.<br />
Redirecting audit output<br />
Important: While it is permitted to redirect your audit output, it is not recommended. This is because all syslog data on the Sidewinder G2 is automatically sent to the audit file.<br />
If, after weighing all the options, you determine that you do want to send audit output to the syslog facility, you need to edit the following files:<br />
/etc/syslog.conf<br />
/etc/sidewinder/auditd.conf<br />
You might choose to do this if you want one file to contain all logging information or if you want to send audit data to another host system on your network.<br />
Viewing syslog messages<br />
To view syslog messages, display the following files.<br />
/var/log/messages<br />
/var/log/daemon.log<br />
The following illustrates sample logfile messages.<br />
Mar 25 14:05:41 MyFirewall kernel: ef0: interfaces: AUI, 10Base2<br />
Mar 25 14:05:41 MyFirewall kernel: ef0: rxf=5119 txf=3068<br />
Mar 25 14:05:41 MyFirewall kernel: ef1 at isa0 iobase 0x300<br />
Mar 25 14:05:41 MyFirewall kernel: ef1: 3C509-COMBO,<br />
Important: If you receive the message “Response from unexpected source”, it usually indicates name service responses sent by multihomed servers. Some multihomed servers select the wrong source IP address when sending the response. When the Sidewinder G2 receives the response, it ignores it and logs a message in /var/log/messages. The example below shows what you would see in the syslog when this happens.<br />
Aug 31 12:57:56 shore named (1) [85]: Response from unexpected source ([192.55.214.1].53)<br />
Aug 31 12:57:57 shore named (1) [85]: Response from unexpected source ([199.199.125.108].53)<br />
Aug 31 13:03:51 shore named (1) [85]: Response from unexpected source ([204.52.248.130].53)<br />
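The following Python is an added example, not part of the guide, of reading /var/log/messages lines of the form shown above and counting the “Response from unexpected source” messages by the responding address and port, which is the quickest way to tell a single misconfigured multihomed server from scattered noise. The sample lines are the guide's own, rejoined onto single lines, plus one constructed repeat of the first named line so that the count exceeds one. The line regex is an assumption fitted to these samples: date, host, program, an optional “(n)” and “[pid]” as the named lines carry, then a colon and the message.<br />

```python
import re
from collections import Counter

# Sample /var/log/messages lines from the guide (rejoined onto single lines);
# the final line is constructed to show a repeated source being counted.
SAMPLE_LINES = """Mar 25 14:05:41 MyFirewall kernel: ef0: interfaces: AUI, 10Base2
Mar 25 14:05:41 MyFirewall kernel: ef0: rxf=5119 txf=3068
Mar 25 14:05:41 MyFirewall kernel: ef1 at isa0 iobase 0x300
Aug 31 12:57:56 shore named (1) [85]: Response from unexpected source ([192.55.214.1].53)
Aug 31 12:57:57 shore named (1) [85]: Response from unexpected source ([199.199.125.108].53)
Aug 31 13:03:51 shore named (1) [85]: Response from unexpected source ([204.52.248.130].53)
Aug 31 13:04:02 shore named (1) [85]: Response from unexpected source ([192.55.214.1].53)""".splitlines()

# Assumed line layout: "Mon DD HH:MM:SS host prog[ (n)][ [pid]]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:(\[]+)"
    r"(?: \((?P<inst>\d+)\))?(?: \[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")

# The named message names the responder as ([ip].port).
UNEXPECTED_RE = re.compile(
    r"Response from unexpected source \(\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)\)")


def parse_syslog_line(line):
    """Return the line's fields as a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unexpected_sources(lines):
    """Count 'Response from unexpected source' messages per responder ip:port."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "named":
            continue
        m = UNEXPECTED_RE.search(rec["msg"])
        if m:
            counts["%s:%s" % (m.group("ip"), m.group("port"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for responder, n in sorted(unexpected_sources(SAMPLE_LINES).items()):
        print("%-22s %d" % (responder, n))
```

A responder that keeps appearing in this count is the one to raise with its administrator; the Sidewinder G2 has already discarded the replies, so the entries are a diagnostic, not a sign that the responses were accepted.<br />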
Generating and viewing reports using the Admin Console<br />
The Sidewinder G2 Reports window in the Admin Console allows you to generate commonly used reports based on pre-defined report formats, such as administrative user connections, network probe attempts, traffic information, and active rule (ACL) usage, to name a few.<br />
The report information that is displayed is pulled from the audit database. When audit events are generated, information relevant to each event (such as the date and time, process identification information, user identity, and address information) is automatically appended to the audit information to help an administrator identify and categorize the audit data that is stored. If the report is made up of numerous areas, the information in the report is categorized accordingly for ease of viewing.<br />
For example, if you run the traffic report, you will receive a summary of the various types of proxy traffic as follows: service, source host, destination, and user. If you want to view only traffic generated by users, you could instead run the user_traffic report to view only a summary of all user traffic.<br />
You can further refine your results by running the user_activity report and specifying a single user whose activity you want to view. When you run the user_activity report, you will receive a detailed report of all of that user’s system activity, organized into sections (such as general traffic, root access attempts, rule violations, and so on). The information contained in a report will depend on the timeframe you specify.<br />
Note: To view reports using a command line interface, see the cf_reports man page.<br />
To generate reports using the Admin Console, follow the steps below.<br />
Important: You must enable the auditdbd server before you can generate reports. See “Enabling and disabling servers” on page 3-30 for information on enabling the auditdbd server.<br />
1. In the Admin Console, select Reports and Monitoring -> Reports. A login window appears.<br />
2. Enter your user name and authentication information, and then click OK. The main Reports window appears.<br />
Figure 18-7. Firewall Reports window<br />
About the Reports window<br />
In this window you can generate commonly used reports based on a pre-defined report template. Follow the steps below.<br />
1. In the Report Period field, select the time frame for which you want to run a report.<br />
2. Highlight the report you want to run by clicking on the appropriate table row. (For a description of each report, see Table 18-4 on page 18-26.)<br />
Tip: You can create custom reports using the cf_reports tool. Any reports you create using the cf_reports tool will appear in the Report list the next time you log in to the Reports window. For information on creating custom reports, refer to the cf_reports man page.<br />
3. If you want the report to resolve any IP addresses, select the Resolve IP Addresses check box.<br />
4. [Conditional] If you are running a host or user activity report, you will need to enter information in the Template Parameter field as follows:<br />
Host Activity—When you highlight the Host Activity report, the Template Parameter area will become available. In the Host field, enter the host name or IP address that will be used to generate the report.<br />
User Activity—When you highlight the User Activity report, the Template Parameter area will become available. In the User Name field, enter the name of the user that will be used to generate the report.<br />
5. Click Run Report. The report results will be displayed in a separate Show Report window.<br />
Note: The reports that you generate in this window are view-only. You are not able to save or print these reports. If you need to save or print your reports, you will need to generate them using the command line interface. See the cf_reports man page for details.<br />
Figure 18-8. Show Report window<br />
Table 18-4. Available reports<br />
acl_usage: This report summarizes proxy rule usage on the system. You can use this report to determine which proxy rules are being used most frequently.<br />
dest_traffic: This report lists proxy information on the destination hosts that the Sidewinder G2 connected to, sorted by the number of bytes transferred. The report lists the destination host, the service used, the number of kB transferred, and the number of connections that were made.<br />
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 in Chapter 9 for information on viewing this e-mail.<br />
host_activity: This report lists information about a specific host’s activity on the system. This report provides a section for the traffic generated, root access attempts, services denied, and user database actions involving the specified user.<br />
host_traffic: This report produces proxy information for source host systems on internal and external networks. You might use this data for tracking which systems have the heaviest traffic going to and from the Sidewinder G2. The report lists the source host, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made.<br />
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for information on viewing this e-mail.<br />
http_virus: This report provides information on Web viruses that are detected by the Sidewinder G2. The report includes virus frequency, hits by source address, and detected Web viruses.<br />
ipf_dest_traffic: This report lists IP Filter information on the destination host traffic that the Sidewinder G2 connected to, sorted by the number of bytes transferred. The report lists the destination host, the service used, the number of kB transferred, and the number of connections that were made.<br />
ipf_host_traffic: This report produces IP Filter information for source host traffic on internal and external networks. You might use this data for tracking which systems have the heaviest traffic going to and from the Sidewinder G2. The report lists the source host, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made.<br />
ipf_port_traffic: This report lists IP Filter port traffic information for a specific period of time. The report lists each service, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made. When a service uses a non-standard port (for example, 8000 or 8010), the service’s port number will also appear in the Service column.<br />
ipf_traffic: This report provides a summary of the IP Filter port, host, and destination reports.<br />
mail_virus: This report provides information on mail viruses that are detected by the Sidewinder G2. The report includes virus frequency, hits by source, and detected mail viruses.<br />
performance: This report summarizes utilization information (based on one hour increments) for CPU percentage and load average, as well as real, virtual, and mbuf memory usage.<br />
Generating and viewing reports using the Admin Console<br />
Report Type Description<br />
probes_attempted This report lists information about attempts made to connect or send a message to a<br />
<strong>Sidewinder</strong> <strong>G2</strong> port that either has no service associated with it or is associated with an<br />
unsupported service. This report contains a section for probes received in each burb on the<br />
system. The report lists where the probe originated from and how many probes occurred. The output of this report will be similar to the following:
For each burb, the above report lists the time of the report, the interval covered by the report, the source host, destination host, destination port, and the number of probes generated by this source/destination host pair. Up to five destination port values are displayed.
Depending on how you have set up your auditing configuration, you may have already been notified of these probe attempts. If you were not notified, you may want to change your auditing options as described in Chapter 16.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for information on viewing this e-mail.
root_accesses
This report contains a list of root access attempts by users who used the srole command to change roles. This report lists the date that the root access attempts occurred, the service (srole), the result of the attempt, which domain the user tried to srole to, and who the user was. This report is generated daily.
service_denied
This report lists instances when users were denied access to a service because of the restrictions you set up in your active rules (also referred to as the Access Control List, or ACL). The report lists the source and destination hosts, the user, the service that was denied, and the total number of times a check was made. The meaning of these events depends on several factors, including your site’s security policies. The report could indicate that an internal user is trying to access an unauthorized system on the Internet. It might also indicate a service that internal users need, and you may want to consider making it available.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for information on viewing this e-mail.
service_traffic
This report lists proxy information on how often Internet services were used during a specific period of time. You can use this information to gauge how heavily your Sidewinder G2 is being used.
The report lists each service, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made. When a service uses a non-standard port (for example, 8000 or 8010), the service’s port number will also appear in the Service column.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for information on viewing this e-mail.
18-28 Monitoring, Auditing, and Reporting
traffic
This report lists information about a specific host’s activity while using the system. This report provides a section for the traffic generated, services denied, and probes generated by the host that was specified.
udb_action
This report, made up of two sections, shows the actions performed on the Sidewinder G2’s user database. One section of the report shows the actions performed on the system components of the user database. The other section of the report shows the actions performed on user components of the user database.
The user database report lists the date the action occurred, which user it affects, what action was made to the database (either an addition, a deletion, or a modification), what type of data, or class, received the action, and which administrator changed the data.
user_activity
This report lists information about a specific user’s activity on the system. This report provides a section for the traffic generated, root access attempts, services denied, and user database actions involving the specified user.
user_traffic
This report lists which Internet services are being used, sorted by the user’s name. You can use this information to gauge how heavily your Sidewinder G2 is being used.
The report lists each user’s name for each service he/she used on the Sidewinder G2. Information on users is available only when they authenticate through the Sidewinder G2 services. A user name of “(null)” is used for traffic that is not authenticated. The report also lists the number of kB read by each user, the number of kB written by each user, the total number of kB transferred, and the number of connections for each user.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for information on viewing this e-mail.
vpn_traffic
This report provides information on each VPN connection established on the Sidewinder G2. This report lists identifying information, gateways, kBytes transferred, and the number of connections made for each VPN.
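The probe summary described at the top of this table (per burb: source host, destination host, up to five destination ports, and the number of probes per source/destination pair), reproduced as an added Python example that is not code from the Sidewinder G2 software. The input records are constructed in an assumed layout (burb, source host, destination host, destination port), since the raw audit format is not shown in this guide; beyond the original report, the output also counts how many distinct ports the five-port display limit hides.

```python
from collections import defaultdict

MAX_PORTS_SHOWN = 5   # the report displays at most five destination ports per pair

# Constructed sample probe records. The layout (burb, source host, destination
# host, destination port) is assumed here; the raw Sidewinder G2 audit format
# is not reproduced in this guide.
SAMPLE_PROBES = [
    ("external", "203.0.113.5", "192.0.2.10", 22),
    ("external", "203.0.113.5", "192.0.2.10", 23),
    ("external", "203.0.113.5", "192.0.2.10", 25),
    ("external", "203.0.113.5", "192.0.2.10", 80),
    ("external", "203.0.113.5", "192.0.2.10", 110),
    ("external", "203.0.113.5", "192.0.2.10", 143),
    ("external", "203.0.113.5", "192.0.2.10", 22),
    ("external", "203.0.113.9", "192.0.2.10", 443),
    ("internal", "192.168.1.4", "198.51.100.7", 3389),
]


def summarize_probes(records):
    """Group probe records by burb and (source host, destination host).

    For each pair the result holds the total probe count, the first five
    distinct destination ports in the order seen (what the report prints),
    and the full set of distinct ports so a wider scan is not hidden by the
    five-port display limit.
    """
    summary = defaultdict(dict)
    for burb, src, dst, port in records:
        entry = summary[burb].setdefault(
            (src, dst), {"count": 0, "ports": [], "all_ports": set()})
        entry["count"] += 1
        entry["all_ports"].add(port)
        if port not in entry["ports"] and len(entry["ports"]) < MAX_PORTS_SHOWN:
            entry["ports"].append(port)
    return summary


def render_report(summary, report_time, interval):
    """Return the report as text lines, one block per burb, busiest pair first."""
    lines = []
    for burb in sorted(summary):
        lines.append(f"Burb {burb}: report time {report_time}, interval {interval}")
        pairs = sorted(summary[burb].items(), key=lambda kv: -kv[1]["count"])
        for (src, dst), entry in pairs:
            ports = ",".join(str(p) for p in entry["ports"])
            hidden = len(entry["all_ports"]) - len(entry["ports"])
            more = f" (+{hidden} more)" if hidden else ""
            lines.append(f"  {src} -> {dst} ports {ports}{more} probes {entry['count']}")
    return lines


if __name__ == "__main__":
    for line in render_report(summarize_probes(SAMPLE_PROBES), "2005-03-01 02:20", "24h"):
        print(line)
```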
Viewing auto-generated reports
This section describes a variety of automatically generated reports you can view.
Table 18-5. Auto-generated report
Auto-generated report and description:
daily system activity
This report provides a summary of the /etc/daily script that is automatically run on the Sidewinder G2 every 24 hours. See “Understanding automatic (cron) jobs” on page A-15 for more information on this script and what it does. The report is compiled from the /var/log/daily.out file, which is generated each time the script is run.
weekly system activity
This report provides a summary of the /etc/weekly script that is automatically run on the Sidewinder G2 every week. See “Understanding automatic (cron) jobs” on page A-15 for more information on this script and what it does. The report is compiled from the /var/log/weekly.out file, which is generated each time the script is run.
monthly system activity
This report provides a summary of the /etc/monthly script that is automatically run on the Sidewinder G2 every month. See “Understanding automatic (cron) jobs” on page A-15 for more information on this script and what it does. The report is compiled from the /var/log/monthly.out file, which is generated each time the script is run.
Generating exportable reports
The Sidewinder G2 allows you to create exportable data files from the report data your site generates. This allows you to transfer files from the Sidewinder G2, and load them into a database or spreadsheet application. You can export data via FTP, e-mail, a diskette, or a DAT. The report data that you can export from the Sidewinder G2 is located in the /var/log/export_data directory unless you specify otherwise.
The exportable files include:
probe_attempt
acl_denied
traffic
root_access
udb_action
Note: These data files have dates added to them that correspond to the dates the files were created. Each file contains exportable Sidewinder G2 audit data that corresponds to what is summarized in the respective Sidewinder G2 reports.
Enter the following commands at the UNIX prompt to generate exportable data files:
To create an exportable file in /var/log/export_data based on the previous day’s audit information:
/usr/sbin/gen_reports -e -r all
This generates all reports in separate files.
To create an exportable file in /var/log/export_data based on the latest (current) traffic audit information:
/usr/sbin/gen_reports -f filename -r traffic
This generates all traffic reports in separate files with the specified filename added to the front instead of the cf reports timestamp.
Using third party reporting tools
The Sidewinder G2 provides you with the option to use third party reporting tools to format and display audit data. These tools enable you to use the audit data collected by the Sidewinder G2 to create easy-to-read informational reports that illustrate how your network is being used. The current formatting tools that are supported by the Sidewinder G2 are:
Sidewinder Export Format (SEF): To convert your Sidewinder G2 audit logs into ASCII format using SEF, refer to the Sidewinder Export Format document located at:
http://www.securecomputing.com/index.cfm?sKey=842
WebTrends Extended Logging Format (WELF): To convert your Sidewinder G2 audit logs into ASCII format using WELF, you can use the cf export command. See the following section for more information on using cf export.
Note: You can also use the acat tool to convert files using WELF. See the acat man page for information.
Formatting & exporting audit data for use with external tools
To generate reports based on the Sidewinder G2 log files, you must format the Sidewinder G2 audit data and then export those files to the workstation or host that contains the software needed to generate log reports (for example, WebTrends). You can then generate the Sidewinder G2 log reports on that machine.
You initiate the formatting and exporting process on the Sidewinder G2 using the Sidewinder export utility (cf export) or the acat utility. The cf export utility allows you to format raw audit data collected by the Sidewinder G2 into SEF, WELF, Squid, or generic (gen) files and export those files to a destination host you specify. This utility can also be used to create a cron job that automatically initiates an FTP export program once every 24 hours. The FTP export program uses FTP to transfer the export files from the Sidewinder G2 to the host you specify. The host can be on a trusted network protected by the Sidewinder G2, or it can be a host that resides somewhere on the Internet. Because FTP carries both the login credentials and the exported audit data in clear text, the network path between the Sidewinder G2 and the destination host determines who else can read them.
Note: For more information on using the cf export utility, see the cf_export man page. For more information on using the acat utility, see the acat man page.
To format and export Sidewinder G2 audit data using cf export, follow the steps below.
1. Log in to the Sidewinder G2 and type the following command to switch to the admn role.
srole
Note: If you are a read-only administrator, enter srole adminro to change to the AdRO domain.
2. To configure the export utility, enter the following command.
cf export add type=file_type name=entry_name host=hostname user=username password=password targetdir=destination localdir=local_file_path
where:
type=the type of file you want to export (sef, wt, squid, or gen)
name=the name you want to apply to this configuration entry
host=the host name or IP address to which you are exporting the files
user=the user name that will be used for FTP authentication
password=the password that will be used for FTP authentication to the destination host
targetdir=the directory on the destination host in which you want the export files placed
localdir=(generic files only) the location of the generic file
3. To export all files that are currently configured and ready to be exported, enter the following command:
cf export ftp
Note: To export everything, you can just enter cf export all.
4. To enable a cron job to automatically determine which configured export files need to be exported, and format and export those files once every 24 hours (at 2:20 a.m. in most cases), enter the following command:
cf export enable
To disable the automatic cron job process, enter the following command:
cf export disable
Sample WebTrends report
Figure 18-9. Sample Sidewinder G2 report using WebTrends
Importing the Sidewinder G2 audit data into WebTrends allows you to produce a number of different reports that describe how your Sidewinder G2 is being used. For example, the reports can help you account for network expenses, determine network usage, and isolate people in your organization who are abusing general network policies.
Figure 18-9 illustrates the type of report you can create using WebTrends.
Incoming Protocol Usage
      Protocol    # of events    % of total events    kilobytes (kB)
1     http        4245           92.68                33,153
2     ftp         35             0.76                 6,049
3     ftp-data    23             0.5                  2,233
4     telnet      6              0.13                 90
5     smtp        20             0.43                 41
6     110/tcp     13             0.28                 3
7     other       238            5.19                 0
      Total       4580           100                  41,573
APPENDIX A
Command Line Reference
About this appendix
This appendix summarizes the cf (configurator) command and provides a summary of the cf command areas that are available for use. It also includes information on using UNIX commands and working with UNIX files on the Sidewinder G2.
This appendix includes the following topics:
“Overview of cf” on page A-1
“Summary of cf structure” on page A-2
“Working with files on the Sidewinder G2” on page A-10
“Understanding automatic (cron) jobs” on page A-15
Overview of cf
The cf (configurator) command makes it possible for you to configure various Sidewinder G2 areas (rules, burbs, DNS, etc.) directly from the UNIX command line. You can use the cf command as an alternative to the Admin Console (the Sidewinder G2’s graphical user interface) for performing most system administration tasks.
There are several situations when you may want to use the cf command interface instead of the Admin Console to perform configuration activities. With cf, you can automate repetitive configuration tasks (for example, adding many similar rules) by using scripts. Also, cf is useful under circumstances when the Admin Console cannot be used, such as performing Sidewinder G2 configuration from a text-only terminal. A final benefit of cf is that it provides a quick and easy way to see how a certain area of your Sidewinder G2 is currently configured.
Note: cf commands should be run in the Operational kernel (most cf commands will not function properly in the Administrative kernel).
Summary of cf structure
The following table summarizes the structure of cf, showing the primary commands available for each area. This table does not show the keywords available for each Sidewinder G2 area.
The online manual entry (man page) for cf provides a full description of all areas available in the cf command and the keywords/options associated with each area.
To display the man page listing for the cf command, enter:
man cf
To display the man page listing for a specific cf area, enter:
man cf_areaname
For example, man cf_acl or man cf_interface.
Table A-1. Summary of cf structure
Each entry below gives the Sidewinder G2 area, its commands, and the area description.
acl: add, delete, export, flushcache, modify, purge, query, repair, restore_console_access, set
    Use this area to maintain rules on the Sidewinder G2.
adminuser: add, delete, modify, set, query
    Use this area to configure the Sidewinder G2 administrator database.
antivirus: add, delete, disable, enable, modify, query, set
    Use this area to configure the anti-virus scan engine and the Sidewinder G2’s scanner service.
appfilter: add, delete, modify, purge, set, query
    Use this area to configure Application Defenses on the Sidewinder G2.
audit: add, delete, disable, enable, modify, query, listdb, set
    Use this area to configure audit, including auditbot, e-mail, pager, filter and strikeback options.
burb: set, add, modify, start, query, verify
    Use this area to configure the Sidewinder G2 burbs and hostname.
cert: add, addsslcert, delete, getcert, getkey, getcrl, modify, updatedbs, view, query
    Use this area to configure all VPN certificate entries used by the Sidewinder G2.
cfg: add, delete, modify, query
    Use this area to define custom attributes for your configuration files.
cmd: set, query
    Use this area to configure the Sidewinder G2 certificate management daemon.
config: backup, delete, list, query, restore, set
    Use this area to configure the Sidewinder G2 configuration backup and restore process. (Backs up/restores the configuration files, not the hard disk.)
crontab: set, query
    Use this area to configure the SmartFilter and package crontab entries.
daemond: query, set
    Use this area to configure daemond.
dns: add, delete, dumpdb, notrace, query, querylog, reload, set, status, stats, trace
    Use this area to configure DNS on your Sidewinder G2.
entrelayd: reload, status
    Use this area to configure and manage the entrelayd server.
export: add, all, delete, disable, enable, ftp, modify, query, webtrends
    Use this area to configure the export utility.
failover: add, delete, query, reload, reset, restart, set, start, status, stop
    Use this area to configure the failover (High Availability) service on the Sidewinder G2.
gated: set, add, modify, delete, validate, query
    Use this area to configure the gated daemon.
ikmpd: set, query
    Configure global settings for the ISAKMP daemon.
interface: add, modify, delete, detect, up, down, set, status, swap, query, update
    Use this area to configure the Sidewinder G2 network interfaces.
ipfilter: add, delete, export, modify, purge, query, reload, set, stop
    Use this area to configure IP filtering for the Sidewinder G2.
ipsec: add, delete, keydump, modify, policydump, query, reload, status
    Use this area to configure IPSec parameters.
lca: add, modify, delete, query, list, revoke, gencrl, getcrl, getcacert, gencert
    Use this area to configure the local (on-box) certification authority.
ldap: add, delete, modify, query, set
    Use this area to configure LDAP authentication for the Sidewinder G2.
license: check, features, firewallID, get, host, read, set, query
    Use this area to license this Sidewinder G2 and any premium features.
msnt: add, delete, modify, set, query
    Use this area to configure Microsoft NT authentication servers.
mvm: import, query
    Use this area to configure multi-version management.
nss: enable, disable, modify, query
    Use this area to configure the NSS, which controls access to all of the transparent and non-transparent proxies, as well as enable/disable some servers.
ntp: add, config, delete, modify, enable, disable, set, restart, query
    Use this area to configure network time protocol (NTP).
package: backup, check, contents, description, download, errors, install, list, load_cdrom, load_floppy, log, query, readme, set, verify
    Use this area to configure the package download system. This is used for loading patches.
password: expire, set, query
    Use this area to configure the reusable password authentication method.
pool: add, delete, modify, query
    Use this area to create and modify client address and entry pools.
proxy: add, create, delete, destroy, disable, enable, help, modify, query, set
    Use this area to configure Sidewinder G2 proxies.
radius: add, delete, modify, set, query
    Use this area to configure RADIUS authentication for the Sidewinder G2.
reports: add_query, add_report, delete_query, delete_report, modify_query, modify_report, query, run_report, show_tables, show_aggregates, show_databases, show_groups, show_columns
    Use this area to define, store, and run audit reports.
routed: add, delete, query, restart, set, start, stop
    Use this area to configure RIP processing on the Sidewinder G2.
safeword: add, delete, modify, query
    Use this area to configure SafeWord authentication for the Sidewinder G2.
securid: install, query
    Use this area to configure the reusable SecurID authentication method.
sendmail: flush, rebuild
    Use this area to rebuild the sendmail database files.
server: enable, disable, status, restart, reload, query
    Use this area to administer servers. This includes displaying status, enabling/disabling, and restarting/reloading servers. Configuration of an individual server is done in its own area (acl, httpd, nss, ntp, snmp, udpproxy).
smartfilter: download, set, query, version
    Use this area to configure SmartFilter.
snk: backup-dss, delete, primary-dss, query, set
    Use this area to configure the reusable SecureNet Key (snk) authentication method.
snmp: add, delete, modify, query, restart, set, start, stop, usr2
    Use this area to configure simple network management protocol (SNMP).
sshd: start
    Use this area to start the secure shell daemon (sshd).
ssl: query, set
    Use this area to configure the Sidewinder G2 SSL certificates.
sso: delete, list, set, query
    Use this area to configure single sign-on authentication.
swede: breaklock, repair, override
    Use this area to configure the Sidewinder enterprise database engine.
syncd: add, delete, query, set, start, stop
    Use this area to configure the Sidewinder G2 synchronization feature.
udb: add, delete, modify, purge, query
    Use this area to manage the authentication user database.
ups: query, set
    Use this area to configure the use of an uninterruptible power supply with the Sidewinder G2.
warders: clearauthfailures, listauthfailures, query, set
    Use this area to configure Sidewinder G2 authentication servers.
www: add, delete, set, restart, status, reconfigure, rotate, query
    Use this area to configure the Web proxy on the Sidewinder G2.
Working with files on the Sidewinder G2
The File Editor is an easy-to-use text editor that is available directly from the Admin Console. The File Editor simplifies the editing process, enabling you to perform virtually every necessary editing task from the Admin Console instead of the command line. The File Editor also provides some additional conveniences such as unique file backup and restore features. Refer to “Using the Admin Console File Editor” on page 2-12 for details.
Note: The Sidewinder G2 also supports typical UNIX editors for you to use, including vi, emacs, and pico.
Important: The pico -w parameter disables word wrapping on lines that contain up to 256 characters. If you do not include the -w parameter, pico will insert hard carriage returns after about the 80th column of each line that exceeds 80 columns. This corrupts certain system files, such as the .conf files. Therefore, when you enter the pico command, be sure to include the -w parameter. However, be aware that certain files may contain lines over 256 characters and even using the -w parameter will not prevent word wrapping.
Changing your default editor
By default, the Sidewinder G2 uses the vi text editor. However, the Sidewinder G2 also supports the emacs and pico editors.
You can change your default editor by following these steps:
1. Log in at a Sidewinder G2 command prompt.
2. Open the .cshrc file in an editor and locate the line that reads as follows:
setenv EDITOR editorname
3. Replace the name of the current editor with the name of the one you want to use. For example, you might replace vi with emacs.
4. Save the .cshrc file and quit the editor. The next time you log in, your default editor will be the one you specified in the .cshrc file.
5. Type the following command at the system prompt to make the change effective in the current shell:
source .cshrc
About editing Sidewinder G2 files
UNIX files are not protected against simultaneous editing by two individuals. For this reason, an administrator should take care not to make changes to a file when another administrator is working on it. In the UNIX world, whoever writes the file last usually prevails. In some cases, file corruption occurs.
For example, if an administrator is editing the server.conf configuration file using the Admin Console, while someone else is using a text editor to change that file, there may be undesirable results. If two people try editing the same file using either vi or emacs, however, the editor will warn the users about the situation.
Also, when editing the Sidewinder G2 configuration files (server.conf, roles.conf, etc.), be aware of the use of special characters that are used to format commands within these files. Special characters include double quotes, single quotes, brackets ([ ]), the pound symbol (#), and parentheses ( ). Inadvertently placing special characters in the Sidewinder G2 configuration files will make the files unreadable to the Sidewinder G2. Enter man sidewinder.conf at the Sidewinder G2 command prompt for details.
Important: Save any scripts you create for the Sidewinder G2 in the /usr/local/bin directory. If you ever need to upgrade your Sidewinder G2 software, Secure Computing’s upgrade procedure will automatically save any scripts that reside in that directory.
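A pre-edit check for the two hazards this section describes, as an added Python example that is not part of the Sidewinder G2 software: lines that pico will wrap (over 80 columns without -w, over 256 columns even with it) and unbalanced quotes, brackets, or parentheses. The sample file contents and the rule that text after an unquoted # is a comment are assumptions; the real syntax is documented in man sidewinder.conf.

```python
PICO_WRAP_COLUMN = 80    # pico inserts hard returns past this column unless run with -w
PICO_W_LIMIT = 256       # even with -w, pico still wraps lines longer than this

# Constructed sample; this is not a real Sidewinder G2 configuration file.
SAMPLE_CONF = "\n".join([
    "# comment line, a pound sign is fine here",
    'name "ok entry"',
    "list [a b c]",
    'broken "unterminated quote',
    "longline " + "x" * 100,
    "huge " + "y" * 300,
    "stray ) paren",
])

OPENERS = {"[": "]", "(": ")"}
CLOSERS = {"]": "[", ")": "("}


def check_balance(line):
    """Return a description of the first quoting or bracket problem on the line, or None.

    Assumption: text after an unquoted # is a comment, so pound signs there are
    ignored. Quotes (single or double), brackets and parentheses must pair up.
    """
    stack = []
    quote = None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
            continue
        if ch == "#":
            break
        if ch in ('"', "'"):
            quote = ch
        elif ch in OPENERS:
            stack.append(ch)
        elif ch in CLOSERS:
            if not stack or stack[-1] != CLOSERS[ch]:
                return f"unexpected '{ch}'"
            stack.pop()
    if quote:
        return f"unterminated {quote} quote"
    if stack:
        return f"unclosed '{stack[-1]}'"
    return None


def lint_conf(text):
    """Return [(line_number, message)] for lines at risk of editor wrapping or parse errors."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        length = len(line)
        if length > PICO_W_LIMIT:
            findings.append((number, f"{length} columns: pico wraps this line even with -w"))
        elif length > PICO_WRAP_COLUMN:
            findings.append((number, f"{length} columns: pico wraps this line unless started with -w"))
        problem = check_balance(line)
        if problem:
            findings.append((number, problem))
    return findings


if __name__ == "__main__":
    for number, message in lint_conf(SAMPLE_CONF):
        print(f"line {number}: {message}")
```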
Checking file and directory permissions (ls)
As described in Chapter 2, Type Enforcement restricts users to certain
roles and restricts domains to certain files. Standard UNIX permissions
apply as well: whether you can read, write, or execute a file depends on
the user and groups you belong to and the permissions set on the file. If
you are denied access to a Sidewinder G2 file even though the UNIX file
permissions indicate that you have access, Type Enforcement is probably
preventing the access.
Checking file types
To check the Type Enforcement type of a file, enter the following command:
/bin/ls -aly filename
You will see output similar to the following:
Admn:file filename
The output is read as Creating Domain:File Type File Name. Here the file
was created in the Admn domain and has the type file; other file types
include exec, conf, util, and diry.
Checking directory types
To check the Type Enforcement type of a directory, enter the following
command:
/bin/ls -dy directory_name
You will see output similar to the following:
$Sys:diry directory_name
$Sys indicates that the directory was created in the $Sys domain. This
is a domain used by the operating system for various tasks.
Changing a file's type (chtype)
Use the chtype command to change a file's type. Normally you do this from
the Administrative kernel. A file's type can always be changed in the
Administrative kernel, because that kernel does not apply Type
Enforcement; the Operational kernel does, and its policy may prevent you
from changing a file's type. There are situations, however, where it is
convenient to change a file's domain or type while in the Operational
kernel without rebooting into the Administrative kernel. The following
procedures describe both methods.
Changing file types in the Administrative kernel
To change a file's type in the Administrative kernel, follow the steps
below.
1. Attach a keyboard and monitor directly to your Sidewinder G2 system.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection port
pair (that is, attach both items to the front connection ports or both to the back
connection ports).
2. Enter the following command at the UNIX prompt:
chtype domain:type filename
For example, entering the command:
chtype Admn:exec myprogram
changes the domain and type of the myprogram file to Admn:exec.
Changing file types in the Operational kernel
To change a file's type in the Operational kernel, follow these steps:
1. At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role:
srole
2. Copy the file you want to change:
cp file1 newfile
3. Delete the original file:
rm file1
4. Change the new file to the target domain and/or file type:
chtype domain:filetype newfile
5. Rename the file:
mv newfile file1
Auditing the use of chtype commands
The Sidewinder G2 audits each failed chtype command. You can also
audit successful chtype events. Use the following commands to enable or
disable the auditing of successful chtype commands.
To enable auditing of successful chtype commands, enter the
following command:
sysctl -w kern.auditchtype=1
To disable auditing of successful chtype commands, enter the
following command:
sysctl -w kern.auditchtype=0
Note: Whether you enable or disable auditing of successful chtype events, failed
chtype events are always audited.
Creating your own scripts
While operating in either the User or Admn domain, you can create your
own scripts for use on the Sidewinder G2. Scripts created in the User
domain are executable from the Admn and User domains but from no other
domain. Scripts created in the Admn domain are not executable by anyone
until their type is changed to Admn:scrp using the chtype command.
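The two procedures above, changing a file's type from the Operational kernel and making a script in /usr/local/bin executable as Admn:scrp, written as checked shell functions. This is an added example, not code from this guide or from Secure Computing. It assumes that chtype and /bin/ls -aly behave as the guide shows, with the first field of the ls output being the Domain:type label, and it lets the two commands be substituted through the CHTYPE and TE_LS variables, which is how it is exercised off the appliance.

```shell
#!/bin/sh
# Added example (not from the Sidewinder G2 guide): the operational-kernel
# "copy, chtype, replace" procedure and the /usr/local/bin script install
# as checked shell functions.
# Assumptions (labelled): CHTYPE and TE_LS default to the Sidewinder
# commands; the first field of "ls -aly FILE" is the Domain:type label,
# as in the guide's sample output "Admn:file filename".  Run from the
# Admn role (srole) in the Operational kernel.
CHTYPE=${CHTYPE:-chtype}
TE_LS=${TE_LS:-"/bin/ls -aly"}
SCRIPT_DIR=${SCRIPT_DIR:-/usr/local/bin}

# te_label FILE - print the Type Enforcement label (Domain:type) of FILE
te_label() {
    $TE_LS "$1" | awk 'NR == 1 { print $1 }'
}

# set_type FILE DOMAIN:TYPE - run chtype and prove that the label took;
# a TE denial in the Operational kernel otherwise goes unnoticed until
# something later fails to execute.
set_type() {
    st_file=$1; st_want=$2
    case $st_want in
        *:*) ;;
        *) echo "set_type: label must be Domain:type, got '$st_want'" >&2; return 1 ;;
    esac
    $CHTYPE "$st_want" "$st_file" || return 1
    st_got=$(te_label "$st_file")
    if [ "$st_got" != "$st_want" ]; then
        echo "set_type: $st_file is $st_got, expected $st_want" >&2
        return 1
    fi
}

# retype_file FILE DOMAIN:TYPE - the guide's copy / rm / chtype / mv steps,
# but the copy is relabelled and verified before the original is removed.
retype_file() {
    rf_file=$1; rf_want=$2
    rf_tmp="$rf_file.retype.$$"
    [ -f "$rf_file" ] || { echo "retype_file: $rf_file is not a regular file" >&2; return 1; }
    [ ! -e "$rf_tmp" ] || { echo "retype_file: $rf_tmp already exists" >&2; return 1; }
    # -p keeps mode, owner and timestamps, which a bare cp would drop
    cp -p "$rf_file" "$rf_tmp" || return 1
    if ! set_type "$rf_tmp" "$rf_want"; then
        rm -f "$rf_tmp"
        return 1
    fi
    rm -f "$rf_file" && mv "$rf_tmp" "$rf_file"
}

# install_script SRC [NAME] - copy a script into the directory the upgrade
# procedure preserves and give it the Admn:scrp type so that the Admn
# domain can execute it.
install_script() {
    is_src=$1; is_name=${2:-$(basename "$1")}
    is_dest="$SCRIPT_DIR/$is_name"
    [ -f "$is_src" ] || { echo "install_script: $is_src not found" >&2; return 1; }
    [ ! -e "$is_dest" ] || { echo "install_script: $is_dest exists, not overwriting" >&2; return 1; }
    cp -p "$is_src" "$is_dest" && chmod 0755 "$is_dest" || return 1
    set_type "$is_dest" Admn:scrp || { rm -f "$is_dest"; return 1; }
}
```

Usage: retype_file /usr/local/bin/myprogram Admn:exec, or install_script ./cleanup.sh. The copy is relabelled and checked with ls -y before the original is deleted, so a Type Enforcement denial leaves the original file intact, and a failed install removes the half-installed copy rather than leaving a file in /usr/local/bin with a type nobody can execute. With kern.auditchtype=1 each successful relabel also appears in the audit trail.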
Understanding automatic (cron) jobs
The Sidewinder G2 contains jobs that perform routine maintenance
tasks such as rotating files and cleaning out old files. These jobs are
run by the cron daemon, which reads its configuration file (/etc/crontab)
to determine which jobs to run and when to run them.
The following summarizes each automatic cron job on the Sidewinder G2.
/etc/daily
When enabled, this job runs at 2:00 a.m. each day and performs the
following tasks:
Tells the operator which file systems need rotating.
Prints a summary of mail messages to be sent.
Prints the status of the mounted file systems.
Reports on system security by checking whether files such as the password
files have changed.
Runs daily.local. This allows you to remove miscellaneous old or junk
files from directories such as /usr and /var/tmp; however, you must first
uncomment the appropriate cleandir command line(s) in /etc/daily.local.
Rotates the /var/account/acct file.
Prints a summary of network status.
Compresses and rotates messages in the mail filtering log directories.
Sends e-mail if the /var/log directory becomes 85% full and again when
it becomes 100% full.
The output of this job is sent to the /var/log/daily.out file. You can
view this output as described in Chapter 18.
/etc/weekly
This job runs each Saturday at 3:30 a.m. and performs these tasks:
Rotates the access_log and error_log files in /var/log/httpd. These
files exist only if the httpd server is running.
Runs weekly.local. This allows you to remove miscellaneous ".o"
files from the /usr/src and /usr/obj directories; however, you must
first uncomment the find command line in /etc/weekly.local.
The output of this job is sent to the /var/log/weekly.out file. You can
view this output as described in Chapter 18.
/etc/monthly
This job runs at 5:30 a.m. on the first day of each month and rotates
the /var/log/wtmp file. The output of this job is sent to the
/var/log/monthly.out file. You can view this output as described in
Chapter 18.
Rollaudit cron jobs
There are two /usr/sbin/rollaudit jobs listed in /etc/crontab. The
first job checks the size of various audit and log files daily at 2:00 a.m.
The second job runs each hour and rotates files found to be growing
too quickly. When these jobs run, they check the
/etc/sidewinder/rollaudit.conf configuration file to see which files
should be rotated. The following files are checked by rollaudit:
/var/log/audit.* (the Sidewinder G2 generates reports when these
files are rolled)
/var/log/auditd.log
/var/log/cron
/var/log/lpd-errs
/var/log/messages
/var/log/maillog (this file is rotated once a week; the output is
used for the mail traffic reports described in Chapter 18)
/var/log/snmpd.log
You can edit the /etc/sidewinder/rollaudit.conf file to specify how
large files are allowed to get before they are rotated and the
maximum amount of time that should elapse between rotations. See
the rollaudit man page for details on editing this file.
Caution: To avoid serious system problems, do not allow the /var/log partition to
become full. The /sbin/logcheck job will generate an e-mail message warning you if the
/var/log partition becomes 85% full and then again if it becomes 100% full.
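The warning behaviour the caution describes (mail at 85%, mail again at 100%), as an added example in shell. This is not the code of /sbin/logcheck or /etc/daily; it assumes that df -k prints the Capacity percentage in its fifth column (the BSD layout), that MAIL_CMD names a command or shell function that reads the message on standard input, and that STATE_FILE may be written. The point it adds to the guide is that each threshold is reported once per crossing, so a partition that sits at 90% does not generate a message every five minutes.

```shell
#!/bin/sh
# Added example, not /sbin/logcheck or /etc/daily themselves: the /var/log
# space warning the guide describes, reporting at 85% and again at 100%
# but only once per threshold crossing.
# Assumptions (labelled): DF_CMD prints df output whose fifth column is
# "Capacity" (the BSD df -k layout); MAIL_CMD names a command or function
# that reads the message on stdin; STATE_FILE holds the last level reported.
DF_CMD=${DF_CMD:-"df -k /var/log"}
MAIL_CMD=${MAIL_CMD:-send_log_mail}
STATE_FILE=${STATE_FILE:-/var/run/logspace.state}
WARN_PCT=${WARN_PCT:-85}
FULL_PCT=${FULL_PCT:-100}

send_log_mail() {
    mail -s "Sidewinder G2: /var/log space" root
}

# log_usage_pct - print the Capacity figure for /var/log without the % sign
log_usage_pct() {
    $DF_CMD | awk 'NR > 1 && $5 ~ /%$/ { sub("%", "", $5); print $5; exit }'
}

# log_usage_level PCT - 0 below WARN_PCT, 1 at or above it, 2 at or above FULL_PCT
log_usage_level() {
    if [ "$1" -ge "$FULL_PCT" ]; then echo 2
    elif [ "$1" -ge "$WARN_PCT" ]; then echo 1
    else echo 0
    fi
}

# check_log_partition - exit status is the level (0, 1 or 2; 3 if df
# could not be parsed).  Mail goes out only when the level rises above
# the one recorded last time; when usage drops the recorded level drops
# with it, so the next crossing is reported again.
check_log_partition() {
    cl_pct=$(log_usage_pct)
    case $cl_pct in
        ''|*[!0-9]*) echo "check_log_partition: cannot parse df output" >&2; return 3 ;;
    esac
    cl_level=$(log_usage_level "$cl_pct")
    cl_last=0
    [ -r "$STATE_FILE" ] && cl_last=$(cat "$STATE_FILE")
    if [ "$cl_level" -gt "$cl_last" ]; then
        printf '/var/log is %s%% full (warning level %s of 2)\n' "$cl_pct" "$cl_level" | $MAIL_CMD
    fi
    echo "$cl_level" > "$STATE_FILE"
    return "$cl_level"
}
```

Run check_log_partition from a cron entry at the same five-minute cadence as logcheck; its exit status (0, 1, 2) lets a wrapper decide whether to also run rollaudit immediately rather than waiting for the hourly job.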
SmartFilter cron job
The SmartFilter control list is updated weekly by the following job:
/usr/sbin/smartfilter_auto_download
The system administrator is notified via e-mail whenever the control
list is successfully downloaded. See Appendix E for details about
administering SmartFilter.
Note: This cron job is disabled by default.
Monitor data retrieval cron job
The following cron job retrieves disk utilization information once
every minute:
/usr/bin/get_monitor_data
The data gathered by this job is used to generate the performance
report. See Chapter 18 for information on generating audit reports.
Report generating cron jobs
You can use the Admin Console Reporting window to generate the
following reports:
Root_access, service_denied, and traffic reports.
A network_probe report.
Note: Daily reports are initially disabled in /etc/crontab. If you want to enable daily
reports, you must first enable the auditdbd server or you will not receive any data. See
"Activating the Sidewinder G2 license" on page 3-19.
Squid log rotation cron job
The Web proxy server is implemented using Squid, an open source
software program that provides proxy and caching capabilities.
Squid's log files (access_log, cache_log, and store.log) are rolled over
daily using the following command:
/usr/sbin/cf www rotate
CRL and certificate retrieval cron job
The following cron job automatically retrieves certificates and CRLs
from Netscape Certificate Authorities (CAs):
/usr/sbin/cf cert updatedbs
For more information on certificates, see Chapter 13.
Anti-virus DAT file cron job
The following cron job automatically updates the anti-virus DAT file:
/usr/sbin/datupdate
Package download cron job
The following cron job automatically performs package downloads:
/usr/sbin/cf package download
Export utility cron job
The following cron job automatically removes old export data:
/usr/sbin/cf export ftp
Logcheck cron job
The following cron job automatically runs the logcheck utility every
five minutes:
/usr/sbin/logcheck
Appendix B: Setting Up Network Time Protocol
About this appendix
This appendix provides a brief introduction to Network Time Protocol
(NTP) and describes how to set up NTP on the Sidewinder G2. This
appendix covers the following topics:
"Overview" on page B-1
"Configuring NTP on a Sidewinder G2" on page B-5
"References" on page B-8
Overview
NTP provides a way to synchronize all clocks on a network, or to
synchronize the clocks on one network with those on another
network. You may find NTP useful in the following situations:
When your internal network includes a system that already
provides time for the rest of your network.
When, for time-critical services, it is important to synchronize your
network with a more accurate chronometer on an external network.
Important: If exact synchronization is not important to your site, you may ignore NTP
entirely. NTP is not automatically enabled during Sidewinder G2 installation, and is active
only if you configure and enable it as described later in this appendix.
This release of the Sidewinder G2 is compatible with NTP versions 1,
2, and 3. Version 3 is the preferred version and is the default on the
Sidewinder G2.
Setting Up Network Time Protocol B-1
NTP servers and clients
In NTP, a server is a system that sends a time-feed to another system.
(The server is also referred to as a host.) The receiving system, the
one whose time is being set by the server, is an NTP client.
Consider the simple configuration in Figure B-1 showing an NTP time
server with two NTP clients (A and B) in the same network. The NTP
server supplies the time to NTP clients A and B. Using its own NTP
software, each client system must also be set up to receive time from
the server.
Figure B-1. NTP server-client relationship: an NTP server (time source) feeding Client A and Client B
The Sidewinder G2 can be set up as an NTP server or a client. Secure
Computing Corporation recommends that the Sidewinder G2 be set
up as an NTP client, receiving time from an NTP server on your
internal network.
The Sidewinder G2 as an NTP client
Figure B-2 shows a common NTP setup. It is the recommended
configuration, with the Sidewinder G2 configured as a client receiving
time from a server labeled "Internal time source." In this
configuration, a server in the internal network (shown with an analog
clock) is the designated time-setter for the rest of the network. The
three other systems in the internal network are also NTP clients.
Figure B-2. Sidewinder G2 as an NTP client: an internal time source provides the time-feed to the Sidewinder G2 and to the other internal workstations (no time-feed to or from the Internet)
By means of NTP, the server automatically maintains the correct time
on the Sidewinder G2 and also maintains the time on the other
workstations in the network. The advantages of this setup are the
following:
The internal network does not rely on an external time server and
is therefore not exposed to any security breaches that might
conceivably result from accepting time from outside. For this reason,
this is the configuration recommended by Secure Computing.
Since the Sidewinder G2 is not supplying time for other systems
but is only receiving it, this setup has minimal effect on Sidewinder
G2 performance.
The Sidewinder G2 as an NTP server
You can also set up the Sidewinder G2 to be a time-setter for the rest
of the network. The Sidewinder G2 can feed the time to an internal
system which in turn supplies time to your other workstations. The
Sidewinder G2 could also be set up to supply time to the workstations
in your network directly. However, this setup might decrease the
Sidewinder G2's performance, especially if the Sidewinder G2 has to
supply time directly to a number of systems.
As shown in Figure B-3, the Sidewinder G2 is receiving time from
NTP servers on an external network (the Internet) and passing the time
on to the internal network. This would be advantageous if your company
required constant and precise time updates to within microseconds of
world standard time.
Figure B-3. The Sidewinder G2 as an NTP server: servers on the external network supply time to the Sidewinder G2 through a router, and the Sidewinder G2 passes the time-feed on to the internal network (multiple external servers provide backup)
Important: Unlike the previous two configurations, an external-to-internal NTP
configuration may introduce security concerns to the Sidewinder G2 and thus to your
network. Therefore, this configuration is only recommended for sites that need world
standard time.
Note: For the configuration shown in Figure B-3, the router must be able to handle NTP
traffic.
To pass a clock setting to the internal network, the external side of the
Sidewinder G2 is configured as a client of the external clocks.
The Sidewinder G2's NTP client takes the "tick" from the remote
clock and applies it to the on-board system clock. On the internal side
of the Sidewinder G2, the NTP server is enabled with the clock type
set to "local." This forces the Sidewinder G2 to take its time information
from its own clock and, configured as an internal server, pass the "tick"
to the server on the internal burb interface.
NTP must also be configured on each of the external time servers. For
certified time servers, it is safe to assume that this has already been
done correctly.
Note: An external NTP configuration is recommended only for sites that require time
within microseconds of world standard time. This is achieved by configuring NTP on the
Sidewinder G2 to accept time signals from one or more certified time servers located
outside your company network. For a list of certified time servers, check the following Web
site:
http://www.eecis.udel.edu/~mills/ntp/servers.html
The list includes stratum 1 and stratum 2 servers. Be sure to select stratum 2 servers only. It is
also best to choose a time server that is located within your time zone.
Configuring NTP on a Sidewinder G2
Figure B-4 shows a configuration THAT SHOULD NOT BE USED
and that is almost guaranteed to cause trouble. This happens when
NTP is configured to supply time to the Sidewinder G2 from two
servers, one external and one internal. Input from the external time
server cannot be reconciled with that from the internal server.
Figure B-4. NTP conflict: the Sidewinder G2 receives time both from an internal time source (which also feeds the internal network) and, through the router, from a time server on the external network (DO NOT CONFIGURE NTP IN THIS WAY!)
Use the following procedures to configure the Sidewinder G2 for NTP.
You can enable NTP for the appropriate burbs using the Admin
Console. However, you must configure NTP via the command line.
For information on configuring NTP via the command line see the
cf_ntp man page.
Configuring the Sidewinder G2 as an NTP client
Follow the steps below to set up the Sidewinder G2 as an NTP client
to receive the time from another NTP server.
Using the Admin Console:
1. Disable the fixclock server, as follows (you must disable fixclock before
you enable NTP):
a. In the Admin Console, select Services Configuration -> Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b. Select the Disable radio button.
c. Click the Save icon in the toolbar.
2. Enable the NTP server in the appropriate burbs, as follows:
a. Select Services Configuration -> Servers, and select NTP from the
Server List. The NTP Control tab appears.
b. Select the check box for the burbs in which you want NTP enabled.
c. Click the Save icon in the toolbar.
Using the command line:
3. At the command line, do the following:
a. Connect to the Sidewinder G2 and enter the srole command.
b. Select the machine(s) from which the Sidewinder G2 will receive
time by entering the following command:
cf ntp add server burb=server_burb ip=NTPserver_ip_addr
4. [Optional] Configure the appropriate NTP rules using the following
format:
cf ntp add restrict burb=burb_name ip=restricted_ip_address_or_subnet mask=network_mask_for_ip_address flags=comma_separated_list_of_flags (for example, notrust,noquery)
Note: Flags are used to restrict the NTP functions of a server, peer, or client. Refer to
man cf_ntp for details.
As an NTP client, the Sidewinder G2 synchronizes to the server clock at a
rate of seconds per hour. That is, a difference of several minutes
between the server clock and the client clock may take several days to
correct.
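The command-line part of the client procedure (steps 3 and 4), as an added shell example that plans the cf ntp commands before anything is applied. It is not from this guide or from Secure Computing. It uses only the cf ntp add server and cf ntp add restrict syntax shown above; the match-all entry ip=0.0.0.0 mask=0.0.0.0 and the meaning of the notrust and noquery flags are assumed to follow xntpd's restrict semantics, and the check that refuses servers in two different burbs encodes the rule illustrated by Figure B-4. Commands are printed unless NTP_APPLY=yes, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: plan and optionally
# apply the cf ntp commands for the NTP-client setup, refusing the mixed
# internal-plus-external feed of Figure B-4.
# Assumptions (labelled): the cf ntp syntax is the one the guide shows;
# the match-all entry ip=0.0.0.0 mask=0.0.0.0 and the notrust / noquery
# flags follow xntpd restrict semantics.  Commands are printed unless
# NTP_APPLY=yes.
NTP_APPLY=${NTP_APPLY:-no}

# ntp_run COMMAND... - print the command, or run it when NTP_APPLY=yes
ntp_run() {
    if [ "$NTP_APPLY" = yes ]; then "$@"; else echo "$*"; fi
}

# is_ipv4 STRING - true for a dotted quad with every octet in 0..255
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ntp_client_plan BURB:IP... - one entry per time server.  All entries
# must name the same burb: feeding the Sidewinder G2 from an internal and
# an external server at once cannot be reconciled (Figure B-4).
ntp_client_plan() {
    np_burb=""
    for np_entry in "$@"; do
        case $np_entry in
            *:*) ;;
            *) echo "ntp_client_plan: expected BURB:IP, got '$np_entry'" >&2; return 1 ;;
        esac
        np_b=${np_entry%%:*}; np_ip=${np_entry#*:}
        is_ipv4 "$np_ip" || { echo "ntp_client_plan: bad address '$np_ip'" >&2; return 1; }
        if [ -z "$np_burb" ]; then
            np_burb=$np_b
        elif [ "$np_b" != "$np_burb" ]; then
            echo "ntp_client_plan: servers in both '$np_burb' and '$np_b'; take time from one side only" >&2
            return 1
        fi
    done
    [ -n "$np_burb" ] || { echo "ntp_client_plan: no servers given" >&2; return 1; }
    for np_entry in "$@"; do
        np_ip=${np_entry#*:}
        ntp_run cf ntp add server burb="$np_burb" ip="$np_ip"
        # the server may synchronize us but still may not query the daemon
        ntp_run cf ntp add restrict burb="$np_burb" ip="$np_ip" mask=255.255.255.255 flags=noquery
    done
    # everyone else in the burb: never a time source, no ntpq/ntpdc access
    ntp_run cf ntp add restrict burb="$np_burb" ip=0.0.0.0 mask=0.0.0.0 flags=notrust,noquery
}
```

For example, ntp_client_plan internal:10.1.1.5 internal:10.1.1.6 prints two server entries, one per-server restrict entry each, and the match-all entry; ntp_client_plan internal:10.1.1.5 external:192.0.2.10 is refused. The flag meanings are those of the NTP version 3 (xntpd) generation this guide targets: notrust there means "never synchronize to this source", whereas in ntpd 4.2 and later it means "require cryptographic authentication", so the same plan would need revisiting on a newer daemon.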
Configuring the Sidewinder G2 as an NTP server
Follow the steps below to set up the Sidewinder G2 as an NTP server
to send the time to other systems.
Note 1: This section assumes the same configuration as shown in Figure B-3. It also
assumes you have already set up the Sidewinder G2 as a client on the external burb to
receive the time-feed from an external time server.
Note 2: If you are setting up NTP to provide time to your network from another network,
and there is a router between that network and your network, make sure the router allows
NTP traffic.
Using the Admin Console:
1. Disable the fixclock server, as follows (you must disable fixclock before
you enable NTP):
a. In the Admin Console, select Services Configuration -> Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b. Select the Disable radio button.
c. Click the Save icon in the toolbar.
2. Enable the NTP server in the appropriate burbs, as follows:
a. Select Services Configuration -> Servers, and select NTP from the
Server List. The NTP Control tab appears.
b. Select the check box for the burbs in which you want NTP enabled.
c. Click the Save icon in the toolbar.
Using the command line:
3. At the command line, connect to the Sidewinder G2 and enter the
srole command.
4. Create a local clock by entering the following command:
cf ntp add peer burb=burb_name ip=127.127.1.0 prefer=yes
The address 127.127.1.0 is NTP's local clock driver. Setting prefer=yes
specifies that the Sidewinder G2's own clock takes precedence over a set of
correctly operating servers that are also sending the time.
5. (Optional: Perform if configuring the Sidewinder G2 as an authoritative
NTP clock) Add a list of NTP peers that can query the Sidewinder G2 by
entering the following command:
cf ntp add peer burb=peer_burb ip=ip_addr
An NTP peer is a server that is a designated "colleague" to another server
(peers can set each other's clocks). Peers are sometimes used in large,
internationally-known time sites.
6. (Optional: Perform if configuring the Sidewinder G2 as an authoritative
NTP clock) Set up the NTP rules by entering the following command:
cf ntp add restrict burb=burb_name ip=restricted_ip_address_or_subnet mask=network_mask_for_ip_address flags=comma_separated_list_of_flags (for example, notrust,noquery)
Note: Flags are used to restrict the NTP functions of a server, peer, or client. Refer to
man cf_ntp for details.
References
NTP is a complicated protocol with many options. There are
numerous places where more information can be obtained. These
include RFCs, Web sites, and local manual (man) pages. For more
information about NTP, see the following sources:
Internet Request For Comments (RFC)
The following RFCs provide information on NTP:
RFC 1059, Network Time Protocol (Version 1)
RFC 1119, Network Time Protocol (Version 2)
RFC 1305, Network Time Protocol (Version 3)
Web Sites
Point your browser to the following Web site:
http://www.ntp.org/
On-line manual (man) pages
Type the following commands:
man cf_ntp
man xntpd
man xntpdc
Appendix C: Configuring Dynamic Routing with OSPF
About this appendix
This appendix describes how to set up routing capability on the
Sidewinder G2 using the Open Shortest Path First (OSPF) protocol.
Tip: You should read this appendix only if you have identified that your routing topology
is too complicated to use only static routing or the Routing Information Protocol (RIP).
OSPF is a complex IP routing protocol and deploying OSPF should involve discussions
between routing subject matter experts and security subject matter experts.
This appendix addresses the following topics:
"Overview" on page C-1
"OSPF processing on a Sidewinder G2" on page C-4
"Setting up OSPF routing on the Sidewinder G2" on page C-6
"Configuring "passive" OSPF" on page C-13
"Other implementation details" on page C-13
Overview
OSPF is a routing protocol in the sense that it provides the information
used to work out routes within a portion of a network. Strictly, however,
it does not pass routes at all: each router advertises information about
its own links, and every router runs the same algorithm over that link
information and so arrives at the same "picture" of the network.
Note: OSPF runs as its own protocol (IP protocol number 89) directly on top of IP.
OSPF uses a fair amount of multicasting. When a router detects a
change to its routing table or a change in the network topology, it
immediately multicasts the information to the other OSPF routers on the
network. Unlike RIP, in which the entire routing table is sent, a
router using OSPF sends only the part that has changed. With RIP, the
routing table is sent to neighboring routers every 30 seconds; OSPF
multicasts updated information only when a change occurs.
Configuring Dynamic Routing with OSPF C-1
A closer look at OSPF
Rather than counting the number of hops, OSPF bases its path
descriptions on link states that factor in additional network
information. Also, OSPF lets you assign cost metrics to a given
router's interfaces so that some paths are given preference.
There are three phases to the OSPF protocol:
1. Routers "discover" neighboring OSPF routers by exchanging Hello
messages. The Hello messages also determine which routers will act as
the Designated Router (DR) and Backup Designated Router (BDR). These
messages are periodically exchanged to ensure connectivity between
neighbors still exists.
2. Routers exchange their "link state databases." Link state means the
information about a system's interfaces (IP address, network mask, cost
for using that interface, and whether it is up or down).
3. Finally, the routers exchange additional information via a number of
different types of Link State Advertisements (LSAs). These "fill out" the
information needed to calculate routes. Some reasons for generating
LSAs are interfaces going up or down, distant routes changing, static
routes being added or deleted, etc.
Figure C-1. Three OSPF protocol phases between OSPF routers: 1. exchange Hello messages to discover neighbor OSPF routers; 2. exchange link state databases; 3. exchange link state advertisements
At this point, all routers should have a full database. Each database
contains consistent (not identical) information about the network.
Based upon this information, routes are calculated via Dijkstra's
algorithm. This algorithm generates the set of shortest routes needed
to traverse the network. These routes are then enabled for use by IP.
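The route calculation the overview describes, as an added example that is not from this guide: Dijkstra's algorithm run over a small link-state database. The database format ("router neighbor cost" lines, links treated as symmetric) is constructed for the example and is not an OSPF LSA encoding; the output is one "destination cost next_hop" line per reachable router. Running it from two different roots over the same database shows the point made above: every router starts from the same link information and computes its own shortest-path tree from it.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: the route calculation
# the overview describes, Dijkstra's algorithm over a link-state database.
# The database is read from stdin as "router neighbor cost" lines (a
# constructed format for this example, not an OSPF LSA encoding); links
# are treated as symmetric.  Output: "destination cost next_hop" per
# reachable router, sorted.  An unknown root yields no output.
spf() {
    awk -v root="$1" '
    NF == 3 {
        cost[$1, $2] = $3; cost[$2, $1] = $3
        nodes[$1] = 1; nodes[$2] = 1
    }
    END {
        for (n in nodes) dist[n] = -1          # -1 stands for "infinite"
        if (!(root in nodes)) exit             # unknown root: no tree
        dist[root] = 0; nh[root] = "-"
        while (1) {
            # settle the cheapest router not yet on the tree
            best = ""
            for (n in nodes)
                if (!(n in done) && dist[n] >= 0 &&
                    (best == "" || dist[n] < dist[best]))
                    best = n
            if (best == "") break
            done[best] = 1
            # relax every link out of the settled router
            for (n in nodes) {
                if (!((best, n) in cost) || (n in done)) continue
                d = dist[best] + cost[best, n]
                if (dist[n] < 0 || d < dist[n]) {
                    dist[n] = d
                    # the next hop is the first router after root on the path
                    nh[n] = (best == root) ? n : nh[best]
                }
            }
        }
        for (n in nodes) if ((n in done) && n != root) print n, dist[n], nh[n]
    }' | LC_ALL=C sort
}
```

Usage: printf 'A B 1\nB C 1\nA C 5\nC D 1\n' | spf A prints B 1 B, C 2 B and D 3 B (the direct A-C link of cost 5 loses to the two-hop path of cost 2), and the same database piped to spf C gives C's own tree. Equal-cost paths are resolved by awk's unspecified array order here; a real OSPF implementation keeps them as equal-cost multipath.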
Overview<br />
All OSPF routers on a network do not exchange OSPF data—this<br />
limits network overhead. Instead, they communicate with the DR (and<br />
BDR), which are then responsible for updating all other routers on the<br />
network. Election <strong>of</strong> the DR is based upon the priority <strong>of</strong> that router.<br />
OSPF multicasts using the AllSPFRouters (224.0.0.5) and AllDRouters<br />
(224.0.0.6) addresses. The Designated Router (DR) and Backup<br />
Designated Router (BDR) receive packets on the second address.<br />
Important: Since the <strong>Sidewinder</strong> <strong>G2</strong> performs many other functions, Secure Computing<br />
Corporation recommend that customers should not configure the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
become DR (or BDR) unless forced to by network topology.<br />
OSPF routing<br />
OSPF is an Interior Gateway Protocol (IGP). An IGP limits the exchange<br />
of routes to a "domain of control," known as an Autonomous System (AS).<br />
An AS is a network (an ISP, for example) run under a single administrative<br />
authority with a consistent routing policy; that policy may involve more<br />
than one routing protocol. RIP (both v1 and v2), IS-IS and EIGRP (a<br />
proprietary Cisco protocol) are all IGPs.<br />
Exterior Gateway Protocols, such as EGP and the Border Gateway Protocol<br />
(BGP), communicate routing information between Autonomous Systems.<br />
Routers on the "edge" <strong>of</strong> the AS generate "special" LSAs (AS-External-<br />
LSAs) for the rest <strong>of</strong> the AS. There's also a mechanism (forwarding<br />
address) so that an OSPF router can "point over there" for a route.<br />
This feature allows a customer to introduce static routes for their<br />
network from a central router.<br />
Autonomous Systems can be large, and the whole AS does not need to know<br />
"everything" about every route. Each AS may therefore be broken down into<br />
areas. Within an area every router must hold an identical link state<br />
database. Routing between areas goes through a "backbone." All routers on<br />
the backbone have to be able to communicate with each other, and since they<br />
belong to the same area (area 0 of a particular AS), they too must agree on<br />
its link state database. Area Border Routers (ABRs) have one interface<br />
defined to run in the backbone area; other interfaces can then be defined<br />
to run in a different area.<br />
Figure C-2. OSPF areas<br />
Take a look at a sample configuration. Figure C-2 shows a large<br />
internal network and backbone terminating at a router.<br />
(Figure C-2 labels: Autonomous system (AS); area 0 (backbone) containing a complicated network; router R; ABR; area n (8.8.8.8) containing a complicated network)<br />
Stub areas are areas with a single exit point that carry no AS-external<br />
routes. The ABR for the stub sends a "summary" LSA for the default route<br />
into the stub, pointing back to itself as the default router for the area.<br />
For more information on OSPF and Internet routing, check with your<br />
router vendor. The following books may also be useful:<br />
Routing in the Internet, 2nd edition by Christian Huitema, Prentice<br />
Hall (2000)<br />
Cisco Router OSPF: Design and Implementation <strong>Guide</strong>, by William<br />
R. Parkhurst (Cisco <strong>Technical</strong> Expert), McGraw Hill (1998)<br />
OSPF processing on a Sidewinder G2<br />
OSPF processing is done by a Sidewinder G2 server process called gated.<br />
To implement OSPF processing on the Sidewinder G2, a gated server process<br />
must be configured, enabled, and started in the burb that is expected to<br />
handle OSPF traffic. Only one gated may be started per burb, but that gated<br />
handles all network interfaces within that burb.<br />
The Sidewinder G2 currently runs version 3.6 of gated. This is the most<br />
recent freely available version of gated, from the Merit GateD Consortium<br />
and its successor, NextHop.<br />
This release of OSPF on the Sidewinder G2 runs gated as an "intra-area"<br />
router. That means all interfaces that are configured to run OSPF exist in<br />
the same OSPF area.<br />
Note: Support for the Sidewinder G2 running as an ABR will come in a future release.<br />
Figure C-3. Sidewinder G2 within OSPF area 0 backbone<br />
Figure C-4. Sidewinder G2 within OSPF area "n"<br />
<strong>Sidewinder</strong> <strong>G2</strong> in an OSPF network topology<br />
Essentially there are two choices for locating the <strong>Sidewinder</strong> <strong>G2</strong><br />
within the OSPF network topology.<br />
the <strong>Sidewinder</strong> <strong>G2</strong> within OSPF area 0 backbone<br />
the <strong>Sidewinder</strong> <strong>G2</strong> within OSPF area n<br />
The first choice, shown in Figure C-3, extends the AS backbone through<br />
the Sidewinder G2. Any area boundary is external to the Sidewinder G2.<br />
(Figure C-3 labels: Autonomous system (AS); area 0 (backbone) containing a complicated network; router R; ABR; area n (8.8.8.8) network; router R; ASBR)<br />
The second choice, shown in Figure C-4, runs a non-backbone area<br />
through the <strong>Sidewinder</strong> <strong>G2</strong>, placing the backbone completely internal.<br />
This second option is preferable for security policy reasons, but may<br />
not be practical without re-engineering the OSPF network.<br />
(Figure C-4 labels: Autonomous system (AS); area 0 (backbone) containing a complicated network; router R; ABR; area n (8.8.8.8); two Sidewinder G2s, each shown with two burbs; ASBR)<br />
Setting up OSPF routing on the Sidewinder G2<br />
In order for OSPF to work, all routers must work from a consistent link<br />
state database. The Sidewinder G2 implementation lets a customer control<br />
which routers it will communicate with by using the rule list: the active<br />
rule list can be configured so that only known routers are allowed to talk<br />
to gated.<br />
Interoperability with other OSPF routers<br />
The 3.6 distribution of gated supports OSPF version 2 as described in<br />
RFC 1583. Many routers will detect this automatically; other routers have<br />
an RFC 1583 compatibility mode setting, which selects the RFC 1583 rules<br />
for preferring among AS-external routes rather than the later RFC 2328<br />
rules. Because mixing the two preference rules in one routing domain can<br />
produce routing loops, this setting should be enabled on all other routers<br />
(if available) in the same area as the Sidewinder G2.<br />
Other routing protocols<br />
There are many versions <strong>of</strong> gated that support a number <strong>of</strong> routing<br />
protocols. The <strong>Sidewinder</strong> <strong>G2</strong> gated currently supports OSPF. A<br />
future release will include RIP (both v1 and v2) support. At this time,<br />
we are NOT expecting to support IS-IS (another interior routing<br />
protocol similar to OSPF), or any exterior routing protocols (EGP or<br />
BGP).<br />
Follow the steps below to set up OSPF on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
1. Sketch a diagram showing your planned <strong>Sidewinder</strong> <strong>G2</strong> configuration<br />
(similar to the diagram in Figure C-4). Include the following items on<br />
your diagram:<br />
configuration <strong>of</strong> the routers to which the <strong>Sidewinder</strong> <strong>G2</strong> connects<br />
OSPF areas in the network(s)<br />
the <strong>Sidewinder</strong> <strong>G2</strong> interfaces (burbs)<br />
2. On the <strong>Sidewinder</strong> <strong>G2</strong>, define one or more netgroups for the routers to<br />
which <strong>Sidewinder</strong> <strong>G2</strong> connects. See Chapter 5 for details on creating<br />
netgroups.<br />
3. On the <strong>Sidewinder</strong> <strong>G2</strong>, configure one or more rules for the OSPF traffic.<br />
See Chapter 7 for details on setting up rules.
Figure C-5. OSPF Properties tab<br />
4. On the <strong>Sidewinder</strong> <strong>G2</strong>, configure the following OSPF parameters:<br />
a. Properties<br />
b. OSPF properties<br />
c. OSPF Areas<br />
d. Advanced<br />
Tip: Follow the procedures in the next sections to use the Admin Console to set your<br />
OSPF options.<br />
5. Enable the OSPF (gated) server by doing the following:<br />
a. Using the Admin Console, select Services Configuration -> Servers<br />
and then select gated-unbound.<br />
b. Click Enable.<br />
Configuring OSPF properties<br />
To configure OSPF properties, start the Admin Console and select<br />
Services Configuration -> Routing -> Dynamic. Click the OSPF Properties tab;<br />
the following window appears:<br />
About the OSPF Properties tab<br />
The OSPF Properties tab specifies the parameters that affect overall<br />
OSPF function on the Sidewinder G2. Follow the steps below.<br />
1. In the Default Preference field, specify the default preference for<br />
selection <strong>of</strong> routes learned by OSPF versus other gated routing<br />
protocols. The default is 150. Do not change this field unless directed by<br />
Secure Computing.<br />
2. In the Default Cost field, specify the metric for external routes that OSPF<br />
is going to advertise to the Autonomous System (AS). The default is 1.<br />
Do not change this field unless directed to by Secure Computing.<br />
3. In the Default Tag field, specify the tag placed on OSPF external routes<br />
for protocol-dependent filtering elsewhere. The default tag is 0. Do not<br />
change this field unless directed to by Secure Computing.<br />
4. In the Default Type drop-down list, select whether OSPF advertises<br />
external routes into the AS as Type 1 or Type 2 Autonomous System External<br />
routes (ASEs). The default is 1. Do not change this field unless directed<br />
to by Secure Computing.<br />
5. In the Default Inherit Metric field, select one <strong>of</strong> the following:<br />
Yes: If this field is set to Yes, OSPF will use the metric from the<br />
external route when exporting ASEs rather than using the default<br />
cost.<br />
No: This is the default value. Do not change this field unless<br />
directed to by Secure Computing.<br />
6. In the Export Limit field, specify the throttle rate at which an ASBR<br />
advertises ASEs into the AS. The default is 100 ASEs per interval. Do not<br />
change this field unless directed to by Secure Computing.<br />
7. In the Export Interval field, specify how <strong>of</strong>ten an ASBR will advertise ASEs<br />
into the AS. The value specifies seconds, with a default <strong>of</strong> 1. Do not<br />
change this field unless directed to by Secure Computing.<br />
8. The syslog field provides you with the ability to allow gated to log<br />
occasional packets to syslog (and thereby <strong>Sidewinder</strong> <strong>G2</strong> audits) in<br />
addition to the depth <strong>of</strong> information obtainable from trace options. The<br />
format is first pktcnt every pktcnt2, which means OSPF will log the first<br />
pktcnt packets for EACH type <strong>of</strong> OSPF packet. After that, it will then log<br />
one message per pktcnt2 packets. The default is no entry, which means<br />
no logging. Do not change this field unless directed to by Secure<br />
Computing.<br />
9. In the OSPF Enabled field specify whether OSPF is enabled (yes or no).<br />
10. To save your changes, click the Save icon in the toolbar.<br />
Configuring OSPF Areas<br />
To configure OSPF areas, start the Admin Console and select Services<br />
Configuration -> Routing -> Dynamic. Click the OSPF Areas tab; the<br />
following window appears:<br />
Figure C-6. OSPF Area tab<br />
About the OSPF Area tab<br />
The OSPF Area tab configures communication with other routers.<br />
Follow the steps below.<br />
1. In the Area field, specify the area number as follows:<br />
Backbone—Select this option to define area 0.<br />
Number—Select this option to define a non-zero area. The area is<br />
defined in the Area Number field. Values can be simple numbers<br />
(like 3) or "dotted decimal" (like IP addresses). Areas are 32-bit<br />
numbers.<br />
2. In the Stub field, specify whether this is a stub area (an area with no<br />
external routes) as follows:<br />
Yes—Select this option if the Sidewinder G2 is an intra-area router<br />
inside a stub area. In the Default Cost area, specify the cost of the<br />
default route. If this is the Area Border Router (ABR) for the stub<br />
area, this indicates the cost of the default route that will be flooded<br />
into the stub area.<br />
No—Select this option if the Sidewinder G2 is not an intra-area<br />
router inside a stub area.<br />
3. To modify the Interfaces table, see “Configuring the OSPF Area:<br />
Interfaces window” on page C-9. The Interfaces table defines the<br />
configuration for each OSPF interface on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: Do not change the Networks field unless directed to by Secure Computing.<br />
Configuring the OSPF Area: Interfaces window<br />
When you click New or Modify under the Interfaces table, the<br />
following window appears:<br />
Figure C-7. OSPF Area window: Interface Information<br />
1. In the Interfaces field, specify the <strong>Sidewinder</strong> <strong>G2</strong> IP address for each<br />
interface that should use OSPF.<br />
2. In the Cost field, specify the metric that OSPF should advertise when<br />
calculating routes using this interface. (OSPF leaves this undefined, but<br />
it is an integer.)<br />
3. In the Enabled field, specify whether this interface should currently run<br />
OSPF.<br />
4. In the Retransmit Interval field, specify the retransmit interval (in<br />
seconds) between link state advertisement retransmits (the range is 0-<br />
65535).<br />
5. In the Transit Delay field, specify a reasonable estimate on how long it<br />
takes an OSPF packet to be transmitted on this interface (range is 0-<br />
65535). Except for very long delay paths, this parameter will normally be<br />
set to 1.<br />
6. In the Priority field, specify the priority for becoming a Designated<br />
Router (DR) on this interface. Values are from 0–255, with the higher<br />
priorities being more likely to be elected as DR (or Backup DR). When set<br />
to 0 (the default setting), gated will not become a DR under any<br />
circumstance.<br />
Note: Secure Computing recommends that you keep this value 0 on the <strong>Sidewinder</strong><br />
<strong>G2</strong> whenever possible; DR functionality can cause significant utilization impact.<br />
7. In the Hello Interval field, specify the time in seconds between Hello<br />
packets sent to maintain connectivity with neighboring routers. The<br />
default is 10 seconds. Values range from 0–255.<br />
8. In the Router Dead Interval field, specify the time in seconds OSPF will<br />
wait without receiving Hello packets from a neighbor before assuming<br />
that neighbor is down. The default is 40 seconds. Values from 0–65535.
Figure C-8. Authentication Information window<br />
9. [Optional] In the Passive field, specify whether OSPF will NOT send<br />
packets on this interface, but will send information about this interface<br />
to other interfaces. Routes can then be established through the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to systems on the passive interface. The default setting is<br />
No.<br />
10. In the Auth field, specify which type of authentication is used on<br />
OSPF packets for this interface:<br />
none—No authentication (default).<br />
simple—Specifies that a clear text password (as specified in the Auth<br />
Keys list) must be present in every packet. Anyone who can capture<br />
OSPF traffic on the segment can read it.<br />
md5—Specifies that every packet must carry an MD5 digest computed over<br />
the packet and a shared key (as specified in the Auth Keys list). The<br />
key itself is never transmitted; only the key's Id Number is.<br />
Note: If you select simple or md5, click New (or Modify) to specify the<br />
authentication key data. See "Authentication Information window" below.<br />
11. To save your changes, click the Save icon in the toolbar.<br />
Authentication Information window<br />
The Authentication Information window specifies the key data for simple<br />
or md5 authentication.<br />
1. In the Authentication Key field, specify the key. For simple<br />
authentication this is the clear text value that must be present in every<br />
packet; for md5 it is the secret used to compute and check each packet's<br />
digest. The entry may be one to eight decimal digits separated by<br />
periods, a one to eight digit hexadecimal string preceded by 0x, or a one<br />
to eight character string in double quotes. More than one Authentication<br />
Key can be defined; the only requirement is that the keys do not share<br />
the same Start Generate time.<br />
2. (md5 authentication only) In the Id Number field, specify a value from<br />
1–255.<br />
3. In the Start/Stop Generate fields, define the time period during which<br />
gated uses the key to sign outgoing packets.<br />
4. In the Start/Stop Accept fields, define the time period during which<br />
gated uses the key to validate incoming packets.<br />
Note: The Generate/Accept fields are optional and specify when an md5 key is<br />
valid. If you specify any time value, you must also specify all the others. Give<br />
successive keys overlapping valid times so that service is not lost during a key<br />
change: the new key should start being accepted before it starts being used to<br />
sign, and the old key should still be accepted after the new key has taken over<br />
signing. Multiple keys cannot share the same Start Generate or Start Accept time.<br />
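As an added example (not the guide's, gated's or Secure Computing's code), the following Python shows what the md5 setting puts on the wire according to RFC 2328 Appendix D, what the simple setting puts there instead, and how the Generate and Accept windows of two overlapping keys drive key selection on the sending and receiving sides. The key schedule, the `Md5Key` fields and the 16-byte key padding follow the RFC rather than the eight-character limit stated above for the Authentication Key field; the key values, times, Router ID and the tie-break for overlapping Generate windows are assumptions made for the example.<br />

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.
Added example, not gated or Sidewinder G2 code; key values and times are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

OSPF_HDR = struct.Struct("!BBHIIHH")  # version, type, length, router ID, area ID, checksum, AuType
HELLO = struct.Struct("!IHBBIII")     # netmask, hello interval, options, priority, dead interval, DR, BDR
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2

@dataclass
class Md5Key:
    key_id: int          # Id Number 1..255; sent in clear so the receiver can pick the key
    secret: bytes        # the shared secret; never sent
    start_generate: int  # Generate window: when this key signs outgoing packets
    stop_generate: int
    start_accept: int    # Accept window: when this key validates incoming packets
    stop_accept: int

def _pad16(secret: bytes) -> bytes:
    return secret[:16].ljust(16, b"\x00")  # D.4.3: the key is 16 bytes, zero padded

def _ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def hello_body(hello_interval: int = 10, dead_interval: int = 40, priority: int = 0) -> bytes:
    # Interface parameters as on the OSPF Area interface window; DR and BDR not yet known
    return HELLO.pack(int(IPv4Address("255.255.255.0")), hello_interval, 0x02, priority, dead_interval, 0, 0)

def select_generate_key(keys: List[Md5Key], now: int) -> Optional[Md5Key]:
    """Key whose Generate window contains now; the newest start wins (assumed tie-break)."""
    active = [k for k in keys if k.start_generate <= now <= k.stop_generate]
    return max(active, key=lambda k: k.start_generate) if active else None

def build_hello(rid: str, area: int, body: bytes, auth: str, *, keys=(), now=0, seq=0, password=b"") -> bytes:
    """Hello (type 1) packet with auth 'none', 'simple' or 'md5'."""
    length = OSPF_HDR.size + 8 + len(body)  # header + 64-bit authentication field + body
    rid_n = int(IPv4Address(rid))
    if auth == "md5":
        key = select_generate_key(list(keys), now)
        if key is None:
            raise ValueError("no MD5 key valid for generation now")
        hdr = OSPF_HDR.pack(2, 1, length, rid_n, area, 0, AUTH_CRYPTO)  # checksum unused for md5
        pkt = hdr + struct.pack("!HBBI", 0, key.key_id, 16, seq) + body  # 0, KeyID, AuthLen, CryptSeq
        return pkt + hashlib.md5(pkt + _pad16(key.secret)).digest()  # digest trails, not counted in length
    autype = AUTH_SIMPLE if auth == "simple" else AUTH_NONE
    csum = _ip_checksum(OSPF_HDR.pack(2, 1, length, rid_n, area, 0, autype) + body)  # auth field excluded
    auth_field = password[:8].ljust(8, b"\x00") if auth == "simple" else bytes(8)  # password in clear
    return OSPF_HDR.pack(2, 1, length, rid_n, area, csum, autype) + auth_field + body

def verify_md5(pkt: bytes, keys: List[Md5Key], now: int, last_seq: Optional[int] = None) -> bool:
    """Receiver: pick the key by KeyID within its Accept window, check digest and sequence."""
    if len(pkt) < OSPF_HDR.size + 8:
        return False
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(pkt)
    if autype != AUTH_CRYPTO or len(pkt) != length + 16:
        return False
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", pkt, OSPF_HDR.size)
    if auth_len != 16 or (last_seq is not None and seq < last_seq):  # sequence must not go backwards
        return False
    key = next((k for k in keys if k.key_id == key_id and k.start_accept <= now <= k.stop_accept), None)
    if key is None:
        return False
    expected = hashlib.md5(pkt[:length] + _pad16(key.secret)).digest()
    return hmac.compare_digest(expected, pkt[length:])

# Constructed schedule: key 2 is accepted (t=400) before it starts signing (t=500), and key 1
# is still accepted (until t=900) after it stops signing (t=600), so neighbours never disagree
KEYS = [
    Md5Key(1, b"old-secret", start_generate=0, stop_generate=600, start_accept=0, stop_accept=900),
    Md5Key(2, b"new-secret", start_generate=500, stop_generate=3000, start_accept=400, stop_accept=3000),
]

def rollover_demo() -> dict:
    """Sign Hellos at points in the schedule and verify them as a neighbour would."""
    body = hello_body()
    early = build_hello("10.0.0.254", 0, body, "md5", keys=KEYS, now=300, seq=1)  # only key 1 active
    late = build_hello("10.0.0.254", 0, body, "md5", keys=KEYS, now=550, seq=2)   # both active: key 2
    tampered = early[:24] + bytes([early[24] ^ 1]) + early[25:]  # flip one bit of the body
    simple = build_hello("10.0.0.254", 0, body, "simple", password=b"secret")
    return {
        "early_key_id": early[18], "late_key_id": late[18],
        "early_accepted_in_overlap": verify_md5(early, KEYS, now=800),
        "early_rejected_after_expiry": verify_md5(early, KEYS, now=1000),
        "late_accepted": verify_md5(late, KEYS, now=550, last_seq=1),
        "replay_rejected": verify_md5(late, KEYS, now=550, last_seq=5),
        "tamper_rejected": verify_md5(tampered, KEYS, now=300),
        "simple_password_on_wire": simple[16:24], "crypto_length": len(early),
    }
```

The digest is keyed but is not an HMAC, and MD5 is weak as a hash; what the scheme buys is that an on-path host cannot forge or alter Hellos and LSAs without the secret, and the non-decreasing sequence number blocks straightforward replay. The simple mode, by contrast, places the password itself in bytes 16 to 23 of every packet, which is why the md5 setting is the one to use whenever the neighboring routers support it.<br />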
Configuring the OSPF Areas: Networks window<br />
The Networks area on the OSPF Areas window should not be configured<br />
unless directed to do so by Secure Computing Technical Support.<br />
Configuring Advanced options<br />
To configure advanced options, start the Admin Console and select<br />
Services Configuration -> Routing -> Dynamic. Click the Advanced tab; the<br />
following window appears:<br />
Figure C-9. OSPF Advanced window<br />
About the Advanced window<br />
The Advanced window allows you to directly edit and test the gated<br />
configuration file.<br />
Edit "gated.conf" File: Clicking this button allows you to set up and<br />
specify features that are not available through the Admin Console.<br />
Validate "gated.conf" File: Clicking this button launches a test utility<br />
that checks the configuration file's entries and ensures a valid<br />
configuration.<br />
The resulting test determines whether the file has valid parameter<br />
settings that do not conflict with each other; it does not evaluate the<br />
"logic" of the specified configuration.<br />
Configuring "passive" OSPF<br />
You can configure and run OSPF through the Sidewinder G2 WITHOUT<br />
affecting the Sidewinder G2 routing tables. To do this, edit the<br />
/etc/server.conf file as follows:<br />
1. Using a text editor of your choice, find the entry:<br />
server(gated-unbound ...........)<br />
2. Change args[-N] to args[-n -N]. (The -n flag tells gated not to modify<br />
the kernel routing table; it still exchanges OSPF packets with its<br />
neighbors.)<br />
3. Save the file.<br />
4. Stop and start the gated server from the Services Configuration -><br />
Servers menu.<br />
Important: In order for the <strong>Sidewinder</strong> <strong>G2</strong> to correctly pass data, static routes must<br />
have been previously defined.<br />
Other implementation details<br />
As with any routing protocol, OSPF passes routable addresses: the real<br />
addresses of the networks behind the Sidewinder G2 are advertised to its<br />
neighbors. This defeats the purpose of NAT at a Sidewinder G2 running OSPF.<br />
However, NAT can still be performed at the ASBR.<br />
gated supports a method to "query" remote gated implementations<br />
about their current state and information. This is done via the ospf<br />
monitor command. For security, the ospf monitor command is not<br />
supplied on the <strong>Sidewinder</strong> <strong>G2</strong> and it does not accept queries from<br />
remote gated instances.<br />
Filtering of routes should not be performed within an area. It leads to<br />
inconsistent link state databases, and the Dijkstra calculation on<br />
inconsistent databases can produce routing loops. The Sidewinder G2 will<br />
support route filtering when it supports running as an ABR.<br />
APPENDIX D<br />
Configuring Dynamic Routing with RIP<br />
About this appendix<br />
This appendix describes how to set up dynamic routing capability on<br />
the Sidewinder G2 using its routing information protocol (RIP)<br />
process. This appendix addresses the following topics:<br />
“RIP with standard IP routers” on page D-1<br />
“RIP processing on the <strong>Sidewinder</strong> <strong>G2</strong>” on page D-3<br />
“RIP with the <strong>Sidewinder</strong> <strong>G2</strong> using transparent IP addressing” on<br />
page D-5<br />
“RIP with the <strong>Sidewinder</strong> <strong>G2</strong> NOT using transparent IP addressing”<br />
on page D-8<br />
“Configuring RIP on the <strong>Sidewinder</strong> <strong>G2</strong>” on page D-12<br />
“Enabling/disabling the routed server” on page D-15<br />
“Trace and log information” on page D-16<br />
Security Alert: RIP version 1 is an inherently insecure protocol: it has no<br />
authentication, so any host that can send to UDP port 520 on a burb's network can<br />
offer routes. Without careful configuration of this service, this system may be<br />
susceptible to route confusion attacks.<br />
RIP with standard IP routers<br />
The following describes how RIP processing aids in routing IP packets<br />
through a network that has a redundant routing architecture. Figure<br />
D-1 illustrates this redundant architecture.<br />
Figure D-1. Dynamic routing with standard IP routers<br />
(Figure D-1 labels: Bizco Network with a Telnet server; routers router_a, router_b, router_c and router_d; CorpCity Network with a Telnet client)<br />
Note: This figure assumes that all routers (a, b, c, and d) are exchanging RIP packets<br />
between each other every 30 seconds.<br />
In this example, it is unnecessary for the Telnet server and the client<br />
to accept RIP packets. The server can statically configure its gateway<br />
to be Router_a, and the client can statically configure its gateway to be<br />
Router_b.<br />
The Telnet client has two possible paths to the server: (1) via<br />
Router_b-to-Router_a, and (2) via Router_d-to-Router_c-to-Router_a.<br />
Examining the routing table on Router_b, you would find two possible<br />
routes to the Bizco network, one with a hop count of two (through<br />
Router_a), the other with a hop count of three (through Router_d).<br />
When the Telnet client needs to connect to the Telnet server, it sends<br />
a TCP connection request to Router_b because its default route points to<br />
Router_b. Router_b receives the connection packet and, because the route<br />
to the Bizco network is shorter via Router_a (two hops versus three),<br />
forwards it on to Router_a. Router_a forwards the packet into the Bizco<br />
network, where it is received by the Telnet server. The Telnet server<br />
builds and sends a reply, which typically follows the same route back to<br />
the client. The two systems have established a connection.<br />
The dynamic routing capability <strong>of</strong> RIP can be seen when the link<br />
between Router_a and Router_b is lost. As soon as Router_b notices<br />
that it is no longer receiving RIP updates from Router_a, it updates its<br />
local routing table hop count for that route to 16 (route unreachable)<br />
and broadcasts this to others on its local network (this is to notify<br />
Router_d).<br />
Next, the Telnet client sends another IP packet to Router_b, unaware that<br />
the link between Router_a and Router_b has been lost. Router_b looks at its<br />
local routing table and discovers two routes, one unreachable, the other<br />
through Router_d. Because Router_d is on the same network as the client,<br />
Router_b sends an 'ICMP Redirect' back to the client stating that it can<br />
reach the Telnet server's network through Router_d. If the client's TCP/IP<br />
stack is operating correctly, it updates its local routing table to point<br />
that host at Router_d. The client TCP/IP stack then re-sends its last packet<br />
to Router_d. Router_d receives the packet and forwards it on to Router_c,<br />
which forwards it on to Router_a, etc.<br />
Important: Note that the TCP session continues on through Router_d as if nothing had<br />
happened, and when the link between Router_a and Router_b is re-established, the Telnet<br />
client again should receive an ‘ICMP Redirect’ from Router_d pointing it back at Router_a.<br />
The session should continue as if nothing important happened.<br />
RIP processing on the Sidewinder G2<br />
RIP processing is done by a Sidewinder G2 server process called routed.<br />
To implement RIP processing on the Sidewinder G2, a routed server process<br />
must be configured, enabled, and started in the burb that is expected to<br />
handle RIP broadcasts. Only one routed may be started per burb, but it<br />
handles all network interfaces within that burb.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> can be configured to support RIP processing via<br />
the following Admin Console options:<br />
Receive routing information from other routers<br />
Setting this option to Yes enables routed to receive UDP RIP<br />
updates from any interface within that burb and update the local<br />
routing table.<br />
Setting this option to No disables the updating <strong>of</strong> local routing<br />
tables with RIPs received from the local network interfaces.<br />
Figure D-2. Routed on the Sidewinder G2<br />
Advertise routing information<br />
Setting this option to Yes enables routed to broadcast UDP RIP<br />
updates, advertising local routing information available within this<br />
burb.<br />
Setting this option to No disables broadcasting <strong>of</strong> any UDP RIP<br />
updates.<br />
Advertise as default gateway<br />
— Setting this option to Yes enables routed to send the default<br />
route.<br />
— Setting this option to No disables sending the default route.<br />
Advertise burb/routes from burbs<br />
This option specifies which burbs (other than the current burb)<br />
should have their routing information included in RIP updates sent<br />
by THIS burb. If no burbs are listed under this option, routed will<br />
only send routing information about the current burb.<br />
Figure D-2 illustrates the implementation of RIP processing within the<br />
Sidewinder G2. This example shows a trusted burb with two network<br />
interfaces. When the routed server is started in this trusted burb, both<br />
interfaces automatically support RIP.<br />
(Figure D-2 labels: a TCP/IP stack and a separate local routing table in each burb. Internet burb routed, Admin Console options set: Receive routing information from other routers = yes; Advertise routing information = no; no other burbs specified. Trusted burb routed, Admin Console options set: Receive routing information from other routers = no; Advertise routing information = yes; External burb (1) specified.)<br />
RIP with the Sidewinder G2 using transparent IP addressing<br />
Figure D-3. RIP with the Sidewinder G2<br />
Routed on the Sidewinder G2 operates by listening for UDP broadcasts on<br />
port 520. It also sets a timer to send a RIP packet advertising its<br />
routing information every 30 seconds. When a RIP broadcast is received,<br />
the routed server updates the local routing table with any new routes.<br />
When the 30 second timer expires, the routed server reads its local<br />
routing table and then broadcasts its local routing information.<br />
Important: Through Type Enforcement, no routed is allowed to update the local<br />
route table in a different burb.<br />
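As an added example (not routed's or Secure Computing's code), the Python below models the receive side just described: RIPv1 Response packets arriving on UDP port 520 are parsed, merged into one burb's table with the metric raised by one hop, metric 16 treated as unreachable, and routes expired when their advertiser stops refreshing them (the 180 second timeout is RFC 1058's value, an assumption beyond what this appendix states). It also applies a source-address allow-list: RIPv1 carries no authentication, which is the basis of the Security Alert above, so the only control over who can teach the table routes is which senders are listened to. The router addresses, the advertised network and the function names are constructed for the example.<br />

```python
"""RIP version 1 (RFC 1058) receive path as this appendix describes it for routed:
listen on UDP/520, merge Response packets into the burb's table, treat metric 16 as
unreachable and expire routes whose advertiser goes quiet. Added example, not routed's
code; addresses, networks and the 180 s timeout (RFC 1058's value) are assumptions."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Tuple

RIP_PORT = 520
RIP_RESPONSE = 2
INFINITY = 16            # RIP metric meaning "unreachable"
TIMEOUT = 180            # seconds without a refresh before a route is marked unreachable
HDR = struct.Struct("!BBH")        # command, version, must be zero
ENTRY = struct.Struct("!HHIIII")   # address family (2 = IP), zero, address, zero, zero, metric

def build_response(routes: Iterable[Tuple[str, int]]) -> bytes:
    """Encode a RIPv1 Response; used here only to construct sample traffic."""
    pkt = HDR.pack(RIP_RESPONSE, 1, 0)
    for dest, metric in routes:
        pkt += ENTRY.pack(2, 0, int(IPv4Address(dest)), 0, 0, metric)
    return pkt

def parse_response(pkt: bytes) -> List[Tuple[str, int]]:
    """Return (destination, metric) pairs; reject anything malformed rather than guess."""
    if len(pkt) < HDR.size or (len(pkt) - HDR.size) % ENTRY.size:
        raise ValueError("bad RIP packet length")
    cmd, ver, _ = HDR.unpack_from(pkt)
    if cmd != RIP_RESPONSE or ver != 1:
        raise ValueError("not a RIPv1 Response")
    out = []
    for off in range(HDR.size, len(pkt), ENTRY.size):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(pkt, off)
        if afi != 2 or not 1 <= metric <= INFINITY:
            raise ValueError("bad route entry")
        out.append((str(IPv4Address(addr)), metric))
    return out

@dataclass
class Route:
    metric: int
    gateway: str   # router we learned it from, i.e. the next hop
    updated: int   # time of last refresh

@dataclass
class RipTable:
    """One burb's view of RIP: Type Enforcement keeps each routed to its own table."""
    allowed_sources: frozenset            # routers this burb will learn from; empty = listen to nobody
    routes: Dict[str, Route] = field(default_factory=dict)
    rejected: int = 0

    def receive(self, src: str, pkt: bytes, now: int) -> None:
        """Process one datagram that arrived on UDP/520 from src."""
        if src not in self.allowed_sources:
            self.rejected += 1   # RIPv1 has no authentication; the sender list is the only control
            return
        for dest, metric in parse_response(pkt):
            metric = min(metric + 1, INFINITY)          # one more hop to get there via src
            cur = self.routes.get(dest)
            if cur is None:
                if metric < INFINITY:
                    self.routes[dest] = Route(metric, src, now)
            elif cur.gateway == src:
                cur.metric, cur.updated = metric, now   # the current gateway's word is always taken
            elif metric < cur.metric:
                self.routes[dest] = Route(metric, src, now)

    def expire(self, now: int) -> None:
        """Mark routes unreachable when their gateway has stopped refreshing them."""
        for r in self.routes.values():
            if r.metric < INFINITY and now - r.updated > TIMEOUT:
                r.metric = INFINITY

    def next_hop(self, dest: str) -> Optional[str]:
        r = self.routes.get(dest)
        return r.gateway if r and r.metric < INFINITY else None

def figure_d1_scenario() -> dict:
    """Replay the Figure D-1 story from one router's point of view (constructed addresses)."""
    table = RipTable(frozenset({"192.0.2.1", "192.0.2.4"}))   # router_a and router_d
    bizco = "10.1.0.0"                                         # the Bizco network
    out = {}
    table.receive("192.0.2.1", build_response([(bizco, 1)]), now=0)
    table.receive("192.0.2.4", build_response([(bizco, 2)]), now=0)
    out["initial"] = (table.next_hop(bizco), table.routes[bizco].metric)   # shorter path wins
    table.receive("192.0.2.66", build_response([(bizco, 1)]), now=1)      # unknown host: ignored
    out["after_rogue"] = (table.next_hop(bizco), table.rejected)
    table.receive("192.0.2.4", build_response([(bizco, 2)]), now=190)     # router_a has gone quiet
    table.expire(now=200)
    out["after_timeout"] = table.next_hop(bizco)
    table.receive("192.0.2.4", build_response([(bizco, 2)]), now=200)     # longer path takes over
    out["rerouted"] = (table.next_hop(bizco), table.routes[bizco].metric)
    return out
```

The rogue sender in the scenario offers the best metric of all and is still ignored, which is the whole value of "Receive routing information from other routers = no" on a burb that faces untrusted hosts; with it set to yes, the table would have accepted that route without any further check.<br />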
The following describes how RIP processing occurs through the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Figure D-3 illustrates an architecture where the<br />
<strong>Sidewinder</strong> <strong>G2</strong> has been positioned to control IP traffic between the<br />
two company networks. If the <strong>Sidewinder</strong> <strong>G2</strong>s do NOT provide RIP<br />
support, the automatic rerouting <strong>of</strong> traffic through the use <strong>of</strong> dynamic<br />
routing is lost.<br />
(Figure D-3 labels: Bizco Network with a Telnet server; router_a; SidewinderG2_b with an Internet burb and a trusted burb; router_b; SidewinderG2_c with an Internet burb and a trusted burb; router_c; router_d; CorpCity Network with a Telnet client)<br />
For this example, Router_a broadcasts UDP RIP packets toward<br />
SidewinderG2_b; unless routed is running there, they are simply dropped.<br />
Because the Sidewinder G2 supports RIP, it can be configured to act as a<br />
router and actively participate in the dynamic RIP processing. In order<br />
to pass data traffic through the Sidewinder G2, however, some proxy or<br />
server must also be configured and enabled.<br />
The assumption for this discussion is that the administrator has configured the Sidewinder G2 Telnet proxy. The administrator must also enable the rule allowing trusted burb-to-Internet burb traffic from the Telnet client to the Telnet server. Also, to pass the RIP information through the Sidewinder G2s, the routed server must be configured and enabled on both systems.
For discussion purposes, the administrator must use the Admin Console to configure routed on the Internet burb with the following options:
- Advertise routing information: yes
- Advertise as default gateway: no
- Receive routing information from other routers: yes
- Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
- Advertise routing information: yes
- Advertise as default gateway: no
- Receive routing information from other routers: no
- Routes from burbs: Internet (2)
Given the above configuration, both Sidewinder G2s will do the following:
- broadcast the external routing table information to Router_a (so Router_a knows when the link is up or down)
- receive routing information from Router_a (all of Bizco’s routing information) and update the external routing table
- broadcast both the internal and external routing information into CorpCity’s network (which provides CorpCity’s networks with routing information to Bizco’s network)
- NOT listen to any RIP broadcasts from the CorpCity network.
Important: The last bullet here is VERY IMPORTANT. This will be discussed in more detail later in this document.
[Figure callout: If connection is lost between Router_a and SidewinderG2_b]
As in the above discussion, when the Telnet client needs to connect to the Telnet server, it sends a TCP connection request to Router_b because its internal default route points to Router_b. Router_b receives the connection frame and, because the route to the Bizco network is shorter via Router_a (3 hops versus 4 hops), it forwards the connection frame on to Router_a, which forwards the frame to the Sidewinder G2. The Sidewinder G2 IP services receive the frame and check the routing table to decide whether the firewall knows where this connection request should be sent.
Because the external routing table has a route to Bizco’s network, the IP services send the request up to the Telnet proxy. If there were no route to Bizco’s network, and a default route had not been specified, the Sidewinder G2 IP services would have discarded the packet. The Telnet proxy receives and validates the connection request, then issues a new, independent TCP connection request to the Telnet server (on the external network). This new request, which carries the external Sidewinder G2 address as its originating address, is sent to Router_a and forwarded on into the Bizco network. The Bizco Telnet server replies to the Sidewinder G2, treating the Sidewinder G2 as the originator of the session. The Telnet proxy then replies to the Telnet client, and the session is now in place between the server and the client.
If the connection between Router_a and SidewinderG2_b is lost, the following occurs:
1. SidewinderG2_b notices that it is no longer receiving RIP updates from Router_a, updates its local routing table hop count for that route to 16 (route unreachable), and broadcasts this out on the internal network (this is to notify Router_b).
2. The Telnet client sends another IP frame to Router_a, unaware that the route between Router_a and SidewinderG2_b has been lost. Router_a looks at its local routing table and discovers there are two routes, one unreachable, the other through Router_d.
3. Because Router_d is on the same network as the client, Router_b sends an ‘ICMP Redirect’ back to the client stating that it can reach the Telnet server network through Router_d.
4. The client updates its local routing table to point that host at Router_d, then re-sends its last frame to Router_d.
5. Router_d receives the frame and forwards it on to Router_c, which forwards it on to SidewinderG2_c.
6. SidewinderG2_c receives the IP frame for the Telnet server, checks the route, has a route, and sends it up to the internal TCP services. The Sidewinder G2 TCP services check the frame and discover that this is not a TCP connection request and that there is not currently a session with the client. Because of this, TCP services build a ‘TCP reset’ frame and send it back to the client.
Note: This causes the current Telnet session to be lost. However, when the Telnet client opens another session to the server, that connection request will get sent to SidewinderG2_c, which will go through all the above steps and establish a NEW session with the Telnet server.
So what happened to the sessions between SidewinderG2_b and the client, and between SidewinderG2_b and the server? These sessions will time out according to what has been configured for the Telnet proxy inactivity timer. Currently this defaults to 2700 seconds, or 45 minutes. Unless the Telnet server also has a connection time-out, the session will remain between the two systems until the time-out occurs, at which time the proxy closes both sessions.
What will happen when the route between Router_a and SidewinderG2_b becomes available again? The Telnet client sends the frame to Router_d, which will send an ‘ICMP Redirect’ back to the client telling it to communicate through Router_b. The client will resend the frame to Router_b, which forwards it to the Sidewinder G2. Again the Sidewinder G2 has received a frame for which it has no session, and it will send a ‘TCP reset’ back to the client, causing the client to again close the session. As far as the client is concerned, the Telnet server has unexpectedly closed the session. And again, if the client opens a new session all will be fine. But remember that the sessions between SidewinderG2_c and the Telnet server are still timing out.
Important: The administrator should change this Telnet idle session timer to something more reasonable, such as 10 minutes.
RIP with the Sidewinder G2 NOT using transparent IP addressing
The assumption for this discussion is that the Telnet server must be able to identify the Telnet client’s IP address. The above configuration would not allow this; the Telnet server would see all sessions from the CorpCity network as originating from the Sidewinder G2. In Figure D-4, as with Figure D-3, in order to pass any traffic through the Sidewinder G2, some proxy or server must be configured and enabled.
[Figure D-4. RIP with the Sidewinder G2 "spoofing" the client’s address. Network diagram; labels recovered from the page: Bizco Network, Telnet server, router_a, SidewinderG2_b (Internet burb / trusted burb), router_b, router_c, SidewinderG2_c (Internet burb / trusted burb), router_d, CorpCity Network, Telnet client]
To accomplish the ‘spoofing’, you must configure the Sidewinder G2’s generic TCP proxy to listen on port 23, and enable it to spoof the original workstation’s IP address (refer to the “use_client_address” feature in the /etc/sidewinder/conf/tcpgsp.conf file). The administrator must also enable the rule list allowing internal-to-external traffic from the Telnet client to the Telnet server for the generic TCP proxy. Also, to pass the RIP information through the Sidewinder G2s, the routed server must be configured and enabled on both systems.
Again for discussion purposes, the administrator must use the Admin Console to configure routed on the Internet burb with the following options:
- Advertise routing information: yes
- Advertise as default gateway: no
- Receive routing information from other routers: yes
- Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
- Advertise routing information: yes
- Advertise as default gateway: no
- Receive routing information from other routers: no
- Routes from burbs: Internet (2)
When the Telnet client needs to connect to the Telnet server, it sends a TCP connection request to Router_b, which forwards the frame on to SidewinderG2_b. The SidewinderG2_b IP services receive the frame and pass it up to the generic_TCP proxy, which validates the connection request and issues a new, independent TCP connection request to the Telnet server (on the external network).
This new request, however, contains the originating IP address of the real client, not the external Sidewinder G2 IP address. The request gets sent to Router_a and is forwarded to the Telnet server in the Bizco network. Next, the Bizco Telnet server builds and sends a reply to Router_a, expecting it to be delivered on to the client. Router_a receives the reply and looks at its routing table to find a route to CorpCity’s client network. Router_a will not find one, and the packet will be dropped.
Because the Sidewinder G2 is NOT advertising its internal routes, Router_a does NOT know how to get to CorpCity’s networks. What the administrator should do is set “Routes from Burb to Internal (0)” on the external side. This will cause the routed server in the external burb to also advertise all the routes it finds on the internal burb. What happens now is that Router_a gets additional information about internal routes available on the Sidewinder G2.
Does this solve the problem? The answer is NO. Since the internal routed server is NOT updating the internal route table (“Receive routing information from other routers” was set to NO), no routes for CorpCity’s network will be available. The Sidewinder G2 administrator must set “Receive routing information from other routers” to YES on the internal routed server. Now the Sidewinder G2 will advertise CorpCity’s routes to Router_a, and when Router_a receives the packet for CorpCity it will understand how to route it.
Note: Beware of enabling “Receive routing information from other routers = Yes” in more than one burb!
With the setup just described enabled, both SidewinderG2_b and SidewinderG2_c will begin updating their internal routing tables with RIP information received from the internal routers. Keep in mind that SidewinderG2_c is advertising routing information about Bizco’s network internally, and the internal routers (Router_b, Router_c, and Router_d) will now contain routing information about how to reach Bizco’s networks. When the internal routed on SidewinderG2_b receives the route information, it will contain routes to Bizco’s network.
What would happen if SidewinderG2_b updated its internal route table with a route to Bizco (the external network) via Router_a? Incoming packets which should be destined for the external network would be forwarded back into the internal network to Router_a! Both Sidewinder G2s would do this and the frames would never pass through the Sidewinder G2.
The Sidewinder G2’s routed server handles this by NOT adding a route to the local routing table if the route to be added already exists in one of the other burbs’ route tables. These route updates are silently discarded.
Note: Beware, however, that whichever routed updates the table with the route first, wins!
For example, when SidewinderG2_b is started and the link to Router_a is down, SidewinderG2_b has not received routing information about Bizco’s network. If SidewinderG2_c broadcasts a RIP update saying that Bizco is available through it, SidewinderG2_a will eventually receive this (via the routers) at the internal routed server, which will update its local table with the route to Bizco’s network through Router_b.
What about the instance such as the above, where we need it? The only way to avoid this problem is to configure a filter for which routes SidewinderG2_c will advertise to SidewinderG2_b. More information on how and why to do this is given later.
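To make the "first wins" behaviour concrete, here is an added model (written for this page, not Secure Computing’s routed code) that replays the startup race just described for SidewinderG2_b; the burb names, the Bizco prefix and the RIP updates are constructed for the illustration.

```python
"""Model of how the per-burb routed servers described above decide whether to
install a RIP-learned route.  Added illustration for this page, not Secure
Computing's routed code; burb names, the Bizco prefix and the RIP updates
are constructed sample data."""

UNREACHABLE = 16  # RIP hop count meaning "route unreachable"


class BurbRouteTables:
    """One route table per burb.  A route learned in one burb is installed only
    if no other burb's table already holds that network (first wins)."""

    def __init__(self, burbs):
        self.tables = {b: {} for b in burbs}  # burb -> {network: (gateway, hops)}
        self.discarded = []                    # (burb, network, gateway) silently dropped

    def owner_of(self, network):
        """Return the burb whose table already holds `network`, or None."""
        for burb, table in self.tables.items():
            if network in table:
                return burb
        return None

    def receive_rip(self, burb, network, gateway, hops, receive_enabled=True):
        """Apply one RIP update heard on `burb`; return True if the table changed.
        'Receive routing information from other routers' = no ignores the update;
        a network already owned by another burb is silently discarded."""
        if not receive_enabled:
            return False
        table = self.tables[burb]
        if hops >= UNREACHABLE:
            # Link lost: mark the route unreachable (hop count 16) if this burb owns it
            if network in table:
                table[network] = (gateway, UNREACHABLE)
                return True
            return False
        owner = self.owner_of(network)
        if owner is not None and owner != burb:
            self.discarded.append((burb, network, gateway))
            return False
        table[network] = (gateway, hops + 1)  # one more hop through this neighbour
        return True

    def advertised_routes(self, burb, routes_from_burbs=()):
        """Routes this burb's routed would broadcast: its own table plus the
        tables of the burbs selected in 'Routes from burbs'."""
        out = {}
        for source in (burb, *routes_from_burbs):
            out.update(self.tables[source])
        return out


BIZCO = "10.1.0.0/16"  # constructed: Bizco's network prefix


def startup_race(link_to_router_a_up):
    """Replay the startup scenario for SidewinderG2_b (internal routed has
    'Receive ... = yes').  Returns (burb owning the Bizco route, tables)."""
    fw = BurbRouteTables(["internet", "trusted"])
    if link_to_router_a_up:
        # Router_a's advertisement arrives on the Internet burb first
        fw.receive_rip("internet", BIZCO, "router_a", hops=1)
    # SidewinderG2_c's advertisement reaches the trusted burb via Router_b
    fw.receive_rip("trusted", BIZCO, "router_b", hops=3)
    # The link to Router_a comes up (or was up all along) and re-advertises
    fw.receive_rip("internet", BIZCO, "router_a", hops=1)
    return fw.owner_of(BIZCO), fw


if __name__ == "__main__":
    for up in (True, False):
        owner, fw = startup_race(up)
        print(f"link up at start={up}: Bizco route owned by {owner!r}, "
              f"discarded={fw.discarded}")
```

When the link is down at start-up the trusted burb wins the Bizco route and the later, correct advertisement from Router_a is the one discarded, which is exactly the case the route filter described later is meant to prevent.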
One last note about the above example. If Router_b were removed from this network and the Sidewinder G2 directly connected to the internal network, SidewinderG2_b would be tied directly to the Telnet client’s network. If the Burbs option is set on the external routed server, it would advertise the necessary route to Router_a on how to reach the client’s network. In this instance, there would be no reason to set “Receive routing information from other routers” to YES on the internal routed server. Also, in this scenario, if the Telnet client has its default route pointing to the Sidewinder G2 and the link between Router_a and SidewinderG2_b fails, the internal routed will not know that another route is available (it is not updating its local table with RIP updates from Router_d). Consequently, because the Sidewinder G2 does not know the alternate route, it cannot know to send the client the ‘ICMP Redirect’ frame to allow the session to be re-routed.
Configuring RIP on the Sidewinder G2
To configure the routed server, in the Admin Console select Services Configuration -> Routing -> Routed. The Routed Configuration window (Figure D-5) appears.
Entering information on the Routed Configuration window
This window allows you to configure a routed server in a specific burb. Follow the steps below.
1. In the Burb drop-down list, select the burb for which you want to configure routing.
2. In the Routing information field, select one of the following options:
   Yes—Select this option to enable routed to broadcast UDP RIP updates, advertising all local routing information available within the burb(s) selected in the Routes from Burbs box.
   No—Select this option to disable broadcasting of any UDP RIP updates.
3. In the As Default Gateway field, select one of the following options:
   Yes—Select this option to enable routed to send the default route.
   No—Select this option to disable sending the default route.
4. In the Routes from Burbs box, select the burbs for which routes will be advertised. (This option is only available if you selected Yes in the Routing Information field.)
5. In the Receive routing information from other routers field, select one of the following options:
   Yes—Select this option to enable routed to receive UDP RIP updates from any interface within that burb and update the local routing table.
   No—Select this option to disable the updating of local routing tables with RIP updates received from the local network interfaces.
6. In the Filter type field, determine whether to allow or deny routes using the following information:
   Filtering provides the administrator the ability both to control which routes the Sidewinder G2 uses to establish external connections, and to control what routing information is advertised by the Sidewinder G2 from one network to another. This control focuses on two areas:
   - which external routes are added into a Sidewinder G2’s routing table from a RIP broadcast received via the network.
   - which routes in a Sidewinder G2’s routing table are advertised in a RIP broadcast being sent to an external network.
   The possible settings are:
   Allow—Specifies that only routes specifically listed will be either accepted from the network or sent by the routed running in this burb. If set to Allow, at least one entry must be specified in the Address/Netmask/Type/Direction table, or routed cannot be enabled. Also, all routes will be blocked from being added, including local network interfaces, unless specifically listed in the Address/Netmask/Type/Direction table.
   Deny—Specifies that routes are accepted and sent unless specifically listed in the Address/Netmask/Type/Direction table.
   Note: There is no provision for allowing some routes and denying other routes.
7. The Address/Netmask/Type/Direction table lists the route filter entries currently defined for the selected burb. Use the New, Modify, and Delete buttons to modify this table. See “Defining route filter information” on page D-14 for details.
   When you allow or deny a route, it can be either a host route (indicating a path to a specific address) or a network route (indicating a path to a group of common machines).
   Route filtering is performed whenever routed is going to add a route to its local routing table. This means that different routing filters can be applied to different burbs.
   The route filter entries highlight one of the major limitations of routed and the RIP protocol. routed recognizes only the standard class A, class B, and class C IP network masks (255.0.0.0, 255.255.0.0, and 255.255.255.0). The Sidewinder G2 route filter entries allow more flexible network masks for forward compatibility.
8. Click the Save icon in the toolbar to save your routed configuration changes.
Defining route filter information
The Route Filter Information window appears if you click the New or Modify button in the Routed Configuration window. The Route Filter Information window allows you to create a new route filter or modify an existing one. Follow the steps below.
1. In the Type field, select the type of route being defined: host (host route) or net (network route).
2. In the Address field, specify either the IP address of the host for host routes, or the network portion of the IP address for network routes.
3. (Network route only) If you selected net in step 1, specify in the Netmask field which portion of the address parameter should be considered valid. There are two possible ways to enter the network mask. One is to use the "dotted decimal" form, such as 255.255.255.0 for class C networks. The other is to use the hexadecimal representation, which would be ffffff00 for class C.
4. In the Direction drop-down list, select the direction in which routed should apply this filter. This option provides you with a lot of flexibility in determining what routing information you accept and provide.
   Important: Be careful about what routes you advertise to external users and about accepting routes from those same external users.
   Inbound—Specifies that routed will not accept this route from the network. However, it WILL include this route in an advertisement if you have selected the Advertise option.
   Outbound—Specifies that routed will accept this route from the network, but NOT advertise this route regardless of the advertise option setting.
   Both—Specifies that routed will ignore this route.
5. Click Add to add the route filter to the list and exit the window.
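As an added illustration of the Filter type setting (step 6 above) and the Inbound/Outbound/Both directions (step 4 here), written for this page and not Sidewinder G2 code, the following evaluator accepts a netmask in either form the Netmask field allows and decides, for a route heard from or sent to the network, whether it passes the filter. The Deny behaviour follows the text; what a direction entry means under Allow is assumed to be the mirror image, and all entries and routes are constructed sample data.

```python
"""Route filter evaluation in the style of the Address/Netmask/Type/Direction
table.  Added illustration for this page, not Sidewinder G2 code.  Deny
semantics follow the Inbound/Outbound/Both text; under Allow a listed
direction is assumed to mean 'permitted only in that direction'.  Entries and
routes are constructed sample data."""

import ipaddress

HOST_MASK = 0xFFFFFFFF


def parse_netmask(text):
    """Accept the two forms the Netmask field allows: dotted decimal
    (255.255.255.0) or hexadecimal (ffffff00).  Returns the mask as an int."""
    text = text.strip().lower()
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    if text.startswith("0x"):
        text = text[2:]
    if len(text) != 8:
        raise ValueError(f"hex netmask must be 8 hex digits: {text!r}")
    return int(text, 16)


class FilterEntry:
    """One row of the table: Type (host/net), Address, Netmask, Direction."""

    def __init__(self, kind, address, netmask=None, direction="Both"):
        if kind not in ("host", "net"):
            raise ValueError("Type must be 'host' or 'net'")
        if direction not in ("Inbound", "Outbound", "Both"):
            raise ValueError("Direction must be Inbound, Outbound or Both")
        self.kind, self.direction = kind, direction
        self.address = int(ipaddress.IPv4Address(address))
        # A host entry matches one address; a net entry matches the network
        # portion selected by the netmask (any mask, not only class A/B/C).
        self.mask = HOST_MASK if kind == "host" else parse_netmask(netmask)

    def matches(self, route):
        """route is (kind, address) as carried in a RIP update."""
        kind, address = route
        if kind != self.kind:
            return False
        return (int(ipaddress.IPv4Address(address)) & self.mask) == (self.address & self.mask)

    def covers(self, direction):
        return self.direction in ("Both", direction)


class RouteFilter:
    """Filter type Allow or Deny plus the entry table for one burb's routed."""

    def __init__(self, filter_type, entries):
        if filter_type not in ("Allow", "Deny"):
            raise ValueError("Filter type must be Allow or Deny")
        if filter_type == "Allow" and not entries:
            # With Allow at least one entry is required or routed cannot be enabled
            raise ValueError("Allow filter needs at least one entry")
        self.filter_type, self.entries = filter_type, entries

    def _listed(self, route, direction):
        return any(e.matches(route) and e.covers(direction) for e in self.entries)

    def accepts(self, route):
        """May routed add this route, heard from the network, to the local table?
        Deny: yes unless listed Inbound/Both.  Allow: only if listed (assumed)."""
        listed = self._listed(route, "Inbound")
        return listed if self.filter_type == "Allow" else not listed

    def advertises(self, route, advertise_enabled=True):
        """May routed include this route in a RIP broadcast?  Nothing is sent
        unless 'Advertise routing information' is yes.  Deny: yes unless listed
        Outbound/Both.  Allow: only if listed (assumed)."""
        if not advertise_enabled:
            return False
        listed = self._listed(route, "Outbound")
        return listed if self.filter_type == "Allow" else not listed


# Constructed example for a trusted-burb routed: accept everything except the
# CorpCity server subnet (but still advertise it), learn but never advertise the
# Bizco net inward, and ignore one host route entirely.
TRUSTED_FILTER = RouteFilter("Deny", [
    FilterEntry("net", "192.168.50.0", "ffffff00", "Inbound"),
    FilterEntry("net", "10.1.0.0", "255.255.0.0", "Outbound"),
    FilterEntry("host", "192.168.99.7", direction="Both"),
])

# Constructed example of an Allow filter: only the Bizco net is ever accepted
# or advertised; everything else, local interfaces included, is blocked.
ALLOW_BIZCO_ONLY = RouteFilter("Allow", [FilterEntry("net", "10.1.0.0", "ffff0000")])


def decide(route_filter, route):
    """Summarise both decisions for one route as (accepted, advertised)."""
    return route_filter.accepts(route), route_filter.advertises(route)
```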
Enabling/disabling the routed server
Rule list support
Another routed feature is rule list support to identify from which routers to accept RIP packets. The rule list is based primarily on the source IP address of the incoming RIP packets. Create these rules using the Admin Console by selecting Policy Configuration -> Proxy Rules.
Note: A rule must be defined for routed or it will not function.
To allow incoming traffic, create a new rule with the Service Type field set to "Server" and the Service field set to "routed." The source IP address can be either a single router from which you want to accept RIP traffic or a netgroup of routers and/or hosts. The destination IP address will usually be set to “All Destination Addresses,” since the destination is the broadcast address of the network for the burb the rule applies to. The source and destination burbs will be equal and should be set to the burb from which you want to receive RIP packets.
All routed configuration files are located in /etc/sidewinder/routed, with one configuration file per burb named routed.conf.burb_name. The configuration file contains three rules which directly correspond to the options available in the cf routed area.
Perform the following steps to enable or disable the routed server.
1. In the Admin Console, select Services Configuration -> Servers.
2. Select routed from the list of server names.
3. Click a burb to either enable or disable the routed server in that burb. A check mark appears if the server is enabled for a burb.
4. Click the Save icon in the toolbar.
Trace and log information
To debug routed, you can add the -t flag to the args field of the routed entry located in /etc/server.conf to enable routed tracing.
    server(routed /sbin/routed
    config_file[/etc/sidewinder/routed/routed.conf.%n]
    directory[]
    env(domain[rou%b] user[root] group[wheel] core[]
    files[2048]
    memory[] processes[500] stack[] rss[])
    pidfile(/var/run/routed/routed.pid.%n lock)
    valid[0 1 2 3 4 5 6 7 8] enabled[]
    require[]
    refuse[]
    args[-t] roles[$Sys])
Note: You can add one -t flag to routed to increase the tracing level. If you add more than one -t flag, routed will not start.
All tracing information is logged to the routed log files located in /var/log/routed/routed.log.burb_name, which can be viewed using standard UNIX commands in the admin role.
A note about flushing filter routes
If you misconfigure your routing tables, you will need to use the Admin Console (or cf routed commands) to disable routed and make corrections to the tables.
Before restarting routed, enter the following command at a UNIX prompt to flush the routing tables of all gateways:
    route flush
APPENDIX E
Setting Up SmartFilter Services
About this chapter
This chapter describes the SmartFilter Control List. It explains how to subscribe to the SmartFilter Control List and how to configure SmartFilter on your Sidewinder G2. It covers the following topics:
- “Controlling Web access using the SmartFilter Control List” on page E-1
- “Evaluating the SmartFilter Control List” on page E-2
- “Subscribing to the SmartFilter Control List” on page E-3
- “Configuring SmartFilter on the Sidewinder G2” on page E-3
- “Editing the SmartFilter files” on page E-8
Controlling Web access using the SmartFilter Control List
When you configure the Sidewinder G2 to allow Web access using the Sidewinder G2’s Web proxy server, you can control the Internet sites that your company’s users access. This feature is based on Secure Computing’s SmartFilter Control List.
The SmartFilter Control List contains tens of millions of URLs that are deemed non-business related or non-productive. Secure Computing has organized the Control List database into 30 pre-defined categories plus 10 customizable categories. (See Table E-2 on page E-11.) The SmartFilter Control List is updated each business day.
SmartFilter can manage Internet access at several levels, ranging from simple access restrictions to thorough blocking of all sites deemed unproductive or non-business related.
Note 1: For a description of each category, go to www.smartfilter.com.
Note 2: You can control Web access using SmartFilter’s Control List only when users access the Web through the Web proxy server. See “Configuring the Web proxy server” on page 12-12 for details. Also, the Control List can restrict access to HTTP URLs, but you cannot restrict access via a Web browser to FTP or Gopher sites.
Setting Up SmartFilter Services E-1
Evaluating the SmartFilter Control List
If you are not a current SmartFilter user, you can evaluate the full Control List or a sample Control List by following the steps contained in the sections that follow.
Evaluating the full Control List
You can retrieve a 30-day evaluation copy of the full Control List by performing the following steps:
1. Go to http://www.smartfilter.com.
2. Click on the Product Evaluation option.
3. Select SmartFilter for Sidewinder G2 Firewall from the drop-down list.
4. Click Evaluate this version.
5. Complete and submit the registration form.
Within one business day after you complete and submit the registration form, you will receive information via e-mail that includes an evaluation login ID and password. You can then use the ID and password to obtain a current SmartFilter Control List using the procedure described in the section titled “About the SmartFilter General tab” on page E-5.
Evaluating the sample Control List
If you want to perform a more immediate SmartFilter evaluation, you can use the sample Control List provided with the Sidewinder G2. The sample Control List is initially empty. You can populate the sample Control List with sites that suit your testing needs by manually adding those sites to the /etc/sidewinder/smartfilter/site.txt file (see “Editing the smartfilter.site file” on page E-9). To install the sample Control List, perform the following steps:
Note: The sample Control List exists only if you have not downloaded a new Control List from the Secure Computing FTP site. Downloading a new Control List overwrites the sample Control List that is initially provided on the Sidewinder G2.
1. Using the Admin Console, select Services Configuration -> SmartFilter.
2. On the General tab, click Download and Install Control List Now.
To verify that the sample Control List is installed and not a full Control List, check the size of the /var/sf file. The sample Control List is significantly smaller than the full Control List (less than 100 kB).
Subscribing to the<br />
SmartFilter<br />
Control List<br />
Configuring<br />
SmartFilter on the<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
Subscribing to the SmartFilter Control List<br />
To obtain a subscription to the full SmartFilter Control List, complete the following steps:
1. Order the SmartFilter service option through Secure Computing or your reseller.
After you submit your order, you will be mailed an activation certificate that includes information for obtaining a login ID and password.
2. Once you obtain your login ID and password, you can configure SmartFilter as described in “Configuring SmartFilter on the Sidewinder G2” on page E-3.
You will receive a SmartFilter key as part of the subscription process. While this key is not necessary to run SmartFilter with the Sidewinder G2, it does allow you to view the number of users that are covered by the SmartFilter license, as well as the expiration date for the license. To view this information, at a Sidewinder G2 command line interface enter the following command:
sf_license license_key
where license_key is the SmartFilter license key value.
For more information on using this utility, refer to the sf_license man page.
Configuring SmartFilter on the Sidewinder G2
In order to get SmartFilter up and running with your Sidewinder G2, you will need to do the following:
Set up SmartFilter on the Sidewinder G2.
Download and install the Control List.
Customize alert e-mails and messages.
Setting up SmartFilter on the Sidewinder G2
To ensure that SmartFilter functions properly on the Sidewinder G2, you must do the following:
Important: By default SmartFilter is disabled on the Sidewinder G2. If you do not perform the following steps, SmartFilter will not be used to perform Web filtering.
Setting Up SmartFilter Services E-3
1. Obtain a SmartFilter login ID and password. (See “Evaluating the full Control List” on page E-2 or “Subscribing to the SmartFilter Control List” on page E-3.)
2. Configure the Web Proxy server to allow SmartFilter control lists by selecting the Enable SmartFilter Control Lists check box on the Web Proxy Server Configuration tab. (See “Configuring the Web proxy server” on page 12-12.)
3. Configure filtering options (such as denied file extensions) by creating the appropriate Web Cache Application Defenses for your WebProxy rules. See “Creating Web Cache Application Defenses” on page 6-19 and “Creating proxy rules” on page 7-4.
Note: SmartFilter will not function without at least one active WebProxy rule.
You can create an Application Defense that will deny certain categories, regardless of the time of day or day of the week, and add it to a WebProxy rule.
Note: Secure Computing recommends that you set the following categories to deny: sex, nudity, drugs, criminal activities, hate speech, gambling, extreme, and anonymizer/translator.
You can create a WebProxy rule to filter certain options during working hours and a separate rule for filtering during non-working hours.
You can create WebProxy rules to allow specific access to certain employees (management, etc.).
4. Configure download options and the remainder of the SmartFilter options on the SmartFilter Configuration window. (See “Controlling Web access using the SmartFilter Control List” on page E-1.)
Downloading and installing the SmartFilter Control List
To download and install the SmartFilter Control List, using the Admin Console select Services Configuration -> SmartFilter. The following window appears:
Figure E-1. SmartFilter window: General tab
About the SmartFilter General tab
The SmartFilter General tab allows you to download and install the SmartFilter Control List. Follow the steps below.
Note: The Control List is over 50 MB in size, so allow 30 minutes or more for the initial download to complete before installing it.
To download and install the Control List, follow the steps below:
1. Ensure that the FTP Site field specifies the correct location of the Control List FTP site (the default site is ftp.smartfilter.com). Do not modify the default value without consulting Secure Computing Customer Support.
2. Type your SmartFilter username in the Username field. You will not be able to download the SmartFilter Control List file without entering a valid username.
3. Type your SmartFilter password in the Password field. You will not be able to download the SmartFilter Control List file without entering a valid password.
4. Ensure that the Directory field specifies the correct location of the Control List on the FTP site. The path is set to /pub/sfv3/lists/sfcontrol by default.
5. Click Download and Install Control List Now to immediately download the SmartFilter Control List.
6. [Optional] If you want to have the most current SmartFilter Control List automatically downloaded every week, select the Enable Automated Download and Install check box and specify the following:
Important: You must update the Control List at least once each month. Failure to do so will cause the Control List to expire and the filtering options will default to “allow all” HTTP traffic (that is, no sites will be blocked).
a. In the Frequency field, select Daily (to update the list each day at a specific time) or Weekly (to update the list on a particular day and time each week).
b. [Conditional] If you selected Weekly in the previous step, select the day of the week on which you would like to download the most current SmartFilter Control List from the Day drop-down list.
c. In the Time field, select the time of day at which you would like to download the most current SmartFilter Control List. To change the time, click on the increment you want to change (hour, minute, second, AM/PM) and use the up and down arrows to specify the desired time.
Note: While the initial download of the Control List is over 50 MB in size, subsequent updates are performed using a differential download method, which compares the existing list to the new list and downloads only new information.
Important: If the SmartFilter Control List expires, the filtering options default to “allow all” HTTP traffic. This means that no sites are blocked.
7. To view the current version of the control list you are using, click Show Installed Control List Version Number Now. An Info window appears displaying the current installed version. When you are finished viewing the version, click OK.
8. Click the Save icon in the toolbar to save your changes.
Configuring advanced SmartFilter options
To configure advanced SmartFilter options, in the Admin Console select Services Configuration -> SmartFilter and click the Advanced tab. The following window appears.
Figure E-2. SmartFilter Advanced tab
About the SmartFilter Advanced tab
The SmartFilter Advanced tab allows you to configure e-mail alert information as well as create a customized message that will appear when a user attempts to access a site that is denied by SmartFilter. From this window, you can also access the config.txt file (by clicking Edit “SmartFilter.conf”) and the site.txt file (by clicking Edit “SmartFilter.site”) for editing.
1. In the Primary E-mail Contact field, type the e-mail address of the primary SmartFilter administrator at your company.
2. In the From e-mail: field, type the e-mail address that will appear in the From field for all e-mail alerts sent to your users. This informs your users where the alert originated. For example, you may want to use the same e-mail address as the Primary E-mail Contact.
3. In the Mail Server field, type the fully qualified domain name of your SMTP Mail Server.
4. Click the Save icon to save the information.
5. [Optional] You also have the option to manually edit any of the following SmartFilter files:
Edit ‘SmartFilter.conf’—Click this button to manually edit the config.txt file. See “Editing the SmartFilter files” on page E-8 for details.
View Coach Text Page—Click this button to display the message that will appear to users when users attempt to access a site for which you have allowed coached access. For information on using the coaching feature, see “Creating proxy rules” on page 7-4.
Edit Coach Text (html)—Click this button to manually edit the Coach Text page.
Edit ‘SmartFilter.site’—Click this button to manually edit the site.txt file. See “Editing the smartfilter.site file” for details.
View Denied Text Page—Click this button to view the message that users will see when they attempt to access a site that is denied. For information on denying access for specific categories, see “Creating proxy rules” on page 7-4.
Edit Denied Text (html)—Click this button to create or edit the message that users will see when they attempt to access a site that is denied.
Testing your SmartFilter Configuration
After you have configured SmartFilter for use with the Sidewinder G2, you should test the system to ensure that the filtering options you specified in the Application Defenses for your rules are working properly. Using your Web browser, try to access a restricted site and verify that you receive the desired result.
For example, if you create a WebProxy rule that denies access to news sites, you can then attempt to access www.cnn.com. If the Web site is blocked, you will know that SmartFilter is working. If the site is not blocked, you may need to modify the rule (or the Application Defense that is used for that rule).
Editing the SmartFilter files
You can edit the SmartFilter configuration file (/etc/sidewinder/smartfilter/config.txt) and the SmartFilter site file (/etc/sidewinder/smartfilter/site.txt).
Editing the SmartFilter configuration file
Table E-1 defines each parameter that you can edit in the /etc/sidewinder/smartfilter/config.txt file. The parameters are described in the order they appear in the config.txt file.
Table E-1. config.txt file options that can be edited using the Admin Console
Parameter | Example value | Description
primary_email | smartfilter_admin@yourcompany.com | Specifies the e-mail address of the primary SmartFilter Administrator at your company site.
from_email | smartfilter_admin@yourcompany.com | Specifies mail coming from your company as SmartFilter mail.
mail_server | mail.yourcompany.com | Specifies the name of your mail server.
ftp_site | ftp.smartfilter.com | Identifies the name of the FTP site where the control list resides.
ftp_username | user1 | Identifies the username for accessing the FTP site where the control list resides.
ftp_passwd | password1 | Identifies the password for accessing the FTP site where the control list resides.
ftp_path | pub/sfcontrol | Identifies the directory on the FTP site where the control list resides.
Editing the smartfilter.site file
The smartfilter.site file allows you to make your own unique additions and exemptions to the SmartFilter Control List. The site file is loaded when SmartFilter is started. Entries in the site file take precedence over entries in the Control List provided with the system.
Lines in this file that begin with a # symbol are comments only and are not processed by SmartFilter. To customize your site file, add uncommented lines as described in the following sections.
Adding a URL to one or more Control List categories
To add a URL to one or more Control List categories, follow the steps below.
1. Specify a URL, site, or path. You can specify sites, parts of sites (like a directory path within a site), and individual URLs.
2. Add a space after the site, path, or URL.
3. Add a comma-delimited string of two-letter Control List category codes in which you want the entry included.
For example:
To restrict an entire site, configure your entry like this: http://www.sexstuff.com sx,os
To restrict part of a site (all URLs beginning with the specified path): http://www.univ.edu/compsci/~joecollege/PICS/Girls sx,pp
To restrict a single URL without blocking the rest of a site: http://www.bigco.com/HR/jobs.html js
The following table identifies the category codes to use for the corresponding Control List categories.
Table E-2. Category Codes
Control List category: Code
art, culture: ac
anonymizer/translator: an
chat: ch
criminal skills: cs
drugs: dr
entertainment: et
extreme: ex
gambling: gb
games: gm
humor: hm
hate speech: hs
investing: in
job search: js
lifestyle: ls
dating: mm
MP3 sites (high bandwidth): mp
mature: mt
usenet news: na
nudity: nd
general news: nw
cults/occult: oc
on-line sales: os
politics, opinion, religion: po
personal pages: pp
portal sites: ps
self help: sh
sports: sp
sex: sx
travel: tr
webmail: wm
user defined category 1: u0
user defined category 2: u1
user defined category 3: u2
user defined category 4: u3
user defined category 5: u4
user defined category 6: u5
user defined category 7: u6
user defined category 8: u7
user defined category 9: u8
user defined category 10: u9
Exempting a site, path, or URL from restriction
To exempt a site, path, or URL from restriction, follow the steps below.
1. Specify a URL, site, or path. You can specify sites, parts of sites (like a directory path within a site), and individual URLs.
2. Add a space after the site, path, or URL.
3. Add the word exempt.
For example:
To exempt an entire site, configure your entry like this: http://www.TV-NEWS.com exempt
To exempt a path without exempting the balance of the site: http://www.sexmag.com/articles exempt
To exempt an individual URL without exempting the balance of the site: http://www.sexmag.com/HumanResources/jobs/photographer.htm exempt
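The site-file format from the two procedures above (category entries and exempt entries), worked as an added example that is not Sidewinder code: it parses site.txt lines, reports malformed ones, and resolves a requested URL with site-file entries taking precedence over the Control List, as the appendix states. The "longest matching path wins" tie-break, the "/" boundary rule for path prefixes, and the stand-in Control List with its per-host categories are assumptions of this example, not documented SmartFilter behaviour.

```python
"""Parse a SmartFilter-style site file and resolve URLs against it (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Two-letter category codes from Table E-2; used only to validate site-file entries.
CATEGORY_CODES = {
    "ac", "an", "ch", "cs", "dr", "et", "ex", "gb", "gm", "hm", "hs", "in", "js",
    "ls", "mm", "mp", "mt", "na", "nd", "nw", "oc", "os", "po", "pp", "ps", "sh",
    "sp", "sx", "tr", "wm", "u0", "u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8", "u9",
}

# Constructed sample site file using the entries shown in the appendix's examples.
SAMPLE_SITE_FILE = """\
# local additions and exemptions (comment lines are ignored)
http://www.sexstuff.com sx,os
http://www.univ.edu/compsci/~joecollege/PICS/Girls sx,pp
http://www.bigco.com/HR/jobs.html js
http://www.TV-NEWS.com exempt
http://www.sexmag.com/articles exempt
http://www.sexmag.com/HumanResources/jobs/photographer.htm exempt
"""

# Constructed stand-in for the downloaded Control List (host -> categories); assumption.
SAMPLE_CONTROL_LIST = {
    "www.tv-news.com": {"nw"},
    "www.sexmag.com": {"sx"},
    "www.bigco.com": set(),
}


@dataclass(frozen=True)
class SiteEntry:
    host: str            # lower-cased host name
    path: str            # path prefix without trailing "/", "" for an entire site
    exempt: bool
    categories: frozenset


def _split(url):
    """Return (lower-cased host, path without trailing slash); paths stay case-sensitive."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower(), parts.path.rstrip("/")


def parse_site_file(text):
    """Parse site-file text into entries; returns (entries, problems).
    Each line is '<site|path|url> <codes|exempt>'; problems lists (lineno, reason)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((lineno, "expected '<site|path|url> <codes|exempt>'"))
            continue
        target, action = fields
        host, path = _split(target)
        if not host:
            problems.append((lineno, "missing host name"))
            continue
        if action.lower() == "exempt":
            entries.append(SiteEntry(host, path, True, frozenset()))
            continue
        codes = frozenset(c.strip().lower() for c in action.split(","))
        bad = codes - CATEGORY_CODES
        if bad:
            problems.append((lineno, "unknown category code(s): " + ",".join(sorted(bad))))
            continue
        entries.append(SiteEntry(host, path, False, codes))
    return entries, problems


def _path_matches(prefix, path):
    """An entire-site entry ('') matches any path; otherwise match on a '/' boundary."""
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def lookup(url, entries, control_list):
    """Return (source, verdict): verdict is 'exempt' or a frozenset of category codes.
    Site-file entries override the Control List; the longest matching path wins (assumption)."""
    host, path = _split(url)
    best = None
    for entry in entries:
        if entry.host == host and _path_matches(entry.path, path):
            if best is None or len(entry.path) > len(best.path):
                best = entry
    if best is not None:
        return "site", ("exempt" if best.exempt else best.categories)
    return "control", frozenset(control_list.get(host, ()))


def is_denied(url, entries, control_list, denied_codes):
    """Deny when the applicable verdict shares a category with the rule's denied set."""
    _, verdict = lookup(url, entries, control_list)
    return verdict != "exempt" and bool(verdict & frozenset(denied_codes))
```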
APPENDIX F
Basic Troubleshooting
About this appendix
This appendix provides basic troubleshooting advice as well as procedures that require attaching a keyboard and monitor to your Sidewinder G2, such as performing a full system backup or reimaging your system. This appendix addresses the following topics:
“Powering-up the system to the Administrative kernel” on page F-2
“Restoring access to the Admin Console” on page F-3
“Backing up system files” on page F-4
“Restoring system files” on page F-8
“Adding hardware to an active Sidewinder G2” on page F-14
“What to do if the boot process fails” on page F-16
“Re-imaging your Sidewinder G2” on page F-17
“If you forget your administrator password” on page F-19
“Interpreting beep patterns” on page F-21
“If a patch installation fails” on page F-23
“Troubleshooting proxy rules” on page F-23
“Understanding FTP and Telnet connection failure messages” on page F-28
“Troubleshooting High Availability” on page F-29
“Troubleshooting NTP” on page F-34
“VPN troubleshooting commands” on page F-36
Basic Troubleshooting F-1
Powering-up the system to the Administrative kernel
You must be in the Administrative kernel to perform certain system maintenance tasks such as installing software or creating a full system backup. Follow the steps below to boot the system to the Administrative kernel when your Sidewinder G2 is powered OFF.
Important: When you are in the Administrative kernel, all network connections are disabled and Internet services are not available. Type Enforcement is also disabled.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor into the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).
2. Turn the Sidewinder G2 ON by pressing the power button.
3. When the “Booting Sidewinder Operational kernel” message appears, press any key (excluding Esc) to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel is booting. Press any key before the 0 appears. A Boot: prompt then appears.
4. Enter the following command:
bsd.sw.admin -w
5. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear. At the system prompt, you can perform any administrative tasks that require the Administrative kernel.
Note: If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.
6. When you have finished working in the Administrative kernel, reboot or shut down the system.
Note: See “Rebooting or shutting down using a command line interface” on page 3-4 to reboot or shut down the system from a command line interface.
Enabling and disabling authentication for the administrative kernel
The following steps explain how to enable and disable authentication for the administrative kernel. By default, administrative kernel authentication is disabled. This is because it is generally assumed that the Sidewinder G2 will be housed in a secure location that is not easily accessible by non-administrators. If your Sidewinder G2 is housed in an insecure area (that is, non-administrators could easily gain access to the physical system), you should enable administrative kernel authentication.
To enable or disable authentication for the administrative kernel, follow the steps below.
1. Log in to the Admin Console, and select File Editor.
2. Click Start File Editor.
3. Select File -> Open.
4. In the Source field, select Firewall File.
5. In the File field, type /etc/ttys and click OK.
6. To enable or disable administrative kernel authentication, edit the following line:
console "/usr/libexec/getty pccons" ibmpc3 on secure
To require authentication, change the value to insecure.
To disable authentication, change the value to secure.
7. Select File -> Save to save your changes.
8. Select File -> Exit to close the file editor.
Restoring access to the Admin Console
If an administrator accidentally configures the active rule group in a way that prevents an administrator from logging into the Sidewinder G2 (for example, moving the deny_all rule to the first position or deleting certain access rules), the following procedure allows you to regain access.
1. Reboot the Sidewinder G2 to the Administrative kernel. For information on rebooting to the Administrative kernel, see “Powering-up the system to the Administrative kernel” on page F-2.
2. At a console attached directly to the Sidewinder G2, run the following script:
restore_console_access
This script creates a temporary proxy rule called restore_console_access and adds it to the first position of the active proxy rule group. This rule allows an administrator to log into the Sidewinder G2 directly (using a console that is directly attached to the Sidewinder G2).
3. When the script completes, reboot to the Operational kernel. See “Rebooting or shutting down using a command line interface” on page 3-4.
4. When the Sidewinder G2 finishes rebooting, log in at a console attached directly to the Sidewinder G2.
5. Using the command line, identify and correct the problem in your active proxy rule group that is preventing administrator access. See Appendix A or refer to the cf acl man page for information on configuring your active rules via command line.
6. Once you have configured your active rules to allow administrator access, you will need to delete the restore_console_access rule. If you do not delete this rule and accidentally misconfigure the active rule group (displacing the position of the restore_console_access rule), a new rule cannot be configured and added in the correct position.
Backing up system files
You can back up your Sidewinder G2 file system to a digital audio tape (DAT) using scripts provided with the Sidewinder G2. The backup (and restore) functions on your system have been modified to be aware of Type Enforcement. When you restore files (as described on page A-8), they are automatically restored with the correct Type Enforcement properties.
The backup and restore procedures described in this section affect the entire Sidewinder G2 file system, including configuration files, mail queues, audit trails, and so on. If you want to back up and restore only the configuration files on your Sidewinder G2, see “Configuration file backup and restore” on page 3-13 for details.
Tip: Be sure to back up your system on a regular basis! You should already have a backup copy of the boot diskette as described in the Sidewinder G2 installation documentation.
The Sidewinder G2 provides scripts for performing a full system backup and incremental backups. The backup scripts listed in Table F-1 are provided in the /etc/backups directory. The log file for backups is stored in /var/log/backup.log.
Table F-1. Sidewinder G2 backup scripts
Backup Type | Backup script | What it does
Full backup | ./level0.backup | Backs up everything
Incremental backup | ./do.dump fs level filenum | Backs up the specified file system and labels it with the specified filenum
Performing a full system backup (level0)
Use the /etc/backups/level0.backup script to back up all of the file systems on your Sidewinder G2. The file systems that exist on your Sidewinder G2 may vary depending on how you have configured your Sidewinder G2. The file systems that are backed up may include the following (as well as any other file systems that you have on your Sidewinder G2):
/
/var
/usr
/home
/var/log
/var/spool
Note: If your Sidewinder G2 has multiple hard disks, resulting in re-partitioning of a file system, the backup scripts will manage that for you. The scripts also support backups that span multiple tapes.
To perform a full (level 0) system backup, follow the steps below.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor into the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).
2. Enter the following command on your Sidewinder G2 system to reboot to the Administrative kernel:
shutdown -g now
3. Press Enter when asked whether to check and mount all file systems. The system prompt will appear.
Note: If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.
4. Insert a backup DAT in the Sidewinder G2’s tape drive and wait for the tape to reach its load-point.
5. Enter the following command to run the full backup script:
/etc/backups/level0.backup
The backup process will take several minutes. You will see a “DUMP IS DONE” message for each file system. When the backup is complete, the # prompt appears and the tape ejects.
6. Label the tape (include type of backup, date, time, and so on).
7. Reboot the system to the Operational kernel by entering the following command:
shutdown -r now
Performing an incremental backup
The /etc/backups/do.dump command allows you to use several different options that track which files have changed since the last time you backed up, so that you are not doing full backups each time. This allows you to back up only the files that have changed since the last backup. For example, your first system backup would be a full backup (Level 0). The next time you back up, you would assign a backup level (a number from 1 to 9); for example, you could label it backup Level 1. The Level 1 backup procedure would check your file system, searching for files that were not backed up in Level 0. Only those files would be written to the tape. The next time you did an incremental backup, it would back up only the files that had changed since the previous Level 1 backup.
Note: While incremental backups can eliminate multiple copies of unchanged files, using incremental backups does increase the duration and complexity of the restore process. If you have a fast tape drive and the level 0 backup fits onto a single tape, you may want to consider performing only level 0 backups.
Tip: How often you should perform incremental backups depends on many factors, such as how much your system is used. The UNIX System Administration Handbook offers several types of schedules that meet various needs.
The following example shows an incremental backup (Level >0) that backs up four file systems. The backed up files are labeled file 1 through file 4.
Level 5 dump for /var as file 1 to /dev/nrst0 on Fri Feb 17 03:00:03 CST 1995
Level 5 dump for /usr as file 2 to /dev/nrst0 on Fri Feb 17 03:00:11 CST 1995
Level 5 dump for / as file 3 to /dev/nrst0 on Fri Feb 17 03:01:33 CST 1995
Level 5 dump for /var/log as file 4 to /dev/nrst0 on Fri Feb 17 03:06:10 CST 1995
The following example performs an incremental backup of the /usr file system. The tape will not be rewound, and the backed up file will not be compressed.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor into the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).
2. Enter the following command at the command prompt:
shutdown -g now
3. Press Enter when asked whether to check and mount all file systems. The system prompt will appear.
Note: If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.
4. Insert a backup DAT into the tape drive and wait for the tape to reach its load-point.
5. Type the following command to run the incremental backup script:
Important: You must type this command for each file system except /tmp.
/etc/backups/do.dump /usr level filenum
where:
level = the backup level (see “Performing an incremental backup” on page F-6)
filenum = a file number, indicating the position on the backup tape. For example, if this is the second file system on the tape the value for this parameter should be 1 (the first file system will be at position 0). For more information on how this parameter is used, see “Performing an incremental restore via the do.restore script” on page F-11.
This command backs up the /usr file system to the “no rewind” tape device (usually /dev/nrst0) and labels it.
You will see a “DUMP IS DONE” message for each file system. When the backup is complete, the # prompt appears.
6. When you have finished all incremental backups, rewind and eject the DAT by entering the following command:
mt o
7. Label the tape, indicating the type of backup, date, and time. You should also record the file systems that were backed up along with the corresponding file number (filenum) and mount point in case the file system order changes over time.
8. Reboot the system to the Operational kernel by entering the following command:
shutdown -r now
Restoring system files<br />
In the unlikely event that your <strong>Sidewinder</strong> <strong>G2</strong>’s hard disk needs to be<br />
replaced, you will need to restore the file system that you have<br />
backed up. You will also need to do a full system restore if you add<br />
hardware (for example, memory or disk space) to your active<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
The restore process allows you to restore your <strong>Sidewinder</strong> <strong>G2</strong> to your<br />
last level 0 backup without reconfiguring your system. To do this,<br />
follow the instructions in “Performing a full system restore” on page F-<br />
9. Then use the procedure in “Performing an incremental restore via<br />
the do.restore script” on page F-11 to restore files from your<br />
incremental backup tapes.<br />
When you restore files, they are automatically restored with the<br />
correct Type Enforcement properties.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> provides the capability to restore files from a full<br />
system backup (Level 0) or incremental backup tape (see Table F-2).
Table F-2. <strong>Sidewinder</strong> <strong>G2</strong> restore scripts<br />
Restore Type | Restore method | What it does<br />
Full restore | via boot process | Restores your <strong>Sidewinder</strong> <strong>G2</strong> from the level 0 backup tape<br />
Incremental restore | ./do.restore filenum | Restores the specified file system from the specified filenum<br />
Important: You must perform all incremental restore operations from the<br />
Administrative kernel.<br />
Performing a full system restore<br />
Use the following procedure to restore your <strong>Sidewinder</strong> <strong>G2</strong> using a<br />
level 0 backup. The restore process allows you to restore your<br />
<strong>Sidewinder</strong> <strong>G2</strong> to your last level 0 backup without reconfiguring your<br />
system.<br />
Caution: When you perform this procedure, all existing data will be overwritten by your<br />
last level 0 backup. Any files or directories added since the level 0 backup will be lost.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong> and<br />
reboot.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. Enter the following command on your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
shutdown -h now<br />
3. Once the system is halted, insert the <strong>Sidewinder</strong> <strong>G2</strong> product CD-ROM,<br />
and then power off the system.<br />
4. Power up the system.<br />
Tip: See the <strong>Sidewinder</strong> <strong>G2</strong> installation and configuration documentation for<br />
additional details on the Installation Wizard.<br />
5. Press Enter when the Installation Wizard appears.<br />
6. In the Installation Type window, use the down-arrow to move to the<br />
Restore Full System Backup option, and then press the space bar to<br />
select it.<br />
7. Tab to Continue and then press Enter.<br />
The Restore Full System Backup command will prompt you to insert a<br />
backup DAT; this is the DAT that you created when you did the level 0<br />
backup.<br />
8. Change partitioning information if needed.<br />
During the boot process the Default Disk Allocation screen displays the<br />
default values. If you need to modify the values, tab to Configure and<br />
then press Enter.<br />
Note: You may need to modify these values if you have installed new hardware.<br />
Otherwise, it is recommended that you use either the default values or whatever<br />
values that were set when the system backup was performed.<br />
9. Insert the DAT and wait for the tape to reach its load-point. Press Enter<br />
to initiate the restore process. The restore process will repartition the<br />
drives and reload all <strong>of</strong> the system files from the tape.<br />
10. When the restore is finished, the following message will appear:<br />
File restore complete.<br />
11. Remove the DAT and CD-ROM from their respective drives.<br />
12. Press Enter to reboot. The system then reboots to the Administrative<br />
kernel.<br />
13. If needed, restore any incremental backups. See “Performing an<br />
incremental restore via the do.restore script” on page F-11 for<br />
information.<br />
14. Perform a new full system (level 0) backup. See “Performing a full system<br />
backup (level 0)” on page F-5.<br />
Important: Do this even if you have not restored any old incremental backups.<br />
Performing a new level 0 backup might seem unnecessary at this point, but it must be<br />
done in order for future incremental backups to remain in sync with the new file<br />
structure. Problems will likely occur if you do a new incremental backup at a later<br />
date and then try to restore the system without having first done a full system (level<br />
0) backup.<br />
15. When the full system backup is complete, enter the following<br />
command to reboot to the Operational kernel:<br />
shutdown -r now
Performing an incremental restore via the do.restore script<br />
As noted earlier in this section, the <strong>Sidewinder</strong> <strong>G2</strong> file systems are<br />
stored as separate files on the backup tape. To restore a file system,<br />
you can use the do.restore script in the /etc/backups directory.<br />
Incremental restores must be performed from the Administrative<br />
kernel.<br />
Follow these steps to restore files on the <strong>Sidewinder</strong> <strong>G2</strong>:<br />
Caution: If you are restoring the root (/) file system, DO NOT restore the /shlib directory,<br />
which contains shared libraries. If you restore this directory, the system will hang and you<br />
will not be able to reboot it. To restore this file system, first use the add command to restore<br />
all files. Then use the delete command to delete the /shlib directory from the list <strong>of</strong> files.<br />
Extract the files as usual.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong> and<br />
reboot.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. Reboot the system to the Administrative kernel by entering the<br />
following command:<br />
shutdown -g now<br />
3. Press Enter when asked whether to check and mount all file systems.<br />
The system prompt will appear.<br />
Note: If you have enabled authentication for the administrative kernel, you will be<br />
prompted to log in before the system prompt appears.<br />
4. Insert your backup DAT into the tape drive. Use the DAT on which you<br />
backed up your files.<br />
5. Type df to display the file systems on the current <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Important: The order of the file systems on the current <strong>Sidewinder</strong> <strong>G2</strong> may not<br />
match the order in which they were backed up on the tape!<br />
For example, the output might look like this:<br />
Filesystem  512-blocks     Used    Avail Capacity  Mounted on<br />
/dev/sd0a        21150    14392     4642      76%  /<br />
/dev/sd0d       123903    86320    25192      77%  /var<br />
/dev/sd0e       123903    86320    25192      77%  /var/log<br />
/dev/sd0g      3837972   939306  2514868      27%  /usr<br />
/dev/sd1a      4047224  2131220  1511280      59%  /home<br />
6. Use the cd command to switch to the mount point of the file system you<br />
are restoring (the directory shown in the “Mounted on” column in the<br />
previous step).<br />
7. Position the tape and invoke the restore script by entering the following<br />
command.<br />
/etc/backups/do.restore filenum<br />
Note: You must enter this command for each file system that you want to restore.<br />
The filenum variable refers to the order in which the file system<br />
appears on the backup tape. For example, typing do.restore 0 will<br />
position the tape to restore the first file system that was backed up. In<br />
the example list shown in step 5, the first file system backed up was /.<br />
Typing do.restore 4 will forward the tape four file systems from the<br />
first one. (This script automatically rewinds the tape first.) Based on the<br />
example in step 5, the tape would move to /home.<br />
After you type the command, you are in the interactive mode for the<br />
restore command (the prompt is restore>).<br />
8. Type the command you want to use to build the extract list.<br />
You can type any <strong>of</strong> the commands listed in Table F-3.<br />
These commands build the extract list relative to the current<br />
directory you switched to in step 6. For example, use the add command to add<br />
files to the list of the ones you want to restore. A restore is not started<br />
until the next step is completed.<br />
Table F-3. Restore Script Commands<br />
Command | What it does<br />
ls directory | Lists contents of the specified directory<br />
cd directory | Changes to specified directory<br />
pwd | Prints the full path name of the current working directory<br />
add directory, add file | Adds directory or file to list of files to be extracted. Important: If you are restoring the root file system, see Caution on page F-11!<br />
delete directory, delete file | Deletes directory or file from list of files to be extracted<br />
extract | Extracts all files that were added to the list<br />
setmodes | Sets modes of requested directories<br />
quit | Exits program immediately<br />
what | Lists dump header information<br />
verbose | Toggles verbose flag (useful with ls command)<br />
help or ? | Prints this command list<br />
9. After you have selected the files, enter the extract command.<br />
10. When prompted, enter the volume number by typing 1 and press Enter.<br />
You will be asked whether you want to change owner/mode/types for<br />
the current working directory.<br />
11. Type y or n and press Enter.<br />
You should almost always type n to prevent the owner/mode/types in<br />
the current working directory from being changed.<br />
12. To exit the restore script, type quit at the restore> prompt.<br />
13. Repeat step 6 through step 12 for other file systems you want to restore.<br />
14. When you are finished restoring files from the DAT, rewind and eject the<br />
tape by entering the following command:<br />
mt o<br />
15. Reboot to the Operational kernel by entering the following command:<br />
shutdown -r now<br />
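Step 5 through step 7 of the incremental backup and step 5 through step 7 of the incremental restore turn on the same detail: the filenum given to do.dump and do.restore is the file system’s position on the tape, and the guide warns that today’s df order need not match it. The following shell script is an added example, not part of this guide or of the <strong>Sidewinder</strong> <strong>G2</strong> software. It records the filenum-to-mount-point mapping in a manifest when the backup is taken and reads that manifest back at restore time instead of counting from df output; for the root file system it also leaves /shlib out of the extract list, as the Caution above requires. The manifest path, the function names and the sample df output are this example’s own; it assumes only that do.dump and do.restore take the arguments shown in the guide.<br />

```sh
#!/bin/sh
# Added example, not part of the Sidewinder G2 guide: records the tape layout
# (filenum -> mount point) in a manifest at backup time and uses that manifest,
# not the current df order, to position the tape at restore time.
# Assumptions: /etc/backups/do.dump and /etc/backups/do.restore take the
# arguments the guide shows; the manifest path and all function names are
# this example's own.

MANIFEST="${MANIFEST:-/var/backups/tape-manifest.txt}"   # assumed location
DO_DUMP="${DO_DUMP:-/etc/backups/do.dump}"
DO_RESTORE="${DO_RESTORE:-/etc/backups/do.restore}"

# Constructed df output in the format the guide shows (not from a real system);
# /tmp is included to show that it is skipped, as the guide requires.
SAMPLE_DF='Filesystem 512-blocks Used Avail Capacity Mounted on
/dev/sd0a 21150 14392 4642 76% /
/dev/sd0d 123903 86320 25192 77% /var
/dev/sd0e 123903 86320 25192 77% /var/log
/dev/sd0g 3837972 939306 2514868 27% /usr
/dev/sd1a 4047224 2131220 1511280 59% /home
mfs:12 16382 8 14736 0% /tmp'

# plan_dumps: read df output on stdin, drop the header and /tmp, and print one
# "filenum mountpoint" line per file system in the order it will go on tape.
plan_dumps() {
    awk 'NR > 1 && $NF != "/tmp" { printf "%d %s\n", n, $NF; n++ }'
}

# write_manifest LEVEL FILE: stamp the level and date, then the tape layout
# taken from the df output on stdin. Written before the first dump so that a
# backup that dies half way still leaves a record of the intended layout.
write_manifest() {
    {
        printf '# level=%s date=%s\n' "$1" "$(date +%Y-%m-%dT%H:%M:%S)"
        plan_dumps
    } > "$2"
}

# run_backup LEVEL: dump every listed file system to its own tape file, in
# manifest order, then rewind and eject (the guide's "mt o").
run_backup() {
    df | write_manifest "$1" "$MANIFEST"
    grep -v '^#' "$MANIFEST" | while read -r filenum mnt; do
        "$DO_DUMP" "$mnt" "$1" "$filenum"
    done
    mt o
}

# filenum_for FILE MOUNTPOINT: the tape position recorded for a mount point.
# Exits non-zero when the mount point is not in the manifest (for example /tmp).
filenum_for() {
    awk -v m="$2" '!/^#/ && $2 == m { print $1; found = 1 } END { exit !found }' "$1"
}

# restore_commands MOUNTPOINT: the commands to type at the restore> prompt.
# Per the guide's Caution, /shlib is never extracted when restoring /.
restore_commands() {
    if [ "$1" = "/" ]; then
        printf 'add .\ndelete shlib\nextract\nquit\n'
    else
        printf 'add .\nextract\nquit\n'
    fi
}

# start_restore MOUNTPOINT: cd to the mount point (guide step 6) and position
# the tape by the recorded filenum (step 7). Answer 1 to the volume prompt and
# n to the owner/mode/types question, as the guide says.
start_restore() {
    filenum="$(filenum_for "$MANIFEST" "$1")" || {
        echo "no tape file recorded for $1 in $MANIFEST" >&2; return 1; }
    echo "At the restore> prompt type:" >&2
    restore_commands "$1" >&2
    cd "$1" && "$DO_RESTORE" "$filenum"
}
```

From the Administrative kernel, run_backup 1 performs the level 1 pass and writes the manifest, and start_restore /home positions the tape at whatever filenum /home was given when that tape was written, even if a disk has since been added and df lists the file systems in a different order. Keep a printed copy of the manifest with the tape label (step 7 of the backup procedure); the on-disk copy is lost with the disk it is meant to help rebuild.<br />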
Restoring configuration files using the command line<br />
If you need to restore your <strong>Sidewinder</strong> <strong>G2</strong> to a backup configuration<br />
saved on floppy diskette and do not have access to the Admin<br />
Console, use the following steps to restore your configuration backup<br />
via the command line.<br />
1. Insert the configuration backup diskette in the <strong>Sidewinder</strong> <strong>G2</strong>’s diskette<br />
drive.<br />
2. At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, enter the following command:<br />
cf config restore loc=floppy<br />
3. The <strong>Sidewinder</strong> <strong>G2</strong> restores the configuration files. If your backup<br />
configuration uses multiple diskettes, you will be prompted when you<br />
need to remove the current diskette and insert the next diskette.<br />
4. When restore process is complete, remove the diskette and reboot.<br />
Important: The version <strong>of</strong> the configuration backup must match the version on the<br />
Installation–Disk Imaging CD used during the restore process. Avoid complications by<br />
backing up your configuration after every upgrade.<br />
Adding hardware to an active <strong>Sidewinder</strong> <strong>G2</strong><br />
You can use the full system (level 0) restore process if you want to<br />
add hardware (for example, memory or disk space) to your active<br />
<strong>Sidewinder</strong> <strong>G2</strong>, or if you are moving to a new chassis.<br />
Note: The best time to add memory or disk space is before you install your <strong>Sidewinder</strong> <strong>G2</strong><br />
s<strong>of</strong>tware. When you have completed the procedure, the <strong>Sidewinder</strong> <strong>G2</strong> will automatically<br />
detect the new memory and disk space.
To add hardware, follow these steps.<br />
Note: You do not need to perform this procedure if you are adding network devices.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong> and<br />
reboot.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items to the front connection ports or both in the back<br />
connection ports).<br />
2. Perform a level 0 backup <strong>of</strong> your system.<br />
Important: You must back up your s<strong>of</strong>tware system because you will be<br />
repartitioning the disk drives in step 7, and you will need a full backup to restore the<br />
system. Given the significance <strong>of</strong> this backup, it is a good idea to perform two level 0<br />
backups, in case there is a problem with the first backup. See “Backing up system<br />
files” on page F-4 for instructions on performing a level 0 backup.<br />
3. Type the following command to halt the system.<br />
shutdown -h now<br />
4. Power <strong>of</strong>f the system.<br />
5. Add the new hardware to your system.<br />
Be sure to take the necessary precautions against electrostatic discharge<br />
damage.<br />
6. Power up the system and quickly insert the <strong>Sidewinder</strong> <strong>G2</strong> Installation–<br />
Disk Imaging CD-ROM.<br />
Tip: See the <strong>Sidewinder</strong> <strong>G2</strong> installation and configuration documentation for<br />
additional details.<br />
7. Press Enter when the Installation Wizard appears.<br />
8. In the Installation Type window, use the down-arrow to move to the<br />
Restore Full System Backup option, and then press the space bar to<br />
select it.<br />
9. Tab to Continue and then press Enter.<br />
The Restore Full System Backup command will prompt you to insert a<br />
backup DAT; this is the DAT that you created when you did the level 0<br />
backup.<br />
10. Change partitioning information, if needed.<br />
During the boot process the Default Disk Allocation screen displays the<br />
default values. If you need to modify the values, tab to Configure and<br />
then press Enter.<br />
Note: You may need to modify these values if you installed new hardware.<br />
Otherwise, it is recommended that you use either the default values or whatever<br />
values that were set when the system backup was performed.<br />
11. Insert the DAT and wait for the tape to reach its load-point. Press Enter<br />
to initiate the restore process. The restore process will repartition the<br />
drives and reload the system files from the tape.<br />
12. When the restore is finished, the following message will appear: File<br />
restore complete.<br />
13. Remove the DAT and CD-ROM from their drives.<br />
14. Press Enter to reboot the system to the Administrative kernel.<br />
15. If needed, restore any incremental backups. See “Performing an<br />
incremental restore via the do.restore script” on page F-11 for<br />
information.<br />
16. Perform a new full system (level 0) backup.<br />
Important: Do this even if you have not restored any old incremental backups.<br />
Performing a new level 0 backup might seem unnecessary at this point, but it must be<br />
done in order for future incremental backups to remain in sync with the new file<br />
structure. Problems are likely to occur if you perform a new incremental backup at<br />
some later date and then try to restore the system without having first performed a<br />
full system backup.<br />
17. When the full system backup is complete, enter the following<br />
command to reboot to the Operational kernel:<br />
shutdown -r now<br />
What to do if the boot process fails<br />
A boot failure may be caused by the fsck command, which runs as part of<br />
the system boot process. If fsck fails, the <strong>Sidewinder</strong> <strong>G2</strong> will not boot<br />
properly. If the boot process fails, attach a keyboard and monitor and<br />
repower the system.<br />
If you see a # prompt (indicating that the fsck command failed), type<br />
the following at the # prompt to fix any disk problems:<br />
ind Kern /sbin/fsck -p<br />
Then restart the system by entering shutdown -r now at the<br />
command prompt.
System reboot messages<br />
During a system reboot, certain system events will cause messages to<br />
be stored in the audit holding area prior to auditd being started.<br />
When auditd starts, one or more blue messages stating “sacopen:<br />
transferred 1 records from hold” may appear on the console’s<br />
display. This merely indicates that the messages stored in the audit<br />
holding area were transferred to the audit stream. Normally, these<br />
messages can be ignored.<br />
Re-imaging your <strong>Sidewinder</strong> <strong>G2</strong><br />
If you need to re-image your <strong>Sidewinder</strong> <strong>G2</strong> configuration, follow the<br />
steps below. You will need both your <strong>Sidewinder</strong> <strong>G2</strong> Installation–Disk<br />
Imaging CD-ROM and your configuration backup diskette. (You may<br />
need to use this process if your original configuration was incorrect.)<br />
Note: Any changes you made to the multi-processor configuration (mp.config) file will<br />
be overwritten during the re-installation process.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. Insert the Installation–Disk Imaging CD into the drive and reboot (or<br />
power on) the system. The system boots from the CD and displays<br />
standard boot-up information. When the system finishes booting, the<br />
<strong>Sidewinder</strong> <strong>G2</strong> s<strong>of</strong>tware Installation Wizard Welcome window appears.<br />
3. Press Enter. The Installation Type window appears.<br />
4. Press Enter to accept Install as the installation type and continue with<br />
the installation.<br />
5. Review the system information. If necessary, tab between the window<br />
information and the Continue button.<br />
6. Make sure the Continue button is highlighted and press Enter.<br />
7. Press Enter to accept the default disk partitioning.<br />
Note: In most situations, the default partitioning should be appropriate. Only<br />
experienced administrators should change the default disk partitioning.<br />
8. Tab to highlight Yes.<br />
9. Press Enter. The Installation Wizard will erase your system’s hard drive<br />
and re-install the <strong>Sidewinder</strong> <strong>G2</strong> s<strong>of</strong>tware.<br />
Caution: If you answer Yes at this point, your system’s hard drive will be erased.<br />
Depending on the size <strong>of</strong> your hard drive, this process may take some time (from<br />
30 to 120 minutes for a 20 GB hard drive).<br />
10. Press Enter. The Installation window appears.<br />
11. Tab to Done and press Enter.<br />
12. Remove the CD-ROM and insert your Configuration Wizard floppy<br />
diskette in the <strong>Sidewinder</strong> <strong>G2</strong>’s diskette drive.<br />
13. Press Enter to reboot the system. The <strong>Sidewinder</strong> <strong>G2</strong> automatically loads<br />
the configuration information from the Configuration Wizard floppy<br />
diskette. When this process completes:<br />
If configured to auto-activate, the system will initialize and access<br />
the Secure Computing activation server. During this time, the<br />
system will reboot, then emit two beeps indicating the <strong>Sidewinder</strong><br />
<strong>G2</strong> is active.<br />
Note: The <strong>Sidewinder</strong> <strong>G2</strong> will try to send the activation request for one minute. If the<br />
activation is not successful in that time, you must activate your <strong>Sidewinder</strong> <strong>G2</strong> using<br />
the Admin Console.<br />
If configured for manual activation, the system will initialize and<br />
start in Safe mode. After about seven minutes, a four-beep pattern<br />
begins and continues (every 30 seconds) until the <strong>Sidewinder</strong> <strong>G2</strong><br />
license is activated. The <strong>Sidewinder</strong> <strong>G2</strong> will not pass traffic until it is<br />
activated.<br />
Note: Safe mode indicates that the <strong>Sidewinder</strong> <strong>G2</strong> is networked but not passing<br />
traffic. Traffic will be passed only once your <strong>Sidewinder</strong> <strong>G2</strong> license is activated.<br />
14. Remove the Configuration Wizard diskette and store it in a safe location.<br />
15. [Conditional] If you applied any system patches to your <strong>Sidewinder</strong> <strong>G2</strong><br />
prior to making your last configuration backup, you will need to load<br />
and install to your previous patch level before you apply the<br />
configuration backup diskette. (For information on loading and<br />
installing patches, see “Loading and installing patches” on page 3-41.)<br />
16. Restore your <strong>Sidewinder</strong> <strong>G2</strong> configuration data. See “Restoring<br />
configuration files using the Admin Console” on page 3-18.
If you forget your administrator password<br />
If you forget your administrator password, you can change your<br />
password on the <strong>Sidewinder</strong> <strong>G2</strong> itself by booting to the administrative<br />
kernel.<br />
Important: By default, the administrative kernel does not require authentication.<br />
However, if you have configured your system to require administrative kernel<br />
authentication, you will need to temporarily disable authentication using the<br />
maintenance mode option before you can access the administrative kernel and change<br />
your password. For information on disabling administrative kernel authentication when<br />
you have forgotten your password, see “Using maintenance mode to disable<br />
authentication when you have forgotten your password” on page F-20.<br />
Changing your password in the administrative kernel<br />
Follow the steps below to change your password in the administrative<br />
kernel.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong> and<br />
reboot.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. When the "loading/boot . . . . . ." message appears, press<br />
any key to interrupt the boot sequence.<br />
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational<br />
kernel is booting. Press any key before the 0 appears. A Boot: prompt<br />
then appears.<br />
3. Enter the following command:<br />
bsd.sw.admin -w<br />
4. Press Enter when asked whether to check and mount all file systems.<br />
The system prompt will appear.<br />
5. Enter the following command to change your password:<br />
cf adminuser modify user=name password=newpassword<br />
6. To reboot to the Operational kernel, enter the following command:<br />
shutdown -r now<br />
You can now log in using your new password.<br />
Using maintenance mode to disable authentication<br />
when you have forgotten your password<br />
If you have configured your system to require administrative kernel<br />
authentication and you forget your password, you will need to<br />
temporarily disable administrative kernel authentication using the<br />
maintenance mode option, as described below.<br />
1. Attach a keyboard and monitor directly to your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. Insert the <strong>Sidewinder</strong> <strong>G2</strong> Installation–Disk Imaging CD-ROM in the<br />
<strong>Sidewinder</strong> <strong>G2</strong>’s CD drive, and then power <strong>of</strong>f the system.<br />
3. Power up the system. Click Continue when the Installation Wizard<br />
appears.<br />
4. On the Installation Type window, use the down arrow to scroll to the<br />
Maintenance Mode option, and press the space bar to select it.<br />
5. Tab to Continue and press Enter. The shell prompt appears.<br />
6. Open the /etc/ttys file for editing.<br />
7. Change the final field of the console entry to secure, so that the line reads:<br />
console /usr/libexec/getty pccons ibmpc3 on secure<br />
8. Save your changes and exit.<br />
9. At the shell prompt, type exit and press Enter. The Install Wizard<br />
appears.<br />
10. See “Changing your password in the administrative kernel” on page F-<br />
19 for information on changing your password in the administrative<br />
kernel.
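The /etc/ttys edit in step 6 through step 8 is the whole of the authentication bypass, so it is worth making it with a check and undoing it once the password has been changed. The shell functions below are an added example, not part of this guide or of the <strong>Sidewinder</strong> <strong>G2</strong> software: they rewrite only the console entry of a ttys file, refuse to touch a file that does not contain exactly one such entry, and report the entry’s current state. The function names and the sample file are this example’s own, and it assumes, following the line shown in step 7, that the final field of the console entry reads secure while administrative kernel authentication is disabled and insecure while it is enabled.<br />

```sh
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: switches the console entry of
# a ttys file between "secure" and "insecure" and reports its current state.
# Assumption (from the line the guide shows): the console entry's final field is
# "secure" when administrative kernel authentication is disabled and "insecure"
# when it is enabled. File and function names are this example's own.

# Constructed sample ttys file (not copied from a real system) with the console
# line from the guide in the authenticated ("insecure") state.
SAMPLE_TTYS='# name    getty                      type    status flag
console   /usr/libexec/getty pccons  ibmpc3  on     insecure
ttyp0     none                       network
ttyp1     none                       network'

# set_console_flag FILE secure|insecure: print FILE with the console entry's
# final field set to the requested value. Only a trailing "secure"/"insecure"
# is replaced (spacing is preserved); any other final field gets the flag
# appended. Exit 2 unless exactly one console entry was seen, so a damaged or
# unexpected file is never silently "fixed".
set_console_flag() {
    awk -v want="$2" '
        $1 == "console" {
            n++
            if ($NF == "secure" || $NF == "insecure") { sub(/[^ \t]+[ \t]*$/, want) }
            else { $0 = $0 " " want }
        }
        { print }
        END { if (n != 1) exit 2 }
    ' "$1"
}

# apply_console_flag FILE secure|insecure: rewrite FILE in place, but only
# after the whole new contents were produced without error.
apply_console_flag() {
    tmp="$1.tmp.$$"
    if set_console_flag "$1" "$2" > "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        echo "refusing to change $1: expected exactly one console entry" >&2
        return 1
    fi
}

# console_flag FILE: print "secure" or "insecure" for the console entry.
console_flag() {
    awk '$1 == "console" { f = ($NF == "secure") ? "secure" : "insecure"; print f }' "$1"
}
```

From the maintenance-mode shell, apply_console_flag /etc/ttys secure replaces the hand edit in step 6 through step 8, and console_flag /etc/ttys confirms what was written. Once the password has been changed (see “Changing your password in the administrative kernel”), return to maintenance mode and run apply_console_flag /etc/ttys insecure: while the console entry stays secure, anyone with physical access to the keyboard and monitor ports can reach the administrative kernel without a password.<br />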
Manually clearing an authentication failure lockout<br />
If you have enabled the authentication failure lockout option and<br />
have been locked out <strong>of</strong> your system, another administrator can log in<br />
to the system and clear the lock using the Admin Console (see<br />
“Configuring authentication services” on page 9-11). However, if you<br />
do not have another administrator who can clear your lock for you,<br />
you can still manually clear your lock by successfully logging in at the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, as follows:<br />
1. Attach a keyboard and monitor (or laptop) directly to your <strong>Sidewinder</strong><br />
<strong>G2</strong>.<br />
Note: If your system has multiple keyboard/monitor connection ports, you must<br />
attach the keyboard and monitor into the same keyboard/monitor connection port<br />
pair (that is, attach both items either to the front connection ports or the back<br />
connection ports).<br />
2. [Conditional] If the <strong>Sidewinder</strong> <strong>G2</strong> does not detect the keyboard and<br />
monitor (or laptop), reboot the <strong>Sidewinder</strong> <strong>G2</strong>. When the <strong>Sidewinder</strong><br />
<strong>G2</strong> has booted, the login prompt appears.<br />
3. Log in to the <strong>Sidewinder</strong> <strong>G2</strong>. When you successfully log in directly on<br />
the <strong>Sidewinder</strong> <strong>G2</strong>, the lock will be cleared automatically and you<br />
should be able to log in to the <strong>Sidewinder</strong> <strong>G2</strong> as usual.<br />
Interpreting beep patterns<br />
At times, your <strong>Sidewinder</strong> <strong>G2</strong> may emit a beep pattern. The beep<br />
pattern may repeat itself until the issue is addressed. This is the<br />
<strong>Sidewinder</strong> <strong>G2</strong>’s way of communicating to you its status and what<br />
needs to happen next. Refer to this chart to interpret the various<br />
patterns and take the appropriate action.<br />
Table F-4. <strong>Sidewinder</strong> <strong>G2</strong> beep patterns<br />
What you hear | What it means | What you should do<br />
TWO (2) short beeps (non-repeating) | <strong>Sidewinder</strong> <strong>G2</strong> successfully rebooted and is now passing traffic | No action needed, the <strong>Sidewinder</strong> <strong>G2</strong> is operational.<br />
THREE (3) short beeps (repeating) | Configuration Wizard floppy diskette is not in its drive | Insert the Configuration Wizard diskette.<br />
FOUR (4) short beeps (repeating) | Errors on Configuration Wizard floppy diskette (non-content errors) | Try again with a new Configuration Wizard floppy diskette.<br />
FIVE (5) short beeps (repeating) | Unlicensed <strong>Sidewinder</strong> <strong>G2</strong> running in Safe Mode | If you get this beep pattern upon the initial installation, do one of the following: license the <strong>Sidewinder</strong> <strong>G2</strong> (see Chapter 3 for details), or attach a serial console or monitor and keyboard, then enter the command stop_beep. Note: Using this command only turns off the beep pattern, but does not make your <strong>Sidewinder</strong> <strong>G2</strong> fully operational. You must license the <strong>Sidewinder</strong> <strong>G2</strong> before it will pass and monitor traffic.<br />
FIVE (5) short beeps (repeating) | Network failure | If you get this beep sequence while the <strong>Sidewinder</strong> <strong>G2</strong> is licensed, troubleshoot your network connectivity.<br />
ONE (1) medium beep | Remove media from the <strong>Sidewinder</strong> <strong>G2</strong> | Remove media and reboot.<br />
THREE (3) short beeps | Managed <strong>Sidewinder</strong> <strong>G2</strong> failed to register with the EM server. Note: This beep pattern can only occur on a managed <strong>Sidewinder</strong> <strong>G2</strong>. | Verify the <strong>Sidewinder</strong> <strong>G2</strong> name, registration key, and administration user name and password information. Then try again manually to register the <strong>Sidewinder</strong> <strong>G2</strong> to the EM server.<br />
Long beep followed by n short beeps (repeating), where n = sequential number of floppy diskettes to be installed | Ready for next floppy diskette in configuration backup | Insert the next floppy diskette in your configuration backup.<br />
Long beep (repeating) | Task failed | Contact Customer Support (if you have a support contract). Re-install or perform a configuration restore.<br />
If a patch installation fails<br />
In the unlikely event the patch installation fails, the <strong>Sidewinder</strong> <strong>G2</strong><br />
will not be operational, and will instead boot into failure mode. A<br />
message appears when you log in to the <strong>Sidewinder</strong> <strong>G2</strong> and it is in<br />
failure mode.<br />
Failure mode enables the <strong>Sidewinder</strong> <strong>G2</strong> to boot far enough to allow<br />
an administrator to log in. The administrator can then display the log<br />
files and perform diagnostic functions in an effort to determine what<br />
went wrong.<br />
Important: Unless you are an extremely experienced <strong>Sidewinder</strong> <strong>G2</strong> administrator,<br />
please contact Secure Computing <strong>Technical</strong> Support if your <strong>Sidewinder</strong> <strong>G2</strong> boots into<br />
failure mode.<br />
After correcting the problem you should perform the following steps:<br />
1. Exit failure mode by typing the following command:<br />
cf daemond set failure_mode=<strong>of</strong>f<br />
2. Reboot the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: For more information on failure mode, see “daemond” on page 1-12.<br />
Troubleshooting proxy rules<br />
The following sections provide information on troubleshooting basic<br />
proxy rule problems. For additional information on troubleshooting<br />
proxy rules, refer to the cf_proxy man page.<br />
Basic Troubleshooting F-23
Failed connection requests<br />
If the <strong>Sidewinder</strong> <strong>G2</strong> rejects a connection request that you feel should<br />
have succeeded, you can take steps to determine why the connection<br />
was rejected. The steps shown below will help you to locate and<br />
correct rule configuration errors. They will also help you gain a better<br />
understanding <strong>of</strong> how those rules work.<br />
1. Start the Admin Console and select Services Configuration -> Proxies.<br />
Verify that the appropriate proxy is enabled. The most common mistake<br />
is failing to enable the service type indicated by the proxy rule.<br />
Tip: Verify that all appropriate servers are enabled as well.<br />
2. Select Policy Configuration -> Rules.<br />
Verify that the proxy rule for the proxy or server specifies the correct<br />
network. You need to enable the service type on the correct network to<br />
listen for incoming connections. In the Rules Source/Dest tab, this<br />
corresponds to the Source Burb column.<br />
3. Verify the position <strong>of</strong> the rules within the Active Rules window. (Select<br />
Policy Configuration -> Rules -> and then click View Active Policy).<br />
The order <strong>of</strong> the rules in the Active Rules window is important. The<br />
attributes <strong>of</strong> a connection request sometimes may match more than<br />
one proxy rule. See “Creating proxy rules” on page 7-4 for a detailed<br />
example.<br />
4. Check the audit log information.<br />
If the connection still fails, scan the audit log to determine which proxy<br />
rule denied the connection. See Chapter 18 for details on viewing audit.<br />
The audit record below shows a common scenario, a connection that failed to<br />
match any rule:<br />
Apr 29 16:52:29 2002 CDT f_nss a_server t_acldeny<br />
p_major<br />
pid: 27122 ruid: 0 euid: 0 pgid: 188 fid: 2000001<br />
logid: 0 cmd: ’nss’<br />
domain: nss1 edomain: nss1 srcip: 172.17.9.27<br />
srcburb: 1 dstip: 172.17.9.27 dstburb: 1 protocol: 6<br />
service_name: telnet agent_type: server user_name:<br />
authmethod: acl_id: <br />
cache_hit: 0<br />
5. Turn on verbose auditing <strong>of</strong> rule (ACL) checks.
To determine why no proxy rule matched the connection request, type<br />
the following command to turn on verbose auditing <strong>of</strong> rule checks:<br />
cf acl set loglevel=4<br />
This increases the level <strong>of</strong> rule audits from the default level 2 (minor) to<br />
level 4 (major).<br />
Note: Modifications to the log level setting will not be overwritten if acld is<br />
restarted. To return the log level to its default value, you must manually reset it.<br />
When the connection attempt is rejected, the proxy or server will<br />
generate a more verbose audit message as shown below:<br />
May 5 02:37:42 2002 CDT f_ping_proxy a_aclquery<br />
t_info p_major<br />
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001<br />
logid: 0 cmd: 'pingp'<br />
domain: Ping edomain: Ping<br />
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY<br />
=Skipped 'http_out': query service 'ping' != rule<br />
'http'.<br />
Skipped 'telnet_external': query agent 'proxy' !=<br />
rule 'server'.<br />
Skipped 'http_ssl_out': query service 'ping' != rule<br />
'https'.<br />
Skipped 'ftp_out': query service 'ping' != rule<br />
'ftp'.<br />
Skipped 'telnet_out': query service 'ping' != rule<br />
'telnet'.<br />
Skipped 'nntp_out': query service 'ping' != rule<br />
'nntp'.<br />
Skipped 'real_media_out': query service 'ping' !=<br />
rule 'RealMedia'.<br />
Skipped 'rtsp_out': query service 'ping' != rule<br />
'rtsp'.<br />
Skipped 'gopher_out': query service 'ping' != rule<br />
'gopher'.<br />
Skipped 'finger_out': query service 'ping' != rule<br />
'finger'.<br />
Skipped 'dns_self': query service 'ping' != rule<br />
'dns'.<br />
Skipped 'smtp_out': query service 'ping' != rule<br />
'smtp'.<br />
Skipped 'smtp_in': query service 'ping' != rule<br />
'smtp'.<br />
Skipped 'cobra_all': query agent 'proxy' != rule<br />
'server'.<br />
Skipped 'login_console': query agent 'proxy' != rule<br />
'server'.<br />
Access denied by rule 'deny_all'.<br />
You can use this output to determine why each proxy rule failed to<br />
match the connection request. Locate the proxy rule that you thought<br />
should have matched. Then inspect and correct the proxy rule.<br />
Note: When you are done troubleshooting, type the following command to lower<br />
the level <strong>of</strong> rule audits back to the default:<br />
cf acl set loglevel=2<br />
If you do not set the loglevel back to 2, the verbose rule audits will eventually fill the disk.<br />
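The following Python script is an added example, not code from the guide or from Secure Computing. It parses the audit record header (the f_/a_/t_/p_ tags seen in the step 4 record) and the verbose Skipped / Access denied lines from step 5, and answers the question the text poses: why the rule you expected to match was skipped. The sample audit text is constructed from the guide's output with its wrapped lines joined and shortened to a few rules; the regular expressions are this example's assumption about the line layout.<br />

```python
import re
from collections import Counter

# Constructed sample: the guide's verbose aclQUERY audit, re-typed with the
# wrapped lines joined and shortened to four of the skipped rules. Rule names,
# service names and field names are the ones that appear in the guide.
SAMPLE_AUDIT = """\
May  5 02:37:42 2002 CDT f_ping_proxy a_aclquery t_info p_major
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001 logid: 0 cmd: 'pingp'
domain: Ping edomain: Ping
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY
=Skipped 'http_out': query service 'ping' != rule 'http'.
Skipped 'telnet_external': query agent 'proxy' != rule 'server'.
Skipped 'http_ssl_out': query service 'ping' != rule 'https'.
Skipped 'cobra_all': query agent 'proxy' != rule 'server'.
Access denied by rule 'deny_all'.
"""

# First line of an audit record: timestamp, then the f_/a_/t_/p_ tagged
# facility, area, event type and priority (layout assumed from the guide's samples).
HEADER_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} \w+)\s+"
    r"f_(?P<facility>\S+)\s+a_(?P<area>\S+)\s+t_(?P<type>\S+)\s+p_(?P<priority>\S+)"
)
# One line per rule the ACL check rejected: which attribute differed, and how.
SKIP_RE = re.compile(
    r"Skipped '(?P<rule>[^']+)': query (?P<field>\w+) '(?P<got>[^']*)' != rule '(?P<want>[^']*)'\."
)
DENY_RE = re.compile(r"Access denied by rule '(?P<rule>[^']+)'\.")


def parse_aclquery(text):
    """Return the record header, every skipped rule and the rule that finally denied."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    header = m.groupdict() if m else {}
    skipped, denied_by = [], None
    for line in lines[1:]:
        m = SKIP_RE.search(line)  # search(): tolerates the '+' / '=' audit prefixes
        if m:
            skipped.append(m.groupdict())
            continue
        m = DENY_RE.search(line)
        if m:
            denied_by = m.group("rule")
    return {"header": header, "skipped": skipped, "denied_by": denied_by}


def why_skipped(parsed, rule_name):
    """Explain why the rule you expected to match did not: (field, query value, rule value)."""
    for s in parsed["skipped"]:
        if s["rule"] == rule_name:
            return (s["field"], s["got"], s["want"])
    return None


def mismatch_counts(parsed):
    """How many rules were rejected on each attribute (service, agent, ...)."""
    return dict(Counter(s["field"] for s in parsed["skipped"]))


if __name__ == "__main__":
    result = parse_aclquery(SAMPLE_AUDIT)
    print(f"{result['header']['facility']}: denied by '{result['denied_by']}'")
    for s in result["skipped"]:
        print(f"  {s['rule']:18} {s['field']} {s['got']!r} != {s['want']!r}")
```

Run it against a record copied from the audit log: why_skipped() returns the attribute that did not match (the agent type in the telnet_external case above), which points directly at the rule field to correct, and mismatch_counts() shows at a glance whether the request is being rejected mostly on service, agent or another attribute.<br />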
Monitoring allow and deny rule audit events<br />
Another troubleshooting tool is the rule monitoring tool (acat_acls).<br />
This real-time monitoring tool enables you to display allow and deny<br />
rule audit events as they occur on the <strong>Sidewinder</strong> <strong>G2</strong>. Because the<br />
rule audit events are displayed in real-time, this tool provides a<br />
<strong>Sidewinder</strong> <strong>G2</strong> administrator a unique window by which to view<br />
<strong>Sidewinder</strong> <strong>G2</strong> rule activity. You can use the tool to determine if your<br />
rule database is properly configured, or to simply view how your<br />
rules are being used on a live system.<br />
For example:<br />
If you are not certain whether your Telnet rule is properly<br />
configured, you can start the monitoring tool, attempt your Telnet<br />
connection and see (in real-time) whether the connection is<br />
allowed or denied.<br />
If you want to see (in real-time) which rules are currently the most<br />
heavily used, start the monitoring tool and watch as the current<br />
rule audit events scroll by within a command window.
The remainder <strong>of</strong> this section provides information on using the<br />
monitoring tool. Information can also be found by typing<br />
man acat_acls at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt.<br />
Starting the rule monitoring tool (acat_acls)<br />
To start the rule monitoring tool, enter the following commands at a<br />
<strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
srole<br />
/usr/bin/acat_acls -a -d<br />
where:<br />
-a = display allow rule audit events<br />
-d = display deny rule audit events<br />
If you want to view only allow rule audit events or only deny rule<br />
audit events, simply omit the undesired option (-a or -d).<br />
Viewing the output from the rule monitoring tool<br />
Each rule audit event is displayed on a single 80-character line using<br />
the following format:<br />
Action Date Time Source Burb Source IP Dest. Burb Dest. IP Service Agent<br />
The source burb and the destination burb fields will display the burb<br />
index number, not the burb name. The following example shows both<br />
an allow rule audit event and a deny rule audit event:<br />
DENY 02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping proxy<br />
Halting and resuming rule monitoring tool output<br />
If the output from the monitoring tool is scrolling by too quickly, you<br />
can temporarily halt the output by pressing the following key<br />
combination:<br />
Ctrl-S<br />
To resume output, press the following key combination:<br />
Ctrl-Q<br />
Stopping the rule monitoring tool<br />
To stop the rule monitoring tool, press the following two keys<br />
simultaneously:<br />
Ctrl-C<br />
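As an added example (not from the guide or from the acat_acls tool itself), this Python snippet parses the nine-field acat_acls lines described above into structured events and tallies them, so that the live stream can be summarized rather than only watched. The sample lines are constructed: the guide's DENY line plus made-up ALLOW and DENY events in the same layout, with burbs given as index numbers.<br />

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "action when src_burb src_ip dst_burb dst_ip service agent")

# Constructed sample: the guide's DENY line followed by invented events in the
# same one-line-per-event format (Action Date Time SrcBurb SrcIP DstBurb DstIP Service Agent).
SAMPLE_LINES = """\
DENY  02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping proxy
ALLOW 02/05/05 02:41:10 2 192.168.179.76 1 192.168.180.87 http proxy
ALLOW 02/05/05 02:41:12 2 192.168.179.80 1 192.168.180.87 http proxy
DENY  02/05/05 02:41:15 2 192.168.179.76 1 192.168.180.87 telnet proxy
DENY  02/05/05 02:41:16 2 192.168.179.76 1 192.168.180.87 telnet proxy
DENY  02/05/05 02:41:18 2 192.168.179.76 1 192.168.180.87 ftp proxy
"""

LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src_burb>\d+)\s+(?P<src_ip>\S+)\s+(?P<dst_burb>\d+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<service>\S+)\s+(?P<agent>\S+)\s*$"
)


def parse_line(line):
    """Turn one acat_acls line into an Event, or None if the line is not an event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S")
    return Event(m["action"], when, int(m["src_burb"]), m["src_ip"],
                 int(m["dst_burb"]), m["dst_ip"], m["service"], m["agent"])


def parse_events(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def denies_by_service(events):
    """Which services are being denied most: a quick check that the policy does what you expect."""
    return dict(Counter(e.service for e in events if e.action == "DENY"))


def noisy_sources(events, threshold):
    """Sources denied at least `threshold` times (a misconfigured client or a probe)."""
    counts = Counter(e.src_ip for e in events if e.action == "DENY")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    print("denies by service:", denies_by_service(events))
    print("noisy sources (3+ denies):", noisy_sources(events, 3))
```

To use it on a live system, pipe the tool's output into the script instead of reading SAMPLE_LINES (for example acat_acls -a -d | python3 this_script.py with a small loop over sys.stdin); the per-service and per-source tallies then show the same facts the scrolling window does, in a form that can be compared from one change to the next.<br />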
Active rules and the DNS<br />
If you create a proxy rule that contains a host name or a domain<br />
name, that rule will consult the Domain Name System (DNS) in order<br />
to translate the name to its corresponding IP address. Because <strong>of</strong> this,<br />
there are some facts related to DNS that you should consider when<br />
setting up your security policy.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> can be configured to use transparent DNS, one<br />
DNS server (known as single or unbound DNS), or two DNS servers<br />
(known as split DNS). The split DNS scenario is the most secure, as<br />
one DNS server is dedicated to your Internet burb and the second<br />
DNS server services your remaining burbs. This essentially isolates the<br />
two DNS servers from each other, protecting your non-Internet burbs<br />
from attacks by malicious persons on the Internet.<br />
However, it is theoretically possible for attackers on the Internet to<br />
feed false information to your Internet DNS server. Therefore, you<br />
should be careful when using rules to allow or deny access to specific<br />
hosts on the Internet.<br />
When dealing with outside connections, there are steps that you can<br />
take to increase the level <strong>of</strong> assurance:<br />
1. Use IP addresses in your proxy rule instead <strong>of</strong> host names or domain<br />
names. This avoids having to depend on external DNS.<br />
2. Make the proxy rule demand strong authentication (for example,<br />
SafeWord).<br />
3. Make the proxy rule demand encryption <strong>of</strong> the connection (for<br />
example, VPN).<br />
For additional protection you should do a combination <strong>of</strong> the above.<br />
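An added example, not code from the guide: a small rule lint in Python that applies the three checks above to a rule set, flagging rules whose endpoints are host or domain names (and therefore depend on DNS answers), rules without strong authentication, and rules that do not require encryption. The rule attributes (source, dest, auth, encrypted), the rule names and addresses, and the set of authenticators treated as strong are this example's assumptions, not the Sidewinder G2's rule schema.<br />

```python
import ipaddress

# Constructed rule set for the example; names, hosts and addresses are made up.
SAMPLE_RULES = [
    {"name": "partner_ftp_in", "source": "ftp.partner.example", "dest": "10.1.2.3",
     "auth": "safeword", "encrypted": True},
    {"name": "vendor_telnet", "source": "203.0.113.0/24", "dest": "10.1.2.4",
     "auth": "password", "encrypted": False},
    {"name": "web_out", "source": "10.0.0.0/8", "dest": "*",
     "auth": "none", "encrypted": False},
    {"name": "vpn_admin", "source": "198.51.100.7", "dest": "10.1.2.5",
     "auth": "safeword", "encrypted": True},
]

# Assumption of this example: which authenticators count as strong
# (the guide names SafeWord as its example of strong authentication).
STRONG_AUTH = {"safeword"}


def is_address(spec):
    """True for an IP literal, a CIDR block or the wildcard '*'; False for a host/domain name."""
    if spec == "*":
        return True
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def lint_rule(rule):
    """Return the findings for one rule (empty list when it passes all three checks)."""
    findings = []
    for side in ("source", "dest"):
        if not is_address(rule[side]):
            findings.append(f"{side} '{rule[side]}' is a name: matching depends on DNS answers")
    if rule["auth"] not in STRONG_AUTH:
        findings.append(f"authentication '{rule['auth']}' is not strong")
    if not rule["encrypted"]:
        findings.append("connection is not required to be encrypted")
    return findings


def lint_rules(rules):
    """Map rule name -> findings, for rules that have any."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_rules(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

A rule that passes all three checks (vpn_admin above) is absent from the report; a rule that uses a name for an Internet-facing endpoint shows up even when it is otherwise strong, which is exactly the case the text warns about.<br />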
Understanding FTP and Telnet connection failure messages<br />
Depending on your <strong>Sidewinder</strong> <strong>G2</strong>’s configuration, FTP and Telnet<br />
users will see one <strong>of</strong> two messages when a connection attempt is<br />
denied by the <strong>Sidewinder</strong> <strong>G2</strong>. The type and meaning <strong>of</strong> these<br />
messages are summarized below.<br />
Table F-5. Connection failure messages for Telnet<br />
Message:<br />
telnet 192.55.214.24<br />
Trying 192.55.214.24<br />
Connected to 192.55.214.24<br />
Escape character is ‘^]’.<br />
Connection closed by foreign host.<br />
Possible Causes:<br />
✔ Rule entry denied the connection<br />
✔ Server is down<br />
✔ No proxy enabled on port but the <strong>Sidewinder</strong> <strong>G2</strong> server is enabled<br />
✔ Distinguishing IP addresses were used but no match was found<br />
Message:<br />
telnet 192.55.214.24<br />
telnet: Unable to connect to remote host: Connection refused.<br />
Possible Causes:<br />
✔ No proxy or <strong>Sidewinder</strong> <strong>G2</strong> server enabled on that port<br />
✔ Default route is wrong on client<br />
Note: Similar messages are displayed for failed FTP connections.<br />
Troubleshooting High Availability<br />
This section provides information to determine whether High<br />
Availability is functioning properly.<br />
Viewing configuration-specific information<br />
The cf failover query command gives you configuration-specific<br />
information, as shown in the following example:<br />
failover set priority=255<br />
multicast_group=239.192.0.1 \<br />
heartbeat_burb=internal firewall_id=1 \<br />
interface_test_time=30 ping_wait=0 load_sharing=<strong>of</strong>f<br />
interval_time=1 \ interface_test_failures=3<br />
enabled=on<br />
failover set password=pasword type=sha1<br />
failover add address alias=10.10.1.22 \<br />
remote=172.27.1.21 network=172.27.1.2<br />
failover add address alias=10.10.10.12 \<br />
remote=10.10.10.21 burb=internal<br />
Viewing status information<br />
The cf failover status command gives you information on<br />
whether or not HA is active, what state the system is in (primary or<br />
secondary/standby), and useful statistical information.<br />
Viewing status information for a primary<br />
The following example shows sample results for a primary in a peer-to-peer<br />
HA configuration:<br />
This system is operating as primary.<br />
Failover is running in burb 3<br />
IP alias 10.10.10.186 assigned to interface eb0<br />
IP alias 192.168.222.186 assigned to interface exp1<br />
IP alias 192.168.107.186 assigned to interface exp0<br />
This system was configured as a standby with priority<br />
245 for firewall ID 186.<br />
Failover interface status:<br />
Interface eb0 not monitored<br />
Interface exp1 up<br />
Interface exp0 not monitored<br />
IP Filter tracking state as primary<br />
Active firewall list:<br />
10.10.10.7<br />
Statistics for failover<br />
Failover running since Wed Feb 2 15:04:48 2005<br />
Failover allowing 3 seconds for interface swap<br />
(default)
Number <strong>of</strong> advertisements sent = 210<br />
Number <strong>of</strong> received advertisements = 0<br />
Number <strong>of</strong> rcvd advertisements since primary = 0<br />
Number <strong>of</strong> times this system has become primary = 1<br />
Number <strong>of</strong> release messages received = 0<br />
Number <strong>of</strong> release messages sent = 0<br />
Number <strong>of</strong> failed takeover attempts = 0<br />
Number <strong>of</strong> possible duplicate primary messages = 0<br />
Number <strong>of</strong> heartbeat ack messages received = 0<br />
Number <strong>of</strong> heartbeat ack messages sent = 0<br />
Number <strong>of</strong> messages received with errors = 0<br />
Number <strong>of</strong> same priority advertisements rcvd = 0<br />
Number <strong>of</strong> pings received on interface eb0 = 0<br />
Number <strong>of</strong> pings received on interface exp1 = 7<br />
Number <strong>of</strong> pings received on interface exp0 = 0<br />
Viewing status information for a secondary<br />
The following example shows sample results for a secondary that is<br />
configured for load sharing HA:<br />
This system is operating in load sharing mode as<br />
secondary.<br />
This system is node 1.<br />
The primary is node 0 (10.10.10.6).<br />
Failover is running in burb 3<br />
cluster heartbeat address 10.10.10.186 assigned to<br />
interface eb0<br />
shared cluster address 192.168.222.186 assigned to<br />
interface exp1<br />
shared cluster address 192.168.107.186 assigned to<br />
interface exp0<br />
Failover interface status:<br />
Interface eb0 not monitored<br />
Interface exp1 up<br />
Interface exp0 not monitored<br />
IP Filter tracking state as load sharing peer<br />
Active firewall list:<br />
node address<br />
0 10.10.10.6 (primary)<br />
Statistics for failover<br />
Failover running since Wed Feb 2 14:08:52 2005<br />
Failover allowing 3 seconds for interface swap<br />
(default)<br />
Number <strong>of</strong> advertisements sent = 0<br />
Number <strong>of</strong> received advertisements = 1404<br />
Number <strong>of</strong> rcvd advertisements since primary = 1404<br />
Number <strong>of</strong> times this system has become primary = 0<br />
Number <strong>of</strong> release messages received = 0<br />
Number <strong>of</strong> release messages sent = 0<br />
Number <strong>of</strong> failed takeover attempts = 0<br />
Number <strong>of</strong> possible duplicate primary messages = 0<br />
Number <strong>of</strong> heartbeat ack messages received = 0<br />
Number <strong>of</strong> heartbeat ack messages sent = 1404<br />
Number <strong>of</strong> messages received with errors = 0<br />
Number <strong>of</strong> same priority advertisements rcvd = 0<br />
Number <strong>of</strong> pings received on interface eb0 = 0<br />
Number <strong>of</strong> pings received on interface exp1 = 46<br />
Number <strong>of</strong> pings received on interface exp0 = 0<br />
Tip: The failover daemon is named faild. Enter the pss faild command to determine<br />
whether the failover daemon is active.<br />
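An added example, not from the guide: a Python parser for the cf failover status output shown above, with a few health checks on the parsed role, interface states and counters. The two inputs are the guide's primary and secondary samples, re-typed with wrapped lines joined and trimmed to the lines the parser reads; the "down" interface state and the interpretation of the counters as warnings are this example's assumptions.<br />

```python
import re

# Constructed inputs: the guide's two "cf failover status" samples, re-typed and
# trimmed to the lines this parser uses.
PRIMARY_STATUS = """\
This system is operating as primary.
Failover is running in burb 3
This system was configured as a standby with priority 245 for firewall ID 186.
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as primary
Number of advertisements sent = 210
Number of received advertisements = 0
Number of times this system has become primary = 1
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of messages received with errors = 0
Number of pings received on interface exp1 = 7
"""

SECONDARY_STATUS = """\
This system is operating in load sharing mode as secondary.
This system is node 1.
The primary is node 0 (10.10.10.6).
Failover is running in burb 3
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as load sharing peer
Number of advertisements sent = 0
Number of received advertisements = 1404
Number of rcvd advertisements since primary = 1404
Number of times this system has become primary = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages sent = 1404
Number of messages received with errors = 0
"""

ROLE_RE = re.compile(r"^This system is operating (?P<ls>in load sharing mode )?as (?P<role>\w+)\.")
# "down" is assumed here; the guide's samples show only "up" and "not monitored".
IFACE_RE = re.compile(r"^Interface (?P<name>\S+) (?P<state>up|down|not monitored)$")
COUNTER_RE = re.compile(r"^Number of (?P<what>.+?) = (?P<n>\d+)$")


def parse_status(text):
    """Pick the role, load sharing flag, interface states and counters out of the output."""
    st = {"role": None, "load_sharing": False, "interfaces": {}, "counters": {}}
    for line in text.splitlines():
        line = line.strip()
        m = ROLE_RE.match(line)
        if m:
            st["role"] = m["role"]
            st["load_sharing"] = m["ls"] is not None
            continue
        m = IFACE_RE.match(line)
        if m:
            st["interfaces"][m["name"]] = m["state"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            st["counters"][m["what"]] = int(m["n"])
    return st


def health_warnings(st):
    """Conditions an administrator would want to look at (assumed thresholds)."""
    warnings = []
    c = st["counters"]
    # A standby or load sharing secondary that has never heard the primary has
    # no heartbeat path; a primary legitimately receives nothing in peer-to-peer mode.
    if st["role"] != "primary" and c.get("received advertisements", 0) == 0:
        warnings.append("no advertisements received from the primary: check the heartbeat burb")
    for name, state in st["interfaces"].items():
        if state == "down":
            warnings.append(f"monitored interface {name} is down")
    for key in ("failed takeover attempts", "possible duplicate primary messages",
                "messages received with errors"):
        if c.get(key, 0) > 0:
            warnings.append(f"{key} = {c[key]}")
    return warnings


if __name__ == "__main__":
    for text in (PRIMARY_STATUS, SECONDARY_STATUS):
        st = parse_status(text)
        print(st["role"], "load sharing" if st["load_sharing"] else "peer-to-peer", health_warnings(st))
```

Feeding it the output of cf failover status from both members makes the comparison the text asks for (is HA active, which state is each system in) mechanical, and the counter checks turn a wall of statistics into a short list of things to investigate.<br />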
Identifying load sharing addresses in netstat and ifconfig<br />
Output for netstat -i queries will display load sharing addresses<br />
with a plus (+) sign. The following example displays the results for<br />
the netstat -i command with load sharing enabled.
Name Index MTU Speed Mtrc Burb Address Network<br />
em0 1 1500 100M 0 external 00:0c:f1:c7:ba:ea<br />
em0+ 1 0 external 172.27.1.22 172.27<br />
em0 1 0 external 172.27.1.2 172.27<br />
exp0 2 1500 100M 0 internal 00:a0:c9:9d:99:a1<br />
exp0+ 2 0 internal 10.10.10.22 10.10.10/24<br />
exp0 2 0 internal 10.10.10.2 10.10.10/24<br />
eb0 3 1500 100M 0 heartbeat 00:10:5a:98:51:26<br />
eb0 3 0 heartbeat 10.10.1.2 10.10.1/24<br />
eb0 3 0 heartbeat 10.10.1.22 10.10.1/24<br />
lo0 4 1500 0 Firewall<br />
lo0 4 0 Firewall 127.0.0.1 127<br />
lo0 4 0 external 127.1.0.1 127<br />
lo0 4 0 internal 127.2.0.1 127<br />
lo0 4 0 heartbeat 127.3.0.1 127<br />
Output for ifconfig -a queries will display load sharing addresses<br />
with the word shared. The following example displays the results for<br />
the ifconfig -a command with load sharing enabled.<br />
em0: flags=8843<br />
link type ether 0:c:f1:c7:ba:ea mtu 1500 speed 100Mbps<br />
media auto (100basetx full_duplex) status active<br />
inet 172.27.1.22 netmask 255.255.0.0 broadcast 172.27.255.255<br />
burb external, burb index 1 shared<br />
inet 172.27.1.2 netmask 255.255.0.0 broadcast 172.27.255.255<br />
burb external, burb index 1<br />
exp0: flags=8843<br />
link type ether 0:a0:c9:9d:99:a1 mtu 1500 speed 100Mbps<br />
media auto (100basetx full_duplex) status active<br />
inet 10.10.10.22 netmask 255.255.255.0 broadcast 10.10.10.255<br />
burb internal, burb index 2 shared<br />
inet 10.10.10.2 netmask 255.255.255.0 broadcast 10.10.10.255<br />
burb internal, burb index 2<br />
eb0: flags=8843<br />
link type ether 0:10:5a:98:51:26 mtu 1500 speed 100Mbps<br />
media auto (100basetx full_duplex) status active<br />
inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255<br />
burb heartbeat, burb index 3<br />
inet 10.10.1.22 netmask 255.255.255.0 broadcast 10.10.1.255<br />
burb heartbeat, burb index 3<br />
lo0: flags=8009<br />
link type loop mtu 1500<br />
inet 172.0.0.1 netmask 255.0.0.0<br />
burb Firewall, burb index 0<br />
inet 172.1.0.1 netmask 255.0.0.0<br />
burb external, burb index 1<br />
inet 172.2.0.1 netmask 255.0.0.0<br />
burb internal, burb index 2<br />
inet 172.3.0.1 netmask 255.0.0.0<br />
burb heartbeat, burb index 3<br />
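An added example, not from the guide: two small parsers that pull the load sharing (shared) addresses out of the netstat -i and ifconfig -a formats shown above, using the plus sign in the one and the word shared in the other, and then compare the two views so that a disagreement between them stands out. The inputs are the guide's samples re-typed with plain spacing and trimmed; the comparison function is this example's addition.<br />

```python
import ipaddress

# Constructed inputs: the guide's netstat -i and ifconfig -a samples with load
# sharing enabled, re-typed with plain spacing and trimmed to the relevant lines.
NETSTAT_I = """\
Name  Index MTU  Speed Mtrc Burb      Address            Network
em0   1     1500 100M  0    external  00:0c:f1:c7:ba:ea
em0+  1                0    external  172.27.1.22        172.27
em0   1                0    external  172.27.1.2         172.27
exp0  2     1500 100M  0    internal  00:a0:c9:9d:99:a1
exp0+ 2                0    internal  10.10.10.22        10.10.10/24
exp0  2                0    internal  10.10.10.2         10.10.10/24
eb0   3     1500 100M  0    heartbeat 00:10:5a:98:51:26
eb0   3                0    heartbeat 10.10.1.2          10.10.1/24
eb0   3                0    heartbeat 10.10.1.22         10.10.1/24
"""

IFCONFIG_A = """\
em0: flags=8843
    link type ether 0:c:f1:c7:ba:ea mtu 1500 speed 100Mbps
    inet 172.27.1.22 netmask 255.255.0.0 broadcast 172.27.255.255
    burb external, burb index 1 shared
    inet 172.27.1.2 netmask 255.255.0.0 broadcast 172.27.255.255
    burb external, burb index 1
exp0: flags=8843
    inet 10.10.10.22 netmask 255.255.255.0 broadcast 10.10.10.255
    burb internal, burb index 2 shared
    inet 10.10.10.2 netmask 255.255.255.0 broadcast 10.10.10.255
    burb internal, burb index 2
eb0: flags=8843
    inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255
    burb heartbeat, burb index 3
    inet 10.10.1.22 netmask 255.255.255.0 broadcast 10.10.1.255
    burb heartbeat, burb index 3
"""


def _is_ipv4(s):
    """Distinguish a dotted-quad address from MAC addresses, network prefixes and counters."""
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def shared_from_netstat(text):
    """netstat -i marks a load sharing address by a '+' suffix on the interface name."""
    shared = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith("+"):
            continue
        addr = next((f for f in fields[1:] if _is_ipv4(f)), None)
        if addr:
            shared.add((fields[0][:-1], addr))
    return shared


def shared_from_ifconfig(text):
    """ifconfig -a marks a load sharing address with 'shared' on the burb line that follows its inet line."""
    shared, iface, addr = set(), None, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # "em0: flags=..." starts a new interface
            iface, addr = line.split(":")[0], None
            continue
        words = line.split()
        if words[:1] == ["inet"]:
            addr = words[1]
        elif words[:1] == ["burb"] and words[-1] == "shared" and addr:
            shared.add((iface, addr))
    return shared


def disagreements(netstat_text, ifconfig_text):
    """(interface, address) pairs that only one of the two views reports as shared."""
    return shared_from_netstat(netstat_text) ^ shared_from_ifconfig(ifconfig_text)


if __name__ == "__main__":
    print("shared per netstat: ", sorted(shared_from_netstat(NETSTAT_I)))
    print("shared per ifconfig:", sorted(shared_from_ifconfig(IFCONFIG_A)))
    print("disagreements:", disagreements(NETSTAT_I, IFCONFIG_A))
```

On a healthy load sharing member the two views agree and disagreements() is empty; a non-empty result after an interface change is a concrete sign that the HA Interfaces table and the live interface configuration have drifted apart.<br />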
Interface configuration issues with HA<br />
If you modify your interface configuration, your HA configuration will<br />
not function until you update the HA Interfaces table (in the Admin<br />
Console, select High Availability -> Common Parameters tab) to match<br />
the modified interface configuration. When you are finished updating<br />
the interface information, reboot the <strong>Sidewinder</strong> <strong>G2</strong>s.<br />
Troubleshooting remote interface test failover for peer-to-peer HA<br />
If you have a peer-to-peer HA cluster configured and the remote host<br />
used for interface testing becomes unavailable, the primary will report<br />
an interface failure (after the specified number <strong>of</strong> failed ping attempts<br />
is reached) and failover will occur. When this happens, the new<br />
primary will receive the interface failure status from the former<br />
primary, and interface failure testing will be disabled. In this state, the<br />
standby will take over for the primary only if the primary becomes<br />
unavailable.<br />
Once the remote host is restored, you will need to issue the cf<br />
failover reset command on the standby, and then on the primary<br />
to reset and re-enable the interface failover indicators.<br />
Troubleshooting NTP<br />
If you have NTP properly configured and enabled, you should be able<br />
to monitor NTP packets being sent/received on the appropriate<br />
<strong>Sidewinder</strong> <strong>G2</strong> interfaces. To do so, enter the following command:<br />
tcpdump -npi ext_interface# port 123<br />
where: ext_interface# is the external interface and number (for<br />
example em0, em1, etc.)<br />
NTP packets should be sent/received every 15-30 seconds.<br />
To check the exact time, enter the date command and compare it to a<br />
known good clock source (for example, www.time.gov).<br />
Note: An NTP proxy and an NTP server cannot run in the same burb. Therefore, if you<br />
have a proxy enabled and running in the same burb as the NTP server, the NTP server will<br />
not start.<br />
Why did NTP stop?<br />
NTP is designed to automatically quit whenever the client’s time<br />
deviates from the server’s signal by more than 15 minutes. When a<br />
deviation <strong>of</strong> this magnitude occurs, NTP writes a message to file<br />
/var/log/messages before quitting.<br />
To restart NTP, first set the <strong>Sidewinder</strong> <strong>G2</strong>’s clock manually (refer to<br />
“Setting the system date and time” in Chapter 3) and then follow the<br />
directions below for restarting NTP.<br />
Why does NTP appear to be inaccurate?<br />
You probably have fixclock running.<br />
NTP clients will not synchronize with the <strong>Sidewinder</strong> <strong>G2</strong><br />
This may be because, when the <strong>Sidewinder</strong> <strong>G2</strong> is configured as an<br />
NTP server, it reports itself as a stratum 0 time server. Not all clients<br />
can synchronize from a stratum 0 server. To change the stratum<br />
setting, type the following command:<br />
cf ntp add server burb=burbname ip=127.127.1.0<br />
where: burbname = the burb that is serving time to the NTP clients.<br />
If the <strong>Sidewinder</strong> <strong>G2</strong> is serving time to clients in multiple burbs, and<br />
one or more clients in each burb has a problem with stratum 0<br />
servers, you must type this command once for each burb.<br />
Restarting NTP from the UNIX prompt<br />
If the NTP process stops, you can restart the NTP process by doing<br />
the following:<br />
1. At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, log in and enter the following<br />
command to switch to the Admn role:<br />
srole<br />
2. To start the NTP time server, enter the following command:<br />
cf server restart ntp burb=burb<br />
3. [Optional] Verify the state <strong>of</strong> the NTP servers by entering the following<br />
command:<br />
cf server status ntp<br />
VPN troubleshooting commands<br />
In addition to standard logging, the <strong>Sidewinder</strong> <strong>G2</strong> also performs<br />
auditing <strong>of</strong> certain system events which allows you to generate<br />
information on VPN connections. Table F-6 shows some useful<br />
commands you can use to track VPN connections in real-time mode<br />
and check VPN settings/configuration.<br />
Table F-6. Basic <strong>Sidewinder</strong> <strong>G2</strong> VPN troubleshooting commands<br />
Command: tcpdump -npi ext_interface port 500 or proto 50<br />
Purpose: Show IPSec and ESP traffic arriving at the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Command: cf ipsec q<br />
Purpose: Review VPN policies on the console.<br />
Command: cf ipsec policydump<br />
Purpose: Determine if VPN is active; the presence <strong>of</strong> SPI and transform numbers<br />
indicates the secure connection is functioning.<br />
Command: showaudit -v<br />
Purpose: Show detailed audit trace information for VPN. To enable a more detailed<br />
auditing level, in the Admin Console select VPN Configuration -> ISAKMP<br />
Server and change the audit level using the pull-down menu.<br />
REFERENCE<br />
<strong>Glossary</strong><br />
ACE/Server A server made by Security Dynamics Incorporated that can be used to<br />
authenticate users attempting connections through (or to) the <strong>Sidewinder</strong><br />
<strong>G2</strong>.<br />
ACL (access control list) Another term for active rule group.<br />
activation The process by which a customer’s licensed s<strong>of</strong>tware becomes active.<br />
activation key A string <strong>of</strong> numbers and characters that allows the operation <strong>of</strong> the<br />
s<strong>of</strong>tware.<br />
active rule group A rule group, <strong>of</strong>ten made up <strong>of</strong> nested rule groups and rules, that is<br />
loaded in to the <strong>Sidewinder</strong> <strong>G2</strong> kernel and begins actively monitoring<br />
traffic coming into and leaving the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
ActiveX Micros<strong>of</strong>t’s name for certain object-oriented programming technologies<br />
and tools. ActiveX is <strong>of</strong>ten downloaded and executed on a local system<br />
when browsing the Internet, and may require specific port restrictions.<br />
Consult Micros<strong>of</strong>t’s documentation for more information.<br />
Admin Console The graphic user interface (GUI) used to configure and manage the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. The Admin Console runs on Windows-based platforms.<br />
Admin Console tree The hierarchical layout in the left-hand panel <strong>of</strong> the Admin Console.<br />
Admn domain The physical and logical resources within the UNIX operating system that<br />
have access to most <strong>of</strong> the other domains.<br />
admin role The role is assigned to administrators authorized to work in the Admn<br />
domain with full privileges. An administrator assigned the admin role can<br />
use all menus and commands in the Admin Console. This includes adding<br />
or removing users, backing up and restoring the system, and using all<br />
other system functions and commands.<br />
adminRO role The read-only role assigned to administrators authorized to access and<br />
view, but not modify, information. The adminRO role is essentially an<br />
auditor role, allowing the administrator to view system and audit<br />
information, as well as generate reports.<br />
<strong>Glossary</strong> G-1
Administrative kernel A UNIX kernel that provides the environment needed to perform<br />
administrative tasks such as installing s<strong>of</strong>tware or running a system<br />
backup. When the Administrative kernel is running, all network<br />
connections are disabled and Internet services are not available; Type<br />
Enforcement security is disabled. See also Operational kernel.<br />
alarm event A <strong>Sidewinder</strong> <strong>G2</strong> feature used to monitor your network for potentially<br />
threatening activity, such as an attempted attack or an audit overflow.<br />
When an alarm event is generated, an appropriate event response is<br />
issued.<br />
alias An arbitrary name that a system administrator can assign to a network<br />
element. Aliases can typically be any combination <strong>of</strong> up to 16 characters<br />
(without spaces).<br />
API (application program interface) A stable, published s<strong>of</strong>tware interface to an operating system or specific<br />
s<strong>of</strong>tware program by which a programmer writing a custom application<br />
can make requests <strong>of</strong> the operating system or specific s<strong>of</strong>tware program.<br />
(An API provides an easy and standardized connection to a particular<br />
s<strong>of</strong>tware component.)<br />
Application Defenses A feature that is incorporated in proxy rules to configure application-specific<br />
properties for each proxy on a per-rule basis. Properties include<br />
basic timeout properties and application-specific permissions, as well as<br />
anti-virus, anti-spam, SSL decryption, and Web services management for<br />
key proxies.<br />
application-layer proxy Also known as an intelligent proxy. Application-layer proxies check<br />
application-layer data as it comes into the <strong>Sidewinder</strong> <strong>G2</strong>. If the data is<br />
compliant with that application’s standard, the <strong>Sidewinder</strong> <strong>G2</strong> initiates a<br />
new connection on its opposite side and passes on the data. If the data is<br />
not compliant, the <strong>Sidewinder</strong> <strong>G2</strong> drops the data.<br />
auditing A method <strong>of</strong> collecting and storing information that can be used to track<br />
system activity (for example authentication attempts, configuration<br />
modifications, stopping and starting <strong>of</strong> services, etc.).<br />
authentication A process that verifies the authenticity <strong>of</strong> a person or system before<br />
allowing access to a network system or service.<br />
authenticator A device or mechanism used to verify the identity <strong>of</strong> an individual logging<br />
onto a network, application, or computer. Authenticators are also called<br />
tokens.<br />
BIND (Berkeley Internet Name Domain) A standard program which implements the Domain Name Service (DNS).<br />
BSD/OS The operating system obtained from Wind River, Inc., and used as a base<br />
for developing SecureOS. See also SecureOS.<br />
burb A set <strong>of</strong> one or more interfaces and the group <strong>of</strong> systems connected to<br />
each interface that are to be treated the same from a system security<br />
policy point <strong>of</strong> view.<br />
certificate See digital certificate.<br />
Certificate Authority (CA) A highly trusted entity that issues and revokes certificates for a set <strong>of</strong><br />
subjects, and is ultimately responsible for their authenticity.<br />
CGI (common gateway interface) Any server-side code that accepts data from forms via HTTP. The forms<br />
are generally on Web pages and submitted by end users.<br />
challenge A set <strong>of</strong> random numbers generated by the computer being accessed. The<br />
numbers are entered into the authenticator, which then generates a<br />
password. You can set some authenticators to generate a password in<br />
response to a challenge.<br />
cipher key In order for encryption to be unique, it uses a random set <strong>of</strong> characters,<br />
called a cipher key. Encrypting data using two different keys will produce<br />
two completely different results. All authenticators contain at least one<br />
key that they use to generate passwords.<br />
circuit proxy See network-layer proxy.<br />
client A program or user that requests network service(s) from a server.<br />
Configuration Wizard A Windows-based program that allows you to create an initial<br />
configuration for your <strong>Sidewinder</strong> <strong>G2</strong> or <strong>G2</strong> Enterprise Manager.<br />
daemon A s<strong>of</strong>tware routine within UNIX that runs in the background, performing<br />
system-wide functions.<br />
daemond (Pronounced daimon-dee) A powerful <strong>Sidewinder</strong> <strong>G2</strong> component process<br />
that enhances overall security by monitoring and controlling all <strong>of</strong> the<br />
<strong>Sidewinder</strong> <strong>G2</strong>’s major s<strong>of</strong>tware components. It also detects and audits<br />
some classes <strong>of</strong> attacks against the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
dark data center A term used to describe a data process facility where all machines are<br />
designed to be managed remotely. This type <strong>of</strong> facility maximizes storage<br />
space by rack-mounting computers and minimizes overhead costs by not<br />
needing lights. Machines stored in a dark data center ideally require<br />
minimal physical human interaction.<br />
digital certificate: A data structure that is digitally signed by a CA, or a signature source that users can trust. The certificate contains a series of values, such as the certificate name and usage, information identifying the owner of the public key, the public key itself, an expiration date, and the name of the CA that generated the certificate.
DMZ (demilitarized zone): A network buffer zone that generally hosts services that require interaction with Internet traffic, while still protecting internal systems. On Sidewinder, the DMZ is generally a burb for hosting Web servers and other hosts that receive large volumes of external, untrusted traffic.
DNS (domain name system): A TCP/IP service that maps domain and host names to IP addresses, IP addresses to domain and host names, and provides information about services and points of contact in a network or the Internet. A set of connected name servers and resolvers allows users to use a host name rather than a 32-bit Internet address.
domain: (1) Relative to networking, the portion of an Internet address that denotes the name of a computer network. For instance, in the address jones@bizco.sales.com, the domain is bizco.sales.com. (2) Relative to Type Enforcement, an attribute applied to a process running on SecureOS that determines which system operations the process may perform.
DoS (denial of service): Event in which a network experiences a loss of a service, like e-mail or a Web server, that is expected to be available. This event is generally caused by a malicious attack, but may also happen accidentally.
DSS (defender security server): A server made by AssureNet Pathways that can be used to authenticate users attempting connections through (or to) the Sidewinder G2. See also SecureNet Key (SNK).
dynamic password: The unique one-time response to a login challenge or special code presented by an authentication server. Each password is obtained using a software or hardware authenticator that communicates with a password generator.
editor: A program that can be used to create or modify text files. See also File Editor.
encryption: Data encryption uses a secret code to scramble information so that it can be read only by computers using the same code or encryption technology. While encryption reduces the risk of unauthorized access, it does not create a totally safe networking environment on its own.
end user: See user.
event response: A response to an alarm event that includes notifying the administrator and/or performing a Strikeback.
extended authentication (XAUTH): An extension of the IKE protocol. It provides a mechanism to employ an administrator-selected authentication mechanism in addition to the existing IKE authentication (that is, in addition to certificate-based or pre-shared key authentication). It initiates after the existing IKE authentication mechanism is successful. XAUTH enables use of strong authentication (sometimes referred to as legacy authentication) in VPN configurations.
external DNS: External DNS provides a limited external view of the organizational domain. No internal information is available to the external DNS and only the external DNS can communicate with the outside. Therefore, no internal naming information can be obtained by anyone on the outside. The external DNS cannot query the internal DNS or any other DNS server inside the Sidewinder G2.
failover: See high availability.
failure mode: See safe mode.
File Editor: The program available directly in the Admin Console that can be used to create or modify text files. The File Editor communicates with the Sidewinder G2 using a secured connection.
firewall: A network component that filters traffic between a designated “protected network” and external networks. A firewall ensures that the protected network is safe from unauthorized entry and file manipulation.
firewall ID: The MAC address by which you choose to identify your Sidewinder G2. The firewall ID is used when activating your Sidewinder G2.
fixed password: A string of characters of varying length and composition (text and/or numerics) used to identify a user attempting to access a service. Fixed passwords remain unchanged unless given a finite life span. Fixed passwords are also known as memorized passwords.
FTP (file transfer protocol): A protocol used on the Internet for transferring files.
FTP site: An Internet site that hosts directories and files that you can browse and copy to your system using the file transfer protocol (FTP).
gateway: A network component used to connect two or more networks that may use dissimilar protocols and data transmission media.
generic proxy: An administrator-configured Sidewinder G2 proxy that is not part of the Sidewinder G2’s preconfigured proxies.
group: Logical groupings of two or more users, identified by a single name. See rule groups, user groups.
hardware acceleration: A licensed feature that improves throughput for system performance when processing traffic. This feature consists of both hardware and software elements.
hardware authenticator: Also referred to as tokens. Hardware authenticators are hand-held devices that use an internally held cryptographic variable to generate a dynamic (single-use) passcode.
high availability: A licensed feature that allows a second Sidewinder G2 to be configured either in a load sharing capacity or in "hot backup" mode.
host: Any computer connected to a network; for example, a workstation, router, Sidewinder G2, or server.
HTML (hypertext markup language): A simple programming language used to create Web documents. Hypertext uses special links that you can click to jump from one related topic to another.
HTTP (hypertext transfer protocol): An agreed-upon format (protocol) that requests and transfers HTML documents on the World Wide Web.
HTTPS (hypertext transfer protocol secure): An agreed-upon format (protocol) that requests and transfers HTML documents on the World Wide Web in a secured manner.
ICANN (Internet Corporation for Assigned Names and Numbers): A U.S. non-profit organization designated to allocate IP address space, assign protocol parameters, perform domain name system management, and maintain root server systems. Other domain registration companies are available.
IETF (Internet Engineering Task Force): The organization that developed the IPSec standard which protects data on unprotected (or untrusted) networks such as the Internet.
IKE (Internet key exchange): A key management protocol standard which automates the implementations of other protocols (ISAKMP, Oakley, etc.) used in a VPN connection.
interface: A shared boundary through which information can be exchanged. (An interface may be a shared portion of computer software accessed by two or more programs, a hardware component linking two devices, or a device or program allowing a user to communicate with and use the computer or program.)
internal DNS: Manages DNS information only available to internal machines. The internal name server cannot receive queries from external hosts since it cannot communicate directly with the external network. Resolution of external DNS information, both for the Sidewinder G2 itself and to handle internal queries for external information, is handled by the internal name server. Although it is unable to communicate directly with external hosts, it is able to send queries and receive the responses via the external DNS.
IP address: A 32-bit address that uses standard dotted quad notation assigned to TCP/IP network devices. An IP address is unique to each machine on the Internet. An IP address contains a network and host field.
IP Filter: Provides the ability to specify rules to allow IP-based traffic to flow through the Sidewinder G2 at the network layer. For example, traffic may pass through the Sidewinder G2 without being passed to the application proxies. IP Filter can be used for tracking TCP session states, and is sometimes referred to as "stateful inspection."
IPSec (Internet Protocol Security): A set of standards created to provide data integrity and confidentiality at the IP layer of the network stack.
ISAKMP (internet security association and key management protocol): A protocol framework which sets the parameters for a VPN connection by defining the payload format, how the key exchange protocol will be implemented, and how the security association will be negotiated.
ISP (Internet Service Provider): A company that provides individuals and other companies access to the Internet and other related services such as Web site building and virtual hosting. An ISP has the equipment and the telecommunication line access required to have a point-of-presence (POP) on the Internet for the geographic area served.
kernel: Manages all physical resources, including scheduling of processes, virtual memory, file system management, reading and writing files to disk or tape, printing, and network communications. The Sidewinder G2 is run in one of two kernels: the operational kernel or the administrative kernel.
key pair: The reference to a private key and a mathematically-related public key. The private key is safeguarded by the owner, and known only to them. The public key can be distributed to anyone. This allows one key to be used for encryption, and the other key to be used for decryption.
key pair generation: The process of generating mathematically-related public/private key pairs.
LDAP: Lightweight Directory Access Protocol. An Internet standard for directory services that run over TCP/IP.
login ID: When used in conjunction with a password, a means of authentication to start a session with a computer system.
MAC (media access control): A unique address assigned to network interface card hardware as a means of identification. Sidewinder G2 licenses are locked to a MAC address on the Sidewinder G2.
mail server: A network computer that serves as an intermediate station for electronic mail transfers.
man page: Short for manual page, refers to the online help that is available within the UNIX operating system. For example, entering man ls at the UNIX prompt displays a description of the UNIX ls command.
MAT (multiple address translation): The ability for a single Sidewinder G2 interface to support multiple external IP addresses so that inbound connections can be directed based on IP addresses and service. MAT allows proxies to be directed to different destinations for the same service by the IP address to which it was connected.
MIB (management information base): Within SNMP architecture, a database that stores information about managed objects. These objects are used in the management of networks.
MIME (Multi-purpose Internet Mail Exchange): Allows a mail client or Web browser to send and receive non-textual information, such as graphics, audio, video, and spreadsheets.
MX (mail exchanger) records: Entries in DNS that define where e-mail addresses within domain names get delivered.
name resolution: The process in which name servers supply address and hostname information to hosts.
name server: A network computer that maintains a relationship between IP addresses and corresponding domain names.
NAS (Network Access server): A computer that is specially made to receive communications from outside an organization and distribute them within the organization on its network. It uses TACACS+, RADIUS, or other protocols for authorization and sometimes for accounting.
NAT (network address translation): The ability of the Sidewinder G2 to rewrite the source address of a packet to a new IP address specified by the administrator.
nested rule group: A nested rule group is a rule group that you place within another rule group.
network-layer proxy: Also known as a circuit proxy. Network-layer proxies check data at the transport and session (TCP/IP) layers to verify that the data packet complies with expected standards.
NIC (network interface card): Hardware, like a computer circuit board, that contains a port or a jack that enables a computer to connect to network wiring (ethernet cable, phone line, etc.).
NNTP (network news transport protocol): The protocol by which network news articles are transferred or read across the Internet.
node: (1) Any network device such as a workstation or server. (2) The connection point for devices in a network.
non-anonymous FTP: An FTP site that can only be accessed by individuals who enter a valid user name and password.
nslookup (name server lookup): A UNIX command that allows you to interactively query a DNS server and ensure the name server is properly resolving host names and IP addresses.
NSS (network service sentry): Manages servers and proxy services on the Sidewinder G2.
NTP (network time protocol): A protocol that provides a way to synchronize all clocks on a network, or to synchronize the clocks on one network with those on another network.
object: Generally an item that you can individually select and manipulate, including shapes and pictures that appear on a display screen, as well as less tangible software entities.
ODBC (Open Database Connectivity): A widely accepted application programming interface (API) for database access. It is based on the Call-Level Interface (CLI) from X/Open and ISO/IEC for database APIs and uses Structured Query Language (SQL) as its database access language.
off-line: State of a computer when it is not connected to another device.
on-line: State of a computer when it is connected to another device.
operational kernel: The Sidewinder G2 SecureOS kernel that provides the normal operating state, including Type Enforcement controls. When this kernel is running, the Sidewinder G2 can connect to both the Internet and the internal network, and all configured services are operational.
OS (Operating System): The master control program that keeps everything flowing smoothly inside your computer.
OSPF (Open Shortest Path First): A routing protocol that dynamically updates changes to routing table information. This protocol is an enhancement over previous protocols that required entire tables to be updated instead of changed data only.
packet filtering: Packet filters allow network administrators to limit a user's access to specific services on the network. For example, a user may be allowed to send electronic mail, but not copy data files from the network. Packet filtering on the communications server analyzes each message being sent from a remote client. The filter can determine the computer and service the user is attempting to reach and either permit or deny access to that service.
password: The most common form of authentication security. Some networks require multiple levels of passwords to gain access to various servers or databases. Passwords become weak links when they are shared among colleagues, stolen, written down, or created in such a way that they can be easily guessed.
PIN (Personal Identification Number): A number known only by an individual for the purpose of helping identify a person during a computer-based authentication process. PINs should be memorized by the individual.
ping: A command that sends an ICMP message from a host to another host over a network to test connectivity and packet loss.
PKI: Public Key Infrastructure. A PKI is a system for distributing public cryptographic keys within a community of interested users. The predominant model (based on X.509) makes use of digital certificates generated by certificate authorities. A PKI enables secure remote communication in a number of network application areas.
port: The number that identifies the destination application process for transmitted data. Port numbers range from 1 to 65535. (For example, Telnet typically uses port 23, DNS uses 53, etc.)
primary name server: The DNS server for a domain where the name information is stored and maintained.
private key: The private key is used to decrypt messages that were encrypted with the corresponding public key. A private key can also be used to digitally sign messages. The recipient can use the corresponding public key to verify the authenticity of the message.
protocol: A set of rules by which one entity communicates with another, especially over a network. This is important when defining rules by which clients and servers talk to each other over a network. Important protocols become published, standardized, and widespread.
proxy: A software agent that acts on behalf of a user requesting a network connection through the Sidewinder G2. Proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, optionally perform additional authentication, and then complete a connection on behalf of the user to a remote destination.
proxy server: A server that acts on behalf of another server, and may perform tasks such as caching, access control, or providing a route to a destination server. Administrators may choose to configure proxy servers as transparent, meaning the end user is unaware of the proxy server’s presence, or non-transparent, meaning the end user must authenticate to, or interact with, the server.
public key: A public key is used to encrypt messages that only the holder of the corresponding private key can decrypt. Public keys can also be used to verify the authenticity of digitally-signed documents.
public key cryptography: A class of cryptographic methods that employ a pair of keys for encrypting and decrypting messages. A message encrypted with the public key can only be decrypted with the corresponding private key. Within a public key cryptography system, the public key may be made public without compromising the encrypted data. Public key cryptography enables encryption and digital signatures, and simplifies cryptographic key distribution through the use of a public key infrastructure.
RADIUS: Remote Authentication Dial-In User Service. An authentication protocol developed by Livingston Enterprises Inc. Recognized by the Internet Engineering Task Force (IETF) as a dial-in security solution on the Internet (RFC 2138).
RAID (redundant array of individual disks): Stores information on multiple hard disks to provide redundancy. Using RAID can improve performance and fault-tolerance.
redirected proxy: A Sidewinder G2 proxy option that reroutes a connection to a specific host system, hiding the actual destination address or port from the system requesting the connection.
reference implementation: An IETF term. It is the particular implementation of the protocol or standard that is referred to and used in the associated RFC.
registration: The process of authenticating one Sidewinder G2 to an HA cluster or One-To-Many cluster. This process establishes an encrypted, trusted connection between the two systems.
remote management: The ability to administer a system from a remote location.
RFC (Request for Comments): One of a series of documents recognized by the Internet Engineering Task Force (IETF). Most RFCs document protocol specifications and standards.
RIP (Routing Information Protocol): A protocol that updates routing tables.
role: A login mode used for administering the Sidewinder G2. The Sidewinder G2 separates administrator access into two roles: admin (write privileges) or adminro (read-only privileges).
root: In UNIX, a user name that gives special privileges to a person who logs onto the system using that name and the correct password. The root user name allows the user to have access to all of the system’s files. The Sidewinder G2 does not allow root privileges.
root servers: The highest level DNS servers.
router: A network device that forwards data between two or more networks, delivering them to their final destination or to another router.
rule: A rule is a mini policy which contains criteria that are used to inspect incoming or outgoing traffic. Rules determine whether that traffic will be allowed to continue to its destination. There are two distinct rule types that you can configure on the Sidewinder G2: proxy rules and IP Filter rules.
rule group: An organized set of rules. A rule group can consist of both rules and nested rule groups.
safe mode: Also known as failure mode, a Sidewinder G2 operating state that allows system administration while not allowing network traffic to pass through. A Sidewinder G2 can enter this mode under conditions that include: (a) after a failed license check, (b) after a reboot during which the system detects a problem with an installed patch, (c) after a reboot during which the system failed to start a critical service, or (d) after the audit partition has overflowed.
secondary name server: DNS servers that download and record a backup copy of domain information from a primary DNS server.
SecurID token: A small hand-held device used to calculate the proper response during a login attempt.
SecureNet Key (SNK): A strong authentication system made by Digital Pathways Incorporated.
SecureOS: The UNIX-based operating system used in a Sidewinder G2 system. SecureOS is built upon BSD/OS and includes Type Enforcement security mechanisms.
session: The time period from when a terminal user logs on to the system until they log off the system.
server: A computer system that provides services (such as FTP) to a network, or a program running on a host that offers a service to other hosts on a network.
SMTP (simple mail transport protocol): The TCP/IP protocol that transfers e-mail as it moves through the system.
SNMP (simple network management protocol): The industry standard protocol used for network management.
SNMP agent: A server that communicates with SNMP management stations to provide information and status for a network node.
SOA (Start of Authority): A record found in every DNS zone that contains information about which DNS server is the primary name server, in addition to other administrative information about the zone.
srole: A Sidewinder G2 UNIX command used to change to a different domain (User, Admn, or AdmRO).
SSO (single sign-on): The ability of a user to authenticate once and then have access to protected content on sites in multiple Internet domains.
standalone: Refers to a device or software program that is self-contained; one that does not require any other device or software program to function.
standard password authentication: A UNIX mechanism that requires someone logging into a network server to enter a password in order to prove they have a valid login account.
stateful inspection: Method of checking a data packet’s source and destination. The information is recorded in a dynamic state table. New packets from the same session are checked against the table to ensure that they are valid. Invalid packets are dropped.
Strikeback®: A Sidewinder G2 feature that can be configured to gather information about detected network access violations, or ignore packets from a particular host for a specified period of time.
strong authentication: A login process that requires a user to enter a unique, one-time response to a login challenge or special code presented by an authentication server. The authentication server resides somewhere in the internal network and sends a login challenge to a user when he or she attempts to log in. The user must make the proper response to the challenge using a special hardware or software token.
subnet: A network addressing scheme that separates a single network into a number of smaller physical networks to simplify routing.
syntax: Refers to the spelling and grammar of a programming language. Computers are inflexible machines that only understand what you type if you type it in the exact form (syntax) that the computer expects.
TCP/IP (transmission control protocol/internet protocol): A networking protocol suite created for use in the Internet.
Telnet: A TCP/IP protocol that directs the exchange of character-oriented data during a client-to-server session.
token: A small hand-held hardware device or client software used to generate a one-time passcode or password. See hardware authenticator.
traceroute: A UNIX command that shows all of the routing steps between a host and another host.
trap: An SNMP alert message sent as an unsolicited transmission of information from a managed node (router, Sidewinder G2, etc.) to an SNMP management station.
Type Enforcement®: Secure Computing’s patented security technology that protects against intruders by preventing someone from taking over the UNIX operating system within Sidewinder G2 and accessing critical files or doing other damage.
UAP: User Authentication Points.
UDP (user datagram protocol): A connectionless protocol that transfers data across a network with no reliability checking or error checking.
UNIX: A powerful operating system used in high-end workstations and computer systems on the Internet. It allows a single computer to operate multiple programs and be accessed by other computers, all at the same time.
URL (universal<br />
resource locator)<br />
<strong>Glossary</strong><br />
Provides the address <strong>of</strong> specific documents on the Web. Every Internet<br />
file has a unique URL; they indicate the name <strong>of</strong> the server, the directory,<br />
and the specific document. The form <strong>of</strong> a URL is protocol://pathname. For<br />
example, ftp://www.website.com; http://www.website.com.<br />
user (end user) A collection <strong>of</strong> specific data elements that identify the user to the system,<br />
define the resources to which they have access, the administrative group<br />
to which they belong, and their role within a network structure.<br />
user domain The domain that allows access to all nonsensitive files.<br />
user groups A logical grouping <strong>of</strong> two or more users, identified by a single name.<br />
VPN (virtual private<br />
network)<br />
A method <strong>of</strong> authenticating and encrypting data transmissions between<br />
the machines (<strong>Sidewinder</strong> <strong>G2</strong>-to-<strong>Sidewinder</strong> <strong>G2</strong>, <strong>Sidewinder</strong> <strong>G2</strong>-to-client)<br />
via the Internet. VPN makes it appear as though the networks on the<br />
internal side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>s are connected to each other via a pair<br />
<strong>of</strong> routers with a leased line between them.<br />
VPN tunnel A secure route via the Internet between two machines (<strong>Sidewinder</strong> <strong>G2</strong>-to-<br />
<strong>Sidewinder</strong> <strong>G2</strong>, <strong>Sidewinder</strong> <strong>G2</strong>-to-client, etc.) that use authentication and<br />
encryption to transfer data.<br />
warder A <strong>Sidewinder</strong> <strong>G2</strong> server that provides an interface between the proxy<br />
s<strong>of</strong>tware and the various authentication services.<br />
weak authentication A login process that merely requires a user to enter the same password<br />
each time he or she logs in. The “standard” UNIX password process is<br />
considered a weak authentication method. If someone “sniffs” the<br />
password <strong>of</strong>f the phone line or network as it is transmitted they can<br />
conceivably use that password to then break into the system. Because<br />
your internal network is thought to be “trusted,” this type <strong>of</strong><br />
authentication is generally used for authenticating internal-to-external<br />
proxy connections.<br />
Web farm
    A group of computers that host multiple Web servers for one Web site or a group of Web sites belonging to the same company. Load balancing is often used to distribute traffic among the servers to handle shifts in demand.

XAUTH
    An abbreviation of Extended Authentication.
Index

A
A record (address record) 10-23, 10-26
acat_acls F-26
accept certificate 2-6
access control
    report 18-28
access rules
    DNS rules 4-27, 4-28
account
    administrator 3-5
    changing password 3-9
ACE/Server 9-8
ACL
    monitoring tool F-26
    rule checking 11-8
    sort 18-26
activation process 3-19
active network connections report 17-22
activity reports 18-30
adding
    disk space F-14
    hardware F-14
    host 2-4
    memory F-14
address
    pools 13-18
    redirection 7-6, 8-6
Admin Console 2-2
    administration options 2-2
    configuring user groups 5-3
    exit 2-9
    File Editor 2-12
    file editor 11-8
    logging in 2-5
    main window 2-8
    management 3-56
    setting system date and time 3-9
    tips when using 2-11
    valid port values 1-16
admin role
    file access 1-8
    tasks 3-5
administration
    remote via SSH 2-17
    remote via telnet 2-24
Administration Services Only
    proxy rules 4-25
administration tool 2-2
administrative kernel 1-4, 1-8
    authentication F-3
    backups F-6
    booting to F-2
    checking if you’re in 3-11
    clear authentication lockout F-21
    features 1-5
    when to use 3-2
administrator
    account 3-5
    authentication 9-3
    cautions when editing UNIX files A-11
adminro role
    tasks 3-5
Admn domain 1-8
alarm event
    ignore network probe attempts 17-17
alarm events
    auditing 17-13
    configuration window 17-2
    event responses 17-8
    example scenario 17-13
    filter types 17-14
    list 17-2
algorithms with VPN 13-63
Index In-1
alias
    IP addresses 3-52, 4-34
    mail 11-22, 11-26
    root 11-26
allow-query option 10-16
allow-transfer option 10-16, 10-20
allow-update option 10-20
Anti-spam
    whitelist 11-13
anonymous ftp 14-11
Anti-spam filtering
    advanced 11-13
Anti-virus filtering
    for Mail 6-26
    for Web 6-13
aol proxy 8-9
Application Defenses 6-1
    Citrix 6-31
    FTP 6-33
    groups 6-46
    Mail 6-21
    Multimedia 6-36
    Oracle 6-38
    Secure Web 6-4
    SNMP 6-42
    SOCKS 6-41
    standard 6-45
    Web 6-4
    Web Cache 6-19
audit 18-5
    *.gz files 18-6
    *.raw files 18-6
    alarm event notification 17-13
    alarm events 17-13
    configuring 17-1
    editing configuration files 17-12
    event type numbers 17-14
    events 18-6
    exporting data 18-11
    overview 18-5
    probe attempts 18-28
    root accesses 18-28
    sample message 18-19
    sending SNMP traps 14-4
    sending to syslog 18-22
    SNMP traps 14-4
    Strikeback 17-14
    Strikeback commands 17-11
    understanding messages 18-19
    viewing 18-7
    viewing messages 18-19
audit.raw file 10-36, 18-5
audit_filters.conf file 18-5
auditbot
    process 17-2, 18-5
auditbotd.conf file 17-2
auditd.conf file 18-5
authentication
    administrative kernel F-3
    administrators 9-3, 9-33
    authenticators 9-4
    clear locks F-21
    defined 13-3
    enable/disable in admin kernel F-20
    failure lockout 9-13
    in proxy rules 4-19
    LDAP 9-16
    methods 9-5
    overview 9-9
    password 9-6, 9-18
    proxies 9-2
    RADIUS 9-8, 9-19
    SafeWord PremierAccess 9-6, 9-21
    SafeWord RemoteAccess 9-6
    SecurID 9-8
    SNK 9-8, 9-24
    SNMP message header 14-3
    SSH login 2-18
    SSO 9-27
    strong 9-3
    summary 9-1
    user groups 4-8
    warder 9-9
    weak 9-3
    Web session authentication 9-32
    Windows Domain 9-8, 9-26
    with VPN 13-3
authenticators 9-4

B

backup
    backup_file_list 3-15
    complete (full) F-5
    configuration files 3-13
    contents 3-15
    example F-7
    file types F-4
    in administrative kernel F-5
    incremental F-6
    levels F-5
    overview F-4
    restore F-8
backup configuration files
    via command line F-14
beep patterns F-21
bibliography xiii
binary characters 6-26
BIND 10-4
blackhole list 11-22, 11-24
boot process
    failure F-16
boot prompt F-2
boot.default file 3-58
booting 3-2
broadcast address 13-25, D-15
browser 12-6, 12-10, 12-19
    caching 12-11, 12-15
    download MIB files 14-11
    Internet Explorer 12-21
    Netscape 12-21
    SmartFilter compatible 6-21
BSD/OS 1-4
burb 1-9
    configuring 3-48
    Internet 3-49

C

caching
    configuring 12-15
    Web pages 12-11
    WebProxy server 8-18, 12-15
category codes (SmartFilter) E-10
category names (SmartFilter) E-10
Caution tag xiv
certificate accept window 2-6
Certificate Authority (CA)
    checking 13-38, 13-41
    defined 13-6
    definition 13-27
    public versus private 13-31
certificate management daemon 13-14
certificate server 13-13
certificates
    configuring 13-37, 13-40
    defined 13-27
cf command A-1
    command syntax A-2
    displaying the man page listing A-2
    overview A-1
    summary A-1
change password server 9-34
changepw_form proxy 8-9, 9-35
changing admin password 3-9
check-names option 10-15, 10-19
chtype command 11-20, A-13
Citrix proxy (ica) 8-10
client address pools 13-18
clientless VPN 8-18, 12-3
cluster
    high availability 16-1
    one-to-many 15-1
clustering
    see One-To-Many 15-1
CMD server 13-14
CNAME record 10-27
command line interface 2-2
community names 14-3
config.txt
    SmartFilter E-8
config.txt file
    SmartFilter E-7
configuration
    auditing 17-1
    auditing files 17-12
    DNS 10-5, 10-9
    files 3-13, A-11
    interface 3-50
    mail 11-12
    mail host 11-6
    OSPF C-6
    Strikeback 17-1
Configuration Wizard
    diskette F-17, F-22
configurator (cf) command A-1
configuring
    network objects 5-10
    user groups 5-3
connection service type 4-18
control list
    category codes (SmartFilter) E-10
    for Web access E-1
    SmartFilter E-1
control list (SmartFilter)
    category names (SmartFilter) E-10
control list for Web access 12-14
CPU
    time by process 17-20
CRL 13-33
cron scripts A-15

D

daemond 1-12
daily system activity report 18-30
date (setting) 3-9
decryption 13-4
default
    route 3-54
default proxy rules 4-21
deleting
    roles 3-7
destination burb 4-18, 7-6
destination network object 4-18
dig command 17-11, 17-14, 17-24
directory type
    checking A-12
disable
    multi-processor mode 3-57
    servers 3-30
discard
    netprobes 17-17
disk space F-14
diskette
    Configuration Wizard F-17, F-18, F-22
Distinguished Names 13-35
DNS 10-1
    A record (address record) 10-23, 10-26, 10-27
    access rules 4-27, 4-28
    advanced server options 10-15
    advanced zone options 10-19
    BIND 10-4
    CNAME record 10-27
    configuration 10-5, 10-9, 10-11
    configuration utility 10-29
    disabling servers 10-7
    editing configuration files 10-9
    enabling servers 10-7
    file types 10-36
    files 10-4
    forward zones 10-18
    forwarders 10-13
    HINFO 10-27, 10-28
    hosts 10-25
    if turned off 10-7
    logging 10-36
    mail exchanger records 10-24
    master zone 10-18
    master zone attributes 10-20
    master zone contents 10-25
    MX record 10-4, 10-27, 10-28
    name servers table 10-24
    proxy 8-9
    query 10-4
    reconfigure 10-29
    reverse zones 10-18
    serial number 10-22
    servers for VPNs 13-23
    Sidewinder Hosted 10-2
    Sidewinder hosted 10-11
    slave zone 10-18
    SOA record 10-21
    split DNS mode 10-7, 10-8
    sub-domain 10-23
    transparent 10-2, 10-9
    TTL value 10-22
    zone 10-16
do.dump script F-5, F-9
do.restore script F-11
documentation xii
domain definition table 1-5, 1-8
domain name 4-18
domain object 4-10
    configuring 5-12
domains
    access 1-7
    Admn 1-8
    checking 3-12
    creator A-12
    current 3-12
    defined 1-6
    file access 1-8
    for processes 17-20
    in operational vs. admin kernels 1-5
    mail 11-2, 11-3, 11-6
DSS 9-8, 9-24
dynamic IP addressing
    Adding a new VPN 13-55
dynamic routing C-1

E

editing UNIX files A-11
editors
    Admin Console File Editor 2-12
    changing default A-10
    emacs A-10
    vi A-10
emacs editor
    commands A-10
    using A-10
enable
    automated package install 3-46
    multi-processor mode 3-57
    periodic patch imports 3-44
    servers 3-30
encryption 13-4
    defined 13-3
    for external-to-internal proxy 8-3
    with VPN 13-3
errors F-21
etc/crontab A-15
etc/daily script 18-30
etc/login.conf 1-13
etc/monthly script 18-30
etc/resolv.conf file 10-6
etc/server.conf 1-13
etc/sidewinder/daemond.conf 1-13
etc/syslog.conf file 18-22
etc/weekly script 18-30
event responses 17-8
    e-mail 17-10
    pager 17-10
    strikeback 17-11
exclude_file_list file 3-15
executables
    installing 1-8
exiting roles 3-12
export
    audit data 18-11
Extended Authentication 13-8

F

failed connection request
    proxy rules F-24
failover
    see high availability 16-1
failure lockout
    authentication 9-13
failure mode F-23
    see safe mode 1-13
fast path sessions 6-49
file editor
    Admin Console 11-8
file permissions A-12
file type
    .forward files 11-20
    checking A-12
    DNS files 10-36
    when backing up F-4
    when restoring F-4
files
    backing up F-4
    configuration A-11
    restoring F-11
    rotating A-15
filesystems
    restoring F-11
filtering
    mail 6-22
    Web 6-13
finger command 17-11
finger proxy 8-9
firewall
    monitoring 18-3
firewall certificate 13-37
firewall license 3-19
fixed IP 13-25
forward files 11-5, 11-20
forward zones 10-18
fsck command F-16
ftp
    no connection 8-17
    proxy 8-9
ftp proxy 8-17

G

gated C-4
gopher proxy 8-9
groups
    Application Defense 6-46
    network 4-7, 5-19
    user 4-7, 4-8

H

H.323 proxy 8-9
    considerations 8-22
HA
    see high availability 16-1
halt command 3-4
hardware
    adding F-14
hardware acceleration
    VPN 13-7
hardware authenticator 9-4
hardware platform 1-2
header stripping 11-22
heartbeat 16-3, 16-4, 16-5
help (online) xiii
high availability 16-1
    configuration options 16-3
    configuring 16-6
    heartbeat 16-3, 16-4, 16-5
    load sharing 16-3
    peer-to-peer 16-8
    primary-secondary 16-5
HINFO 10-27, 10-28
Host Enrollment List 3-27
host name 4-18
    firewall 2-25
host object 4-10
    configuring 5-13
hosted DNS
    on firewall 10-11
    single 10-3
    split server 10-3
hosts
    DNS 10-25
HTTP
    proxy 8-9, 12-4
HTTPS
    proxy 8-10, 12-4

I

ica proxy 8-10
ICMP 3-49, 8-11
ident proxy 8-10
IDS
    server configuration 3-39
IETF 13-3
IIOP
    Application Defense 4-16, 6-34
    proxy 8-10
IKE 13-1, 13-5
imap proxy 8-10
Important tag xiv
importing
    SecureClient certificates 13-48
in-addr-arpa 10-18
inbound proxy 8-2
incremental backup F-6
inetd 1-16
installation
    executables 1-8
    failed patch F-23
    reinstalling software F-8
installing patches 3-45
interface configuration 3-50
interfaces report 17-23
Internet
    hosts (connection information) 18-26, 18-27
Internet Explorer
    browser 12-21
Internet Key Exchange 13-5
Internet server 10-7
IP address object 4-10
    configuring 5-15
IP Filter 4-28
    deny rules 17-17
    overview 1-12
IP sniffing 1-2
IP spoofing 1-2
IPSec
    defined 13-3
irc proxy 8-10
ISAKMP server 13-11

K

kernels
    defined 1-4
    determining current 3-11
    differences 1-5
keys (VPN)
    defined 13-4
    encryption and decryption 13-4
    generating 13-5

L

LDAP 13-13, 13-48
LDAP authentication 9-16
level0.backup script F-5
license
    Host Enrollment List 3-27
    how to 3-19
load sharing HA 16-3
loading patches 3-43
lockout
    authentication failure 9-13
log in
    Admin Console 2-5
logcheck 18-5
logging 18-21
    backups F-5
    DNS 10-36
loopback address 10-17
lotus proxy 8-10
ls -dy command A-12
ls -y command A-12

M

m4 macros 11-10
mail
    .forward files 11-5, 11-20
    aliases 11-26
    configuration 11-7, 11-10
    domains 11-2, 11-3, 11-6
    internal host 11-2
    internal server 11-2
    local delivery 11-5
    local server 11-2
    mailertables 11-12
    postmaster 11-6
    program mailers 11-5
    reconfiguring 11-9
    redirecting 11-26
    servers 11-6
    setup 11-6
    SMTP 11-2
    SNMP hosted 11-2
    transparent SMTP 11-1
    Type Enforcement restrictions 11-5
mail exchanger records 10-4, 10-21, 10-23, 10-24
mail filtering
    anti-spam filter 6-23
    anti-spam filter configuration 11-13
    keyword search filter 6-22
    MIME/Anti-Virus filter 6-22
    size filter 6-22, 6-23
mail host 11-2, 11-6
    configuring 11-6
mail queues 11-5, 11-28
    checking 11-27
mail.local program 11-3
mailertable files 11-12
maintenance A-15
maintenance mode
    enable/disable authentication in F-20
management information base (MIB) 14-3
manuals xii
master zone 10-18
    attributes 10-20
    contents (DNS) 10-25
maximum segment size (MSS) 8-33
membership
    user groups 5-8
memory F-14
messages
    audit 18-19
    DNS 10-36
    in mail queues 11-27
    log 18-21
    postmaster 11-6
    system reboot F-17
methods used to authenticate users 9-5
MIME filtering
    for mail 6-26
    for Web 6-13
mode
    safe 1-13
modem 17-10, 17-13
modify 3-50
monitoring
    Sidewinder G2 18-3
Monitoring tool (ACLs) F-26
monthly system activity report 18-30
mp.config file 3-58
msn proxy 8-10
MSS (maximum segment size) 8-33
mssql proxy 8-10
mta domain 11-3
mta0 domain 11-6
mta1 domain 11-6
mtac domain 11-2, 11-6
Multicast Group Address 16-21
Multiple Address Translation (MAT) 3-52
multi-processor mode
    enabling/disabling 3-57
MX record 10-4, 10-27, 10-28

N

name servers
    boot files 10-4
    configuring 10-5
name servers table 10-24
NAT 1-12, 3-49, 4-10
    in proxy rules 4-19
netgroup object 4-11
    configuring 5-19
netgroups
    configuring 5-19
netmap
    member 4-11, 5-16
    object 5-16
netmap object 4-10
netmask 3-51, 3-53
netprobes
    denying 17-17
Netscape
    browser 12-21
Netscape browser 9-36, 12-19
netstat 17-22, F-32
netstat command 17-23
network address translation (NAT) 10-3, 10-30
network groups 4-7, 4-18
network interfaces 3-50
    report 17-23
network object
    destination 4-18
network objects 4-18
    configuring 5-10
    domain 4-10, 4-18
    host 4-10, 4-18
    IP address 4-10, 4-18
    netgroup 4-11
    netmap 4-10
    subnet 4-11, 4-18
network probe
    ignore 17-17
network probe attempts 17-17
network protection
    illustrated 1-2
network security
    and VPN 13-3
network service 4-18
networks
    connections report 17-22
    interfaces report 17-23
    process status 17-20
    routing tables 17-23
    services 1-16
    stack separation 1-10
News
    feed 8-19
    proxy 8-19
    proxy redirection 8-21
    server configurations 8-20
    servers 8-19
newsgroups 8-19
NIC 17-25
NNTP 8-19
nntp proxy 8-11
non-transparent proxies 8-14
Note tag xiv
notify option 10-15, 10-20
nslookup command 17-12
NSS 1-16
nss.common.conf file 1-13
NTP B-1
    configurations B-2
    flags B-6, B-7
    overview B-1
    peer B-7
    reasons for having stopped F-35
    references B-8
    restarting F-35
    servers and clients B-2
    stratum 0 F-35
    troubleshooting F-34
    version number B-1
ntp proxy 8-11

O

OID
    editing 6-44
One-To-Many
    considerations 15-2
    defining additional secondary firewalls 15-7
    scenario 15-4
One-to-Many
    exiting 15-12
    managing 15-13
    synchronized areas 15-14
online help xiii
operating system (BSD/OS) 1-4
operational kernel 1-4
    checking if you’re in 3-11
    features 1-5
    routing tables 17-23
    using remotely 2-2
    when to use 3-2
OSPF C-1
    configuration C-6
    gated C-4
    overview C-1
outbound proxy 8-2

P
packages 3-41
pager
    event response 17-10
paragraph formats
    Caution xiv
    Important xiv
    Note xiv
    Security Alert xiv
password
    authentication 5-7
    changing 3-9, 9-32, 9-34
    changing in the administrative kernel F-19
    how users change their own 9-36
    setting user 5-7
    what to do if you forget F-19
password authentication 9-6, 9-18
Password Change Server 9-34
patches
    failed installation F-23
    installing 3-45
    loading 3-43
peer-to-peer
    high availability 16-8
performance report 17-19
pico editor A-10
ping command 17-12
ping proxy 8-11
planning
    network and user groups 4-7
pop proxy 8-11
port
    no service 18-28
    redirection 8-8
    specified in Web browser 12-19
    unsupported service 18-28
postmaster 11-6
pre-shared password, defined 13-6
primary name server 10-8
primary-secondary HA 16-5
printer proxy 8-11
process
    access to files 1-5
    displaying information 17-20
    domain 17-20
    domain access 1-7
    file access 1-8
processes
    CPU time 17-20
    report 17-20
    status 17-20
promiscuous relaying 11-22, 11-24
proxies
    address redirection 8-6
    aol 8-9
    authentication 9-2
    changepw_form 8-9
    connection service type 4-18
    dns 8-9
    enabling and disabling 8-28
    finger 8-9
    for external-to-internal proxy 8-3
    FTP 8-17
    ftp 8-9
    gopher 8-9
    H.323 8-9
    HTTP 8-9, 12-4
    HTTPS 8-10, 12-4
    ica (Citrix) 8-10
    IIOP 8-10
    imap 8-10
    inbound 8-2
    ident 8-10
    initial set-up 8-9
    irc 8-10
    lotus 8-10
    msn 8-10
    mssql 8-10
    News 8-19
    nntp 8-11
    non-transparent 8-14
    ntp 8-11
    outbound 8-2
    overview 1-11, 8-1
    ping 8-11
    pop 8-11
    port redirection 8-8
    printer 8-11
    real media 8-11
    redirection 8-21
    rlogin 8-11
    rsh 8-11
    rtsp 8-11
    smtp 8-11
    snmp 8-12
    socks5 8-12
    sql 8-12
    ssh 8-12
    streamworks 8-12
    sunrcp 8-12
    t120 8-12
    telnet 2-24, 8-11, 8-12, 8-15
    transparent 8-14
    wais 8-12
    Web 12-1
    Web proxy considerations 12-12
    WebProxy server 8-18
    whois 8-12
    wins 8-12
    Xscreen0 8-13
proxy rules
    Administration Services Only 4-25
    authentication 4-19
    connection service type 4-18
    default 4-21
    destination burb 4-18
    failed connection request F-24
    NAT 4-19
    optional criteria 4-18
    overview 4-17
    redirection 4-19
    SafeWord groups 7-9
    service group 4-12, 4-24
    source burb 4-18
    Standard Internet 4-25
    temporary 7-10, 7-17
    time to live option 7-10, 7-17
    troubleshooting F-23
ps command 17-20

R

RADIUS authentication 9-8, 9-19
real media proxy 8-11
realtime blackhole list 11-22
rebooting 3-3
    to administrative kernel command 3-4
    to operational kernel command 3-4
reconfigure
    DNS 10-29
    mail 11-9
redirecting proxies 8-21
    address redirection 7-6, 8-6
    port redirection 8-8
redirection 4-10
    in proxy rules 4-19
reference material xiii
    online help xiii
    RFCs xiii
re-imaging
    Sidewinder G2 F-17
reinstallation F-17
remote access
    clientless VPN 12-3
remote administration
    via SSH 2-17
    via telnet 2-24
remote certificate 13-40
Remote Identities
    defined and configuring 13-35
remote management
    Admin Console 3-56
reports
    3rd party tools 18-31
    daily activity 18-30
    mail queues 11-27
    monthly activity 18-30
    network connections 17-22
    network connections/services 17-22
    network interfaces 17-23
    routing tables 17-23
    Strikeback 17-15
    VPN activity 18-29
    weekly activity 18-30
restarting 3-3
restore F-8, F-11
    complete F-9
    configuration files 3-13
    file types F-4
    overview F-8
    root filesystem F-11
    script command options F-12
    shlib directory F-11
restore configuration files
    via command line F-14
restricting
    access by date and time 4-19
    Web access E-1
reverse zones 10-18
RFCs xiii
RIP D-1
    configuring D-12
    trace and log information D-16
    transparent IP addressing D-5
    without transparent IP addressing D-8
rlogin proxy 8-11
roles
    admin 1-8, 3-5
    adminro 3-5
    deleting 3-7
    exiting 3-12
    restore F-9
    switching 3-12
roles.conf file 3-7
rollaudit A-17
rollaudit.conf file A-16
root 1-5, 1-8
    restoring filesystem
        restoring F-11
rotating files 18-22, A-15
routed D-3
    configuring D-12
    filter D-14
    flushing filter routes D-16
routes
    default 3-54
    static 3-54
routing
    dynamic (OSPF) C-1
    dynamic (RIP) D-1
routing tables report 17-23
rsh proxy 8-11
rtsp proxy 8-11
rule
    sort 18-26
rule elements 4-6
    network objects 4-9
    planning for 4-7
    user groups 4-8
    users 4-8
rules
    default proxy 4-21
    IP Filter 4-28
    proxy 4-17
run levels 1-14

S

safe mode 1-13
SafeWord PremierAccess
    authentication 9-6, 9-21
SafeWord RemoteAccess
    authentication 9-6
SafeWord user groups 7-9
scanner
    service 3-34
SCEP 13-34, 13-38, 13-41, 13-42
scripts
    /etc/daily 18-30
    /etc/monthly 18-30
    /etc/weekly 18-30
    creating your own A-14
    cron A-15
    do.dump F-5, F-9
    do.restore F-11
    level0.backup F-5
sdconf.rec file 9-23
secondary name server 10-8
secure shell (SSH) 2-17
Secure Web
    Application Defenses 6-4
SecureClient certificates
    importing 13-48
SecureOS 1-1, 1-10
SecurID authentication 9-8, 9-22
security 1-5
    and VPN 13-3
Security Alert tag xiv
security association
    VPN 13-51
Security Parameters Index (SPI)
    using manual key exchange 13-62
SEF 18-12, 18-31
sendmail 11-6
    blackhole list 11-22
    configuration 11-10
    header stripping 11-22
    m4 macros 11-10
    promiscuous relaying 11-22, 11-24
    RealTime Blackhole list 11-24
    version 11-10
sendmail.cf files 11-10
serial number (DNS) 10-22
server.conf file A-11, D-16
servers
    connection service type 4-18
    DNS 10-7
    enabling/disabling 3-30
    mail 11-2, 11-6
    News 8-19, 8-20
    telnet 2-24, 2-25
    Web 12-2, 12-3
service group 4-12, 4-18, 4-24
service groups
    configuring 5-21
    example 4-13
service type 4-18
shlib directory F-11
shun server 3-39
shund 3-39
shutdown 3-3
Sidewinder G2
    administrator interfaces 2-2
    authentication methods 9-3
    configuration using cf command A-1
    defined 1-1
    filesystems F-5
    general system tasks 3-1
    kernels 1-4
    NTP B-1
    re-imaging F-17
    SNMP agent 14-1
Sidewinder Hosted
    DNS 10-2
sighup command 1-16
single sign-on (SSO)
    authentication 9-27
site.txt file
    SmartFilter E-8
size filter 6-23
slave zone 10-18
SmartFilter
    control list 12-14, E-1
    controlling Web access E-1
    sample Control List E-2
smartfilter.site file E-9
SMTP 11-2
    ACL rule checking 11-8
    configuration 11-7
    configuring servers 11-8
    secure split servers 11-2
    transparent mail 11-1
smtp proxy 8-11
SNK authentication 9-8, 9-24
SNMP 6-42, 14-1
    agent 14-1
    alarm trap 14-4
    authentication header 14-3
    basic information 14-1
    community names 14-3
    configuring agent on the firewall 14-8
    enabling/disabling agent 14-8
    management information base (MIB) 14-3
    proxy 8-12
    traps 14-4
SOA record 10-21
SOCKS proxy 6-41
socks5 proxy 8-12
SoftRemote 13-8, 13-44
software authenticator 9-4
software packages 3-41
    installing 3-45
sounds F-21
source burb 4-18
spam
    see anti-spam filter 11-13
SPI (Security Parameters Index)
    using manual key exchange 13-62
SPI index 13-63
split DNS 10-7, 10-8
sql proxy 8-12
Squid 8-18, 12-18, A-18
squid.conf.template file 12-18
srole command 3-12, 18-28
SSH 2-17
    client 2-20
    enabling server 2-18
    proxy 8-12
    server 2-22
SSL decryption 6-5, 8-18
SSO
authentication 9-27<br />
stacks 1-10<br />
standard<br />
Application Defenses 6-45<br />
Standard Internet<br />
proxy rules 4-25<br />
startup<br />
kernel 1-4<br />
State Change Wizard 2-9, 2-11<br />
HA create cluster 16-8<br />
HA join existing 16-13<br />
HA remove primary 16-17<br />
One-To-Many add primary 15-6<br />
One-To-Many add secondary 15-9<br />
One-To-Many remove primary 15-13<br />
stateful inspection 1-12<br />
static route 3-54<br />
status<br />
process 17-20<br />
status reports<br />
routing tables 17-23<br />
stratum 0 F-35<br />
streamworks proxy 8-12<br />
Strikeback 17-14<br />
command options 17-11<br />
configuring 17-1<br />
sample results 17-15<br />
timeout option 17-13<br />
strikeback_wait_time option 17-12<br />
strong authentication 9-3<br />
Strong Cryptography 6-7, 12-8<br />
sub-domain (DNS) 10-23<br />
subnet<br />
network object 4-18<br />
subnet object 4-11<br />
configuring 5-17<br />
sunrcp proxy 8-12<br />
super-user 1-5, 1-8<br />
support for multiple networks 1-2<br />
syslog 18-21<br />
audit messages 18-22<br />
configuration file 18-22<br />
syslogd 18-22<br />
file rotation 18-22<br />
system boot 1-4<br />
system calls 1-7<br />
system reboot<br />
messages F-17<br />
T<br />
T.120 proxy 8-12, 8-22<br />
TCP checksum offload 3-50<br />
TCP connections 17-22<br />
maximum segment size 8-33<br />
tcpdump F-34, F-36<br />
telnet<br />
defined 2-24<br />
no connection 8-16<br />
proxy 2-24, 8-11, 8-12, 8-15<br />
server 2-24<br />
server setup 2-25<br />
time (setting) 3-9<br />
traceroute command 17-12<br />
transparent<br />
DNS 10-2, 10-9<br />
mail (SMTP) 11-1<br />
proxies 8-14<br />
transport mode 13-54<br />
traps within SNMP 14-4<br />
troubleshooting<br />
NTP F-34<br />
proxy rules F-23<br />
TTL value (DNS) 10-22<br />
tunnel mode 13-6, 13-54<br />
Type Enforcement 1-4<br />
administrative kernel 1-8<br />
defined 1-6<br />
directory types A-12<br />
dump function F-4<br />
effects 1-8<br />
file types A-12<br />
how it works 1-5<br />
restore F-4<br />
sendmail 11-5<br />
U<br />
UDP connections 17-22<br />
uname -a<br />
command 3-11<br />
unbound DNS server 10-7<br />
UNIX<br />
editing files A-11<br />
security 1-5<br />
text editors A-11<br />
UPS (Uninterruptible Power Supply) 3-58<br />
uptime command 17-19<br />
Usenet News 8-19<br />
user groups 4-7, 4-8<br />
authentication 4-8<br />
configuring 5-3<br />
displaying 5-1<br />
in proxy rules 4-19<br />
membership 5-8<br />
user passwords 5-7<br />
users<br />
changing password 3-9<br />
displaying 5-1<br />
using the Admin Console 3-3<br />
V<br />
var/log directory<br />
backup.log F-5<br />
daily.out A-15<br />
monthly.out A-16<br />
weekly.out A-16<br />
wtmp file A-16<br />
var/log/audit.raw file 10-36<br />
var/log/daemon.log file 10-36<br />
var/log/daily.out file 18-30<br />
var/log/monthly.out file 18-30<br />
var/log/weekly.out file 18-30<br />
var/spool/mqueue.0 11-5, 11-27<br />
var/spool/mqueue.1 11-5, 11-27<br />
var/spool/mqueue.c 11-5, 11-27<br />
version<br />
sendmail 11-10<br />
vi editor<br />
commands A-10<br />
using A-10<br />
virtual burb 13-15<br />
virus scanning 3-34<br />
vmstat command 17-19<br />
VPN<br />
AH keys 13-63<br />
algorithms 13-63<br />
and SecureClient 13-7<br />
association 13-51<br />
certificate authority 13-27<br />
certificate management daemon 13-14<br />
certificate server 13-13<br />
client 13-7<br />
client address pools 13-18<br />
client ID 13-27<br />
clientless 8-18, 12-3<br />
embedded 13-1<br />
Extended Authentication 13-8<br />
firewall certificate 13-37<br />
fixed IP 13-25<br />
hardware acceleration 13-7<br />
how it works 13-4<br />
IKE 13-1<br />
ISAKMP server 13-11<br />
key types 13-4<br />
LDAP 13-48<br />
public CA server 13-32<br />
remote certificate 13-40<br />
Remote Identities 13-35<br />
scenarios 13-65<br />
security association 13-51<br />
SPI 13-63<br />
transport mode 13-6<br />
tunnel mode 13-6<br />
understanding 13-1<br />
VPN report 18-29<br />
W<br />
wais proxy 8-12<br />
warder 9-9<br />
weak authentication 9-3<br />
Web<br />
access 12-1<br />
access via proxy 12-2, 12-3<br />
Application Defenses 6-4<br />
browser 12-6, 12-10<br />
caching 12-11<br />
configuring the Squid caching proxy 12-11<br />
configuring Web proxy on port 80 12-7<br />
implementation options 12-3<br />
restricting access to E-1<br />
SmartFilter 12-10<br />
Web proxy 12-1<br />
Web servers 12-2, 12-3<br />
WebProxy server 8-18, 9-32, 9-36, 12-4, 12-10, 12-12<br />
options 12-15<br />
transparent/non-transparent mode 12-18<br />
WebTrends 18-31, 18-33<br />
weekly system activity report 18-30<br />
whereami<br />
command 3-12<br />
whitelist<br />
configuring for anti-spam 11-13<br />
whois command 8-12, 17-25<br />
whois proxy 8-12<br />
Windows Domain<br />
authentication 9-8, 9-26<br />
wins proxy 8-12<br />
WINS server 13-23<br />
X<br />
X Windows<br />
pre-defined proxy 8-13<br />
Xscreen0 proxy 8-13<br />
Z<br />
zones 10-16<br />
The Sidewinder G2® Security Appliance is the most comprehensive<br />
gateway security appliance in the world, with the strongest credentials<br />
of any leading all-in-one firewall or Unified Threat Management security<br />
appliance (as tracked by IDC and Gartner). This market-leading Internet<br />
security appliance protects your applications and networks against the<br />
entire threat matrix completely and reliably—and at Gigabit speeds. This<br />
appliance consolidates the widest variety of gateway security functions<br />
in one system, reducing the complexity of managing a total perimeter<br />
security solution. These security functions include our unprecedented<br />
Application Defenses firewall with embedded anti-virus, anti-spam,<br />
traffic anomaly detection, IDS/IPS, and a whole host of other critical<br />
protective features described below.<br />
Sidewinder G2 includes the only firewall that has never had a CERT<br />
advisory posted against it in over 10 years—a truly remarkable<br />
accomplishment. It recently achieved the highest level of EAL4+<br />
Common Criteria certification possible (far stronger than other vendors’<br />
EAL4 ratings). As a result, your Sidewinder G2 provides you with defense-in-depth<br />
protections against the entire threat matrix around the clock.<br />
Secure Computing Corporation<br />
www.securecomputing.com<br />
Corporate Headquarters<br />
4810 Harwood Road<br />
San Jose, CA 95124 USA<br />
Tel +1.800.379.4944<br />
Tel +1.408.979.6100<br />
Fax +1.408.979.6501<br />
European Headquarters<br />
East Wing, Piper House<br />
Hatch Lane<br />
Windsor SL4 3QP UK<br />
Tel +44.1753.410900<br />
Fax +44.1753.410901<br />
SWOP-MN-ADMN61-C<br />
Asia/Pac Headquarters<br />
1604-5 MLC Tower<br />
248 Queen’s Road East<br />
Wan Chai, Hong Kong<br />
Tel +852.2520.2422<br />
Fax +852.2587.1333<br />
Japan Headquarters<br />
Level 15 JT Bldg.<br />
2-2-1 Toranomon, Minato-ku<br />
Tokyo 105-0001 Japan<br />
Tel +81.3.5114.8224<br />
Fax +81.3.5114.8226<br />
ADDITIONAL SECURITY<br />
SOLUTIONS FROM<br />
SECURE COMPUTING<br />
SIDEWINDER G2 ENTERPRISE MANAGER<br />
Sidewinder G2® Enterprise Manager from<br />
Secure Computing is an enterprise strong®<br />
security appliance that delivers single-point<br />
policy management for hundreds of distributed<br />
Sidewinder G2 systems, and a simple Power-It-On deployment. It provides a robust audit repository,<br />
and is managed remotely from an intuitive<br />
Windows-based software package. It makes central<br />
management of complex hierarchical policies a<br />
reality. SQL database architecture enables you to<br />
customize the software to group firewalls in any<br />
way that is meaningful to your organization, goals,<br />
and mission.<br />
SMARTFILTER PRODUCTS<br />
SmartFilter® products (SmartFilter, Sentian, and<br />
Bess®) enable organizations to understand and<br />
monitor their Internet use, while taking effective<br />
steps to provide appropriate control over outbound<br />
Web access.<br />
SAFEWORD PRODUCTS<br />
SafeWord ® products provide Strong authentication<br />
technology that positively identifies users and<br />
eliminates the password risk—ensuring that only the<br />
right people can make connections to your business.<br />
© 2005 Secure Computing Corporation. All Rights Reserved. Secure Computing,<br />
SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport,<br />
SecureOS, MobilePass, G2 Firewall, Bess, Sidewinder G2, enterprise strong,<br />
PremierAccess, and Strikeback are trademarks of Secure Computing Corporation,<br />
registered in the U.S. Patent and Trademark Office and in other countries.<br />
G2 Enterprise Manager, Application Defenses, RemoteAccess, On-Box, Power-It-On!,<br />
Sentian, and Securing connections between people, applications, and networks are<br />
trademarks of Secure Computing Corporation. All other trademarks used herein<br />
belong to their respective owners.