Sidewinder G2 6.1.2 Administration Guide - Glossary of Technical ...
ADMINISTRATION GUIDE
Copyright

© 2006 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.

Trademarks

Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people, applications and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Software License Agreement

The following is a copy of the Software License Agreement as shown in the software:

CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING “I ACCEPT” BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS. IF YOU DO NOT AGREE WITH THIS AGREEMENT, THEN CLICK “I DO NOT ACCEPT” BELOW AND RETURN ALL COPIES OF THE SOFTWARE AND DOCUMENTATION TO SECURE COMPUTING CORPORATION (“SECURE COMPUTING”) OR THE RESELLER FROM WHOM YOU OBTAINED THE SOFTWARE.

1. SOFTWARE PRODUCTS DEFINITION. “Software Product(s)” means (i) the machine-readable object-code versions of the Sidewinder software contained in the media (the “Software”), (ii) the published user manuals and documentation that are made available for the Software (the “Documentation”), and (iii) any updates or revisions of the Software or Documentation that you may receive (the “Update”). Under no circumstances will you receive any source code of the Software.

2. GRANT OF LICENSE. Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license (without right to sub-license) to use the Software Products as defined herein on a single machine.

3. LIMITATION OF USE. You may not: 1) copy, except to make one copy of the Software solely for back-up or archival purposes; 2) transfer, distribute, rent, lease or sublicense all or any portion of the Software Product to any third party; 3) translate, modify, adapt, decompile, disassemble, or reverse engineer any Software Product in whole or in part; or 4) modify or prepare derivative works of the Software Products. You agree to keep confidential and use your best efforts to prevent and protect the contents of the Software Product from unauthorized disclosure or use. Secure Computing reserves all rights that are not expressly granted to you.

4. LIMITED SOFTWARE PRODUCT WARRANTY. Secure Computing warrants that the medium/media on which its Software is recorded is/are free from defects in material and workmanship under normal use and service for a period of ninety (90) days from the date of shipment to you.

Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that operation of the program will be uninterrupted or error-free. The Software is furnished “AS IS” and without warranty as to the performance or results you may obtain by using the Software. The entire risk as to the results and performance of the Software is assumed by you. If you do not receive media which is free from defects in materials and workmanship during the 90-day warranty period, you will receive a refund for the amount paid for the Software Product returned.
5. DISCLAIMER OF WARRANTY AND LIMITATION OF REMEDIES. THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH VARY BY STATE OR COUNTRY.

SECURE COMPUTING'S AND ITS LICENSORS' ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

6. TERM AND TERMINATION. This license is effective until terminated. You may terminate it at any time by destroying the Software Product, including all computer programs and documentation, and erasing any copies residing on computer equipment. This Agreement also will automatically terminate if you do not comply with any terms or conditions of this Agreement. Upon such termination you agree to destroy the Software Product and erase all copies residing on computer equipment.
7. PROTECTION OF CONFIDENTIAL INFORMATION. The Software Product is delivered to you on a confidential basis and you are responsible for employing reasonable measures to prevent the unauthorized disclosure or use thereof, which measures shall not be less than those measures employed by you in protecting its own proprietary information. You may disclose the Software Product to your employees as necessary for the use permitted under this Agreement. You shall not remove any trademark, trade name, copyright notice or other proprietary notice from the Software Product.

8. OWNERSHIP. This Software is licensed (not sold) to you. All intellectual property rights including trademarks, service marks, patents, copyrights, trade secrets, and other proprietary rights in or related to the Software Products are and will remain the property of Secure Computing or its licensors, whether or not specifically recognized or protected under local law. You will not remove any product identification, copyright notices, or other legends set forth on the Software Product.

9. EXPORT RESTRICTIONS. You agree to comply with all applicable United States export control laws, and regulations, as from time to time amended, including without limitation, the laws and regulations administered by the United States Department of Commerce and the United States Department of State. You have been advised that Software Products are subject to the U.S. Export Administration Regulations. You shall not export, import or transfer Software Products contrary to U.S. or other applicable laws, whether directly or indirectly, and will not cause, approve or otherwise facilitate others such as agents or any third parties in doing so. You represent and agree that neither the United States Bureau of Export Administration nor any other federal agency has suspended, revoked or denied your export privileges. You agree not to use or transfer the Products for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government by regulation or specific license.

10. U.S. GOVERNMENT RIGHTS. Software Products furnished to the U.S. Government are provided on these commercial terms and conditions as set forth in DFARS 227.7202-1(a).

11. ENTIRE AGREEMENT. This Agreement is our offer to license the Software Product to you exclusively on the terms set forth in this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have submitted (or hereafter submit) different, additional, or other alternative terms to Secure Computing or any reseller or authorized dealer, whether through a purchase order or otherwise, we object to and reject those terms. Without limiting the generality of the foregoing, to the extent that you have submitted a purchase order for the Software Product, any shipment to you of the Software Product is not an acceptance of your purchase order, but rather is a counteroffer subject to your acceptance of this Agreement without any objections or modifications by you. To the extent that we are deemed to have formed a contract with you related to the Software Product prior to your acceptance of this Agreement, this Agreement shall govern and shall be deemed to be a modification of any prior terms in their entirety.

12. GENERAL. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such holding shall not affect the validity of the other provisions of this Agreement. You may not assign this License or any associated transactions without the written consent of Secure Computing. This License shall be governed by and construed in accordance with the laws of California, without regard to its conflicts of laws provisions.
Other Terms and Conditions

This product contains software developed by the Net-SNMP project. Copyright © 1989, 1991, 1992 by Carnegie Mellon University. Copyright © 1996, 1998-2000 The Regents of the University of California. All Rights Reserved. Copyright © 2001-2002, Networks Associates Technology, Inc. All rights reserved. Portions of this code are copyright © 2001-2002, Cambridge Broadband Ltd. All rights reserved.

This product contains software developed through the Internet Software Consortium (http://www.isc.org). Copyright © 1996-2001 Internet Software Consortium. Portions Copyright © 1996-2001 Nominum, Inc.

This product contains software developed by Sendmail, Inc. Copyright © 1998-2001 Sendmail, Inc. All rights reserved.

This product includes software and algorithms developed by RSA Data Security Inc.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). Copyright © 1998-2000 The OpenSSL Project. All rights reserved.

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product utilizes MySQL (http://www.mysql.com/). Copyright © 1995, 1996, 2000 TcX AB & Monty Program KB & Detron Stockholm SWEDEN, Helsingfors FINLAND and Uppsala SWEDEN. All rights reserved.

This product incorporates compression code from the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original compression sources are freely available from http://www.cdrom.com/pub/infozip/ or ftp://ftp.cdrom.com/pub/infozip/ on the Internet.

This product includes software developed at the Information Technology Division, US Naval Research Laboratory. Copyright 1995 US Naval Research Laboratory (NRL). All Rights Reserved.

This product includes software developed by the University of California, Berkeley and its contributors. Copyright © 1991, 1992, 1993, 1994, 1995, 1996 Berkeley Software Design Inc. Copyright © 1997, 1998, 1999, 2000, 2001 Berkeley Software Design Inc. All rights reserved. Copyright © 2001 Wind River Systems, Inc. All rights reserved.

This product uses unmodified GNU software. GNU source code is available on request by contacting Secure Computing.

Pine and Pico are registered trademarks of the University of Washington. No commercial use of these trademarks may be made without prior written permission of the University of Washington. Pine, Pico, and Pilot software and its included text are Copyright 1989-1996 by the University of Washington.
Technical Support information

Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support needs.
To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer, send an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our “Contact Secure” Web page for the latest information at www.securecomputing.com.

Customer Advocate information

To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com.

If you have comments or suggestions you would like to make regarding this document or any other Secure Computing document, please send an e-mail to techpubs@securecomputing.com.

Printing history

Date            Part number         Software release
February 2004   SWOP-MN-ADMN61-A    Sidewinder G2, Version 6.1
May 2004        SWOP-MN-ADMN61-B    Sidewinder G2, Version 6.1.0.02
February 2005   SWOP-MN-ADMN61-C    Sidewinder G2, Version 6.1.1
March 2006      SWOP-MN-ADMN61-D    Sidewinder G2, Version 6.1.2
CONTENTS

Preface ... xix
  Who should read this guide ... xix
  Where to find additional information ... xix
  Online help ... xxi
  Reference materials ... xxi
  Typographical conventions ... xxii

CHAPTER 1 Introduction ... 1
  What is the Sidewinder G2 Security Appliance? ... 2
  Sidewinder G2 management options ... 3
  The Type Enforced environment ... 4
  Sidewinder G2 kernels ... 4
  How Type Enforcement works ... 5
  Type Enforcement’s effects ... 8
  Additional Sidewinder G2 operating characteristics ... 8
  Burbs and network stack separation ... 8
  Proxy software and access control ... 10
  IP filtering ... 11
  daemond ... 12
  Network Services Sentry (NSS) ... 15

CHAPTER 2 Administrator’s Overview ... 17
  Administration interface options ... 18
  Admin Console basics ... 19
  Starting and exiting the Admin Console ... 19
  Adding a Sidewinder G2 to the Admin Console ... 20
  Connecting to a Sidewinder G2 via the Admin Console ... 21
  About the main Admin Console window ... 23
  Admin Console conventions ... 25
  Using the Admin Console File Editor ... 26
  Opening and saving files in the File Editor ... 27
  Creating a backup file in the File Editor ... 27
  Restoring a file ... 28
  Using the Find/Replace option ... 29
  Administering Sidewinder G2 using Secure Shell ... 30
Table of Contents
  Configuring the Sidewinder G2 as an SSH server ... 30
  Configuring and using the Sidewinder G2 as an SSH client ... 33
  Configuring the SSH using the Admin Console ... 35
  Tips on using SSH with Sidewinder G2 ... 36
  Administering Sidewinder G2 using Telnet ... 36
  Setting up an internal (trusted) Telnet server ... 36
  Setting up an external Telnet server ... 37
  Connecting to the Sidewinder G2 using Telnet ... 38

CHAPTER 3 General System Tasks ... 39
  Restarting or shutting down the system ... 40
  Powering on the system to the Operational kernel ... 40
  Rebooting or shutting down using the Admin Console ... 41
  Rebooting or shutting down using a command line interface ... 42
  Setting up and maintaining administrator accounts ... 43
  Viewing administrator accounts ... 44
  Adding or modifying an administrator account ... 45
  Changing passwords ... 47
  Setting the system date and time ... 47
  Viewing/changing the date and time ... 47
  Changing the date or time using the config_time utility ... 48
  Using system roles to access type enforced domains ... 49
  Checking which kernel you are running (uname) ... 49
  Checking which domain you are using (whereami) ... 49
  Changing your domain access using the srole command ... 49
  Configuration file backup and restore ... 50
  Overview of configuration file backup and restore ... 50
  Backing up and restoring config files using the Admin Console ... 52
  Activating the Sidewinder G2 license ... 55
  Licensing from a Sidewinder G2 connected to the Internet ... 56
  Licensing from a Sidewinder G2 on an isolated network ... 56
  Configuring the Firewall License tabs ... 58
  Displaying the status of features on Sidewinder G2 ... 62
  Protected host licensing and the Host Enrollment List ... 62
  How hosts are calculated ... 63
  Displaying and modifying the Host Enrollment List ... 64
  Enabling and disabling servers ... 65
  Configuring the synchronization server ... 68
  Configuring virus scanning services ... 69
  Configuring the shund server ... 74
  Loading and installing patches ... 76
  Viewing currently installed patches ... 77
  Loading a patch ... 78
  Installing a patch ... 80
  Modifying the burb configuration ... 82
  Modifying the interface configuration ... 83
  Modifying the static route ... 90
  Configuring Admin Console access ... 91
  Configuring the Sidewinder G2 to use a UPS ... 93
  Configuring the Sidewinder G2 to use a UPS ... 93
  Enabling/disabling the UPS server ... 95
  Enforcing FIPS ... 95

CHAPTER 4 Understanding Policy Configuration ... 97
  Policy configuration basics ... 98
  An example of traffic being processed by the active rules ... 100
  Ordering proxy rules within a rule group ... 101
  Rule elements ... 103
  Planning for rule elements ... 103
  Users and user groups ... 104
  Network objects ... 105
  Service groups ... 108
  Application Defenses ... 109
  Proxy rule basics ... 112
  Basic criteria used to allow or deny a connection ... 112
  Optional criteria used to allow or deny a connection ... 113
  Using NAT and redirection in proxy rules ... 114
  Simple proxy rule examples ... 115
  Example of proxy rules using netgroups ... 116
  Advanced proxy rule example using service groups ... 118
  Default rules ... 120
  IP Filter rule basics ... 121
  How traffic is filtered if stateful packet inspection is enabled ... 122
  How traffic is filtered if stateful packet inspection is not enabled ... 124
  Using NAT and redirection for IP Filter rules ... 125
  Sharing IP Filter sessions in an HA cluster ... 128
  Specifying the number of TCP or UDP IP Filter sessions ... 129

CHAPTER 5 Creating Rule Elements ... 131
  Creating users and user groups ... 132
  Configuring users or user groups ... 133
  Managing user group membership ... 138
  Creating network objects ... 139
  Displaying network objects and netgroups ... 139
  Configuring domain objects ... 142
  Configuring host objects ... 143
  Configuring IP address objects ... 145
  Configuring netmaps ... 145
  Configuring subnet objects ... 147
  Configuring netgroup objects ... 148
  Managing netgroup membership ... 149
  Creating service groups ... 150
CHAPTER 6 Configuring Application Defenses ... 153
  Viewing Application Defense information ... 154
  Creating Web or Secure Web Application Defenses ... 156
  Configuring the Web/Secure Web Enforcements tab ... 156
  Configuring the Web/Secure Web URL Control tab ... 160
  Configuring the Web/Secure Web HTTP Request tab ... 162
  Configuring the Web/Secure Web HTTP Reply tab ... 163
  Configuring the Web/Secure Web MIME/Virus/Spyware tab ... 165
  Configuring the Web/Secure Web Content Control tab ... 168
  Configuring the Web/Secure Web SmartFilter tab ... 169
  Configuring the Web/Secure Web Connection tab ... 169
  Creating Web Cache Application Defenses ... 170
  Creating Mail (Sendmail) Application Defenses ... 172
  Configuring the Mail (Sendmail) Control tab ... 172
  Configuring the Mail (Sendmail) Size tab ... 174
  Configuring the Mail (Sendmail) Keyword Search tab ... 174
  Configuring the Mail (Sendmail) MIME/Virus/Spyware tab ... 177
  Creating Mail (SMTP proxy) Defenses ... 181
  Configuring the Mail (SMTP proxy) Enforcements tab ... 181
  Configuring the Mail (SMTP proxy) Commands tab ... 182
  Configuring the Mail (SMTP proxy) Destination Address tab ... 183
  Configuring the Mail (SMTP proxy) Connections tab ... 184
  Creating Citrix Application Defenses ... 185
  Configuring the Citrix Enforcements tab ... 185
  Configuring the Citrix Filters tab ... 185
  Configuring the Citrix Connections tab ... 186
  Creating FTP Application Defenses ... 186
  Configuring the FTP Enforcements tab ... 187
  Configuring the FTP Command Filter tab ... 187
  Configuring the FTP Virus/Spyware tab ... 188
  Configuring the FTP Connection tab ... 190
  Creating IIOP Application Defenses ... 191
  Creating Multimedia Application Defenses ... 192
  Configuring the Multimedia General tab ... 192
  Configuring the H.323 Filter tab ... 193
  Configuring the T120 Filter tab ... 194
  Configuring the Multimedia Connection tab ... 194
  Creating Oracle Application Defenses ... 194
  Configuring the Oracle Enforcements tab ... 195
  Configuring the Service Name (SID) tab ... 195
  Configuring the Oracle Connection tab ... 196
  Creating MS SQL Application Defenses ... 196
  Creating SOCKS Application Defenses ... 197
  Configuring the SOCKS 5 Filter tab ... 197
  Configuring the SOCKS Connections tab ... 197
  Creating SNMP Application Defenses ... 198
viii
Table <strong>of</strong> Contents<br />
Configuring the SNMP Filter tab . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring the SNMP v1 tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Configuring the SNMP Connection tab . . . . . . . . . . . . . . . . . . . . . . 201
Creating Standard Application Defenses . . . . . . . . . . . . . . . . . . . . . . 201
Configuring the Standard Connections tab . . . . . . . . . . . . . . . . . . . 201
Configuring Application Defense groups . . . . . . . . . . . . . . . . . . . . . . 202
Configuring the Application Defense groups window . . . . . . . . . . . 202
Configuring connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
CHAPTER 7 Configuring Network Defenses . . . . . . . . . . . . . . . . . . . . . . . 207
Viewing Network Defense information . . . . . . . . . . . . . . . . . . . . . . . . 208
Configuring the TCP Network Defense . . . . . . . . . . . . . . . . . . . . . . . 210
Configuring the IP Network Defense . . . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring the UDP Network Defense . . . . . . . . . . . . . . . . . . . . . . . 213
Configuring the ICMP Network Defense . . . . . . . . . . . . . . . . . . . . . . 215
Configuring the ARP Network Defense . . . . . . . . . . . . . . . . . . . . . . . 217
CHAPTER 8 Creating Rules and Rule Groups . . . . . . . . . . . . . . . . . . . . . 219
Viewing rules and rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Creating proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Creating IP Filter rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Creating and managing rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Creating a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Managing rules and nested groups within a rule group . . . . . . . . . 237
Selecting your active policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Viewing the active policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Modifying the active rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Viewing and modifying general IP Filter properties . . . . . . . . . . . . . 241
CHAPTER 9 Configuring Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Proxy basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configuring advanced proxy parameters on a per-rule basis using Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Improving performance using Fast Path Sessions . . . . . . . . . . . . . 245
Proxy session limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Redirected proxy connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Address redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Port redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Standard Sidewinder G2 proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Using other proxies on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . 254
Transparent & non-transparent proxies . . . . . . . . . . . . . . . . . . . . . . . 254
Notes on selected proxy configurations . . . . . . . . . . . . . . . . . . . . . . . 255
Notes on using the Telnet proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Notes on using the FTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
HTTP/HTTPS considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
ICA proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Sun RPC proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Usenet News proxy configurations . . . . . . . . . . . . . . . . . . . . . . . . . 260
T.120 and H.323 proxy considerations . . . . . . . . . . . . . . . . . . . . . 262
Notes on using the DNS proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Setting up a new proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring an SNMP port definition . . . . . . . . . . . . . . . . . . . . . . . 271
TCP maximum segment size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
CHAPTER 10 Setting Up Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Proxy authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Administrator authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Weak versus strong authentication . . . . . . . . . . . . . . . . . . . . . . . . 275
Supported authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Standard password authentication . . . . . . . . . . . . . . . . . . . . . . . . . 278
SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
LDAP/Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Windows Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
SNK (SecureNet Key)/Symantec Defender authentication . . . . . . 281
SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Authentication process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Users, groups, and authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring authentication services . . . . . . . . . . . . . . . . . . . . . . . . . 284
Setting up LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Setting up password authentication . . . . . . . . . . . . . . . . . . . . . . . . 291
Setting up RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . 292
Setting up SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . 294
Setting up SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . 295
Setting up SecureNet Key (SNK) authentication . . . . . . . . . . . . . . 296
Setting up Windows Domain authentication . . . . . . . . . . . . . . . . . . 298
Configuring SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Setting up authentication for services . . . . . . . . . . . . . . . . . . . . . . . . 303
Special authentication notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Setting up authentication for Web sessions . . . . . . . . . . . . . . . . . . . 305
Setting up authentication for administrators . . . . . . . . . . . . . . . . . . . 306
Allowing users to change their passwords . . . . . . . . . . . . . . . . . . . . 306
How users can change their own password . . . . . . . . . . . . . . . . . . . 308
CHAPTER 11 DNS (Domain Name System) . . . . . . . . . . . . . . . . . . . . . . . . 311
What is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
About transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
About Sidewinder hosted DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
About mail exchanger records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Configuring the internal network to use hosted DNS . . . . . . . . . . . . . 315
Enabling and disabling your DNS server(s) . . . . . . . . . . . . . . . . . . . . 316
Using master and slave servers in your network . . . . . . . . . . . . . . 316
Determining the number of DNS servers defined on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Enabling and disabling hosted DNS servers . . . . . . . . . . . . . . . . . 317
Advanced configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Managing your current DNS configuration . . . . . . . . . . . . . . . . . . . . . 318
Configuring transparent name servers . . . . . . . . . . . . . . . . . . . . . . . . 318
Configuring hosted DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Configuring the Server Configuration tab . . . . . . . . . . . . . . . . . . . . 322
Configuring the Zones tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Using the Master Zone Attributes tab . . . . . . . . . . . . . . . . . . . . . . . 329
Using the Master Zone Contents tab . . . . . . . . . . . . . . . . . . . . . . . 333
Reconfiguring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Reconfiguring transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Reconfiguring single server hosted DNS . . . . . . . . . . . . . . . . . . . . 339
Reconfiguring split server hosted DNS . . . . . . . . . . . . . . . . . . . . . . 340
Manually editing DNS configuration files . . . . . . . . . . . . . . . . . . . . . . 342
DNS message logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
CHAPTER 12 Electronic Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Overview of e-mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . 346
Mail server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Mail filtering services on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . 348
Sendmail differences on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . 349
Administering mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . 350
Viewing administrator mail messages on Sidewinder G2 . . . . . . . . 350
Reconfiguring mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Managing sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Editing the mail configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Configuring advanced anti-spam and anti-fraud options . . . . . . . . . . 356
Configuring the Whitelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Configuring the policy.cfg file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Redirecting mail to a different destination . . . . . . . . . . . . . . . . . . . . . 364
Creating a .forward file in a user’s home directory . . . . . . . . . . . . . 364
Creating a .forward file in the root directory . . . . . . . . . . . . . . . . . . 365
Other sendmail features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Configuring sendmail to strip message headers . . . . . . . . . . . . . . . 366
Configuring sendmail to use the RealTime Blackhole list . . . . . . . . 367
Sendmail and promiscuous relaying . . . . . . . . . . . . . . . . . . . . . . . . 368
Allowing or denying mail on a user basis . . . . . . . . . . . . . . . . . . . . 369
Changing mail aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Managing mail queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
CHAPTER 13 Setting Up Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
An overview of Web services on Sidewinder G2 . . . . . . . . . . . . . . . . 374
Web access for users on your internal network . . . . . . . . . . . . . . . 374
Access to your Web server by untrusted external users . . . . . . . . 374
Access to your internal network by trusted external users . . . . . . . 375
Implementation options for Web access . . . . . . . . . . . . . . . . . . . . . . 376
Using the HTTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Setting up Web access using the HTTP proxy . . . . . . . . . . . . . . . . 379
Setting up clientless VPN access for trusted remote users . . . . . . 379
Using the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Setting up Web access using the Web proxy server . . . . . . . . . . . 382
Error messages when using the Web proxy server . . . . . . . . . . . . 382
Configuring the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring caching options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring HTTP filtering options . . . . . . . . . . . . . . . . . . . . . . . . . 386
Manually editing the configuration file . . . . . . . . . . . . . . . . . . . . . . 387
Configuring browsers for the Web proxy server . . . . . . . . . . . . . . . . 389
Mozilla Firefox 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Internet Explorer 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Internet Explorer 5.x/6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Netscape version 6.x/7.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Certain browsers on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
CHAPTER 14 Configuring Virtual Private Networks . . . . . . . . . . . . . . . . . 393
Sidewinder G2 VPN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
An introduction to IPSec technology . . . . . . . . . . . . . . . . . . . . . . . 395
VPN configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Configuring hardware acceleration for VPN . . . . . . . . . . . . . . . . . . 398
Configuring a VPN client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Extended Authentication for VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 399
What type of VPN authentication should I use? . . . . . . . . . . . . . . . 400
Configuring the ISAKMP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Allowing access to the ISAKMP server . . . . . . . . . . . . . . . . . . . . . 403
Configuring the Certificate server . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Understanding virtual burbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Creating and using a virtual burb with a VPN . . . . . . . . . . . . . . . . 407
Configuring client address pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Configuring a new client address pool . . . . . . . . . . . . . . . . . . . . . . 408
Configuring the Subnets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Configuring the DNS and/or WINS servers . . . . . . . . . . . . . . . . . . 411
Configuring the fixed IP map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . 415
Understanding Distinguished Name syntax . . . . . . . . . . . . . . . . . . 416
Selecting a trusted source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring and displaying CA root certificates . . . . . . . . . . . . . . . 420
Configuring and displaying Remote Identities . . . . . . . . . . . . . . . . 422
Configuring and displaying firewall certificates . . . . . . . . . . . . . . . . 424
Configuring and displaying remote certificates . . . . . . . . . . . . . . . . 427
Assigning new certificates for Admin Console and synchronization services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Importing and exporting certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Loading manual remote or firewall certificates . . . . . . . . . . . . . . . . 431
Importing a firewall certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Importing a remote certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Exporting remote or firewall certificates . . . . . . . . . . . . . . . . . . . . . 435
Configuring VPN Security Associations . . . . . . . . . . . . . . . . . . . . . . . 438
Displaying and configuring a VPN Security Association . . . . . . . . . 438
Defining a VPN Security Association . . . . . . . . . . . . . . . . . . . . . . . 440
Example VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Scenario 1: G2-to-G2 VPN via shared password . . . . . . . . . . . . . . 451
Scenario 2: Simple deployment of remote users . . . . . . . . . . . . . . 452
Scenario 3: Large scale deployment of clients . . . . . . . . . . . . . . . . 456
CHAPTER 15 Configuring the SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . 463
SNMP and Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
SNMP basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Setting up the SNMP agent on Sidewinder G2 . . . . . . . . . . . . . . . . . 467
Enabling/disabling the SNMP server . . . . . . . . . . . . . . . . . . . . . . . 469
About the management station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Communication with systems in an external network . . . . . . . . . . . . 471
CHAPTER 16 One-To-Many Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Considerations when using One-To-Many . . . . . . . . . . . . . . . . . . . 475
Example scenario using a One-To-Many cluster . . . . . . . . . . . . . . . . 476
Example scenario requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuring One-To-Many . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Configuring a dedicated cluster burb for each Sidewinder G2 . . . . 477
Configuring the primary in a new One-To-Many cluster . . . . . . . . . 478
Adding a secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Joining a secondary to an existing One-To-Many cluster . . . . . . . . 480
Viewing the status of a One-To-Many cluster . . . . . . . . . . . . . . . . . 481
Changing the primary in a One-To-Many cluster . . . . . . . . . . . . . . 482
Removing Sidewinder G2s from a One-To-Many cluster . . . . . . . . 483
Understanding the One-To-Many tree structure . . . . . . . . . . . . . . . . 484
CHAPTER 17 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
How High Availability works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
HA configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Load sharing HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Failover HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configuring the heartbeat burbs . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Configuring Sidewinder G2 for HA . . . . . . . . . . . . . . . . . . . . . . . . . 493
Joining a Sidewinder G2 to an existing HA cluster . . . . . . . . . . . . 498
Enabling and disabling load sharing for an HA cluster . . . . . . . . . . 500
Removing a Sidewinder G2 from an HA cluster . . . . . . . . . . . . . . . 501
Understanding the HA cluster tree structure . . . . . . . . . . . . . . . . . . . 502
Managing an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Modifying HA common parameters . . . . . . . . . . . . . . . . . . . . . . . . 504
Modifying HA local parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Scheduling a soft shutdown for an HA cluster Sidewinder G2 . . . . 510
Connecting directly to a secondary/standby . . . . . . . . . . . . . . . . . 511
CHAPTER 18 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Monitoring Sidewinder G2 status using the dashboard . . . . . . . . . . . 514
Viewing device information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Viewing network traffic information . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Viewing IPS attack and system event summaries . . . . . . . . . . . . . . . 521
Understanding audit event severities . . . . . . . . . . . . . . . . . . . . . . . 521
Viewing the summary statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Monitoring Sidewinder G2 status using the command line . . . . . . . . 525
Checking system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Checking network status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
CHAPTER 19 Auditing and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Overview of the audit process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Auditing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Understanding audit file names . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Viewing audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Exporting audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Filtering audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Creating custom audit filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Understanding audit messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Logging application messages using syslog . . . . . . . . . . . . . . . . . . . 548
Redirecting audit output to a syslog server . . . . . . . . . . . . . . . . . . 549
Viewing syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Generating reports using the Admin Console . . . . . . . . . . . . . . . . . . 551
About the Reports window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Viewing auto-generated reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Generating exportable reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Generating reports using Sidewinder G2 Security Reporter . . . . . . . 559
Formatting & exporting audit data for use with external tools . . . . . . 560
Overview of supported log file formats . . . . . . . . . . . . . . . . . . . . . . 560
Using Sidewinder G2 formatting and exporting tools . . . . . . . . . . . 561
CHAPTER 20 IPS Attack and System Event Responses . . . . . . . . . . . . . . 563
Overview of attack and system event responses . . . . . . . . . . . . . . . . 564
Creating IPS attack responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Modifying an IPS attack response . . . . . . . . . . . . . . . . . . . . . . . . . 566
Configuring the e-mail settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating system responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Modifying a system response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Configuring the e-mail settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Configuring new event types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Ignoring network probe attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Sidewinder G2 SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
APPENDIX A Command Line Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Overview of cf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Summary of cf structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Working with files on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . 594
Changing your default editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
About editing Sidewinder G2 files . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Checking file and directory permissions (ls) . . . . . . . . . . . . . . . . . . 595
Changing a file’s type (chtype) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Creating your own scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Understanding automatic (cron) jobs . . . . . . . . . . . . . . . . . . . . . . . . . 598
/etc/daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
/etc/weekly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
/etc/monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Rollaudit cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Spamfilter cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
SmartFilter 3.x cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Monitor data retrieval cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Report generating cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Squid log rotation cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
CRL and certificate retrieval cron job . . . . . . . . . . . . . . . . . . . . . . . 601
Anti-virus DAT file cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Package download cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Export utility cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Logcheck cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
APPENDIX B Setting Up Network Time Protocol . . . . . . . . . . . . . . . . . . . . 593
Overview of NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
NTP servers and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
The Sidewinder G2 as an NTP client . . . . . . . . . . . . . . . . . . . . . . . 595
The Sidewinder G2 as an NTP server . . . . . . . . . . . . . . . . . . . . . . 595
Configuring NTP on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . 597
Configuring the Sidewinder G2 as an NTP client . . . . . . . . . . . . . . 597
Configuring the Sidewinder G2 as an NTP server . . . . . . . . . . . . . 598
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Internet Request For Comments (RFC) . . . . . . . . . . . . . . . . . . . . . 599
Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
On-line manual (man) pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
APPENDIX C Configuring Dynamic Routing with OSPF . . . . . . . . . . . . . . 601
Overview of OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
A closer look at OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
OSPF processing on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 604
Sidewinder G2 in an OSPF network topology . . . . . . . . . . . . . . . . 605
Interoperability with other OSPF routers . . . . . . . . . . . . . . . . . . . . 606
Other routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Setting up OSPF routing on the Sidewinder G2 . . . . . . . . . . . . . . . . 606
Configuring OSPF properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring Advanced options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Configuring "passive" OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Other implementation details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
APPENDIX D Configuring Dynamic Routing with RIP . . . . . . . . . . . . . . . . 613
RIP with standard IP routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
RIP processing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 615
RIP with Sidewinder G2 using transparent IP addressing . . . . . . . . . 616
RIP with Sidewinder G2 not using transparent IP addressing . . . . . . 619
Configuring RIP on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 622
Rule list support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Enabling/disabling the routed server . . . . . . . . . . . . . . . . . . . . . . . . . 625
Trace and log information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
A note about flushing filter routes . . . . . . . . . . . . . . . . . . . . . . . . . . 625
APPENDIX E Setting Up SmartFilter Services . . . . . . . . . . . . . . . . . . . . . . 627
Overview of SmartFilter for Sidewinder G2 . . . . . . . . . . . . . . . . . . . . 628
Controlling Web access using the SmartFilter Control List . . . . . . . . 628<br />
Evaluating the SmartFilter Control List . . . . . . . . . . . . . . . . . . . . . . 628<br />
Subscribing to the SmartFilter Control List . . . . . . . . . . . . . . . . . . . 629<br />
Configuring SmartFilter for HTTP/HTTPS . . . . . . . . . . . . . . . . . . . . . 630<br />
Configuring the SmartFilter for Web and Secure Web tab . . . . . . . 631<br />
Configuring proxy rules for SmartFilter version 4.0.2 . . . . . . . . . . . 632<br />
Category codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Table <strong>of</strong> Contents<br />
APPENDIX F Basic Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635<br />
Powering up the system to the Administrative kernel . . . . . . . . . . . .636<br />
Enabling and disabling authentication for the administrative<br />
kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636<br />
Restoring access to the Admin Console . . . . . . . . . . . . . . . . . . . . . .637<br />
Backing up system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638<br />
Performing a full system backup (level0) . . . . . . . . . . . . . . . . . . . .638<br />
Performing an incremental backup . . . . . . . . . . . . . . . . . . . . . . . . .639<br />
Restoring system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641<br />
Performing a full system restore . . . . . . . . . . . . . . . . . . . . . . . . . . .642<br />
Performing an incremental restore via the do.restore script . . . . . .643<br />
Restoring configuration files using the command line . . . . . . . . . . .646<br />
Adding hardware to an active <strong>Sidewinder</strong> <strong>G2</strong> . . . . . . . . . . . . . . . . . .647<br />
Recovering when the licensed NIC fails . . . . . . . . . . . . . . . . . . . . . . .649<br />
Replacing and relicensing a network interface card . . . . . . . . . . . .649<br />
Troubleshooting licensing problems . . . . . . . . . . . . . . . . . . . . . . . .650<br />
What to do if the boot process fails . . . . . . . . . . . . . . . . . . . . . . . . . .651<br />
System reboot messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651<br />
Re-imaging your <strong>Sidewinder</strong> <strong>G2</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . .652<br />
If you forget your administrator password . . . . . . . . . . . . . . . . . . . . .653<br />
Changing your password in the administrative kernel . . . . . . . . . .653<br />
Using maintenance mode to disable authentication when you have forgotten<br />
your password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653<br />
Manually clearing an authentication failure lockout . . . . . . . . . . . .654<br />
Interpreting beep patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655<br />
If a patch installation fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656<br />
Troubleshooting proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657<br />
Failed connection requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657<br />
Monitoring allow and deny rule audit events . . . . . . . . . . . . . . . . . .659<br />
Active rules and the DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660<br />
Understanding FTP and Telnet connection failure messages . . . . . .661<br />
Troubleshooting High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . .662<br />
Viewing configuration-specific information . . . . . . . . . . . . . . . . . . .662<br />
Viewing status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662<br />
Identifying load sharing addresses in netstat and ifconfig . . . . . . .665<br />
Interface configuration issues with HA . . . . . . . . . . . . . . . . . . . . . .666<br />
Troubleshooting remote interface test failover for peer-to-peer HA 666<br />
Troubleshooting NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666<br />
Why did NTP stop? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667<br />
Why does NTP appear to be inaccurate? . . . . . . . . . . . . . . . . . . . .667<br />
NTP clients will not synchronize with the <strong>Sidewinder</strong> <strong>G2</strong> . . . . . . . .667<br />
Restarting NTP from the UNIX prompt . . . . . . . . . . . . . . . . . . . . . .667<br />
Troubleshooting VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668<br />
<strong>Glossary</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .669<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683<br />
xvii
Table <strong>of</strong> Contents<br />
xviii
PREFACE

Who should read this guide

This guide is intended for a Sidewinder G2 administrator. You should read this guide if you are responsible for configuring and managing a Sidewinder G2 Security Appliance.

This guide assumes you have:
• A working knowledge of UNIX and Windows operating systems.
• A basic understanding of system administration.
• A working knowledge of the Internet and its associated terms and applications.
• An understanding of networks and network terminology, including TCP/IP protocols.

Where to find additional information

The Management Tools CD includes the Sidewinder G2 documentation in .pdf format. When you install the Management Tools on a Windows-based system, the documents are automatically loaded onto your hard drive. You can view them by selecting Start > Programs > Secure Computing > Sidewinder G2 3.0 Admin Console > Documentation.

Note: To view Sidewinder G2 documents prior to installing the Windows-based tools, browse to the \Manuals directory on the Management Tools CD.
Table 1: Summary of Sidewinder G2 documentation

Startup Guide: Steps you through setting up your initial Sidewinder G2 configuration.

Administration Guide: This is the guide you are currently reading. It provides complete administration information on all Sidewinder G2 functions and features. You should read this guide if you are responsible for configuring and managing a Sidewinder G2 Security Appliance.

Enterprise Manager Startup Guide: Steps you through setting up your initial Sidewinder G2 Enterprise Manager configuration. You should read this guide if you are responsible for configuring and managing a G2 Enterprise Manager.

Enterprise Manager Administration Guide: Provides complete administration information on all Sidewinder G2 Enterprise Manager functions and features. You should read this guide if you are responsible for configuring and managing Sidewinder G2 using the Enterprise Manager.

Online help: Online help is built into Sidewinder G2. The Quick Start Wizard provides help for each configuration window. The Admin Console program provides detailed screen-based online help as well as topic-based online help.

Application notes: Detailed instructions for setting up specific configurations, such as setting up Sidewinder G2 to work with another vendor's product or environment. Application notes are located at: www.securecomputing.com/goto/appnotes

Knowledge Base: Supplemental information for all other Sidewinder G2 documentation. Articles include helpful troubleshooting tips and commands. The Knowledge Base is located at: www.securecomputing.com/supportkb.cfm

For the latest information regarding Sidewinder G2 and other Secure Computing products, refer to our Web site at: www.securecomputing.com.
Online help

The Sidewinder G2 graphical user interface (known as the Admin Console) provides comprehensive online help. To access online help, click the help icon in the toolbar.

Man (or "manual") pages provide additional help on Sidewinder G2-specific commands, file formats, and system routines. To view the available information for a specific topic, enter one of the following commands:

man -k topic

or

apropos topic

where topic is the subject that you want to look up.

Reference materials

If you are new to system administration, you may find the following resources useful:

Note: Some of these resources are referenced throughout this guide.

• UNIX System Administration Handbook, 3rd Edition, by Nemeth, et al. (Prentice Hall).
• Managing Internet Information Services by Liu, et al. (O'Reilly and Associates, Inc.).
• A standard reference on computer security is Firewalls and Internet Security by Cheswick and Bellovin (Addison-Wesley).
• For network management information, see TCP/IP Network Administration by Craig Hunt (O'Reilly & Associates, Inc.).
• For information on handling mail on UNIX networks, see Sendmail by Bryan Costales, with Eric Allman and Neil Rickert (O'Reilly & Associates, Inc.).
• For Domain Name System information, see DNS and BIND by Cricket Liu and Paul Albitz (O'Reilly & Associates, Inc.).
• For information about Internet Request for Comments (RFC) documents, refer to one of the following Web sites:
  http://www.cse.ohio-state.edu/cs/Services/rfc/index.html
  http://www.ietf.org/rfc.html
Typographical conventions

This guide uses the following typographic conventions:

Table 2: Conventions used in this guide

boldface courier: Commands and keywords you type at a system prompt are in boldface.

\ (backslash character in a command string): When a command does not fit on the same line in this document, the backslash (\) character is used to indicate continuation. Enter the command as shown, ignoring the backslash.

courier italic: Placeholders for text you type. Words that appear in brackets are placeholders for optional text.

courier plain: Text displayed by this product on a computer screen.

plain text italics: Names of files and directories.

Body Text Highlight: Buttons, field names, and tabs in procedures that require user interaction.

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered elsewhere in the manual.

Tip: Means the following information will describe a time-saving action or help you solve a problem.

Important: Means the following text will provide information essential to the successful completion of a task or procedure.

Caution: Means reader be careful. In this situation, you might do something that could result in loss of data or an unpredictable outcome.

Security Alert: Emphasizes information that is critical to maintaining product integrity or security.

127.10.3.4, 127.10.3.2, 127.9.7.72 (example addresses): IP addresses, screen captures, and graphics within this document are intended as examples. They do not necessarily represent a proper or complete configuration or the configuration that is appropriate to your needs. Often features are enabled so they are clear in the screen capture. Not all features are appropriate or desirable for your Sidewinder G2 setup.
CHAPTER 1
Introduction

In this chapter...
What is the Sidewinder G2 Security Appliance? ... 2
Sidewinder G2 management options ... 3
The Type Enforced environment ... 4
Additional Sidewinder G2 operating characteristics ... 8
What is the Sidewinder G2 Security Appliance?

The Sidewinder G2 Security Appliance is a network security gateway that allows you to connect your organization to the Internet while protecting your network from unauthorized users and network attackers. It combines an application-layer firewall, IPSec VPN capabilities and clientless VPN access, anti-spam/anti-fraud and anti-virus/anti-spyware filtering engines, and SSL decryption into one Unified Threat Management (UTM) security appliance, designed to offer centralized perimeter security.

The Sidewinder G2 provides a high level of security by using SecureOS®, an enhanced UNIX operating system that employs Secure Computing's patented Type Enforcement® security technology. SecureOS removes the inherent security risks often found in a network application running on non-security-focused commercial operating systems, resulting in superior network security.

Tip: For more information regarding the Sidewinder G2 Security Appliance and its benefits, refer to our Web page at www.securecomputing.com/hardware. Information about the hardware warranty is available at www.securecomputing.com/goto/warranty.

The Sidewinder G2 prevents host identification masquerading (IP spoofing), making it very difficult for attackers to infiltrate your protected network(s). The Sidewinder G2 also offers advanced authentication and encryption software. Encryption allows authorized users on the Internet to access your protected network without fear of attackers eavesdropping (IP sniffing) or stealing access credentials and other valuable information.

The Sidewinder G2 allows public services such as e-mail, a public file archive (FTP), and World Wide Web (Web) access while protecting the other computers on your protected network(s). The Sidewinder G2 also provides powerful configuration options that allow you to control access by your employees to almost any publicly available service on the Internet.

A minimum Sidewinder G2 configuration supports two network interfaces. However, you can add network interfaces for a total of up to 64 network connections. Sidewinder G2 can be used as a gateway between your internal network and the Internet, or between any networks with different security needs. Figure 1 shows Sidewinder G2 protecting a company's internal network.

Figure 1: Sidewinder G2 protecting your organization's network (diagram: the protected network connects to the Sidewinder G2, which connects through a router to the Internet)
The configuration shown in Figure 2 is useful in providing protection for two otherwise separate networks within your organization, or between your organization and a strategic business partner. This configuration uses three network interfaces.

Figure 2: Protecting multiple networks with Sidewinder G2 (diagram: two protected networks, labelled "your network" and "trusted network", connect to the Sidewinder G2, which connects through a router to the Internet)

Sidewinder G2 management options

The Sidewinder G2 provides interface flexibility that allows multiple management options:
• Admin Console: You can install and use the graphical user interface software, referred to as the Admin Console, on a Windows® operating system, allowing you to easily connect to and manage your Sidewinder G2. The Admin Console displays the Sidewinder G2 dashboard, a centralized way to view system status, from current patch level and uptime to recent attempted attacks. All Admin Console sessions are encrypted.
• SSH session: You can establish a secure shell (SSH) session to administer the Sidewinder G2 via the command-line interface from a Windows, UNIX, or other workstation capable of running an SSH client.
• Telnet session: You can also establish a Telnet connection to open a command line session with the Sidewinder G2. Telnet is not encrypted, so the administrator's credentials and the whole session cross the network in cleartext; use Telnet sessions to your Sidewinder G2 only from a network you trust.

Tip: See Chapter 2 for details on using each management option.
The Type Enforced environment

As mentioned earlier in this chapter, Sidewinder G2 runs under SecureOS, a version of BSD/OS that Secure Computing has enhanced with a patented security technology called Type Enforcement. Type Enforcement was originally developed by Secure Computing Corporation for the Secure Network Server, a product which meets strict U.S. government standards for computer security.

For the most part, Type Enforcement does not require any extra effort on your part. The following subsections describe the areas that affect how you use the system and access files, and of which you should be aware.

Sidewinder G2 kernels

The Sidewinder G2 contains two separate UNIX kernels that each serve a specific purpose:
• Operational kernel: This is the kernel that is running during normal operation. By default, the system boots to the Operational kernel. In this mode, the Sidewinder G2 is connected to the Internet and to your internal networks, and all network services are operational. Most importantly, the system is fully protected by the Type Enforcement security software. For information on booting to the Operational kernel, refer to "Restarting or shutting down the system" on page 40.
• Administrative kernel: This kernel is used only when an administrator needs to perform special tasks on the Sidewinder G2, such as installing or restoring Sidewinder G2 software. When the Administrative kernel is running, all network connections are disabled and Internet services are not available; the Type Enforcement security software is also disabled. Access to the Administrative kernel is tightly controlled and cannot be granted remotely.

Important: When you boot to the Administrative kernel, the system can be accessed only by attaching a monitor and keyboard (or a laptop) directly to your Sidewinder G2. For information on booting to the Administrative kernel, refer to "Powering up the system to the Administrative kernel" on page 636.
Table 3 lists the major differences between the two kernels. The Operational kernel features are described in the section immediately following this table.

Table 3: Sidewinder G2 kernels

Operational kernel: SecureOS is protected by Type Enforcement. (Type Enforcement is used at every critical system call and cannot be turned off.)
Administrative kernel: Type Enforcement is disabled. File types and domains exist, but are not enforced.

Operational kernel: Normal operating state. The Sidewinder G2 will automatically boot to this kernel.
Administrative kernel: Used when performing certain administrative tasks or installing software on the Sidewinder G2.

Operational kernel: Network connections are enabled; Internet services are available. Traffic flows through the Sidewinder G2.
Administrative kernel: No traffic passes through the Sidewinder G2.

Operational kernel: Divided into many application domains; domain restrictions are enforced.
Administrative kernel: Domain restrictions are not enforced.

Operational kernel: Administrator access is controlled by authenticated login and access rules.
Administrative kernel: Administrator access is limited to a keyboard and monitor attached directly to the Sidewinder G2. By default, login and access rules do not apply. (You can configure the Administrative kernel to require authentication, if desired.)

Operational kernel: Access to files by a process is restricted based on the Domain Definition Table.
Administrative kernel: Access to files by a process is restricted only by standard UNIX permissions.

How Type Enforcement works

UNIX is not known to be a particularly secure operating system. Logging in as super-user (root) gives you access to all system files; an intruder who knows how to acquire root privileges can access any files or applications on a system. In addition, UNIX does not have tight control over how data files are shared among the processes running on a system. This means that an intruder who managed to break into one area of a system, such as e-mail, may be able to easily gain access to other files on the system.
The Type Enforcement software in the Sidewinder G2 Operational kernel is designed to plug these security holes. This is done by using the following mechanisms (each of the mechanisms is described below):
• provides maximum network protection
• provides Type Enforced domain processes
• controls Type Enforced attributes applied to files and sockets
• controls inter-domain operations, such as signals
• controls access to system calls
• controls the files a process can access

Maximum network protection

Secure Computing's patented Type Enforcement technology provides network security protection that is unique to the industry. By using Type Enforcement within the operating system, the Sidewinder G2 provides the highest level of security.

Type Enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks. On the Sidewinder G2, there is no concept of a root super-user. Type Enforcement controls all interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as though the files do not exist.

Type Enforced domain processes

A standard UNIX system separates processes only by user and group identities, and those identities can be completely subverted by a user who obtains root privileges. The Sidewinder G2 prevents this by providing separate, Type Enforced domains for each process running on the system. Type Enforced domains provide more intricate control over what each process is allowed to do (see Figure 3).

Figure 3: Example of domain separation structure on the Sidewinder G2 (diagram showing separate domains, including SMTP, Audit, User, Kernel, Network, News and Telnet)
Type Enforced attributes

When an administrator initially logs into the Sidewinder G2 at a command line prompt, they are automatically placed in the User domain, which allows no access to sensitive files. An administrator may then switch to their defined administrative role's domain using the srole command (for Admn) or srole adminro (for AdRO). The Admn domain allows an administrator access to all administrative functions. The AdRO domain allows read-only access to the system configuration areas, as well as the ability to generate reports. An administrator with read-only access cannot make system modifications.

This guide assumes that most commands will be issued by administrators with read/write access, and therefore only includes the srole command. If you are a read-only administrator and have reason to access the command line, always use srole adminro instead of srole alone.

For information on assigning administrator roles, see "Setting up and maintaining administrator accounts" on page 43.

Inter-domain operations

Interactions between domains, such as signalling, are also controlled by Type Enforcement. For example, a process running in the SMTP domain cannot send a signal to the Telnet server running in the Telnet domain.

Access to system calls

A typical UNIX system has many privileged system calls that could enable malicious users to access the kernel directly and compromise the system. The Sidewinder G2 solves this problem with a set of flags for each domain that indicate which system calls can be made from that domain.

Files available to a process

Process-to-file access is controlled by a Domain Definition Table that maps out the various classes of data files and processes that may be running on the Sidewinder G2. The table specifies which process domains can access different types of files and what type of access is allowed (such as read/write/execute). This table cannot be circumvented.

Your system is pre-configured so that domains have access only to the files they need. The Domain Definition Table cannot be changed while the Operational kernel is running. This prevents intruders from tricking the kernel into modifying the table. Also, Type Enforcement prevents intruders from installing software that may be used to circumvent Sidewinder G2 security mechanisms.
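The three controls described in this section (the Domain Definition Table, the per-domain system-call flags, and controlled inter-domain signalling) can be pictured with a small access-check model. The following Python is an added illustration written for this page; it is not SecureOS code and does not reflect any Sidewinder G2 file format. The domain names, file types, paths, system-call names and permissions in it are assumed for the example. What it shows is the behaviour the text calls out: the user id plays no part in the decision (there is no root that bypasses the table), the table is read-only once loaded, and a denied file access fails with ENOENT, exactly as though the file did not exist.

```python
"""Toy model of the Type Enforcement controls described above.

Added illustration, not SecureOS code. Domain names, file types and the
permissions in the tables are assumed for the example. It models a Domain
Definition Table mapping (domain, file type) to allowed access modes,
per-domain system-call flags, and an explicit inter-domain signal matrix.
Anything not listed is denied, and a denied file access surfaces as
ENOENT, i.e. exactly as though the file did not exist.
"""
import errno
from types import MappingProxyType

# Domain Definition Table (assumed values). Key: (domain, file type) ->
# allowed access modes. A missing key means no access of any kind.
# MappingProxyType gives a read-only view: the text says the table cannot
# be changed while the Operational kernel is running.
DDT = MappingProxyType({
    ("Smtp", "mail_spool"):      frozenset({"read", "write"}),
    ("Smtp", "smtp_config"):     frozenset({"read"}),
    ("Telnet", "telnet_config"): frozenset({"read"}),
    ("Audit", "audit_log"):      frozenset({"write"}),
    ("Admn", "smtp_config"):     frozenset({"read", "write"}),
    ("Admn", "telnet_config"):   frozenset({"read", "write"}),
    ("Admn", "audit_log"):       frozenset({"read"}),
    ("User", "user_file"):       frozenset({"read", "write", "execute"}),
})

# Per-domain system-call flags (assumed). An unlisted call is refused.
SYSCALL_FLAGS = {
    "Smtp":   frozenset({"read", "write", "socket", "bind"}),
    "Telnet": frozenset({"read", "write", "socket", "bind", "fork"}),
    "Audit":  frozenset({"read", "write"}),
    "Admn":   frozenset({"read", "write", "socket", "fork", "reboot"}),
    "User":   frozenset({"read", "write", "fork"}),
}

# Inter-domain signalling (assumed): only these (sender, receiver) pairs.
SIGNAL_ALLOWED = frozenset({("Admn", "Smtp"), ("Admn", "Telnet"), ("Admn", "Audit")})

# Type attribute attached to each file (assumed paths and labels).
FILE_TYPES = {
    "/var/spool/mqueue/df123": "mail_spool",
    "/etc/sendmail.cf":        "smtp_config",
    "/etc/telnetd.conf":       "telnet_config",
    "/var/audit/current":      "audit_log",
    "/home/alice/notes":       "user_file",
}


class Denied(FileNotFoundError):
    """A denied file access; deliberately indistinguishable from ENOENT."""


def open_file(domain, path, mode):
    """Return the file's type if `domain` may open `path` with `mode`.

    The caller's uid is not an input: there is no root that bypasses this
    check. A denial raises Denied carrying errno ENOENT, so a process in
    the wrong domain cannot even learn whether the file exists.
    """
    ftype = FILE_TYPES.get(path)
    allowed = DDT.get((domain, ftype), frozenset())
    if mode not in allowed:
        raise Denied(errno.ENOENT, "No such file or directory", path)
    return ftype


def syscall_permitted(domain, name):
    """True if the domain's flag set permits system call `name`."""
    return name in SYSCALL_FLAGS.get(domain, frozenset())


def signal_permitted(src_domain, dst_domain):
    """True only for explicitly listed pairs; SMTP -> Telnet is not one."""
    return (src_domain, dst_domain) in SIGNAL_ALLOWED


def demo():
    """Run the checks the text describes and return the outcomes."""
    out = {"smtp_reads_spool": open_file("Smtp", "/var/spool/mqueue/df123", "read")}
    try:
        open_file("Smtp", "/etc/telnetd.conf", "read")
    except Denied as exc:
        out["smtp_reads_telnet_config"] = exc.errno   # ENOENT, not EACCES
    out["smtp_signals_telnet"] = signal_permitted("Smtp", "Telnet")
    out["smtp_calls_reboot"] = syscall_permitted("Smtp", "reboot")
    out["admn_calls_reboot"] = syscall_permitted("Admn", "reboot")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. Denials raise a FileNotFoundError subclass rather than a PermissionError so that a probing process sees the same error for "no such file" and "file of a type your domain may not touch"; this is the "fail as though the files do not exist" property. And the table is exposed through a read-only mapping proxy so that nothing running in the model can add a grant at run time, which is the property the text attributes to the Operational kernel.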
Chapter 1: Introduction<br />
Additional <strong>Sidewinder</strong> <strong>G2</strong> operating characteristics<br />
Additional<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
operating<br />
characteristics<br />
8<br />
Type Enforcement’s effects<br />
The previous section outlined how Type Enforcement works. Listed below are<br />
the major ways in which Type Enforcement affects you and other users:<br />
• Non-administrative users will not be aware <strong>of</strong> Type Enforcement (unless<br />
they try to perform unauthorized activities).<br />
• In the Operational kernel, there is no concept <strong>of</strong> a super-user who can have<br />
complete system control. The “root” account has no special privileges. The<br />
Admin role operating in the Admn domain has access to most system files,<br />
but is still not as powerful as root on a standard UNIX system.<br />
• Domains make it difficult for an intruder to do damage. Breaking into the<br />
domain in which an application is executing does not provide access to the<br />
files required for administering that application.<br />
• Some system administration cannot be performed in the Operational kernel<br />
and must be done in the Administrative kernel. While in the Administrative<br />
kernel, the <strong>Sidewinder</strong> <strong>G2</strong> is not accessible to any other user or the<br />
Internet. When the Administrative kernel is running, Type Enforcement is<br />
turned <strong>of</strong>f, which allows you to perform procedures such as a s<strong>of</strong>tware<br />
upgrade or a full system backup and restore.<br />
This section lists additional significant differences between <strong>Sidewinder</strong> <strong>G2</strong> and<br />
a standard UNIX system.<br />
Burbs and network stack separation

While installing or managing the Sidewinder G2, you will notice the use of the term burb. A burb is an interface and all the systems it connects. Each burb must have a unique name (for example, internal, external).

As an example of how burbs are used, suppose your organization has two internal (protected) networks that need to be connected to the external network (Internet), but the corporate security policy requires that there be limited or no information flow between the two internal networks. In this scenario, you would configure three burbs for your Sidewinder G2, as shown in Figure 4. The security policy must be defined to enforce the required control over information flow between the two internal security burbs and between the external burb and the individual internal burbs, while also protecting the internal burbs from unauthorized access from the Internet.
Figure 4: Multiple Type Enforced areas (burbs) on Sidewinder G2 (trusted networks; Sidewinder G2 showing Type Enforced network areas (burbs); router; Internet)
One of the unique aspects of the SecureOS is the use of multiple logical network stacks to strengthen the enforcement of the inter-burb aspects of the system security policy. A network stack consists of different layers of software responsible for different aspects of the communications. For example, one layer checks a message’s routing information to ensure that it is transmitted to the correct network. Normal computing systems, and firewalls that operate on an unsecured OS, have only one network stack.

The SecureOS includes modifications that provide stronger separation of communication between different burbs. There are checks at all layers of the software to ensure that the network stack data from one burb is not mixed with, or impacted by, data associated with another burb. This logical separation of the network stacks by security burb is augmented by the Type Enforcement security policy, which is integral to SecureOS. It controls all operational aspects of the system, including enforcement of the separation of data processing by security burb. This ensures that information passes from one burb to another only if the network security policy says the specific information flow is allowed.

Figure 5 shows this logical network separation and the processing elements involved in the transfer of data between the network stacks associated with each burb. Before a process can interact with a network stack, the Type Enforcement security policy must indicate that the process is allowed to interact with that burb’s network stack.
Figure 5: Logical network protocol stacks provide network separation (trusted network; Sidewinder G2 logical network protocol stacks; Internet)

Proxy software and access control
The Sidewinder G2 uses special programs, called proxies, to forward application data between two burbs, such as your network and the Internet. Proxies essentially provide a go-between that can communicate with the burbs on Sidewinder G2. For example, when a user on an internal burb tries to establish an Internet connection, Sidewinder G2 intercepts the connection attempt and opens the connection on the user’s behalf. All Internet connections are made by the Sidewinder G2 so that the internal network never communicates directly with the Internet burb. You can configure transparency on a per-rule basis, allowing it to appear from a user’s perspective as if they are connecting directly to the destination and not connecting to the Sidewinder G2 first.

Important: Proxies communicate between two Type Enforced network areas in Sidewinder G2. Therefore, proxies are not used to control an external (Internet) user’s access to the external side of the Sidewinder G2. For example, when an external user accesses a Telnet server that you have made publicly available on the external side of the Sidewinder G2, there will be no proxy to intervene. For users on the Internet, proxies are only used when they try to access an internal burb on the Sidewinder G2.

The Sidewinder G2 supports Web (HTTP), Telnet, and many other TCP-based proxies. The Sidewinder G2 also supports proxies for routing SNMP, NTP, DNS, and other types of services that require UDP transmissions. You can also create your own special proxies for other services. In addition, the Sidewinder G2 provides proxies that use multiple TCP and/or UDP sessions such as FTP, Real Media, and Oracle SQLNet.
Most proxies are disabled by default and must be enabled on the Services Configuration > Proxies window before that type of traffic can pass through Sidewinder G2. Once a proxy is enabled, you can configure which internal users can use each type of proxy by creating proxy rules and organizing them into rule groups that enforce your site’s security policy. For example, you can configure rules that allow all internal users to access all Internet Web sites, or you can prohibit users from accessing the Web from specific internal systems or from accessing specific Web sites. You can also configure advanced, application-specific properties for your proxy rules using Application Defenses.

Note: See Chapter 4 for a detailed description of proxy rules and Application Defenses. See Chapter 9 for a detailed description of the Sidewinder G2 proxies and procedures for configuring them.
IP filtering

You can configure the Sidewinder G2 to securely forward IP packets between networks using IP Filter rules. Unlike proxies, which operate at the application layer and in most cases on TCP or UDP traffic, IP Filter operates directly on IP packets, allowing non-TCP/UDP (as well as TCP/UDP) traffic to pass between the networks. For example, with IP Filter you can pass encrypted VPN sessions through the Sidewinder G2.

IP Filter works by inspecting many of the fields within a packet, including the source and destination IP address, port, and protocol. Each packet that arrives at the Sidewinder G2 will be inspected and compared to an active IP Filter rule group that you have configured. Matching packets will then be forwarded on to the destination network.

You can configure IP Filter to inspect TCP, UDP, and many other protocols. With TCP, UDP, and ICMP, the Sidewinder G2 can actively track individual sessions by performing stateful inspection. This ensures that only packets valid for a new session or a portion of an existing session are sent on to the final destination. In addition, the Sidewinder G2 supports the ability to perform Network Address Translation (NAT) and redirection when using IP Filter. Using NAT, the source address of outgoing IP packets is translated from the client's IP address to the external address of the Sidewinder G2. Using redirection, the destination address of an incoming packet is rewritten to a redirect host. Using NAT and/or redirection allows the IP addresses of machines behind the Sidewinder G2 to be hidden. You can also allow a private, non-routable network (such as 10.0.0.0) to access the Internet using NAT.

Note: See Chapter 4 for information on using IP Filter rules.
daemond

The daemond (pronounced demon-dee) process is a powerful component that enhances overall security. It monitors and controls all of the major software components on Sidewinder G2. It also detects and audits some classes of attacks against the Sidewinder G2.

For example, should someone try to attack a Sidewinder G2 service (such as sendmail), causing the component to crash, the daemond process will detect the failure, immediately restart the failed component, and create a critical event audit entry (allowing the administrator to be notified and respond to the attack).

daemond starts during the Sidewinder G2 boot process. On start up, it reads the /etc/sidewinder/daemond.conf file to determine its configuration options. As a Sidewinder G2 administrator, there are two daemond options you should be aware of: default memory size and failure mode.

About the default memory size option

If no memory size is specified for a service in the /etc/server.conf or /etc/sidewinder/nss.common.conf files, the default memory size option specifies the size (in MB) that daemond will give each of the services it starts. The default size is 128 MB. If there is no value present in the daemond configuration file, it will use the default value from /etc/login.conf.

About the failure (safe) mode option

By default, daemond will run in its normal mode (that is, failure mode is not configured and daemond will run in its normal, operational mode). This means that daemond will attempt to start all enabled components in the /etc/server.conf and /etc/sidewinder/nss.common.conf files. When failure mode is enabled in the /etc/sidewinder/daemond.conf file, and a failure event has occurred, daemond will start in failure mode (also called safe mode). This means that daemond will only start the components that are enabled for failure mode in the /etc/server.conf and /etc/sidewinder/nss.common.conf files. Components that are NOT enabled for failure mode will not be started.

Failure mode is set under any of the following circumstances:

• a license check fails
• the audit partition overflows
• an error occurs while installing a patch

Note: If a patch fails for any reason, the patch process will configure daemond to start in failure mode. This is done in order to secure the system and provide only necessary administrator access to the Sidewinder G2.
If you configure a failover High Availability (HA) cluster, the standby Sidewinder G2 will run in failure mode. If the primary Sidewinder G2 becomes unavailable and the standby is required to take over as the primary Sidewinder G2, daemond will start all services for that Sidewinder G2.

If the primary Sidewinder G2 in an HA cluster goes into failure mode and the secondary/standby Sidewinder G2 is not available, the primary Sidewinder G2 will remain as the primary Sidewinder G2, but the priority value for that Sidewinder G2 will change to one, ensuring that if a secondary/standby Sidewinder G2 becomes available, it can take over as the primary Sidewinder G2. For information on HA, see Chapter 17.
daemond and run levels

When running in either normal mode or failure mode, daemond starts components according to their run level. After each component in a run level has started, daemond “sleeps” for the run level interval specified in the /etc/daemond.conf file. After the sleep completes, daemond starts the components in the next run level. There are five different run levels. Each run level contains the following components:

Table 4: daemond run levels

Run level   Component
0           auditd, auditsql, aclsql, swedesql
1           acld, auditbotd, resolverd, upsd
2           auditdbd, named-unbound, named-internet, randomd
3           nss
4           All remaining proxies and servers. This is also the default run level.

There are four key components that must be enabled and running before daemond will successfully boot the Sidewinder G2. These are: auditd, auditsql, aclsql, and acld.

Whether running in normal or failure mode, daemond will fail to bring the Sidewinder G2 up completely if any of the following situations occur:

• A configuration file error exists in any of the three files daemond parses: /etc/daemond.conf, /etc/server.conf, and /etc/sidewinder/nss.common.conf.
• The system has not been properly licensed or activated.
• A key component failed to start up or was not properly enabled.
• A patch installation failed.
If one of these error conditions occurs, a message appears notifying you that your system has booted to failure mode along with the reason why it booted to failure mode. The reason for the failure will be logged in /var/log/daemond.log. If none of the above situations occur, daemond will bring the system up without error.
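The following is an added model of the boot sequencing described above, not Sidewinder G2 code: it applies Table 4's run levels, the four key components, the failure-mode subset and the four boot-failure conditions to a constructed component list (which components are flagged for failure mode, and the order in which the failure reasons are checked, are assumptions).

```python
"""Model of how daemond sequences component start-up (added example, not
Sidewinder G2 code). Run levels, key components and failure conditions follow
the guide; the component list and failure-mode flags are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """Stand-in for one entry of /etc/server.conf or nss.common.conf."""
    name: str
    run_level: int              # 0..4, as in Table 4
    enabled: bool = True        # started in normal mode
    failure_mode: bool = False  # also started in failure (safe) mode


# Must be enabled and start successfully before daemond brings the box up.
KEY_COMPONENTS = ("auditd", "auditsql", "aclsql", "acld")
DEFAULT_RUN_LEVEL = 4


def plan_startup(components, failure_mode=False, config_error=False,
                 licensed=True, patch_failed=False, failed_to_start=()):
    """Return (ok, reason, start_order) for one daemond boot.

    start_order is a list of (run_level, [component names]) in ascending
    run level; daemond sleeps for the configured interval between levels.
    The order in which the failure reasons are checked is an assumption.
    """
    if config_error:
        return False, "configuration file error", []
    if not licensed:
        return False, "system not licensed or activated", []
    if patch_failed:
        return False, "patch installation failed", []

    # In failure mode only components flagged for it are considered.
    selected = [c for c in components
                if c.enabled and (not failure_mode or c.failure_mode)]
    for key in KEY_COMPONENTS:
        if not any(c.name == key for c in selected):
            return False, f"key component {key} not enabled", []
        if key in failed_to_start:
            return False, f"key component {key} failed to start", []

    order = []
    for level in range(0, DEFAULT_RUN_LEVEL + 1):
        names = sorted(c.name for c in selected if c.run_level == level)
        if names:
            order.append((level, names))
    return True, "", order


# Constructed configuration: the run levels are from Table 4; which services
# are enabled for failure mode is an assumption made for this example.
SAMPLE_CONFIG = (
    Component("auditd", 0, failure_mode=True),
    Component("auditsql", 0, failure_mode=True),
    Component("aclsql", 0, failure_mode=True),
    Component("swedesql", 0),
    Component("acld", 1, failure_mode=True),
    Component("auditbotd", 1),
    Component("resolverd", 1, failure_mode=True),
    Component("upsd", 1),
    Component("auditdbd", 2),
    Component("named-unbound", 2),
    Component("named-internet", 2),
    Component("randomd", 2, failure_mode=True),
    Component("nss", 3, failure_mode=True),
    Component("sshd", DEFAULT_RUN_LEVEL, failure_mode=True),  # admin access
    Component("sendmail", DEFAULT_RUN_LEVEL),
    Component("http-proxy", DEFAULT_RUN_LEVEL),  # hypothetical proxy name
)

if __name__ == "__main__":
    for mode in (False, True):
        ok, reason, order = plan_startup(SAMPLE_CONFIG, failure_mode=mode)
        print("failure mode" if mode else "normal mode", ok, reason)
        for level, names in order:
            print(f"  run level {level}: {', '.join(names)}")
```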
Once the Sidewinder G2 has finished booting and the system is operational, daemond becomes responsible for monitoring, stopping and starting all the components in /etc/server.conf and /etc/sidewinder/nss.common.conf. While daemond is monitoring the enabled and running components, it is also responsible for keeping an instance of that component running.
Restarting processes

If a component dies unexpectedly, daemond will restart that component and audit the event in both the audit log and the daemond log. The message in /var/log/daemond.log will look similar to this:

    Nov 7 16:05:22 fiji : restarting /usr/libexec/syncd (2686) due to unexpected death

If a component quits within five seconds of starting three times in a row, daemond will not attempt to restart it until the next time daemond rereads its configuration files. This event will also be audited to both the audit log and the daemond log. The message in /var/log/daemond.log will look similar to this:

    Nov 5 18:13:03 fiji : /usr/contrib/sbin/sshd will not be restarted due to possible startup errors

Stopping processes

daemond is also responsible for stopping processes. If a Sidewinder G2 administrator chooses to disable a process (using the Admin Console or cf commands), the configuration files are changed and a SIGHUP command is sent to daemond. The SIGHUP command signals daemond to reread the configuration files. If daemond finds an entry associated with a currently running process that is now marked as disabled, daemond will stop that process. The process will not be started again until it is re-enabled by an administrator. Re-enabling a process will cause another SIGHUP command to be sent to daemond, which will reread the configuration files and attempt to restart the process.

All component failure events are logged in the /var/log/daemond.log file. If daemond fails during system start-up, the daemond log file will record the reason for this failure. It will also record information each time daemond restarts a process that died unexpectedly. This is useful for tracking attacks on a particular component.
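Because the two daemond.log messages quoted above are the evidence an administrator has for a component being attacked, the following added script (not Sidewinder G2 code) parses lines in those two formats, counts restarts per component, lists components daemond has given up on, and flags crash loops; the sample lines, the assumed log year and the "three restarts within five minutes" threshold are constructed.

```python
"""Summarize restart activity in /var/log/daemond.log (added example, not
Sidewinder G2 code). The two message formats are those quoted in the guide;
the sample lines, the assumed year and the burst threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# "<syslog timestamp> <host> : restarting <path> (<pid>) due to unexpected death"
RESTART_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"restarting (?P<path>\S+) \((?P<pid>\d+)\) due to unexpected death$")
# "<syslog timestamp> <host> : <path> will not be restarted due to possible startup errors"
GIVEUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"(?P<path>\S+) will not be restarted due to possible startup errors$")


def parse_ts(text, year=2006):
    """syslog timestamps carry no year, so one is assumed (constructed)."""
    normalized = " ".join(text.split())  # collapse the padding in "Nov  7"
    return datetime.strptime(f"{year} {normalized}", "%Y %b %d %H:%M:%S")


def summarize(lines, burst_count=3, burst_window=300):
    """Return (restart counts per path, paths daemond gave up on, paths with
    burst_count restarts inside burst_window seconds).

    A burst is the pattern described in the guide: a component dying again
    and again shortly after start, which is worth treating as a possible
    attack on that component rather than a one-off crash.
    """
    restarts = defaultdict(list)
    gave_up = set()
    for line in lines:
        m = RESTART_RE.match(line)
        if m:
            restarts[m["path"]].append(parse_ts(m["ts"]))
            continue
        m = GIVEUP_RE.match(line)
        if m:
            gave_up.add(m["path"])
        # any other daemond message is ignored

    bursts = set()
    for path, times in restarts.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            span = (times[i + burst_count - 1] - times[i]).total_seconds()
            if span <= burst_window:
                bursts.add(path)
                break
    return {p: len(t) for p, t in restarts.items()}, gave_up, bursts


# Constructed sample, modelled on the guide's two messages (paths from the guide).
SAMPLE_LOG = [
    "Nov  7 16:05:22 fiji : restarting /usr/libexec/syncd (2686) due to unexpected death",
    "Nov  7 16:05:24 fiji : restarting /usr/libexec/syncd (2701) due to unexpected death",
    "Nov  7 16:05:27 fiji : restarting /usr/libexec/syncd (2715) due to unexpected death",
    "Nov  7 16:05:28 fiji : /usr/libexec/syncd will not be restarted due to possible startup errors",
    "Nov  7 17:40:01 fiji : restarting /usr/contrib/sbin/sshd (3102) due to unexpected death",
    "Nov  7 17:40:02 fiji : rereading configuration files",  # constructed noise line
]

if __name__ == "__main__":
    counts, gave_up, bursts = summarize(SAMPLE_LOG)
    for path, n in sorted(counts.items()):
        flags = []
        if path in bursts:
            flags.append("CRASH LOOP")
        if path in gave_up:
            flags.append("NOT RESTARTED")
        print(f"{path}: {n} restart(s) {' '.join(flags)}")
```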
Network Services Sentry (NSS)

If you have administered a standard UNIX system, you are probably familiar with inetd, which manages daemons for network services. Daemons are server processes that run continuously in the background and wait until they are needed. On the Sidewinder G2, inetd has been replaced with the Network Services Sentry (NSS), which manages most of the server and proxy services.

There is an NSS configuration file for each burb defined on your Sidewinder G2. The NSS configuration files are updated for you when you make changes to services. For example, the files are updated whenever you enable or disable a proxy.
NSS regulation of valid ports for the Admin Console

For the Admin Console and synchronization services, NSS regulates the ability to change the default port. You may use the Admin Console or the command line to edit the default ports for these services. For example, you might want to alter ports when the default conflicts with the port of another service, or when you want to create a portlist with non-continuous numbers.

You can edit the port fields using the Admin Console Firewall Administration > UI Access Control window. See “Backing up and restoring config files using the Admin Console” on page 52 and “Configuring Admin Console access” on page 91 for details.

When changing the port for a service, be sure to consider the criteria listed in Table 5 below.

Table 5: Criteria for modifying a service port

Port type                        Criteria

Valid ports must be . . .        • between 1–65535 when using the Admin Console, and for all other services
                                 • unique within ports assigned to other services of the same type (server, t_proxy, nt_proxy)

Valid port ranges must be . . .  • two valid ports separated by a single hyphen (may be non-continuous)
                                 • listed in ascending order
                                 • a maximum of 1995 ports
                                 • between 1–65535 when using the Admin Console, and for all other services
                                 • unique within ports assigned to other services of the same type (server, t_proxy, nt_proxy)

Valid portlists must be . . .    valid ports and/or valid ranges separated by spaces
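As an added example (not Sidewinder G2 code), the validator below checks a portlist string against the Table 5 criteria: each port in 1–65535, ranges written as two ports joined by a single hyphen in ascending order and spanning at most 1995 ports, tokens separated by spaces, and no overlap with ports already assigned to another service of the same type. The table of ports already in use is constructed; the service names in it are hypothetical apart from the Admin Console default port 9003 from this guide.

```python
"""Validate an NSS service portlist against the Table 5 criteria (added
example, not Sidewinder G2 code). The in-use port table is constructed."""
PORT_MIN, PORT_MAX = 1, 65535
MAX_RANGE_PORTS = 1995  # a single range may cover at most this many ports
SERVICE_TYPES = ("server", "t_proxy", "nt_proxy")


def parse_port(text):
    """Return the port number in text, or raise ValueError."""
    if not text.isdigit():
        raise ValueError(f"port {text!r} is not a number")
    port = int(text)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
    return port


def parse_portlist(text):
    """Return the set of ports a portlist names, or raise ValueError.

    Grammar from Table 5: tokens separated by spaces; a token is a single
    valid port or a range "a-b" of two valid ports in ascending order that
    covers no more than MAX_RANGE_PORTS ports.
    """
    ports = set()
    for token in text.split():
        if "-" in token:
            lo_text, _, hi_text = token.partition("-")
            if "-" in hi_text:
                raise ValueError(f"range {token!r} must use a single hyphen")
            lo, hi = parse_port(lo_text), parse_port(hi_text)
            if lo >= hi:
                raise ValueError(f"range {token!r} must be in ascending order")
            if hi - lo + 1 > MAX_RANGE_PORTS:
                raise ValueError(f"range {token!r} covers more than "
                                 f"{MAX_RANGE_PORTS} ports")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(parse_port(token))
    if not ports:
        raise ValueError("portlist is empty")
    return ports


def check_portlist(service, service_type, portlist, assigned):
    """Validate portlist for service and reject ports already used by another
    service of the same type.  assigned maps (service, type) -> set of ports
    (a constructed stand-in for what NSS reads from its configuration files).
    """
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"unknown service type {service_type!r}")
    wanted = parse_portlist(portlist)
    for (other, other_type), used in assigned.items():
        if other == service or other_type != service_type:
            continue  # a service may keep its own ports; other types may overlap
        clash = wanted & used
        if clash:
            raise ValueError(f"ports {sorted(clash)} already assigned to "
                             f"{other_type} {other}")
    return wanted


# Constructed table; "cobra" is the Admin Console's command-line name and
# 9003 its default port (both from the guide), the rest is hypothetical.
ASSIGNED = {
    ("cobra", "server"): {9003},
    ("http", "t_proxy"): {80, 8080},
}

if __name__ == "__main__":
    for svc, typ, pl in [("telnet", "t_proxy", "23 2023-2025"),
                         ("sync", "server", "9003"),
                         ("sync", "server", "1-2000")]:
        try:
            print(svc, typ, pl, "->", sorted(check_portlist(svc, typ, pl, ASSIGNED)))
        except ValueError as err:
            print(svc, typ, pl, "-> rejected:", err)
```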
Chapter 2: Administrator’s Overview

In this chapter...
Administration interface options ... 18
Admin Console basics ... 19
Admin Console conventions ... 25
Using the Admin Console File Editor ... 26
Administering Sidewinder G2 using Secure Shell ... 30
Administering Sidewinder G2 using Telnet ... 36

Administration interface options

Figure 6: Sidewinder G2 administration options
You can manage Sidewinder G2 in one of two ways:

• Admin Console—The Administration Console (or Admin Console) is the graphical software program that runs on a Windows system within your network. The Admin Console is installed using the Management Tools CD. This CD also installs the Quick Start Wizard, which is used to initially configure your Sidewinder G2.

Note: The Admin Console is occasionally referred to as “cobra” in some command line tools. For information on installing the Admin Console software, see the Sidewinder G2 Startup Guide. For information on using the Admin Console, see “Admin Console basics” on page 19.

• command line interface—If you are experienced with UNIX, you can also use the command line interface to configure and manage Sidewinder G2. Command line interface refers to any UNIX prompt. The command line interface supports many Sidewinder G2-specific commands as well as standard UNIX commands you can enter at a UNIX prompt. For example, the cf (configurator) command can perform a wide range of configuration tasks.

Tip: For help using the command line interface instead of the Admin Console to manage your Sidewinder G2, refer to Appendix A. You can also use the extensive manual (man) pages included on Sidewinder G2. To do so, log into Sidewinder G2 at a command prompt, type man followed by the name of a command, and then press Enter.

For most administrative tasks, use the Admin Console as the primary Sidewinder G2 interface. For troubleshooting, connect via SSH or Telnet and use the command line interface.

Whether you use the Admin Console or the command line interface, you can manage Sidewinder G2 from a number of locations. Figure 6 highlights the administration interface options available to you.

Note: Normal administration is possible only when the Operational kernel is booted. When the Administrative kernel is running, all administration must be done directly at the Sidewinder G2 by connecting a monitor and keyboard (or laptop).
Figure 6 (labels): Admin Console running on a Windows workstation; command line interface via a Telnet connection on a Windows or UNIX workstation; Sidewinder G2; Internet; remote Admin Console or command line interface via an SSH connection
Admin Console basics

This section describes how to start the Admin Console, and explains how to add a new Sidewinder G2. It also provides general guidelines for using the Admin Console. For information on installing the Admin Console software on a Windows PC, see the Sidewinder G2 Startup Guide.

Note: This version of the Admin Console supports backwards compatibility. Therefore, if you have a current version of the Admin Console installed, you can still connect to a remote Sidewinder G2 that is running at 6.0.0.00 or higher, and the window will automatically update to display the earlier version of the Admin Console. You will also receive online help that is appropriate to the version at which the Sidewinder G2 is running.
Starting and exiting the Admin Console

The Admin Console can only access Sidewinder G2 if Sidewinder G2 is configured to allow secure sessions for the burb in which the Admin Console’s workstation resides. By default, access is enabled on the Sidewinder G2’s internal burb. For information on changing Admin Console access on an active Sidewinder G2, see “Configuring Admin Console access” on page 91.

Starting the Admin Console

To start the Admin Console on a Windows workstation, do one of the following:

• Click the Sidewinder G2 Admin Console icon located on the desktop.
• Select Start > Programs > Secure Computing > Sidewinder G2 Admin Console 3.0 > Firewall Admin Console.

If you are starting the Admin Console for the first time, you will need to add the Sidewinder G2(s) that you want to manage. See “Adding a Sidewinder G2 to the Admin Console” on page 20 for information on creating a new Sidewinder G2.

Exiting the Admin Console

To exit the Admin Console, do one of the following:

• In the File menu, select Exit.
• Simultaneously press Alt+x.
• Click the icon in the upper right corner of the Admin Console window.

Important: If you have any active connections when you exit the Admin Console, those connections, as well as any unsaved changes, will be lost. You will not be prompted to save before exiting.
Adding a Sidewinder G2 to the Admin Console

Before you can manage a Sidewinder G2 using the Admin Console, you must first identify it in the Admin Console. Follow the steps below.

1 In the Admin Console window, click the icon (or click File > New Firewall). The Add Firewall window appears.

2 In the Name field, type a descriptive name for the Sidewinder G2 you are adding. For example, you might specify the host name you used during the installation process. Only alphanumeric characters and dashes can be used; spaces are not allowed.

3 In the IP Address field, type the IP address you want to use to access the Sidewinder G2. The address must be a valid IP address for an interface on the Sidewinder G2. Also, the interface must be contained within a burb for which remote administration has been enabled.

Tip: To view the current mapping of interfaces and burbs, use ifconfig -a via the command line.

4 Click Add to save the information and exit this window. Each Sidewinder G2 you add is displayed in the Admin Console tree (in the left portion of the window).

5 Click the appropriate icon listed under Firewalls. The properties appear in the right portion of the window.

6 [Conditional] The Port field displays the default port number (9003) on which the Sidewinder G2 will listen. You will generally not need to modify this field.

7 To log in and connect to a Sidewinder G2, see “Connecting to a Sidewinder G2 via the Admin Console” on page 21.
Figure 7: Admin Console<br />
Login window<br />
Chapter 2: Administrator’s Overview<br />
Admin Console basics<br />
Connecting to a Sidewinder G2 via the Admin Console
To connect to a specific Sidewinder G2, select the appropriate icon from the Admin Console tree and then click Connect. The login window appears.
The first time you attempt to connect to a Sidewinder G2 using the Admin Console, a pop-up window presents the firewall certificate that will be used for all subsequent administrative connections. To accept the certificate, click Yes.
If you want to verify the certificate before accepting it (recommended, because every later administrative session will trust whatever certificate you accept here), obtain the certificate fingerprint out of band before you log into the Admin Console. To obtain the fingerprint, log into the Sidewinder G2 at the command line and enter the srole command to change to the admin role. (If you have not configured remote access, attach a monitor and keyboard directly to the Sidewinder G2.) Enter the following command:
cf cert view fw name=cert_name
The contents of the certificate are displayed. The certificate fingerprint is located at the bottom of the certificate, directly beneath the END CERTIFICATE identifier. Compare this fingerprint, character by character, with the one displayed when you initially connect to the Sidewinder G2 via the Admin Console, and accept the certificate only if the two are identical.
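The comparison described above can be scripted rather than done by eye. The following is an added example and is not part of the Sidewinder G2 guide or the product: it recomputes the fingerprint from the PEM block that cf cert view prints (saved to a file on the administration workstation) and checks it against the fingerprint line printed beneath END CERTIFICATE. It assumes, because the guide does not say, that the fingerprint is the MD5 or SHA-1 digest of the DER certificate written as colon-separated hex, that the line beneath END CERTIFICATE looks like "MD5 Fingerprint: ...", and that GNU coreutils base64, md5sum and sha1sum are available on the workstation. The sample file it builds is a constructed stand-in whose body is the base64 of the three bytes "abc", not a real certificate.

```shell
#!/bin/sh
# Added example (not from the Sidewinder G2 guide): recompute a certificate
# fingerprint from the PEM text that "cf cert view fw name=cert_name" prints
# and compare it with the fingerprint line the firewall prints directly
# beneath END CERTIFICATE, so the value is checked rather than copied.
# Assumed (the guide does not say): the fingerprint is the MD5 or SHA-1 digest
# of the DER certificate, written as colon-separated hex; the command output
# was saved to a file on the administration workstation; GNU coreutils
# base64, md5sum and sha1sum are available there.

# pem_fingerprint FILE ALGO  (ALGO is md5 or sha1)
# Decodes the base64 body between the BEGIN/END CERTIFICATE markers back to
# DER, hashes it and prints upper-case hex bytes separated by colons.
pem_fingerprint() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
      | sed '1d;$d' \
      | base64 -d \
      | "${2}sum" \
      | cut -d' ' -f1 \
      | tr 'abcdef' 'ABCDEF' \
      | sed 's/../&:/g; s/:$//'
}

# shown_fingerprint FILE
# Extracts the colon-separated hex run from the line that follows
# END CERTIFICATE, which is where the firewall prints the fingerprint.
shown_fingerprint() {
    awk '/^-----END CERTIFICATE-----$/ { getline; print; exit }' "$1" \
      | grep -oE '([0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}' \
      | head -n 1
}

# fingerprints_match A B: succeed if A and B denote the same bytes, ignoring
# case, colons and spaces (the Admin Console dialog and the command line may
# format them differently). An empty value never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_cert_view FILE
# Prints the digest algorithm (md5 or sha1) whose fingerprint of the
# certificate body equals the fingerprint the firewall printed, or MISMATCH
# (exit status 1) if neither does, which means the displayed fingerprint does
# not belong to the displayed certificate.
verify_cert_view() {
    shown=$(shown_fingerprint "$1")
    for algo in md5 sha1; do
        if fingerprints_match "$shown" "$(pem_fingerprint "$1" "$algo")"; then
            echo "$algo"
            return 0
        fi
    done
    echo MISMATCH
    return 1
}

# Demonstration on a constructed stand-in: the body is the base64 of the three
# bytes "abc" rather than a real certificate, so the result is reproducible
# (MD5 of "abc" is the well-known RFC 1321 test vector). Replace the file
# contents with the real "cf cert view" output to check a live firewall.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
MD5 Fingerprint: 90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72
EOF
echo "computed md5:   $(pem_fingerprint "$sample" md5)"
echo "computed sha1:  $(pem_fingerprint "$sample" sha1)"
echo "firewall shows: $(shown_fingerprint "$sample")"
echo "result:         $(verify_cert_view "$sample")"
rm -f "$sample"
```

For the constructed sample the result is md5. A MISMATCH on real output means the fingerprint the firewall printed does not correspond to the certificate body it printed; do not accept the certificate in the Admin Console until that is explained.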
To log into a Sidewinder G2, follow the steps below.
1 In the Username field, enter your Sidewinder G2 user name.
2 In the Authentication Method drop-down list, select the appropriate authentication method for the Sidewinder G2 to which you are connecting. Valid options include a simple password or a more sophisticated method such as SafeWord, SecurID, SNK, RADIUS, LDAP, or Microsoft NT.
Note: All methods other than the password method require access to a separate authentication server.
Figure 8: Feature Notification window
3 Click OK. An authentication window appears. Enter the appropriate response, and then click OK. When you connect for the first time, the Feature Notification window appears displaying the status of each licensed feature.
Tip: If you do not want this window to appear each time you connect, select the Don’t show this again check box.
4 When you are finished viewing the window, click Close.
The main Admin Console window appears.
Note: For information on using the main Admin Console window, see "About the main Admin Console window" on page 23. For an overview of the tasks you can perform using the Admin Console, see "Admin Console conventions" on page 25.
Disconnecting from the Sidewinder G2 via the Admin Console
To end an Admin Console session for a Sidewinder G2, do one of the following:
• Right-click the Sidewinder G2 icon, and select Disconnect from the menu that appears.
• Select the Sidewinder G2 icon, and click Disconnect in the main Admin Console window.
Figure 9: Main Admin Console menu
About the main Admin Console window
When you start the Admin Console, a window similar to the following appears. From this window you can connect to and manage one or more Sidewinder G2s. The main Admin Console window is divided into three areas: top, left, and right, as described in the sections below.
About the top portion of the Admin Console window
The top portion of the Admin Console window contains a row of icons that represent shortcut actions, described below.
• New Firewall: Click this icon to add a Sidewinder G2. For more information on adding a new Sidewinder G2, see "Adding a Sidewinder G2 to the Admin Console" on page 20.
• Save: Click this icon to save changes you make in the Admin Console to the Sidewinder G2.
• Rollback: Click this icon to cancel (or "roll back") any unsaved changes in the Admin Console.
• Refresh: Click this icon to refresh (or update) the screen.
• State Change Wizard: Click this icon to launch the State Change Wizard. (If you are connected to an HA or One-To-Many cluster, clicking this button takes you to the appropriate cluster management window.)
• Help: Click this icon to access context-sensitive online help for the Admin Console window that is currently displayed.
The top portion of the window also contains the following menu options:
• File—The following options, with their respective shortcut keys, are available under this menu:
– New Firewall (Ctrl-N): Add a Sidewinder G2 that can be managed using the Admin Console.
– Save (Ctrl-S): Save changes.
– Cancel (Ctrl-E): Cancel changes.
– Exit (Alt-X): Exit the Admin Console application.
• Help—The following options are available under this menu:
– Context-sensitive Help: Display specific information for an Admin Console window. The title of this option corresponds to the specific window for which you will receive help.
– About (Ctrl-H): Display information about the current version of the Admin Console software.
About the left portion of the Admin Console window
The left portion of the window contains the Admin Console tree. The Admin Console tree is not active unless you are connected to a Sidewinder G2. Once you are connected to a specific Sidewinder G2, you can click any of the items in the Admin Console tree to manage that area of your Sidewinder G2.
You can also right-click a Sidewinder G2 in the Admin Console tree to perform the following actions:
• Delete a Sidewinder G2 from the Admin Console.
• Connect or disconnect a Sidewinder G2 from the Admin Console.
• Add a Sidewinder G2 to an enterprise or cluster, or create a cluster, by clicking Promote Firewall to start the State Change Wizard.
• Expand or collapse all or some of the branch items beneath a Sidewinder G2 icon.
About the right portion of the Admin Console window
The right portion of the Admin Console window initially displays configuration information for the Sidewinder G2 to which you are currently connected, as follows:
• Name—Defines the name of the Sidewinder G2 to which you are connected.
• IP Address—Identifies the IP address of the Sidewinder G2 to which you are connected.
• Port—Identifies the port number that will be used to connect to the Sidewinder G2.
• Version—This is a read-only field that displays the current Sidewinder G2 version after connecting to the Sidewinder G2.
• Sidewinder G2 State—This is a read-only field that displays the current Sidewinder G2 state (whether it is a standalone, part of an HA or One-To-Many cluster, or part of an enterprise managed environment).
• Connect—Establishes a connection with the selected Sidewinder G2.
Admin Console conventions
When using the Admin Console, the following conventions and tips will help you avoid common mistakes:
• To filter a table based on the contents of a single column, right-click a column heading and use the Filter By option to select the filter criteria (to build your own criteria, select the Custom Filter option). To view all items in a table, select the No Filter option.
• To sort a table by a particular field, click the appropriate column heading. Click the heading a second time to sort the list in reverse order.
• You can select an item to modify from a list by double-clicking it, or by clicking it once to highlight it and then clicking Modify.
• When a box preceding an option is filled in or contains a check mark, the option is enabled or selected. When the box is empty (no check mark appears), the option is disabled.
• On some windows, you need to use the scroll bar to view all of the information or options.
• In the Rules window, you can reposition rules and groups by clicking and dragging an entry to a new location.
• To delete an item from a list or table in an Admin Console window, click the item to select it, and then click Delete.
• When you leave a window that you have modified, you are automatically prompted to save your changes before you exit the window. You can also save your modifications at any time by clicking the Save icon in the toolbar (or an OK button in some pop-up windows).
• When you exit a window and do not want to save your changes, click No when prompted to save. You can also cancel your changes at any time by clicking the Rollback icon (or the Cancel button in some windows) to restore the current window’s settings to the last saved version.
• For assistance on any of the Admin Console windows, click the Help icon located in the top portion of the window. The online help provides information about each of the Admin Console windows. To view the entire list of available help topics, click the TOC button from within the help system.
Using the Admin Console File Editor
Figure 10: File Editor window
About the File Editor window
While administering Sidewinder G2, you may find it necessary to modify a text file or a configuration file. Although the typical UNIX editors are available for you to use (vi, emacs, and pico), you may find it easier to use the File Editor provided with the Admin Console. The File Editor is an easy-to-use editor that is available directly from the Admin Console. It simplifies the editing process, enabling you to perform virtually every necessary editing task from the Admin Console instead of using a command line.
The File Editor also provides some additional conveniences such as unique file backup and restore features. (Of course, UNIX aficionados are still welcome to use the editor of their choice if they prefer.) In addition, using the File Editor through the Admin Console provides a secure connection.
To access the File Editor, log into the Admin Console, select File Editor, and then click Start File Editor. The following window appears:
The File Editor window contains three different menu options:
• File—This menu contains the basic action options. Use it to open new or existing files, and to save files. The File menu also provides two unique capabilities: it enables you to create a backup copy of a file, and it enables you to restore a file from a previously saved backup copy. See "Creating a backup file in the File Editor" on page 27 and "Restoring a file" on page 28 for details.
• Edit—This menu enables you to perform typical functions such as cutting, copying, pasting, and finding/replacing text. See "Using the Find/Replace option" on page 29 for information on finding and replacing text.
• Help—The following options are available under this menu:
– File Editor Help: Displays specific information for the File Editor window.
– About Help: Displays information about the current version of the Admin Console software.
Figure 11: Open File window
Opening and saving files in the File Editor
When you select File > Open or File > Save As, a window similar to the following appears.
To open or save a file, follow the steps below.
1 [Conditional] In the Source field, specify where the source is located. The options are:
• Local File—Indicates the file is located on the local Windows workstation or on a network connected to the workstation.
• Firewall File—Indicates the file is located on the Sidewinder G2.
2 In the File field, type the full path name of the file. If you do not know the full path name, click Browse to browse the available directories. When you locate the file, click OK. The file name appears in the File field.
3 Click OK to open or save the file, or click Cancel to cancel the request.
Creating a backup file in the File Editor
When modifying the Sidewinder G2 configuration files, it is normally a good practice to create a backup copy of the file before you begin editing the file. That way, if you make a mistake while editing the file you have the option to revert to the original file. The File Editor provides an easy method for creating a backup copy of a file. You can even make a backup after you begin modifying a file. The key is to create the backup before you save your changes. Once you save your changes you will not be able to create a backup file that mirrors the original file.
To make a backup copy of a file, open the file with the File Editor, then select File > Backup. The following window appears:
Figure 12: Backup File window
Figure 13: Restore window
To make a backup copy of the last saved version of the file currently open within the File Editor, follow the steps below.
1 In the Name of Backup File field, specify a name for the backup file. By default, the file is given the same name as the original file but with a .bak extension. The backup file will be created in the directory listed in the Current Directory field. This is the directory in which the original file currently resides, and cannot be modified.
2 Click OK to save the information and exit the window, or click Cancel to exit the window without saving the backup file.
Restoring a file
In order to restore a file, the file must be open within the File Editor. Select File > Restore and the following window appears.
This window enables you to restore a file to its original contents. You can do this only if you have previously created a backup copy of the file. Follow the steps below.
1 In the Restore From File field, specify the name of the backup file to use when restoring the file to its original condition. If you do not know the name of the backup file, click Select to browse the available files. When you locate the file, click Open. The file name appears in the Restore From File field.
Note: If a backup file exists, it will be in the same directory as the current file, because you are only allowed to create a backup in the same directory. The Current Directory field displays the name of that directory and cannot be modified.
2 Click OK to restore the file from the backup and exit the window, or click Cancel to exit the window without restoring the file.
Figure 14: Find/Replace window
Using the Find/Replace option
You can use the Find/Replace option on the Edit menu to perform advanced editing of files. To use the Find/Replace option, select Edit > Find/Replace. The following window appears.
This window enables you to locate a character string within the file and to replace the character string with a different character string. Follow the steps below.
1 In the Find what field, specify the character string you want to search for within the file.
2 [Optional] If you want to replace the character string specified in the Find what field with a different character string, type the new string in the Replace with field.
3 In the Search field, specify the direction in which the search should be performed. There are two options:
• Down—From your current position within the file, the File Editor searches down (forward) in the file for the specified character string.
• Up—From your current position within the file, the File Editor searches up (backward) in the file for the specified character string.
4 In the Case field, specify whether the File Editor should find any matching character string, or whether it should consider upper and lower case when performing the search. There are two options:
• Match—Find only those character strings that exactly match the case as specified in the Find what field.
• Ignore—Find all matching character strings regardless of upper and lower case.
5 Click Find Next to initiate the character search and to locate the next occurrence within the file.
6 [Optional] If the character search locates a match, you can click Replace to replace the found character string with the character string specified in the Replace with field. To replace all occurrences of the character string, click Replace All. An Info window appears indicating how many times the character string was replaced. Click OK to close the Info window.
7 To find additional occurrences of the character string, continue to click Find Next for each occurrence. When there are no additional occurrences, a message appears telling you that the search is complete.
8 When you are finished searching, click Close to exit this window.
Administering Sidewinder G2 using Secure Shell
Secure Shell (SSH) provides encrypted, authenticated communication between two hosts over an insecure network, allowing you to manage your Sidewinder G2 securely from a remote location. This section describes how to configure and use the Sidewinder G2 as an SSH server and/or an SSH client.
• The procedures covered in the following sections are based on OpenSSH version 3.8.1p1, which supports both SSH protocol version 1.5 and version 2.0 sessions. Protocol 1 has known cryptographic weaknesses; use protocol 2 clients wherever you can.
• sftp and sftp-server are included in OpenSSH and installed on the Sidewinder G2.
Configuring the Sidewinder G2 as an SSH server
On the Sidewinder G2, SSH is typically used by administrators to log into the Sidewinder G2 securely from a remote machine. In this case the Sidewinder G2 acts as the SSH server.
When configuring the SSH server you have the option to use RSA/DSA authentication. With RSA/DSA authentication, each administrator’s public key is installed on the server, and the client proves possession of the matching private key during the connection; the private key never leaves the client. The downside of RSA/DSA authentication is that it requires a bit more administrative effort. If you elect NOT to use RSA/DSA authentication, the SSH clients must enter their Sidewinder G2 user name and authentication information when initiating the SSH connection.
The following sub-sections provide specific information on configuring the Sidewinder G2 as an SSH server using RSA or DSA authentication, as well as general information on configuring the SSH server.
Configuring SSH when not using RSA/DSA authentication
If you are not using RSA/DSA authentication, follow the steps below to configure SSH.
1 In the Admin Console, select Services Configuration > Servers.
2 Select sshd in the list of server names, and click the Configuration tab.
3 Ensure that the Allow RSA Authentication check box is cleared.
4 Rather than using RSA/DSA authentication, each client will be required to log in using their Sidewinder G2 user name and authentication information.
5 Click the Control tab.
6 Enable the SSH server in the desired burbs, then click the Save icon.
7 [Conditional] If a host key pair does not exist, the Admin Console prompts you to confirm that it will create an SSH host key. Click Yes.
8 Configure and enable the authentication method you want to use to authenticate SSH sessions. See Chapter 10 for information.
9 Create an SSHD rule that allows SSH clients to log into this Sidewinder G2 using SSH. In the rule, select the following options: Service Type = server, Service = sshd. You will also need to select the authentication method you enabled in step 8. See "Creating proxy rules" on page 222 for information on creating a proxy rule using the Admin Console.
Note: If the client has previously established an SSH connection to the Sidewinder G2, the information the client saved from the previous connection (for OpenSSH clients, the firewall’s entry in the known_hosts file) must be deleted from the client; otherwise the client will refuse to connect when the firewall presents a different host key.
The Sidewinder G2 is now ready to accept SSH connection requests. Remember that a client must have an administrator account on the Sidewinder G2 in order to log in.
Configuring SSH when using RSA/DSA authentication
If you are using RSA/DSA authentication, follow the steps below to configure SSH.
1 Connect to the Sidewinder G2.
2 Select Services Configuration > Servers.
3 Select sshd in the list of server names, and click the Configuration tab.
4 Select the Allow RSA Authentication check box.
5 If you do not currently have an SSH host key pair, click Generate New Host Key. Click OK to acknowledge that the new key pair has been created.
You must have at least one SSH host key pair for the SSH daemon to operate. If you have an existing key pair, you do not need to create a new one.
The host key pairs are stored in the /etc/ssh directory and have the following file names:
ssh_host_key: SSH version 1.5 RSA private key
ssh_host_key.pub: SSH version 1.5 RSA public key
ssh_host_rsa_key: SSH version 2.0 RSA private key
ssh_host_rsa_key.pub: SSH version 2.0 RSA public key
ssh_host_dsa_key: SSH version 2.0 DSA private key
ssh_host_dsa_key.pub: SSH version 2.0 DSA public key
6 Click the Control tab.
7 Enable the SSH server in the desired burbs, and then click the Save icon.
8 From a command line prompt, create a subdirectory named .ssh in each administrator’s home directory.
Example: If an administrator named lloyd has the home directory /home/lloyd, create the .ssh subdirectory by typing the following commands:
srole
cd /home/lloyd
mkdir .ssh
9 Use a text editor to create a file named authorized_keys in each administrator’s .ssh directory. Do this using the File Editor provided in the Admin Console, or your favorite UNIX editor.
10 Paste each user’s public key into the respective authorized_keys file. The method you use to get the public keys onto the Sidewinder G2 is up to you. You might use FTP, or you might copy/paste from one window to another. Only public keys belong in this file; an administrator’s private key should never be copied to the firewall.
11 Create an SSHD rule that allows SSH clients to log into this Sidewinder G2 using SSH. See "Creating proxy rules" on page 222 for information on creating a rule using the Admin Console.
The Sidewinder G2 is now ready to accept connections from SSH clients. Remember that an administrator must have an account on the Sidewinder G2 in order to log in.
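Steps 8 through 10 can be done with a short script that also takes care of a detail the steps leave out: OpenSSH’s StrictModes setting (on by default) silently ignores an authorized_keys file whose directory or file is writable by anyone other than the owner, so the permissions matter as much as the contents. The following is an added example, not from the guide or the product: run it in the admin role on the firewall (after srole), giving it the administrator’s home directory and the one-line OpenSSH public key. The home directory /home/lloyd and the key line are assumptions for illustration, and the key itself is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the Sidewinder G2 guide): install one administrator's
# OpenSSH public key into HOME/.ssh/authorized_keys with the owner-only
# permissions that sshd's StrictModes check requires.
# Assumed: you are already in the admin role (srole); the key was copied to the
# firewall as a single-line OpenSSH v2 public key ("ssh-rsa AAAA... comment").

# valid_pubkey_line LINE: accept only a well-formed OpenSSH v2 public key line
# (ssh-rsa or ssh-dss, the types OpenSSH 3.8 supports): a key type, a base64
# blob and an optional comment. Rejects "---- BEGIN SSH2 PUBLIC KEY ----" and
# other formats that sshd would silently ignore.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( [^ ]+)?$'
}

# install_authorized_key HOME_DIR KEY_LINE
# Creates HOME_DIR/.ssh (mode 700) and HOME_DIR/.ssh/authorized_keys (mode 600)
# as needed and appends KEY_LINE unless that exact line is already present.
# Returns 1 without touching anything if KEY_LINE is malformed.
install_authorized_key() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    if ! valid_pubkey_line "$key_line"; then
        echo "refusing to install malformed key line" >&2
        return 1
    fi

    # StrictModes yes (the OpenSSH default) rejects the key file if ~/.ssh or
    # authorized_keys is group- or world-writable, so set the modes explicitly
    # rather than relying on the umask of whoever ran mkdir.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Idempotent: installing the same key twice must not duplicate it.
    if grep -qxF "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_authorized_keys HOME_DIR: number of key lines currently installed.
count_authorized_keys() {
    auth_file="$1/.ssh/authorized_keys"
    if [ -f "$auth_file" ]; then
        grep -cE '^(ssh-rsa|ssh-dss) ' "$auth_file" || true
    else
        echo 0
    fi
}

# Demonstration against a throw-away home directory. The key is a constructed
# placeholder, not a real key; on the firewall you would pass /home/lloyd and
# the line copied from the administrator's id_rsa.pub or id_dsa.pub.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedPlaceholderKeyNotARealKey0123456789 lloyd@workstation'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
echo "keys installed under $demo_home: $(count_authorized_keys "$demo_home")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The format check matters because a key pasted in PuTTY or SSH2 "---- BEGIN" form is not an error to sshd; it is simply never matched, and the administrator is then prompted for a password, which looks like a key problem but is really a format problem.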
Configuring and using the Sidewinder G2 as an SSH client
It is also possible for the Sidewinder G2 to act as an SSH client. For example, you might want to establish an SSH connection between two Sidewinder G2s. In this case one Sidewinder G2 operates as the server (via the SSH daemon), and the other operates as an SSH client. You have the option to use RSA/DSA authentication with the SSH client.
Note: On non-Sidewinder G2 systems, an SSH client that is run as root binds to a reserved (privileged) port, which some servers require for rhosts-based (RhostsRSAAuthentication) logins. As a security feature, Type Enforcement prevents the Sidewinder G2 SSH client from binding to a reserved port, so that style of authentication is not available from the firewall; use password-based or RSA/DSA authentication instead.
If not using RSA/DSA authentication
There is nothing to configure on the Sidewinder G2 if you are not using RSA/DSA authentication. To use the Sidewinder G2 as an SSH client, follow the steps below:
1 Log into the Sidewinder G2 and type the following command to switch to the Admn domain:
srole
2 Establish the connection with the SSH server by typing one of the following commands:
ssh -l login_name address
or
ssh login_name@address
where:
login_name = the name used when logging onto the SSH server.
address = the address of the host with which you are establishing an SSH connection.
You have the option to use an authentication method other than the default method when connecting to another Sidewinder G2. Type a colon and the name of the authentication method after the login_name field. For example, to use SafeWord you would type:
ssh -l login_name:safeword address
If using RSA/DSA authentication
To use the Sidewinder G2 as an SSH client while using RSA/DSA authentication, you must perform several configuration steps before initiating the SSH connection.
Chapter 2: Administrator’s Overview<br />
Administering <strong>Sidewinder</strong> <strong>G2</strong> using Secure Shell<br />
Configuring the<br />
<strong>Sidewinder</strong> <strong>G2</strong> as an<br />
SSH client<br />
Using the<br />
<strong>Sidewinder</strong> <strong>G2</strong> as an<br />
SSH client<br />
34<br />
1 Connect to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 Select Services Configuration > Servers.<br />
3 Select sshd in the list <strong>of</strong> server names, then click the Configuration tab.<br />
4 Click Generate New Client Key to generate a public and private key pair<br />
that the <strong>Sidewinder</strong> <strong>G2</strong> can use when acting as an SSH client. The client<br />
public and private keys are created in the /home/username/.ssh directory,<br />
where username is the user name you used when connecting to the Admin<br />
Console. The file names vary, depending on the SSH version:<br />
• SSH version 1.5 — The client public key file name is identity.pub and<br />
the private key file name is identity.<br />
• SSH version 2.0 — The client public key file names are id_rsa.pub and<br />
id_dsa.pub. The corresponding private key file names are id_rsa and<br />
id_dsa.<br />
5 [Conditional] If the SSH server that you will be connecting to is another<br />
<strong>Sidewinder</strong> <strong>G2</strong>, connect to that <strong>Sidewinder</strong> <strong>G2</strong> using the Admin Console at<br />
this time.<br />
If needed, click the New Firewall button in the top portion <strong>of</strong> the Admin Console<br />
and add the other <strong>Sidewinder</strong> <strong>G2</strong>(s) to the list <strong>of</strong> <strong>Sidewinder</strong> <strong>G2</strong>s you<br />
can administer.<br />
6 If the SSH server that you will be connecting to is another <strong>Sidewinder</strong> <strong>G2</strong>,<br />
click Export Client Key to export the public client key to the other<br />
<strong>Sidewinder</strong> <strong>G2</strong>(s). Otherwise, use the best available method (FTP, cut and<br />
paste, etc.) to export the public client key to the SSH server.<br />
7 Select the <strong>Sidewinder</strong> <strong>G2</strong> to export to, and click OK.<br />
1 At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, enter the following command to<br />
switch to the admn role:<br />
srole<br />
2 Establish the connection with the SSH server by typing the following<br />
command.<br />
ssh -l login_name -o "RSAAuthentication yes" address<br />
where:<br />
login_name = the user name used when logging onto the SSH server<br />
address = the address <strong>of</strong> the host with which you are establishing an SSH<br />
connection<br />
See the ssh man page for more details.<br />
On the <strong>Sidewinder</strong> <strong>G2</strong>, the SSH client must be run from the Admn domain.<br />
Many SSH daemons, however, do not allow root users to connect. To get around<br />
this, use the -l option when logging in, which lets you log in to the SSH server<br />
as a different (non-root) user.
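The client-side checks a practitioner would want before the ssh -l step, as an added example that is not from the guide or from OpenSSH: the script lists the key file names given in step 4 for each SSH version, verifies that each private key exists and is readable by its owner only (the permission requirement is the example's own caveat, not something the guide states), and prints the ssh command line from step 2. The temporary key directory, login name and address are constructed placeholders.<br />

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide or the OpenSSH project:
# before running "ssh -l login_name -o 'RSAAuthentication yes' address"
# from the Admn domain, confirm that the client key files the guide names
# for the chosen SSH version exist in the key directory and that each
# private key is readable by its owner only. The owner-only permission
# check is this example's own caveat; the guide only lists the file names.
# Pure POSIX sh; no connection is made.

# Print the private and public key file names the guide gives for an SSH version.
client_key_files() {
    case "$1" in
        1.5) echo "identity identity.pub" ;;
        2.0) echo "id_rsa id_rsa.pub id_dsa id_dsa.pub" ;;
        *)   echo "unsupported SSH version '$1' (use 1.5 or 2.0)" >&2; return 1 ;;
    esac
}

# Return 0 if DIR/FILE exists and ls shows no group/other permission bits.
check_private_key() {
    f=$1/$2
    [ -f "$f" ] || { echo "$f: missing (generate a client key first)" >&2; return 1; }
    bits=$(ls -ld "$f" | cut -c5-10)     # columns 5-10 are the group/other bits
    [ "$bits" = "------" ] || { echo "$f: readable by group/other ($bits)" >&2; return 1; }
}

# Check every private key for VERSION under DIR; return 1 if any check fails.
check_client_keys() {
    dir=$1; rc=0
    files=$(client_key_files "$2") || return 1
    for k in $files; do
        case "$k" in *.pub) continue ;; esac
        check_private_key "$dir" "$k" || rc=1
    done
    return $rc
}

# Print the client command line the guide shows, for LOGIN_NAME and ADDRESS.
ssh_command() {
    printf 'ssh -l %s -o "RSAAuthentication yes" %s\n' "$1" "$2"
}

# Stand-alone demo on a constructed temporary key directory (placeholder values).
demo=$(mktemp -d)
: > "$demo/identity"; chmod 600 "$demo/identity"
check_client_keys "$demo" 1.5 && ssh_command admin 192.0.2.10
rm -rf "$demo"
```

Run it from the Admn domain against /home/username/.ssh, substituting the account's actual home directory; it only reports and prints the command, it never connects.<br />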
Chapter 2: Administrator’s Overview<br />
Administering <strong>Sidewinder</strong> <strong>G2</strong> using Secure Shell<br />
Configuring SSH using the Admin Console<br />
SSH is configured from the Admin Console by selecting Services<br />
Configuration > Servers. Select sshd from the list of servers. Select the<br />
appropriate check box(es) to enable the server for one or more burbs. To<br />
configure the SSH server, select the Configuration tab. The following window<br />
appears:<br />
Figure 15: sshd Server Configuration tab<br />
The SSH Server Configuration tab enables you to generate host and client<br />
keys, and to specify whether RSA/DSA authentication is allowed. Follow the<br />
steps below.<br />
1 If you want to allow SSH connections to be authenticated using RSA/DSA<br />
authentication, select the Allow RSA Authentication check box.<br />
RSA/DSA authentication is a common public key authentication system that<br />
uses public/private key pairs held by the server and the client (only the public<br />
keys are shared). It is based on the RSA or DSA algorithm. If this check box is not<br />
enabled, all SSH connections must be authenticated using the authentication<br />
method specified in the SSH rule(s)’ Authentication tab.<br />
2 To generate an SSH host authentication key that will be used when the<br />
<strong>Sidewinder</strong> <strong>G2</strong> is acting as the server in an SSH connection, click Generate<br />
New Host Key. <strong>Sidewinder</strong> <strong>G2</strong> automatically generates the following three<br />
authentication keys: RSA1, RSA, and DSA.<br />
3 To generate the SSH version 1.5 client authentication key that will be used<br />
when the <strong>Sidewinder</strong> <strong>G2</strong> is acting as a client in an SSH connection, click<br />
Generate New Client Key.<br />
4 [Conditional] To export the client key to another <strong>Sidewinder</strong> <strong>G2</strong>, click Export<br />
Client Key. You can only export the client key if:<br />
• you generated a client key as described in step 3<br />
• you currently have an active Admin Console connection with one or<br />
more additional <strong>Sidewinder</strong> <strong>G2</strong>s (the <strong>Sidewinder</strong> <strong>G2</strong>[s] that will act as<br />
the SSH server).<br />
5 Click the Save icon to save your changes.<br />
Configuring the Export Client Key window<br />
The Export Client Key window is used to select the <strong>Sidewinder</strong> <strong>G2</strong>(s) to which<br />
you want to export the public client key. After selecting the desired <strong>Sidewinder</strong><br />
<strong>G2</strong>(s), click OK to initiate the export process.<br />
Tips on using SSH with <strong>Sidewinder</strong> <strong>G2</strong><br />
Please note the following information about SSH on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• There are two configuration files associated with SSH:<br />
– For the SSH daemon: /etc/sshd_config<br />
– For the SSH client: /etc/ssh_config<br />
• See the ssh, sshd, and ssh-keygen man pages for additional details.<br />
• The <strong>Sidewinder</strong> <strong>G2</strong>'s SSH daemon and client are based on the OpenSSH<br />
implementation. See http://www.openssh.com for more information.<br />
Administering <strong>Sidewinder</strong> <strong>G2</strong> using Telnet<br />
To troubleshoot <strong>Sidewinder</strong> <strong>G2</strong> problems using a command line interface<br />
rather than the Admin Console, you can configure Telnet services that allow<br />
you to connect from a system within your network. You can also allow trusted<br />
users to use a Telnet client to log into Internet systems remotely.<br />
Setting up an internal (trusted) Telnet server<br />
Telnet provides a way to log into a system in your network from another<br />
system. All you need to know is the name of the system you want to log in to.<br />
Once you have established a connection, you are logged in just as you<br />
would be if you were physically located at that system.<br />
A Telnet server is defined for each burb on your <strong>Sidewinder</strong> <strong>G2</strong>: one for the<br />
external (Internet) burb and one for each <strong>of</strong> the internal (or trusted) burbs. This<br />
gives you the capability to Telnet to the <strong>Sidewinder</strong> <strong>G2</strong> from any system on an<br />
internal burb so you can perform administrative tasks remotely.<br />
Note: For security reasons, the Telnet servers are not initially enabled.
To access the trusted Telnet server, follow the steps below:<br />
1 Create a proxy rule that allows access to the Telnet server and add it to the<br />
active rule group. See “Creating proxy rules” on page 222.<br />
2 Enable the Telnet server as follows:<br />
a Select Services Configuration > Servers.<br />
b Select telnet from the list <strong>of</strong> server names.<br />
c Select the burb(s) in which you want the Telnet server to be enabled. A<br />
check mark appears when the server is enabled for a burb.<br />
d Click the Save icon in the toolbar.<br />
Important: All users accessing a Telnet server must be authenticated. If the proxy<br />
rule that allows entry for a Telnet connection does not specify authentication, users<br />
will not be able to log in.<br />
To perform <strong>Sidewinder</strong> <strong>G2</strong> administration tasks, you must have an account on<br />
the <strong>Sidewinder</strong> <strong>G2</strong> as described in “Setting up and maintaining administrator<br />
accounts” on page 43. Aside from your account and authentication information,<br />
all you need to log into the <strong>Sidewinder</strong> <strong>G2</strong> is its host name. To log into the<br />
<strong>Sidewinder</strong> <strong>G2</strong> using Telnet, see “Connecting to the <strong>Sidewinder</strong> <strong>G2</strong> using<br />
Telnet” on page 38.<br />
Setting up an external Telnet server<br />
The <strong>Sidewinder</strong> <strong>G2</strong> allows you to enable an external Telnet server. An external<br />
server resides on the external network side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>, and is<br />
available to Internet users once you set up the appropriate “allow” proxy rules<br />
and add them to the active rule group. (The other Telnet servers reside on the<br />
internal side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> and are available only to trusted users.)<br />
Security Alert: Setting up a Telnet server on the external side <strong>of</strong> your <strong>Sidewinder</strong><br />
<strong>G2</strong> can raise security issues. Contact Secure Computing <strong>Technical</strong> Support before<br />
attempting this.<br />
Connecting to the <strong>Sidewinder</strong> <strong>G2</strong> using Telnet<br />
Note: You must enable the Telnet server in the appropriate burb(s) before you will<br />
be allowed to Telnet. See “Setting up an internal (trusted) Telnet server” on page<br />
36.<br />
1 Telnet to the <strong>Sidewinder</strong> <strong>G2</strong> and log in by typing the following command,<br />
using your <strong>Sidewinder</strong> <strong>G2</strong> host name.<br />
telnet hostname<br />
When prompted, enter your <strong>Sidewinder</strong> <strong>G2</strong> authentication information.<br />
Depending on the authentication method configured for you on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, you must now provide a valid password or a special passcode<br />
or personal identification number (PIN) before you are logged on to<br />
the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 Enter the following command:<br />
srole<br />
Enter commands from the UNIX prompt as required. Refer to Appendix A or<br />
the man pages for information on using individual commands.
CHAPTER 3<br />
General System Tasks<br />
In this chapter...<br />
Restarting or shutting down the system .........................................40<br />
Setting up and maintaining administrator accounts........................43<br />
Changing passwords......................................................................47<br />
Setting the system date and time...................................................47<br />
Using system roles to access type enforced domains ...................49<br />
Configuration file backup and restore.............................................50<br />
Activating the <strong>Sidewinder</strong> <strong>G2</strong> license .............................................55<br />
Protected host licensing and the Host Enrollment List ...................62<br />
Enabling and disabling servers ......................................................65<br />
Configuring the synchronization server ..........................................68<br />
Configuring virus scanning services...............................................69<br />
Configuring the shund server .........................................................74<br />
Loading and installing patches .......................................................76<br />
Modifying the burb configuration ....................................................82<br />
Modifying the interface configuration..............................................83<br />
Modifying the static route ...............................................................90<br />
Configuring Admin Console access ...............................................91<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> to use a UPS ................................93<br />
Enforcing FIPS ...............................................................................95<br />
Chapter 3: General System Tasks<br />
Restarting or shutting down the system<br />
You can boot the <strong>Sidewinder</strong> <strong>G2</strong> to start up in one <strong>of</strong> two kernels: Operational<br />
or Administrative (see “<strong>Sidewinder</strong> <strong>G2</strong> kernels” on page 4 for descriptions <strong>of</strong><br />
each kernel). This section describes how to power up the <strong>Sidewinder</strong> <strong>G2</strong> to the<br />
Operational kernel when the <strong>Sidewinder</strong> <strong>G2</strong> is powered off, and how to reboot<br />
or shut down the system when the <strong>Sidewinder</strong> <strong>G2</strong> is running.<br />
Important: The Administrative kernel is used only when an administrator needs to<br />
perform special tasks (such as installing software or restoring <strong>Sidewinder</strong> <strong>G2</strong><br />
software from a backup tape), or under certain circumstances for troubleshooting<br />
purposes. For information on booting the <strong>Sidewinder</strong> <strong>G2</strong> into the Administrative<br />
kernel, see “Powering up the system to the Administrative kernel” on page 636.<br />
When you power up the <strong>Sidewinder</strong> <strong>G2</strong>, it will boot to the Operational kernel by<br />
default. You will almost always run the <strong>Sidewinder</strong> <strong>G2</strong> in the Operational<br />
kernel, unless you need to perform a full system backup or restore, or to install<br />
hardware or software. All procedures that require the Administrative kernel are<br />
discussed in Appendix F “Basic Troubleshooting”.<br />
The procedures to power up, reboot, or shut down the <strong>Sidewinder</strong> <strong>G2</strong> in the<br />
Operational kernel are described in the following subsections.<br />
Important: When the <strong>Sidewinder</strong> <strong>G2</strong> is rebooted or shut down, a record of who<br />
issued the action is logged in the /var/log/messages file. This applies to a reboot or<br />
shutdown issued from the Admin Console or using the shutdown command.<br />
Powering on the system to the Operational kernel<br />
Because the Operational kernel is the default kernel, you can boot your<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the Operational kernel by pressing the power button. Once<br />
the system has booted, you can start the Admin Console and log into your<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Once you are logged in, you can perform the Operational<br />
kernel tasks described in this manual.<br />
Note: If the boot process fails, see “What to do if the boot process fails” on page<br />
651.
Rebooting or shutting down using the Admin Console<br />
The following procedure allows you to reboot or shut down the system using<br />
the Admin Console.<br />
In the Admin Console, select Firewall <strong>Administration</strong> > System Shutdown.<br />
The following window appears.<br />
Figure 16: System Shutdown window<br />
This window is used to either reboot the <strong>Sidewinder</strong> <strong>G2</strong> or to shut down the<br />
system completely. Follow the steps below.<br />
1 In the Shutdown Options area, select the action you want to perform:<br />
• Reboot to Operational Kernel—Restarts the system in the Operational<br />
kernel.<br />
• Reboot to Administrative Kernel—Restarts the system in the<br />
Administrative kernel and displays the # prompt at the <strong>Sidewinder</strong> <strong>G2</strong>,<br />
indicating that you are in a login shell and can start issuing <strong>Sidewinder</strong><br />
<strong>G2</strong> or UNIX commands. (You will be prompted to mount the file<br />
systems.)<br />
Important: Remember that while <strong>Sidewinder</strong> <strong>G2</strong> is in the Administrative<br />
kernel, it is offline and does not pass traffic. You must connect a keyboard and<br />
monitor to the <strong>Sidewinder</strong> <strong>G2</strong> before you can administer the system in the<br />
Administrative kernel. See “Powering up the system to the Administrative<br />
kernel” on page 636 for details.<br />
• Halt System—Shuts down the <strong>Sidewinder</strong> <strong>G2</strong> software without<br />
restarting. Run this command before you move your <strong>Sidewinder</strong> <strong>G2</strong> to a<br />
new location or make hardware changes.<br />
2 [Optional] If you want a shutdown message to appear informing users <strong>of</strong> a<br />
pending shutdown, type the message text in the Shutdown Message field.<br />
3 In the Shutdown Time field, select the shutdown time from the following<br />
options.<br />
• Immediately—The system will shut down immediately when you click<br />
Execute Shutdown.<br />
• Delay Shutdown for—The shutdown will be delayed for the amount <strong>of</strong><br />
time specified in the Hours and Minutes fields. You can enter values in<br />
these fields that will delay the shutdown for up to 24 hours and 59<br />
minutes.<br />
4 Click Execute Shutdown to implement the shutdown.<br />
Any connections to the Admin Console will be lost when the <strong>Sidewinder</strong> <strong>G2</strong><br />
shuts down. New connections to the <strong>Sidewinder</strong> <strong>G2</strong> will not be allowed<br />
once the shutdown process has been executed.<br />
Rebooting or shutting down using a command line<br />
interface<br />
The shutdown command reboots or shuts down the system from a command<br />
line interface. Use this command to indicate how and when you want the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to shut down.<br />
The shutdown time can be specified as:<br />
• now (for immediate shutdown)<br />
• a number of minutes (If you are specifying the number of minutes, you must<br />
include a plus (+) sign in front of the minutes.)<br />
• an exact date and time, in the format [[[yy]mm]dd]hhmm<br />
Use the command in the following formats to shut down or reboot the system:<br />
• To restart the system in the Operational kernel, enter the following<br />
command at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
shutdown -r [time]<br />
For example, shutdown -r now would immediately reboot <strong>Sidewinder</strong> <strong>G2</strong><br />
into its Operational kernel.<br />
• To restart the system to the Administrative kernel, enter the following<br />
command at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
shutdown -g [time]<br />
For example, shutdown -g +120 would reboot <strong>Sidewinder</strong> <strong>G2</strong> into its<br />
Administrative kernel in two hours (120 minutes).<br />
Important: Remember that while <strong>Sidewinder</strong> <strong>G2</strong> is in the Administrative<br />
kernel, it is offline and does not pass traffic. You must connect a keyboard and<br />
monitor to the <strong>Sidewinder</strong> <strong>G2</strong> before you can administer the system in the<br />
Administrative kernel. See “Powering up the system to the Administrative<br />
kernel” on page 636 for details.
• To shut down the <strong>Sidewinder</strong> <strong>G2</strong> without restarting, enter the following<br />
command at a <strong>Sidewinder</strong> <strong>G2</strong> command prompt:<br />
shutdown -h [time]<br />
For example, shutdown -h 0601312359 would halt <strong>Sidewinder</strong> <strong>G2</strong> at one<br />
minute to midnight on January 31, 2006.<br />
Note: More information about shutdown options is available on the shutdown<br />
man page.<br />
The shutdown process for a <strong>Sidewinder</strong> <strong>G2</strong> that belongs to an HA cluster is<br />
slightly different. See “Scheduling a soft shutdown for an HA cluster<br />
<strong>Sidewinder</strong> <strong>G2</strong>” on page 510 for information on shutting down a <strong>Sidewinder</strong> <strong>G2</strong><br />
that belongs to an HA cluster.<br />
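The three time forms accepted by the shutdown command, checked before the command is issued, as an added example that is not from the guide: validate_shutdown_time accepts now, +minutes or the [[[yy]mm]dd]hhmm form and rejects anything else (a mistyped time would otherwise schedule an unintended halt of a firewall that passes no traffic while down), and build_shutdown_cmd prints the line for -r, -g or -h without running it. The mode letters and time forms come from the text; the function names and the normalized output format are the example's own.<br />

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: validate the time
# argument for "shutdown -r|-g|-h" before it is run. Accepted forms are the
# three the guide lists: "now", "+<minutes>", or an absolute
# [[[yy]mm]dd]hhmm timestamp. Nothing here invokes shutdown;
# build_shutdown_cmd only prints the command line.

# Returns 0 and prints a normalized description for a valid spec,
# returns 1 with a reason on stderr otherwise.
validate_shutdown_time() {
    spec=$1
    case "$spec" in
        now)
            echo "immediate"; return 0 ;;
        +*)
            mins=${spec#+}
            case "$mins" in
                ''|*[!0-9]*)
                    echo "bad delay '$spec': use +<minutes>" >&2; return 1 ;;
            esac
            echo "delay ${mins}m"; return 0 ;;
    esac
    # Absolute form: digits only, 4/6/8/10 long (hhmm, ddhhmm, mmddhhmm, yymmddhhmm).
    case "$spec" in
        ''|*[!0-9]*) echo "bad time '$spec': digits only" >&2; return 1 ;;
    esac
    case "${#spec}" in
        4|6|8|10) ;;
        *) echo "bad time '$spec': expect [[[yy]mm]dd]hhmm" >&2; return 1 ;;
    esac
    rest=$spec
    hhmm=${rest#"${rest%????}"}; rest=${rest%????}   # peel hhmm off the right end
    hh=${hhmm%??}; mi=${hhmm#??}
    dd=..; mo=..; yy=..                               # ".." marks an omitted field
    if [ -n "$rest" ]; then dd=${rest#"${rest%??}"}; rest=${rest%??}; fi
    if [ -n "$rest" ]; then mo=${rest#"${rest%??}"}; rest=${rest%??}; fi
    if [ -n "$rest" ]; then yy=$rest; fi
    # Range checks (test(1) compares as decimal, so leading zeros are safe).
    if [ "$hh" -gt 23 ] || [ "$mi" -gt 59 ]; then
        echo "bad time '$spec': hour 00-23, minute 00-59" >&2; return 1
    fi
    if [ "$dd" != .. ] && { [ "$dd" -lt 1 ] || [ "$dd" -gt 31 ]; }; then
        echo "bad day '$dd' in '$spec'" >&2; return 1
    fi
    if [ "$mo" != .. ] && { [ "$mo" -lt 1 ] || [ "$mo" -gt 12 ]; }; then
        echo "bad month '$mo' in '$spec'" >&2; return 1
    fi
    echo "absolute $yy-$mo-$dd $hh:$mi"
}

# Print the command line for MODE (r = Operational kernel, g = Administrative
# kernel, h = halt) and TIME, or return 1 without printing if either is invalid.
build_shutdown_cmd() {
    mode=$1; when=$2
    case "$mode" in r|g|h) ;; *) echo "mode must be r, g or h" >&2; return 1 ;; esac
    validate_shutdown_time "$when" >/dev/null || return 1
    echo "shutdown -$mode $when"
}

# Stand-alone demo using the guide's own three time examples.
for t in now +120 0601312359; do validate_shutdown_time "$t"; done
build_shutdown_cmd h 0601312359
```

The guide's "shutdown -h 0601312359" normalizes to "absolute 06-01-31 23:59", which is the one-minute-to-midnight on January 31, 2006 that the text describes.<br />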
Setting up and maintaining administrator accounts<br />
Each <strong>Sidewinder</strong> <strong>G2</strong> administrator must have an account created on the<br />
system. When you installed your <strong>Sidewinder</strong> <strong>G2</strong>, you created an initial<br />
administrator account by entering a login name and password. This section<br />
describes how to set up and maintain <strong>Sidewinder</strong> <strong>G2</strong> accounts for other<br />
administrators.<br />
Note: Only administrators have accounts directly on the <strong>Sidewinder</strong> <strong>G2</strong>. People<br />
who use <strong>Sidewinder</strong> <strong>G2</strong> networking services have “user” (or network login)<br />
accounts, not <strong>Sidewinder</strong> <strong>G2</strong> administrator accounts. See “Creating users and user<br />
groups” on page 132 for information on creating non-administrative user accounts.<br />
When you add an administrator account, you will also assign the new<br />
administrator a role. The following table describes the available administrator<br />
roles. The following processes explain how to view, add, edit, or delete<br />
administrator account information or change role assignments.<br />
Table 6: Administrator roles<br />
Role: admin. Authorized to:<br />
• Access all windows, menus, and commands within the Admin Console.<br />
• Add and remove users and assign roles.<br />
• Do incremental back-ups and restore the system. (Full back-ups and restores<br />
are done in the Administrative kernel.)<br />
• Use all other system functions and commands.<br />
Role: adminro. Authorized to:<br />
• Read access to all windows, menus, and commands within the Admin Console<br />
(including monitoring, reporting, and auditing). This role is generally used as an<br />
auditor role.<br />
Role: no admin privileges.<br />
• Maintains an existing or new administrator account without any read or write<br />
access. This role is generally used to temporarily disable an administrator account.<br />
Viewing administrator accounts<br />
Start the Admin Console and select Firewall <strong>Administration</strong> > Firewall<br />
Accounts. A window similar to the following appears.<br />
Figure 17: Firewall Accounts window<br />
This window displays the administrator accounts currently established on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Each row in the table defines one user account, and contains<br />
the following information:<br />
• Username—This column identifies the name used by each administrator<br />
when logging into the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• Full Name—This column identifies the full name <strong>of</strong> each user.<br />
• Role—This column identifies the authorized role for each user.<br />
• Directory—This column identifies the home directory path that is created<br />
for that user.<br />
You can also specify the following information, which applies to all user<br />
accounts:<br />
• Delete home directory upon deletion <strong>of</strong> user—Select this check box to<br />
configure the <strong>Sidewinder</strong> <strong>G2</strong> to automatically delete a user’s home<br />
directory if a user’s account is deleted from the system.<br />
• Administrator Authentication Default Method—Select the default<br />
authentication method that will be used by administrators to log into the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: This is different from the default authentication method that is specified<br />
within individual proxy rules, which are only for proxy users.
To create or modify a user account, click New or Modify, and see “Adding or<br />
modifying an administrator account” on page 45 for details.<br />
To delete a user account, highlight the user account you want to delete and<br />
click Delete. A confirmation message appears. Select Yes to delete the<br />
account or No to cancel. (When you delete an administrator account, the user<br />
database entry for that administrator is also removed.)<br />
Adding or modifying an administrator account<br />
When you click New or Modify in the Firewall Accounts window, the following<br />
window appears.<br />
Figure 18: Administrator Information tab<br />
Note: The information shown in the Firewall Accounts window is stored in the<br />
/etc/sidewinder/roles.conf file.<br />
To create a new <strong>Sidewinder</strong> <strong>G2</strong> administrator account or to modify an existing<br />
account, follow the steps below.<br />
1 In the Username field, type the user name for the administrator. The name<br />
can consist of up to 16 alphanumeric characters and must begin with an<br />
alphabetic character.<br />
If you are editing an existing account, you cannot change the user name.<br />
Important: Do not use uppercase characters in the username field, because<br />
sendmail will automatically convert the user name to lowercase before mail is<br />
delivered. Therefore, any mail addressed to a user name that contains<br />
uppercase characters will not be forwarded.<br />
2 In the Password field, type a password for this administrator. This is the<br />
password the administrator must enter when logging into the <strong>Sidewinder</strong><br />
<strong>G2</strong>. Use the following guidelines to create a strong password:<br />
• Use passwords that are at least 7 or 8 characters in length.<br />
• Use a mix <strong>of</strong> upper and lowercase letters, and non-alphabetic<br />
characters such as symbols and numbers.<br />
• Do not use any easily guessed words or words found in a dictionary,<br />
including foreign languages.<br />
Note: If you are modifying the account, the encrypted password is displayed in<br />
this field.<br />
3 In the Confirm Password field, retype the password you entered in the<br />
Password field. The text entered here must match the text entered in the<br />
Password field; this reduces the chance of a typing error when creating<br />
passwords.<br />
4 [Optional] In the Full Name field, type the full name <strong>of</strong> the administrator.<br />
5 [Optional] In the Office field, type the office address of the administrator.<br />
6 [Optional] In the Office Phone field, type the office phone number of the<br />
administrator.<br />
7 [Optional] In the Home Phone field, type the home phone number <strong>of</strong> the<br />
administrator.<br />
8 In the Directory field, specify the home directory for this administrator. The<br />
default value for this field is /home/username. This field can only be modified if<br />
you are creating a new administrator account.<br />
9 In the Login Shell drop-down list, specify the UNIX shell that will be used when<br />
this administrator logs in.<br />
10 In the Roles drop-down list, select the authorized role for this administrator.<br />
• admin—Select this option if you want the user to have administrator<br />
privileges for all areas on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• adminro—Select this option to allow read privileges only. This role will<br />
allow an administrator to view all system information, as well as create<br />
and run audit reports. An administrator with read-only privileges cannot<br />
commit changes to any area <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• no admin privileges—Select this option to temporarily disable an<br />
account. An administrator with no admin privileges cannot log into<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
11 Click Add to save the changes (or OK if modifying an account), or click<br />
Cancel to exit the window without saving the changes.
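A pre-check for the Username and Password values in steps 1 and 2, as an added example that is not from the guide: it applies the username rules (up to 16 alphanumeric characters, a leading letter, no uppercase because sendmail lowercases the name) and the password guidelines (length, mixed case, a non-alphabetic character, no dictionary word) before anything is typed into the Firewall Accounts window. The word list is constructed for the demo, the substring match against it is the example's own choice, and the 8-character minimum is chosen from the guide's "7 or 8".<br />

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: check a proposed
# administrator Username and Password against the rules in steps 1 and 2.
# Username: 1-16 alphanumeric characters, first character a letter, and no
# uppercase (sendmail lowercases the name, so mail to a mixed-case name would
# not be delivered). Password: at least 8 characters, upper- and lowercase
# letters, a digit or symbol, and no dictionary word. The word list below is
# a constructed stand-in for a real dictionary file.

LC_ALL=C; export LC_ALL    # keep the [a-z] ranges strictly ASCII

check_admin_username() {
    name=$1
    case "$name" in
        '')          echo "username: empty" >&2; return 1 ;;
        *[!a-z0-9]*) echo "username '$name': lowercase letters and digits only" >&2; return 1 ;;
        [!a-z]*)     echo "username '$name': must begin with a letter" >&2; return 1 ;;
    esac
    [ ${#name} -le 16 ] || { echo "username '$name': more than 16 characters" >&2; return 1; }
    return 0
}

# Constructed word list for the demo; a real check would read a dictionary file.
DICT="password admin secret sidewinder firewall welcome"

check_admin_password() {
    pw=$1
    [ ${#pw} -ge 8 ] || { echo "password: fewer than 8 characters" >&2; return 1; }
    case "$pw" in *[A-Z]*) ;;    *) echo "password: needs an uppercase letter" >&2; return 1 ;; esac
    case "$pw" in *[a-z]*) ;;    *) echo "password: needs a lowercase letter" >&2; return 1 ;; esac
    case "$pw" in *[!A-Za-z]*) ;; *) echo "password: needs a digit or symbol" >&2; return 1 ;; esac
    # Reject any password that contains a listed word, regardless of case.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $DICT; do
        case "$lower" in *"$w"*) echo "password: contains dictionary word '$w'" >&2; return 1 ;; esac
    done
    return 0
}

# Stand-alone demo with constructed values.
check_admin_username fwadmin && echo "username ok"
check_admin_username FwAdmin || echo "username rejected, as expected"
check_admin_password 'Gx7!pLq2vN' && echo "password ok"
check_admin_password 'Sidewinder1!' || echo "password rejected, as expected"
```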
Changing passwords<br />
To change an administrator account password (also known as a UNIX account<br />
password), do the following:<br />
Note: If you forget your password, you can still access the Administrative kernel to<br />
change your password. See “If you forget your administrator password” on page<br />
653.<br />
1 In the Admin Console, select Firewall <strong>Administration</strong> > Firewall Accounts.<br />
The Administrator Accounts window appears.<br />
2 Click the administrator account whose password you want to change, then<br />
click Modify. The Firewall Accounts: Modify window appears.<br />
3 In the Password field, enter the new administrator account password.<br />
4 Click OK.<br />
Setting the system date and time<br />
Use the following procedures to check the <strong>Sidewinder</strong> <strong>G2</strong> system clock or<br />
change the system clock from the Admin Console.<br />
Viewing/changing the date and time<br />
To check and/or change the system date and time settings, start the Admin<br />
Console and select Firewall <strong>Administration</strong> > Date and Time. The Date and<br />
Time window appears.<br />
Figure 19: Date and Time window<br />
Before changing the date and time, note the following:<br />
• Applying changes to the date and time will cause the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
automatically reboot. Therefore, you should only modify date and/or time<br />
settings during off-hours. Also note that the reboot will cause you to lose<br />
your Admin Console connection.<br />
• The Admin Console allows you to set the clock ahead a maximum <strong>of</strong> 31<br />
days. The Admin Console does not allow you to set the system clock back<br />
in time. To set the clock back, reboot to the Administrative kernel and run<br />
the config_time utility. See “Changing the date or time using the<br />
config_time utility” on page 48 for details.<br />
To change the date and time using the Admin Console, follow the steps below.<br />
1 In the Location drop-down list, select the world-wide location <strong>of</strong> this<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 In the Time Zone drop-down list, select the time zone in which this<br />
<strong>Sidewinder</strong> <strong>G2</strong> is located.<br />
3 In the Date field, select the current date from the Month, Day, and Year<br />
drop-down lists.<br />
4 In the Time drop-down list, select the current time (hours, minutes,<br />
AM/PM).<br />
5 Click the Save icon to save your changes.<br />
Changing the date or time using the config_time utility<br />
To change the system date or time setting on the <strong>Sidewinder</strong> <strong>G2</strong>, use the<br />
config_time utility, as follows.<br />
1 Reboot the <strong>Sidewinder</strong> <strong>G2</strong> to the Administrative kernel. For information on<br />
rebooting to the Administrative kernel, see “Powering up the system to the<br />
Administrative kernel” on page 636.<br />
2 At a <strong>Sidewinder</strong> <strong>G2</strong> command prompt, enter the following command:<br />
config_time<br />
The first date and time configuration window appears.<br />
3 Specify the correct time zone.<br />
When you are prompted to set the time zone, type yes or no (default), then<br />
press Enter.<br />
• If you respond no, proceed to step 4.<br />
• If you respond yes, a list <strong>of</strong> time zone options appears and you must<br />
type in the exact spelling for the time zone option you want and then<br />
press Enter.<br />
4 Specify the correct system clock settings.<br />
At the screen asking if you want to set the system clock, type yes or no<br />
(default), then press Enter.<br />
• If you respond no, the config_time script stops.<br />
• If you respond yes, you will be prompted to enter the current date, then<br />
the current time. Specify the date and time in the format shown on the<br />
screen.<br />
Important: If you increment the system date by more than a few days, you<br />
may cause passwords to expire. For example, if a user’s password is set to<br />
expire in six days and you increment the date setting by seven days, that user’s<br />
password will automatically expire.<br />
5 Reboot to the Operational kernel by entering the following command:<br />
shutdown -r now
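The Important note in step 4 warns that advancing the clock can expire passwords. The following pre-check, added here as an example and not part of the Sidewinder G2 guide, shows how an administrator can work out which accounts a planned date change would expire before running config_time. The account names and expiry dates are constructed, and the boundary rule (a password counts as expired once the system date reaches or passes its expiry date) is this example's assumption, since the guide does not state it.<br />

```python
"""Pre-check for a clock change: which passwords would a date jump expire?

Added example, not part of the Sidewinder G2 guide. The account data is
constructed, and the boundary rule (a password is expired once the system
date reaches or passes its expiry date) is an assumption of this example.
"""
from datetime import date, timedelta

# Constructed sample data: user name -> date the password expires.
SAMPLE_TODAY = date(2006, 3, 1)
SAMPLE_ACCOUNTS = {
    "admin1": date(2006, 3, 7),   # six days away: the guide's example case
    "admin2": date(2006, 3, 20),  # well ahead of any small clock change
    "ops": date(2006, 2, 25),     # already expired; a clock change cannot cause that
}


def accounts_expired_by_shift(accounts, today, shift_days):
    """Return the users whose still-valid password would be expired once the
    system date is advanced by shift_days from today.

    Accounts that are already expired are not reported, because the clock
    change is not what expires them. A password whose expiry falls exactly
    on the new date is counted as expired (assumption, see module docstring).
    """
    new_date = today + timedelta(days=shift_days)
    return sorted(user for user, expiry in accounts.items()
                  if today < expiry <= new_date)


def max_safe_shift(accounts, today):
    """Largest number of days the date can be advanced without expiring any
    currently valid password, or None when no account has a future expiry."""
    remaining = [(expiry - today).days
                 for expiry in accounts.values() if expiry > today]
    if not remaining:
        return None
    return min(remaining) - 1


def report(accounts, today, shift_days):
    """Human-readable summary for the administrator making the change."""
    lines = [f"Advancing the date by {shift_days} day(s) from {today}:"]
    for user in accounts_expired_by_shift(accounts, today, shift_days):
        left = (accounts[user] - today).days
        lines.append(f"  {user}: password expires in {left} day(s) -> would expire")
    lines.append(f"Safe shift without expiring anyone: "
                 f"{max_safe_shift(accounts, today)} day(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    # The guide's scenario: six days of validity left, clock moved forward seven.
    print(report(SAMPLE_ACCOUNTS, SAMPLE_TODAY, 7))
```

Run the check against the real expiry dates before step 4, and prefer a shift no larger than the reported safe value; if a larger jump is unavoidable, warn the affected users so the expiry does not lock out the only administrator.<br />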
Chapter 3: General System Tasks<br />
Using system roles to access type enforced domains<br />
This section describes the commands that tell you which kernel, domain, and system role you are currently running in.<br />
Note: For more information on any <strong>of</strong> the commands described below, see the<br />
appropriate man page.<br />
Checking which kernel you are running (uname)<br />
To find out whether you are operating in the Administrative or Operational<br />
kernel, type the following command:<br />
uname -a<br />
The -a parameter prints the kernel name together with other system identifying attributes, such as hardware platform information. SW_OPS in the output indicates you are running in the Operational kernel; SW_ADMIN indicates you are running in the Administrative kernel.<br />
Checking which domain you are using (whereami)<br />
To check which domain you are currently executing in, type the following<br />
command:<br />
whereami<br />
A response similar to the following will appear:<br />
domain=User<br />
The domain in the response indicates in which domain you are operating.<br />
Changing your domain access using the srole command<br />
When you initially log into the <strong>Sidewinder</strong> <strong>G2</strong> using a command prompt, you<br />
are logged into the User domain by default. The User domain allows very little<br />
access, including no access to sensitive files.<br />
To change to the Admn domain, which allows access to all <strong>Sidewinder</strong> <strong>G2</strong><br />
domains (based on your administrative role), enter the following command:<br />
srole<br />
To return to the previous domain role and shell, enter the following command:<br />
exit<br />
You are returned to the User domain.<br />
49
Configuration file backup and restore<br />
50<br />
This feature enables you to back up and restore Sidewinder G2 configuration files. Backing up the configuration files enables you to quickly restore a Sidewinder G2 to a previous operational state. Table 7 shows the difference between a configuration backup and a system file backup.<br />
Overview <strong>of</strong> configuration file backup and restore<br />
This section covers backing up and restoring configuration files using the<br />
Admin Console. System file backup and restore procedures, and configuration<br />
restores using the command line, are described in Appendix F, “Basic<br />
Troubleshooting.” Back up the full system before and after making major<br />
changes to your <strong>Sidewinder</strong> <strong>G2</strong>, such as adding new hardware.<br />
Table 7: Configuration backup/restore vs. system file backup/restore<br />
<table>
<tr><th>Configuration backup and restore</th><th>System file backup and restore</th></tr>
<tr><td>Backs up and restores just the Sidewinder G2 configuration files.</td><td>Backs up and restores the entire Sidewinder G2 hard drive.</td></tr>
<tr><td>Backs up the files to diskette, to itself, or to the hard drive of another Sidewinder G2.</td><td>Backs up the Sidewinder G2 hard drive to a DAT.</td></tr>
<tr><td>Does not allow incremental backups.</td><td>Allows incremental backups.</td></tr>
<tr><td>You back up and restore from within the Operational kernel. This enables you to perform the backup and restore on another Sidewinder G2.</td><td>Requires you to boot to the Administrative kernel to perform the backup and restore. This means you cannot perform this backup and restore on another Sidewinder G2.</td></tr>
<tr><td>Can be performed on either a local or a remote Sidewinder G2, using the Admin Console.</td><td>Can only be performed locally using the Installation Wizard.</td></tr>
<tr><td>Enables you to restore a Sidewinder G2 without having to re-install from scratch.</td><td>Requires you to re-install from scratch using the DAT.</td></tr>
<tr><td>Restores only the configuration files. Mail queues, audit trails, etc., are not restored.</td><td>Restores the entire system as it existed at the time of the backup. This includes old mail queues, audit trail information, etc.</td></tr>
<tr><td>Does not back up site-specific changes made to non-configuration files.</td><td>Backs up all site-specific changes.</td></tr>
<tr><td>The backup and restore process is quick.</td><td>The backup and restore process is not as quick.</td></tr>
</table>
Figure 20 displays the various options you have when using the configuration backup process.<br />
Figure 20: Configuration file backup options<br />
Option 1) Back up your local Sidewinder G2 configuration files to diskette. Note: Make sure your Sidewinder G2 has a floppy drive before selecting this option.<br />
Option 2) Back up your Sidewinder G2 configuration files to its own hard drive (used to allow you to FTP the configuration backup to another location, for instance).<br />
Option 3) Back up a Sidewinder G2 to a different Sidewinder G2. (Figure labels: local Sidewinder G2, SSL connection, Internet, remote Sidewinder G2.)<br />
What is backed up and restored<br />
There are two files that determine which configuration files will be backed up<br />
and restored. The files are located in the /etc/backups/config_backup directory<br />
and are named:<br />
• backup_file_list — Contains the list <strong>of</strong> files and directories that will be<br />
included in the configuration backup/restore process. Wild cards can be<br />
used when specifying names in this file.<br />
• exclude_file_list — Defines the files within backup_file_list that should be<br />
excluded from the configuration backup/restore process. For example, files<br />
that contain graphics are located in some <strong>of</strong> the directories specified in<br />
backup_file_list that should not be included in the configuration backup/<br />
restore process. You cannot specify directory names or use wild cards in<br />
this file.<br />
Caution: While it is possible to modify these two files, do so with caution. To<br />
prevent accidental modification, these files are defined as read-only. If you<br />
absolutely must modify one <strong>of</strong> these files, use the Admin Console.<br />
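The two lists above follow different rules: backup_file_list may name files and directories and may use wildcards, while exclude_file_list may name only individual files. The following is an added example, not code from the Sidewinder G2 product, that resolves the effective backup set from such a pair of lists so you can review what a backup would actually contain before relying on it. The file tree, paths and both lists are constructed; the matching rules (a directory entry covers everything under it, a wildcard entry is matched shell-style one path segment at a time, an exclude entry is honoured only when it names exactly one regular file) are this example's assumptions about semantics the guide gives only in prose.<br />

```python
"""Resolve the file set a configuration backup would cover, from an include
list and an exclude list in the style of backup_file_list and exclude_file_list.

Added example, not code from the Sidewinder G2 product. The tree and both
lists are constructed, and the matching rules are this example's assumptions:
an include entry naming a directory covers everything under it, a wildcard
include entry is matched shell-style segment by segment against full paths,
and an exclude entry is honoured only when it names exactly one regular file.
"""
import fnmatch

# Constructed tree: path -> True for a directory, False for a regular file.
# The paths are hypothetical and are not taken from the product.
SAMPLE_TREE = {
    "/etc/fwcfg": True,
    "/etc/fwcfg/rules.conf": False,
    "/etc/fwcfg/logo.gif": False,      # graphics file of the kind the guide excludes
    "/etc/fwcfg/users.db": False,
    "/etc/resolv.conf": False,
    "/etc/hosts": False,
    "/var/log/messages": False,        # a log file, never a configuration file
    "/var/backups/repository": True,   # previous backups: not included unless listed
    "/var/backups/repository/cfg1.fw.example.com": False,
}
SAMPLE_INCLUDE = ["/etc/fwcfg", "/etc/*.conf", "/etc/hosts"]
SAMPLE_EXCLUDE = ["/etc/fwcfg/logo.gif", "/etc/fwcfg", "/etc/*.db"]

WILDCARDS = "*?["


def has_wildcard(entry):
    return any(ch in entry for ch in WILDCARDS)


def glob_match(path, pattern):
    """Shell-style match one path segment at a time, so '*' never crosses '/'."""
    path_parts, pat_parts = path.split("/"), pattern.split("/")
    return len(path_parts) == len(pat_parts) and all(
        fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, pat_parts))


def files_under(directory, tree):
    """Regular files below a directory, recursively."""
    prefix = directory.rstrip("/") + "/"
    return {p for p, is_dir in tree.items() if not is_dir and p.startswith(prefix)}


def expand_include(entry, tree):
    """Files selected by one include-list entry (file, directory or wildcard)."""
    selected = set()
    if has_wildcard(entry):
        matches = [p for p in tree if glob_match(p, entry)]
    else:
        matches = [entry] if entry in tree else []
    for path in matches:
        selected |= files_under(path, tree) if tree[path] else {path}
    return selected


def resolve_backup_set(tree, include_list, exclude_list):
    """Return (sorted files to back up, exclude entries rejected because they
    used a wildcard or named a directory)."""
    included = set()
    for entry in include_list:
        included |= expand_include(entry.strip(), tree)
    rejected = []
    for entry in exclude_list:
        entry = entry.strip()
        if has_wildcard(entry) or tree.get(entry) is True:
            rejected.append(entry)   # exclude list takes individual files only
            continue
        included.discard(entry)      # an entry naming a non-included file is a no-op
    return sorted(included), rejected


if __name__ == "__main__":
    files, rejected = resolve_backup_set(SAMPLE_TREE, SAMPLE_INCLUDE, SAMPLE_EXCLUDE)
    print("\n".join(files))
    print("rejected exclude entries:", rejected)
```

Two things the sample shows that the prose only states: the repository of previous backups stays out of the set until it is added to the include list, and an exclude entry that uses a wildcard or names a directory is reported rather than silently applied, which is the failure mode to look for when a backup turns out larger or smaller than expected.<br />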
51
What is not backed up or restored<br />
52<br />
Figure 21: Configuration Backup window<br />
The general rule is, if it is not a configuration file it will not be backed up. For<br />
example, the configuration backup/restore process will not process the mail<br />
queues, the audit trail, the log files, any executable files, etc. As such,<br />
modifications you make to non-configuration files will not be backed up and<br />
restored.<br />
Backing up and restoring config files using the Admin Console<br />
To back up or restore your configuration files using the Admin Console, start<br />
the Admin Console and select Firewall <strong>Administration</strong> > Configuration<br />
Backup. The Configuration Backup window appears.<br />
Note: See “Restoring configuration files using the command line” on page 646 for<br />
details on restoring configuration files when the Admin Console is not accessible.<br />
The Configuration Backup window allows you to back up and restore your Sidewinder G2 configuration files. Configuration files can be backed up to a floppy diskette, to the Sidewinder G2 hard drive, or to the hard drive of another Sidewinder G2. You can restore the backed-up configuration files using this window when your system is operational.<br />
Important: If you will be performing a configuration backup to or restore from a<br />
remote <strong>Sidewinder</strong> <strong>G2</strong>, you must first configure the synchronization server<br />
information. (See “Configuring the synchronization server” on page 68.) You must<br />
also enable the Synchronization proxy rule on the remote <strong>Sidewinder</strong> <strong>G2</strong>. See<br />
“Creating proxy rules” on page 222.
Backing up configuration files using the Admin Console<br />
To back up your configuration files using the Admin Console, follow the steps<br />
below.<br />
1 In the Configuration Action field, select Backup.<br />
2 In the Backup To or Restore From field, select the type <strong>of</strong> backup you want<br />
to make:<br />
• Floppy Diskette—Select this option to back up to a floppy diskette.<br />
(Select this option only if your <strong>Sidewinder</strong> <strong>G2</strong> has a floppy drive.)<br />
• Local <strong>Sidewinder</strong>—Select this option to back up to the <strong>Sidewinder</strong> <strong>G2</strong><br />
hard drive (the backup can then be transferred to another location using<br />
FTP).<br />
• Remote <strong>Sidewinder</strong>—Select this option to back up to a different<br />
<strong>Sidewinder</strong> <strong>G2</strong>. If you select this option, you must first ensure that both<br />
the synchronization server and Synchronization rule have been<br />
configured and enabled on the remote <strong>Sidewinder</strong> <strong>G2</strong> (where the<br />
backup will reside). See “Configuring the synchronization server” on<br />
page 68.<br />
3 [Conditional] If you selected Remote <strong>Sidewinder</strong> or Local <strong>Sidewinder</strong> in the<br />
previous step, do the following:<br />
a [Remote <strong>Sidewinder</strong> only] In the Address field, type the IP address <strong>of</strong><br />
the remote <strong>Sidewinder</strong> <strong>G2</strong>.<br />
b [Remote <strong>Sidewinder</strong> only] In the Port field, type the port that will be used<br />
to connect to the remote <strong>Sidewinder</strong> <strong>G2</strong>. The port number specified in<br />
this field must match the port number used for the remote <strong>Sidewinder</strong><br />
<strong>G2</strong>. The default for this field is 9005 and should not be modified.<br />
Note: The Port field does not support port lists. The remote <strong>Sidewinder</strong> <strong>G2</strong><br />
must be listening on the specified port for the transfer to occur.<br />
c [Remote <strong>Sidewinder</strong> only] In the Shared Sync Key field, enter<br />
a synchronization key that you created when you configured<br />
the synchronization server. (You can view the synchronization key<br />
for the synchronization server by going to Services Configuration ><br />
Servers > Synchronization > Configuration tab.)<br />
d In the Filename field, type the filename that the current configuration is<br />
stored as on the specified <strong>Sidewinder</strong> <strong>G2</strong> in the /var/backups/repository<br />
directory. This is needed in case there are multiple configurations on<br />
your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Remote backups will be stored in directories and file names with the format filename.hostname (where the filename is the user-specified value and the hostname is the fully qualified domain name of the Sidewinder G2 being backed up or restored).<br />
53
54<br />
4 To edit the list <strong>of</strong> files that will be included in the backup, click Edit Include<br />
List. A file editor window is displayed, containing a list <strong>of</strong> the files and<br />
directories that will be backed up. In this window, you can add or delete files<br />
or directories to include in the backup.<br />
Note: By default, previous backups are not included in a new backup. If you<br />
want to include previous backup files in a current backup, you must add the<br />
/var/backups/repository file path to the Include List.<br />
5 To edit the list <strong>of</strong> files that will be excluded from the backup, click Edit<br />
Exclude List. A file editor window is displayed, containing a list <strong>of</strong> the files<br />
that will not be backed up. You can add or delete files from the exclude list<br />
as desired. (Only individual files can be added or deleted from the Exclude<br />
list. You cannot include directories in the Exclude list.)<br />
6 The Local Backup Files area provides a list <strong>of</strong> current configuration<br />
backups stored on the local <strong>Sidewinder</strong> <strong>G2</strong> hard disk repository. To delete a<br />
backup file from the list, highlight one or more backups that you want to<br />
delete and click Delete.<br />
7 To begin the backup process, click the Save icon.<br />
Restoring configuration files using the Admin Console<br />
To restore configuration files using the Admin Console, follow the steps below.<br />
Note: You must restore configuration files from a backup file that was created at<br />
the same version as the system to which you are restoring (for example, if your<br />
system is currently running at version <strong>6.1.2</strong>.00, you can only perform a restore<br />
using a version <strong>6.1.2</strong>.00 configuration backup file).<br />
1 In the Configuration Action field, select Restore.<br />
2 In the Backup To or Restore From field, select the type <strong>of</strong> restore you want<br />
to perform:<br />
• Floppy Diskette—Select this option to restore from a floppy diskette.<br />
(Select this option only if your <strong>Sidewinder</strong> <strong>G2</strong> has a floppy drive.)<br />
• Local <strong>Sidewinder</strong>—Select this option to restore from the <strong>Sidewinder</strong> <strong>G2</strong><br />
hard drive.<br />
• Remote <strong>Sidewinder</strong>—Select this option to restore from a different<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: The Local Backup Files area provides a list <strong>of</strong> current configuration<br />
backups stored on the <strong>Sidewinder</strong> <strong>G2</strong> hard disk repository.
3 [Conditional] If you selected Remote Sidewinder or Local Sidewinder in the previous step, do the following:<br />
a [Remote Sidewinder only] In the IP address field, type the IP address of the remote Sidewinder G2.<br />
b [Remote Sidewinder only] In the Port field, type the port that will be used to connect to the remote Sidewinder G2. The port number specified in this field must match the port number used for the remote Sidewinder G2.<br />
Note: The Port field does not support port lists. The remote Sidewinder G2 must be listening on the specified port for the transfer to occur.<br />
c [Remote Sidewinder only] In the Shared Sync Key field, enter a synchronization key that you created when you configured the synchronization server on the remote Sidewinder G2 (where the backup resides). You can view the synchronization key for the synchronization server by going to Services Configuration > Servers > Synchronization > Configuration tab.<br />
d In the Filename field, type the filename that the current configuration is stored as on the Sidewinder G2 in the /var/backups/repository directory. This is needed in case there are multiple configurations on your Sidewinder G2.<br />
4 To begin the restore process, click the Save icon. (If you selected the diskette method, you will be prompted to insert a diskette into the Sidewinder G2 diskette drive.) The system will automatically reboot when the restore process is complete.<br />
Activating the Sidewinder G2 license<br />
In most cases, you will license your Sidewinder G2 and any licensed features<br />
during the initial configuration process. When you initially connect to a<br />
<strong>Sidewinder</strong> <strong>G2</strong> using the Admin Console, a window appears displaying a list <strong>of</strong><br />
features that are currently licensed for that <strong>Sidewinder</strong> <strong>G2</strong>.<br />
If you need to relicense or license a feature after initial configuration, you can<br />
use this section to activate a license using the Admin Console.<br />
Note: When the <strong>Sidewinder</strong> <strong>G2</strong> is rebooted or shutdown, a record <strong>of</strong> who issued<br />
the action is logged in the /var/log/messages file. This applies to a reboot or<br />
shutdown issued from the Admin Console or by using the shutdown command.<br />
Important: See “Protected host licensing and the Host Enrollment List” on page 62<br />
for information on how the <strong>Sidewinder</strong> <strong>G2</strong> enforces the host license limits.<br />
55
56<br />
Licensing from a <strong>Sidewinder</strong> <strong>G2</strong> connected to the Internet<br />
If you are working on a <strong>Sidewinder</strong> <strong>G2</strong> that is connected to the Internet, you<br />
can use the following general steps to provide the necessary information for<br />
your company and obtain an activation key.<br />
1 Locate the serial number for your <strong>Sidewinder</strong> <strong>G2</strong>. The serial number should<br />
appear on your Activation Certificate.<br />
2 In the Admin Console, enter your company and contact information in the<br />
Firewall <strong>Administration</strong> > Firewall License > Contact and Company tabs.<br />
The information you provide in each tab is submitted when you obtain your<br />
activation key, and is used for technical support assistance. For details on<br />
providing information in the Contact and Company tabs, see “Configuring<br />
the Firewall License tabs” on page 58.<br />
3 In the Admin Console, complete the information in the Firewall<br />
<strong>Administration</strong> > Firewall License > Firewall tab. You will need the serial<br />
number that you located in step 1.<br />
4 Click Submit Data to receive your activation key. See “Entering information<br />
on the Firewall tab” on page 60 for details on completing the information<br />
and receiving your activation key.<br />
5 Select Firewall <strong>Administration</strong> > System Shutdown and reboot the system<br />
to the Operational kernel.<br />
When your system reboots, your Sidewinder G2 software and any features you licensed will be activated.<br />
Licensing from a <strong>Sidewinder</strong> <strong>G2</strong> on an isolated network<br />
If you are on an isolated network and do not have access to the Secure<br />
Computing activation server, you can request an activation key using the<br />
following method.<br />
1 Start an Admin Console management session.<br />
2 On the Admin Console menu, select Firewall Administration > Firewall License.<br />
3 Click the Firewall tab.<br />
4 In the Serial Number field, verify that it shows the 16-digit serial number<br />
located on the Activation Certificate or on your hardware platform.
5 In the Firewall ID field, use the drop-down list to select a MAC address to<br />
use as your firewall ID. There will be one MAC address listed for each NIC<br />
in the firewall.<br />
Tip: If your management console does not have Web access, move to a<br />
workstation that has Web access. Bring a copy <strong>of</strong> the serial number and MAC<br />
address with you to the Web-accessible workstation.<br />
6 Use a Web browser to access the <strong>Sidewinder</strong> <strong>G2</strong> activation Web page:<br />
https://www.securecomputing.com/cgi-bin/sidewinder-activation.cgi<br />
7 Complete the form on the Web site and click Submit. A confirmation screen<br />
appears.<br />
8 Verify that the information you entered is correct, then do one <strong>of</strong> the<br />
following:<br />
• If correct, click Submit. After a minute or so, a new Web page appears<br />
displaying the activation key.<br />
• If not correct, use the Back button to return to the form and correct the<br />
information.<br />
9 Using the on-screen instructions, save the activation key to a floppy<br />
diskette.<br />
Tip: You may choose to continue following the on-screen instructions for<br />
importing the file via command line, or use the Admin Console instructions<br />
given here.<br />
10 Insert the diskette into the management system’s floppy diskette drive.<br />
11 From your management console, select Firewall Administration > Firewall License.<br />
12 Click the Firewall tab.<br />
13 Click the Import Key button to import the key into the <strong>Sidewinder</strong> <strong>G2</strong>. Enter<br />
information into the following fields:<br />
• Source: Select Local File<br />
• File: Enter the name <strong>of</strong> the file that contains the activation key. Click the<br />
Browse button if needed.<br />
14 Click OK to approve the specified file. The activation key is extracted from<br />
the file and written to the Activation Key field.<br />
15 From the Admin Console menu, select Firewall Administration > System Shutdown.<br />
16 From the System Shutdown window, select Reboot to Operational Kernel<br />
and specify your shutdown time.<br />
17 Click Execute Shutdown. Once it finishes rebooting, your <strong>Sidewinder</strong> <strong>G2</strong><br />
Security Appliance and the features you licensed will activate.<br />
18 To complete the licensing process, fill in the information fields in the Firewall<br />
License windows. See “Entering information on the Contact tab” on page 58<br />
and “Entering information on the Company tab” on page 59 for details.<br />
57
58<br />
Configuring the Firewall License tabs<br />
To configure license information, select Firewall Administration > Firewall License in the Admin Console. The Firewall License window appears. The window contains four tabs used to collect various licensing information.<br />
Figure 22: Firewall License: Contact tab<br />
Entering information on the Contact tab<br />
The Contact tab is used to enter contact information for the administrator <strong>of</strong> this<br />
particular <strong>Sidewinder</strong> <strong>G2</strong>. This information is needed so that you can receive<br />
important customer bulletins and renewable support licenses. Follow the steps<br />
below.<br />
Note: The fields shown in parentheses are optional.<br />
1 In the First Name field, type the first name <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong><br />
administrator.<br />
2 In the Last Name field, type the last name <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong><br />
administrator.<br />
3 In the E-mail field, type the e-mail address <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong><br />
administrator.<br />
4 In the Primary Phone field, type the phone number <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong><br />
administrator, including the area code.<br />
5 [Optional] In the Alternate Phone field, type an alternate phone number in<br />
case the first number is unavailable.<br />
6 [Optional] In the Fax field, type a fax number for your organization.<br />
7 [Optional] In the Job Title field, type the job title <strong>of</strong> the person responsible<br />
for administering this <strong>Sidewinder</strong> <strong>G2</strong>.
8 [Optional] In the Purchased From field, type the name of the company that sold you this Sidewinder G2.<br />
9 [Optional] In the Comments field, type miscellaneous information about your site.<br />
10 Click the Save icon.<br />
11 Click the Company tab to enter information about your company. The Company tab appears.<br />
Figure 23: Firewall License: Company tab<br />
Entering information on the Company tab<br />
The Company tab is used to enter information about the company that has<br />
purchased this particular <strong>Sidewinder</strong> <strong>G2</strong>. Follow the steps below.<br />
1 In the Company Name field, type the full name <strong>of</strong> the company that<br />
purchased this <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 In the Industry Classification drop-down list, select the classification that<br />
most closely matches your industry.<br />
3 Fill in the requested address information fields on the Company Address<br />
tab and on the Billing Address tab. If the information is the same on both<br />
tabs, enter the information on the Company Address tab, then switch to the<br />
Billing Address tab and click Copy From Company Address.<br />
4 Click the Save icon.<br />
5 Click the Firewall tab to provide the information necessary to license your<br />
<strong>Sidewinder</strong> <strong>G2</strong>. The Firewall tab appears.<br />
59
60<br />
Figure 24: Firewall License: Firewall tab<br />
Entering information on the Firewall tab<br />
This tab is used to enter information about the <strong>Sidewinder</strong> <strong>G2</strong> you are<br />
attempting to license. Follow the steps below.<br />
Note: For information on the Current Features area, see “Displaying the status <strong>of</strong><br />
features on <strong>Sidewinder</strong> <strong>G2</strong>” on page 62.<br />
1 In the Serial Number field, type the 16-digit alpha-numeric serial number for<br />
this <strong>Sidewinder</strong> <strong>G2</strong>. The serial number is located on your <strong>Sidewinder</strong> <strong>G2</strong><br />
Activation Certificate.<br />
2 In the Firewall ID drop-down list, select a MAC address to use as your<br />
firewall ID. There will be one MAC address listed for each NIC in the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Select the first MAC address in the list.<br />
The Activation URL field displays the URL <strong>of</strong> the Web site to which the<br />
<strong>Sidewinder</strong> <strong>G2</strong> licensing information will be sent. If you are required to modify<br />
the URL, click Edit to modify the activation URL. The Edit Activation URL<br />
window appears. See “Entering information on the Edit Activation URL window”<br />
on page 61.<br />
3 Click Submit Data to submit the data to the Secure Computing Corporation<br />
licensing Web site. The license information is sent using an encrypted<br />
HTTPS session. If the data is complete, the request will be granted and a<br />
new activation key will be written to the Activation Key field. This key is<br />
used by the Sidewinder G2 to activate or deactivate the various software<br />
features available on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
After receiving a new activation key, a message will appear prompting you<br />
to reboot the <strong>Sidewinder</strong> <strong>G2</strong>. The new activation key will not take effect until<br />
you perform a reboot.<br />
The current status <strong>of</strong> the various <strong>Sidewinder</strong> <strong>G2</strong> features is displayed in the<br />
Current Features area. If a feature you want to use is currently not licensed,<br />
you must obtain a different activation key in order to enable that feature.
4 [Optional] If you need to import an activation key that has been saved to a file, click Import Key. You will typically use this button if your Sidewinder G2 or local network does not have access to the URL defined in the Activation URL field. The activation key is retrieved by a different machine, saved to an HTML file, then moved to a location that is accessible by either the Sidewinder G2 or by the Windows machine you are using to run the Admin Console.<br />
5 Select the Enrollment List tab to enter information regarding the host enrollment list. The Enrollment List tab appears.<br />
Figure 25: Firewall License: Enrollment List tab<br />
Entering information on the Enrollment List tab<br />
The Licensed host limit field displays the number of hosts for which you are<br />
licensed. The Number <strong>of</strong> hosts in enrollment list field displays the current<br />
number <strong>of</strong> hosts that are contained in the enrollment list. The Host Enrollment<br />
List displays the actual IP addresses <strong>of</strong> hosts that are in the enrollment list. To<br />
delete a host, highlight the host you want to delete, and click Delete. To refresh<br />
the window to reflect updated information, click Refresh.<br />
See “Protected host licensing and the Host Enrollment List” on page 62 for an<br />
in-depth discussion about the Host Enrollment List.<br />
Entering information on the Edit Activation URL window<br />
To edit the activation URL, follow the steps below.<br />
Note: Do not edit the activation URL unless instructed to do so by Secure<br />
Computing <strong>Technical</strong> Support.<br />
In the Edit Activation URL window, you can restore the default Web-based URL by clicking Restore Default URL. You can also click in the URL field and manually type a new URL. Click OK to save your changes and return to the Firewall tab.<br />
Entering information on the Import Key window<br />
1 In the Source field, select either Local File or Firewall File.<br />
• Local File—Select this option if the activation key resides on a diskette or hard drive on either a local machine or on a network drive.<br />
• Firewall File—Select this option if the activation key resides in a directory located on the Sidewinder G2.<br />
2 In the File field, type the name of the file that contains the activation key, or click Browse to search the available drives for the file that contains the activation key. When you locate the file, select the file, then click Open. The file name appears in the File field.<br />
3 Click OK to approve the specified file. The activation key is extracted from the file and written to the Activation Key field.<br />
Note: You must reboot the Sidewinder G2 in order for the new activation key to take effect.<br />
Displaying the status of features on Sidewinder G2<br />
To display the status of the features installed on Sidewinder G2, in the Admin Console select Firewall Administration > Firewall License and then select the Firewall tab. The Current Features field at the bottom of the tab displays the features currently available for Sidewinder G2 and the status of each feature on your particular Sidewinder G2.<br />
Protected host licensing and the Host Enrollment List<br />
The Host Enrollment List is a dynamic list that is used to record each unique IP address (host) that makes an outbound connection to the Internet. The Sidewinder G2 uses this list to verify compliance with the IP address license "cap"—the portion of your Sidewinder G2 license that dictates the number of hosts the Sidewinder G2 will support.<br />
Important: You may ignore this section if you have an unlimited license. All license<br />
processing is bypassed if you have an unlimited license.<br />
Tip: In general, a host is a client on an internal or external network that is being<br />
protected by the <strong>Sidewinder</strong> <strong>G2</strong>. For accounting purposes, a host is any unique<br />
host IP address that originates a connection through the <strong>Sidewinder</strong> <strong>G2</strong>. See “How<br />
hosts are calculated” on page 63 for more details.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> provides administrators the capability to display and modify<br />
the enrollment list. This allows you to identify which IP addresses are currently<br />
counted against your protected host license cap. It also enables you to delete<br />
IP address entries that you do not want counted against your host cap. For<br />
example, you might do this if a connection is initiated from a test system in your<br />
lab and you do not want that system to count against the host license cap.
The Sidewinder G2 strictly enforces the maximum IP address (host) license number, meaning only the number of IP addresses authorized by the protected host license will be allowed to make connections through the Sidewinder G2. If the number of IP addresses in the enrollment list exceeds 75% of the number allowed by your protected host license, an audit event is generated informing you that you are approaching the maximum number of hosts. The audit also reports the current number of hosts and the maximum number of hosts allowed for your license.<br />
If the enrollment list becomes full, additional audits will occur each time a new<br />
IP address attempts to make a connection to the Internet. However, only the IP<br />
addresses contained in the enrollment list will be allowed. IP addresses not<br />
already listed in the enrollment list will be unable to make a connection to the<br />
Internet. A user attempting to make a connection using a browser will receive a<br />
standard policy denial message. If a user is attempting to make a connection<br />
using a non-browser application (for example, FTP) the connection will simply<br />
be blocked and they will not receive an error message.<br />
You can configure the licexceed system event to email the administrator when<br />
the enrollment list reaches the maximum number allowed, and IP addresses<br />
are denied access due to a protected host license violation. See Chapter 20 for<br />
details on configuring system responses.<br />
If you reach the host enrollment maximum and you want to allow access to<br />
additional hosts, you will need to modify the host enrollment list to remove<br />
hosts entries that no longer need to be listed, upgrade your license, or upgrade<br />
to a larger <strong>Sidewinder</strong> <strong>G2</strong> appliance. See “Displaying and modifying the Host<br />
Enrollment List” on page 64 for information on managing the host enrollment<br />
list.<br />
How hosts are calculated<br />
In general, a host is defined as a workstation that is protected by the<br />
<strong>Sidewinder</strong> <strong>G2</strong> and uses the <strong>Sidewinder</strong> <strong>G2</strong> to connect to the Internet. Any<br />
host that contains a unique IP address and that initiates a connection from a<br />
non-Internet burb is counted as a new host.<br />
The manner in which remote hosts access the <strong>Sidewinder</strong> <strong>G2</strong> may affect the<br />
host count. For example:<br />
• Remote hosts that use dynamic addressing rather than static addressing<br />
may have multiple IP addresses added to the Host Enrollment List.<br />
• Hosts accessing the <strong>Sidewinder</strong> <strong>G2</strong> via a VPN will be added to the Host<br />
Enrollment List if the VPN uses proxies to move the traffic from a non-<br />
Internet burb to another burb. Figure 26 illustrates this idea.<br />
Figure 26: Determining which VPN clients count against the host license cap (Client A and Client B reach the Sidewinder G2 internal network over VPN tunnels across the Internet)<br />
Client A = Not counted against the host license cap.<br />
Client B = Counted against the host license cap.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> counts total hosts, not concurrent hosts. It is important to<br />
understand the distinction. Assume you have a 25 host license. If you have 30<br />
hosts, but only 20 are in use or online at any one time, you will still exceed the<br />
license cap because the <strong>Sidewinder</strong> <strong>G2</strong> will eventually detect a 26th host,<br />
putting you over the limit.<br />
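The following is an added illustration, not code from the Sidewinder G2 or from Secure Computing. It replays connection events against the licensing rules stated above (unique source addresses from a non-Internet burb are enrolled, an audit past 75% of the cap, denial of new addresses once the list is full, total rather than concurrent counting) together with the effect of an administrator deleting an entry, which is described under “Displaying and modifying the Host Enrollment List”. The burb names, the audit wording and the sample traffic are constructed for the example.

```python
"""Model of protected host license accounting (added illustration, not appliance code)."""
from dataclasses import dataclass, field
from typing import Optional

INTERNET_BURB = "Internet"   # assumed name of the external burb


@dataclass
class HostEnrollmentList:
    cap: Optional[int]                              # None models an unlimited license
    hosts: set = field(default_factory=set)         # enrolled source IPs
    audits: list = field(default_factory=list)      # audit events, in order

    def connect(self, src_ip: str, src_burb: str) -> bool:
        """Apply the license check to a new connection; True if permitted."""
        if self.cap is None:
            return True                 # unlimited license: all license processing bypassed
        if src_burb == INTERNET_BURB:
            return True                 # only sources in a non-Internet burb are counted
        if src_ip in self.hosts:
            return True                 # already enrolled, nothing new to account for
        if len(self.hosts) >= self.cap:
            # list full: every attempt by a new address is audited and denied
            self.audits.append(f"licexceed: {src_ip} denied, {len(self.hosts)}/{self.cap} enrolled")
            return False
        self.hosts.add(src_ip)          # enrolled for good, whether or not it stays online
        if len(self.hosts) > 0.75 * self.cap:
            self.audits.append(f"approaching cap: {len(self.hosts)}/{self.cap} enrolled")
        return True

    def delete(self, src_ip: str) -> None:
        """Administrator removes an entry; connections already open are unaffected."""
        self.hosts.discard(src_ip)


def replay(cap: Optional[int], events):
    """Run (action, ip, burb) events; return per-connection verdicts and the final list."""
    hel = HostEnrollmentList(cap)
    verdicts = []
    for action, ip, burb in events:
        if action == "connect":
            verdicts.append((ip, hel.connect(ip, burb)))
        elif action == "delete":
            hel.delete(ip)
    return verdicts, hel


# Constructed traffic for a 4-host license: five internal hosts, one inbound
# connection arriving on the Internet burb, and one administrative deletion.
SAMPLE_EVENTS = [
    ("connect", "10.1.0.11", "internal"),
    ("connect", "10.1.0.12", "internal"),
    ("connect", "10.1.0.11", "internal"),        # repeat visit: not a new host
    ("connect", "10.1.0.13", "internal"),
    ("connect", "10.1.0.14", "internal"),        # fourth host: past 75% of the cap, audit
    ("connect", "203.0.113.7", INTERNET_BURB),   # inbound from the Internet: not counted
    ("connect", "10.1.0.15", "internal"),        # fifth host: list full, licexceed, denied
    ("delete", "10.1.0.12", "internal"),         # administrator frees a slot
    ("connect", "10.1.0.15", "internal"),        # now admitted
    ("connect", "10.1.0.12", "internal"),        # the deleted host is the one locked out now
]

if __name__ == "__main__":
    verdicts, hel = replay(4, SAMPLE_EVENTS)
    for ip, ok in verdicts:
        print(f"{ip:14} {'allowed' if ok else 'DENIED'}")
    print("enrolled:", sorted(hel.hosts))
    for line in hel.audits:
        print("audit:", line)
```

The replay makes the "total, not concurrent" rule concrete: hosts that have gone offline stay enrolled, so the only ways to admit a new address once the list is full are the ones the guide lists (delete an entry, upgrade the license, or move to a larger appliance), and deleting an entry simply moves the lock-out to whichever host next fails to find room.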
Displaying and modifying the Host Enrollment List<br />
To display and modify the contents <strong>of</strong> the Host Enrollment List using the Admin<br />
Console, select Firewall <strong>Administration</strong> > Firewall License and click the<br />
Enrollment List tab. In this window, you can do the following:<br />
• View the number <strong>of</strong> hosts authorized by your current <strong>Sidewinder</strong> <strong>G2</strong> license<br />
in the Licensed host limit field. This is your host license “cap.”<br />
• View the current number <strong>of</strong> hosts listed in the Number <strong>of</strong> hosts in<br />
enrollment list field. This number is important because if it exceeds the<br />
number <strong>of</strong> hosts authorized by the <strong>Sidewinder</strong> <strong>G2</strong> license, you will be<br />
considered to be in violation <strong>of</strong> your license cap. If you have an unrestricted<br />
host license, the term Unlimited will appear in this field.<br />
The Host Enrollment List is cleared automatically if you upgrade your protected<br />
host license.<br />
• Delete hosts from the Host Enrollment List by highlighting the host and<br />
clicking Delete. To select multiple hosts to delete, hold the Shift key while<br />
selecting the hosts.<br />
Note: You can update the contents <strong>of</strong> the Host Enrollment List field by clicking<br />
Refresh.<br />
Consider the following information when deleting entries from the enrollment list:<br />
– If the host you delete has a current connection through the Sidewinder G2, that connection will be preserved.<br />
– If the host severs the connection and attempts a new connection, the new connection request may or may not be approved.<br />
– A new connection request will be permitted only if there is still room available within the enrollment list.<br />
Enabling and disabling servers<br />
Figure 27: Servers window<br />
About the Servers window<br />
The Admin Console allows you to view the status <strong>of</strong> each server and to enable<br />
or disable each server from one central location. You can also configure some<br />
<strong>of</strong> the servers in this window. To view the status <strong>of</strong> a server or to enable/disable<br />
a server, select Services Configuration > Servers.<br />
The Server window displays a list <strong>of</strong> the available servers in the left portion <strong>of</strong><br />
the window. A green circle appears in front <strong>of</strong> a server if the server is currently<br />
enabled. A red circle with a slash indicates that the server is disabled. When<br />
you select a server, the properties for that server appear in the right portion <strong>of</strong><br />
the window.<br />
You can enable or disable some servers for the entire <strong>Sidewinder</strong> <strong>G2</strong>, while<br />
other servers can be enabled or disabled for individual burbs on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. The fields and buttons that appear in the right portion <strong>of</strong> the<br />
window will change depending on the type <strong>of</strong> server that is selected. If the<br />
selected server can be enabled for individual burbs, the Enabled For field will<br />
also appear. To enable or disable a server, select the Control check box for<br />
that server for each burb. (A check mark appears for each burb in which the<br />
server is enabled.)<br />
The following table provides some helpful information on specific servers.<br />
Table 8: Sidewinder G2 servers<br />
Server Name Notes<br />
auditdbd The audit database daemon server. By default, this server is not enabled. See Chapter<br />
19.<br />
changepw The Change Password server. See Chapter 10.<br />
cmd Certificate Management Daemon server. The CMD server must be enabled before<br />
configuring the certificate server. See Chapter 14.<br />
entrelayd The entrelayd server is used for managing standalone <strong>Sidewinder</strong> <strong>G2</strong>s, as well as<br />
multiple <strong>Sidewinder</strong> <strong>G2</strong>s in an HA cluster or One-To-Many cluster. See Chapter 16 and<br />
Chapter 17.<br />
fixclock The basic clock synchronization server that is used to ensure that the <strong>Sidewinder</strong> <strong>G2</strong><br />
clock remains up-to-date. This server cannot be enabled if you have configured and<br />
enabled NTP on your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
gated-unbound The server used in conjunction with OSPF (Dynamic) routing. See Appendix C.<br />
isakmp The ISAKMP server is used by the <strong>Sidewinder</strong> <strong>G2</strong> to generate and exchange keys for<br />
VPN sessions. See Chapter 14.<br />
kmvfilter The kmvfilter (keyword, MIME, and virus/spyware filter) server enables the <strong>Sidewinder</strong> <strong>G2</strong><br />
to perform keyword, MIME, and anti-virus/spyware mail filtering. For information on<br />
configuring mail filtering, see “Creating Mail (Sendmail) Application Defenses” on page<br />
172.<br />
monitord The server used to report the system’s health status in real time and to record statistics<br />
about system and network utilization. Data gathered by monitord is displayed in the<br />
<strong>Sidewinder</strong> <strong>G2</strong> dashboard. See Chapter 18.<br />
named-internet A DNS server. Available only if two DNS servers (Split DNS mode) are defined. This<br />
server services the Internet burb. See Chapter 11.<br />
named-unbound A DNS server. If one DNS server is defined, this server services all the burbs on<br />
<strong>Sidewinder</strong> <strong>G2</strong>. If two DNS servers (Split DNS mode) are defined, this server services all<br />
burbs except the Internet burb. See Chapter 11.<br />
ntp The Network Time Protocol (NTP) server. See Appendix B.<br />
routed The server used in conjunction with RIP routing. See Appendix D.<br />
sendmail The SMTP server. See Chapter 12.<br />
shund The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and<br />
verifies the signature on the data that the IDS has generated.<br />
sidfilter The sender id filter used by sendmail verifies that the host sending or forwarding mail to<br />
<strong>Sidewinder</strong> <strong>G2</strong> is authorized for the domain given in the mail message. For example, if<br />
mail from a@example.com is sent from 10.10.1.3, sidfilter verifies that 10.10.1.3 is<br />
authorized to send mail for example.com.<br />
snmpd Simple Network Management Protocol daemon. The SNMP server can only be enabled<br />
for one burb, and it cannot be enabled for the Internet burb. See Chapter 15.<br />
spamfilter This server allows you to enable anti-spam and anti-fraud mail filtering for the burbs that<br />
you specify, as well as configure whitelists for internal and external burbs. For information<br />
on configuring anti-spam/anti-fraud mail filter rules, see “Creating Mail (Sendmail)<br />
Application Defenses” on page 172. For information on configuring advanced spamfilter<br />
properties and whitelist configuration, see “Configuring advanced anti-spam and anti-fraud options” on page 356.<br />
To receive automatic updates for the spamfilter server, enable the spamfilter cron job.<br />
See “Spamfilter cron job” on page 599 for more information.<br />
sshd The Secure Shell daemon server. The SSHd server provides secure encrypted<br />
communication between two hosts. See Chapter 2.<br />
sso The Single Sign-On (SSO) server allows you to configure SSO. SSO allows users access<br />
to multiple services with a single successful authentication to the <strong>Sidewinder</strong> <strong>G2</strong>. See<br />
“Configuring SSO” on page 300.<br />
Note: If you disable the SSO server, the SSO authenticated user cache will be emptied<br />
(that is, all cached users will be removed). When the SSO server is enabled again, all<br />
users will need to authenticate before being added back into the cache.<br />
synchronization The synchronization server is used to synchronize configuration information among<br />
<strong>Sidewinder</strong> <strong>G2</strong>s that are participating in a One-To-Many cluster or an HA cluster. It also<br />
allows you to perform a configuration backup or restore to/from a remote <strong>Sidewinder</strong> <strong>G2</strong>.<br />
See “Configuring the synchronization server” on page 68.<br />
telnet If you disable the Telnet server, all future connections will be denied. Any users who are currently logged in to the server will not be affected. Telnet carries credentials and session data in cleartext, so prefer sshd for administrative access. See Chapter 2.<br />
upsd The Uninterruptible Power Supply daemon server. See “Configuring the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
use a UPS” on page 93 for more information.<br />
WebProxy The Web Proxy server. See Chapter 13.<br />
Configuring the synchronization server<br />
The synchronization server is used to synchronize configuration information among Sidewinder G2s that are participating in a One-To-Many cluster or an HA cluster. It also allows you to perform a configuration backup or restore to/from a remote Sidewinder G2.<br />
To configure the synchronization server, log into the Admin Console, select Services Configuration > Servers and then select synchronization from the Server Name list. The synchronization server Control tab appears. To enable or disable a server, select the Control check box for that server for each burb. (A check mark appears for each burb in which the server is enabled.) To configure the synchronization server, select the Configuration tab. The following window appears.<br />
About the synchronization server Configuration tab<br />
Figure 28: Synchronization server: Configuration tab<br />
This tab allows you to configure the shared synchronization key and port<br />
number, and allows you to select the SSL certificate for the synchronization<br />
server. Follow the steps below.<br />
Note: The synchronization server is automatically configured for you when you<br />
create a High Availability or One-To-Many cluster.<br />
1 In the Shared Sync Key field, type the shared key. The shared key is any 10 character, alphanumeric string (for example, 12345abcde). Treat it as a password shared by every Sidewinder G2 in the cluster: use a randomly generated value rather than the illustrative one. You will need to enter this key again if you configure HA or One-To-Many, or if you perform a configuration backup or restore from a remote Sidewinder G2.<br />
2 In the Port field, specify the port on which the synchronization server will listen. The default is 9005 and should not be changed.<br />
3 In the SSL Certificate drop-down list, select the certificate to use for the<br />
synchronization server. The certificate will be one <strong>of</strong> the following:<br />
• the default certificate<br />
• a self-signed, RSA/DSA certificate that is defined on the Firewall<br />
Certificates tab <strong>of</strong> the Certificate Management window.<br />
Important: Before assigning a new certificate, you must first create a new<br />
certificate.<br />
4 [Conditional] To go to the Firewall Certificates window, click Certificates.<br />
The Firewall Certificates window is used to define new certificates. After<br />
creating a new certificate you can return to the Configuration tab and assign<br />
the new certificate to the synchronization server.
For detailed information on certificates, refer to “Configuring and displaying firewall certificates” on page 424.<br />
5 Select Policy Configuration > Rules and enable the Synchronization rule.<br />
6 Click the Save icon to save your changes.<br />
Configuring virus scanning services<br />
The scanner service is a licensed add-on module that provides system-level MIME, virus, and spyware scanning on the Sidewinder G2 for HTTP and mail traffic. When you enable scanning services, you can specify the number of server processes that will be dedicated to various data sizes, allowing the Sidewinder G2 to process data more efficiently. You can also configure how often the subscription list will be updated.<br />
To use scanning services on <strong>Sidewinder</strong> <strong>G2</strong>, you must also ensure the<br />
following conditions have been met:<br />
• The Anti-Virus feature must be licensed. To verify that the feature has been<br />
licensed, see “Displaying the status <strong>of</strong> features on <strong>Sidewinder</strong> <strong>G2</strong>” on page<br />
62. If you are not licensed for Anti-Virus, contact your sales representative.<br />
• The kmvfilter server must be enabled for the appropriate burbs if you are<br />
scanning mail messages. (This server is not required to be enabled for<br />
HTTP scanning services.) For information on enabling the kmvfilter server,<br />
see “Enabling and disabling servers” on page 65.<br />
• The appropriate Application Defenses must be configured and contained in<br />
proxy rules that are included in the active proxy rule list.<br />
Note: For information on configuring scanning for Web services, see “Creating<br />
Web or Secure Web Application Defenses” on page 156. For information on<br />
configuring scanning for mail services, see “Creating Mail (Sendmail) Application<br />
Defenses” on page 172.<br />
To configure and enable scanning services, in the Admin Console select<br />
Services Configuration > Scanner. The Scanner window appears with the<br />
Control tab displayed.<br />
About the Scanner Control tab<br />
This tab allows you to enable or disable the scanning services. This feature<br />
must be enabled if you are planning to configure MIME, virus, and spyware<br />
filtering for Web, mail, and/or FTP services. To enable scanning services, click<br />
Enable. To disable scanning services, click Disable. To configure the scanner<br />
feature, click the Advanced tab and see “About the Scanner Advanced tab” on<br />
page 70.<br />
Important: The MIME/virus/spyware scanning service is a licensed feature. While<br />
scanning services can be enabled and configured, they will not function unless the<br />
feature has been licensed. For information on licensing a feature, see “Activating<br />
the <strong>Sidewinder</strong> <strong>G2</strong> license” on page 55.<br />
Figure 29: Scanner: Advanced tab<br />
About the Scanner Advanced tab<br />
This tab allows you to configure how the scanner processes on your<br />
<strong>Sidewinder</strong> <strong>G2</strong> will be distributed for incoming and outgoing traffic. This is done<br />
by configuring the scanner groups that are defined in the distribution table.<br />
There are four groups (or types) <strong>of</strong> traffic, each with a specific size category.<br />
For each size category, you can specify how many scanner processes will be<br />
dedicated to processing traffic for that size range. (You cannot modify the size<br />
values or configure additional size categories.)<br />
The File Size Range column displays the size limits for each group. The<br />
Scanners column displays the number <strong>of</strong> scanner processes that will be<br />
dedicated to that size range. The number <strong>of</strong> scanner processes that you<br />
specify for each group will depend on the type <strong>of</strong> traffic your <strong>Sidewinder</strong> <strong>G2</strong><br />
processes.<br />
For example, if your <strong>Sidewinder</strong> <strong>G2</strong> processes a large amount <strong>of</strong> traffic that is<br />
under 40kB, you may dedicate a larger number <strong>of</strong> scanner processes to that<br />
group. If your <strong>Sidewinder</strong> <strong>G2</strong> processes only a small amount <strong>of</strong> traffic that<br />
exceeds 40kB, you may dedicate only one scanner process to that group.<br />
There is also a default Unlimited group that processes all traffic that is over<br />
1MB.
This tab also allows you to view the current virus scanner engine version. To<br />
configure the Scanner Advanced tab, follow the steps below.<br />
1 To configure the number <strong>of</strong> scanner processes for a particular group,<br />
highlight the group in the table and click Modify. The Edit Scanners window<br />
appears. See “About the Edit Scanners window” on page 71 for information<br />
on configuring the number <strong>of</strong> scanner processes for a group.<br />
2 In the Scan Buffer Size field, specify the size <strong>of</strong> information (in kB) that can<br />
be held in the memory buffer before a backup file is created to temporarily<br />
hold the traffic for processing. This value must be between 8kB and 64kB.<br />
The default value is 50kB.<br />
3 In the Archive Scan Buffer Size field, specify the amount <strong>of</strong> memory that<br />
will be used to contain the contents <strong>of</strong> archive files before the anti-virus<br />
engine will temporarily write the contents to disk to perform the virus scan.<br />
The default is 128 MB.<br />
4 In the Maximum Number <strong>of</strong> Files to Scan in an Archive field, specify the<br />
maximum number <strong>of</strong> files that will be scanned within an archive (such as a<br />
.zip file, etc.). If the number <strong>of</strong> files in an archive exceeds the number<br />
specified in this field, scanning will not take place.<br />
5 To view the virus scanner engine version number that is currently installed,<br />
click Show Installed Engine Version Number Now. A pop-up window<br />
appears displaying the current version. To close the pop-up window, click<br />
OK.<br />
6 To continue configuring the scanner feature, click the Signatures tab and<br />
see “About the Scanner Signature tab” on page 71.<br />
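The following is an added example, not Sidewinder G2 code, showing the kind of pre-scan triage the Advanced tab settings imply: a payload is sorted into a scanner group by size and, for ZIP archives, the two archive limits are applied, the archive scan buffer (content beyond it spills to disk) and the maximum member count (beyond it the archive is not scanned at all). The guide names only the 40 kB and 1 MB boundaries and gives no default for the member limit, so the group table, the limit values and the sample archives are constructed here.

```python
"""Pre-scan triage under the Scanner Advanced tab limits (added example, not appliance code)."""
import io
import zipfile
from dataclasses import dataclass

# Scanner groups by payload size; only the 40 kB and 1 MB boundaries come from the guide.
SIZE_GROUPS = (("small", 40 * 1024), ("medium", 1024 * 1024), ("unlimited", None))


@dataclass(frozen=True)
class ScanLimits:
    archive_buffer: int = 128 * 1024 * 1024   # Archive Scan Buffer Size default (128 MB)
    max_archive_files: int = 1000             # Maximum Number of Files to Scan in an Archive (assumed)


def size_group(length: int) -> str:
    """Name of the scanner group whose size range covers the payload."""
    for name, ceiling in SIZE_GROUPS:
        if ceiling is None or length < ceiling:
            return name
    raise ValueError("no group covers this size")


def make_zip(members: int, member_size: int) -> bytes:
    """Build a constructed ZIP archive in memory for the examples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            zf.writestr(f"file{i}.txt", b"A" * member_size)
    return buf.getvalue()


def triage(payload: bytes, limits: ScanLimits = ScanLimits()) -> dict:
    """Decide which group handles the payload and whether an archive would really be scanned."""
    result = {"bytes": len(payload), "group": size_group(len(payload)),
              "archive": False, "scanned": True, "note": ""}
    if not payload.startswith(b"PK\x03\x04"):      # local file header of a ZIP archive
        return result
    result["archive"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # assumption for the model: an unreadable archive is handled as a plain file
        result.update(archive=False, note="ZIP header but unreadable; treated as a plain file")
        return result
    members = len(infos)
    unpacked = sum(info.file_size for info in infos)   # sizes declared in the central directory
    if members > limits.max_archive_files:
        # over the member limit the engine skips the archive; policy must decide its fate
        result.update(scanned=False,
                      note=f"{members} members exceed limit {limits.max_archive_files}")
    elif unpacked > limits.archive_buffer:
        result["note"] = f"{unpacked} unpacked bytes exceed the buffer; contents spill to disk"
    return result


if __name__ == "__main__":
    limits = ScanLimits(archive_buffer=64 * 1024, max_archive_files=100)
    for label, payload in [("text", b"plain text"),
                           ("many-member zip", make_zip(150, 10)),
                           ("large-content zip", make_zip(2, 50 * 1024))]:
        print(label, triage(payload, limits))
```

The point worth taking from the member-count branch is that an archive over the limit is not scanned, and the guide does not say whether such an archive is then passed or blocked; check the relevant Application Defense before relying on a low limit.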
About the Edit Scanners window<br />
The Edit Scanners window allows you to specify the number <strong>of</strong> scanner<br />
processes that will be available for processing traffic that falls within the size<br />
limits <strong>of</strong> the selected group. You must dedicate at least one scanner process to<br />
each group.<br />
1 In the Scanners field, specify the number <strong>of</strong> scanner processes you want to<br />
dedicate for the selected group. The number <strong>of</strong> scanner processes should<br />
not exceed a combined total <strong>of</strong> 20 processes for all groups that are<br />
configured. (Configuring more than 20 total processes may have a negative<br />
impact on performance.)<br />
2 Click OK to update the group and return to the Scanner Advanced tab.<br />
About the Scanner Signature tab<br />
This tab allows you to configure the properties for anti-virus updates. The<br />
<strong>Sidewinder</strong> <strong>G2</strong> will automatically download and install updates at intervals that<br />
you determine. You can also manually download and install updates at any<br />
time. Follow the steps below.<br />
Figure 30: Scanner: Signature tab<br />
Important: Secure Computing recommends downloading the latest signature files<br />
prior to enabling Anti-Virus services on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
1 In the Source area, verify/modify the following fields:<br />
Caution: Changing these defaults may prevent Sidewinder G2 from obtaining updated signature files, resulting in inadequate virus and spyware protection.<br />
• Download Site—This is the name <strong>of</strong> the site from which the package will<br />
be downloaded.<br />
Note: If the download fails, verify that the name resolves to an IP address<br />
and is reachable from the <strong>Sidewinder</strong> <strong>G2</strong> host.<br />
• Directory—The path name on the download site that contains the<br />
update. The default directory is cgi-bin/svupdate.<br />
2 [Conditional] To configure automatic virus updates, follow the sub-steps<br />
below. To manually update the virus definitions immediately, go to step 3.<br />
(The download process validates the new signature files against the<br />
currently installed engine.)<br />
Important: For best results, also turn on Enable Periodic Automated Imports<br />
(Firewall <strong>Administration</strong> > S<strong>of</strong>tware Management > Import tab). Failure to<br />
regularly update your anti-virus engine and signature files will result in<br />
inadequate virus and spyware protection.
a Select Enable Automated Scanner Engine Updates to automatically<br />
check for new loaded (but not installed) anti-virus engine updates (for<br />
example, patch 611SOV02) when installing new virus signature files. If<br />
an uninstalled engine update exists in the S<strong>of</strong>tware Management area<br />
<strong>of</strong> the Admin Console, the <strong>Sidewinder</strong> <strong>G2</strong> will install it the next time it<br />
installs the new signature files. This installation does not interrupt system processes.
b In the Frequency field, specify how frequently you want to download and install updated information:
• To download and install every hour, select Hourly. (Recommended)
• To download and install every day, select Daily.
• To download and install once a week, select Weekly.
c [Conditional] If you selected Weekly in the previous step, in the Day field, specify the day of the week that you want to download and install updates. You can use the up and down arrows to select the day, or you can type the first few letters of the day to display the appropriate day.
d In the Time field, specify the time of day you want the Sidewinder G2 to download and install the updates. Select the portion of the time you want to change (hours, minutes, seconds) and then use the up and down arrows to navigate to the desired value.
Note: Downloading and installing updates has a minimal impact on your system. Traffic that is received while the download and installation are in process will be scanned using the current version. Once installation is complete, all traffic will be scanned using the updated scanner information.
e If you want to receive e-mail notification when the updates are downloaded and installed, select the Enable Email Notification check box. If you select this option, you will also need to specify an e-mail address in the Recipient field.
f Proceed to step 5.
3 [Conditional] To update the virus definition manually, follow the sub-steps below.
a Click Download and Install Signatures Now. A pop-up window appears.
b Click Background to perform the update in the background, or click Wait to receive a notification and status pop-up when the update is complete. Proceed to step 5.
4 To view the current version of the signature file you are using, click Show Installed Signatures File Version Number Now. An Info window appears displaying the current installed version. When you are finished viewing the version, click OK.
5 Click the Save icon to save your changes.
Chapter 3: General System Tasks

Configuring the shund server

The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and verifies the signature on the data that the IDS has generated. If the signature is valid, a blackhole command is executed to shun the IP address as requested.
To configure the shund server, follow the instructions below.
In the Admin Console, select Services Configuration > Servers and select shund from the server list. The shund server Control tab appears.

Configuring the Control tab

A check mark will appear in front of each burb for which the shund server is enabled. To enable the shund server for one or more burbs, select the appropriate check box(es) in the Enabled For area. To disable the shund server in one or more burbs, deselect the appropriate check box(es). Click the Save icon to save your changes.

Configuring the IDS Configuration tab

To configure the IDS properties, select the IDS Configuration tab. The following window appears.

Figure 31: Shun server: IDS Configuration tab

The IDS Configuration tab allows you to configure the IDS servers from which the shund server will accept requests. The IDS Server Port field identifies the IDS Server Port. The default port is 8111. To modify the port, type the new port number in the IDS Server Port field, and click the Save icon. To revert to the default port (8111), click Restore Default.
To view currently shunned IP addresses, click Current Shunned IP addresses, and see “About the Shunned IPs window” on page 75.
To delete an existing IDS server, highlight the server and click Delete. You will be prompted to confirm the deletion. Click Yes to delete the IDS server, or No to cancel.
About the IDS Configuration: IDS Server window

To add a new IDS server, click New. To modify an existing IDS server, highlight the server and click Modify. To duplicate an IDS server, click Duplicate. The IDS Configuration: IDS Server window appears.

Figure 32: IDS Server window

The IDS Server window allows you to create or modify an IDS server. Follow the steps below to create or modify an IDS server.
1 In the IDS Server IP address field, enter the IP address for the IDS server.
2 In the Shared secret field, enter a text string that the IDS server uses to generate a signature for shun packets.
3 In the Default time to shun an IP address field, specify the amount of time for which the IP addresses will be shunned, as follows:
a In the drop-down list, specify the time format to use by selecting either Seconds, Minutes, Hours, or Days.
b In the text field, enter the number of seconds, minutes, hours, or days.
4 Click OK to save your changes and return to the Configuration tab. (To cancel your changes, click Cancel.)

About the Shunned IPs window

Figure 33: IDS Configuration: Shunned IPs window

The Shunned IPs window allows you to view and modify the currently shunned IP addresses. Each entry in the table displays the IP address, burb, and the date and time at which the IP address will no longer be shunned. You can perform the following actions in this window:
• Delete one or more IP addresses—To remove one or more IP addresses from the list, highlight the IP address(es) you want to delete and click Delete IP(s). (To select multiple addresses, press and hold the Ctrl key as you select the addresses.)
• Delete all IP addresses—To remove all of the IP addresses that are listed in the table, click Delete All IPs.
• Update the window—To retrieve an updated list of shunned IP addresses, click Refresh. The date and time when the displayed data was captured is listed in the upper portion of the window.
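The shund request flow described above, together with the expiring Shunned IPs list, as an added example in Python; this is not Secure Computing's code. Because the page does not document the shund packet format, the signature scheme (HMAC-SHA256 over the request fields with the IDS shared secret), the request field names and the 300-second freshness window are assumptions, and a recorded action stands in for the blackhole command.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed IDS server table mirroring the IDS Server window fields:
# IDS server IP address -> (shared secret, default time to shun, in seconds).
IDS_SERVERS = {
    "10.0.0.5": ("constructed-shared-secret", 3600),
}
# Assumed freshness window for a request's timestamp (not a Sidewinder setting);
# it limits how long a captured request stays replayable.
MAX_SKEW = timedelta(seconds=300)


def _signature(secret, ids_ip, target_ip, issued_at, seconds):
    """HMAC-SHA256 over the request fields with the IDS shared secret (assumed scheme)."""
    msg = f"{ids_ip}|{target_ip}|{issued_at}|{seconds}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_shun_request(secret, ids_ip, target_ip, issued_at, seconds=0):
    """Build the request a configured IDS would send (assumed field names);
    seconds=0 means "use the default time to shun configured for this IDS"."""
    issued = int(issued_at.timestamp())
    return {
        "ids_ip": ids_ip,
        "target_ip": target_ip,
        "issued_at": issued,
        "seconds": seconds,
        "signature": _signature(secret, ids_ip, target_ip, issued, seconds),
    }


class ShunTable:
    """Shunned IP list: target address -> date and time it is no longer shunned."""

    def __init__(self):
        self.entries = {}
        self.actions = []  # stand-in for the blackhole commands shund would run

    def process(self, req, now):
        """Validate one shun request; return (accepted, reason)."""
        cfg = IDS_SERVERS.get(req.get("ids_ip"))
        if cfg is None:
            return False, "unknown IDS server"
        secret, default_seconds = cfg
        expected = _signature(secret, req["ids_ip"], req["target_ip"],
                              req["issued_at"], req["seconds"])
        # Constant-time comparison; a tampered or unsigned request fails here.
        if not hmac.compare_digest(expected, req.get("signature", "")):
            return False, "bad signature"
        issued = datetime.fromtimestamp(req["issued_at"], tz=timezone.utc)
        if abs(now - issued) > MAX_SKEW:
            return False, "stale request"
        try:
            target = ipaddress.ip_address(req["target_ip"])
        except ValueError:
            return False, "invalid target address"
        seconds = req["seconds"] or default_seconds
        if seconds <= 0:
            return False, "invalid duration"
        expiry = now + timedelta(seconds=seconds)
        # A repeated request may extend an existing shun but never shorten it.
        current = self.entries.get(str(target))
        if current is None or expiry > current:
            self.entries[str(target)] = expiry
        self.actions.append(f"blackhole {target} until {expiry.isoformat()}")
        return True, "shunned"

    def purge(self, now):
        """Drop entries whose shun time has passed; return the released addresses."""
        expired = sorted(ip for ip, exp in self.entries.items() if exp <= now)
        for ip in expired:
            del self.entries[ip]
            self.actions.append(f"unblackhole {ip}")
        return expired


def demo():
    """Run four constructed requests through the table; return what a test can check."""
    now = datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)
    secret, _ = IDS_SERVERS["10.0.0.5"]
    table = ShunTable()
    good = make_shun_request(secret, "10.0.0.5", "198.51.100.7", now)
    tampered = dict(good, target_ip="198.51.100.8")       # fields changed, signature not
    replayed = make_shun_request(secret, "10.0.0.5", "198.51.100.9",
                                 now - timedelta(hours=1))
    unknown = dict(good, ids_ip="10.0.0.6")               # IDS not in the configured list
    reasons = [table.process(r, now)[1] for r in (good, tampered, replayed, unknown)]
    shunned_for = (table.entries["198.51.100.7"] - now).total_seconds()
    before = len(table.entries)
    table.purge(now + timedelta(hours=2))
    return reasons, shunned_for, before, len(table.entries)
```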
Loading and installing patches

The Sidewinder G2 provides the ability to patch your software by installing software patches or “packages” on your system. Types of packages available for install include:
• Upgrades — Use when upgrading Sidewinder G2 to a new base version.
• Patches — Contain software fixes and/or new features.
• Hotfixes — Contain an issue-specific fix and should only be installed if it addresses a current problem. Unlike other patches, hotfixes can be uninstalled.
• Optional feature patches — Contain fixes, updates, or new features specific to anti-spam/fraud or anti-virus/spyware add-on modules. Only install these patches if you have the associated feature licensed.
The software packages are available via Secure Computing’s FTP site. You can view, load, and install software packages using the Admin Console.
Tip: If your site requires physical patch media, you can burn a patch to a CD using the CD burning software of your choice. Refer to the CD burning software’s instructions for information on burning the patch file to CD. (You can also contact Customer Service for general instructions.)

Viewing currently installed patches

About the Summary tab

To view the patches currently installed on your system, start the Admin Console and select Firewall Administration > Software Management, and select the Summary tab. A window similar to the following appears.

Figure 34: Software Management: Summary tab

The Summary tab displays information about the patches currently installed on the Sidewinder G2. This window also enables you to do the following:
• Details—To display a detailed description of a particular patch, highlight the patch in the list and click Details.
• Verify—To verify the signature on a particular patch, highlight the patch in the list and click Verify.
• Export—To export a particular patch to a diskette, highlight the patch in the list and click Export.
• View Log—Click this button to display the Package Installation log. The log contains a list of all patches that have been installed.
Loading a patch

Entering information on the Import tab

You will generally load patches onto the Sidewinder G2 via the network (via the FTP site). All patches are encrypted and digitally signed. You must have a current support license in order to decrypt and load a patch. Patches that are loaded onto the Sidewinder G2 are stored in the /var/spool/packages directory.
Note: Loading a patch on the Sidewinder G2 is not the same as installing it. Loading a patch only makes that patch available for installation on the Sidewinder G2. To install a patch on the Sidewinder G2, see “Installing a patch” on page 80.
To load a software package, select Firewall Administration > Software Management, and select the Import tab. A window similar to the following appears.

Figure 35: Software Management: Import tab

The Import tab is used to load a patch on the Sidewinder G2. You can load patches via the network (using Secure Computing’s FTP site), or using physical media that you create. Follow the instructions below.
To import a patch from the network (via Secure Computing’s FTP site):
1 In the Import from Network area, verify the information contained in each field. If you need to modify any of the fields, click Edit. The Edit FTP Settings window appears, allowing you to modify the following information:
• FTP Site—The name of the FTP site from which the package will be downloaded. The default name is ftp.activations.securecomputing.com. To edit this information, click Edit.
• Username—The name to use when logging onto the FTP site. The default user name is anonymous.
• Password—The password to use when logging onto the FTP site. If no password is set, the Sidewinder G2 serial number will be sent as the password.
• Directory—The path name on the FTP site that contains the desired patch(es).
To restore the system default values to all of these fields, click Restore Defaults in the Edit FTP Settings window.
Note: This information is stored in the /etc/sidewinder/package.conf file.
2 Click Import Now to load the patch(es).
3 To enable the Sidewinder G2 to automatically download the latest patches from the defined FTP site on a periodic basis, select Enable Periodic Automated Imports. The automated download process will compare the files on Secure Computing’s FTP site to the files currently on the Sidewinder G2. Only those patches not already present on your system will be loaded.
In the Frequency field, specify how often the Sidewinder G2 will automatically access the FTP site and download the latest patches. The options are:
• daily—Checks for new patches to download every day.
• weekly—Checks for new patches to download every seven days.
• monthly—Checks for new patches to download every 30 days.
• bimonthly—Checks for new patches to download every 60 days.
Note: A cron job defines the exact day and time the download will occur. By default the download will occur very early in the morning.
4 To have a report e-mailed to the Sidewinder G2 administrator each time the Sidewinder G2 attempts an automatic import from the FTP site, select Generate E-mail Report. A report is generated regardless of whether a patch is actually downloaded. The report is e-mailed to the root e-mail alias on the Sidewinder G2.
5 Click the Save icon to save any information you entered, or click Cancel to reset changes to their original values.
To import a patch from CD-ROM or diskette:
Typically, patches are downloaded via the network (using FTP). If your site requires patch installation using physical media, you can burn a patch to a CD using the CD burning software of your choice (such as Roxio Easy CD Creator). Refer to the CD burning software’s instructions for information on burning the patch file to CD. (You can also contact Customer Service for general instructions.)
1 In the Import from CDROM/Diskette area, select the location of the patch you want to load. The options are:
• CDROM—Select this option if the patch resides on CD.
• Diskette—Select this option if the patch resides on diskette.
2 Insert the CD-ROM or diskette into the appropriate drive on the Sidewinder G2 and click Import Now.
Note: If the patch resides on multiple diskettes, insert the first diskette, click Import Now, and follow the on-screen prompts.
The patch(es) are loaded onto the Sidewinder G2.

Installing a patch

Entering information on the Install tab

Patches that you load or download are not automatically installed. Rather, you can install them at a time that is convenient for you. This is important because the Sidewinder G2 must be rebooted during the installation process. The Admin Console allows you to define exactly when you want patch installation to occur.
To install a patch, select Firewall Administration > Software Management, then select the Install tab. A window similar to the following appears:

Figure 36: Software Management: Install tab

Important: It is recommended that you perform a system backup before installing any patches. See “Backing up system files” on page 638 for details.
The Install tab is used to install a patch that is already loaded on the Sidewinder G2. To install a patch, follow the steps below.
Important: If you have an existing HA or One-To-Many cluster, refer to the appropriate patch Release Notes for information on installing a patch on an HA or One-To-Many cluster. Release notes for each patch are available at www.securecomputing.com/goto/updates.
1 Select the patch(es) you want to install from the Package table. This table lists all the patches currently installed or available for installation on the Sidewinder G2. To select multiple patches, press the Ctrl key as you select the patch names.
2 Select the Enable Automated Package Install check box to activate the installation options. (A check mark appears when the field is enabled.) You cannot select an installation option unless this check box is selected. To cancel a scheduled automated patch installation, disable this field and click the Save icon.
3 Select an installation option for the patch(es) you selected. The following options are available:
• Install Immediately—Select this option if you want to install the selected patch(es) as soon as you click the Save icon.
Note: The Admin Console will be disconnected when the Sidewinder G2 begins its reboot process. Wait a few minutes for the reboot process to complete, then try reconnecting.
• Install Later—Select this option to specify a date and time in the future at which you want to automatically install the selected patch(es).
4 [Conditional] If you selected Install Later in the previous step, fill in the following information:
• Date—Specify the date the automatic patch installation will be performed. A typical practice is to define a date when you expect very little network traffic (for example, a holiday).
• Time—Specify the time of day that the patch installation will be performed. A typical practice is to define a time when you expect very little network traffic (for example, 2:00 a.m.).
5 [Optional] If you want a report e-mailed to the Sidewinder G2 administrator each time a patch is automatically installed, select the Generate E-mail Report check box. If this check box is selected, the report is e-mailed to the root e-mail alias on the Sidewinder G2.
6 Click the Save icon to save the changes and to implement the install.
Note: In the unlikely event that the patch installation fails, refer to “If a patch installation fails” for troubleshooting information.
7 Once the Sidewinder G2 has finished installing the patch and has been rebooted, launch the Admin Console. You will be prompted to load and install the Admin Console update for the patch. To upgrade the Admin Console, follow the prompts that appear. The Admin Console program will exit automatically during its update process.
Modifying the burb configuration

Entering information on the Burb Configuration window

A burb is a type enforced network area used to isolate network interfaces from each other. The burbs in your Sidewinder G2 are initially defined during the installation process. Using the Admin Console you can create, modify, and delete burbs.
To modify your burb configuration, start the Admin Console and select Firewall Administration > Burb Configuration. The following window appears.

Figure 37: Burb Configuration window

This window allows you to add, modify, or delete burbs within your current configuration. Follow the steps below.
Note: You can configure a maximum of 64 burbs on a Sidewinder G2.
1 Do one of the following:
• To create a new burb, click New. In the Create New Burb window, enter a name for the new burb. Click OK to return to the Burb Configuration window and configure the burb.
Caution: Do not use “Firewall” or “firewall” as a burb name, as this name is already used elsewhere in the Sidewinder G2.
• To modify a burb, highlight the burb in the Burbs list. The settings for that burb will appear in the right portion of the window.
• To delete a burb, highlight the burb in the Burbs list and click Delete. You cannot delete a burb that is currently referenced elsewhere on the system (for example, a rule or interface configuration). To determine whether a burb is currently being referenced, highlight the burb and click Usage.
• To view all areas where a burb is currently being used, highlight the burb in the Burbs list and click Usage. The Burb Usage window appears listing every area in which the burb is currently used. When you are finished viewing the information, click Close to return to the Burb Configuration window.
2 The following settings may be enabled or disabled for each burb:
• Hide port unreachables—If this parameter is enabled, the Sidewinder G2 will give no response if a node on the network attempts to connect to a port on which the Sidewinder G2 is not listening. This increases security by not divulging configuration information to potential hackers.
• Intra-burb packet forwarding—If enabled, traffic will be forwarded between network interfaces located within this burb. Disabling this parameter in a burb with two or more network interfaces has the effect of separating the interfaces. This parameter should be disabled in burbs with only one network interface.
Note: There is an interaction between the Intra-burb packet forwarding parameter and NAT. NAT changes the source address of outbound packets to the IP address of the Sidewinder G2 in the external (outgoing) burb. If multiple interfaces exist in the same burb, the Sidewinder G2 has to select an appropriate address based upon how it routes packets. By enabling this option, the Sidewinder G2 must choose one of the interfaces for the source address. In this case the Sidewinder G2 will always choose the address of the first interface in the burb. Problems could occur if the destination is not defined to use the same route back to the Sidewinder G2.
• Honor ICMP redirects—ICMP messages are used to optimize the routes for getting IP traffic to the proper destination. On a trusted network, honoring ICMP redirects can improve the throughput of the system. On an untrusted network, ICMP redirects can be used by hackers to examine, reroute, or steal network traffic. Enabling this parameter allows the Sidewinder G2 to honor ICMP redirects.
• Respond to ICMP echo and timestamp—ICMP echo and timestamp messages (also known as ping messages) are used to test addresses on a network. The messages are a handy diagnostic tool, but can also be used by hackers to probe for weaknesses. Enabling this parameter allows the Sidewinder G2 to respond to these messages.
3 In the Internet burb drop-down list, specify which of the burbs defined on the Sidewinder G2 is the Internet burb. The Internet burb is unique because it is the only burb that communicates directly with the outside world.
4 Click the Save icon to save your changes.

Modifying the interface configuration

The installation process defines Sidewinder G2’s internal and external network interfaces. You can configure up to 64 interfaces, using a combination of physical and VLAN interfaces. Using the Admin Console you can configure the media type, the IP address, the subnet mask associated with an interface, and the burb assigned to an interface. You can also enable hardware acceleration, VLANs, DHCP, support for jumbo frames, and TCP checksum offloading.
To modify your interface configuration, start the Admin Console and select Firewall Administration > Interface Configuration. The following window appears.
About the Interface Configuration main window

Figure 38: Interface Configuration window

The Interface Configuration main window contains an Interfaces tab (in the upper portion of the window) that displays the configuration settings for each interface on the Sidewinder G2 in a table format. The Configuration tab (in the lower portion of the window) displays the configuration information for the interface that is selected in the Interfaces table.
For a description of each interface field, see “Modifying the Configuration tab” on page 85. You can perform the following actions in the Interface Configuration window:
Note: The Hardware Acceleration tab will only appear if you are using a supported hardware accelerator. For information on the Hardware Accelerator tab, see “About the Hardware Acceleration tab” on page 89.
• To view the status of all interfaces, click Interface Status. For more information, see “About the Interface Status window” on page 85.
• To delete an interface, highlight the interface and click Delete. You can only delete interfaces that are disabled. Physical interfaces must have the NIC removed as well.
• To modify an interface, highlight that interface in the table. The configuration information appears in the Configuration tab in the lower portion of the window. (You can also highlight the appropriate table row and click Modify to access the configuration information in a separate window.)
• To switch the interface configuration settings between two interfaces, highlight the two interfaces for which you want to swap properties (you will need to press and hold the Ctrl key to select multiple interfaces), and then click Swap Parameters. You will receive a warning message indicating that the system may not function properly until it is rebooted. To swap the parameters, click Yes and be sure to reboot your system. To cancel, click No.
If you swap interfaces, the MTU settings will not be swapped. Therefore, if you swap an interface with modified MTU settings, you will need to reconfigure those settings after swapping the interfaces.
Caution: Swapping interface parameters after you have initially configured your Sidewinder G2 could have unexpected results. This process should only be used immediately after installation, or when an interface has been added or replaced.

About the Interface Status window

This window provides traffic information for each of the physical and VLAN network interfaces on this Sidewinder G2.
• Interface — Displays the name of the interface.
• IP Address — Displays the IP address assigned to that interface.
• Status — Displays whether the interface’s status is up (ready for an active network connection) or down (will not accept an active network connection).
• Connected — Displays Connected if the Sidewinder G2 detects an active network connection and Disconnected if it does not.
You can also view this information at a command line interface by typing netstat -is.
When you are finished viewing the status, click Close.

Modifying the Configuration tab

The Configuration tab displays the interface name and MAC address that you are modifying. The following interface settings can be modified:
• Enabled—To enable an interface, select On. To disable an interface, select Off.
Note: You must select a burb in the Burb field before you can enable an interface.
• Interface Type—Select one of the following options:
– Physical Interface — Select this option to configure a standard physical interface.
– VLAN-Enabled Interface — Select this option to configure VLANs (Virtual Local Area Network) for this interface. A VLAN is a virtual interface that allows administrators to segment a LAN into different broadcast domains regardless of the physical location. VLANs are only supported on bge, em, and exp NICs.
When you select the VLAN-Enabled Interface option, the Configuration tab displays a table listing all of the VLANs that are currently configured for this interface. To configure VLANs for an interface, click New under the VLANs table and go to “Configuring VLANs” on page 87.
Important: You must use a router that can decipher VLAN traffic to use VLANs. Also, you cannot create VLANs on an interface that has DHCP enabled.
• IP Address—Select one of the following options:
– Obtain an IP address automatically: This option allows you to use the Dynamic Host Configuration Protocol (DHCP) to centrally manage IP addresses within your network. When you select this option, the IP Address and Network Mask fields are filled in with a value of DHCP, indicating that DHCP will be used to manage IP addresses.
Important: You cannot configure HA or One-To-Many on a Sidewinder G2 that has DHCP configured.
– Use the following IP address: This option allows you to specify the IP address, network mask, and burb for a physical interface.
• Network Mask—To modify the Network Mask, enter the new network mask in this field. The value specified is used to identify the significant portion of the IP address.
• Burb—To modify the burb, select the appropriate burb for this interface from the drop-down list.
• Media Type—To modify the media type, select the appropriate type from the drop-down list.
• MTU—This field allows you to specify the size of the Maximum Transfer Unit (MTU) for outgoing packets. Select one of the following:
– Standard (1500)—Select this option to use the standard MTU.
– Jumbo (9000)—Select this option to allow jumbo frames. This option is only available on NICs that support jumbo frames.
– Custom (576–9216)—Select this option if you need to specify a custom MTU. The range may change, based on the following:
• If you are using a current version of the Admin Console to manage a pre-6.1.2 Sidewinder G2, the range for this option will be 576–16000.
• If the NIC does not support jumbo frames, the range for this option will be 576–1500.
Chapter 3: General System Tasks<br />
Modifying the interface configuration<br />
Note: The receive_jumbo_frames option (in the Hardware Capabilities area),<br />
allows the interface to receive larger MTUs. This option is automatically enabled<br />
when you specify a size that is larger than 1500 (standard). You must also ensure<br />
that the destination is able to receive the MTU size when using non-standard sizes.<br />
Important: If you swap interfaces, the MTU settings will not be swapped.<br />
Therefore, if you swap an interface with modified MTU settings, you will need to<br />
reconfigure those settings after swapping the interfaces.<br />
• Hardware Capabilities—This option will only appear if the interface you are<br />
modifying has hardware capabilities that can be configured. To select all <strong>of</strong><br />
the available options, click Select All. To deselect all options, click Deselect<br />
All. The following options may be available for selection:<br />
– rxcsum: Enable transmission <strong>of</strong> checksum <strong>of</strong>fload for IPv4 packets.<br />
– txcsum: Enable reception <strong>of</strong> checksum <strong>of</strong>fload for IPv4 packets.<br />
– tcpseg: Enable TCP/IPv4 segmentation <strong>of</strong>fload for large packets.<br />
When you are finished modifying the interface, click the Save icon to save your<br />
changes. (If you modified the interface in a separate window, you will need to<br />
click OK to return to the Interface Configuration window.)<br />
Configuring VLANs<br />
The VLAN-Enabled Interface Configuration: Modify Interface Configuration<br />
window allows you to create and modify VLANs for an interface. You can<br />
assign a combined total of up to 64 VLANs and NICs on the Sidewinder G2. For example, if your<br />
Sidewinder G2 has three NICs, you could configure up to 61 VLANs. Other<br />
information about how VLANs function on the Sidewinder G2 includes:<br />
• VLANs are supported in a High Availability (HA) configuration. For best<br />
results, configure VLANs before configuring HA.<br />
• You must use a router (or switch) that can interpret VLAN-tagged (802.1Q) traffic to use VLANs.<br />
• You cannot create VLANs on an interface that has DHCP enabled.<br />
• To filter traffic for a VLAN, use the following syntax:<br />
tcpdump -pni interface_name vlan vlanID<br />
To configure a VLAN, follow the steps below.<br />
Figure 39: VLAN-Enabled Interface Configuration: Modify Interface Configuration window<br />
About the VLAN-Enabled Interface Configuration: Modify Interface Configuration window<br />
To create or modify a VLAN, do the following:<br />
1 In the Enable field, select one <strong>of</strong> the following options:<br />
• On—Select this option to enable this VLAN.<br />
• Off—Select this option to disable this VLAN.<br />
2 In the VLAN ID field, specify a numeric ID for this VLAN. Valid values are 2–<br />
4094.<br />
3 In the IP Address field, enter an IP address for the VLAN.<br />
4 In the Network Mask field, enter a network mask for the VLAN. The value<br />
specified is used to identify the significant portion <strong>of</strong> the IP address.<br />
5 In the Burb drop-down list, select the burb for this VLAN.<br />
6 Click OK to add the VLAN and return to the main Interface Configuration<br />
window.<br />
7 Click the Save icon to save your changes.<br />
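The tcpdump filter given above (tcpdump -pni interface_name vlan vlanID) selects frames by the VLAN ID carried in their 802.1Q tag. The following Python program is an added example, not code from the Sidewinder G2 guide or the product: it builds a few constructed Ethernet frames, parses the 802.1Q tag (TPID 0x8100 followed by the PCP, DEI and 12-bit VLAN ID fields) and applies the same selection tcpdump's vlan primitive performs, rejecting IDs outside the 2 to 4094 range the VLAN ID field accepts. The MAC addresses, the VLAN IDs 100 and 200 and the helper names are the example's own.

```python
"""Added example (not from the Sidewinder G2 guide): parse 802.1Q VLAN tags and
select frames by VLAN ID, the operation behind
`tcpdump -pni <interface> vlan <vlanID>`. All frames below are constructed."""
import struct
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100      # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800
VLAN_ID_MIN, VLAN_ID_MAX = 2, 4094   # range accepted by the VLAN ID field


def validate_vlan_id(vid: int) -> int:
    """Reject IDs the Modify Interface Configuration window would not accept."""
    if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID {vid} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
    return vid


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6], "src": frame[6:12],
            "vlan_id": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13            # priority code point (3 bits)
        info["dei"] = (tci >> 12) & 0x1    # drop eligible indicator (1 bit)
        info["vlan_id"] = tci & 0x0FFF     # VLAN identifier (12 bits)
        offset = 18
    info["ethertype"] = ethertype          # ethertype of the encapsulated packet
    info["payload"] = frame[offset:]
    return info


def matches_vlan(frame: bytes, vlan_id: int) -> bool:
    """Same selection as tcpdump's `vlan <id>` primitive for a single tag."""
    return parse_frame(frame)["vlan_id"] == vlan_id


def filter_by_vlan(frames: List[bytes], vlan_id: int) -> List[bytes]:
    """Frames carrying the given VLAN ID; the ID is range-checked first."""
    validate_vlan_id(vlan_id)
    return [f for f in frames if matches_vlan(f, vlan_id)]


# Constructed sample traffic: two tagged frames and one untagged frame.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes
SAMPLE_FRAMES = [
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=100),
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=200, pcp=5),
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB),
]

if __name__ == "__main__":
    for f in filter_by_vlan(SAMPLE_FRAMES, 200):
        print(parse_frame(f))
```

An untagged frame has no VLAN ID at all, so it never matches any vlan filter; a tagged frame is four bytes longer than the same frame untagged, which is also why the MTU discussion earlier in this section matters when VLANs are added to an interface.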
About the Aliases tab<br />
The Interface Configuration Aliases tab contains an Interface Aliases table that<br />
displays any alias IP addresses defined for the selected network interface.<br />
Alias IP addresses are used in Multiple Address Translation (MAT). Adding<br />
alias IP addresses to a network interface can be used for purposes such as:<br />
• Specific logical networks connected to one interface can be consistently<br />
mapped to specific IP aliases on another interface when using address<br />
hiding.<br />
• The NIC can accept connection requests for any defined alias.<br />
• The NIC can communicate with more than one logical network without the<br />
need for a router.<br />
• The NIC can have more than one address on the same network and have<br />
DNS resolve different domains to each host address.<br />
To delete an alias IP address, select the item, and click Delete.<br />
To add or modify an alias IP address, select the item, click New or Modify, and<br />
see “About the Aliases: New/Modify Network Alias window” below.
About the Aliases: New/Modify Network Alias window<br />
To add or modify an alias IP address in the Interface Configuration: Aliases<br />
window, follow the steps below.<br />
1 In the Network Address field, select the appropriate network address for<br />
the interface you want to configure.<br />
2 In the Alias Address field, type the alias IP address that will be associated<br />
with the network interface selected in the Interface Configuration window.<br />
3 In the Network Mask field, type a network mask. The value specified is<br />
used to identify the significant portion <strong>of</strong> the IP address.<br />
4 Click OK to add the alias IP address, or click Cancel to return to the<br />
Interface Configuration window without saving your changes.<br />
After adding or modifying an entry you should be able to ping the address<br />
from an external device, unless the Respond to ICMP echo and timestamp<br />
parameter is disabled for this burb. See “Entering information on the Burb<br />
Configuration window” on page 82.<br />
5 Click the Save icon to save the changes.<br />
About the Hardware Acceleration tab<br />
The Hardware Acceleration tab will only appear if you are using a supported<br />
hardware accelerator. The Hardware Acceleration tab contains a table listing<br />
the supported hardware accelerators that are currently installed on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. The following table columns appear:<br />
• Hardware Accelerator—This column lists the type <strong>of</strong> hardware accelerator<br />
(for example, Cavium).<br />
• Accelerator Type—This column lists the type <strong>of</strong> hardware acceleration (for<br />
example, SSL).<br />
• Enabled—This column lists whether the hardware accelerator is enabled<br />
(On) or disabled (Off).<br />
To enable a hardware accelerator, select the hardware accelerator you want to<br />
enable and click Enable.<br />
To disable a hardware accelerator, select the hardware accelerator you want to<br />
disable and click Disable.<br />
Click the Save icon to save your changes.<br />
Modifying the static route<br />
Figure 40: Static window<br />
About the Static window<br />
Traffic between machines on different networks or subnets requires routing.<br />
Each computer must be told where to direct traffic it cannot deliver directly; this<br />
“default gateway” is generally a router which allows access to distant subnets.<br />
A “default route” (route <strong>of</strong> last-resort) is used to specify the IP address where<br />
packets are forwarded that have no explicit route. It is usually the IP address <strong>of</strong><br />
a router (for example, a Cisco box) that will forward packets to your Internet<br />
Service Provider (ISP).<br />
Note: For more detailed information on routing, please refer to “Routing options” in<br />
the <strong>Sidewinder</strong> <strong>G2</strong> Startup <strong>Guide</strong>.<br />
On the <strong>Sidewinder</strong> <strong>G2</strong>, this default route is typically defined while using the<br />
Quick Start Wizard during the initial configuration process. Once it is set it<br />
rarely needs to change; hence it is also known as a static route. However, if<br />
your network configuration should change, you may find it necessary to<br />
change this static route. You can do this using the Admin Console. To change a<br />
static route, select Services Configuration > Routing > Static. The Static<br />
window appears.<br />
The Static window contains a static route definition table that lists all <strong>of</strong> the<br />
route definitions. To modify the static routes currently defined on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, follow the steps below.<br />
Note: Interface routes cannot be modified or deleted.
About the Static: Route window<br />
1 To change the IP address of the router that is used as your default or<br />
“static” route, type the new address in the Default Route field. The address<br />
must be entered in dotted-quad notation (four decimal octets separated by periods).<br />
Note: If your <strong>Sidewinder</strong> <strong>G2</strong> is defined with two DNS servers, the IP address for<br />
the static route must be an address on the external burb.<br />
2 Perform one <strong>of</strong> the following actions:<br />
• To add a static route, click New. The Static Route window appears.<br />
Proceed to step 3.<br />
• To modify an existing static route, highlight the route you want to modify<br />
and click Modify. The Static Route window appears. Proceed to step 3.<br />
• To delete an existing static route, highlight the route you want to delete<br />
and click Delete. When you click this button, the system checks for any<br />
sessions that are currently using the address that you want to delete. If<br />
the address is in use, you will not be allowed to delete the entry.<br />
Proceed to step 8.<br />
3 In the Entry Type field, select the type <strong>of</strong> route: Net or Host.<br />
4 In the Net/Host Address field, type the subnet address for this route.<br />
5 In the Gateway field, type the gateway address the route will use.<br />
6 [Conditional] In the Net Mask field, type the network mask that will be used<br />
for this route. This field is only available if Net is selected in the Entry Type<br />
field.<br />
7 Click Add to add the information you entered to the static route definition<br />
table. (To exit the window without saving your changes, click Close.)<br />
8 In the Static window, click the Save icon to write all non-interface routes to<br />
/etc/gateways and automatically add changes to the current routing table,<br />
or click Cancel to cancel the change.<br />
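The Net, Host and default entries in the steps above form a route table that is searched by longest matching prefix, with the default route used when nothing else matches. The following Python model is an added example, not code from the Sidewinder G2 guide or the product: it builds a constructed table (an internal and an external burb, a Net route, a Host route and the ISP router as the default), resolves a few destinations, refuses to delete interface routes or routes with active sessions in the way the Static window does, and renders the non-interface entries in the line format BSD routed(8)'s gateways(5) manual documents; that /etc/gateways on the firewall follows that format is an assumption of the example. All addresses are documentation ranges chosen for illustration.

```python
"""Added example (not from the Sidewinder G2 guide): a model of the route table
the Static window manages. Entries are Net routes (address + net mask), Host
routes (a single address) and interface routes, plus one default route (the
route of last resort). Addresses below are constructed."""
import ipaddress
from typing import List, Optional, Tuple


class Route:
    def __init__(self, entry_type: str, network: str, gateway: Optional[str]):
        self.entry_type = entry_type                  # "Net", "Host" or "Interface"
        self.network = ipaddress.IPv4Network(network, strict=False)
        self.gateway = gateway                        # None = directly connected


def net_route(address: str, mask: str, gateway: str) -> Route:
    return Route("Net", f"{address}/{mask}", gateway)


def host_route(address: str, gateway: str) -> Route:
    return Route("Host", f"{address}/32", gateway)       # host route = /32 prefix


def interface_route(address: str, mask: str) -> Route:
    return Route("Interface", f"{address}/{mask}", None)


class RouteTable:
    def __init__(self, default_route: str):
        self.default = default_route
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        if any(r.network == route.network for r in self.routes):
            raise ValueError(f"a route for {route.network} already exists")
        self.routes.append(route)

    def delete(self, network: str, active_sessions=()) -> None:
        """Mirror the window's checks: interface routes and in-use entries stay."""
        net = ipaddress.IPv4Network(network, strict=False)
        victim = next((r for r in self.routes if r.network == net), None)
        if victim is None:
            raise KeyError(f"no route for {net}")
        if victim.entry_type == "Interface":
            raise PermissionError("interface routes cannot be modified or deleted")
        if any(ipaddress.IPv4Address(a) in net for a in active_sessions):
            raise RuntimeError(f"{net} is in use by an active session")
        self.routes.remove(victim)

    def lookup(self, destination: str) -> Tuple[str, Optional[str]]:
        """Longest-prefix match; fall back to the default route."""
        dst = ipaddress.IPv4Address(destination)
        hits = [r for r in self.routes if dst in r.network]
        if not hits:
            return "Default", self.default
        best = max(hits, key=lambda r: r.network.prefixlen)
        return best.entry_type, best.gateway

    def gateways_file(self) -> str:
        """Render non-interface routes in the gateways(5) line format used by
        BSD routed(8); assumption: /etc/gateways on the firewall follows it."""
        lines = []
        for r in self.routes:
            if r.entry_type == "Net":
                lines.append(f"net {r.network.network_address}/{r.network.prefixlen} "
                             f"gateway {r.gateway} metric 1 passive")
            elif r.entry_type == "Host":
                lines.append(f"host {r.network.network_address} "
                             f"gateway {r.gateway} metric 1 passive")
        return "\n".join(lines) + "\n"


def build_sample_table() -> RouteTable:
    """Constructed table: an internal and an external burb, one Net route to a
    second internal subnet, one Host route, and the ISP router as default."""
    rt = RouteTable(default_route="203.0.113.1")
    rt.add(interface_route("10.1.1.0", "255.255.255.0"))       # internal burb
    rt.add(interface_route("203.0.113.0", "255.255.255.0"))    # external burb
    rt.add(net_route("10.2.0.0", "255.255.0.0", "10.1.1.254"))  # Net entry
    rt.add(host_route("10.2.7.7", "10.1.1.253"))               # Host entry
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dest in ("10.1.1.20", "10.2.5.9", "10.2.7.7", "192.0.2.10"):
        print(dest, "->", table.lookup(dest))
    print(table.gateways_file(), end="")
```

The Host entry for 10.2.7.7 wins over the Net entry for 10.2.0.0/16 because its prefix is longer, which is the reason to use a Host route when one machine inside a subnet must reach a different gateway; once the Net route is deleted, destinations in 10.2.0.0/16 other than that host fall through to the default route.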
Configuring Admin Console access<br />
Sidewinder G2 is managed from a Windows machine installed with the<br />
<strong>Sidewinder</strong> <strong>G2</strong> Admin Console. The Quick Start Wizard enables access on the<br />
internal burb. Before you can establish an Admin Console connection to a<br />
different burb, you must enable Admin Console access for that burb. Use the<br />
following steps to enable or disable administration in a particular burb.<br />
Start the Admin Console and select Firewall <strong>Administration</strong> > UI Access<br />
Control. A window similar to the following appears.<br />
Figure 41: Remote Administration tab<br />
About the Remote Administration tab<br />
This window allows you to enable management of the Sidewinder G2 using<br />
the Admin Console. When enabled, users with administrative privileges will be<br />
able to use the Admin Console to connect to and administer the Sidewinder G2.<br />
You can enable Admin Console management on a per burb basis. For<br />
example, if you enable Admin Console management for Burb A but not Burb B,<br />
only those users with access to the interfaces assigned to Burb A will be able<br />
to administer the <strong>Sidewinder</strong> <strong>G2</strong> using an Admin Console.<br />
Note: For information on configuring the Firewall Certificate tab, see “Configuring<br />
and displaying firewall certificates” on page 424.<br />
Follow the steps below to configure Admin Console management.<br />
Note: During the initial configuration, the Quick Start Wizard enables Admin<br />
Console access on the internal burb.<br />
1 In the Allow Secure Sessions From list, select the burbs that will allow<br />
administration access from a Windows system. Connections to the burbs in<br />
this list are encrypted using SSL.<br />
2 In the Secure Ports field, specify the range <strong>of</strong> ports on which secure<br />
sessions will be allowed.<br />
Note: See “NSS regulation <strong>of</strong> valid ports for the Admin Console” on page 15 for<br />
details on selecting valid ports.<br />
3 Click the Save icon to save your changes. To configure the SSL certificate<br />
fields for the Admin Console, see the following section.
About the SSL certificate fields for the Admin Console<br />
The Admin Console provides secure access to the <strong>Sidewinder</strong> <strong>G2</strong> using the<br />
Secure Socket Layer (SSL) protocol. The SSL protocol requires the use <strong>of</strong><br />
certificates by both the client and the server when creating the secure<br />
connection. Follow the steps below to configure the SSL certificate for the<br />
Admin Console.<br />
Important: Secure Computing recommends assigning a new certificate to the<br />
Admin Console before using the <strong>Sidewinder</strong> <strong>G2</strong> in an operational environment.<br />
A default SSL certificate is initially assigned to the Admin Console. When using<br />
the <strong>Sidewinder</strong> <strong>G2</strong> in an operational environment, however, it is highly<br />
recommended that you assign a different certificate to the Admin Console. For<br />
more information, see “Assigning new certificates for Admin Console and<br />
synchronization services” on page 430.<br />
To assign a new SSL certificate to the Admin Console, select the certificate<br />
from the Certificate drop-down list. Only self-signed, RSA/DSA certificates that<br />
are defined in Services Configuration > Certificate Management in the<br />
Firewall Certificates tab are displayed in this field. The Firewall Certificates tab<br />
is used to define a new certificate for use by the Admin Console. After creating<br />
the new certificate you can return to the UI Access Control window and assign<br />
the new certificate to the Admin Console.<br />
Configuring the Sidewinder G2 to use a UPS<br />
Many organizations connect the Sidewinder G2 to an Uninterruptible Power<br />
Supply (UPS). This allows the <strong>Sidewinder</strong> <strong>G2</strong> to continue to be operational if a<br />
power outage occurs. If the power outage is long enough, however, the battery<br />
in the UPS will begin to fail. To avoid an uncontrolled shutdown, you can<br />
configure the <strong>Sidewinder</strong> <strong>G2</strong> to initiate an orderly shutdown before the UPS<br />
fails. The <strong>Sidewinder</strong> <strong>G2</strong> is much more likely to restart in a good condition<br />
following an orderly shutdown than from an uncontrolled shutdown.<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> to use a UPS<br />
To configure the <strong>Sidewinder</strong> <strong>G2</strong> to use a UPS, select Services Configuration ><br />
Servers and select upsd in the list <strong>of</strong> server names. Click the Configuration<br />
tab. The following window appears.<br />
Figure 42: UPS Configuration window<br />
About the UPS Configuration window<br />
The UPS Configuration window enables you to configure how the <strong>Sidewinder</strong><br />
<strong>G2</strong> will interact with an uninterruptible power supply. The window contains the<br />
following fields.<br />
• UPS Serial Port—Click the drop-down list to select the <strong>Sidewinder</strong> <strong>G2</strong> port<br />
being used to monitor the UPS.<br />
The Sidewinder G2 only supports the COM1 port for the UPS (COM2 is not supported).<br />
Therefore, you cannot enable the uninterruptible power supply (UPS) service<br />
AND connect a console directly to the COM1 port of your Sidewinder G2<br />
at the same time. Doing so will cause your Sidewinder G2 Security<br />
Appliance to shut down immediately. If this happens, you must do one of the<br />
following:<br />
– Disable upsd and use a serial console: Disconnect the <strong>Sidewinder</strong> <strong>G2</strong><br />
console, disable upsd using the Admin Console, and then reconnect to<br />
the <strong>Sidewinder</strong> <strong>G2</strong> console.<br />
– Remove the serial console and use upsd: Disconnect the <strong>Sidewinder</strong><br />
<strong>G2</strong> console, and then connect the UPS cable.<br />
• Battery Time—Specify the estimated amount <strong>of</strong> time (in seconds) that the<br />
UPS battery will last before running low. The <strong>Sidewinder</strong> <strong>G2</strong> will initiate an<br />
orderly shutdown when this timer expires, regardless <strong>of</strong> the amount <strong>of</strong><br />
battery power remaining in the UPS.
Enabling/disabling the UPS server<br />
1 Connect the UPS’s serial cable to the <strong>Sidewinder</strong> <strong>G2</strong>’s COM1 port.<br />
2 Select Services Configuration > Servers.<br />
3 Select upsd from the list <strong>of</strong> server names.<br />
4 Click Enable or Disable.<br />
• Enabled—Indicates the <strong>Sidewinder</strong> <strong>G2</strong> is configured to use a UPS. If a<br />
power outage occurs, the <strong>Sidewinder</strong> <strong>G2</strong> will monitor the UPS and will<br />
perform an orderly shutdown when the UPS battery begins to run low.<br />
• Disabled—Indicates the <strong>Sidewinder</strong> <strong>G2</strong> is not configured to use a UPS.<br />
If a power outage occurs and the <strong>Sidewinder</strong> <strong>G2</strong> IS connected to a<br />
UPS, the <strong>Sidewinder</strong> <strong>G2</strong> will not monitor the UPS and will not perform<br />
an orderly shutdown when the UPS battery begins to run low.<br />
5 Click the Save icon.<br />
Enforcing FIPS<br />
Federal Information Processing Standard (FIPS) 140-2 is a standard that<br />
describes the U.S. federal government requirements for a cryptographic<br />
module used in a security system. Select this option to configure settings that<br />
make a managed <strong>Sidewinder</strong> <strong>G2</strong> FIPS 140-2 compliant. For more information<br />
on how enabling this option affects <strong>Sidewinder</strong> <strong>G2</strong>, see the FIPS application<br />
note at www.securecomputing.com/goto/appnotes.<br />
Figure 43: Enforcing FIPS<br />
Note: This option is appropriate only for organizations that are explicitly required<br />
by the U.S. federal government to be FIPS 140-2 compliant.<br />
To enable FIPS, do the following:<br />
1 Select Firewall Administration. The FIPS check box appears in the right-hand<br />
pane.<br />
2 Select Enforce US Federal Information Processing Standard.<br />
3 Click the Save icon to save the configuration change.<br />
4 Select Firewall <strong>Administration</strong> > System Shutdown and reboot the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the Operational kernel to activate the change.<br />
CHAPTER 4<br />
Understanding Policy Configuration<br />
In this chapter...<br />
Policy configuration basics.............................................................98<br />
Rule elements ..............................................................................103<br />
Application Defenses....................................................................109<br />
Proxy rule basics ..........................................................................112<br />
IP Filter rule basics.......................................................................121<br />
Policy configuration basics<br />
Figure 44: Basic rule group structure (sample rule group)<br />
Your site’s security policy is implemented and enforced by applying rules to all<br />
traffic that passes through the <strong>Sidewinder</strong> <strong>G2</strong>. Each rule is basically a mini<br />
policy that contains criteria which are used to inspect incoming or outgoing<br />
traffic. Rules determine whether that traffic will be allowed to continue to its<br />
destination. There are two distinct rule types that you can configure on the<br />
Sidewinder G2:<br />
• Proxy rules—Proxy rules allow you to control access to <strong>Sidewinder</strong> <strong>G2</strong><br />
proxies and servers. Proxy rules determine whether traffic will be allowed<br />
through the <strong>Sidewinder</strong> <strong>G2</strong> or denied using various criteria such as source<br />
and destination address.<br />
Proxy rules are automatically bi-directional, meaning that a rule allows traffic<br />
or sessions to be initiated from both source and destination addresses.<br />
Also, each rule automatically allows the response(s) to the initial request.<br />
Note: When you are configuring proxy rules for a particular proxy or service,<br />
you must ensure that the corresponding proxies and/or servers have also been<br />
enabled and configured before the rule will pass traffic. This can be verified at<br />
Policy Configuration > Proxies and Policy Configuration > Servers.<br />
• IP Filter rules—IP Filter rules allow you to configure your <strong>Sidewinder</strong> <strong>G2</strong> to<br />
securely forward IP packets between networks. IP Filter rules operate<br />
directly on the IP packets, allowing you to configure filtering for TCP/UDP<br />
and non-TCP/UDP traffic passing between networks.<br />
After you plan and create all <strong>of</strong> the rules you need to enforce your security<br />
policy, you can organize them into sets, called rule groups. A rule group can<br />
consist <strong>of</strong> both rules and nested rule groups. A nested rule group is a rule<br />
group that you place within another rule group. You can nest multiple rule<br />
groups within a rule group.<br />
Figure 44 demonstrates the basic structure <strong>of</strong> a rule group that uses nested<br />
rules.<br />
(Figure 44 shows a rule group containing Rule 1, a nested rule group, a second<br />
nested rule group and Rule 9; the nested groups hold Rules 2 through 8.)<br />
Figure 45: Example of active rules<br />
While you can create numerous rules and groups, the <strong>Sidewinder</strong> <strong>G2</strong> will only<br />
load and use the rules contained in the groups that you select in the Active<br />
Rules window. These active rules are the rules that enforce your security<br />
policy. When you select the active rule groups (you can select one active proxy<br />
group and one active IP Filter group), those groups begin actively monitoring<br />
traffic coming into and leaving the <strong>Sidewinder</strong> <strong>G2</strong>. All rules and rule groups that<br />
are not part <strong>of</strong> the active rules will remain inactive unless you add them to an<br />
active rule group. You can modify your existing active rule group to add or<br />
delete rules and/or nested rule groups as your security needs change. You can<br />
also re-organize the rules within a group as needed.<br />
When you select an active group, the individual rules and the rules within<br />
nested groups are extracted into a single table <strong>of</strong> ordered rules as shown in<br />
Figure 45.<br />
(Figure 45 shows the rule group on the left, containing Rule 1, rule group A,<br />
rule group B and Rule 9, and on the right the resulting active rules table,<br />
Rule 1 through Rule 9, with the contents of rule group A and rule group B<br />
expanded in place and in order.)<br />
The rules within an active group are processed in sequential order. When<br />
traffic arrives at the <strong>Sidewinder</strong> <strong>G2</strong>, it will first be processed by the active IP<br />
Filter rules. If the traffic does not match any IP Filter rules or matches a<br />
Bypass IP Filter Rules rule, it is forwarded on to the active proxy rules. If a rule<br />
match is found, the traffic is processed according to that rule and will not be<br />
processed by any other rules. Therefore, the order <strong>of</strong> the rules and nested rule<br />
groups within an active rule group is very important.<br />
The rule groups you specify in the Active Rules window (one for proxy and one<br />
for IP Filter) work together as follows: All traffic coming into and leaving the<br />
<strong>Sidewinder</strong> <strong>G2</strong> is compared to any active IP Filter rules that you have<br />
configured. The IP Filter rules examine packets at the IP layer. If a match is not<br />
found in the IP Filter rules, the traffic is then examined by the active proxy<br />
rules, which examine the traffic at the Application layer.<br />
Figure 46: Traffic passing through the active rule groups<br />
(Figure 46 shows traffic passing through the active IP Filter rules (rule groups A, B<br />
and C), then the proxies (one of which, Proxy C, is enabled), then the active proxy<br />
rules (rule groups A, B and C), with these annotations:)<br />
1. Traffic enters the Sidewinder G2 and is processed by the active IP Filter rules.<br />
2. No match is found, so traffic is forwarded to the proxies.<br />
3. A match is found at Proxy C, so the traffic is forwarded to the active proxy rules.<br />
4. A match is found in Rule Group B. The traffic is processed by the rule specifications.<br />
Tip: Always place the deny_all rule at the end <strong>of</strong> the active proxy rules list. This<br />
rule denies any traffic that reaches it. Therefore, any rules that are listed after the<br />
deny_all rule will not process any traffic.<br />
An example <strong>of</strong> traffic being processed by the active rules<br />
The following scenario walks you through the basic process used by the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to process an outbound Telnet connection request. For<br />
simplicity, this scenario assumes that the active rules table consists <strong>of</strong> the<br />
following items:<br />
• Some non-TCP/UDP IP Filter rules.<br />
• A rule called NetMeeting that allows users to use audio and video<br />
conferencing components for NetMeeting ® .<br />
• A rule group called <strong>Administration</strong>, which allows <strong>Sidewinder</strong> <strong>G2</strong><br />
administrators to access the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• A rule called Internet Services, which includes a service group that allows<br />
access to the most commonly used Internet services, including Telnet. (For<br />
information on service groups, see “Service groups” on page 108.)<br />
• All proxies included in those rules are enabled in the appropriate burbs.<br />
• A deny_all rule that will deny any requests that did not match any other<br />
rules. This rule acts as a safeguard against traffic that did not meet any rule<br />
criteria, and may or may not be desirable depending on your site’s security<br />
policy.<br />
The following steps outline the basic processing that takes place when an<br />
outbound Telnet connection request arrives at a <strong>Sidewinder</strong> <strong>G2</strong> with the above<br />
active rules in place.<br />
1 An outbound Telnet request arrives at the Sidewinder G2.<br />
2 The request is processed by the active IP Filter rules. No match is found, so<br />
the request is forwarded to the proxies.<br />
3 The request is processed by the proxies. The telnet proxy is listening<br />
(enabled), so the request is forwarded to the active proxy rules.<br />
4 The request is processed by the first rule in the Active Rules table, which is<br />
the NetMeeting rule. The request does not match the rule criteria.<br />
5 The request is forwarded to the next rule in the table, a rule group called<br />
<strong>Administration</strong>, and is inspected in sequential order by each rule contained<br />
within that group. No match is found in this rule group.<br />
6 The request is forwarded to the next rule in the table, a rule called Internet<br />
Services. A match is found (because the Telnet proxy is included in the<br />
service group used in this rule).<br />
7 The request is processed according to the specifications in the Internet<br />
Services rule. The Internet Services rule is an allow rule with NAT enabled.<br />
The request bypasses all other rules and groups contained in the active<br />
rules table, the internal address <strong>of</strong> the request is translated, and the request<br />
is granted.<br />
Ordering proxy rules within a rule group<br />
The order in which rules and nested groups appear in the active rule group is<br />
significant. When the <strong>Sidewinder</strong> <strong>G2</strong> is looking for a rule match, it searches the<br />
active rules in sequential order (beginning with the first rule or nested group<br />
within the group, then the second, and so on). The first rule that matches all the<br />
characteristics <strong>of</strong> the connection request (service type, source, destination,<br />
and so on) is used to determine whether to allow or deny the connection.<br />
Therefore, you should always place rules that allow or deny the most frequent<br />
traffic near the top <strong>of</strong> an active rule group to reduce the processing time.<br />
Important: If the characteristics of a connection request match more than one<br />
rule, the first one it matches will be used and the search will stop.<br />
For example, suppose you want to allow access to FTP services on the<br />
Internet for all systems except those included in a netgroup called<br />
“publications.” The scenarios below illustrate both the incorrect and correct rule<br />
placement.<br />
Incorrect placement <strong>of</strong> rules in a rule group<br />
The following shows a rule group list that is INCORRECT for this scenario.<br />
Rule 1: Allow FTP service for all internal systems to all external systems.<br />
Rule 2: Deny FTP service for the netgroup “publications” to all external<br />
systems.<br />
The first rule in the rule group allows all systems (via a wildcard) to use FTP<br />
and the second rule denies one particular netgroup.<br />
Problem: When a system specified in the “publications” netgroup requests an<br />
FTP connection to somewhere in the Internet, the <strong>Sidewinder</strong> <strong>G2</strong> will check<br />
rule 1 in the active proxy rule group. Because that rule allows all systems FTP<br />
service to the Internet, the <strong>Sidewinder</strong> <strong>G2</strong> detects a match, stops searching the<br />
rule group, and grants the connection.<br />
Correct placement <strong>of</strong> rules in a rule group<br />
To deny a particular netgroup in this example, the deny rule should be placed<br />
before the allow rule. The correct way to order the rules in the rule group for<br />
this example is as follows.<br />
Rule 1: Deny FTP service for the netgroup “publications” to all external<br />
systems.<br />
Rule 2: Allow FTP service for all internal systems to all external systems.<br />
Important: As a basic guideline when configuring a rule group, place specific rules<br />
before any general (wildcard) rules.
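The flattening of nested groups into one ordered table (Figure 45), the Telnet walk-through, and the incorrect and correct FTP orderings above all follow from a single evaluation procedure: the active IP Filter rules are searched first, the request is accepted only if the corresponding proxy is listening, and the active proxy rules are then searched in order until the first match. The following Python model is an added example, not code from the Sidewinder G2 guide or the product; rule fields are reduced to service, source and destination, and the rule names, the "publications" netgroup (two constructed addresses), the proxy names and the requests are constructed for illustration. It reproduces both FTP orderings and also flags any rules that sit after a catch-all deny_all rule, which the Tip above notes never process traffic.

```python
"""Added example (not from the Sidewinder G2 guide): a model of active rule
processing. Nested rule groups are flattened into one ordered table, IP Filter
rules run before proxy rules, and the first matching rule ends the search.
Rule fields are reduced to service/source/destination; all data is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

ANY = frozenset({"*"})


@dataclass
class Rule:
    name: str
    action: str                              # "allow", "deny", or "bypass" (IP Filter)
    services: frozenset = frozenset()        # service group; empty = any service
    sources: frozenset = ANY                 # netgroup members, or "*" wildcard
    destinations: frozenset = ANY
    nat: bool = False

    def matches(self, req: "Request") -> bool:
        def hit(allowed: frozenset, value: str) -> bool:
            return "*" in allowed or value in allowed
        return ((not self.services or req.service in self.services)
                and hit(self.sources, req.source)
                and hit(self.destinations, req.destination))


@dataclass
class RuleGroup:
    name: str
    members: List[Union[Rule, "RuleGroup"]] = field(default_factory=list)


@dataclass
class Request:
    service: str      # proxy/server name, e.g. "telnet"
    source: str
    destination: str


def flatten(group: RuleGroup) -> List[Rule]:
    """Extract rules and nested groups into one ordered table (Figure 45)."""
    table: List[Rule] = []
    for m in group.members:
        table.extend(flatten(m) if isinstance(m, RuleGroup) else [m])
    return table


def first_match(table: List[Rule], req: Request) -> Optional[Rule]:
    """Sequential search: the first rule matching all criteria is used."""
    return next((r for r in table if r.matches(req)), None)


def process(req: Request, ipfilter: RuleGroup, proxy: RuleGroup,
            enabled_proxies) -> Tuple[str, str, bool]:
    """Return (action, deciding rule, NAT applied) in the guide's order."""
    ipf = first_match(flatten(ipfilter), req)
    if ipf is not None and ipf.action != "bypass":
        return ipf.action, ipf.name, False           # an IP Filter rule decided
    if req.service not in enabled_proxies:
        return "deny", "no listening proxy", False   # proxy not enabled: no rule can pass it
    hit = first_match(flatten(proxy), req)
    if hit is None:
        return "deny", "no rule matched", False
    return hit.action, hit.name, hit.nat and hit.action == "allow"


def unreachable_after_catch_all(table: List[Rule]) -> List[str]:
    """Names of rules placed after a rule matching everything (e.g. deny_all)."""
    for i, r in enumerate(table):
        if not r.services and "*" in r.sources and "*" in r.destinations:
            return [x.name for x in table[i + 1:]]
    return []


# Constructed active rules for the Telnet walk-through.
INTERNET_SERVICES = frozenset({"http", "https", "ftp", "telnet", "smtp"})
ENABLED_PROXIES = {"h323", "ssh", "http", "https", "ftp", "telnet", "smtp"}
IPFILTER_RULES = RuleGroup("active IP Filter rules", [
    Rule("allow_gre", "allow", frozenset({"gre"})),      # a non-TCP/UDP rule
])
PROXY_RULES = RuleGroup("active proxy rules", [
    Rule("NetMeeting", "allow", frozenset({"h323"})),
    RuleGroup("Administration", [
        Rule("admin_ssh", "allow", frozenset({"ssh"}),
             frozenset({"admin-ws"}), frozenset({"firewall"})),
    ]),
    Rule("Internet Services", "allow", INTERNET_SERVICES, nat=True),
    Rule("deny_all", "deny"),                            # catch-all, placed last
])

# Constructed FTP ordering example: the "publications" netgroup must be denied.
PUBLICATIONS = frozenset({"10.1.1.40", "10.1.1.41"})
ALLOW_FTP_ALL = Rule("allow_ftp_all", "allow", frozenset({"ftp"}))
DENY_FTP_PUBS = Rule("deny_ftp_publications", "deny", frozenset({"ftp"}), PUBLICATIONS)
INCORRECT_ORDER = RuleGroup("incorrect", [ALLOW_FTP_ALL, DENY_FTP_PUBS])
CORRECT_ORDER = RuleGroup("correct", [DENY_FTP_PUBS, ALLOW_FTP_ALL])

if __name__ == "__main__":
    telnet = Request("telnet", "10.1.1.20", "internet")
    print(process(telnet, IPFILTER_RULES, PROXY_RULES, ENABLED_PROXIES))
    ftp = Request("ftp", "10.1.1.40", "internet")
    print(process(ftp, IPFILTER_RULES, INCORRECT_ORDER, ENABLED_PROXIES))
    print(process(ftp, IPFILTER_RULES, CORRECT_ORDER, ENABLED_PROXIES))
```

Running the model with the incorrect order grants FTP to a "publications" host because the wildcard allow rule matches first and the search stops; reversing the two rules produces the deny. The same first-match property is what makes a rule placed after deny_all dead: unreachable_after_catch_all applied to a table with deny_all at the top lists every rule beneath it.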
Rule elements<br />
Rule elements are the building blocks for your rules and help you save time<br />
and effort by allowing you to group information, reducing the number <strong>of</strong> rules<br />
you need to create. Rule elements consist <strong>of</strong> the following:<br />
• Users and user groups—Users can be placed in user groups, allowing you<br />
to apply a single proxy rule to multiple users who share the same access<br />
privileges. See “Users and user groups” on page 104.<br />
• Network objects—Network objects are entities for which you configure the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to allow or deny connections. They can consist <strong>of</strong> IP<br />
addresses, hosts, domains, netmaps, subnets, or netgroups. See “Network<br />
objects” on page 105.<br />
• Service groups—A service group is a collection <strong>of</strong> proxies and/or servers.<br />
When specified in a proxy rule, the rule will regulate access to all proxies<br />
and servers defined within that service group. See “Service groups” on<br />
page 108.<br />
Planning for rule elements
In providing network security, the main objective of the Sidewinder G2 is to enforce a set of rules that reflect your desired security policy. Properly defining and creating user groups, network objects, and service groups provides you with building blocks you can use to create sound rules. Remember, the groups you create and the rules you define serve as the embodiment of your site’s security policy.
The following list provides guidelines to consider when planning your rule elements:
• Start by considering your security policy. If you do not have a security policy, see the Perimeter Security Planning Guide (located on the Sidewinder G2 Management Tools CD) for information on how to develop one.
• Decide if you want to control access based on user groups, netgroups, or both.
• If you want to control access based on user groups, make a list defining all users, and organize the list by the networking services they will be granted and authentication methods they must use.
• Plan to include all users who require access to the same services using the same authentication methods in the same group.
• Plan to create service groups for each user or netgroup that requires access to the same services to reduce the number of rules you need to create.
• If you want to control access based on netgroups, make a list defining all your machines, and organize the list by the networking services they will be granted.
• Create a proxy rule for each user group and/or netgroup.
Important: Creating netgroups saves you the trouble of entering multiple versions of the same proxy rule. It is important to model (define) all network objects for which you want to allow access before you set up your rules.
Users and user groups
Users are people who use the networking services provided by the Sidewinder G2. User accounts are a mechanism used to authenticate people before they are permitted to make a network connection through (or to) the Sidewinder G2.
Note: Users and user groups are used only in proxy rules.
As described in the following chapter, you can use the Admin Console to create user accounts which are stored in a user database located on the Sidewinder G2 or in a separate authentication server. A single account in a user database includes information such as the user’s login name and password. (“Supported authentication methods” on page 277 provides detailed information on various methods used to authenticate users during a Sidewinder G2 connection attempt.)
A user group is a logical grouping of one or more users, identified by a single name. Also, a user group can include another “nested” user group. Figure 47 shows an example of two user groups.
Important: User groups can be used in an allow rule only if the specified service supports authentication (login, Telnet, FTP, Web, secure shell [SSH], or SSO).
[Figure 47: User Groups. Shows a user group named “Accounting” and a user group named “Engineering”.]
Figure 47 shows five users divided into two user groups: “Accounting” and “Engineering.” Suppose you want to allow both user groups Telnet access to the Internet. Also suppose you want to authenticate the “Accounting” user group differently from the “Engineering” user group. In this example you create two nearly identical rules to allow Telnet access, one for each user group. The only difference in the rules for each user group would be the authentication method you specify for each group.
Network objects
A network object is an entity for which you configure the Sidewinder G2 to allow or deny connections. A network object can be an IP address, a host, a domain, a netmap, a subnet, or a netgroup. When you create rules, you must specify a network object as the source or destination of the connection. (You may also select the All option, which serves as a wildcard.) The following subsections provide an overview of how each network object is used.
Domain objects
A domain object specifies a domain name that is registered in the Domain Name System (DNS). A domain object matches any domain or host name within the specified domain; for example, somehost.example.com matches example.com. See “Configuring domain objects” on page 142 for more information.
Domain network objects are not supported in IP Filter rules.
Host objects
A host object specifies an individual machine connected to the network. When specifying a host object, you must use a host name that is resolvable by DNS, or provide at least one IP address. See “Configuring host objects” on page 143 for more information.
In IP Filter rules, the localhost network object is supported but DNS-resolvable host names should be avoided. DNS-resolvable host names become inoperative during any periods when the appropriate DNS server is unavailable or unreachable.
IP address objects
A network object can be an IP address of an individual machine connected to the network. A machine can have more than one IP address. See “Configuring IP address objects” on page 145 for more information.
Netmap objects
Many organizations use network address translation (NAT) and/or redirection to prevent internal addresses from being visible to external users. On the Sidewinder G2, NAT refers to rewriting the source address of the packet, while redirection refers to rewriting the destination address of the packet.
For example, when a user sends a packet from an internal IP address on the Sidewinder G2 to an external IP address, the Sidewinder G2 intercepts the packet. If NAT is enabled for the matching rule, the Sidewinder G2 re-assigns (or translates) the source address to its external address (or an address you specify). Therefore, all traffic leaving your system appears to come from a single external IP address.
If an organization requires many different address translations for multiple IP addresses, you would normally need to create an individual rule for each different NAT or redirection scenario, which can become difficult to manage. However, using netmaps you can map multiple IP addresses and subnets to alternate addresses without creating numerous rules.
A netmap consists of one or more netmap members. A netmap member is any IP address or subnet object that you define. Each member in the netmap is mapped to an alternate address that you specify. See “Configuring netmaps” on page 145 for more information.
When creating a rule, you can use netmaps as follows:
• If you select a netmap in the source address field for a rule, the appropriate NAT properties are automatically supplied based on the mapping configured for each IP address or subnet in that netmap.
• If you select a netmap as the destination address in a rule, the appropriate redirection properties are automatically supplied based on the mapping configured for each IP address and subnet in that netmap.
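How a netmap is applied, as an added example that is not the guide’s or the product’s own code: each member is an IP address or a subnet mapped to an alternate address; a netmap in the source field supplies the NAT (source-rewrite) address, a netmap in the destination field supplies the redirection (destination-rewrite) address. The member and alternate addresses are constructed, and choosing the most specific member when members overlap is an assumption of the example, so the block also reports which members nest inside others.

```python
"""Netmap resolution: members (an IP address object, written /32, or a
subnet object) map to alternate addresses.  Source field -> NAT the source;
destination field -> redirect the destination.

Added example, not Sidewinder G2 code.  Addresses are constructed and the
longest-prefix choice between overlapping members is an assumption."""
from __future__ import annotations
import ipaddress
from typing import Optional

# Constructed outbound netmap: (member, alternate address).
SALES_NETMAP = [
    ("172.16.12.3/32", "203.0.113.12"),   # one IP address object
    ("172.16.12.0/24", "203.0.113.10"),   # subnet object
    ("172.16.0.0/16",  "203.0.113.1"),    # wider subnet object
]
# Constructed inbound netmap: public address -> internal server.
INBOUND_NETMAP = [("203.0.113.12/32", "172.16.12.3")]


def lookup_alternate(netmap: list[tuple[str, str]], ip: str) -> Optional[str]:
    """Alternate address of the most specific member containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best: Optional[tuple[int, str]] = None
    for member, alternate in netmap:
        net = ipaddress.ip_network(member, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, alternate)
    return None if best is None else best[1]


def apply_netmap(netmap: list[tuple[str, str]], src_ip: str, dst_ip: str,
                 *, as_source: bool) -> tuple[str, str]:
    """Return (source, destination) after the netmap is applied.  A netmap
    selected as the rule source rewrites the source (NAT); selected as the
    destination it rewrites the destination (redirection).  Addresses with
    no matching member pass through unchanged."""
    if as_source:
        alternate = lookup_alternate(netmap, src_ip)
        return (alternate or src_ip, dst_ip)
    alternate = lookup_alternate(netmap, dst_ip)
    return (src_ip, alternate or dst_ip)


def nested_members(netmap: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Pairs (inner, outer) where member inner lies inside member outer.
    For those addresses the inner mapping is the one applied, which is
    worth reviewing whenever a netmap mixes single hosts and subnets."""
    nets = [(m, ipaddress.ip_network(m, strict=False)) for m, _ in netmap]
    return [(a, b) for a, na in nets for b, nb in nets
            if a != b and na.subnet_of(nb)]
```

For 172.16.12.7 the /24 member wins over the /16 member, so outbound traffic from that host leaves as 203.0.113.10, while 172.16.12.3 is mapped by its own /32 entry; nested_members(SALES_NETMAP) lists all three containments so the overlap is visible before the netmap is attached to a rule.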
Subnet objects
A subnet object is a subset of a larger network, and consists of a network address and a subnet mask. A subnet object defines a range of IP addresses within a specific subnet. See “Configuring subnet objects” on page 147 for more information.
Note: For more information on subnets, refer to Section 13.4 in the UNIX System Administration Handbook, third edition.
Netgroup objects
A netgroup object consists of two or more network objects, identified by a single name. You can create netgroups for network objects that are inside or outside of the Sidewinder G2. A netgroup can include nested netgroups. For example, you can define a netgroup that includes a number of domains, several hosts that are outside of these domains, and a subnet. See “Configuring netgroup objects” on page 148 for more information.
Figure 48 shows a sample netgroup configuration.
[Figure 48: Netgroup. Members of the “sales” network group: presales.example.co, sales.example.co, 172.16.12.3; internal network; Sidewinder G2; Internet.]
As shown in Figure 48, a netgroup named “Sales” is comprised of two domains within a sales organization and an individual system using IP address 172.16.12.3. Suppose you want to allow users in all three of these network objects to access Telnet servers anywhere on the Internet. You need to create a rule to configure the connection, specifying ‘Sales’ as the source and a wildcard (leave the field blank to indicate a wildcard) as the destination. Without creating the Sales netgroup, you would need to make three rules to configure the Telnet access, one for each network object.
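Matching a connection endpoint against the network object types described above, as an added example that is not part of this guide or the product: domain objects match by DNS label suffix (so somehost.example.com matches example.com but fakeexample.com does not), host objects by name or by one of their addresses, subnets by prefix, and netgroups by recursing into their members, nested netgroups included. The object names, the sample addresses and the domain names are constructed; 172.16.12.3 is the address used in Figure 48.

```python
"""Matching an endpoint against IP address, subnet, domain, host and
(nested) netgroup network objects.

Added example, not Sidewinder G2 code.  The object table is a hypothetical
stand-in for the appliance's configuration; sample values are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    hostname: Optional[str] = None   # the resolved name, when DNS supplied one


# name -> (kind, value); kind is "ip", "subnet", "domain", "host" or "netgroup".
# A host object carries (name, [addresses]); a netgroup carries member names.
OBJECTS = {
    "sales_dom":    ("domain",   "sales.example.com"),
    "presales_dom": ("domain",   "presales.example.com"),
    "sales_box":    ("ip",       "172.16.12.3"),
    "eng_lan":      ("subnet",   "172.16.20.0/24"),
    "build_host":   ("host",     ("build.example.com", ["172.16.20.9"])),
    "Sales":        ("netgroup", ["sales_dom", "presales_dom", "sales_box"]),
    "AllInternal":  ("netgroup", ["Sales", "eng_lan", "build_host"]),   # nested
}


def in_domain(hostname: Optional[str], domain: str) -> bool:
    """A domain object matches the domain itself and any name beneath it.
    The check is label-aware: a plain string suffix test would also accept
    names such as fakeexample.com for example.com."""
    if not hostname:
        return False
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def matches(obj_name: str, ep: Endpoint, _seen: frozenset[str] = frozenset()) -> bool:
    """True if endpoint ep is covered by the named network object."""
    if obj_name in _seen:            # a netgroup that (indirectly) nests itself
        return False
    kind, value = OBJECTS[obj_name]
    if kind == "ip":
        return ipaddress.ip_address(ep.ip) == ipaddress.ip_address(value)
    if kind == "subnet":
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(value, strict=False)
    if kind == "domain":
        return in_domain(ep.hostname, value)
    if kind == "host":
        name, addrs = value
        return (ep.hostname or "").lower() == name.lower() or ep.ip in addrs
    if kind == "netgroup":
        return any(matches(m, ep, _seen | {obj_name}) for m in value)
    raise ValueError(f"unknown network object kind {kind!r}")
```

A rule with Sales as its source therefore covers a client whose reverse name is www.presales.example.com and the single host 172.16.12.3, but not a host in the engineering subnet; AllInternal reaches that host through its nested members. Note that domain matching depends on the name the firewall resolved, which is why the guide steers IP Filter rules toward addresses rather than DNS names.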
Service groups
A service group is a collection of selected proxies and/or servers. Once defined, a service group can be used in a proxy rule to regulate access to the services in the group. There are important administrative benefits gained by using service groups: while a typical proxy rule will regulate access for a single proxy or server, a proxy rule that is implemented using a service group can regulate access for multiple proxies and/or servers. Grouping services together in this manner enables you to reduce the overall number of rules you define, which in turn reduces the overall complexity of your rule database. A less complex rule database means there is less chance of introducing errors that may affect the integrity of your security policy. You can also configure Application Defense groups for rules that use service groups to specify advanced properties for each proxy included in that rule. (See “Application Defenses” on page 109 for an overview of Application Defenses.)
Example of a rule that uses a service group
Here’s an example that illustrates the power of a service group.
Assume you have a netgroup named eng_net_grp that consists of all the engineers in your organization. If you want to grant Web, FTP, and Telnet access to this group, you might do so by defining three separate rules. Table 9 illustrates how these three rules might look in the rule database.
Table 9: Typical rules not using service groups
No.  Name        Service  Service Type  Enabled  Action
1    http_out    HTTP     proxy         Enabled  Allow
2    ftp_out     FTP      proxy         Enabled  Allow
3    telnet_out  Telnet   proxy         Enabled  Allow
A better option, however, is to use a service group. This enables you to accomplish the same thing with one proxy rule. Create a service group that contains the HTTP, FTP, and Telnet proxies, then use this service group when defining the proxy rule. Table 10 illustrates the service group you might create, and Table 11 illustrates how the resulting proxy rule will appear in a rule.
Table 10: Sample service group
Service Group Name  Selected Proxies   Selected Servers
EngServGrp          HTTP, FTP, Telnet
Table 11: Sample proxy rule using a service group
No.  Name      Service     Service Type  Enabled  Action
1    Eng_rule  EngServGrp  servicegroup  Enabled  Allow
Please note the following points about service groups:
• The proxies in a service group must be enabled on the Services Configuration > Proxies window before they will pass traffic.
• Service groups are not supported in IP Filter rules.
• The services in a service group can be either all allowed or all denied on a proxy rule. It is not possible to use the same proxy rule to allow access to a subset of services in a service group while at the same time denying access to a different subset of services.
• Service groups are extremely effective when implemented in a proxy rule that regulates access for a user group or netgroup. Keep in mind, however, that all members in the user group or netgroup must conform to the same security policy (that is, they will all be allowed or denied access to the same collection of services).
• Authentication can be configured for a service group rule, even if not every service in the group permits authentication. The Sidewinder G2 is able to differentiate which services require authentication within a group. Mixed service groups (authenticating and non-authenticating services) are best used with allow rules. You can use SSO to require authentication for all services in a service group.
• You can define as many service groups as needed.
• As always, the sequencing of rules within the active rule group remains important, regardless of whether a service group is used.
Application Defenses
Application Defenses allow you to configure advanced application-specific properties for each proxy, including basic time-out properties and application-specific permissions. You can also configure key services such as anti-virus/anti-spyware, anti-spam/anti-fraud, SSL decryption, and Web services management.
You can create Application Defenses in advance and then select the defense for each rule that you create, or you can create defenses during rule creation. Whether you create Application Defenses in advance or within a proxy rule, the defense will be saved to a common database and can be used for other proxy rules without needing to be recreated for other rules.
Application proxies that allow you to configure connection properties are included in the Standard Application Defense. (You can also configure transparency properties for the Telnet proxy within a Standard Application Defense.) Application proxies that allow you to configure advanced, application-specific options (such as anti-virus, application permissions, etc.) as well as connection properties have their own branch in the Defenses branch (e.g., Web, Secure Web, Mail, Multimedia).
You can also create Application Defense groups that allow you to specify an Application Defense for each category (Web, Secure Web, Mail, Standard, etc.). Application Defense groups are most useful when creating rules that use service groups. When you create an Application Defense group, you can configure and specify an Application Defense for each application included in a service group. For an example of how an Application Defense group is used in a rule, see Table 12 on page 112.
The following list summarizes the various categories of Application Defenses:
Note: For information on specifying an Application Defense in a proxy rule, see “Creating proxy rules” on page 222.
• Web—This category allows you to configure advanced parameters for HTTP, including header filtering and MIME/virus/spyware filtering. It also provides support for SmartFilter 4.x. For information on configuring a Web Application Defense, see “Creating Web or Secure Web Application Defenses” on page 156.
• Secure Web—This category allows you to configure advanced parameters for Web-based proxies, such as HTTPS and SSO. It also provides support for SmartFilter 4.x. For information on configuring a Secure Web Application Defense, see “Creating Web or Secure Web Application Defenses” on page 156.
• Web Cache—This category allows you to configure Squid parameters for SmartFilter 3.x. For information on configuring a Web Cache Application Defense, see “Creating Web Cache Application Defenses” on page 170.
• Mail (Sendmail)—This category allows you to configure mail filtering and anti-virus services to ensure that all e-mail traffic is scanned and filtered before being allowed through to your internal networks. For information on configuring a mail (sendmail) Application Defense, see “Creating Mail (Sendmail) Application Defenses” on page 172.
• Mail (SMTP proxy)—This category allows you to filter mail using the SMTP proxy based on destination address and determine if source routing is supported. It also allows you to limit the length of replies received from mail servers. For information on configuring a mail (SMTP proxy) Application Defense, see “Creating Mail (SMTP proxy) Defenses” on page 181.
• Citrix—This category allows you to configure advanced ICA proxy parameters. For information on configuring a Citrix Application Defense, see “Creating Citrix Application Defenses” on page 185.
• FTP—This category allows you to configure FTP permissions and scanning of FTP files. For information on configuring an FTP Application Defense, see “Creating FTP Application Defenses” on page 186.
• IIOP—This category allows you to configure filtering properties for the Internet Inter-ORB Protocol (IIOP) proxy. For information on configuring an IIOP Application Defense, see “Creating IIOP Application Defenses” on page 191.
• Multimedia—This category allows you to configure permissions for T.120 and H.323 proxies. For information on configuring a multimedia Application Defense, see “Configuring the IIOP Connection tab” on page 191.
• Oracle—This category allows you to configure continuous session monitoring to prevent spoofing and tunneling attacks while sessions are in progress for the SQL proxy. For information on configuring an Oracle Application Defense, see “Creating Oracle Application Defenses” on page 194.
• MS SQL—This category allows you to configure the standard connection properties. For information on configuring an MS SQL Application Defense, see “Creating MS SQL Application Defenses” on page 196.
• SOCKS—This category allows you to configure advanced properties for the SOCKS proxy. For information on configuring a SOCKS Application Defense, see “Creating SOCKS Application Defenses” on page 197.
• SNMP—This category allows you to configure advanced properties for the SNMP proxy. For information on configuring an SNMP Application Defense, see “Creating SNMP Application Defenses” on page 198.
• Standard—This category allows you to configure connection properties for application proxies that do not require additional configuration options. You can also configure transparency properties for the Telnet proxy. For information on configuring a standard Application Defense, see “Creating Standard Application Defenses” on page 201.
The pre-configured rule called Internet Services uses a service group by the same name (Internet Services). This service group consists of multiple applications such as HTTP, HTTPS, FTP, ping, and Telnet that require Internet access. Using an Application Defense group in this rule allows you to configure advanced, application-specific properties for each service contained in that service group without creating a separate rule for each application. The following table lists the applications that are contained in the Internet Services service group and how each application uses the Application Defense group.
Table 12: Application Defense group used in the Internet Services rule
Service Group Apps  Application Defense Used in Group
ftp                 FTP (FTP allowed permits, connection properties)
http                Web (header filtering, MIME/virus/spyware filtering, etc.)
https               SecureWeb (SSL decryption, MIME/virus/spyware filtering, etc.)
ping                Standard (ping-specific connection properties)
RealMedia           Standard (RealMedia-specific connection properties)
rtsp                Standard (rtsp-specific connection properties)
telnet              Standard (Telnet-specific connection properties)
Proxy rule basics
The following subsections provide information on the basic components that comprise a proxy rule.
Note: This section provides an overview of proxy rules. For instructions on creating proxy rules, see “Creating proxy rules” on page 222.
Basic criteria used to allow or deny a connection
Sidewinder G2 determines whether to allow or deny a proxy or server connection by sequentially checking the rules in the active proxy rule group for the first match to all criteria attributed to the connection request. When a match is found, the connection will be allowed or denied based on the option selected in the Action field. The Sidewinder G2 uses the first proxy rule that matches all characteristics of the connection request to determine whether the connection will be allowed or denied. The basic criteria used to allow or deny a connection include the following:
• source or destination burb—You can configure a proxy rule to allow or deny connections based on the source burb, the destination burb, or both.
• source or destination network object—You can configure a proxy rule to allow or deny connections based on the source network object, the destination network object, or both. The source or destination object can be an IP address, a host name, a domain name, a netmap, a subnet, or a netgroup. A netgroup is a grouping of network objects defined by the Sidewinder G2 administrator (see “Network objects” on page 105 for more information on netgroups).
• connection service type—You can configure a proxy rule to allow or deny connections based on the service type providing the connection in the Sidewinder G2. Service types include:
– All—Allows connection service for both proxies and servers, but not service groups.
– Proxy—Provides a connection through the Sidewinder G2 in order to access a remote system.
– Server—Provides a service (such as Telnet) directly on the Sidewinder G2.
– Service group—Allows multiple proxies and/or servers to be grouped together and used to define a single proxy rule.
• type of network service requested—You can configure a proxy rule to allow or deny connections based on the type of network service that will be provided between the client and server. For proxy connections, the services include FTP, Telnet, and Web (HTTP), as well as many others.
Optional criteria used to allow or deny a connection
When setting up a proxy rule, you can also specify the following optional criteria for a connection.
Note: You can specify any of the following criteria in an ‘allow’ rule. However, only the authentication and date/time bullets apply to a ‘deny’ rule.
• the user requesting the connection—You can configure a proxy rule to allow connections based on a group of which the user requesting the connection is a member. A user group is comprised of multiple users defined by the Sidewinder G2 administrator. See “Users and user groups” on page 104 for more information on user groups. This option is only valid when using authentication or SSO.
• authentication—You can configure a proxy rule to require the Sidewinder G2 to authenticate the user requesting the connection before granting the connection request. See “Supported authentication methods” on page 277 for detailed information on the types of authentication services you can use.
You can also configure a proxy rule to deny with authentication. The purpose of this type of rule would be to allow access to everyone except a specific group of users. For example, you might want to deny Telnet access to your contractors but allow access for your regular employees.
Important: If you are not using SSO, configuring a deny with authentication proxy rule in a mixed service group (authenticating and non-authenticating services like Telnet and ping, respectively) will deny all non-authenticating services. However, if SSO authentication is configured, initial authentication will apply to all services contained in the service group. See “Service groups” on page 108 for more information.
• the time and day when the connection request is made—You can configure a proxy rule to allow or deny connections based on the time, the day, or both.
• Application Defense properties—You can configure a proxy rule to allow connections based on advanced application-specific parameters by selecting the appropriate Application Defense. You can also configure whether the connection will be transparent or non-transparent for some proxies. See “Application Defenses” on page 109 for information.
Using NAT and redirection in proxy rules
You can configure proxy rules to perform Network Address Translation (NAT) and/or redirection. On the Sidewinder G2, NAT refers to rewriting the source address of the packet, while redirection refers to rewriting the destination address of the packet. This protects IP addresses behind the Sidewinder G2 (on your internal network). The following scenarios demonstrate how NAT and redirection work.
Scenario 1 - Internal network to external network Telnet access using NAT
Internal network 172.17.0.0 requires Telnet access to the external network 192.101.0.0. The IP address of a machine on the internal network should not be passed through the Sidewinder G2. Traffic sent from the internal network to the external network should appear as if it originated at the Sidewinder G2. Therefore, a rule must be created that will translate the internal host addresses to the external address of the Sidewinder G2. To allow this type of access, the NAT information would be configured as follows:
Source Burb: internal
Destination Burb: external
Source: 172.17.0.0 (internal address)
Destination: 192.101.0.0 (destination address)
NAT Address: localhost
Scenario 2 - Redirect external connections to an internal Telnet server
An external network at 192.101.0.0 requires Telnet access to the internal host at 172.17.120.123. However, 192.101.0.0 is not allowed to directly route to the internal host. External hosts will initiate a Telnet connection to the external side of the Sidewinder G2 (localhost). The rule will then rewrite the destination address to that of the internal host and then forward the traffic onward. The TCP/UDP allow information for the rule could be configured as follows:
Source Burb: external
Destination Burb: internal
Source: 192.101.0.0 (source address)
Destination: localhost
Redirection Address: 172.17.120.123 (internal host)
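Scenarios 1 and 2, together with the basic and optional criteria listed earlier and a service group rule like Eng_rule from Table 11, as an added example that is not the guide’s or the product’s own code: a first-match evaluator that checks burbs, source and destination, service type (including service groups), an optional user group and time/day window, and then applies the rule’s NAT or redirection address to the connection. The /16 masks for 172.17.0.0 and 192.101.0.0, the constructed external interface address 203.0.113.1 standing in for “localhost”, the user group membership and the fall-through deny are assumptions of the example.

```python
"""First-match proxy rule evaluation with burbs, addresses, service type
(proxy / server / servicegroup), optional user group and time/day criteria,
and the NAT or redirection address applied when an allow rule matches.

Added example, not Sidewinder G2 code.  Field names, the request record and
the constants below are hypothetical or constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional

FIREWALL_EXTERNAL_IP = "203.0.113.1"                        # constructed; plays "localhost"
USER_GROUPS = {"marketing": {"alice", "bob"}}               # constructed membership
SERVICE_GROUPS = {"EngServGrp": {"http", "ftp", "telnet"}}  # Table 10


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    source_burb: str
    dest_burb: str
    source: str                     # CIDR, "localhost", or "" for any
    dest: str
    service_type: str               # "proxy", "server" or "servicegroup"
    service: str                    # service name, or service group name
    nat_address: Optional[str] = None        # rewrite source on allow
    redirect_address: Optional[str] = None   # rewrite destination on allow
    user_group: Optional[str] = None
    days: Optional[frozenset[int]] = None    # weekday numbers, Monday = 0
    hours: Optional[tuple[int, int]] = None  # allowed [start, end) hour


@dataclass(frozen=True)
class Request:
    source_burb: str
    dest_burb: str
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str] = None      # set only after authentication or SSO
    when: Optional[datetime] = None


def request_at(req: Request, year: int, month: int, day: int, hour: int) -> Request:
    """Copy of req stamped with the time the connection request is made."""
    return replace(req, when=datetime(year, month, day, hour))


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "":                  # blank field is a wildcard
        return True
    if spec == "localhost":         # the firewall's own interface
        return ip == FIREWALL_EXTERNAL_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def service_matches(rule: Rule, service: str) -> bool:
    if rule.service_type == "servicegroup":
        return service in SERVICE_GROUPS.get(rule.service, set())
    return rule.service == service


def rule_matches(rule: Rule, req: Request) -> bool:
    if (rule.source_burb, rule.dest_burb) != (req.source_burb, req.dest_burb):
        return False
    if not (addr_matches(rule.source, req.src_ip) and addr_matches(rule.dest, req.dst_ip)):
        return False
    if not service_matches(rule, req.service):
        return False
    if rule.user_group and req.user not in USER_GROUPS.get(rule.user_group, set()):
        return False
    if rule.days is not None or rule.hours is not None:
        if req.when is None:
            return False
        if rule.days is not None and req.when.weekday() not in rule.days:
            return False
        if rule.hours is not None and not (rule.hours[0] <= req.when.hour < rule.hours[1]):
            return False
    return True


def evaluate(rules: list[Rule], req: Request) -> tuple[str, Optional[str], str, str]:
    """Return (action, matched rule, source after NAT, destination after redirection)."""
    for rule in rules:
        if rule_matches(rule, req):
            src, dst = req.src_ip, req.dst_ip
            if rule.action == "allow":
                if rule.nat_address == "localhost":
                    src = FIREWALL_EXTERNAL_IP
                elif rule.nat_address:
                    src = rule.nat_address
                if rule.redirect_address:
                    dst = rule.redirect_address
            return rule.action, rule.name, src, dst
    return "deny", None, req.src_ip, req.dst_ip   # assumption: no match -> deny


# Scenario 1 and Scenario 2 from this section; the /16 masks are an assumption.
SCENARIO_RULES = [
    Rule("telnet_out_nat", "allow", "internal", "external",
         "172.17.0.0/16", "192.101.0.0/16", "proxy", "telnet", nat_address="localhost"),
    Rule("telnet_in_redirect", "allow", "external", "internal",
         "192.101.0.0/16", "localhost", "proxy", "telnet", redirect_address="172.17.120.123"),
]
# Rule in the style of Tables 13 and 14: marketing users, Mon-Fri 7am-7pm, HTTP proxy.
WEB_RULE = Rule("web_marketing", "allow", "Internal", "Internet", "", "", "proxy", "http",
                user_group="marketing", days=frozenset(range(5)), hours=(7, 19))
# Table 11: one rule covering every proxy in the EngServGrp service group.
ENG_RULE = Rule("Eng_rule", "allow", "internal", "Internet", "", "", "servicegroup", "EngServGrp")
```

An outbound Telnet request from 172.17.5.5 matches the first scenario rule and leaves with the firewall’s external address as its source; an inbound Telnet request addressed to that external address matches the second rule and is forwarded to 172.17.120.123, while a request sent straight to 172.17.120.123 matches nothing and is denied. The web rule shows the optional criteria: the same user is allowed on a Wednesday morning and denied on Saturday, after 7pm, or when not a member of marketing.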
Simple proxy rule examples<br />
Chapter 4: Understanding Policy Configuration<br />
Proxy rule basics<br />
This section provides several examples <strong>of</strong> proxy rules to help you better<br />
understand how the <strong>Sidewinder</strong> <strong>G2</strong> uses a rule to determine whether to allow<br />
or deny a connection request.<br />
Table 13 summarizes criteria for a proxy rule that permits any client in a trusted<br />
burb to connect to any Web server located in the Internet burb. This criteria<br />
reflects only the basic settings needed to allow access.<br />
Table 13: Sample settings for a simple proxy rule
Basic rule criteria   Setting             Comments
Service Type          Proxy               Software service type: proxy, server, or service group.
Service               HTTP                Type of service: Telnet, FTP, Web (HTTP), etc.
Action                Allow               Specifies whether to allow or deny a service.
Source Burb           Internal            Name of the source burb.
Source                any (leave blank)   Name of the source network object.
Destination Burb      Internet            Name of the destination burb.
Destination           any (leave blank)   Name of the destination network object.
App. Defense          Web                 Contains application-specific properties.
There are a number of optional effects you can configure for each proxy rule.
For example, by adding the entry options shown in Table 14, you can specify
which internal users are allowed Web access, specify a time interval when
Web access is allowed, and require authentication.
Figure 49: Sample Network Configuration
Table 14: Optional proxy rule options
Optional rule criteria   Setting           Comments
User Group               marketing         Specify the name of a user group.
Authentication           Password          Specify the authentication method(s). FTP and Telnet proxies and console logins can also specify Password, Radius, SafeWord, SecurID, or SNK.
Times/Day                Mon-Fri 7am-7pm   Specify the time restrictions for allowing or denying service.
Important: If you are not using SSO, user groups can be used in an allow rule only
if the specified service supports authentication (login, Telnet, FTP, Web, or secure
shell [SSH]).
Example of proxy rules using netgroups
For the configuration shown in Figure 13, the Sidewinder G2 administrator has
grouped all internal systems into one of three netgroups: marketing
(mkt_net_group), engineering (eng_net_group), and accounting
(acct_net_group).
Note: For more information on netgroups, see “Network objects” on page 105.
[Figure 49 diagram: the internal burb contains the netgroups mkt_net_grp, eng_net_grp and acct_net_grp; the Sidewinder G2 (proxies) has internal burb address 172.20.1.1 and external burb address 192.55.214.2; the Internet host 192.55.12.3 is reached through the external burb.]
Suppose you want to allow all groups access to external FTP sites but only the
engineering group access to FTP host 192.55.12.3. Table 15 shows the proxy
rules in the order that they should be added to the rule group.
Table 15: Proxy rules for sample configuration shown in Figure 49
Proxy rule criteria         Rule 1: allow_eng_ftp   Rule 2: deny_other_ftp   Rule 3: allow_oth_ftp
Service Type                Proxy                   Proxy                    Proxy
Service                     FTP                     FTP                      FTP
Action                      Allow                   Deny                     Allow
Source Burb                 Internal                Internal                 Internal
Source                      eng_net_group           any (leave blank)        any (leave blank)
Destination Burb            Internet                Internet                 Internet
Destination                 192.55.12.3             192.55.12.3              any (leave blank)
User Group                  any (leave blank)       any (leave blank)        any (leave blank)
Authentication              SafeWord
Times/Days                  Fri 7am-7pm
Application Defense (FTP)   Allow Put/Get           deny_all                 Allow Put/Get
The following list summarizes key points to consider for the proxy rules listed in
Table 15.
• Rule 1 allows all systems in the engineering group authenticated FTP
access to IP address 192.55.12.3 on the Internet, but only on Friday
between 7:00 a.m. and 7:00 p.m.
• This rule requires users to authenticate themselves via SafeWord before an
FTP connection is allowed.
• Rule 2 denies all systems in the trusted burb named internal from FTP
service to IP address 192.55.12.3 on the Internet.
• Rule 3 allows FTP service from all systems in the internal trusted burb to
any external system in the Internet burb.
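The ordering point in the list above (rule 1 must sit before rule 2, or engineering loses its access) can be checked with a small first-match evaluator. The following is an added example in Python, not Sidewinder G2 code: the netgroup address ranges, the request fields and the time handling are constructed for illustration, and burbs, network objects and Application Defenses are not modelled.

```python
"""First-match evaluation of an ordered proxy rule group, modelled on Table 15.

Added example for this guide; it is not Sidewinder G2 code. The netgroup
address ranges, the request fields and the time handling are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address ranges for the three netgroups of Figure 49 (the guide
# only gives the group names).
NETGROUPS = {
    "eng_net_group": [ip_network("172.20.10.0/24")],
    "mkt_net_group": [ip_network("172.20.20.0/24")],
    "acct_net_group": [ip_network("172.20.30.0/24")],
}


@dataclass(frozen=True)
class ProxyRule:
    name: str
    action: str                              # "Allow" or "Deny"
    service: str                             # "FTP", "HTTP", ...
    source: Optional[str] = None             # netgroup name; None = any
    destination: Optional[str] = None        # single host; None = any
    authentication: Optional[str] = None     # required method; None = not required
    days: Optional[Tuple[str, ...]] = None   # e.g. ("Fri",); None = any day
    hours: Optional[Tuple[int, int]] = None  # (start, end) in 24h; None = any time


@dataclass(frozen=True)
class Request:
    service: str
    src_ip: str
    dst_ip: str
    day: str
    hour: int
    authenticated_with: Optional[str] = None  # method the user completed, if any


def in_netgroup(ip: str, group: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in NETGROUPS[group])


def rule_matches(rule: ProxyRule, req: Request) -> bool:
    """Every criterion set on the rule must hold; unset criteria match anything."""
    if rule.service != req.service:
        return False
    if rule.source is not None and not in_netgroup(req.src_ip, rule.source):
        return False
    if rule.destination is not None and rule.destination != req.dst_ip:
        return False
    if rule.days is not None and req.day not in rule.days:
        return False
    if rule.hours is not None and not (rule.hours[0] <= req.hour < rule.hours[1]):
        return False
    # Simplification: the real proxy prompts for credentials; here a rule that
    # requires authentication only matches a request already authenticated with it.
    if rule.authentication is not None and req.authenticated_with != rule.authentication:
        return False
    return True


def evaluate(rules, req: Request) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule in group order."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "Deny", "<no match>"  # nothing matched: the trailing Deny All rule applies


TABLE_15 = [
    ProxyRule("allow_eng_ftp", "Allow", "FTP", source="eng_net_group",
              destination="192.55.12.3", authentication="SafeWord",
              days=("Fri",), hours=(7, 19)),
    ProxyRule("deny_other_ftp", "Deny", "FTP", destination="192.55.12.3"),
    ProxyRule("allow_oth_ftp", "Allow", "FTP"),
]

# Swapping rules 1 and 2 silently removes engineering's access: the deny rule
# now matches first, so the order inside the rule group is part of the policy.
MISORDERED = [TABLE_15[1], TABLE_15[0], TABLE_15[2]]

if __name__ == "__main__":
    eng_fri = Request("FTP", "172.20.10.5", "192.55.12.3", "Fri", 10, "SafeWord")
    print(evaluate(TABLE_15, eng_fri))    # ('Allow', 'allow_eng_ftp')
    print(evaluate(MISORDERED, eng_fri))  # ('Deny', 'deny_other_ftp')
```

Running the module prints the two results shown in the comments; the same engineering request on a Monday, or outside 7am-7pm, falls through rule 1 and is caught by the deny rule, which is the intended behaviour of the table.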
Advanced proxy rule example using service groups
Now assume you want to specify all the various privileges afforded each of the
three netgroups in Figure 15. You could do this by defining many different allow
and deny proxy rules. However, because the source and destination criteria for
each of the network objects within a group are identical, a more elegant option
is to use service groups. Service groups enable you to use a single proxy rule
to define all the privileges assigned to a particular group.
Note: For more information on service groups, see “Service groups” on page 108.
For example, assume you want to assign the following privileges to each of the
netgroups in Figure 15:
• Engineering group—Access to all Sidewinder G2 proxies and servers
• Marketing group—Access to the Web, FTP, and e-mail via the http, ftp, and
smtp proxies
• Accounting group—Access to FTP and e-mail via the ftp and smtp proxies
You first define three different service groups. This is illustrated in Table 16.
Table 16: Sample service groups
Service group criteria   EngServiceGrp   MktServiceGrp     AcctServiceGrp
Selected Proxies         All proxies     HTTP, FTP, SMTP   FTP, SMTP
Selected Servers         All servers     None              None
You then use the service groups when defining your proxy rules. Table 17
shows the sample proxy rules.
Table 17: Proxy rules for the advanced rule group example
Proxy rule criteria         Entry 1: eng_rule    Entry 2: deny_other_ftp   Entry 3: mkt_rule    Entry 4: acct_rule
Service Type                Service Group        Proxy                     Service Group        Service Group
Service                     EngServiceGroup      FTP                       MktServiceGroup      AcctServiceGroup
Action                      Allow                Deny                      Allow                Allow
Source Burb                 Internal             Internal                  Internal             Internal
Source                      eng_net_group        Any (leave blank)         mkt_net_group        acct_net_group
Destination Burb            Any (leave blank)    Internet                  Internet             Internet
Destination                 Any (leave blank)    192.55.12.3               Any (leave blank)    Any (leave blank)
User Group                  Any (leave blank)    Any (leave blank)         Any (leave blank)    Any (leave blank)
Authentication              SafeWord                                       SafeWord             SafeWord
Times/Days
Application Defense group   Web, FTP, Mail       deny_all                  Web, FTP, Mail       Web, FTP, Mail
Default rules
As mentioned earlier in this chapter, when you configure Sidewinder G2 you
can select from one of two sets of default services that will be automatically
placed in the active proxy rule group during initial configuration. The following
options are available and described in Table 18 on page 120:
• Allow administrative services only: If you select this option, Sidewinder
G2’s active rule group will contain only rules necessary for administration.
Other pre-configured rules appear on the Rules screen by default, but are
not in the active proxy rule group and therefore do not pass traffic.
• Allow administrative and basic outbound Internet services: If you select
this option, Sidewinder G2’s active rule group will include rules for
administration and a rule providing users access to the most commonly
used Internet services.
Table 18: Initial active policy
Proxy rule name: dnsp (names vary)
Summary: Allow DNS traffic to proxy between indicated burbs. Which
rules are created depends on the location of the DNS resolver
IP addresses (internal burb, external burb, assumed to be
reach-by-default route) provided in the Network Information
window.
Proxy rule name: Admin Console
Summary: Allows administrators to connect to the Sidewinder G2 using
the Admin Console.
Proxy rule name: Login Console
Summary: Allows administrators to log in directly at the Sidewinder G2,
using an attached keyboard and monitor.
Proxy rule name: Internet Services
Summary: This rule is added if you select “Allow administrative services
and basic outbound Internet services” on the policy window.
The rule provides users access to the most commonly used
Internet services using a pre-configured “Internet Services”
service group. The Internet Services rule regulates access to
the following proxies and servers:
• FTP
• HTTP
• HTTPS
• Ping
• Real Media
• RTSP
• Telnet
Proxy rule name: Deny All
Summary: Denies all connections from any source burb to any destination
burb.
IP Filter rule basics
IP Filter rules allow you to securely forward IP packets between networks,
allowing traffic to pass between the networks (for example, encrypted VPN
sessions). You can create IP Filter rules for TCP, UDP, ICMP, and many other
protocols (such as AH).
Security Alert: Secure Computing strongly recommends that you use IP Filter only
for non-TCP/UDP protocols, such as Vines, PPTP, NES, etc. Using IP Filter for a
TCP/UDP protocol will, in most cases, severely degrade the effectiveness of the
Sidewinder G2 and will expose your network to security hazards.
Functionally, IP Filter is based upon a rule database in the Sidewinder G2
kernel. IP Filter rules filter incoming packets based on source IP address,
destination IP address, and ports. Like proxy rules, IP Filter rules also have the
option of using network address translation (NAT) and/or redirection. You can
configure and manage the IP Filter rule database using the Admin Console.
IP Filter processing can be configured to reject packets with the following
source addresses:
• Packets with broadcast source addresses
• Packets with source addresses on a loopback network that were received
on a non-loopback device
Note: Packets that are rejected for source route information will generate a
netprobe audit event.
When you initially configure the Sidewinder G2, you will have a default IP Filter
rule group that is assigned in the active rules. This rule group is empty. You can
create and add rules and/or rule groups to this group, or create your own group
and assign it as the active rule group instead.
The following sections summarize how IP Filtering works when stateful packet
inspection (also known as session tracking) is enabled and when it is not
enabled. The sections also describe which criteria are used to
determine rule matches and what happens after the Sidewinder G2 checks the
packet against the active IP Filter rules.
Note: For information on creating IP Filter rules, see “Creating IP Filter rules” on
page 228.
How traffic is filtered if stateful packet inspection is enabled
When Sidewinder G2 receives TCP, UDP, and ICMP traffic, it starts by
checking an IP Filter session record database to determine if an active session
record exists for this traffic. A session record indicates that this traffic is in
response to a previous successful match to an allow rule. Session records only
exist if the matching rule had stateful packet inspection enabled. Stateful
packet inspection is only an option for TCP, UDP, and ICMP IP Filter rules.
If an active session record exists, the following occurs:
a. Perform address rewriting, if required
b. Perform session processing
c. Forward packet directly to the correct destination interface without any
additional processing
If no active session record exists, the following occurs:
Sidewinder G2 uses the criteria in Table 19 to check the active IP Filter rules
and find a match. The description for how the packet proceeds through the
Sidewinder G2 comes after the table. The flowchart in Figure 50 illustrates the
complete process.
Table 19: Rule matching criteria with stateful packet inspection enabled
Protocol   Criteria
TCP/UDP    source IP address, destination IP address, ports
ICMP       packet type (echo, message, timestamp), source IP address, destination IP address
• If a matching allow rule does exist, the following occurs:
a. Add a session record to the session record database.
b. Perform Network Address Translation (NAT) if required.
c. Session processing occurs.
d. Forward packet directly to the correct destination interface without any
additional processing by the Sidewinder G2.
• If a matching deny rule exists, the packet is discarded without any further
processing.
• If a matching bypass rule exists, the packet is forwarded directly to
application-layer processing.
Tip: Bypass rules are used to expedite processing of specified traffic by not
checking them against all IP Filter rules before sending them to application-level
processing. Therefore, position bypass IP Filter rules early in the active
rule group.
• If no matching IP Filter rule exists, the packet is forwarded to normal
Sidewinder G2 application-layer processing.
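The session-record check followed by ordered bypass/allow/deny matching described above, as an added example in Python. It is not Sidewinder G2 code: the rule set, addresses and packets are constructed, address rewriting (NAT and redirection) is not modelled, and each outcome string names the path the packet takes.

```python
"""Stateful IP Filter packet handling, modelled on the flow this section describes.

Added example for this guide; it is not Sidewinder G2 code. Rules, addresses
and packets are constructed; NAT/redirection is not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0
    icmp_type: str = ""   # "echo", "message" or "timestamp" for icmp


@dataclass(frozen=True)
class FilterRule:
    name: str
    action: str                    # "allow", "deny" or "bypass"
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None    # None: any port (ignored for icmp)
    icmp_type: Optional[str] = None
    stateful: bool = False         # only meaningful for allow rules


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """Table 19 criteria: addresses and ports for TCP/UDP, type and addresses for ICMP."""
    if rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if pkt.proto == "icmp":
        return rule.icmp_type in (None, pkt.icmp_type)
    return rule.dport in (None, pkt.dport)


class IPFilter:
    def __init__(self, rules):
        self.rules = list(rules)           # evaluated in order; first match wins
        self.sessions: Set[Tuple] = set()  # the session record database

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        # 1. An existing session record (in either direction) short-circuits rule
        #    evaluation, so replies to an allowed flow are forwarded even when no
        #    rule would admit them on their own.
        if self._key(pkt) in self.sessions or self._reverse_key(pkt) in self.sessions:
            return "forwarded (session)"
        # 2. Otherwise walk the active rules in order.
        for rule in self.rules:
            if not rule_matches(rule, pkt):
                continue
            if rule.action == "bypass":
                return f"application-layer ({rule.name})"
            if rule.action == "deny":
                return f"discarded ({rule.name})"
            if rule.stateful:                      # allow rule: record the session
                self.sessions.add(self._key(pkt))  # only if stateful inspection is on
            return f"forwarded ({rule.name})"
        # 3. No IP Filter rule matched: normal application-layer (proxy) processing.
        return "application-layer (no match)"


# Constructed rule group.  The bypass rule is deliberately placed after a deny
# rule covering the same traffic, so it is never reached (see the Tip above).
RULES = [
    FilterRule("dns_out", "allow", "udp", "172.17.0.0/16", "192.101.0.0/16",
               dport=53, stateful=True),
    FilterRule("syslog_out_stateless", "allow", "udp", "172.17.0.0/16",
               "192.101.0.0/16", dport=514, stateful=False),
    FilterRule("block_ext_tcp", "deny", "tcp", "192.101.0.0/16", "172.17.0.0/16"),
    FilterRule("bypass_ext_https", "bypass", "tcp", "192.101.0.0/16",
               "172.17.0.0/16", dport=443),
]
```

With `RULES` loaded, a DNS query from 172.17.0.5 creates a session and its reply is forwarded on the session record alone; the stateless syslog rule forwards the outbound packet but leaves no record, so the corresponding reply falls through to application-layer processing, which is exactly the difference the text draws between rules with and without stateful inspection.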
Figure 50: IP Filtering on packets with rules that have stateful packet inspection enabled
[Flowchart: TCP/UDP/ICMP packet in; does a session exist? yes: translate as required, perform session processing, forward message without further processing; no: match “bypass” rule? yes: perform application-layer processing; no: match “allow” rule? yes: add a session, then translate, perform session processing and forward; no: match “deny” rule? yes: discard packet; no: perform application-layer processing; out.]
How traffic is filtered if stateful packet inspection is not enabled
When Sidewinder G2 receives traffic, it checks the active IP Filter rules for a
matching rule. If a rule does not have stateful packet inspection enabled,
Sidewinder G2 checks the criteria in Table 20 to find a match.
Table 20: Rule matching criteria without stateful packet inspection enabled
Protocol   Criteria
TCP/UDP    source IP address, destination IP address, ports
ICMP       source IP address, destination IP address
Other      source IP address, destination IP address
Using these criteria, the Sidewinder G2 determines if the packet matches any of
the active allow, bypass, or deny rules. (Bypass rules are not available when
creating rules of type Other.) Sidewinder G2 then does one of the following:
• If a rule match is found, the packet source or destination address will be
translated according to the translation information that is configured for that
rule. The packet is then forwarded on for any further Sidewinder G2
processing. The flowchart in Figure 51 illustrates this process.
• If there are no matching rules in the IP Filter database, the Sidewinder G2
sends the packet on to application-layer processing.
Figure 51: IP Filtering on packets that do not have stateful inspection disabled
[Flowchart: incoming packets A and B are checked against the active IP Filter rules; no match: continue application-layer proxy processing; match: allow, bypass or deny rule? Deny rule: reject packet, no further processing. Allow rule: translate packet (as rule requires), then continue application-layer proxy processing. Bypass rule: do not check against the rest of the IP Filter rules, continue application-layer proxy processing.]
Figure 52: Example network
Using NAT and redirection for IP Filter rules
Many organizations use network address translation (NAT) and/or redirection
to prevent internal addresses from being visible to external users. On the
Sidewinder G2, NAT refers to rewriting the source address of the packet to the
external address of the Sidewinder G2 (or an address you specify). This allows
you to protect (or hide) the actual client source address, and in the case of
non-routable source addresses (such as 10.0.0.0) rewrite it to an address that
can be routed on the Internet. Redirection refers to rewriting the destination
address of an incoming packet to a redirect host for delivery.
Note: NAT and redirection function independently of one another. For applications
that allow either side of a connection to act as the client, you will generally create
two rules: one using NAT, and one using redirection.
Caution: Allowing IP Filter to pass traffic without NAT or redirection is possible
assuming all addresses are routable. However, it is not recommended because it
will expose internal addresses to the external side of your Sidewinder G2 without
the protection of a proxy.
When NAT or redirection is enabled in a rule, the source address in the rule is
always protected, as follows:
• For a rule of source -> destination, enabling NAT will “hide” the source
address from the destination for traffic originating from the source by
translating that address to the external address of the Sidewinder G2.
• For a rule of source -> redirect address, the destination (or external
Sidewinder G2 address) will be redirected to the actual source address and
hides the redirected address for traffic returning to the source.
Note: NAT or redirection are not allowed for bi-directional IP Filter rules with
stateful inspection enabled.
For the following scenarios, assume your network looks like this:
[Figure 52 diagram: the internal network 172.17.0.0 connects to the Sidewinder G2, whose interface addresses are 172.17.129.130 and 10.11.12.13, and the Sidewinder G2 connects to the external network 192.101.0.0.]
Limitations of NAT for IP Filter protocols
Note the following limitations when setting up rules involving address rewriting
for TCP/UDP/ICMP protocols.
• NAT and redirection are not allowed for bi-directional IP Filter rules with
stateful packet inspection enabled.
• For address rewrite rules with redirection to the source address, only unidirectional
rules are allowed. Furthermore, the destination address in this
type of rule must have a significant bits value of 32 (that is, it must be a
single host or netmap). This is because the redirect address must be a
single host.
Setting the IP Filter NAT port rewrite range
When a packet from a source reaches the Sidewinder G2 and matches an IP
Filter rule with NAT configured, the source port and source address will be
rewritten and the packet will then be forwarded to its destination.
To facilitate this process, the IP Filter reserves a block of 875 ports for its own
use. The OS will never allow a process to bind to a port in this range. Creating
a TCP generic services proxy in this port range will not work. The default range
is set to 9210—9995.
If you need a port in IP Filter's reserved range (perhaps for a generic proxy),
the range can be moved by modifying the Start of Reserved Ports field in the
IP Filter Properties window. See “Viewing and modifying general IP Filter
properties” on page 241.
It is possible that an existing TCP proxy connection may be using a port in the
range you specify. In this case the cf ipfilter command will fail. You should
look at the current port usage by entering the netstat -a command and
adjust the IP Filter port range accordingly.
Specifying the source port in an IP Filter rule
The Sidewinder G2 enables you to specify the source port value to use in a
TCP or UDP IP Filter connection. This capability is typically only used when
connecting to an application that requires the source port to be a specific
value. (In some cases the application will require the source port to be the
same value as the port on which the application is listening.)
This capability is implemented by configuring NAT on the appropriate IP Filter
rule. This “source port” implementation of NAT, however, is different from a
normal implementation of NAT.
Figure 53: Normal NAT IP Filter rule implementation
• Normal—Each connection uses the same IP address but gets its source
port from a pool of ports. When using normal NAT rules, the total number of
connections is dependent on the number of ports reserved for IP Filter in
the IP Filter Properties window.
• Source port—Each connection uses the original client source port, but gets
its translated IP address from a pool of IP addresses. (The pool of IP
addresses is derived from whatever IP aliases are defined for the
associated NIC. The total number of connections is therefore dependent on
the number of alias addresses defined for the NIC.) The pool of addresses
is normally a group of alias IP addresses associated with the destination
NIC. The total number of connections is therefore dependent on the
number of IP addresses specified by the rule.
By specifying one or more IP aliases, you can have multiple connections (each
connection uses the same port number but a different IP address). Figure 53
and Figure 54 illustrate the differences in the two implementations.
[Figure 53 diagram: workstation A (172.27.18.9) on the internal network connects through the Sidewinder G2 (external address 11.80.1.1) to application B at 192.1.1.1, listening on port 50. Possible connections from workstation A to application B using a normal NAT IP Filter rule, with the source port drawn from the pool of available IP Filter ports (9120 .... 9995):
Internal IP    Source IP   Source Port   Dest IP     Dest Port
172.27.18.9    11.80.1.1   9142          192.1.1.1   50
172.27.18.9    11.80.1.1   9877          192.1.1.1   50
172.27.18.9    11.80.1.1   9812          192.1.1.1   50
172.27.18.9    11.80.1.1   9884          192.1.1.1   50]
Figure 54: “Source port” NAT IP Filter rule implementation
[Figure 54 diagram: workstation A (172.27.18.9) on the internal network connects through the Sidewinder G2 (address 11.80.1.1, with the IP aliases 11.80.1.4, 11.80.1.5, 11.80.1.6 and 11.80.1.7 forming the pool of available IP addresses) to application B at 192.1.1.1, listening on port 50. Possible connections from workstation A to application B using a “source port” NAT IP Filter rule:
Internal IP       Source IP   Source Port   Dest IP     Dest Port
172.27.18.9:50    11.80.1.4   50            192.1.1.1   50
172.27.18.9:50    11.80.1.5   50            192.1.1.1   50
172.27.18.9:50    11.80.1.6   50            192.1.1.1   50
172.27.18.9:50    11.80.1.7   50            192.1.1.1   50]
Requirements
Please note the following requirements when using NAT to specify the source
port of an IP Filter connection.
• This configuration only applies to uni-directional (source -> destination) IP
Filter rules with stateful inspection enabled.
• Use Source Port when specifying the source port in an IP Filter connection.
See “Creating IP Filter rules” on page 228 for more information.
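The capacity difference between the two NAT implementations (ports from the reserved pool in the normal case, alias addresses in the source-port case) can be seen by modelling both allocators. The following is an added example in Python, not Sidewinder G2 code; the external address, the reserved port range, the alias addresses and the client connections are all constructed and deliberately small.

```python
"""Normal NAT versus "source port" NAT for IP Filter rules.

Added example for this guide; it is not Sidewinder G2 code. The reserved port
range, alias addresses and connections are constructed. With normal NAT the
number of concurrent connections is bounded by the size of the reserved port
pool; with source-port NAT it is bounded by the number of IP aliases.
"""
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, int, str, int]  # (client ip, client port, dest ip, dest port)
Translation = Tuple[str, int]     # (translated source ip, translated source port)


class NormalNat:
    """One external address; every connection draws a distinct port from the
    reserved pool, so at most len(pool) connections can exist at once."""

    def __init__(self, external_ip: str, port_start: int, port_end: int):
        self.external_ip = external_ip
        self.free_ports: List[int] = list(range(port_start, port_end + 1))
        self.active: Dict[Conn, Translation] = {}

    def capacity(self) -> int:
        return len(self.free_ports) + len(self.active)

    def translate(self, conn: Conn) -> Optional[Translation]:
        """Return the (ip, port) written into the packet, or None if the pool is exhausted."""
        if conn in self.active:
            return self.active[conn]
        if not self.free_ports:
            return None
        self.active[conn] = (self.external_ip, self.free_ports.pop(0))
        return self.active[conn]

    def release(self, conn: Conn) -> None:
        """Closing a session returns its port to the pool."""
        _ip, port = self.active.pop(conn)
        self.free_ports.append(port)


class SourcePortNat:
    """The client's port is kept; each connection instead takes an alias address.
    Two connections to the same destination that keep the same port must use
    different aliases, or their translated 4-tuples would collide."""

    def __init__(self, aliases: List[str]):
        self.aliases = list(aliases)
        self.active: Dict[Conn, Translation] = {}

    def capacity(self) -> int:
        return len(self.aliases)

    def translate(self, conn: Conn) -> Optional[Translation]:
        if conn in self.active:
            return self.active[conn]
        _client_ip, client_port, dst_ip, dst_port = conn
        # Translated 4-tuples already in use, keyed on the destination they go to.
        taken = {(t_ip, t_port, c[2], c[3]) for c, (t_ip, t_port) in self.active.items()}
        for alias in self.aliases:
            if (alias, client_port, dst_ip, dst_port) not in taken:
                self.active[conn] = (alias, client_port)
                return self.active[conn]
        return None  # every alias already carries this port to this destination

    def release(self, conn: Conn) -> None:
        self.active.pop(conn)


def open_many(nat, conns: List[Conn]) -> List[Optional[Translation]]:
    """Translate a batch of connections in order; None marks one that found no free slot."""
    return [nat.translate(c) for c in conns]
```

Note that the source-port allocator only runs out per destination: a third client that keeps port 50 towards 192.1.1.1 is refused once both aliases are in use, while the same client towards a different server still gets the first alias, because the translated 4-tuple no longer collides.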
Sharing IP Filter sessions in an HA cluster
When IP Filter session sharing is configured for an HA cluster, the processing
(often primary) Sidewinder G2 sends out multicast messages to notify the other
nodes (such as the secondary or standby) Sidewinder G2 of IP Filter session
activity (such as a new session, closed session, or change in session state).
Each time a Sidewinder G2 receives a message, it updates its local session
table accordingly. All sessions received from the primary Sidewinder G2 will
have a status of shared on the secondary/standby Sidewinder G2.
When HA causes a secondary/standby Sidewinder G2 to take over as the
acting primary, the shared sessions on the acting primary become available.
When a packet is received for a session, it will be validated against the rules of
the processing Sidewinder G2. The processing Sidewinder G2 will then begin
sending multicast state-change messages.
Specifying the number of TCP or UDP IP Filter sessions
By default, the Sidewinder G2 allows only 1,000 active TCP and UDP filter
sessions. These limits can be changed by modifying the Max TCP Sessions or
Max UDP Sessions field in the IP Filter General Properties window. See “About
the IP Filter General Properties window” on page 241.
CHAPTER 5
Creating Rule Elements
In this chapter...
Creating users and user groups ... 132
Creating network objects ... 139
Creating service groups ... 150
Creating users and user groups
Figure 55: Users and User Groups window
About the Users and User Groups window
A user is a person who uses the networking services provided by the
Sidewinder G2. A user group is a logical grouping of one or more users,
identified by a single name. You can also nest one or more user groups within
a user group.
Note: For basic information on users and user groups, see “Users and user
groups” on page 104.
To display the current users and user groups configured for your Sidewinder
G2, using the Admin Console select Policy Configuration > Rule Elements >
Users & User Groups. The following window appears.
This window displays the users and user groups currently configured in the
user database.
Note: When you initially install your Sidewinder G2, the only user that will appear
is the user name for the administrator account you defined during installation.
There will not be any user groups defined.
In this window you can perform the following actions:
• Select multiple entries by pressing the Shift key while you select entries. To
select several non-consecutive entries, press the Ctrl key as you select the
desired entries.
• Display users, groups, or both—You can display only users (Users), only
groups (Groups) or both users and groups (All) using the Show drop-down
list.
• Filter users and/or groups—You can filter the users and/or groups that are
displayed in the window by typing alphabetic characters for which you want
to filter in the Match field. For example, if you type br in the Match field, only
users and groups whose name begins with “br” will appear in the list. The
Match field is case sensitive.
• Add or modify a user or user group—To add a new user or user group, see
“Configuring users or user groups” on page 133. To modify an existing user
or user group, highlight the entry you want to modify and click Modify.
Tip: You may find it more convenient to create user groups before creating
individual user accounts. That way, as you set up your user accounts, you will
be able to assign them to a group at the same time.
• Modify the members of a user group—To modify the members in a user
group, highlight the user group and click Members. See “Managing user
group membership” on page 138 for details.
• Delete a user or user group—To delete a user or user group, highlight the
entry you want to delete and click Delete. You will be prompted to confirm
this action.
Configuring users or user groups
To create or modify a user or user group, follow the steps below.
1. Using the Admin Console, select Policy Configuration > Rule Elements >
Users & User Groups. The Users and User Groups window appears.
2. In the Show drop-down list, select one of the following options and then
click New:
• All—Select this option to display both users and groups. If you select
this option, when you click New the Create User or Group Object
window appears. See “About the Create New User or Group Object
window” on page 134.
• Groups—Select this option to display only user groups. If you select this
option, when you click New the New Group Object window appears.
See “Configuring a new group using the New Group Object window” on
page 135.
• Users—Select this option to display only users. If you select this option,
when you click New the New User Object window appears. See
“Configuring individual user accounts using the New User Object
window” on page 136.
3. To edit a user or user group, highlight the entry you want to modify and click
Modify. You can also double-click the entry.
4. To delete an entry, select that entry by clicking it, and then click Delete. You
are prompted to verify your action—click Yes to delete the entry or click No
to cancel the action.
Figure 56: Create New User or Group Object window
About the Create New User or Group Object window
This window allows you to select whether you want to create a user or a user group.
1 Select one of the following options in the Create field:
• New User—Select this option to create a new user.
• New Group—Select this option to create a new user group.
2 (New User only) If you want to create a new user account using the information contained in an existing user account, select the Copy from existing user option and then select the user account that you want to copy. This option copies the following fields from the existing user’s account: Organization, User Fields 1–4, Description, Employee ID, and Group Membership information. You will still need to enter the Username and Password, as these fields are specific to each individual user.
3 Click OK.
• If you are creating a new user group, the New Group Object window appears. See “Configuring a new group using the New Group Object window” on page 135.
• If you are creating a new user, the New User Object window appears. See “Configuring individual user accounts using the New User Object window” on page 136.
Configuring a new group using the New Group Object window
The New Group Object window contains two tabs:
• Group Information—This tab is used to define the name of a new group. Follow the steps below.
• Group Membership Information—This is an optional tab that enables you to make this group a member of one or more other groups (called a “nested group”). See “About the Group Membership tab” on page 138 for details.
Note: You cannot edit the name of an existing group from this window. To change a group name you must delete the group, then add it back using the new name.
About the Group Information tab
1 In the Group Name field, type a name for this group. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
2 [Optional] In the Comments field, type any additional information about the user group.
3 [Optional] If you want to add or remove this group as a member of another group, click the Group Membership Information tab and follow the steps below. If not, click OK.
About the Group Membership Information tab
The Group Membership Information tab enables you to make this group a member of one or more other groups (called a nested group).
1 To add the group that is being created (or modified) as a member of one or more other groups, click an existing group in the Available Groups list to select it, and then click the ==>> button.
You can move multiple groups simultaneously by pressing the Shift key as you select groups. To select multiple non-consecutive groups, press the Ctrl key as you click the desired entries.
2 To remove the group from one or more groups, click the group in the Member of Groups list to select it, and then click the
Configuring individual user accounts using the New User Object window
The New User Object window contains three tabs: User Information, User Password, and Member Information. Use these tabs to create and modify user accounts and user groups.
Tip: You may find it more convenient to create user groups before creating individual user accounts. That way, as you set up your user accounts, you will be able to assign them to a group at the same time.
When you create a new user account or modify an existing user account, the User Information window appears. This window contains three tabs that are used to enter information about a user.
Figure 57: User Information window
About the User Information tab
The User Information tab is used to enter descriptive information about a user. Follow the steps below.
1 In the Username field, type the name the user will enter when he or she requests a connection that requires authentication. This entry can consist of up to 16 alphanumeric characters (upper or lower case) but must start with an alphabetic character. Apostrophes are not allowed (for example, O’Hare).
2 [Optional] In the Description field, type any information about the user that may be helpful.
3 [Optional] In the Employee ID field, type an employee ID number, if applicable.
4 [Optional] In the Organization field, type the organization that the user is associated with, if applicable.
5 [Optional] In the four User Fields, enter any additional information that your organization requires. For example, if you will be generating chargeback reports for authenticated FTP, Telnet, or Web connections, you might enter account numbers in these fields. You cannot modify the field names.
6 Select the User Password tab and see “About the User Password tab” below to define password information for this user.
About the User Password tab
The User Password tab is used to enter password information for a user. Follow the steps below.
1 In the Password area, create the user’s password using one of the following methods:
• Manually create password—If you want to manually create a password that the user must type when requesting a connection that requires authentication, click in the text box and type a password. Then retype the password in the Confirm Password field. The password must not exceed 64 characters.
• Generate Password—If you want the Sidewinder G2 to automatically create a password, click Generate Password. This will be the password the user must type when he or she requests a connection that requires authentication. Be sure to memorize the password that appears in the Generated Password window before clicking OK. Once you click OK, the password will no longer be visible.
2 If you want the user’s password to expire so that the user is required to change it, do the following:
a Click Expire Password. A confirmation window appears.
b Click Yes. The Expire Password button changes to a Reinstate Password button.
c Click OK and then click the Save icon to save your changes. If the user’s password is expired, the password will appear in the Password field with asterisks (*) prepended to the password.
3 If you need to reinstate a user’s expired password, click Reinstate Password, click OK, and then click the Save icon in the toolbar.
4 To delete a user’s password account from the database, click Discard Password Info. For example, this can be used if you are changing a user’s authentication method from password to SafeWord and need to remove the previous password information.
5 Select the Group Membership tab and see “About the Group Membership tab” below to define group information for this user.
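The naming constraints repeated through these procedures (group and object names: alphanumerics plus periods, dashes, underscores and spaces, alphanumeric first and last character, at most 100 characters; usernames: at most 16 alphanumeric characters starting with a letter, no apostrophes; passwords: at most 64 characters) are the kind of rule an administrator wants to check before bulk-loading accounts rather than discover one dialog at a time. The Python below is an added example, not Sidewinder G2 code. Treating “alphanumeric” as ASCII letters and digits, treating an empty password as a defect, and the record format accepted by check_user_entry are assumptions of ours, not statements from the guide.

```python
"""Pre-flight checks for the naming rules stated in this chapter.

Added example, not Sidewinder G2 code. Each check returns a list of
problems, so a bulk-import script can report every defect in an entry at
once; an empty list means the value satisfies the documented rules.
"""
import re
import string

NAME_MAX_LEN = 100       # group, network object and service group names
USERNAME_MAX_LEN = 16
PASSWORD_MAX_LEN = 64

# Assumption: "alphanumeric" means ASCII letters and digits.
_ALNUM = "A-Za-z0-9"
_ALNUM_SET = set(string.ascii_letters + string.digits)
_ALPHA_SET = set(string.ascii_letters)

# Name body: alphanumerics, periods, dashes, underscores and spaces;
# the first and last character must be alphanumeric.
_NAME_RE = re.compile(rf"[{_ALNUM}](?:[{_ALNUM}._ -]*[{_ALNUM}])?")
# Netmap names are documented without the space in the allowed set.
_NAME_NO_SPACE_RE = re.compile(rf"[{_ALNUM}](?:[{_ALNUM}._-]*[{_ALNUM}])?")
# Usernames: an alphabetic first character, alphanumerics after it.
_USERNAME_RE = re.compile(rf"[A-Za-z][{_ALNUM}]*")


def check_object_name(name, allow_space=True):
    """Problems with a group, network object or service group name."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name exceeds {NAME_MAX_LEN} characters")
    pattern = _NAME_RE if allow_space else _NAME_NO_SPACE_RE
    if not pattern.fullmatch(name):
        if name[0] not in _ALNUM_SET or name[-1] not in _ALNUM_SET:
            problems.append("first and last character must be alphanumeric")
        else:
            problems.append("name contains a character outside the allowed set")
    return problems


def check_username(username):
    """Problems with a Username field value."""
    if not username:
        return ["username is empty"]
    problems = []
    if len(username) > USERNAME_MAX_LEN:
        problems.append(f"username exceeds {USERNAME_MAX_LEN} characters")
    if "'" in username or "\u2019" in username:
        problems.append("apostrophes are not allowed (for example, O'Hare)")
    elif not _USERNAME_RE.fullmatch(username):
        if username[0] not in _ALPHA_SET:
            problems.append("username must start with an alphabetic character")
        else:
            problems.append("username may contain only alphanumeric characters")
    return problems


def check_password(password):
    """Problems with a manually entered password."""
    problems = []
    if not password:                       # assumption: empty is a defect
        problems.append("password is empty")
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"password exceeds {PASSWORD_MAX_LEN} characters")
    return problems


def check_user_entry(entry):
    """Validate one import record of the constructed form
    {"username": ..., "password": ..., "groups": [...]} and return
    {field: [problems]} for the fields that failed."""
    report = {}
    for field, check in (("username", check_username), ("password", check_password)):
        found = check(entry.get(field, ""))
        if found:
            report[field] = found
    bad = [g for g in entry.get("groups", []) if check_object_name(g)]
    if bad:
        report["groups"] = [f"invalid group name: {g!r}" for g in bad]
    return report
```

Run the checks over the whole import file before touching the Admin Console; a record that fails check_user_entry would be rejected by one of the windows above anyway, and catching it first keeps partially created accounts out of the policy.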
About the Group Membership tab
Figure 58: User Group Membership window
The Group Membership tab is used to assign the user to one or more existing groups. (For information on setting up a user group, see “Configuring users or user groups” on page 133.)
1 To add the user to a group, select a group in the Available Groups list and then click the ==>> button.
2 To remove the user from a group, click a group in the Group Membership list and then click the
Users & User Groups. The Group Information window appears.
2 In the Show drop-down list, select Groups.
3 Select a group name, and then click the Members button in the lower portion of the window. The User Group Membership window appears.
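Nested groups make a rule’s effective scope harder to read off the GUI: a rule that names one group also covers every user who reaches it through a chain of group memberships. The following Python is an added example, not Sidewinder G2 code; its data model (a user-to-groups map and a group-to-parent-groups map, filled with constructed sample entries) is an assumption made for illustration. It resolves a user’s effective groups, answers the inverse question a policy reviewer usually asks (which users does this group actually contain?), and terminates on a membership cycle, should one be configured.

```python
"""Resolve effective membership for nested user groups.

Added example, not Sidewinder G2 code. The two dictionaries below are a
constructed stand-in for the Users & User Groups rule elements: direct
memberships only, as an administrator would enter them in the GUI.
"""
from collections import deque

# Constructed sample directory (assumption: memberships are stored like this).
USER_GROUPS = {            # user -> groups the user is a direct member of
    "bsmith": {"helpdesk"},
    "jdoe": {"developers"},
    "admin": set(),
}
GROUP_PARENTS = {          # group -> groups this group is a direct member of
    "helpdesk": {"it-staff"},
    "it-staff": {"all-employees"},
    "developers": {"all-employees"},
    "contractors": {"all-employees"},
    "all-employees": set(),
}


def effective_groups(user, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """Every group the user belongs to, directly or through nested groups.

    Breadth-first walk over the parent links. A group is expanded at most
    once, so a cycle (A nested in B, B nested in A) terminates instead of
    looping forever.
    """
    seen = set()
    queue = deque(user_groups.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(group_parents.get(group, ()))
    return seen


def is_member(user, group, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """True when a rule that names `group` applies to `user`."""
    return group in effective_groups(user, user_groups, group_parents)


def members_of(group, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """Inverse view for policy review: the users a rule on `group` covers."""
    return {u for u in user_groups if is_member(u, group, user_groups, group_parents)}


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(f"{user}: {sorted(effective_groups(user))}")
    print("all-employees covers:", sorted(members_of("all-employees")))
```

When reviewing a rule that references a group, run members_of on that group rather than reading the Members window alone; the window shows direct members, while the rule applies to the transitive set.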
Chapter 5: Creating Rule Elements
Creating network objects
About the User Group Membership window
This window displays the users and groups that are members of the selected group. You can perform the following actions from this window:
• Select a group to modify—In the Group Name drop-down list, select the group for which you want to add or remove members.
• Determine which users and groups are displayed—To display only users, only groups, or both users and groups (All), select the appropriate item from either Show drop-down list. To further filter the list, type the leading characters you want to match in the Match field. For example, if you type br in the text box, only entries that begin with “br” appear in the list. The Match field is case sensitive.
• Add or remove users as members of the selected group—To add a user or group to this group, select an entry in the Available Users and Groups list and then click the ==>> button. To remove a user from this group, select a user in the Current Group Members list and then click the
Creating network objects
Network Objects. The following window appears.
Figure 59: Network Objects window
About the Network Objects window
This window lists the network objects currently configured on the Sidewinder G2. You can perform the following actions in this window:
• Filter the list of network objects—To modify the list that is displayed, select an object type from the Filter drop-down list. The list will then display only network objects of that type.
• Configure a new network object—To configure a new object, click New. The New Network Object window appears. See “About the New Network Object window” on page 141.
• Modify an existing network object—To modify an existing network object, highlight the appropriate item within the list and click Modify. For information on modifying specific fields, refer to the following sub-sections.
• Delete an existing network object—To delete a network object, highlight the item you want to delete in the list and then click Delete.
• Add or remove a network object from a netgroup—To add or remove a network object from one or more netgroups, highlight the netgroup and click the Groups Object In button in the lower portion of the window. See “Managing the groups to which a network object belongs” on page 149.
• View the areas that are currently using a particular network object—To view the areas (netgroup, netmap, proxy rule) that are currently using a particular network object, highlight the network object and click the Object Usage button in the lower portion of the window. Click Close to exit the Object Usage window.
Note: You cannot modify the information in the Object Usage window.
Figure 60: New Network Object window
About the New Network Object window
In the Type drop-down list, select the type of object you want to create. The following options are available:
Note: The fields that appear will vary depending on the type of object you select.
• Domain—For information on configuring a domain object, see “Configuring domain objects” on page 142.
• Host—For information on configuring a host object, see “Configuring host objects” on page 143.
• IP Address—For information on configuring an IP address object, see “Configuring IP address objects” on page 145.
• Netmap—For information on configuring a netmap object, see “Configuring netmaps” on page 145.
• Subnet—For information on configuring a subnet object, see “Configuring subnet objects” on page 147.
• Netgroup—For information on configuring a netgroup object, see “Configuring netgroup objects” on page 148.
Configuring domain objects
When you add a new domain using the Admin Console, the following window appears.
Figure 61: Network Objects: Domain window
Entering domain information
This window is used to define information about a domain. (To create a different network object, change the Type field.) Each domain you define becomes a network object that can be used in a rule. Follow the steps below.
1 In the Name field, type a name for this domain object (for example, “example” for example.com). Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing domain.
2 [Optional] In the Description field, enter any useful information for this domain object.
3 In the Domain field, enter the domain to use for this object (for example, “example.com”).
4 Click Add to add the domain object. (If you are modifying an existing domain object, click OK.)
Configuring host objects
When you add a new host, a window similar to the following appears:
Figure 62: Host network object window
Entering host information
This window is used to define information about a host. (To create a different network object, change the Type field.) Each host you define becomes a network object that can be used in a rule.
Note: In IP Filter rules, the localhost network object is supported, but DNS-resolvable host names should be avoided. DNS-resolvable host names become inoperative during any periods when the appropriate DNS server is unavailable or unreachable.
1 In the Name field, type a name for the host. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing host.
2 [Optional] In the Description field, enter any useful information about this host.
3 In the Host field, enter the hostname for this host object (for example, mail.example.com).
4 In the DNS drop-down list, determine whether this host will use DNS:
• DNS—Select this option to perform normal DNS lookups.
• No DNS—Select this option if you do not want to perform DNS lookups for this host.
5 If you selected DNS in the previous step, and you need to override the DNS time-to-live value, do the following:
Note: Overriding the default DNS time-to-live value is not recommended.
a Select the Override TTL check box.
b Specify a time value in the first text field.
c Specify the appropriate time increment in the drop-down list.
For example, if you want the DNS time-to-live value to be 30 minutes, type 30 in the text field and select minutes from the drop-down list.
6 To configure the IP address list for a host, do one of the following:
• To add a new IP address, click New and refer to “Managing host IP addresses” on page 144.
• To modify an existing IP address, highlight the IP address, click Modify, and refer to “Managing host IP addresses” on page 144.
• To delete an IP address, highlight an entry and click Delete.
7 Click Add to add the host information. (If you are modifying an existing host object, click OK.)
Managing host IP addresses
The IP Addresses window allows you to add an IP address for this host. (To create a different network object, change the Type field.) When you add IP addresses, a host name that is not known to DNS can be identified here. To assign a new IP address to this host or modify an existing IP address, follow the steps below.
1 In the Host IP Address field, type the IP address associated with this host.
Note: A host IP address should only be specified if it cannot be derived dynamically from DNS.
2 Click Add, and then click Close.
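The note about DNS-resolvable host names deserves a concrete picture: a host object that relies on DNS matches nothing while the resolver is unreachable, a statically entered address keeps it usable, and an Override TTL value decides how long a cached answer is trusted. The Python below is an added example, not Sidewinder G2 code, that models a host object with the DNS/No DNS choice, the TTL override and the Host IP Address list from the procedures above. The resolver and clock are injected so the example runs offline against constructed data. That DNS answers and static addresses are combined, and that an outage falls back to the static list only, are assumptions of ours about behaviour the guide does not spell out.

```python
"""How a host object's effective address list behaves under DNS outages
and TTL overrides.

Added example, not Sidewinder G2 code. Real resolution would call a DNS
client; here a constructed FakeResolver and FakeClock stand in so the
behaviour can be exercised offline.
"""
import time


class DnsUnavailable(Exception):
    """The configured DNS server could not be reached."""


class HostObject:
    def __init__(self, name, hostname, use_dns=True, static_ips=(),
                 override_ttl=None, resolver=None, clock=time.time):
        self.name = name
        self.hostname = hostname
        self.use_dns = use_dns                  # the DNS / No DNS drop-down
        self.static_ips = list(static_ips)      # the Host IP Address list
        self.override_ttl = override_ttl        # seconds; None = honour record TTL
        self.resolver = resolver                # callable(hostname) -> (ips, ttl)
        self.clock = clock
        self._cache = None                      # (ips, expires_at)

    def addresses(self):
        """Addresses this object matches right now. An empty list means the
        object is inoperative: rules that reference it match nothing."""
        if not self.use_dns:
            return list(self.static_ips)
        now = self.clock()
        if self._cache is not None and now < self._cache[1]:
            dns_ips = self._cache[0]
        else:
            try:
                dns_ips, record_ttl = self.resolver(self.hostname)
            except DnsUnavailable:
                # The failure mode in the note above: with DNS unreachable only
                # statically entered addresses remain (assumption: an expired
                # cache entry is not reused).
                return list(self.static_ips)
            ttl = self.override_ttl if self.override_ttl is not None else record_ttl
            self._cache = (list(dns_ips), now + ttl)
        # Assumption: static addresses supplement DNS answers (de-duplicated).
        return self.static_ips + [ip for ip in dns_ips if ip not in self.static_ips]


class FakeResolver:
    """Constructed DNS stand-in: fixed answers and a switchable outage."""

    def __init__(self, answers, ttl=300):
        self.answers = dict(answers)
        self.ttl = ttl
        self.available = True
        self.queries = 0

    def __call__(self, hostname):
        self.queries += 1
        if not self.available:
            raise DnsUnavailable(hostname)
        return list(self.answers.get(hostname, [])), self.ttl


class FakeClock:
    """Constructed clock so TTL expiry can be stepped by hand."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    dns = FakeResolver({"mail.example.com": ["192.0.2.25"]})
    mail = HostObject("mail", "mail.example.com", resolver=dns, clock=clock)
    print("normal:", mail.addresses())
    dns.available = False
    clock.now = 600                       # cache expired and DNS down
    print("outage, no static addresses:", mail.addresses())
```

The last two lines of the script show why the guide steers IP Filter rules away from DNS-resolvable names: once the cached answer expires during an outage, the object’s address list is empty and the rule silently stops matching, which reads as a denial for an allow rule and as a gap for a deny rule.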
Configuring IP address objects
When you add a new IP address, a window similar to the following appears.
Figure 63: IP Address network object window
Entering IP address information
This window is used to define information about an IP address. (To create a different network object, change the Type field.) Each IP address you define becomes a network object that can be used in a rule. Follow the steps below.
1 In the Name field, enter a name for this object. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing IP address.
2 [Optional] In the Description field, enter any useful information about this IP address object.
3 In the IP Address field, type the value of the IP address.
4 Click Add to add the IP address information. (If you are modifying an existing IP address object, click OK.)
Configuring netmaps
Netmap objects allow you to map multiple IP addresses and subnets to alternate addresses without creating numerous rules. A netmap consists of one or more netmap members. A netmap member is any IP address or subnet that you add to a particular netmap. Each member in the netmap is mapped to an alternate address that you specify. For more information about netmaps, see “Rule elements” on page 103.
Figure 64: Network Object: Netmap window
Creating/modifying a netmap entry
To create a netmap, in the New Network Object window, select Netmap. A window similar to the following appears.
This window is used to create or modify a netmap. (To create a different network object, change the Type field.) Each netmap you define becomes a network object that can be used in a rule. Follow the steps below.
1 In the Name field, type the name of the new netmap. Valid values include alphanumeric characters, periods (.), dashes (-), and underscores (_). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing netmap.
2 In the Description field, enter any useful information for this netmap.
3 To create a new netmap member, click New. The Netmap Members window appears.
Once you add netmap members, you can sort them in the table by clicking the heading of the column you want to sort by. For example, if you want to sort the table by type, click the Type column heading. All of the entries in the table will be sorted by type and will appear in alphanumeric order. If you click the heading a second time, the table will be sorted by type in reverse alphanumeric order.
4 Click Add to add the netmap information. (If you are modifying an existing netmap, click OK.)
About the Netmap Members window
The Netmap Members window allows you to map an IP address or subnet address to an alternate address within a netmap. (To create a different network object, change the Type field.) Follow the steps below.
1 In the drop-down list that appears, select one of the following:
• IP Address—Select this option if you want to map an internal IP address to be translated to a different IP address.
• Subnet—Select this option if you want to map a subnet address to be translated to a different subnet address.
2 In the Original list, select the IP address or subnet that you want to map to a different address.
3 In the Mapped list, select the IP address to which the original IP address or subnet (that you selected in the previous step) will be mapped.
4 Click Add.
Configuring subnet objects
When you add a subnet, the following window appears.
Figure 65: Subnet network object window
Entering subnet information
This window is used to define information about a subnet. (To create a different network object, change the Type field.) Each subnet you define becomes a network object that can be used in a rule.
1 In the Name field, type a name for this object. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing subnet.
2 In the Description field, type any useful information about the object.
3 In the Subnet field, enter the following information:
• In the Subnet text field, type the subnet address. You must enter a valid IP address containing four distinct fields separated by periods (for example, 1.2.3.4).
• In the numeric text box following the subnet field, enter the number of significant bits for the subnet address. You must enter an integer value in the range 0–32. For example, if you enter 16, only the first 16 bits of the address are significant.
4 Click Add to add the subnet object. If you are modifying an existing subnet, click OK.
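Two of the objects described here are easy to get wrong when building policy by hand: a subnet object’s meaning depends on the significant-bits count (16 means only the first 16 bits of the typed address matter), and a netmap member translates an original IP address or subnet to a mapped address. The Python below is an added example, not Sidewinder G2 code, covering both the subnet object procedure and the Netmap Members window above. Its choices where the guide is silent are assumptions: a subnet-to-subnet member keeps the host bits of the original address, a subnet-to-single-address member maps every original address to that one address, and when several members match, the most specific one wins.

```python
"""Subnet objects and netmap translation, modelled in Python.

Added example, not Sidewinder G2 code. The standard library's ipaddress
module does the bit arithmetic; the policy semantics are assumptions noted
in the comments.
"""
import ipaddress


def subnet_object(address, significant_bits):
    """Build a subnet object from the two GUI fields: a dotted-quad address
    and the number of significant bits (0-32). Host bits in the typed address
    are ignored, which is what "only the first N bits are significant" implies."""
    if not 0 <= significant_bits <= 32:
        raise ValueError("significant bits must be in the range 0-32")
    return ipaddress.IPv4Network(f"{address}/{significant_bits}", strict=False)


def matches(subnet, address):
    """True when `address` falls inside the subnet object."""
    return ipaddress.IPv4Address(address) in subnet


class Netmap:
    """A netmap: a collection of (original, mapped) members."""

    def __init__(self, name):
        self.name = name
        self.members = []

    def add_member(self, original, mapped):
        """original: 'a.b.c.d' (IP Address member) or 'a.b.c.d/n' (Subnet
        member). mapped: 'w.x.y.z' or 'w.x.y.z/n'."""
        orig = ipaddress.IPv4Network(original, strict=False)   # bare IP -> /32
        if "/" in mapped:
            target = ipaddress.IPv4Network(mapped, strict=False)
            if target.prefixlen != orig.prefixlen:
                # Assumption: subnet-to-subnet members must be the same size,
                # otherwise host bits cannot be carried over one-to-one.
                raise ValueError("original and mapped subnets must have the same prefix length")
        else:
            target = ipaddress.IPv4Address(mapped)
        self.members.append((orig, target))

    def translate(self, address):
        """Return the mapped address for `address`, or None when no member
        covers it. Assumption: the longest-prefix (most specific) member wins."""
        addr = ipaddress.IPv4Address(address)
        best = None
        for orig, target in self.members:
            if addr in orig and (best is None or orig.prefixlen > best[0].prefixlen):
                best = (orig, target)
        if best is None:
            return None
        orig, target = best
        if isinstance(target, ipaddress.IPv4Address):
            return target                                   # member collapses to one address
        host_bits = int(addr) & int(orig.hostmask)          # keep the host part ...
        return ipaddress.IPv4Address(int(target.network_address) | host_bits)  # ... on the new prefix


if __name__ == "__main__":
    nm = Netmap("internal-to-dmz")                          # constructed sample netmap
    nm.add_member("10.1.0.0/16", "172.20.0.0/16")
    nm.add_member("10.1.5.9", "203.0.113.9")
    for probe in ("10.1.2.3", "10.1.5.9", "192.168.1.1"):
        print(probe, "->", nm.translate(probe))
```

The translate method is also a quick way to audit a netmap before it goes into a rule: feed it the addresses you expect to be rewritten and a few you expect to be left alone, and compare the answers with what the Netmap Members table shows.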
Configuring netgroup objects
When you add a new netgroup object, the following window appears.
Figure 66: Network Object: netgroup window
Entering netgroup information
This window is used to define information about a netgroup. (To create a different network object, change the Type field.) Each group you define becomes a network object that can be used in a rule. Follow the steps below.
Tip: You may find it more convenient to create all of your network objects before defining your netgroup objects. That way, as you set up your netgroup objects, you will be able to immediately assign the desired network objects to the group.
1 In the Name field, type the name of the new netgroup. The name will be used by rules to identify the netgroup when you set up Sidewinder G2 connections. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing group.
2 [Optional] In the Description field, enter any useful information about this group.
3 Modify the netgroup’s members by doing the following:
• To add a member to this netgroup, highlight the member in the Available Members list that you want to add, and then click the ==>> button to move it to the Chosen Members list.
• To remove a network object from this netgroup, highlight the object in the Chosen Members list, and then click the
Chapter 5: Creating Rule Elements
Creating service groups
About the Group Membership window
Figure 67: Group Membership window
This window allows you to configure the groups to which a particular network object belongs. The Available list displays all the available groups. The Selected list displays the groups to which the object currently belongs. To add or remove the network object to or from a particular group, do the following:
• To add this network object to another group, select the group in the Available list and then click the ==>> button to move the group to the Selected list.
• To delete a network object from a group, select the group in the Selected list and then click the
Creating service groups
Figure 68: Service Groups window
Service Groups. The following window appears:
About the Service Groups window
This window allows you to view information for individual service groups. The Service Group Name list contains all currently defined service groups. To view information for a particular service group, highlight the service group; its information appears in the right-hand portion of the window. To add a new service group, follow the steps below.
1 Determine whether you want to create a new service group, modify an existing service group, or delete a service group, and then do the following:
• To create a new service group, click New. The New Service Group window appears. Proceed to step 2.
• To modify a service group, highlight the service group name in the Service Group Name list and proceed to step 3.
• To delete a service group, highlight the service group and click Delete.
2 Type a name for the service group in the New Service Group field and click Add. The service group is added to the list of service groups in the main Service Group window. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
3 Determine which proxies you want to assign to the selected service group. The proxies currently assigned to the selected service group are listed in the Selected Proxies list. The proxies that are available on the Sidewinder G2 are listed in the Available Proxies list.
• To add a proxy to the Selected Proxies list, click a proxy name in the Available Proxies list, and then click the ==>> button.
• To remove a proxy from the Selected Proxies list, click a proxy name, and then click the button.
• To remove a server from the Selected Servers list, click a server name, and then click the
6 CHAPTER
Configuring Application Defenses
In this chapter...
Viewing Application Defense information ..... 154
Creating Web or Secure Web Application Defenses ..... 156
Creating Web Cache Application Defenses ..... 170
Creating Mail (Sendmail) Application Defenses ..... 172
Creating Mail (SMTP proxy) Defenses ..... 181
Creating Citrix Application Defenses ..... 185
Creating FTP Application Defenses ..... 186
Creating IIOP Application Defenses ..... 191
Creating Multimedia Application Defenses ..... 192
Creating Oracle Application Defenses ..... 194
Creating MS SQL Application Defenses ..... 196
Creating SOCKS Application Defenses ..... 197
Creating SNMP Application Defenses ..... 198
Creating Standard Application Defenses ..... 201
Configuring Application Defense groups ..... 202
Configuring connection properties ..... 203
Chapter 6: Configuring Application Defenses
Viewing Application Defense information
Figure 69: Application Defenses window (Web)
To view the Application Defenses windows, in the Admin Console select Policy Configuration > Application Defenses > Defenses and then select the type of Application Defense you want to view from the tree. A window similar to the following appears.
The top portion of each Application Defense window consists of a table that lists all of the Application Defenses (by row) that are currently configured for a particular category. The table columns display the individual attributes for the defenses. Basic default defenses (such as Default and Deny All) are preconfigured for each category of Application Defense.
Note: The Application Defenses that are displayed in the table will vary depending on the defense category you select from the tree.
You can perform the following actions in any of the Application Defense windows:
• Create/modify/delete an Application Defense—To create a new Application Defense, click New in the upper portion of the window. To create a new Application Defense based on an existing defense, select the defense that you want to duplicate, and then click Duplicate. You can then modify the duplicate as needed. See “About the New/Duplicate Application Defense window” on page 156.
To modify an existing Application Defense, select the defense that you want to modify from the table. The configuration information is displayed in the bottom portion of the window. To modify the Application Defense in a pop-up window, click Modify.
For information on configuring a specific Application Defense, see the following:
– Web/Secure Web (page 156)
– Web Cache (page 170)
– Mail (Sendmail) (page 172)
– Mail (SMTP proxy) (page 181)
– Citrix (page 185)
– FTP (page 186)
– IIOP (page 191)
– Multimedia (page 191)
– Oracle (page 194)
– SOCKS (page 197)
– SNMP (page 198)
– Standard (page 201)
Note: For information on configuring Application Defense groups, see “Configuring Application Defense groups” on page 202.
To delete an Application Defense, select the Application Defense that you want to delete, and click Delete. You will be prompted to confirm your decision. However, you cannot delete an Application Defense if it is being used in a proxy rule. If the Application Defense is used in a rule, a pop-up window will appear informing you which rules are currently using this defense. Before you can delete the defense, you will need to modify each of the rules to remove the specified defense from those rules.
• View the rules in which an Application Defense/Group is currently used—To view the rules or rule groups that currently use a particular Application Defense (or group), highlight the appropriate defense (or group) and click Usage. A pop-up window appears listing the rule names that are currently using the specified defense. Click Close when you are finished viewing the rule list.
The bottom portion of each window (or pop-up, if you clicked Modify) displays the actual configuration information for the selected Application Defense. The information will vary depending on the Application Defense category you select. The following fields remain constant among all Application Defense windows:
• Name—This field contains the name of the Application Defense that you are viewing. This field cannot be modified. If you need to rename an Application Defense, you can create a duplicate defense with the desired name, and then delete the existing Application Defense.
• [Web/Secure Web only] Type—This field allows you to specify whether a defense will be used to protect a server, client, or both. For more information about the Type field, see “Creating Web or Secure Web Application Defenses” on page 156.
• Description—This field allows you to provide information about the Application Defense to help you more easily identify it.
About the New/Duplicate Application Defense window
When you click New or Duplicate in the Application Defense window, the New/Duplicate Application Defense window appears. This window allows you to specify a name for the Application Defense. If you are creating a Web or Secure Web Application Defense, the type of Web filtering this Application Defense will protect against is also listed. You cannot modify the Type field when creating a duplicate defense. Click OK.
When you click OK, the Application Defense is added to the table and the properties for that defense are displayed in the lower portion of the window. To configure the new Application Defense, either use the lower portion of the window, or click Modify to configure the properties within a pop-up window.
The remaining sections in this chapter provide information for configuring each Application Defense category.
Creating Web or Secure Web Application Defenses
The Web/Secure Web Application Defenses allow you to configure advanced parameters for Web (HTTP) or Secure Web (HTTPS and SSO) proxy rules. To create Web or Secure Web Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses and then select Web or Secure Web respectively. One of the following windows appears. (Figure 70 displays only the bottom portion of the windows.)
Figure 70: Application Defense: Web and Secure Web (panels: Web, Secure Web)
Configuring the Web/Secure Web Enforcements tab
The Enforcements tab allows you to select the feature enforcement tabs that you want to make available for configuration, as well as relax enforcement of HTTP proxy standards. If you are configuring a Secure Web Application Defense, you can also configure SSL decryption properties in the Enforcements tab.
In the Type field, you can specify whether this defense will be used to protect a server, client, or both, as follows.
• Combined—[Web only] This option allows you to create an Application Defense that can protect both a Web client (outbound) and a Web server (inbound) behind the Sidewinder G2. When you select this option, all of the configuration options for this defense will appear. However, some of the options that you configure will only apply to the client or server. (For example, HTTP Request properties do not apply to the client. Therefore, if you select Combined, HTTP Request properties that you configure will only apply to the server.)
• Client—This option allows you to create an Application Defense that protects a client behind the Sidewinder G2. Options that do not apply for client protection (such as HTTP Requests) will not be available for configuration.
• Server—This option allows you to create an Application Defense that protects a server behind the Sidewinder G2. Options that do not apply for server protection (such as Content Control options other than SOAP) will not be available for configuration.
To enforce HTTP proxy standards in a manner that still allows traffic from systems that do not adhere to strict RFC standards for HTTP, select the Relax Protocol Enforcements option. Enabling relaxed mode allows the following RFC infractions:
• Media types in Content-Type: headers in a relaxed form, where the subtype is not required
• Empty headers
• Duplicated responses from the server where the response is the same but the version is different
• Query strings containing arbitrary data
Caution: Each listed infraction introduces an element of risk into your security policy, particularly if enabled on server-side rules. Use this mode only when necessary, and implement it on a rule-by-rule basis.
Select this option if the above infractions are acceptable or required in your network. When you enable this option, you will also need to specify whether the protocol enforcements will be relaxed when receiving HTTP traffic from clients, servers, or both by selecting one of the following options from the drop-down list:
• Client—Select this option to relax protocol enforcements only when receiving HTTP traffic from clients.
• Server—Select this option to relax protocol enforcements only when receiving HTTP traffic from servers.
• Client and Server—Select this option to relax protocol enforcements when receiving HTTP traffic from both clients and servers.
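As an added illustration (not from the guide or the Sidewinder G2 software), the following Python models the strict-versus-relaxed check for two of the listed infractions, empty headers and Content-Type media types without a subtype, and maps the Client / Server / Client and Server choice onto the side the headers came from; the function names and the sample headers are assumptions.

```python
"""Added example, not Sidewinder G2 code: a strict-versus-relaxed header
check modelled on two of the RFC infractions the guide says relaxed mode
tolerates (empty headers, Content-Type media types without a subtype).
The direction/relax_for mapping mirrors the Client / Server / Client and
Server drop-down. All sample headers used with it are constructed."""
import re

# RFC 2616 "token" characters, used for media type and subtype names
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# Strict: type "/" subtype, optionally followed by parameters
STRICT_MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}(\s*;.*)?$")
# Relaxed: the subtype may be absent ("text" instead of "text/html")
RELAXED_MEDIA_TYPE = re.compile(rf"^{TOKEN}(/{TOKEN})?(\s*;.*)?$")


def relaxed_for(direction, relax_for):
    """True if infractions are tolerated for headers arriving from
    `direction` ("client" or "server"), given the drop-down choice
    `relax_for` (None = option off, "client", "server" or "both")."""
    if relax_for is None:
        return False
    return relax_for == "both" or relax_for == direction


def check_headers(headers, direction="client", relax_for=None):
    """Return the list of infractions found in `headers`, a list of
    (name, value) pairs. An empty list means the message is accepted."""
    relaxed = relaxed_for(direction, relax_for)
    infractions = []
    for name, value in headers:
        value = value.strip()
        if value == "":
            # Empty header: an infraction in strict mode, tolerated when relaxed
            if not relaxed:
                infractions.append(f"empty header: {name}")
            continue
        if name.lower() == "content-type":
            pattern = RELAXED_MEDIA_TYPE if relaxed else STRICT_MEDIA_TYPE
            if not pattern.match(value):
                infractions.append(f"malformed Content-Type: {value!r}")
    return infractions
```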
Enabling Web/Secure Web configuration tabs
To enable (or disable) feature enforcement tabs for Web/Secure Web, you must first select the appropriate check box in the Enforcements tab. When you select the check box for a feature, that tab becomes enabled.
Note: The Connection tab does not need to be enabled before you can configure it.
The following tabs can be enabled:
Note: If you are configuring a Secure Web defense and you select the Decrypt Web Traffic check box, you can enable any of the tabs below. If you select the Do Not Decrypt Web Traffic check box, you can only enable the SmartFilter tab.
• URL Control—The URL Control tab allows you to configure filtering on the URL contained in the HTTP request. To enable URL filtering, select this check box. To configure URL filtering properties, select the URL Control tab and see “Configuring the Web/Secure Web URL Control tab” on page 160.
• HTTP Request—The HTTP Request tab allows you to configure header filtering on HTTP requests. To enable HTTP header filtering for HTTP requests, select this check box. To configure HTTP request header properties, select the HTTP Request tab and see “Configuring the Web/Secure Web HTTP Request tab” on page 162.
• HTTP Reply—The HTTP Reply tab allows you to configure header filtering on HTTP replies. To enable HTTP header filtering for HTTP replies, select this check box. To configure HTTP reply header properties, select the HTTP Reply tab and see “Configuring the Web/Secure Web HTTP Reply tab” on page 163.
• MIME/Virus/Spyware—The MIME/Virus/Spyware tab allows you to configure MIME (Multi-Purpose Internet Mail Extensions) and anti-virus/spyware filtering, virus signature scanning, and infected file handling. To enable filtering for MIME/virus/spyware, select this check box. To configure MIME/virus/spyware properties, select the MIME/Virus/Spyware tab and see “Configuring the Web/Secure Web MIME/Virus/Spyware tab” on page 165.
• Content Control—The Content Control tab allows you to configure filtering for Web content types including Active X, Java, scripting languages, and SOAP. (For Secure Web, you can only configure SOAP filtering.) To enable content filtering, select this check box. To configure content control properties, select the Content Control tab and see “Configuring the Web/Secure Web Content Control tab” on page 168.
• SmartFilter—The SmartFilter tab allows you to enable filtering of Web traffic using SmartFilter. For information on configuring the SmartFilter tab, see “Configuring the Web/Secure Web SmartFilter tab” on page 169.
Configuring SSL decryption properties [Secure Web server only]
The Sidewinder G2 can perform SSL decryption services at the firewall level on a per-rule basis, increasing the security of your data transactions. You can also use SSL decryption to allow clientless VPN connections for trusted remote users, providing secure access to the internal network. (For information on configuring clientless VPN services, see “Setting up clientless VPN access for trusted remote users” on page 379.)
To use SSL decryption services on Sidewinder G2, you must have the following features licensed:
• Strong Cryptography—This feature is included with the basic Sidewinder G2 Security Appliance license.
• SSL Decryption—This feature is an add-on module. If it is purchased after Sidewinder G2’s initial activation, you will need to relicense your Sidewinder G2 to activate this feature. For licensing information, see “Activating the Sidewinder G2 license” on page 55.
Tip: If using SSL decryption, you may use a supported hardware accelerator board (such as Cavium) in your Sidewinder G2 to offload decryption, increasing system performance. If you do not currently have a supported hardware accelerator board installed on your Sidewinder G2, contact your sales representative for assistance.
To configure decryption properties for a Secure Web Application Defense, follow the steps below.
Important: Proxy rules that use Secure Web Application Defenses with the Decrypt Web Traffic option enabled must have redirection configured.
1 Select from the following:
• To enable SSL decryption for an Application Defense, select Decrypt Web Traffic. Remember to verify that the SSL Decryption and Strong Cryptography features are licensed.
• To allow Web traffic to pass through without being decrypted, select Do Not Decrypt Web Traffic. SSL connections will still be validated when this option is selected. If you select this option, you can select the SmartFilter check box to enable Web filtering and enable the SmartFilter tab for configuration.
2 [Conditional] If you are configuring a Secure Web defense to allow clientless VPN sessions to access a Microsoft Exchange® Server, select the Rewrite Microsoft OWA HTTP check box. For details on configuring the Sidewinder G2 to allow clientless VPN connections for trusted remote users, see “Setting up clientless VPN access for trusted remote users” on page 379.
3 Select the appropriate firewall certificate from the Firewall Certificate drop-down list. This is the certificate that is used to authenticate the Sidewinder G2 to the remote HTTPS/SSL client. For information on configuring firewall certificates, see “Configuring Certificate Management” on page 415.
4 Click SSL Settings to configure SSL properties:
a Specify the SSL/TLS versions that will be accepted for secure Web connections.
• SSL2—When this check box is selected, the SSL version 2 protocol will be accepted.
Note: SSL2 is not recommended. It is only provided to allow compatibility with older Web browsers/SSL applications. Diffie-Hellman Key Exchange is not supported for SSL2. You must deselect SSL2 to enable the Require Diffie-Hellman Key Exchange field.
• SSL3—When this check box is selected, the SSL version 3 protocol will be accepted.
• TLS1—When this check box is selected, the TLS version 1 protocol will be accepted.
b Select the minimum level of cryptography from the Minimum Crypto Level Strength drop-down list.
c Click OK to return to the Enforcements tab.
Configuring the Web/Secure Web URL Control tab
To configure URL control properties for a Web/Secure Web defense, click the URL Control tab.
Figure 71: Web/Secure Web: URL Control tab
About the URL Control tab
The URL Control tab allows you to configure URL properties, such as which HTTP operations will be allowed and which URLs will be explicitly denied. Follow the steps below.
Note: The fields in this tab will be disabled unless you select the URL Control check box on the Enforcements tab.
1 In the Allow Selected HTTP Commands area, select the commands (operations) that you want to allow users to issue by clicking the corresponding check box(es). To select all of the commands, click Select All. To deselect all of the commands, click Deselect All. A description of each command is provided within the window.
2 To disallow special characters in a query, select the Enforce Strict URLs check box. If you select this option, URLs with certain special characters will be disallowed under certain circumstances (such as RFC violation). For example: quote (“), single quote (‘), back quote (`), brackets ( [ ], { }, < >), pipe (|), back slash (\), caret (^), and tilde (~).
3 To allow international multi-byte characters in a query, select the Allow Unicode check box.
4 [Server or Combined only] In the Maximum URL Length field, specify the maximum length allowed for a URL. The default value is 1024 characters. Valid values are 1–10000.
5 To require that the HTTP version be included in all requests, select the Require HTTP Version in Request check box.
6 [Conditional] If you selected Require HTTP Version in Request in the previous step, specify the HTTP versions that you want to allow in the Allow Selected HTTP Versions area. Valid versions are 1.0 and 1.1.
7 In the Deny Specified URL Matches table, you can specify which URLs to explicitly deny. The table lists any URLs that are currently denied. To add a URL to the list, click New. To modify a URL in the list, highlight the URL and click Modify. The Edit URL Parsing Values window appears. See “Configuring the Edit URL Parsing Values window” on page 161 for information on adding a URL.
Configuring the Edit URL Parsing Values window
This window allows you to create a URL value to add to the Deny Specified URL Matches table. Follow the steps below.
1 In the String field, type the character string that, if found while checking URLs, you want to deny.
2 In the Match Parameter area, select the portion of the URL to check when attempting to match the String value:
• Host—Select this option to filter on the URL host (the hostname portion of http://hostname/path).
• Path—Select this option to filter on the URL path (the path portion of http://hostname/path).
• All—Select this option to filter on the entire request (all of http://hostname/path).
For example, Sidewinder G2 encounters the URL http://www.example.com/info/cookies.html and is looking for the character string “cookie.” If the Host option is selected, this URL will be allowed. If the Path or All option is selected, this URL will be denied.
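The URL Control steps above and the Host / Path / All example, modelled in Python as an added illustration that is not the guide's or the Sidewinder G2 software's own code; the class and its option names are assumptions, strict mode is simplified to reject any listed special character anywhere in the URL, and deny strings are matched as plain case-sensitive substrings.

```python
"""Added example, not Sidewinder G2 code: a URL Control check modelled on
the tab's options (Allow Selected HTTP Commands, Enforce Strict URLs,
Allow Unicode, Maximum URL Length, Require HTTP Version in Request, and
Deny Specified URL Matches with Host / Path / All match parameters).
Sample URLs used with it are constructed."""
from urllib.parse import urlsplit

# Characters the guide lists for Enforce Strict URLs
STRICT_URL_SPECIALS = set('"\'`[]{}<>|\\^~')


class UrlControl:
    def __init__(self, allowed_commands, max_url_length=1024,
                 enforce_strict_urls=False, allow_unicode=False,
                 require_http_version=False, allowed_versions=("1.0", "1.1"),
                 deny_matches=()):
        # Valid values for Maximum URL Length are 1-10000 (default 1024)
        if not 1 <= max_url_length <= 10000:
            raise ValueError("Maximum URL Length must be 1-10000")
        self.allowed_commands = {c.upper() for c in allowed_commands}
        self.max_url_length = max_url_length
        self.enforce_strict_urls = enforce_strict_urls
        self.allow_unicode = allow_unicode
        self.require_http_version = require_http_version
        self.allowed_versions = set(allowed_versions)
        # (string, match_parameter) pairs from the Deny Specified URL Matches
        # table; match_parameter is "host", "path" or "all"
        self.deny_matches = list(deny_matches)

    def check(self, command, url, http_version=None):
        """Return None if the request passes, else the reason it is denied."""
        if command.upper() not in self.allowed_commands:
            return f"HTTP command {command} not allowed"
        if self.require_http_version:
            if http_version is None:
                return "HTTP version missing from request"
            if http_version not in self.allowed_versions:
                return f"HTTP version {http_version} not allowed"
        if len(url) > self.max_url_length:
            return f"URL length {len(url)} exceeds {self.max_url_length}"
        if not self.allow_unicode and any(ord(ch) > 127 for ch in url):
            return "multi-byte characters not allowed (Allow Unicode is off)"
        if self.enforce_strict_urls:
            # Simplification: any listed special character anywhere is rejected
            found = sorted(set(url) & STRICT_URL_SPECIALS)
            if found:
                return "strict URL check failed on " + " ".join(found)
        parts = urlsplit(url)
        # Host = hostname only, Path = the path, All = the entire request URL
        portions = {"host": parts.hostname or "", "path": parts.path, "all": url}
        for string, where in self.deny_matches:
            if string in portions[where]:
                return f"URL matches denied string {string!r} ({where})"
        return None
```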
Configuring the Web/Secure Web HTTP Request tab
To configure HTTP Request properties for a Web/Secure Web defense, click the HTTP Request tab. The following window appears.
Figure 72: Web/Secure Web: HTTP Request tab
About the HTTP Request tab
The HTTP Request tab allows you to configure header filtering for HTTP requests. This tab is only available if you selected Server or Combined in the Type field. Follow the steps below.
Note: The fields in this tab will be disabled unless you select the HTTP Request check box on the Enforcements tab.
1 Select the type of HTTP header filtering you want to allow or deny in the Selected HTTP Request Header Filter Types area. The following options are available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx request headers (commonly found in user-defined headers). If you create an Allow list and do not include the X-* filter type, most Web traffic will be denied.
• None—Select this option if you want to deselect all HTTP request header filter types in the list. (You can also deselect all of the types by clicking Deselect All.)
• Standard—Select this option if you want to automatically select all of the header types contained in the list. (You can also select all header types by clicking Select All.)
• Paranoid—Select this option if you want to exclude all options not defined in the RFC.
• Custom—Select this option if you want to manually configure which HTTP header types you will allow or deny.
2 In the Filter Option field, determine whether you want to allow or deny the header types you select, as follows:
• Allow—Select this option to allow all header types that are selected in the HTTP Request Header Filter Types window. All other types will be denied.
• Deny—Select this option to deny all header types that are selected in the HTTP Request Header Filter Types window. All other types will be allowed.
3 In the Denied Header Action area, select one of the following options:
• Block Entire Page—Select this option to block the entire page when an HTTP header is denied.
• Allow Page Through Without Denied Headers—Select this option to mask the denied HTTP header, but still allow the page to be viewed. (A denied HTTP header will be overwritten with X’s.)
Configuring the Web/Secure Web HTTP Reply tab
To configure HTTP Reply properties for a Web/Secure Web defense, click the HTTP Reply tab. The following window appears.
Figure 73: Web/Secure Web: HTTP Reply tab
About the HTTP Reply tab
The HTTP Reply tab allows you to configure header filtering for HTTP replies. Follow the steps below.
Note: The fields in this tab will be disabled unless you select the HTTP Reply check box on the Enforcements tab. Also, this tab is not available for Secure Web if you select Client in the Type field.
1 In the Filter Option field, determine whether you want to allow or deny the header types you select, as follows:
• Allow—Select this option to allow all header types that are selected in the HTTP Reply Header Filter Types window. All other types will be denied.
• Deny—Select this option to deny all header types that are selected in the HTTP Reply Header Filter Types window. All other types will be allowed.
2 Select the type of HTTP header filtering you want to allow or deny in the Selected HTTP Reply Header Filter Types area. The following options are available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply headers (commonly found in user-defined headers). If you create an Allow list and do not include the X-* filter type, most Web traffic will be denied.
• None—Select this option if you want to deselect all HTTP reply header filter types in the list. (You can also deselect all of the types by clicking Deselect All.)
• Standard—Select this option if you want to automatically select all of the header types contained in the list. (You can also select all header types by clicking Select All.)
• Paranoid—Select this option if you want to exclude all options not defined in the RFC.
• Custom—Select this option if you want to manually configure which HTTP reply header types you will allow or deny.
3 In the Denied Header Action area, select one of the following options:
• Block Entire Page—Select this option to block the entire page when an HTTP reply header is denied.
• Allow Page Through Without Denied Headers—Select this option to mask the denied HTTP reply header, but still allow the page to be viewed. (A denied HTTP reply header will be scrubbed.)
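The header filtering described for both the HTTP Request tab and the HTTP Reply tab, as an added Python illustration that is not the guide's or the Sidewinder G2 software's own code: a Custom filter list with the Allow/Deny Filter Option, the X-* wildcard (and why an Allow list without it denies ordinary traffic), and the two Denied Header Actions; the class and option names are assumptions, and masking is shown as the X-overwrite the HTTP Request tab describes.

```python
"""Added example, not Sidewinder G2 code: HTTP header filtering modelled on
the HTTP Request / HTTP Reply tabs. Masking overwrites a denied value with
X's, as the HTTP Request tab describes; the same masking is used here for
replies, which the guide only calls "scrubbed". Sample headers are
constructed."""


def header_matches(name, filter_type):
    """True if header `name` is covered by `filter_type`. "X-*" is the
    wildcard for every X-xxx header; any other type is an exact,
    case-insensitive name match."""
    name, filter_type = name.lower(), filter_type.lower()
    if filter_type == "x-*":
        return name.startswith("x-")
    return name == filter_type


class HeaderFilter:
    def __init__(self, filter_types, filter_option="allow", denied_action="block"):
        if filter_option not in ("allow", "deny"):
            raise ValueError("filter_option must be 'allow' or 'deny'")
        if denied_action not in ("block", "mask"):
            raise ValueError("denied_action must be 'block' or 'mask'")
        self.filter_types = list(filter_types)
        # Allow: listed types pass, all others denied; Deny: the reverse
        self.filter_option = filter_option
        # block = Block Entire Page; mask = Allow Page Through Without Denied Headers
        self.denied_action = denied_action

    def is_denied(self, name):
        listed = any(header_matches(name, t) for t in self.filter_types)
        return not listed if self.filter_option == "allow" else listed

    def apply(self, headers):
        """Filter a list of (name, value) pairs. Returns (blocked, headers_out,
        denied_names); blocked=True means the entire page is dropped."""
        denied = [name for name, _ in headers if self.is_denied(name)]
        if denied and self.denied_action == "block":
            return True, [], denied
        out = [(name, "X" * len(value) if self.is_denied(name) else value)
               for name, value in headers]
        return False, out, denied
```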
Configuring the Web/Secure Web MIME/Virus/Spyware tab
To configure MIME/virus/spyware properties for a Web/Secure Web defense, click the MIME/Virus/Spyware tab. The following window appears.
Figure 74: Web/Secure Web: MIME/Virus/Spyware tab
About the MIME/Virus/Spyware tab
The MIME/Virus/Spyware tab allows you to configure filtering for MIME, virus, and spyware scanning services. The tab contains a rule table that displays any MIME/Virus/Spyware filtering rules that have been created. The tab also contains various virus scanning and handling configuration options.
Note the following:
• The fields in the MIME/Virus/Spyware tab will be disabled unless you select the MIME/Virus/Spyware check box on the Enforcements tab.
• For Web defenses, MIME/Virus/Spyware scanning services are not available if you select Server in the Type field.
• For Secure Web defenses, MIME/Virus/Spyware scanning services are not available if you select Client in the Type field.
• Virus and spyware scanning is performed on data sent from the client if the request method is either PUT or POST, and the appropriate file type is specified for scanning in the MIME/Virus/Spyware filtering rules table.
To configure MIME/Virus/Spyware properties for an Application Defense, follow the steps below.
Important: You must license and configure scanning services before the MIME/Virus/Spyware filter rules you create will scan HTTP/HTTPS traffic. See “Configuring virus scanning services” on page 69.
1 Configure the appropriate MIME/Virus/Spyware filter rules in the MIME/Virus/Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see “Configuring MIME filtering rules” on page 166.
• Modify an existing filter rule—To modify an existing filter rule, select the rule you want to modify, and click Modify. See “Configuring MIME filtering rules” on page 166. (If you are modifying the default MIME filtering rule, see “Configuring the Default filtering rule action” on page 168.)
• Delete a filter rule—To delete an existing filter rule, select the rule you want to delete and click Delete. You will be prompted to confirm your decision.
2 Determine how infected files will be handled in the Infected File Handling area as follows:
• To discard infected files, select Discard Infected Files.
• To remove the virus from the file and then continue processing the file, select Repair Infected Files.
3 To reject all files in the event that scanning is not available, select the Reject All Files If Scanning Is Unavailable check box. If you select this option, the connection will be dropped if scanning is unavailable.
4 In the Scan File Size Limit (KB) field, specify the maximum file size that will be allowed in KB. If a file exceeds the size specified in this field, filtering will not take place and the file will be denied.
Configuring MIME filtering rules
When you click New or Modify beneath the MIME/Virus/Spyware Filter Rules area, the MIME/Virus/Spyware Rule Edit window appears. This window allows you to add or modify MIME/Virus/Spyware filtering rules.
Important: Rules that are configured with an allow or deny action will allow or deny traffic based on the rule criteria defined for those rules. Allow and deny rules do not perform virus scanning. To perform virus scanning for traffic that matches a rule before it is allowed, you must specify Virus/Spyware Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose to leave the default allow rule as the last rule in your table (that is, all traffic that isn’t explicitly denied will be allowed), you will need to configure the appropriate virus scan and/or deny rules and place them in front of the default allow rule. If you configure the default rule action to deny (that is, all traffic that is not explicitly allowed will be denied), you will need to configure the appropriate virus scan and/or allow rules and place them in front of the default deny rule.
To create MIME/Virus/Spyware rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny any traffic that matches either the MIME type or a file extension. That is, the traffic does not need to match both criteria to match the rule.
1 In the MIME Type drop-down list, select the MIME type for which you want to filter. If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
2 In the MIME Subtype drop-down list, select a subtype for the MIME type that you selected in the previous step (the available options will vary depending on the MIME type you selected in the previous step). If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
3 In the File Extensions area, specify the type of file extensions that you want to filter:
• Ignore Extensions (*)—Select this option to ignore extensions when determining a match.
• Archive Extensions—Select this option to specify basic archive extensions (such as .tar, .zip, etc.) for the specified MIME type/subtype.
• Standard Extensions—Select this option to specify the standard file extensions associated with the selected MIME type/subtype. For example, if you select text in the MIME Type field, and HTML in the MIME Subtype field, the .htm and .html file extensions will appear in the standard list.
• Custom—Select this option to create a custom list of file extensions for the selected MIME type/subtype. To add a file extension to the list, click New and see “Configuring the Add New File Extension window” on page 167. To delete a file extension, select the extension you want to delete and click Delete. You can use the Reset button to clear all extensions from the list, or to select a different file extension list (Archive or Standard).
4 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file extensions that you specified in the previous steps. (Virus scanning will not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions that you specified in the previous steps. (Virus scanning will not be performed.)
• Virus/Spyware Scan—Select this option if you want to perform virus scanning on the file extensions that you specified in the previous steps. If no viruses are detected, the file will be allowed through the system.
Configuring the Add New File Extension window
This window allows you to specify additional file extensions on which to filter. In the File Extension field, type the extension (without the leading period) that you want to add, and then click Add. The file extension is added to the Custom file extension list.
If you select the Custom file extension option, all file extensions listed in the box will be allowed, denied, or filtered, depending on the action you select.
Configuring the Default filtering rule action
The default filter rule is a catch-all rule designed to occupy the last position in your rule table. To modify the default action for the default MIME filtering rule, do the following:
1 Select the default rule in the table and click Modify. The MIME Default Action window appears.
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all data that does not match other filter rules. If you leave the default rule as an allow rule, you must create filter rules that require virus scanning or explicitly deny any MIME types that you do not want to allow, and place them in front of the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a filter rule, you must create the appropriate virus scan and allow rules and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware scanning for traffic that does not match any allow or deny filter rules you create, select this option. You will then need to create the appropriate allow and deny rules that will not require scanning.
Configuring the Web/Secure Web Content Control tab
To configure content control properties for a Web/Secure Web defense, click the Content Control tab. The following window appears.
Figure 75: Web/Secure Web Content Control tab
About the Content Control tab
The Content Control tab allows you to configure filtering to deny certain types of embedded objects. Follow the steps below.
Note: If you are configuring a Web or Secure Web defense for type Server, you will only be allowed to select the Deny SOAP option. If you are configuring a Web defense for type Client, the Deny SOAP option is not available.
1 Select the Deny ActiveX Controls check box to scrub ActiveX embedded objects from the Web content.
2 Select the Deny Java Applets check box to scrub Java applet objects from the Web content.
3 Select the Deny Scripting Languages check box to scrub scripting languages from the Web content.
4 Select the Deny SOAP check box to scrub SOAP embedded objects from the Web content. In some cases, selecting this option can cause the entire page to be denied if it contains SOAP embedded objects.
Configuring the Web/Secure Web SmartFilter tab
Figure 76: Web/Secure Web: SmartFilter tab
About the Web/Secure Web SmartFilter tab
When SmartFilter is configured, the SmartFilter tab allows you to determine whether requests will be rejected if the SmartFilter server is unavailable. Select the Reject all requests if SmartFilter is unavailable check box to reject any requests that occur when the SmartFilter server on Sidewinder G2 is unavailable.
For more information about configuring SmartFilter 4.x for Sidewinder G2, see “Configuring SmartFilter for HTTP/HTTPS” on page 630.
Configuring the Web/Secure Web Connection tab
The Web/Secure Web Connection tab allows you to configure basic connection properties, such as the type of connection that will be allowed (transparent, non-transparent, or both), timeout properties, and fast path session properties. You can also configure whether to send traffic to an upstream proxy.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Web Cache Application Defenses
To configure Web Cache Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Web Cache. The following window appears. (Figure 77 displays only the bottom portion of the window.)
Figure 77: Application Defenses: Web Cache window
Configuring the Web Cache Application Defense window
This window allows you to configure SmartFilter 3.x properties for the Web Proxy server (Squid). Follow the steps below.
Note: A newer SmartFilter version (4.0.2) is available and is configured using the Web or Secure Web Application Defense. New web filtering subscribers should start with SmartFilter for Web and Secure Web, and existing users should consider upgrading. For either version, you must first enable SmartFilter (Services Configuration > SmartFilter).
1 Configure the SmartFilter category table. The SmartFilter category table displays the available SmartFilter categories, as well as the configured properties for each category. To modify the properties for a SmartFilter category, select the category that you want to modify, and click Modify. See “Modifying a SmartFilter category” on page 171.
2 To filter URLs to deny specific file extension types, click New in the Denied File Extensions area. To modify an existing file extension, select the file extension you want to modify and click Modify in the Denied File Extensions area. See “Configuring the SmartFilter File Extension window” on page 172 for information about adding or modifying a denied file extension.
3 [Conditional] To slow the download process for filtered sites, in the Delay field, type the amount of time (in seconds) that you want to delay the Web page display. Delaying the download time discourages users from browsing certain sites because it takes longer for those pages to be displayed. Valid values are 1–999.
Note: The Delay field applies to ALL categories in a rule that are set to Delay. For example, if you have set Chat, Entertainment, and Art/Culture to delay, and enter 30 seconds in the Delay field, sites that fall into any of the three categories will be delayed by 30 seconds.
4 To deny Web access if a user attempts to access a site using an IP address rather than a URL, select the Deny IP Addresses check box. Secure Computing recommends enabling this check box.
5 To deny unclassified personal pages, select the Deny Unclassified Personal Pages check box.
Note: Unclassified personal pages are pages that consist of uncategorized URLs that contain a tilde, such as www.rootsweb.com/~wgnorway/. This option does not refer to the Personal Pages category. It refers only to pages whose URL contains a tilde (~), as described above.
6 Click the Save icon to save your changes when you are finished configuring an Application Defense.
Modifying a SmartFilter category
When you select a SmartFilter category and click Modify in the SmartFilter tab, the SmartFilter Modification window appears. This window enables you to change the settings for the selected SmartFilter category. The Category field in the top portion of the window displays the SmartFilter category you selected for modification. Follow the steps below.
1 In the Permission field, specify whether access to the selected SmartFilter category will be allowed or denied by selecting the appropriate option from the drop-down list.
2 In the Special Handling field, specify whether SmartFilter will process Web requests to this category in a special manner. Valid options are:
• None—No special handling is performed.
• Coach—A predefined message is displayed to users informing them that the site has been filtered, but allows them to proceed at their own risk. The predefined message can be modified by editing the /usr/local/squid/etc/errors/ERR_SCC_SMARTFILTER_COACH file.
Note: The Coaching feature works with all Internet Explorer browsers and with Netscape browsers at version 6.0 or greater.
• Delay—Slows the download process of filtered sites. This discourages users from browsing certain sites because it takes longer for those pages to be displayed. The delay time is specified in the Set SmartFilter Delay field on the main SmartFilter tab.
Configuring the SmartFilter File Extension window
This window allows you to specify file extensions that will be denied. To add a file extension that you want to deny, type the extension in the Denied File Extension window. Do not include a period (.) in front of the file extension.
Creating Mail (Sendmail) Application Defenses
Mail (Sendmail) Application Defenses are used in SMTP proxy rules. To configure Mail (Sendmail) Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Mail (Sendmail). The following window appears. (Figure 78 displays only the bottom portion of the window.)
Figure 78: Application Defenses: Mail (Sendmail) window
Note: You must have Secure Split SMTP mail servers configured to use mail filtering.
Configuring the Mail (Sendmail) Control tab
This tab allows you to configure filtering for sendmail services. The Anti-Relay feature prevents your mailhost from being used by a hacker as a relay point for spam to other sites. This option is automatically enabled for all mail defenses and cannot be disabled.
To configure a Mail (Sendmail) Application Defense, follow the steps below.
1 To enable (or disable) a particular type of filtering, select the appropriate check box in the Enable Mail Filters area. Once you enable a mail filter, you can configure it by selecting the appropriate tab. You cannot configure a mail filter unless you have selected it in this tab. The following filters can be enabled:
• Size Filter—The Size filter allows you to specify the maximum size for mail messages. To configure the Size filter once it has been enabled, select the Size Filter tab and see “About the Mail (Sendmail) Size tab” on page 174.
• Keyword Search Filter—The Keyword Search filter allows you to filter mail messages based on the presence of defined key words (character strings). To configure the Keyword Search filter once it has been enabled, select the Keyword Search tab and see “About the Keyword Search tab” on page 175.
• MIME/Virus/Spyware Filter—The MIME/Virus/Spyware filter allows you to configure MIME, virus, and spyware filtering for e-mail messages. To configure the filter once it has been enabled, select the MIME/Virus/Spyware tab and see “Configuring the Mail (Sendmail) MIME/Virus/Spyware tab” on page 177.
• Spam/Fraud Filter—The Spam/Fraud filter allows you to filter out mail messages that fall under the “spam” and “fraud” profile. The Spam/Fraud filter can only be enabled or disabled in this window.
  • To enable spam and fraud filtering, select this check box. To disable spam and fraud filtering, clear the check box.
  • To receive automatic updates for the spamfilter server, enable the spamfilter cron job. See “Spamfilter cron job” on page 599 for more information.
  • If desired, you can modify the default actions for the Spam/Fraud filter in the appropriate configuration file(s) using the Admin Console File Editor. See “Configuring advanced anti-spam and anti-fraud options” on page 356 for details.
  Before using the anti-spam service, the Anti-Spam add-on module must be licensed and the spamfilter server must be enabled.
2 To specify how mail messages that are rejected should be handled, select one of the following options in the Rejected Mail Handling field:
• Discard—Select this option if you want to discard rejected mail messages without notifying the sender.
• Return To Sender—Select this option if you want to send a rejection notice to the sender.
Note: If a message is denied by the MIME/Virus/Spyware filter rules (configured in the MIME/Virus/Spyware tab), that message will be discarded without sending a rejection notice regardless of which option you select here.
Configuring the Mail (Sendmail) Size tab
To configure size restrictions for a Mail (Sendmail) defense, select the Size tab. The following window appears.
Figure 79: Mail (Sendmail) Size tab
About the Mail (Sendmail) Size tab
The Size filter checks e-mail messages for the number of bytes the message contains, including the message header. A message is rejected if it is greater than or equal to the threshold size you specify when you configure a filter.
To configure the Size filter, in the Maximum Message Size field specify the maximum message size (in KB) that will be allowed to pass through the Sidewinder G2. The default is 1024 KB. Valid values are 1–2147483647 KB.
Configuring the Mail (Sendmail) Keyword Search tab
To configure key words (character strings) that will be filtered for a Mail (Sendmail) defense, select the Keyword Search tab. The following window appears.
Figure 80: Keyword Search tab
About the Keyword Search tab
The Keyword Search tab allows you to configure the Sidewinder G2 to perform a search for specified character set(s), or key words, within an e-mail message. The search scans the message’s header and body sections. If the mail body contains MIME-encoded attachments, the encoded attachments are scanned. If the filter finds a specific number of key word matches, the message is rejected. If the filter does not match a specific number of key words, it passes the message on to the next filter or to the intended recipient.
Select your key words carefully. For best results:
• Use spaces before and after each defined phrase.
• Create a comprehensive list of phrases instead of relying on wildcard-like searching.
• Note that key word searching is most reliable on MIME attachments with ASCII content-types. If dealing with non-ASCII types of attachments, false positives are likely if the key words are short and the attachments are long.
Following these guidelines can decrease the chance of mistakenly rejecting a legitimate message.
To configure character sets to search for, follow the steps below.
1 Verify that the kmvfilter server is enabled in the appropriate burbs (Services Configuration > Servers).
2 In the Minimum Number of Phrase Matches Required for Rejection of Message field, specify the number of key word matches that must be found in a message before it is rejected.
3 In the Total Number of Phrase Matches to Verify Before Rejection field, specify whether the filter will search the entire message for key words, or whether it will stop searching for key words once the minimum number of matches is met:
• Minimum—Select this option if you want the filter to stop searching and fail the message as soon as the minimum number of key word matches is met. This is based on the number that you enter in the previous step. The filter will reject a mail message once the minimum number of key words are matched.
• All—Select this option if you want the filter to continue searching the message for key words after the minimum number of key word matches is met, for auditing purposes. After searching the entire message for key word matches, the message is rejected.
4 The Phrase List table provides the list of phrases that will be filtered for this Application Defense. The table contains three columns:
• Before—This column indicates whether a space is required immediately before the specified phrase to match the filter. An asterisk (*) indicates that the phrase will not match unless there is a space immediately in front of the phrase.
• Phrase Text—This column lists each phrase for which the filter will search.
• After—This column indicates whether a space is required immediately after the specified phrase to match the filter. An asterisk (*) indicates that the phrase will not match unless there is a space immediately following the phrase.
To add a phrase, click New. To modify a phrase, highlight the appropriate row and click Modify. The Keyword Search: Phrase Edit window appears.
Configuring the Keyword Search: Phrase Edit window
When you click New or Modify beneath the Phrase List area, the Keyword Search Phrase Edit window appears. This window allows you to add or modify character strings (known as “key words”). Follow the steps below.
1 In the Text field, type the text you want to filter. The keyword search is not case sensitive. The character string must consist of at least two characters. You can include any printable character, as well as spaces.
Note: Some special characters, such as a space, will be displayed in the Key Word list using their hexadecimal equivalents.
You can also define a key word entry that consists partly or entirely of binary characters. The binary characters you want to search for are entered into the Key Word list using their hexadecimal equivalents. Each character must be preceded with a backslash (\). This distinguishes the character from a regular character. You can specify several characters in a row, but each character must be preceded by a backslash. You can also intermingle the binary characters with regular characters. For example, the following are valid entries in the Key Word list:
– \ac\80\fe
– \ff\00\fb\40secrets
– password\df\01\04
Only valid hexadecimal characters are allowed immediately following a backslash. To use the backslash character as part of a key word entry, you must type a double backslash (\\).
Note: The exception is \0a (the new line character). The filter will not detect a key word that contains this character unless it is the first character in the key word entry or unless the character is preceded by the \0d (the line feed) character (e.g., \0d\0a).
2 If you want to require that there be white space directly in front of and/or after a key word, select the Require whitespace immediately before phrase and/or Require whitespace immediately after phrase check boxes, accordingly. This prevents the filter from misidentifying character strings that innocently appear as part of another word.
Figure 81: Mail (Sendmail) MIME/Virus/Spyware tab
About the Mail (Sendmail) MIME/Virus/Spyware tab
For example, if you require whitespace before and after the key word “for,” words like “forest,” “formula,” “information,” and “uniform” will be allowed to pass through the filter, while the word “for” would not. If you do not require whitespace before and after the key word “for,” the “for” string within those words would match the filter and cause the message to be rejected (if the specified number of matches are found).
3 To add the new or modified key word, click OK.
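The following Python model of the Phrase Edit semantics (the \xx hex escapes, \\ for a literal backslash, the two-character minimum, case-insensitive matching, the whitespace-before/after options, the Minimum versus All verification modes, and the \0a restriction) is an added illustration, not the kmvfilter implementation. The sample message is constructed; treating the start and end of the message as whitespace boundaries and storing typed characters as Latin-1 bytes are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

WHITESPACE = b" \t\r\n"


@dataclass
class Phrase:
    """One row of the Phrase List: the entry as typed plus the two whitespace options."""
    text: str
    before: bool = False      # Require whitespace immediately before phrase
    after: bool = False       # Require whitespace immediately after phrase


def parse_phrase(entry: str) -> bytes:
    """Decode a Key Word entry: \\xx is one byte given in hex, \\\\ is a literal
    backslash, anything else is a printable character (stored as Latin-1, an assumption)."""
    out = bytearray()
    i = 0
    while i < len(entry):
        if entry[i] != "\\":
            out += entry[i].encode("latin-1")
            i += 1
        elif entry.startswith("\\\\", i):
            out.append(0x5C)                  # escaped backslash
            i += 2
        else:
            hexpair = entry[i + 1:i + 3]
            if not re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
                raise ValueError(f"only hex digits may follow a backslash: {entry!r}")
            out.append(int(hexpair, 16))
            i += 3
    if len(out) < 2:
        raise ValueError("a key word must consist of at least two characters")
    return bytes(out)


def newline_safe(entry: str) -> bool:
    """True if every \\0a byte is either first in the entry or preceded by \\0d,
    the only placements the guide says the filter will detect."""
    needle = parse_phrase(entry)
    return all(i == 0 or needle[i - 1] == 0x0D
               for i, b in enumerate(needle) if b == 0x0A)


def iter_matches(message: bytes, phrase: Phrase) -> Iterator[int]:
    """Yield the offset of each non-overlapping, case-insensitive match that also
    satisfies the whitespace-before/after requirements of the phrase."""
    needle = parse_phrase(phrase.text).lower()   # bytes.lower() folds ASCII letters only
    hay = message.lower()
    pos = hay.find(needle)
    while pos >= 0:
        end = pos + len(needle)
        ok_before = not phrase.before or pos == 0 or hay[pos - 1] in WHITESPACE
        ok_after = not phrase.after or end == len(hay) or hay[end] in WHITESPACE
        if ok_before and ok_after:
            yield pos
        pos = hay.find(needle, end)


def keyword_filter(message: bytes, phrases: List[Phrase], minimum: int,
                   verify: str = "Minimum") -> Tuple[bool, int]:
    """Return (rejected, matches_counted). "Minimum" stops and fails the message as
    soon as the threshold is reached; "All" keeps counting for the audit record."""
    total = 0
    for phrase in phrases:
        for _ in iter_matches(message, phrase):
            total += 1
            if verify == "Minimum" and total >= minimum:
                return True, total
    return total >= minimum, total


# Constructed sample message (header and body, CRLF line endings).
SAMPLE_MESSAGE = (b"From: alice@example.com\r\n"
                  b"Subject: for the forest\r\n\r\n"
                  b"More information on uniform formula, see PASSWORD\xdf\x01\x04 attached.\r\n")


if __name__ == "__main__":
    loose = Phrase("for")
    strict = Phrase("for", before=True, after=True)
    print(len(list(iter_matches(SAMPLE_MESSAGE, loose))))   # 5: for, forest, information, uniform, formula
    print(len(list(iter_matches(SAMPLE_MESSAGE, strict))))  # 1: only the stand-alone "for"
    print(keyword_filter(SAMPLE_MESSAGE, [strict, Phrase(r"password\df\01\04")], minimum=2))
```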
Configuring the Mail (Sendmail) MIME/Virus/Spyware tab
To configure MIME, virus, and spyware filtering options for a Mail defense, select the MIME/Virus/Spyware tab. The following window appears.
The MIME/Virus/Spyware tab allows you to configure MIME, virus, and spyware filtering services. The tab contains a rule table that displays any MIME/Virus/Spyware filtering rules that have been created. It also contains various virus/spyware scanning and handling configuration options.
Important: You must license and configure additional services before the MIME/Virus/Spyware filter rules you create will scan mail messages. See “Configuring virus scanning services” on page 69.
To configure MIME/Virus/Spyware properties for an Application Defense, verify that the Control tab’s MIME/Virus/Spyware check box is selected and then follow the steps below.
Security Alert: If you want to perform virus and spyware scanning, you must create the appropriate rules with Virus/Spyware Scan selected in the Action field. Rules that are configured only to allow or deny traffic based on rule criteria will not perform virus and spyware scanning. (See step 1 for information on configuring MIME/Virus/Spyware filter rules.)
1 Configure the appropriate MIME/Virus/Spyware filter rules in the MIME/Virus/Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see “Configuring MIME filtering rules” on page 166.
• Modify an existing filter rule—To modify an existing filter rule, select the rule you want to modify, and click Modify. See “Configuring MIME filtering rules” on page 166. (If you are modifying the default MIME filtering rule, see “Configuring the Default filtering rule action” on page 168.)
• Delete a filter rule—To delete an existing filter rule, select the rule you want to delete and click Delete. You will be prompted to confirm your decision.
2 Determine how infected files will be handled by selecting one of the following options:
• Discard Infected Files—Select this option to discard infected files.
• Repair Infected Files—Select this option to remove the virus from the file and then continue processing the file.
3 To reject all files in the event that scanning is not available, select the Reject All Files If Scanning Is Unavailable check box. If you select this option, files will either be discarded or returned to sender as specified by the Rejected Mail Handling option selected on the Mail (Sendmail) Control tab.
4 In the Scan File Size Limit (KB) field, specify the maximum file size that will be allowed (in KB). If a file exceeds the size specified in this field, scanning will not take place and the file will be denied.
5 Select Full Scan of Entire Mail Message if you want to perform scanning on the entire mail message (that is, the message with all of its MIME types is scanned as a single entity). A mail message is scanned only if one or more of its extensions match the MIME type/subtype settings on a filter rule with Virus/Spyware Scan selected. If this check box is clear, each piece of the mail message is scanned and handled independently.
6 Select Discard mail with denied attachments if you want to discard mail once a MIME/Virus/Spyware filter rule denies its attachment(s). If you select this option, files will either be discarded silently (the sender is not notified) or returned to sender, as specified by the Rejected Mail Handling option selected on the Mail (Sendmail) Control tab. If this option is not selected, the message is sent on without the denied attachment.
Configuring MIME filtering rules
When you click New or Modify beneath the MIME/Virus/Spyware Filter Rules area, the MIME Rule Edit window appears. This window allows you to add or modify a MIME filtering rule.
Important: Rules that are configured with an Allow or Deny action will allow or deny messages based on the rule criteria defined within the rule. Allow and deny rules do not perform virus and spyware scanning. To perform virus and spyware scanning for messages that match a rule before they are allowed, you must specify Virus/Spyware Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose to leave the default allow rule as the last rule in your table (that is, all mail that isn’t explicitly denied will be allowed), you will need to configure the appropriate virus/spyware scan and/or deny rules and place them in front of the default allow rule.
If you configure the default rule action to deny (that is, all mail that is not explicitly allowed will be denied), you will need to configure the appropriate virus/spyware scan and/or allow rules and place them in front of the default deny rule. In this scenario, if you want to allow multipart/mixed MIME elements within a mail message (which is fairly common), you will need to create an allow rule with Multipart selected in the Type field and Mixed selected in the Subtype field. If you do not create this type of allow rule when using a default deny rule, any mail message that contains multiple MIME types will be denied.
To configure MIME/Virus/Spyware Filter rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny any traffic that matches either the MIME type or a file extension. That is, the traffic does not need to match both criteria to match the rule.
1 In the MIME Type drop-down list, select the MIME type for which you want to filter. If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
2 In the MIME Subtype drop-down list, select a subtype for the MIME type that you selected in the previous step (the available options vary depending on the MIME type you selected). If you select the asterisk (*) option, the filter rule will ignore this field when determining a match.
3 In the File Extensions area, specify the type of file extensions that you want to filter:
• Ignore Extensions (*)—Select this option to ignore extensions when determining a match.
• Archive Extensions—Select this option to match basic archive extensions (such as .tar, .zip, etc.).
• Standard Extensions—Select this option to match standard file extensions associated with the selected MIME type/subtype. For example, if you select text in the MIME Type field and HTML in the MIME Subtype field, the .htm and .html file extensions will appear in the standard list.
• Custom—Select this option to create a custom list of file extensions for the selected MIME type/subtype. To add a file extension to the list, click New and see “Configuring the Add New File Extension window” on page 167. To delete a file extension, select the extension you want to delete and click Delete. You can use the Reset button to clear all extensions from the list, or to select a different file extension list (Archive or Standard).
4 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file extensions that you specified in the previous steps. (Virus scanning will not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions that you specified in the previous steps. (Virus scanning will not be performed.) A message is added, informing the user that a file was removed.
• Virus/Spyware Scan—Select this option if you want to perform virus and spyware scanning on the file extensions that you specified in the previous steps. If no viruses or spyware are detected, the file will be allowed through the system.
5 Click OK to save the rule.
Configuring the Add New File Extension window<br />
This window allows you to customize the file extensions on which to filter. In<br />
the File Extension field, type the extension (without the leading period) that<br />
you want to add, and then click Add. The file extension is added to the Custom<br />
file extension list.<br />
When you select the Custom file extension option, all file extensions listed in<br />
the box will be allowed, denied, or filtered depending on the action you select.<br />
Configuring the Default filter rule action<br />
The default filter rule is a catch-all rule designed to occupy the last position in<br />
your rule table. To modify the default action for the default MIME filtering rule,<br />
do the followings:<br />
1 Select the default rule in the table and click Modify. The MIME Default<br />
Action window appears.
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all messages that do not match other filter rules. If you leave the default rule as an allow rule, you must create filter rules that require virus scanning or explicitly deny any MIME types that you do not want to allow, and place them in front of the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a filter rule, you must create the appropriate virus/spyware scan and allow rules, and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware scanning for messages that do not match other allow or deny filter rules, select this option. You will then need to create the appropriate allow and deny rules that will not require scanning.
The default behavior is changed.
Creating Mail (SMTP proxy) Defenses
The Mail (SMTP proxy) Application Defense allows you to filter mail using the SMTP proxy based on destination address and determine if source routing is supported. It also allows you to limit the length of replies received from mail servers. To configure Mail (SMTP proxy) Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Mail (SMTP proxy). The following window appears.
Figure 82: Mail (SMTP proxy): Enforcements tab
Configuring the Mail (SMTP proxy) Enforcements tab
The Mail (SMTP proxy) Enforcements tab allows you to enable destination-based mail filtering and to limit the length of replies received from mail servers. Follow the steps below.
1 Select Enforce SMTP Command Filtering to configure the Commands tab, which sets the list of the allowed mail commands.
2 If you enabled SMTP command filtering in step 1, select Enforce Destination Address Filtering to configure the Destination Address tab, which sets the filtering parameters.
3 To filter replies from mail servers, select one of these two options:
• Allow any size of server replies—Select this option if you do not want a limit enforced.
• Enforce limit on server reply length—Select this option to put a limit on the length of messages received from mail servers. A message is rejected if it is greater than the specified character limit. The default is 256 characters. Valid values are 3–1024.
Configuring the Mail (SMTP proxy) Commands tab
Figure 83: Mail (SMTP proxy): Commands tab
The Commands tab allows you to specify which set of mail commands are allowed with a mail message through Sidewinder G2. To configure these options for a Mail (SMTP proxy) defense, select the Commands tab. The following window appears. Select from the following options:
Note: If you allow starttls, xexch50, xexps, or xlink2state and a session includes one of those commands, Sidewinder G2 will disallow any further SMTP command filtering for the rest of that session.
• Basic—Select this option to allow the commands typically expected when sending mail to a generic mail server.
• Exchange—Select this option to allow the commands typically expected when sending mail to a Microsoft Exchange Server.
• Sendmail—Select this option to allow the commands typically expected when sending mail to a sendmail server.
• Custom—Select this option to create a customized set of allowed commands. If you selected Basic, Exchange, or Sendmail and alter the command set, the Admin Console will automatically change your selection to Custom.
Configuring the Mail (SMTP proxy) Destination Address tab
Figure 84: Mail (SMTP proxy): Destination Address tab
The Destination Address tab allows you to filter mail based on destination address and allow or deny source routing. To configure destination address options for a Mail (SMTP proxy) defense, select the Destination Address tab. The following window appears.
The Destination Address tab allows you to configure the following options:
• Allow Source Routing—Select this option to forward mail that includes source routing information in the RCPT TO: command.
Note: Most mail does not contain source routing information.
• Allow mail to any destination—Select this option to allow mail to any destination. However, if Allow Source Routing is not enabled, any RCPT TO: command that contains source routing will be rejected. RCPT TO: commands without source routing will be forwarded.
• Only allow mail to defined destinations—Select this option to specify the domains, IP addresses, and IP ranges to which Sidewinder G2 will forward mail. Sidewinder G2 allows mail based on the contents of its RCPT TO: field; if the domain name portion of the RCPT TO: field matches a character string in the domain address list, the mail is allowed to pass.
To create or change a definition, click New or Modify and the following window appears.
Configuring the Allowed SMTP Destination window
Figure 85: Destination Address: Allowed SMTP Destination window
Use this window to allow a new mail destination or modify an existing mail destination. Match the entry to the destination’s expected format in the RCPT TO: field. Identify an allowed SMTP destination by doing one of the following:
• Specify a Fully Qualified Domain Name—Select this option to specify a fully qualified domain name (FQDN). In the Domain field, enter an FQDN, such as example.com. Check Include Subdomains to include the specified FQDN’s subdomains.
Tip: This is the most reliable option, as most destinations in the RCPT TO: field are formatted as the domain name.
• Specify an IP Address—Select this option to specify a single IP address. In the IP Address field, enter the destination as a valid IP address.
• Specify an IP Range—Select this option to specify an address range. In the Beginning of IP Address Range and End of IP Address Range fields, specify the range of addresses that are allowed.
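The following Python example, added here and not part of the guide or of Sidewinder G2 itself, shows how the Destination Address tab options combine for one RCPT TO: argument: a source-routed path is rejected first unless Allow Source Routing is on, then the domain part is matched against the three entry types (FQDN with optional subdomains, single IP address, IP range). The RCPT TO: parsing rules, the function names and the sample destination list are this example's own assumptions.

```python
# Added example (not Sidewinder G2 code): decides whether an SMTP RCPT TO:
# argument may be forwarded, following the Destination Address tab options
# (Allow Source Routing, Allow mail to any destination, Only allow mail to
# defined destinations) and the three Allowed SMTP Destination entry types.
# The parsing rules and the sample destination list are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    kind: str                     # "fqdn", "ip" or "range"
    value: str                    # FQDN, single address, or "start-end"
    include_subdomains: bool = False


def parse_rcpt_to(arg: str):
    """Split a RCPT TO: argument into (domain_part, has_source_route).

    RFC 5321 path syntax is <[@host,@host:]local@domain>; a path whose
    content starts with '@' carries a source route (assumed parsing rule).
    """
    s = arg.strip()
    if s.upper().startswith("TO:"):
        s = s[3:].strip()
    if s.startswith("<") and s.endswith(">"):
        s = s[1:-1]
    has_route = s.startswith("@")
    if has_route:
        # Drop the route list and keep only the final mailbox.
        s = s.split(":", 1)[1] if ":" in s else ""
    if "@" not in s:
        return "", has_route
    domain = s.rsplit("@", 1)[1].strip().lower()
    if domain.startswith("[") and domain.endswith("]"):   # address literal
        domain = domain[1:-1]
        if domain.upper().startswith("IPV6:"):
            domain = domain[5:]
    return domain, has_route


def _matches(dest: Destination, domain: str) -> bool:
    if dest.kind == "fqdn":
        fqdn = dest.value.lower()
        if domain == fqdn:
            return True
        # Include Subdomains: "host.example.com" matches, "notexample.com" does not
        return dest.include_subdomains and domain.endswith("." + fqdn)
    try:
        ip = ipaddress.ip_address(domain)
    except ValueError:
        return False                      # a host name never matches IP entries
    if dest.kind == "ip":
        return ip == ipaddress.ip_address(dest.value)
    if dest.kind == "range":
        start, end = (ipaddress.ip_address(p.strip()) for p in dest.value.split("-"))
        return ip.version == start.version and start <= ip <= end
    return False


def rcpt_decision(arg, allowed, allow_source_routing=False, allow_any=False):
    """Return "forward" or a "reject: ..." string for one RCPT TO: argument."""
    domain, routed = parse_rcpt_to(arg)
    # Source routing is refused first, regardless of the destination policy.
    if routed and not allow_source_routing:
        return "reject: source routing not allowed"
    if allow_any:
        return "forward"
    if not domain:
        return "reject: no destination domain"
    if any(_matches(d, domain) for d in allowed):
        return "forward"
    return "reject: destination not in allowed list"


# Constructed sample destination list (RFC 5737 documentation addresses).
SAMPLE_ALLOWED = [
    Destination("fqdn", "example.com", include_subdomains=True),
    Destination("ip", "192.0.2.10"),
    Destination("range", "198.51.100.1-198.51.100.20"),
]

if __name__ == "__main__":
    for rcpt in ("<alice@mail.example.com>", "<bob@example.net>",
                 "<@relay.example.org:carol@example.com>", "<dave@[198.51.100.7]>"):
        print(rcpt, "->", rcpt_decision(rcpt, SAMPLE_ALLOWED))
```

The source-routing check runs before the destination check on purpose: with Allow mail to any destination selected, a routed RCPT TO: is still rejected, which is the behavior the Destination Address tab describes.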
Configuring the Mail (SMTP proxy) Connections tab
The Mail (SMTP proxy) Connections tab allows you to configure timeout properties and specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Citrix Application Defenses
Figure 86: Application Defenses: Citrix window
To configure Citrix Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Citrix. The following window appears. (Figure 86 displays only the bottom portion of the window.)
Configuring the Citrix Enforcements tab
The Enforcements tab allows you to enable or disable Citrix filtering. You will not be able to configure filtering on the Citrix Filters tab unless the Citrix Filters check box is selected. When this check box is selected, the values you configure in the Citrix Filters tab will be enforced. To disable Citrix filtering, deselect the Citrix Filters check box.
Configuring the Citrix Filters tab
Figure 87: Citrix Filters tab
To configure the Citrix Filters tab, select the tab. The following window appears.
About the Citrix Filters tab
The Citrix Filters tab allows you to configure filtering properties for Citrix. To configure filters in Citrix, select the items that you want to deny. Each entry in the list represents a type of application or communication channel supported by Citrix. A check mark will appear in front of types that will be denied. Deselect the check boxes for the items you want to allow in Citrix.
To deny all of the types listed, click Select All. To allow everything (no filter restrictions), click Deselect All.
Configuring the Citrix Connections tab
The Citrix Connections tab allows you to configure timeout properties and specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating FTP Application Defenses
Figure 88: Application Defenses: FTP window
To configure FTP Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > FTP. The following window appears. (Figure 88 displays only the bottom portion of the window.)
Configuring the FTP Enforcements tab
To enable or disable FTP feature enforcement tabs, you must first select the appropriate check box in the Enforcements tab. (The Connection tab does not need to be enabled before you can configure it.) When you select the check box for a feature, that tab becomes enabled.
The following tabs can be enabled:
• Enforce Command Filtering—The FTP Command Filter tab allows you to specify the categories of FTP commands that you want to allow your users to issue.
• Enforce Virus/Spyware Scanning—The Virus/Spyware tab allows you to set the filtering parameters, such as infected file handling, which commands to scan, and which extensions to allow or deny.
Configuring the FTP Command Filter tab
This tab allows you to specify the categories of FTP commands that you want to allow your users to issue. The categories of available FTP commands, as well as a description of each, are listed in the Allowed FTP Command Categories area. For example, selecting “GET” allows the FTP commands necessary to download files from a server.
Select one of the following options:
• None—Select this option if you do not want to allow any FTP commands. (None of the check boxes will be selected.)
• All—Select this option if you want to allow all of the categories of FTP commands that are displayed. (All of the check boxes will be selected.)
• Custom—Select this option if you want to allow only certain FTP commands. To select the categories of FTP commands that will be allowed, click the appropriate check box. A check mark appears in front of commands that are allowed.
Note: If you select None or All and then make modifications to the commands, the Custom option will automatically become selected.
Configuring the FTP Virus/Spyware tab
The FTP Virus/Spyware tab allows you to configure virus and spyware scanning services. The tab contains a rule table that displays any virus and spyware filtering rules that have been created. The tab also contains various virus and spyware scanning and handling configuration options.
To configure the FTP virus and spyware scanning properties, follow the steps below.
Important: You must license and configure scanning services before the Virus/Spyware filter rules you create will scan FTP traffic. See “Configuring virus scanning services” on page 69.
1 Configure the appropriate virus and spyware filter rules in the Virus/Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see “Configuring Virus/Spyware filtering rules” on page 189.
• Modify an existing filter rule—To modify an existing filter rule, select the rule you want to modify, and click Modify. See “Configuring Virus/Spyware filtering rules” on page 189. (If you are modifying the default filtering rule, see “Configuring the Default filtering rule action” on page 190.)
• Delete a filter rule—To delete an existing filter rule, select the rule you want to delete and click Delete. You will be prompted to confirm your decision.
2 Determine how infected files will be handled in the Infected File Handling area as follows:
• To discard infected files, select Discard Infected Files.
• To remove the virus or spyware from the file and then continue processing the file, select Repair Infected Files. If the virus or spyware cannot be removed, the file will be discarded.
3 To reject all files in the event that scanning is not available, select the Reject All Files If Scanning Is Unavailable check box. If you select this option, the FTP proxy will not pass any files through Sidewinder G2 until scanning is available again.
4 Determine which commands to scan by selecting one of the following options:
• Uploads (PUT)—Scan all files going to the FTP server.
• Downloads (GET)—Scan all files coming from the FTP server.
• Uploads and Downloads (PUT, GET)—Scan all files going to (put) and coming from (get) the FTP server.
Configuring Virus/Spyware filtering rules
When you click New or Modify beneath the Virus/Spyware Filter Rules area, the Virus/Spyware: Extensions Edit window appears. This window allows you to add or modify virus/spyware filtering rules.
Important: Rules that are configured with an allow or deny action will allow or deny traffic based on the rule criteria that is defined for those rules. Allow and deny rules do not perform virus and spyware scanning. To perform virus and spyware scanning for traffic that matches a rule before it is allowed, you must specify Virus/Spyware Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose to leave the default allow rule as the last rule in your table (that is, all traffic that isn’t explicitly denied will be allowed), you will need to configure the appropriate virus/spyware scan and/or deny rules and place them in front of the default allow rule. If you configure the default rule action to deny (that is, all traffic that is not explicitly allowed will be denied), you will need to configure the appropriate virus/spyware scan and/or allow rules and place them in front of the default deny rule.
To create Virus/Spyware filter rules, follow the steps below.
1 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file extensions that you will specify in the next step. (Virus and spyware scanning will not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions that you will specify in the next step. (Virus and spyware scanning will not be performed.)
• Virus/Spyware Scan—Select this option if you want to perform virus and spyware scanning on the file extensions that you will specify in the next step. If no viruses or spyware are detected, the file will be allowed through the system.
2 In the File Extensions area, specify the type of file extensions that you want to filter:
• Perform action on all file extensions—Select this option to perform the action specified in step 1 on all file extensions.
• Choose from predefined categories—Select this option to perform the action specified in step 1 on file extensions associated with a particular category, such as image, audio, video, etc. To choose the file extensions, select the appropriate category from the Category drop-down list. Check the desired extensions.
• Custom List—Select this option to create a custom list of file extensions. To add a file extension to the list, click New and see “Configuring the Add New File Extension window” on page 190. To delete a file extension, select the extension you want to delete and click Delete. You can use the Clear button to clear all extensions from the list.
3 Click OK to save the rule.
Configuring the Add New File Extension window
This window allows you to specify additional file extensions on which to filter. In the File Extension field, type the extension (without the leading period) that you want to add, and then click Add. The file extension is added to the Custom file extension list.
If you select the Custom file extension option, all file extensions listed in the box will be allowed, denied, or filtered, depending on the action you select.
Configuring the Default filtering rule action
The default filter rule is a catch-all rule designed to occupy the last position in your rule table. To modify the default action for the default virus/spyware filtering rule, do the following:
1 Select the default rule in the table and click Modify. The Default Action window appears.
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all data that does not match other filter rules. If you leave the default rule as an allow rule, you must create filter rules that require virus scanning or explicitly deny any extensions that you do not want to allow, and place them in front of the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a filter rule, you must create the appropriate virus scan and allow rules and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware scanning for traffic that does not match any allow or deny filter rules you create, select this option. You will then need to create the appropriate allow and deny rules that will not require scanning.
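The following Python example, added here and not part of the guide or of Sidewinder G2 itself, models the rule table semantics that both the Mail (Sendmail) MIME filter rules and the FTP Virus/Spyware filter rules share: rules are evaluated top to bottom, the first match decides, and the catch-all default rule must sit last, because any scan or deny rule placed after it is never reached. The Rule fields, the outcome strings and the stand-in scanner are this example's own assumptions; a real deployment uses the licensed scanning service.

```python
# Added example (not Sidewinder G2 code): first-match evaluation of an ordered
# filter rule table ending in a catch-all default rule, as described for the
# Mail (Sendmail) MIME filter rules (type/subtype/extension match) and for the
# FTP Virus/Spyware filter rules (extension-only match). The Rule fields, the
# outcome strings and the stand-in scanner are this example's own assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW, DENY, SCAN = "Allow", "Deny", "Virus/Spyware Scan"


@dataclass
class Rule:
    name: str
    action: str
    mime_type: str = "*"                    # "*" = ignore this field
    mime_subtype: str = "*"                 # "*" = ignore this field
    extensions: Optional[frozenset] = None  # None = Ignore Extensions (*)

    def is_catch_all(self) -> bool:
        return self.mime_type == "*" and self.mime_subtype == "*" and self.extensions is None

    def matches(self, mime_type, mime_subtype, extension) -> bool:
        if self.mime_type != "*" and self.mime_type != mime_type:
            return False
        if self.mime_subtype != "*" and self.mime_subtype != mime_subtype:
            return False
        if self.extensions is not None:
            # Extensions are stored without the leading period.
            ext = (extension or "").lower().lstrip(".")
            if ext not in self.extensions:
                return False
        return True


def evaluate(rules: List[Rule], mime_type, mime_subtype, extension,
             scanner: Callable[[str], bool]) -> Tuple[str, str]:
    """Walk the table top to bottom; the first matching rule decides.

    Returns (rule name, outcome). For FTP rules, which have no MIME fields,
    pass None for mime_type and mime_subtype; wildcard rules ignore them.
    `scanner` stands in for the scanning service and returns True when clean.
    """
    for rule in rules:
        if not rule.matches(mime_type, mime_subtype, extension):
            continue
        if rule.action == ALLOW:
            return rule.name, "allowed (not scanned)"
        if rule.action == DENY:
            return rule.name, "denied (not scanned)"
        if rule.action == SCAN:
            return rule.name, "allowed (scanned clean)" if scanner(extension) else "removed (scan hit)"
        raise ValueError(f"unknown action {rule.action!r} in rule {rule.name!r}")
    raise ValueError("rule table must end with a catch-all default rule")


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because a catch-all rule precedes them.

    This is the ordering mistake the guide warns about: scan or deny rules
    placed after the default allow rule are never reached.
    """
    for i, rule in enumerate(rules):
        if rule.is_catch_all():
            return [r.name for r in rules[i + 1:]]
    return []


# Constructed stand-in scanner: treats .exe as infected, everything else clean.
def demo_scanner(extension: str) -> bool:
    return (extension or "").lower().lstrip(".") != "exe"


# Constructed MIME table in the recommended order: scan/deny rules first,
# default allow rule last.
MIME_TABLE = [
    Rule("deny-screensavers", DENY, extensions=frozenset({"scr", "pif"})),
    Rule("scan-archives", SCAN, "application", "*", frozenset({"zip", "tar", "exe"})),
    Rule("default", ALLOW),
]

# The same rules with the default rule moved to the top by mistake.
MISORDERED_TABLE = [MIME_TABLE[2], MIME_TABLE[0], MIME_TABLE[1]]

# Constructed FTP extension table (no MIME fields), default rule set to Deny.
FTP_TABLE = [
    Rule("scan-executables", SCAN, extensions=frozenset({"exe", "dll"})),
    Rule("default", DENY),
]

if __name__ == "__main__":
    print(evaluate(MIME_TABLE, "application", "zip", "zip", demo_scanner))
    print(evaluate(MISORDERED_TABLE, "application", "octet-stream", "exe", demo_scanner))
    print("never reached:", shadowed_rules(MISORDERED_TABLE))
```

Running shadowed_rules over a table before saving it is the check a practitioner wants: with the default allow rule first, the misordered table passes an infected executable without scanning, and the function names the two rules that can never fire.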
Configuring the FTP Connection tab
The FTP Connection tab allows you to configure timeout and fast path session properties, as well as the type of connection that will be allowed (transparent, non-transparent, or both).
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating IIOP Application Defenses
Figure 89: Application Defenses: IIOP Filter tab
To configure IIOP Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > IIOP. The following window appears. (Figure 89 displays only the bottom portion of the window.)
About the IIOP Filter tab
The IIOP Filter tab allows you to configure the following options:
• Allow Bi-directional GIOP—Select this option to enable support for bi-directional GIOP 1.2 (General Inter-ORB Protocol).
• Validate Content Format—Select this option to filter the message encapsulated in the GIOP PDU, and verify that the header content, message direction, and message length are valid for the GIOP message type identified in the GIOP header.
Note: The data in the GIOP header portion of the PDU is always validated.
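The following Python example, added here and not part of the guide or of Sidewinder G2 itself, shows the kind of header, direction and length checks the Validate Content Format option describes, applied to the 12-byte GIOP header (magic, version, flags, message type, message size). The direction model (which side may originate each message type), the assumption that each buffer holds exactly one PDU, and the sample PDUs are this example's own assumptions, not a description of the firewall's implementation.

```python
# Added example (not Sidewinder G2 code): validates a GIOP header and checks
# that the message type, direction and length are consistent, the kind of
# check the IIOP Filter tab's Validate Content Format option describes.
# The direction model, the "one PDU per buffer" assumption and the sample
# PDUs are this example's own assumptions.
import struct

GIOP_MAGIC = b"GIOP"
HEADER_LEN = 12          # magic(4) major(1) minor(1) flags(1) type(1) size(4)
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
# Assumed direction model: "client" is the side that opened the connection.
CLIENT_ONLY = {0, 2, 3}   # Request, CancelRequest, LocateRequest
SERVER_ONLY = {1, 4, 5}   # Reply, LocateReply, CloseConnection


def validate_giop(pdu: bytes, sender: str, bidirectional: bool = False):
    """Return (ok, detail). `sender` is "client" or "server".

    With bidirectional=True (Allow Bi-directional GIOP) either side may send
    any message type, so only header content and length are checked.
    """
    if len(pdu) < HEADER_LEN:
        return False, "truncated header"
    magic, major, minor, flags, msg_type = struct.unpack("!4sBBBB", pdu[:8])
    if magic != GIOP_MAGIC:
        return False, "bad magic"
    if major != 1 or minor > 2:
        return False, f"unsupported GIOP version {major}.{minor}"
    # GIOP 1.0 has only the byte-order bit; 1.1/1.2 add the fragment bit.
    allowed_flags = 0x01 if minor == 0 else 0x03
    if flags & (0xFF ^ allowed_flags):
        return False, f"reserved flag bits set: 0x{flags:02x}"
    if msg_type not in MSG_TYPES:
        return False, f"unknown message type {msg_type}"
    if msg_type == 7 and minor == 0:
        return False, "Fragment message not valid in GIOP 1.0"
    # message_size is the body length in the byte order given by flag bit 0.
    order = "<" if flags & 0x01 else ">"
    (size,) = struct.unpack(order + "I", pdu[8:12])
    body_len = len(pdu) - HEADER_LEN
    if size != body_len:                # assumes one complete PDU per buffer
        return False, f"message_size {size} does not match body length {body_len}"
    if not bidirectional:
        if sender == "server" and msg_type in CLIENT_ONLY:
            return False, f"{MSG_TYPES[msg_type]} sent by server"
        if sender == "client" and msg_type in SERVER_ONLY:
            return False, f"{MSG_TYPES[msg_type]} sent by client"
    return True, MSG_TYPES[msg_type]


def build_pdu(msg_type: int, body: bytes = b"", minor: int = 2,
              little_endian: bool = False, extra_flags: int = 0) -> bytes:
    """Construct a sample GIOP 1.x PDU for testing (constructed, not captured)."""
    flags = (0x01 if little_endian else 0x00) | extra_flags
    order = "<" if little_endian else ">"
    header = struct.pack("!4sBBBB", GIOP_MAGIC, 1, minor, flags, msg_type)
    return header + struct.pack(order + "I", len(body)) + body


if __name__ == "__main__":
    req = build_pdu(0, b"\x00" * 16)
    print(validate_giop(req, "client"))          # (True, 'Request')
    print(validate_giop(req, "server"))          # direction violation
    print(validate_giop(req[:-1], "client"))     # length mismatch
```

Note that enabling Allow Bi-directional GIOP removes the direction check but not the header and length checks, which is why the guide states that the GIOP header portion is always validated.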
Configuring the IIOP Connection tab
The IIOP Connection tab allows you to configure timeout and fast path session properties, as well as the maximum allowed message size.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Multimedia Application Defenses
Figure 90: Application Defenses: Multimedia
To configure Multimedia Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Multimedia. The following window appears. (Figure 90 displays only the bottom portion of the window.)
Configuring the Multimedia General tab
This tab allows you to enable the multimedia applications you want to configure. You cannot configure the H.323 Filter or T.120 Filter tabs unless you have selected the appropriate check box on the Multimedia General tab. The following options are available:
• Enforce Permission Checking for H.323—Select this option to enable the H.323 filter. To configure H.323 properties, see “Configuring the H.323 Filter tab” on page 193.
• Enforce Permission Checking for T120—Select this option to enable the T.120 filter. To configure T.120 properties, see “Configuring the T120 Filter tab” on page 194.
Note: For more information on H.323 or T.120, see “T.120 and H.323 proxy considerations” on page 262.
Configuring the H.323 Filter tab
This tab allows you to select the H.323 codecs you will allow your users to access. You can select from the following options:
• Required—Select this option to allow only the codecs required by H.323 for compliance.
• Required + Low Bandwidth Audio—Select this option to allow the required H.323 codecs as well as low bandwidth options.
• Required + All Audio—Select this option to allow all H.323 codecs except the codecs that allow video.
• Required + All Audio + Video—Select this option to allow all available H.323 codecs.
• Custom—Select this option to specify which codecs you want to allow. To allow a codec, select the appropriate check box. A check mark appears in the corresponding check box when a codec is allowed.
• Select All—Click this button to select all of the H.323 codecs (all codecs will be selected).
• Deselect All—Click this button to deselect all of the H.323 codecs (all codecs will be deselected).
Note: If you select an option other than Custom and then make modifications to the selected codecs, the Custom option will automatically become selected.
The following list provides examples of codecs commonly used by Microsoft’s NetMeeting:
• G.711—The G.711 codec options can transmit audio at 48, 56, and 64 kB per second (kBps). Select this codec for audio that is being passed using high speed connections.
• G.723—The G.723 codec options determine which format and algorithm will be used for sending and receiving voice communications over a network. This codec transmits audio at 5.3 and 6.3 kBps, which will reduce bandwidth usage.
• H.261—The H.261 codec will transmit video images at 64 kBps (VHS quality). Select this codec for video that is being passed using high speed connections.
• H.263—The H.263 codec determines which format and algorithm will be used to send and receive video images over a network. This codec supports common interchange format (CIF), quarter common interchange format (QCIF), and sub-quarter common interchange format (SQCIF) picture formats. It is also a good match for Internet transmission over low-bit-rate connections (for example, a 28.8 kBps modem).
Configuring the T120 Filter tab
This tab allows you to specify which T.120 services you will allow your users to access. One of the more common T.120 applications is Microsoft’s NetMeeting. You can select from the following options:
• Whiteboard (T.126)
• File transfer (T.127)
• Base application sharing (T.128)
• Legacy application sharing (T.128)
• Chat (Microsoft specific)
Configuring the Multimedia Connection tab
The Multimedia Connections tab allows you to configure timeout properties for the T.120 and H.323 proxies. To configure the properties for one of the proxies, either double-click the entry in the table, or highlight the entry and click Modify. The Connection window appears.
For information on configuring the Connections window, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Oracle Application Defenses
Figure 91: Application Defenses: Oracle Enforcements window
To configure Oracle Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Oracle. The following window appears. (Figure 91 displays only the bottom portion of the window.)
Configuring the Oracle Enforcements tab
The Enforcements tab allows you to enable or disable Oracle service name checking. Service name checking allows you to restrict access to the SQL server by specifying which service names will be explicitly allowed. If service name checking is enabled, only sessions that match a service name specified in the Service Name (SID) tab will be allowed.
You cannot configure service name checking on the Service Name (SID) tab unless the Enforce Service Name Checking check box is selected. When this check box is selected, the values you configure in the Service Name (SID) tab will be enforced. To disable service name checking, deselect the Enforce Service Name Checking check box.
Configuring the Service Name (SID) tab
The Service Name (SID) tab allows you to configure which service names will be allowed access to the SQL server. If you do not specify any service names, service names will not be used in determining whether a session is allowed or denied.
To configure a service name, click New. See “About the Service Name (SID): New Service Name window” on page 195.
To modify a service name, highlight the service name you want to modify, and click Modify. See “About the Service Name (SID): New Service Name window” on page 195.
To delete a service name, highlight the service name you want to delete, and click Delete.
About the Service Name (SID): New Service Name window
The New Service Name window allows you to create or modify a service name. In the Service Name (SID) field, enter the service name you want to add or modify and then click OK.
Important: The service name you enter in this field must be an exact match (including capitalization) of the full service name that is in the Oracle tnsnames.ora file in order for those sessions to be allowed. The use of wildcards or substrings is not supported at this time.
Configuring the Oracle Connection tab
The Oracle Connections tab allows you to configure timeout, fast path session, and connection timeout properties.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating MS SQL Application Defenses
Figure 92: MS SQL Filter tab
To configure MS SQL Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > MS SQL. The following window appears. (Figure 93 displays only the bottom portion of the window.)
About the MS SQL Filter tab
This tab is reserved for future use.
Configuring the MS SQL Connection tab
The MS SQL Connections tab allows you to configure timeout, fast path session, and connection timeout properties.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating SOCKS Application Defenses
Figure 93: Application Defenses: SOCKS5
To configure SOCKS Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > SOCKS. The following window appears. (Figure 93 displays only the bottom portion of the window.)
Configuring the SOCKS 5 Filter tab
The SOCKS 5 Filter tab allows you to configure the type of SOCKS traffic that will be allowed when using the SOCKS5 proxy. The following options are available:
• Allow TCP SOCKS traffic—Select this option to allow TCP traffic.
• Allow UDP SOCKS traffic—Select this option to allow UDP traffic.
• Allow Both—Select this option to allow both TCP and UDP traffic.
• Enforce SOCKS 4 Filtering—Select this option if you want to support SOCKS at version 4. (If this check box is not selected, you will not be able to pass traffic using SOCKS 4.)
Configuring the SOCKS Connections tab
The SOCKS Connections tab allows you to configure timeout properties, fast path session properties, and which ports will be open for the SOCKS proxy.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating SNMP Application Defenses
Figure 94: SNMP Filter tab
To configure SNMP Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > SNMP. The following window appears. (Figure 94 displays only the bottom portion of the window.)
Configuring the SNMP Filter tab
This tab allows you to specify the SNMP version you want to configure. The options that you are allowed to configure within the subsequent SNMP tabs will vary depending on which option you select. The following options are available:
• Allow SNMP v1 filtering—Select this option to allow SNMP v1 traffic and configure object ID (OID) filtering. For information on configuring OID filtering for SNMP v1 traffic, see “Configuring the SNMP v1 tab” on page 199.
• Allow SNMP v2c traffic—Select this option to allow SNMP v2c traffic. OID filtering is not available for SNMP v2c traffic. For information on configuring OID filtering for SNMP v2 traffic, see step 2 on page 199.
• Allow SNMP v1 and v2c traffic—Select this option to allow SNMP v1 and v2c traffic. OID filtering is not available when both SNMP v1 and v2c are allowed. For information on configuring connection timeout properties, see “Configuring connection properties” on page 203.
Configuring the SNMP v1 tab
Figure 95: SNMP v1: OID Editing window
This tab allows you to configure Object ID (OID) filtering for SNMP v1 traffic. Follow the steps below.
Note: Filtering is not available for SNMP v2c. If you selected Allow SNMP v2c Traffic or Allow SNMP v1 and v2c Traffic on the SNMP Filter tab, you cannot configure any options on this tab.
1 In the Options area, determine the types of requests and events that the SNMP proxy will filter, as follows:
• Allow Read Requests—Select this option to allow the Get and Get Next requests. (If you select SNMP v2c, this is automatically allowed.)
• Allow Write Requests—Select this option to allow the Set request. (If you select SNMP v2c, this is automatically allowed.)
• Allow Notify Events—Select this option to allow v1 traps. (If you select SNMP v2c, this is automatically allowed.)
Note: Additional SNMP requests are not supported in SNMP v1.
2 Select the Enable OIDs Filtering check box to configure object IDs (OIDs) for the SNMP proxy. OIDs are a unique, numeric representation of a device within the SNMP network.
3 In the Actions field, determine whether the list of OIDs that you define will be allowed or denied, as follows:
• Allow—Select this option to allow only the OIDs that you specify in the table. All other OIDs will be denied.
• Deny—Select this option to deny only the OIDs that you specify in the table. All other OIDs will be allowed.
To add an OID to the table, click New. To modify an existing OID, select that ID and click Modify. The OID Editing window appears. (For information on configuring a new OID, see “Configuring the SNMP v1: OID Editing window” on page 200.)
4 [Conditional] To delete an existing OID, select that ID and click Delete. You will be prompted to confirm your action.
Configuring the SNMP v1: OID Editing window
This window allows you to add a new object ID (OID). You can select from the list of standard OIDs, or you can create your own OID using the custom option. Follow the steps below.
1 In the OID Options area, determine whether the OID will be Standard (predefined) or Custom (you determine and enter the OID manually) by selecting the appropriate radio button.
2 [Conditional] If you selected Standard in step 1, select the appropriate OID from the Standardized OIDs drop-down list.
3 [Conditional] If you selected Custom in step 1, type the OID number in the Customized OID field using the standard OID structure. The numbering scheme for each object is determined by the object’s management information base (MIB) location, as shown in Figure 96 below.
For example, the object ID for the SCC node in the private enterprise portion of the network would be .1.3.6.1.4.1.1573.
Note: The object ID will always begin with the following pattern .1.3.6.1. For assistance on obtaining object IDs, visit the Internet assigned numbers authority Web site at www.iana.org/assignments/enterprise-numbers or contact the appropriate vendor.
4 Click Add or OK to add the OID to the table. Repeat these steps for each OID you want to add or modify.
5 Click Close to return to the SNMP v1 tab.
Figure 96: Example of OID numbering scheme (the tree in the figure, rendered as text)
iso .1 > org .3 > dod .6 > internet .1
  internet .1 > mgmt .2 > mib2 .1 > system .1
  internet .1 > mgmt .2 > mib2 .1 > interfaces .2
  internet .1 > mgmt .2 > mib2 .1 > ip .4
  internet .1 > mgmt .2 > mib2 .1 > tcp .6
  internet .1 > private .4 > enterprises .1 > UNIX .4
  internet .1 > private .4 > enterprises .1 > sc .1573
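The OID tree in Figure 96 and the Allow/Deny table on the SNMP v1 tab together decide what the SNMP proxy passes. The following is an added example, not code from the guide or from Secure Computing: it transcribes the figure's tree as data, derives dotted OIDs from node names (so `.1.3.6.1.4.1.1573` for the SCC node falls out of the tree rather than being typed), validates a Customized OID entry against the note above (numeric components, begins with .1.3.6.1), and evaluates a request against the Actions setting. One assumption is not stated by the guide and is flagged in the code: a table entry is treated as covering its whole subtree (prefix match). The sample OIDs below are constructed.

```python
# Figure 96 transcribed: node name -> (parent name, arc number); iso is the root.
MIB_TREE = {
    "iso": (None, 1),
    "org": ("iso", 3),
    "dod": ("org", 6),
    "internet": ("dod", 1),
    "mgmt": ("internet", 2),
    "mib2": ("mgmt", 1),
    "system": ("mib2", 1),
    "interfaces": ("mib2", 2),
    "ip": ("mib2", 4),
    "tcp": ("mib2", 6),
    "private": ("internet", 4),
    "enterprises": ("private", 1),
    "UNIX": ("enterprises", 4),
    "sc": ("enterprises", 1573),
}

# Every object ID begins with this pattern (the guide's Note).
INTERNET_PREFIX = (1, 3, 6, 1)


def oid_for(name):
    """Walk from a Figure 96 node up to the root and return its dotted OID,
    e.g. 'sc' -> '.1.3.6.1.4.1.1573'."""
    arcs = []
    while name is not None:
        parent, arc = MIB_TREE[name]
        arcs.append(arc)
        name = parent
    return "." + ".".join(str(a) for a in reversed(arcs))


def parse_oid(text):
    """Parse an OID as typed in the Customized OID field into a tuple of ints.
    Rejects non-numeric components and anything not under .1.3.6.1."""
    body = text.strip()
    if body.startswith("."):
        body = body[1:]
    parts = body.split(".") if body else []
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"{text!r} is not a dotted numeric OID")
    arcs = tuple(int(p) for p in parts)
    if arcs[:4] != INTERNET_PREFIX:
        raise ValueError(f"{text!r} does not begin with .1.3.6.1")
    return arcs


def subtree_name(oid_text):
    """Name the deepest Figure 96 node that contains the OID, e.g.
    '.1.3.6.1.4.1.1573.5.1' -> 'sc'; handy when reviewing a filter table."""
    arcs = parse_oid(oid_text)
    by_arcs = {parse_oid(oid_for(n)): n for n in MIB_TREE if n != "iso"
               and len(oid_for(n).split(".")) > 4}
    for length in range(len(arcs), 3, -1):
        if arcs[:length] in by_arcs:
            return by_arcs[arcs[:length]]
    return None


def oid_filter(action, table):
    """Build a decision function from the Actions setting ('Allow' or 'Deny')
    and the OID table.  ASSUMPTION: an entry covers its whole subtree; the guide
    does not say whether the proxy matches exactly or by prefix."""
    if action not in ("Allow", "Deny"):
        raise ValueError("action must be 'Allow' or 'Deny'")
    entries = [parse_oid(o) for o in table]

    def decide(request_oid):
        arcs = parse_oid(request_oid)
        listed = any(arcs[:len(e)] == e for e in entries)
        # Allow: only listed OIDs pass.  Deny: everything except listed OIDs passes.
        return listed if action == "Allow" else not listed

    return decide
```

With Allow and a single entry for the system group, a manager can read sysName but not walk the interfaces table; with Deny and the SCC enterprise node, everything except that vendor subtree passes. Validating entries through `parse_oid()` before they go into the table catches the common typo of dropping the leading `.1.3.6.1`.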
Configuring the SNMP Connection tab
The SNMP Connections tab allows you to configure timeout properties and the maximum protocol data unit (PDU) size.
Configuring connection properties is common to most Application Defenses. For information on configuring the Connections tab, see “Configuring connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Creating Standard Application Defenses
Figure 97: Standard Application Defense: Connections tab
The Standard window allows you to configure timeout and fast-path properties for proxies that are not listed elsewhere in the Application Defenses tree. You can also configure transparency properties for the Telnet proxy. To configure Standard Application Defenses, in the Admin Console select Policy Configuration > Application Defenses > Defenses > Standard. The following window appears. (Figure 97 displays only the bottom portion of the window.)
Configuring the Standard Connections tab
To configure connection properties for a standard Application Defense, select the Application Defense type that you want to configure from the table, and click Modify. The Connection window appears. See “Configuring connection properties” on page 203 for information on configuring connection properties.
Note: Click the Save icon to save your changes when you are finished configuring an Application Defense.
Configuring Application Defense groups
Figure 98: Application Defense Group window
Application Defense groups allow you to select a single Application Defense from each category within a single group. When you specify an Application Defense group within a rule, only the Application Defense(s) that apply to that rule’s services will be implemented in the rule. Application Defense groups can only be used when configuring rules that use service groups.
Note: For more information on how Application Defense groups are used in a rule, see Chapter 4.
To create an Application Defense group, in the Admin Console select Policy Configuration > Application Defenses > Groups. The following window appears.
Configuring the Application Defense groups window
The Application Defense Group window allows you to select a defense for each category (for example, Web, Secure Web, standard, etc.) to include in a group. A list of which defenses are included in a group is displayed in the table, with the following information:
• Type—This column lists each of the Application Defense types contained in the group.
• Name—This column lists the Application Defense that is currently selected for each category.
• Set—This column indicates which Application Defense is currently selected for configuration.
To select an Application Defense for a particular category, select the appropriate row in the table. A list of available Application Defenses for that category appears. Select an Application Defense from the list. The table will be updated to display the new selection as the current Application Defense for that category. (To add or modify an Application Defense for a category, highlight the appropriate row and click New or Modify.)
Configuring connection properties
Figure 99: Web Connection tab
You can configure connection properties for most Application Defenses. For defenses that support multiple proxies (Multimedia and Standard), the Connections tab will display a table. To configure the connection properties for Multimedia or Standard, select the proxy for which you want to configure connection properties, and click Modify. A Connection window appears. For defenses that have configurable connection properties (Web, Secure Web, Citrix, FTP, Oracle, SOCKS5, and SNMP) the configurable connection properties are displayed directly in the Connection tab. Figure 99 shows the Connection tab for a Web defense.
To configure the connection properties for an Application Defense, follow the steps below. The fields that appear will vary depending on the type of Application Defense you are configuring.
1 In the Set Timeouts (in seconds) area, do the following:
a In the TCP Connect Timeout field, specify the length of time, in seconds, that the proxy should attempt to connect to the server before the proxy stops trying.
b In the TCP Idle Timeout field, specify the length of time, in seconds, that the connection can remain idle before it is closed.
c [SNMP proxy only] In the Request Timeout field, specify the length of time, in seconds, that the proxy will wait for a response from an SNMP agent before the connection times out. (The Get, Get Next, and Set commands request a response.)
d In the UDP Idle Timeout field, specify the length of time, in seconds, that the UDP “session” can remain idle before it is closed. This field is valid for Citrix, SOCKS, and various Standard proxies.
e To return the values to their default value, click Restore Defaults.
2 [Conditional] If you want to disallow fast path sessions, select the Disable Fast Path Sessions check box. (In most cases, fast path sessions enhance system performance.) Fast path sessions are allowed by default for proxies that support this option. See “Improving performance using Fast Path Sessions” on page 245 for more information.
Note: This option is disabled by default for the IIOP Application Defense.
3 [Web/Secure Web only] To enable a proxy to communicate with a non-transparent proxy, select the Send Traffic to Upstream Proxy option, and configure the following options:
Note: If you allow transparent connections when using this option, the URL will be rewritten to contain an IP address rather than a hostname. If you allow transparent connections, you must first ensure that the upstream proxy server will accept an IP address.
a In the IP Address field, specify the IP address for the upstream proxy.
b In the Port field, specify the port that will be used (for HTTP, this will generally be port 80).
4 [Conditional] In the Allowed Connection Types area, determine the type of traffic that will be allowed for this Application Defense (this field appears if you selected Web, Secure Web, Oracle [SQL], or Telnet). The following options are available:
Note: The default connection type for Oracle is Transparent. The default for Web, Secure Web, and Telnet is Both. If you are using Non-Transparent or Both, you will need to specify which destination ports will be allowed through the proxy. See “Configuring connection ports” on page 205.
• Transparent—Select this option to allow transparent connections.
• Non-Transparent—Select this option to allow non-transparent connections.
• Both—Select this option to allow both transparent and non-transparent connections.
5 [SNMP only] In the Max PDU field, specify the maximum protocol data unit (PDU) size that will be allowed. The default is 535. Valid values are 120–1450. You may want to increase this value depending on the type of device(s) you are using. However, keep in mind that some devices cannot handle a larger value.
6 [IIOP only] In the Maximum message size (PDU) field, specify the maximum protocol data unit (PDU) message size that will be allowed. The default is 72000.
7 [SOCKS/Web/Secure Web only] To configure ports for a defense, click New and see “Configuring connection ports” on page 205.
8 [Web only] To allow non-transparent, secure Web traffic through the HTTP proxy, select the Allow non-transparent secure web traffic through the web (HTTP) proxy check box.
Configuring connection ports
The Edit a Port window allows you to configure a single port or a port range, or you can select from pre-defined ports for specific proxies by selecting one of the following radio buttons:
• Specify a Port—Select this option to specify a single port. In the Port field, type a port number or use the up and down arrows to display the desired port.
• Specify a Port Range—Select this option to specify a port range. In the Begin Port and End Port fields, specify the range of ports that this proxy can use (you can either type the port numbers in the appropriate fields or use the up and down arrows to display the desired ports).
• Use Pre-defined Ports—Select this option if you want to specify the port(s) or port range(s) that have been pre-defined for this proxy.
CHAPTER 7
Configuring Network Defenses
In this chapter...
Viewing Network Defense information (page 208)
Configuring the TCP Network Defense (page 210)
Configuring the IP Network Defense (page 212)
Configuring the UDP Network Defense (page 213)
Configuring the ICMP Network Defense (page 215)
Configuring the ARP Network Defense (page 217)
Viewing Network Defense information
Network Defenses allow you to control the audit output for suspicious traffic detected by Sidewinder G2, automatically preventing that traffic from passing from one burb to another. Some traffic is stopped because a packet, or sequence of packets, resembles a known attack. Other traffic is stopped because a packet does not comply with its protocol’s standards.
Options for what audit to generate include:
• Packets that Sidewinder G2 determines to be part of an identifiable attack can be audited based on attack description (bad header length, bad redirect, etc.).
• Packets that are not specifically identified as a potential attack can be audited at the following levels:
– All packets that do not comply with their protocol’s standards
– Packets that do not comply with their protocol’s standards and have been identified as a severe or moderate risk to your network
– Packets that do not comply with their protocol’s standards and have been identified as a severe risk to your network
– Do not generate audit when Sidewinder G2 stops a packet because it does not comply with its protocol’s standard
Network Defenses represent one element of Sidewinder G2’s audit capabilities. Information about additional auditing tools can be found in the following chapters:
• Chapter 18, "Monitoring"
• Chapter 19, "Auditing and Reporting"
• Chapter 20, "IPS Attack and System Event Responses"
Figure 100: Network Defense window (TCP)
To view the Network Defenses windows, in the Admin Console select Policy Configuration > Network Defenses. The Network Defenses window displays with the TCP tab displayed, as shown in Figure 100. All tabs are similar in appearance and function.
The Network Defenses tabs allow you to configure which audit Sidewinder G2 will generate for each of the specified protocols and how frequently to generate that audit.
For information on configuring a specific Network Defense, see the following:
• TCP (page 210)
• IP (page 212)
• UDP (page 213)
• ICMP (page 215)
• ARP (page 217)
If you want to return the Network Defense settings to their defaults, click Restore Defaults. The following window appears.
About the Restore default values window
Figure 101: Network Defenses: Restore default values window
This window allows you to restore the Network Defenses’ attack and protocol compliance issue settings to their system defaults. When the window appears, all Network Defenses are selected.
• If you want to restore the defaults for all Network Defenses, click OK.
• If you want to restore the defaults for selected Network Defenses, clear the check box next to the Network Defenses that need to keep their current settings. After clearing the appropriate check box(es), click OK.
The selected Network Defenses now display and enforce their default settings.
Configuring the TCP Network Defense
Figure 102: Network Defenses: TCP tab
The TCP Network Defense allows you to customize audit output for TCP attacks and compliance issues stopped by the Sidewinder G2. To configure the TCP Network Defense, in the Admin Console select Policy Configuration > Network Defenses > TCP. The following window appears.
About the Network Defenses: TCP tab
This tab allows you to configure which audit to generate for TCP attack and compliance issues. Sidewinder G2 automatically stops all listed attacks; selecting or clearing a check box only affects whether or not this behavior is audited.
1 In the Audit the selected TCP attacks section, select the attacks for which you want Sidewinder G2 to generate audit.
2 In the Audit the selected TCP compliance issues area, select which level of audit to generate. Options are:
• All TCP compliance issues
• Severe and moderate TCP compliance issues
• Severe TCP compliance issues
• No TCP compliance issues
3 In the TCP Audit Frequency area, select how often to generate audit for TCP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first x occurrences for every y seconds. Other occurrences of the same audit event in that window will not be recorded. An additional audit event will be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped 100 SYN-ACK probes in 60 seconds, then Sidewinder G2 generates three records for the first three denials, and then generates another audit record stating that 97 occurrences were suppressed in that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
Configuring the IP Network Defense
Figure 103: Network Defenses: IP tab
The IP Network Defense allows you to customize audit output for IP attacks stopped by the Sidewinder G2. To configure the IP Network Defense, in the Admin Console select Policy Configuration > Network Defenses > IP. The following window appears.
About the Network Defenses: IP tab
This tab allows you to configure which audit to generate for IP attack and compliance issues. Sidewinder G2 automatically stops all listed attacks; selecting or clearing a check box only affects whether or not this behavior is audited.
1 In the Audit the selected IP attacks section, select the attacks for which you want Sidewinder G2 to generate audit.
2 In the Audit the selected IP compliance issues area, select which level of audit to generate. Options are:
• All IP compliance issues
• Severe and moderate IP compliance issues
• Severe IP compliance issues
• No IP compliance issues
3 In the IP Audit Frequency area, select how often to generate audit for IP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first x occurrences for every y seconds. Other occurrences of the same audit event in that window will not be recorded. An additional audit event will be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped 100 source routed packets in 60 seconds, then Sidewinder G2 generates three records for the first three denials, and then generates another audit record stating that 97 occurrences were suppressed in that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
Configuring the UDP Network Defense
Figure 104: Network Defenses: UDP tab
The UDP Network Defense allows you to customize audit output for UDP attacks stopped by the Sidewinder G2. To configure the UDP Network Defense, in the Admin Console select Policy Configuration > Network Defenses > UDP. The following window appears.
About the Network Defenses: UDP tab
This tab allows you to configure which audit to generate for UDP attack and compliance issues. Sidewinder G2 automatically stops all listed attacks; selecting or clearing a check box only affects whether or not this behavior is audited.
1 In the Audit the selected UDP attacks section, select the attacks for which you want Sidewinder G2 to generate audit.
2 In the Audit the selected UDP compliance issues area, select which level of audit to generate. Options are:
• All UDP compliance issues
• Severe and moderate UDP compliance issues
• Severe UDP compliance issues
• No UDP compliance issues
3 In the UDP Audit Frequency area, select how often to generate audit for UDP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first x occurrences for every y seconds. Other occurrences of the same audit event in that window will not be recorded. An additional audit event will be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped 100 zero source port UDP attacks in 60 seconds, then Sidewinder G2 generates three records for the first three denials, and then generates another audit record stating that 97 occurrences were suppressed in that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
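The Limit auditing behaviour is described identically for the TCP, IP, UDP and ICMP Network Defenses: the first x occurrences of an audit event in every y-second window are recorded, the rest are suppressed, and one extra record reports how many were suppressed. The following is an added example, not code from the guide or from Secure Computing, that models that rule as a per-event limiter and replays the guide's worked case (limit 3 per 60 seconds, 100 stopped SYN-ACK probes) to show the three records plus a "97 suppressed" summary. The record text and the timestamps are constructed; `max_records=None` models the Always audit option, which the guide cautions can overflow the log partition.

```python
class AuditLimiter:
    """Per-event audit limiting: for each distinct audit event, record the first
    `max_records` occurrences in every `window_seconds` window, suppress the
    rest, and emit one summary record for a window that had suppressed events.
    max_records=None records every occurrence (the Always audit setting)."""

    def __init__(self, max_records=3, window_seconds=60):
        self.max_records = max_records
        self.window = window_seconds
        self._windows = {}  # event -> [window_start, recorded, suppressed]

    def _summary(self, event, state):
        # Only windows that actually suppressed something get a summary record.
        if state[2]:
            return [f"{event}: {state[2]} occurrences suppressed in {self.window} second window"]
        return []

    def observe(self, event, ts):
        """Feed one stopped-packet occurrence at time `ts` (seconds).  Returns
        the audit records to write now: a summary for a window that just expired,
        a record for this occurrence, both, or nothing (suppressed)."""
        out = []
        state = self._windows.get(event)
        if state is None or ts - state[0] >= self.window:
            if state is not None:
                out += self._summary(event, state)
            state = [ts, 0, 0]
            self._windows[event] = state
        if self.max_records is None or state[1] < self.max_records:
            state[1] += 1
            out.append(f"{event} denied (record {state[1]})")
        else:
            state[2] += 1
        return out

    def flush(self):
        """Close every open window and return the summary records owed."""
        out = []
        for event, state in self._windows.items():
            out += self._summary(event, state)
        self._windows.clear()
        return out


def replay_guide_example(count=100, event="SYN-ACK probe"):
    """The guide's worked case: 100 stopped SYN-ACK probes inside one 60-second
    window with the limit at three occurrences per 60 seconds."""
    limiter = AuditLimiter(max_records=3, window_seconds=60)
    records = []
    for i in range(count):
        # Constructed timestamps: one probe every half second, all within 50 s.
        records += limiter.observe(event, i * 0.5)
    records += limiter.flush()
    return records
```

The suppression summary is what keeps the count honest for reporting: the three records show that the attack occurred, and the summary carries the volume, so a dashboard or third-party tool reading the audit still sees 100 denials rather than 3.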
Chapter 7: Configuring Network Defenses

Configuring the ICMP Network Defense

Figure 105: Network Defenses: ICMP tab

The ICMP Network Defense allows you to customize audit output for ICMP attacks stopped by the Sidewinder G2. To configure the ICMP Network Defense, in the Admin Console select Policy Configuration > Network Defenses > ICMP. The following window appears.

About the Network Defenses: ICMP tab

This tab allows you to configure which audit to generate for ICMP attack and compliance issues. Sidewinder G2 automatically stops all listed attacks; selecting or clearing a check box only affects whether or not this behavior is audited.

1 In the Audit the selected ICMP attacks section, select the attacks for which you want Sidewinder G2 to generate audit.
2 In the Audit the selected ICMP compliance issues area, select which level of audit to generate. Options are:
• All ICMP compliance issues
• Severe and moderate ICMP compliance issues
• Severe ICMP compliance issues
• No ICMP compliance issues
3 In the ICMP Audit Frequency area, select how often to generate audit for ICMP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first x occurrences for every y seconds. Other occurrences of the same audit event in that window will not be recorded. An additional audit event will be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped 100 invalid redirect ICMP attacks in 60 seconds, then Sidewinder G2 generates three records for the first three denials, and then generates another audit record stating that 97 occurrences were suppressed in that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition and creating problems for the Sidewinder G2.

Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
Configuring the ARP Network Defense

Figure 106: Network Defenses: ARP tab

The ARP Network Defense allows you to customize audit output for ARP attacks stopped by the Sidewinder G2. To configure the ARP Network Defense, in the Admin Console select Policy Configuration > Network Defenses > ARP. The following window appears.

About the Network Defenses: ARP tab

This tab allows you to configure which audit to generate for ARP compliance issues. Sidewinder G2 automatically stops all listed attacks; selecting or clearing a check box only affects whether or not this behavior is audited.

1 In the Audit the selected ARP compliance issues area, select which level of audit to generate. Options are:
• All ARP compliance issues
• Severe and moderate ARP compliance issues
• Severe ARP compliance issues
• No ARP compliance issues
2 In the ARP Audit Frequency area, select how often to generate audit for ARP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first x occurrences for every y seconds. Other occurrences of the same audit event in that window will not be recorded. An additional audit event will be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped 100 ARP attacks in 60 seconds, then Sidewinder G2 generates three records for the first three denials, and then generates another audit record stating that 97 occurrences were suppressed in that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition and creating problems for the Sidewinder G2.

Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
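The Limit auditing behaviour described for the UDP, ICMP and ARP Network Defenses above (the first x occurrences in each y-second window are recorded, the rest are counted and reported in one summary record) is a small rate limiter, and modelling it makes the trade-off with Always audit concrete. The following is an added example in Python, not code from the Sidewinder G2 product or this guide. Assumptions: each event key gets its own window that starts at the first event seen rather than on fixed clock boundaries, and the record dictionaries and event keys (such as "udp_zero_source_port") are constructed stand-ins for whatever the real audit log writes.

```python
"""Audit rate limiting as described for the Network Defenses' Limit auditing
option. Added example, not code from the Sidewinder G2 product or this guide.
Assumption: each event key gets its own window that starts at the first event
seen (not on fixed clock boundaries); records are plain dicts."""


class AuditLimiter:
    """Record the first `limit` events per `window_seconds` for each event key
    and summarise the rest. `limit=None` means Always audit (no suppression)."""

    def __init__(self, limit=3, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._state = {}   # key -> (window_start, recorded, suppressed)
        self.records = []  # what would be written to the audit log

    def _close_window(self, key, start, suppressed):
        # One extra record says how many events went unrecorded in the window.
        if suppressed:
            self.records.append({"time": start + self.window, "event": key,
                                 "summary": True, "suppressed": suppressed,
                                 "window_seconds": self.window})

    def event(self, ts, key):
        """Offer one audit event at time `ts` (seconds). Returns True if a
        detail record was written, False if the event was suppressed."""
        start, recorded, suppressed = self._state.get(key, (ts, 0, 0))
        if ts - start >= self.window:          # window rolled over
            self._close_window(key, start, suppressed)
            start, recorded, suppressed = ts, 0, 0
        if self.limit is None or recorded < self.limit:
            self.records.append({"time": ts, "event": key, "summary": False})
            self._state[key] = (start, recorded + 1, suppressed)
            return True
        self._state[key] = (start, recorded, suppressed + 1)
        return False

    def flush(self):
        """Close every open window so pending suppression counts are reported
        (for example at shutdown)."""
        for key, (start, _recorded, suppressed) in list(self._state.items()):
            self._close_window(key, start, suppressed)
        self._state.clear()


def simulate_burst(count=100, limit=3, window_seconds=60,
                   key="udp_zero_source_port"):
    """Replay the guide's worked example: `count` denials of one event type
    inside a single window. Returns (detail records written, suppressed count
    reported by the summary record)."""
    lim = AuditLimiter(limit, window_seconds)
    for i in range(count):
        lim.event(i * window_seconds / count, key)   # all inside the first window
    lim.flush()
    detail = [r for r in lim.records if not r["summary"]]
    summary = [r for r in lim.records if r["summary"]]
    return len(detail), (summary[0]["suppressed"] if summary else 0)


def window_rollover_demo(key="icmp_invalid_redirect"):
    """Five events in one window, then one after the window rolls over.
    Returns (per-event decisions, suppressed count in the first summary)."""
    lim = AuditLimiter(limit=3, window_seconds=60)
    decisions = [lim.event(t, key) for t in (0, 1, 2, 3, 4, 60)]
    summary = [r for r in lim.records if r["summary"]]
    return decisions, summary[0]["suppressed"]


if __name__ == "__main__":
    print(simulate_burst())            # (3, 97): three detail records, 97 suppressed
    print(simulate_burst(limit=None))  # (100, 0): Always audit writes every event
    print(window_rollover_demo())
```

simulate_burst() reproduces the guide's numbers (three records for the first three denials, one summary record for the remaining 97), and the same call with limit=None shows why the guide cautions about the log partition: every one of the 100 events becomes its own record. The flush() call matters in practice; without it a summary for a window that never rolls over would never be written.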
CHAPTER 8
Creating Rules and Rule Groups

In this chapter...
Viewing rules and rule groups (page 220)
Creating proxy rules (page 222)
Creating IP Filter rules (page 228)
Creating and managing rule groups (page 236)
Selecting your active policy rules (page 239)
Viewing rules and rule groups

Figure 107: Rules window displaying proxy rules

About the Rules window
To view the existing proxy and IP Filter rules currently available for use, in the Admin Console select Policy Configuration > Rules. The main Rules window appears with the Proxy Rules list displayed by default.

The Sidewinder G2 contains two rule tables:
• Proxy rules—This table contains all of the proxy rules and groups that were loaded during initial configuration as well as any rules that you have created (displayed in Figure 107).
• IP Filter rules—This table contains all of the IP Filter rules and groups that have been created.
Each row within a table contains a single rule or group. The components of each rule are displayed in the labeled columns.

The order of rules in the main rule tables is not important. The rule tables are holding grounds for rules that you create. They may or may not be included in the active rule group that enforces your security policy. Rather, it is the order of rules and nested rule groups within rule groups that is important. For information on ordering your rule groups, see “Ordering proxy rules within a rule group” on page 101.

You can perform the following tasks in the Rules window:
• View proxy or IP Filter rules and groups—To view a rule table, click the appropriate radio button (Proxy Rules or IP Filter Rules) in the View Option field. You can resize the columns to suit your needs by clicking and dragging the edge of a column heading. (Use the scroll bars to view all columns and entries listed in the table.)
Note: If you view the proxy rule table, an Inspection column will appear in front of the Name column. A status of On indicates that all of the Application Defense properties will be actively enforced for a rule. A status of Off indicates that only the connection properties portion of the defense will be enforced for that rule.
• Filter the table to display rules or groups—To filter the table to display only rules or only groups, select Rules or Groups from the Filter drop-down list. (To display both rules and groups, select No Filter.)
• Add/modify a rule—To add a new rule, select the appropriate rule view (Proxy or IP Filter) using the View Option and then click New > Rule. (To modify a rule, highlight the entry and click Modify.)
– To add/modify a proxy rule, see “Creating proxy rules” on page 222.
– To add/modify an IP Filter rule, see “Creating IP Filter rules” on page 228.
• Add/modify a group—To add a new rule group, select the appropriate rule view (Proxy or IP Filter) using the View Option and then click New > Group. For information on adding or modifying a rule group, see “Creating and managing rule groups” on page 236. (To modify a rule group, highlight the entry and click Modify.)
• Delete a rule or group—To delete a rule or group, highlight the entry you want to delete and click Delete. You cannot delete rules or rule groups that are part of a group.
• View the groups to which a rule or group belongs—To determine which groups a rule or group belongs to, highlight the entry and click the Member Of button. An information window appears listing the groups to which the rule or group belongs.
• Duplicate an existing rule or rule group—To duplicate a rule or group, highlight the rule or group you want to duplicate and click Duplicate. The Duplicate Rule Name window appears.

About the Duplicate Rule Name window

In the Duplicate Rule Name window, do the following:
1 In the Name field, type a unique name for the duplicate rule or group. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
2 [Conditional] If you are creating a duplicate IP Filter rule of type Other, select a protocol for the new rule from the Protocol drop-down list. (The protocol does not need to be the same protocol used by the original rule.)
3 Click Add.
Creating proxy rules

Figure 108: Proxy Rule window: General tab

This section provides information on creating proxy rules. For an overview of proxy rules, see Chapter 4.

To create a proxy rule, using the Admin Console select Policy Configuration > Rules. Then click New > Proxy Rule. (To modify a proxy rule, highlight the rule you want to modify and click Modify.) The Proxy Rule window appears.

Note: Proxy rules that you create will not be part of the active policy unless you place them in a rule group that is part of the active policy. For information on adding a proxy rule to a rule group and ensuring that it is included in the active policy, see “Creating and managing rule groups” on page 236 and “Selecting your active policy rules” on page 239.

Entering information on the Proxy Rule General tab

The General tab in the Proxy Rule window is used to enter basic information about a proxy rule. Follow the steps below.

Tip: Remember that rules’ proxies and servers must be enabled before the rules can pass traffic. Their status can be verified at Policy Configuration > Proxies and Policy Configuration > Servers.
1 In the Name field, type a name that helps identify the purpose of the rule. For example, the pre-configured rule that allows synchronization between systems is called “Synchronization.” Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 100 characters.
2 In the Service Type drop-down list, select one of the following:
Note: The Service Type field determines the options that are available to you in the Service field in step 3.
• All—This option includes both proxies and servers. It does NOT include service groups.
• Proxy—This option includes proxies only.
• Server—This option includes servers only.
• Service Group—This option includes service groups only. For information on service groups, see “Service groups” on page 108.
3 In the Service drop-down list, select the type of network service this rule is allowing or denying. (The options that are displayed in this list are determined by the option you selected in the previous step.)
4 In the Action drop-down list, select Allow to allow the service or Deny to deny the service when a match occurs.
5 In the Control drop-down list, select Enable to enable the rule or Disable to disable the rule. This allows you to disable a rule, if necessary, without deleting it. Rules that are disabled will appear grayed out in the main Rule window.
6 In the Audit Level drop-down list, select one of the following audit options for this rule:
• Errors Only—Select this option to generate only error audit events for this rule. If you select this option, normal traffic will not be logged. (This option increases performance and reduces the size of audit logs.)
• Traffic—Select this option to generate both normal traffic and error audit events for this rule.
• Informational—Select this option to generate error audit events, normal traffic, and informational audit events for this rule.
7 [Optional] In the Description field, enter any useful information for this rule (for example, a brief description of the rule).
8 [Optional] If you want to disable the Application Defense associated with this rule, select the Disable Defense Inspection check box. Selecting this check box will disable all Application Defense settings other than connection properties (timeout and fast-path settings). Clear this check box if you want to start using the Application Defense again. This option will be grayed out if there is no Application Defense associated with the rule.
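The Name field constraints stated in step 1 (and, identically, in the Duplicate Rule Name window earlier in this chapter) are easy to violate when rule names are produced by a script or an import rather than typed in, so a validator that reports the specific failure is worth having. The following is an added example in Python, not code from the Sidewinder G2 product or this guide; the reason strings and the " copy" / " copy N" naming scheme used to propose a unique duplicate name are assumptions.

```python
"""Validation for the Sidewinder G2 rule Name field as the guide states it:
alphanumeric characters, periods, dashes, underscores and spaces; first and
last character alphanumeric; at most 100 characters. Added example, not code
from the product; reason strings and the duplicate naming scheme are assumed."""
import re

MAX_NAME_LEN = 100
_ALLOWED = re.compile(r"[A-Za-z0-9._\- ]")   # the documented character set
_ALNUM = re.compile(r"[A-Za-z0-9]")           # ASCII only; str.isalnum() would accept more


def validate_rule_name(name):
    """Return (ok, reason) for a proposed rule or rule-group name."""
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME_LEN:
        return False, "longer than %d characters" % MAX_NAME_LEN
    bad = sorted({c for c in name if not _ALLOWED.fullmatch(c)})
    if bad:
        return False, "invalid characters: %r" % bad
    if not (_ALNUM.fullmatch(name[0]) and _ALNUM.fullmatch(name[-1])):
        return False, "first and last character must be alphanumeric"
    return True, "ok"


def suggest_duplicate_name(original, existing, max_tries=1000):
    """Propose a name for a duplicate that is valid and not already in
    `existing` (a collection of current rule names). The " copy" suffix
    scheme is an assumption, not the product's behaviour."""
    for n in range(1, max_tries + 1):
        suffix = " copy" if n == 1 else " copy %d" % n
        # Trim the original so the result fits, and strip trailing separators
        # so the join does not leave a double space or dash.
        base = original[: MAX_NAME_LEN - len(suffix)].rstrip(" ._-")
        candidate = base + suffix
        if candidate not in existing and validate_rule_name(candidate)[0]:
            return candidate
    raise ValueError("could not find a unique name for %r" % original)


if __name__ == "__main__":
    for name in ("Synchronization", "Allow HTTP_out.v2", "-leading dash",
                 "trailing space ", "bad/slash", "a" * 101):
        print(repr(name[:20]), validate_rule_name(name))
    print(suggest_duplicate_name("Synchronization",
                                 {"Synchronization", "Synchronization copy"}))
```

The ASCII-only check is deliberate: Python's str.isalnum() is Unicode-aware and would accept characters the guide's list does not include.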
Figure 109: Proxy Rule: Source/Dest tab

Entering source and destination information

The Source/Dest tab is used to enter source and destination restrictions for a proxy rule. Follow the steps below.
1 [Optional] To create a network object to use as the source or destination of this rule, do the following:
a Click New. You will be prompted to select the type of object you want to create.
b Select the type of network object you want to create and click OK. The New Network Object window appears.
c Create the network object. When you click Add, you are returned to the Source/Dest tab in the Proxy Rule window.
Note: For information on creating a Network Object, see “Creating network objects” on page 139.
2 In the Source Burb drop-down list, select the source burb associated with this rule.
3 In the Destination Burb drop-down list, select the destination burb associated with this rule.
Note: When defining inbound address redirection for a rule, you should select the Internet (external) burb for both the Source Burb and the Destination Burb fields unless you are redirecting internally, or if you are redirecting inbound to another internal address.
4 In the Source list that is displayed, select the source object to use for this rule. (If needed, you can use the Show drop-down list to filter the list to display only one type of object.)
5 In the Destination list that is displayed, select the destination object to use for this rule. (If needed, you can use the Show drop-down list to filter the list to display only one type of object.)
6 [Conditional] In the NAT Address drop-down list, select the object (IP address or host) that will replace the original source address when it is translated.
Note: Do not set the NAT Address to localhost if you are using a virtual burb as your destination burb.
If you selected a netmap in the Source field, the appropriate NAT properties are automatically supplied based on the mapping configured for each IP address or subnet in that netmap. For more information on netmaps, see “Netmap objects” on page 106.
7 [Conditional] In the Redirect Host drop-down list, select the host or IP address to which the original destination is redirected.
If you selected a netmap in the Destination field, the appropriate redirection properties are automatically supplied based on the mapping configured for each IP address and subnet in that netmap. For more information on netmaps, see “Netmap objects” on page 106.
8 [Conditional] In the Redirect Port field, type the port number to which the connection will be redirected.

Figure 110: Proxy Rule: Authentication tab

Entering authentication information

The Authentication tab is used to enter authentication information for this rule.
Note: The following proxies can use authentication: FTP, HTTP, HTTPS, SOCKS, Telnet, and nt_Telnet. The following servers can use authentication: cobra, console, Telnet, sshd, SSO, and WebProxy.
1 Select one of the following options:
• Do not require Authentication—Select this option if you do not want to require authentication for this rule.
• Authentication using SSO (Single Sign On)—Select this option if you want to allow SSO cached authentication for this rule. If the SSO server has not been configured, you will not be able to select the option. For more information, see “Configuring SSO” on page 300.
• Authenticate using selected Authentication Methods—Select this option to require authentication for this rule. If you select this option, you will need to specify the types of authentication that will be allowed for this rule by selecting the appropriate check boxes in the Authentication Methods area. Only methods that have been configured and enabled will be available for selection. For information on authentication methods, see “Supported authentication methods” on page 277.
2 [Optional] If more than one authentication method is selected, you may specify a default method from the Default Method drop-down list. This is the authentication method that will be used by the Sidewinder G2 if the user does not specify an authentication method during log in.
Important: The Default field is not used for administrative purposes (such as logging in to the Admin Console). The default administration authentication method is defined in the Firewall Administration > Firewall Accounts window.
3 [Conditional] In the Authorization area, select one of the following options:
• Allow all successfully authenticated users—Select this option if you want to allow all users who successfully authenticate.
• Allow only users in the selected Sidewinder User Group—Select this option to allow only users who belong to a particular group to use the service(s) specified within the rule. By default All Users are authenticated.
• [Conditional] Allow only users in the selected External Authorization Role—This option is active only if SafeWord or LDAP is selected and enabled. Selecting this option is similar to assigning a user group to a proxy rule, except the group (or role in this case) is defined within an external authentication program such as SafeWord PremierAccess or LDAP/Active Directory. This relieves you from having to maintain a second instance of the group (role) on the Sidewinder G2.
Note: For additional information on configuring authentication for services, see “Setting up authentication for services” on page 303.

Figure 111: Proxy Rule: Time tab

Entering information on the Time tab

This tab allows you to determine the days and times a proxy rule is enabled. You can also specify whether a proxy rule is temporary and will expire after a specific period of time. Follow the steps below.
1 In the Times/Days field, specify when to allow or deny the service(s) defined for this proxy rule. The format is fairly flexible. You must enter a day of the week (or a range of days), followed by a time range (be sure to either use military time OR include am or pm after each hour). You may abbreviate the day, but do not use periods. You can include multiple entries as long as they are separated by a comma and a space. The following are examples of valid entries:
• Mon-Fri 8am-5pm
• Monday-Tuesday 8am-5pm, Friday noon-Sunday 8am
• Thur 1200-1500, Sat 1800
• 8:00am-10:00pm Mon-Thur, 8:30am-5:30pm Fri
2 In the Rule Time To Live field, you can configure a proxy rule to be temporary (that is, to expire after a specified time period). Select one of the following three options:
• No Expiration—Select this option if you do NOT want the proxy rule to be temporary (that is, it will NOT expire). This is the default value.
• Offset—Select this option to specify a period of time that must elapse, starting from the creation date of the rule, before the proxy rule will expire (for example, two days, one week, three years). When you select this option, the Disable Rule In field appears. Select a time period from the drop-down list (Days, Hours, Minutes, Months, Seconds, Weeks, or Years) and then specify the appropriate number in the text box.
• Date/Time—Select this option to specify an exact date and time when the proxy rule will expire. When you select this option, additional fields appear. In the Month, Day, and Year drop-down lists, specify the date that you want the rule to expire. In the Time drop-down lists, specify the exact time you want the rule to expire.

Figure 112: Proxy Rule: Application Defense tab
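A Times/Days entry is a small grammar, and anyone reviewing or generating rule schedules outside the Admin Console needs to be able to parse it and answer "is this rule active now?". The following is an added example in Python, not code from the Sidewinder G2 product or this guide. It implements the core format step 1 documents: entries separated by a comma and a space, each a day or day range plus a time range (military HHMM or hours with am/pm, either order), with days abbreviated to any unambiguous prefix. The two example forms whose meaning the guide does not spell out, a range spanning days ("Friday noon-Sunday 8am") and a lone time ("Sat 1800"), are rejected with ValueError rather than guessed at; treating the end time as exclusive, accepting "noon" and "midnight" as times, and letting a day range wrap past Sunday are assumptions.

```python
"""Parser and checker for the Proxy Rule Times/Days field. Added example,
not code from the Sidewinder G2 product. Handles DAY[-DAY] START-END (either
order) entries separated by ", "; day-spanning ranges and lone times raise
ValueError. Assumptions: end time exclusive, 'noon'/'midnight' accepted,
day ranges may wrap past Sunday, military time is exactly four digits."""
import re
from datetime import datetime

_DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
_TIME_RE = re.compile(r"^(?:(\d{1,2})(?::(\d{2}))?(am|pm)|(\d{4}))$")


def _day_index(token):
    """Map a full or abbreviated day name to 0 (Monday) .. 6 (Sunday)."""
    t = token.lower()
    matches = [i for i, d in enumerate(_DAYS) if d.startswith(t)]
    if not t or len(matches) != 1:          # '' or ambiguous such as 'T' or 'S'
        raise ValueError("unknown or ambiguous day name: %r" % token)
    return matches[0]


def _minutes(token):
    """'8am', '8:30pm', '1200', 'noon' or 'midnight' -> minutes after midnight."""
    t = token.lower()
    if t == "noon":
        return 12 * 60
    if t == "midnight":
        return 0
    m = _TIME_RE.match(t)
    if not m:
        raise ValueError("bad time: %r" % token)
    if m.group(4):                           # military HHMM
        hour, minute = int(m.group(4)[:2]), int(m.group(4)[2:])
    else:                                    # 12-hour clock with am/pm
        hour, minute = int(m.group(1)), int(m.group(2) or 0)
        if not 1 <= hour <= 12:
            raise ValueError("bad 12-hour time: %r" % token)
        hour = hour % 12 + (12 if m.group(3) == "pm" else 0)
    if hour > 23 or minute > 59:
        raise ValueError("bad time: %r" % token)
    return hour * 60 + minute


def _days(token):
    """'Mon' -> {0}; 'Mon-Fri' -> {0,1,2,3,4}; 'Sat-Mon' wraps -> {5,6,0}."""
    parts = token.split("-")
    if len(parts) == 1:
        return {_day_index(parts[0])}
    if len(parts) != 2:
        raise ValueError("bad day range: %r" % token)
    first, last = _day_index(parts[0]), _day_index(parts[1])
    span = (last - first) % 7
    return {(first + i) % 7 for i in range(span + 1)}


def _time_range(token):
    parts = token.split("-")
    if len(parts) != 2:
        raise ValueError("time range must be START-END: %r" % token)
    start, end = _minutes(parts[0]), _minutes(parts[1])
    if end <= start:
        raise ValueError("end must be after start on the same day: %r" % token)
    return start, end


def parse_times_days(spec):
    """Return a list of (days, start_minute, end_minute) windows for `spec`."""
    windows = []
    for entry in spec.split(", "):
        tokens = entry.split()
        if len(tokens) != 2:                 # e.g. 'Friday noon-Sunday 8am'
            raise ValueError("entry must be DAYS TIMES or TIMES DAYS: %r" % entry)
        # The time token is the one starting with a digit, 'noon' or 'midnight'.
        first = tokens[0].lower().split("-")[0]
        if first[0].isdigit() or first in ("noon", "midnight"):
            times, days = tokens
        else:
            days, times = tokens
        windows.append((_days(days),) + _time_range(times))
    return windows


def is_valid_spec(spec):
    try:
        parse_times_days(spec)
        return True
    except ValueError:
        return False


def is_active(spec, when):
    """True if `spec` covers `when` (a datetime or an ISO 8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_times_days(spec))


if __name__ == "__main__":
    print(parse_times_days("8:00am-10:00pm Mon-Thur, 8:30am-5:30pm Fri"))
    print(is_active("Mon-Fri 8am-5pm", "2006-06-05T09:00"))   # a Monday
    print(is_valid_spec("Thur 1200-1500, Sat 1800"))           # lone time rejected
```

Rejecting the undefined forms instead of interpreting them is the point of the design: a schedule checker that silently guesses whether "Sat 1800" means "from 18:00 onwards" or "at 18:00" would disagree with the firewall in exactly the cases an auditor cares about.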
Entering Application Defense rule information

The Application Defense tab is used to determine which Application Defense (or group if you selected Service Group in the Service Type field) will be used by a rule. Select one of the following options:
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt Web Traffic option enabled must have redirection configured.
• Use the default Application Defense/Group—Select this option to use the current default Application Defense group. The current default Application Defense that will be used is displayed next to this option. Ensure that this is the correct Application Defense Group for this rule.
• Select an Application Defense/Group—Select this option to select the Application Defense (or group if you selected a service group in the Service Type field) that you want to apply to this rule. Only Application Defenses that are applicable to the type of rule you are creating will appear in the table. For example, if you are creating an HTTP rule, you will only see Web Application Defenses in the table. To view the properties for a particular defense, select the appropriate table row and click View.
To create a new Application Defense for this rule, click New. To modify one of the existing Application Defenses, highlight the appropriate table row and click Modify. (If you want to create a new defense based on an existing defense, highlight the defense and click Duplicate.) For information on creating or modifying an Application Defense, see Chapter 6.
To view the other areas where an Application Defense is used, highlight that defense and click Usage.
Important: If the defense you want to modify is currently being used by other rules, you will receive a pop-up window listing the areas where this defense is used and asking you whether you want to continue modifying the defense. Click Yes to modify the defense, or click No to return to the Application Defense tab without modifying the defense.

Creating IP Filter rules

This section provides information on creating IP Filter rules. For overview information on IP Filter rules, see Chapter 4.

To create an IP Filter rule, follow the steps below.
Important: IP Filter rules that you create will not be active until you place them in a rule group that is part of the active IP Filter rules. For information on adding an IP Filter rule to a rule group and ensuring that it is included in the active IP Filter rules, see “Creating and managing rule groups” on page 236 and “Selecting your active policy rules” on page 239.
Figure 113: IP Filter Rules window
1 Using the Admin Console select Policy Configuration > Rules. The Rules window appears.
2 In the View Option field, select IP Filter Rules. The Rules window appears with the IP Filter rules table displayed.
3 Click New > IP Filter Rule and then select the type of IP Filter rule you want to create:
• TCP—Select this option to create an IP Filter rule specifically for the TCP protocol.
• UDP—Select this option to create an IP Filter rule specifically for the UDP protocol.
• ICMP—Select this option to create an IP Filter rule specifically for the ICMP protocol.
• Other—Select this option to create an IP Filter rule for protocols other than TCP, UDP, and ICMP (such as AH).
Note: ICMP control and error messages generated by TCP/UDP traffic are managed using TCP/UDP rules, as opposed to ICMP rules. For example, if you want to pass “host unreachable” error messages for a specific rule’s undelivered TCP packets through the Sidewinder G2, you would configure this option on that rule’s TCP Advanced tab.
To modify an IP Filter rule, highlight the rule you want to modify, and click Modify.
The IP Filter Rules window appears with the Rule tab displayed.
Entering information on the Rule tab
To configure the Rule tab for an IP Filter rule, follow the steps below.
1 In the Name field, specify a name for the rule. Valid values include alphanumeric characters, periods (.), underscores (_), hyphens (-), and spaces ( ). The name cannot exceed 100 characters.
2 In the Protocol field, select the protocol type for the rule you are creating. (If you selected TCP, UDP, or ICMP as the rule type, the Protocol field will be automatically filled in for you.) To create an IP Filter rule for a protocol that is not listed in the drop-down list, manually type the protocol number in the Protocol field.
3 In the Action field, specify the action that should occur when a packet matches this rule:
• Allow—The packet will be translated or redirected, as defined in the Source/Dest tab, and will then continue regular kernel-level processing.
• Deny—The packet will be rejected without further filtering.
• Bypass IP Filter Rules—The packet will bypass IP Filter processing and go to the beginning of the proxy rule list. This option is generally used for common proxy protocols, such as HTTP, and is recommended as an optimization when you have a large number of IP Filter rules. This action is not an option for Other rules.
4 In the Control field, select Enable to enable the rule or Disable to disable the rule. This allows you to temporarily disable a rule, if necessary, without deleting it. Rules that are disabled will appear grayed out in the main Rule window.
5 In the Audit Level field, select the type of audit you want performed when a packet matches this rule. The options vary depending on the rule action, as follows:
• If Action = Allow, then:
– None—No audit information will be recorded for this rule.
– Informational—Select this option to generate errors, normal traffic, and informational audit events for this rule.
– Traffic—Select this option to generate normal traffic and error audit events for this rule.
– Errors Only—Select this option to generate only error audit events for this rule. If you select this option, normal traffic will not be logged. (This option increases performance and reduces the size of audit logs.)
• If Action = Deny or Bypass IP Filter Rules, then:
– All—Select this option to generate audit events for all packets that match this rule.
– Limit—Select this option to generate audit events for this rule at the frequency specified in the IP Filter Properties window’s setting. See “Viewing and modifying general IP Filter properties” on page 241 for more information.
– None—No audit information will be recorded for this rule.
6 [Conditional] If you selected Informational for the audit level, in the Audit Threshold field, specify the number of packets that will be allowed by this rule before an audit record is generated. To limit auditing for this IP Filter rule to only connection or session information, set the value to zero (0).
7 [Optional] In the Description field, enter any useful information about this IP Filter rule (for example, a brief description of the rule).
8 To configure the source and destination information for this IP Filter rule, select the Source/Dest tab. The following window appears.

Figure 114: IP Filter Rules Source/Dest tab

About the IP Filter Source/Dest tab

The Source/Dest tab is used to specify the source and destination information, as well as NAT and redirection for this IP Filter rule. Follow the steps below.
1 [Optional] If the appropriate source and destination network objects do not<br />
yet exist, do the following to create them:<br />
a Click New. You will be prompted to select the type <strong>of</strong> object you want to<br />
create.<br />
b Select the type <strong>of</strong> network object you want to create. The New Network<br />
Object window appears.<br />
c Create the network object. When you click Add, you are returned to the<br />
Source/Dest tab in the IP Filter Rule window.<br />
2 In the Direction field, specify the following:<br />
• Uni-directional: This option allows traffic to initiate only from the source<br />
address. If stateful packet inspection is enabled, selecting this option<br />
also creates a session that allows return traffic.<br />
• Bi-directional: If stateful inspection is enabled for this rule, this option<br />
allows traffic or sessions to be initiated from either source or destination<br />
addresses.<br />
Note: NAT and redirection are not allowed for bi-directional rules with<br />
stateful packet inspection enabled.<br />
3 In the Source Burb drop-down list, select the burb through which the Sidewinder G2 should route to get to the source IP address.
4 In the Destination Burb drop-down list, select the burb through which the Sidewinder G2 should route to get to the destination IP address.
5 In the Source Show drop-down list, select the type of network object or group to use as the source object.
6 In the displayed Source list, select the source object to use for this rule.
7 In the Destination Show drop-down list, select the type of network object or group to use as the destination object.
8 In the displayed Destination list, select the destination object to use for this rule.
9 In the Source Port Range field, specify the port or range of ports (inclusive) in which connections are allowed to be made to or initiated from the corresponding address. Note the following:
• Valid values are 1–65535.
• To specify “any port,” leave the field blank.
If configuring an ICMP or Other rule, port configuration is not an option.
10 In the Destination Port Ranges field, do one of the following:
• To specify “any port,” leave the field blank.
• To specify one or more ports or port ranges (inclusive) in which connections are allowed to be made to or initiated from the corresponding address, click New. Valid values are 1–65535. You also have the option to modify or delete existing entries.
If configuring an ICMP or Other rule, port configuration is not an option.
11 In the NAT Mode drop-down list, select one of the following options:
• None—This option disables NAT for this rule.
• Normal—All packets that match this rule will be translated as follows: the source address will be translated to the associated NAT address, and the source port will be translated to a port within the NAT port range.
• Source Port—All packets that match this rule will be translated as follows: the source address will be translated to the associated NAT address. The source port will not be translated.
12 In the NAT Address drop-down list, select the object (IP address, host, or subnet) that will replace the original source address when it is translated. (To filter the type of objects that appear in the list, select an option from the Show drop-down list.)
Important: If you selected Source Port NAT in the previous step, you must specify an alias IP address, or a subnet that contains at least one alias IP address, as the NAT Address. If you specify an interface IP address or a subnet that does not contain an alias IP address, this rule will not pass traffic and an audit event will be generated.
Figure 115: IP Filter Time tab
About the IP Filter Time tab
13 In the Redirection Mode field, select one of the following options:
• None—Select this option if you do not want to enable redirection.
• Normal—Select this option to enable redirection.
14 In the Redirect Host drop-down list, select the IP address or subnet to which the original destination should be redirected. (To filter the type of objects that appear in the list, select an option from the Show drop-down list.)
15 To configure the days and times that the IP Filter rule is enabled, select the Time tab. The following window appears. (See “About the IP Filter Time tab” below.)
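The following Python model is an added example, not Sidewinder G2 code, that shows what the Source/Dest tab fields decide for a single packet: the port-range syntax (blank meaning any port, values limited to 1–65535), how Direction changes which side may initiate, and how the two NAT Modes differ (Normal rewrites both the source address and port; Source Port rewrites the address only). The /24 networks, the 203.0.113.x NAT addresses and the NAT port range 40000–40099 are constructed for the example; the product's real NAT port range is not documented here.

```python
"""Model of an IP Filter rule's Source/Dest tab fields.

Added illustration, not Sidewinder G2 code: it shows how a packet is
matched against the rule's source/destination objects, port ranges and
Direction, and how the two NAT Modes rewrite the source address/port.
The NAT port range and all addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_port_ranges(text: str) -> List[PortRange]:
    """Parse '80', '1000-2000' or '22,80,443-444' into inclusive ranges.

    A blank field means "any port" (the guide's convention) and becomes
    1-65535; anything outside 1-65535 is rejected, as the Admin Console does.
    """
    if not text.strip():
        return [(1, 65535)]
    ranges = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port range out of bounds: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_in_ranges(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class IPFilterRule:
    source_net: str                      # source network object, e.g. "10.0.0.0/24"
    dest_net: str                        # destination network object
    src_ports: List[PortRange]           # Source Port Range field
    dst_ports: List[PortRange]           # Destination Port Ranges field
    bidirectional: bool = False          # Direction field
    stateful: bool = True                # Stateful Packet Inspection (Advanced tab)
    nat_mode: str = "None"               # "None", "Normal" or "Source Port"
    nat_address: Optional[str] = None    # NAT Address object (an alias IP in practice)
    nat_port_range: PortRange = (40000, 40099)   # assumed for the example
    _nat_allocated: int = field(default=0, repr=False)

    def _matches_forward(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.source_net)
                and ip_address(p.dst_ip) in ip_network(self.dest_net)
                and port_in_ranges(p.src_port, self.src_ports)
                and port_in_ranges(p.dst_port, self.dst_ports))

    def matches(self, p: Packet) -> bool:
        """Uni-directional: only the source side may initiate. Bi-directional:
        either side may, so the packet is also tried with src/dst swapped."""
        if self._matches_forward(p):
            return True
        if self.bidirectional:
            return self._matches_forward(Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        return False

    def _next_nat_port(self) -> int:
        lo, hi = self.nat_port_range
        port = lo + self._nat_allocated % (hi - lo + 1)   # wraps around the range
        self._nat_allocated += 1
        return port

    def translate(self, p: Packet) -> Packet:
        """Apply the NAT Mode to a packet that already matched the rule."""
        if self.nat_mode == "None":
            return p
        if self.bidirectional and self.stateful:
            raise ValueError("NAT is not allowed on bi-directional rules with stateful inspection")
        if self.nat_address is None:
            raise ValueError("a NAT Address is required when NAT Mode is not None")
        if self.nat_mode == "Normal":          # rewrite address and pick a port from the NAT range
            return Packet(self.nat_address, self._next_nat_port(), p.dst_ip, p.dst_port)
        if self.nat_mode == "Source Port":     # rewrite address only; the source port is kept
            return Packet(self.nat_address, p.src_port, p.dst_ip, p.dst_port)
        raise ValueError(f"unknown NAT Mode {self.nat_mode!r}")


def demo() -> Packet:
    """Outbound web rule: internal /24 to anywhere on 80 or 443, Normal NAT."""
    rule = IPFilterRule("10.0.0.0/24", "0.0.0.0/0", parse_port_ranges(""),
                        parse_port_ranges("80,443"), nat_mode="Normal",
                        nat_address="203.0.113.10")
    pkt = Packet("10.0.0.5", 51234, "198.51.100.7", 443)    # constructed packet
    if not rule.matches(pkt):
        raise RuntimeError("packet should match the rule")
    return rule.translate(pkt)
```

Running `demo()` returns the translated packet with source 203.0.113.10 and the first port of the NAT range; the same rule with `bidirectional=True` would raise on `translate()`, mirroring the Note above that NAT is not permitted on bi-directional stateful rules.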
The Time tab allows you to determine whether an IP Filter rule is temporary and will expire after a specific period of time. Follow the steps below.
1 In the Rule Time To Live area, specify whether this rule will expire (become disabled). Select one of the following three options:
• No Expiration—Select this option if you do NOT want the rule to expire. This is the default value.
• Offset—Select this option to specify a period of time that must elapse, starting from the creation date of the rule, before the rule will expire (for example, two days, one week, three years). When you select this option, the Disable Rule In field appears. Select a time period from the drop-down list (Seconds, Minutes, Hours, Days, Weeks, Months, or Years) and then specify the appropriate number in the text box.
• Date/Time—Select this option to specify an exact date and time when the rule will expire. When you select this option, additional fields appear. In the Month, Day, and Year drop-down lists, specify the date that you want the rule to expire. In the Time drop-down lists, specify the exact time you want the rule to expire.
Figure 116: IP Filter (TCP and ICMP) Advanced tabs
2 To configure advanced configuration information for this IP Filter rule, select the Advanced tab. Depending on the rule type, different options appear.
• For TCP/UDP IP Filter rules, see “Configuring the TCP/UDP Advanced tab” on page 234.
• For ICMP IP Filter rules, see “Configuring the ICMP Advanced tab” on page 235.
• The Advanced tab is not available if you selected Other as the IP Filter rule type.
About the IP Filter Advanced tabs
The IP Filter Advanced tab options vary depending on the initial rule type. The options change as follows:
• TCP—Allows you to configure stateful packet inspection, connection and idle timeouts, connection rates, stateful session failover, and allowed control and error responses.
• UDP—Allows you to configure stateful packet inspection, idle timeouts, packet rates, stateful session failover, and allowed control and error response packets.
• ICMP—Allows you to configure stateful packet inspection, request timeouts, request rates, and which message types will be allowed or denied.
• Other—The Advanced tab is not available for IP Filters of type Other.
Configuring the TCP/UDP Advanced tab
1 To enable stateful inspection for this rule, select the Stateful Packet Inspection check box. You will not be able to configure other fields in this tab without this option selected.
To disable stateful packet inspection, clear the Stateful Packet Inspection check box.
2 [TCP only] In the Connection Timeout field, specify the amount of time (in seconds) that a TCP session will wait for a connection to be established once it is started. Valid values are 1–65535. (The minimum value is one second.)
3 In the Idle Timeout field, specify the amount of time (in seconds) that a session will remain open when there is no new traffic within an established session. Valid values are 1–65535. (The minimum value is one second.)
4 [TCP only] In the Limit Connection Rate area, you can limit the number of connections that will be allowed per second by selecting Yes and entering the number of connections that you want allowed per second in the Rate field. Valid values are 0–1000000000.
To disable connection rate limitations, select No.
5 [UDP only] In the Limit Packet Rate area, you can limit the number of packets that will be allowed per second in either direction by selecting Yes and entering the number of packets that you want allowed per second in the Rate field. Valid values are 0–1000000000.
To disable packet rate limitations, select No.
6 [Conditional] In the Stateful Session Failover field, select Yes to enable stateful session sharing, or select No to disable it. This field can only be modified if you are connected to an HA cluster. (For more information on stateful session sharing, see “Sharing IP Filter sessions in an HA cluster” on page 128.)
7 In the Allowed Control and Error Responses area, select the response types that you want to allow for this rule by selecting the check box next to each response type. A check mark will appear next to response types that are selected. To deselect a response type, click the check box to clear it.
Note: This section controls the ICMP messages generated by this rule’s TCP/UDP traffic. These messages do not need separate ICMP rules.
8 Click Add to save your changes, or click Cancel to reset the fields to the values that were previously entered.
9 [Conditional] If you selected Add and want this rule to begin managing traffic, add this newly configured rule to an active rule group and save the changes.
Your TCP/UDP IP Filter rule is now configured.
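The following session table is an added example, not Sidewinder G2 code. It models three of the TCP/UDP Advanced tab settings described above: Connection Timeout (how long a session may stay half-open before it is dropped), Idle Timeout (how long an established session survives without traffic), and Limit Connection Rate (new connections accepted per second). It also shows the stateful behaviour from the Direction field: return traffic is allowed only because a session was created by the source side. The timeout values, addresses and timestamps are constructed; the real product's session handling is not documented at this level.

```python
"""Toy stateful session table for the TCP/UDP Advanced tab settings.

Added illustration, not Sidewinder G2 code. Models Connection Timeout,
Idle Timeout and Limit Connection Rate for a uni-directional rule with
Stateful Packet Inspection enabled. Flows and times are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def reverse(flow: Flow) -> Flow:
    s_ip, s_port, d_ip, d_port = flow
    return (d_ip, d_port, s_ip, s_port)


@dataclass
class Session:
    established: bool   # False until the far side has answered
    started: float      # time of the initiating packet
    last_seen: float    # time of the most recent packet in either direction


class StatefulTable:
    def __init__(self, connection_timeout: int, idle_timeout: int,
                 rate_limit: Optional[int] = None) -> None:
        for v in (connection_timeout, idle_timeout):
            if not 1 <= v <= 65535:                 # the tab's valid range
                raise ValueError("timeouts must be 1-65535 seconds")
        self.connection_timeout = connection_timeout
        self.idle_timeout = idle_timeout
        self.rate_limit = rate_limit                # None = "Limit Connection Rate: No"
        self.sessions: Dict[Flow, Session] = {}
        self._window_start = 0.0
        self._window_count = 0

    def _rate_ok(self, now: float) -> bool:
        """Count new connections per one-second window; refuse beyond the limit."""
        if self.rate_limit is None:
            return True
        if now - self._window_start >= 1.0:
            self._window_start, self._window_count = now, 0
        if self._window_count >= self.rate_limit:
            return False
        self._window_count += 1
        return True

    def syn(self, flow: Flow, now: float) -> bool:
        """Initiating packet from the rule's source side; True if a session exists afterwards."""
        self.expire(now)
        if flow in self.sessions:
            self.sessions[flow].last_seen = now
            return True
        if not self._rate_ok(now):
            return False
        self.sessions[flow] = Session(False, now, now)
        return True

    def packet(self, flow: Flow, now: float) -> bool:
        """Any later packet. Return traffic is allowed only when a session exists
        for the opposite flow; the destination side may never initiate."""
        self.expire(now)
        if flow in self.sessions:
            sess = self.sessions[flow]              # retransmission from the initiator
        elif reverse(flow) in self.sessions:
            sess = self.sessions[reverse(flow)]
            sess.established = True                 # a reply arrived: handshake completed
        else:
            return False
        sess.last_seen = now
        return True

    def expire(self, now: float) -> List[Flow]:
        """Drop half-open sessions past Connection Timeout and established ones past Idle Timeout."""
        dead = []
        for key, s in self.sessions.items():
            limit = self.idle_timeout if s.established else self.connection_timeout
            reference = s.last_seen if s.established else s.started
            if now - reference > limit:
                dead.append(key)
        for key in dead:
            del self.sessions[key]
        return dead


def demo() -> dict:
    """Walk three client connections through a rule with 5 s connect, 30 s idle, 2 conn/s."""
    t = StatefulTable(connection_timeout=5, idle_timeout=30, rate_limit=2)
    c1 = ("10.0.0.5", 40001, "198.51.100.7", 443)   # constructed flows
    c2 = ("10.0.0.5", 40002, "198.51.100.7", 443)
    c3 = ("10.0.0.5", 40003, "198.51.100.7", 443)
    return {
        "c1_syn": t.syn(c1, 0.0),
        "c2_syn": t.syn(c2, 0.2),
        "c3_syn_rate_limited": t.syn(c3, 0.4),        # third connection within one second
        "c1_reply": t.packet(reverse(c1), 0.5),       # return traffic for c1 is allowed
        "unsolicited_reply": t.packet(("198.51.100.7", 443, "10.0.0.5", 40099), 0.6),
        "expired_at_10s": t.expire(10.0),             # c2 never got a reply: Connection Timeout
        "expired_at_40s": t.expire(40.0),             # c1 idle since 0.5 s: Idle Timeout
    }
```

Note the two different clocks: a half-open session is measured from its first packet, an established one from its last packet, which is why `c2` disappears at 10 s while `c1` lasts until 30 s of silence have passed.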
Configuring the ICMP Advanced tab
1 To enable stateful inspection for this rule, select the Stateful Packet Inspection check box. You will not be able to configure other fields in this tab without this option selected.
To disable stateful packet inspection, clear the Stateful Packet Inspection check box.
2 In the Response Timeout field, specify the amount of time (in seconds) that a session will await responses after the final request. The minimum value is 1 second.
3 In the Limit Request Rate area, you can limit the number of requests that will be allowed per second in either direction by selecting Yes and entering the number of packets that you want allowed per second in the Rate field. Valid values are 0–1000000000.
4 In the Message Type area, select the ICMP message types that you want to filter for this rule by selecting the check box next to each message type you want to allow or deny. A check mark will appear next to message types that are selected. To deselect a message type, click the check box to clear the check mark. The following options are available:
• echo—Selecting this matches echo requests and responses used by ping.
• info—Selecting this matches ICMP information requests and responses.
• timestamp—Selecting this matches timestamp requests and responses.
5 Click Add to save your changes, or click Cancel to reset the fields to the values that were previously entered.
6 [Conditional] If you selected Add and want this rule to begin managing traffic, add this newly configured rule to an active rule group and save the changes.
Your ICMP IP Filter rule is now configured.
Creating and managing rule groups
This section provides information on creating and managing your rule groups. The process for creating and managing proxy groups and IP Filter groups is essentially the same.
Creating a rule group
To create a rule group, follow the steps below.
1 Using the Admin Console, select Policy Configuration > Rules. The Rules window appears.
2 Select one of the following options in the View Option field:
• To create a proxy rule group, select Proxy Rules. A list of existing proxy rules and groups appears.
• To create an IP Filter group, select IP Filter Rules. A list of existing IP Filter rules and groups appears.
3 Click New and select Proxy Group or IP Filter Group, as appropriate. A New Rule Group window appears prompting you to enter a name for the new group.
4 Enter a name that will help you identify the purpose of the rule group. For example, a default proxy rule group called Administration contains all of the rules associated with basic Sidewinder G2 administration.
Figure 117: Modify Groups window
5 Click Add to add the rule group. An empty rule group with the name you specified will appear in the appropriate rule table.
6 To add rules and nested rule groups to the rule group you created, see “Managing rules and nested groups within a rule group” below.
Managing rules and nested groups within a rule group
When you create a new rule group, it will remain empty until you populate it with rules and/or groups. To add rules and groups to, or remove them from, an existing rule group, follow the steps below.
Note: The process is essentially the same regardless of whether you are managing a proxy rule group or an IP Filter rule group.
1 Using the Admin Console, select Policy Configuration > Rules. The Rules window appears.
2 Select one of the following options in the View Option field:
• To modify a proxy rule group, select Proxy Rules. A list of existing proxy rules and groups appears.
• To modify an IP Filter group, select IP Filter Rules. A list of existing IP Filter rules and groups appears.
3 Double-click the rule group that you want to modify. (You can also highlight the rule group you want to modify and click Modify.) A Modify Groups window appears.
About the Modify Groups window
This window allows you to determine which rules and nested groups will be included in a particular rule group. It also allows you to determine the order in which you organize those rules and nested groups. The order of rules and nested groups within a rule group is very important. (For information on organizing your rule groups, see “Ordering proxy rules within a rule group” on page 101.)
The Available Rules and Groups table contains a list of the rules and groups that are available to add to this rule group. The Assigned Rules and Groups table contains a list of the rules and groups that are currently assigned to this rule group. You can perform the following actions within the Rule Group window:
• Add a rule or nested group to the selected rule group—To add a rule or nested group to a rule group, double-click the entry that you want to add in the Available Rules and Groups table (or highlight the entry and click the down arrow icon). The rule or group will be placed in the Assigned Rules and Groups table.
• Remove a rule or rule group from the selected rule group—To remove a rule or group from a rule group, double-click the entry in the Assigned Rules and Groups table (or highlight the entry and click the up arrow icon). The rule or group will be removed from the Assigned Rules and Groups table and placed in the Available Rules and Groups table.
• Organize the assigned rules and groups within the selected rule group—To organize the rules and groups in the Assigned Rules and Groups table, click and drag each entry to the desired location. For information on organizing your rule groups, see “Ordering proxy rules within a rule group” on page 101.
• Edit the description for a rule group—To edit the description for a rule group, place your cursor in the Description field and add or modify the text as needed.
• Save the changes you made to the rule group—To save your changes, click OK.
Selecting your active policy rules
When you initially configure your Sidewinder G2, a default rule group is automatically assigned as your active policy (the rules contained in those groups will vary depending on the choices you made in the Quick Start Wizard). All rules and groups that you have created that are not part of the active rules (that is, rules that are not included in the active group, or in a rule group that is nested in the active group) will remain inactive unless you add them to the active rule group or to a group that is part of the active rule group.
You can modify your existing active rule group to add or delete rules and/or nested rule groups as your security needs change. You can also re-organize the rule group entries as needed. For a more detailed overview of the active rules and how they work, see Chapter 4.
Viewing the active policy
To view the active rules currently configured for your Sidewinder G2, using the Admin Console select Policy Configuration > Rules and then click View Active Policy. The Active Rules window appears.
Figure 118: Active Rules window
About the Active Rules window
This window allows you to view the active rules currently in use on your Sidewinder G2. The active rules listed in each table consist of all of the rules (including both individual rules and rules included in nested groups) and determine the order in which traffic will be processed. Which rules appear in each table is determined by the rule group that is displayed in the Active Group field.
When you select rule groups in the Active Rules window (one for proxy rules and one for IP Filter rules), they will begin actively filtering traffic coming into and leaving the Sidewinder G2.
In the Active Rules window, you can perform the following actions:
• Select a new active rule group—To select a new active rule group that will enforce traffic coming into and leaving the Sidewinder G2, see “Modifying the active rule groups” on page 240. (The window is similar for IP Filter and Proxy rule groups.)
• View the IP Filter properties—To view the properties configured for the IP Filter rules contained in the active IP Filter group, click the IP Filter Properties button. The IP Filter General Properties window appears. See “About the IP Filter General Properties window” on page 241.
• Determine which group a rule belongs to—Each active rule must be a member of at least one group, which is listed in the Rule Group column. If a rule belongs to more than one group, the rule is listed multiple times.
Modifying the active rule groups
To modify the active rule groups that are currently enforcing your policy, using the Admin Console select Policy Configuration > Rules and then click View Active Policy. Click the appropriate Set button (IP Filter or Proxy). The Rule Group Select window appears.
Figure 119: Rule Group Select window
About the Rule Group Select window
This window allows you to select a new active policy for either IP Filter or proxy rules. Before you select a new rule group to enforce your security policy, ensure that the rule group you are specifying contains all of the necessary rules and rule groups in the correct order. When you select a new rule group in this window and save your changes, the rules contained in that rule group will be loaded into the Sidewinder G2 and will begin enforcing your policy.
To select a new rule group, click the rule group that you want to use to enforce your security policy and click OK. The new rules will be loaded in the kernel and the Sidewinder G2 will use those rules to enforce your policy.
Viewing and modifying general IP Filter properties
There are a number of IP Filter properties that affect all active IP Filter rules. To view or modify these properties, in the Admin Console select Policy Configuration > Rules and then click View Active Policy > IP Filter Properties. You can also access this window from the main Rules window when the IP Filter Rules view is selected. The IP Filter General Properties window appears.
Figure 120: IP Filter General Properties window
About the IP Filter General Properties window
The IP Filter General Properties window allows you to specify basic properties that apply to all IP Filter rules contained in the IP Filter portion of the active policy. Follow the steps below.
1 In the Maximum TCP Sessions field, specify the maximum number of TCP sessions allowed to use the IP Filter at one time. Valid values are 0–1000000.
2 In the Maximum UDP Sessions field, specify the maximum number of UDP sessions allowed to use the IP Filter at one time. Valid values are 0–1000000.
3 In the Start of reserved ports field, specify the starting port that IP Filter will reserve for its own use. Valid values are 1024–65533. The default is 9120.
4 In the Number of ports reserved for ipfilter field, specify the number of ports IP Filter will reserve for its own use. Valid values are 1–64509. The default is 875.
5 In the Deny Audit Frequency area, specify how frequently Sidewinder G2 will generate audit records for IP Filter deny rules with the audit level set to Limit. Audit will be created for the first x occurrences in every y seconds. An additional audit event will be generated to record how many other audit events were suppressed.
For example, suppose the audit is limited to generating an audit event for the first 1 occurrence in every 1 second. If Sidewinder G2 stopped 100 netprobes in 1 second, one record would be generated for the first denial, and then another audit record stating that 99 occurrences were suppressed.
6 Click OK to save your changes, or click Cancel to reset the fields to the values that were previously entered.
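The following limiter is an added example, not Sidewinder G2 code, of the Deny Audit Frequency semantics in step 5 above, which is also what the Limit audit level on a deny rule (step 5 of the rule's General tab) refers to: the first x denials in each y-second window are audited individually, and when the window closes a single summary event records how many further denials were suppressed. The probe packets are constructed, and the event format is the example's own; the product's audit record layout is not described here.

```python
"""Audit rate limiter with the Deny Audit Frequency semantics.

Added illustration, not Sidewinder G2 code: a deny rule with audit level
Limit produces audit events for the first x matches in every y-second
window, then one summary event saying how many were suppressed.
The sample denials are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuditEvent:
    time: float
    kind: str        # "deny" for an individual denial, "suppressed" for the summary
    detail: str


@dataclass
class DenyAuditLimiter:
    max_events: int           # x: audit the first x denials ...
    window_seconds: float     # y: ... in every y seconds
    events: List[AuditEvent] = field(default_factory=list)
    _window_start: Optional[float] = field(default=None, repr=False)
    _seen: int = field(default=0, repr=False)

    def _close_window(self, now: float) -> None:
        """Emit the summary for the window that just ended, if anything was suppressed."""
        if self._window_start is None:
            return
        suppressed = self._seen - self.max_events
        if suppressed > 0:
            self.events.append(AuditEvent(
                now, "suppressed",
                f"{suppressed} additional denials suppressed since t={self._window_start:g}"))

    def deny(self, now: float, detail: str) -> Optional[AuditEvent]:
        """Record one denied packet; return the audit event emitted for it, if any."""
        if self._window_start is None or now - self._window_start >= self.window_seconds:
            self._close_window(now)               # roll over to a fresh window
            self._window_start, self._seen = now, 0
        self._seen += 1
        if self._seen <= self.max_events:
            ev = AuditEvent(now, "deny", detail)
            self.events.append(ev)
            return ev
        return None                                 # counted, but not audited individually

    def flush(self, now: float) -> None:
        """Close the current window (for example when the rule set is reloaded)."""
        self._close_window(now)
        self._window_start, self._seen = None, 0


def demo() -> List[AuditEvent]:
    """Reproduce the guide's scenario: x=1, y=1, and 100 probes within one second."""
    limiter = DenyAuditLimiter(max_events=1, window_seconds=1.0)
    for i in range(100):                            # constructed: 100 denied probes
        limiter.deny(i / 100, f"denied probe {i} from 192.0.2.77 to tcp/{1000 + i}")
    limiter.flush(1.0)
    return limiter.events
```

`demo()` yields exactly two events, one for the first denial and one stating that 99 were suppressed, which is the behaviour the guide describes; raising `max_events` or the window length trades audit volume against the detail available when investigating a scan.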
CHAPTER 9
Configuring Proxies
In this chapter...
Proxy basics ............................................................ 244
Redirected proxy connections ............................................ 247
Standard Sidewinder G2 proxies .......................................... 250
Using other proxies on the Sidewinder G2 ................................ 254
Transparent & non-transparent proxies ................................... 254
Notes on selected proxy configurations .................................. 255
Configuring proxies ..................................................... 266
Setting up a new proxy .................................................. 270
Proxy basics
A proxy is a program that controls communication between clients on one side of a Sidewinder G2 and servers on the other side. That is, an application client and application server on opposite sides of a Sidewinder G2 do not communicate directly. Instead, the client and server both “talk” to a proxy, which forwards the data back and forth.
Network applications are typically accessed using one of two lower level communication protocols: TCP or UDP. TCP is a connection-based protocol that guarantees data is delivered in order and ensures address and data integrity. UDP is a connectionless service that delivers data with minimum overhead.
The Sidewinder G2 provides pre-defined TCP-based proxies for a variety of Internet applications including Web, Telnet, FTP, and many others. The Sidewinder G2 also supports proxies for routing UDP transmissions for applications based on protocols such as SNMP and NTP.
Important: There is a security risk involved with using UDP proxies. Unlike TCP, UDP does not ensure address integrity. This makes it possible for an attacker to spoof the source address for some dubious purpose.
A proxy is not a server on your Sidewinder G2. Rather, a proxy controls access to a server on the other side of your Sidewinder G2. Also, a proxy can only access the kind of server that it represents. For example, as shown in Figure 121, a Telnet proxy can access only Telnet servers; it cannot access a Web Proxy server (or any other kind of server).
Figure 121: Example Sidewinder G2 proxy connection. A Telnet client on the internal network connects to the Telnet proxy on the Sidewinder G2, which in turn connects to the Telnet server on the external network.
Proxies can control connections between any two Type Enforced network areas, regardless of whether the areas are internal or external. The rules that you define in the active proxy rule group (see Chapter 4) determine how the networks connected to the Sidewinder G2 are allowed to communicate. The most common proxy directions, internal burb-to-external burb and external burb-to-internal burb, are explained below.
• internal burb-to-external burb
The proxy connections you configure on the Sidewinder G2 will typically be outbound (internal-to-external) connections. All data packets traveling out through your Sidewinder G2 will appear to come from the external address of your Sidewinder G2. That is, the address of the network in the internal burb is not seen in the packet information on the external burb.
• external burb-to-internal burb
A proxy can also be set up for inbound (external-to-internal) connections. In general, inbound proxies are not desirable for security reasons (see the “Important” note below). There are, however, certain configuration options you can use, such as encryption, authentication, and address or port redirection, that make an inbound proxy more secure. (These options are covered in more detail later in this chapter.)
Important: Network attacks using “sniffer” programs to steal users’ accounts and passwords are frequent on the Internet. To prevent such intrusions, you should use a strong authentication method (such as those described in Chapter 10) that prevents an attacker from gaining account information. However, attackers can still use sniffers to compromise your data. By encrypting your network transmissions and using proxy redirection, you can provide further defense against network attacks. (Strong Cryptography is a premium feature.)
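The following relay is an added example, not Sidewinder G2 code or any of its proxies, that makes the proxy model above concrete: the client connects to the relay, the relay opens its own connection to the server, and bytes are copied between the two. The server therefore only ever sees the relay's own source port and address, which is the sense in which outbound traffic “appears to come from the external address of your Sidewinder G2” and the internal address stays hidden. Everything runs on 127.0.0.1 with ports chosen by the operating system; the echo server stands in for the application server, and the payload is constructed.

```python
"""Minimal TCP relay illustrating the proxy model.

Added illustration, not Sidewinder G2 code. The client and the server
never exchange packets directly: both talk to the relay, which copies
bytes in each direction. The server sees the relay's socket as its peer,
not the client's. Runs entirely on the loopback interface.
"""
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen() -> socket.socket:
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))      # ephemeral loopback port
    lsock.listen(1)
    return lsock


def start_proxy(upstream: Tuple[str, int], state: dict) -> Tuple[str, int]:
    """Accept one client and relay it to `upstream`; record the relay's own outbound port."""
    lsock = _listen()

    def serve() -> None:
        client, _ = lsock.accept()
        lsock.close()
        server = socket.create_connection(upstream)      # the relay's own connection
        state["proxy_outbound_port"] = server.getsockname()[1]
        threading.Thread(target=_pump, args=(client, server), daemon=True).start()
        _pump(server, client)
        client.close()
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()


def start_echo_server(state: dict) -> Tuple[str, int]:
    """Stand-in application server: records the peer address it sees, echoes input."""
    lsock = _listen()

    def serve() -> None:
        conn, peer = lsock.accept()
        lsock.close()
        state["server_saw_port"] = peer[1]
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()


def run_through_proxy(payload: bytes) -> dict:
    """Send `payload` client -> relay -> server and return what each party observed."""
    state: dict = {}
    server_addr = start_echo_server(state)
    proxy_addr = start_proxy(server_addr, state)
    with socket.create_connection(proxy_addr) as c:
        c.settimeout(5.0)
        state["client_port"] = c.getsockname()[1]
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    state["reply"] = reply
    return state
```

In the returned dictionary `server_saw_port` equals `proxy_outbound_port`, not `client_port`: the application server has no view of the client's own socket, only of the relay's. A real application-level proxy such as the Sidewinder G2's also understands the protocol it carries (a Telnet proxy only reaches Telnet servers), which a byte relay like this one does not.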
Configuring advanced proxy parameters on a per-rule basis using Application Defenses
The Proxy window allows you to configure the basic proxy properties and enable them in the appropriate burbs. Proxy rules allow you to determine whether proxy access will be allowed or denied and under what conditions. By adding Application Defenses to your rules, you can specify advanced, application-specific proxy properties (such as MIME/anti-virus filtering, SSL decryption, and timeout properties) on a per-rule basis. For information on configuring Application Defenses and rules for proxies, see Chapter 6 and Chapter 8.
Improving performance using Fast Path Sessions
The Sidewinder G2 supports a Fast Path Sessions option that improves system performance by lessening the load placed on the system kernel when passing proxy data through the Sidewinder G2. Performance is improved on the Sidewinder G2 when the Fast Path Sessions option is enabled for protocols that use many small packets, such as Telnet.
The Fast Path Sessions option is configured in the Application Defenses windows in the Connections area. Application Defenses can be configured in advance and added to rules later, or they can be created directly within a rule. For information on configuring Fast Path Sessions options, see “Configuring connection properties” on page 203.
245
Chapter 9: Configuring Proxies<br />
Proxy basics<br />
246<br />
When to disable the Fast Path Sessions option<br />
In most cases, the Fast Path Sessions option enhances system performance,<br />
and in many <strong>of</strong> these cases the improvement is significant. However, there are<br />
some cases where the Fast Path Sessions option may negatively affect<br />
performance. Large data transfers on heavily loaded systems, primarily FTP or<br />
HTTP traffic, can overload a system. The <strong>Sidewinder</strong> <strong>G2</strong> will also “throttle”<br />
these connections under very heavy load conditions to prevent them from<br />
taking over the system.<br />
Proxy session limits<br />
There is an upper limit to the number of simultaneous sessions for certain<br />
proxy configurations. Table 21 provides a summary of hard limits based on<br />
per-process resource limits.<br />
Table 21: Proxy session limits (hard limits)<br />
Proxy: Session limits<br />
FTP: 4000 sessions<br />
t120: 1000 sessions<br />
all other TCP: 8000 sessions (a)<br />
UDP: The number of ports plus two times the number of sessions must not exceed 16,000. (The maximum number of enabled ports for all services on all burbs must not exceed 8000.)<br />
a. A maximum of 16 Telnet sessions are allowed in the “enter destination” or “authentication” stage.<br />
Tip: Session limits for each proxy can be lowered from the hard limits by editing<br />
the simultaneous_sessions entry in the configuration file (*.conf) for each proxy.<br />
Configuring multiple instances <strong>of</strong> certain proxies<br />
Certain proxies (HTTP, HTTPS, generic TCP, and SQL) can be configured to<br />
enable multiple instances <strong>of</strong> the same proxy in order to load the traffic across<br />
the multiple instances. This is useful for hardware configurations with multiple<br />
CPUs or sites that have experienced problems due to an exceedingly large<br />
amount <strong>of</strong> concurrent connections through one <strong>of</strong> those proxies. A single proxy<br />
instance for any <strong>of</strong> these proxies can handle up to 8000 sessions (a session<br />
consists <strong>of</strong> two connections for most protocols), which is more than adequate<br />
for most sites. However, if your site is consistently recording concurrent<br />
sessions that hover around the 8000 range (or if you have experienced<br />
problems because the number <strong>of</strong> connection attempts is significantly higher)<br />
for any <strong>of</strong> these proxies, you may need to enable additional instances for that<br />
proxy.
To monitor the number of concurrent connections for any of the proxies listed<br />
above, in the Admin Console, select the dashboard. The upper-right portion of<br />
the dashboard contains a link titled Proxy Connections. Click that link to see a<br />
list of all proxies and servers that are currently running, with the current<br />
number of connections that exist for each proxy.<br />
For information on configuring the HTTP, HTTPS, or SQL proxy to enable<br />
multiple instances, see “Configuring proxies” on page 266.<br />
Redirected proxy connections<br />
For typical <strong>Sidewinder</strong> <strong>G2</strong> operation, proxies are configured to permit<br />
connections from the internal network to the Internet. However, there may be<br />
circumstances in which you want to allow an external client access to hosts<br />
within your internal network (behind the <strong>Sidewinder</strong> <strong>G2</strong>). For example, you<br />
may want to provide access to an internal Telnet server or you may want a<br />
server inside your internal network to be able to receive news feeds from an<br />
Internet news feeder.<br />
You can set up proxy rules to redirect a connection between an external client<br />
and the external side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> to a system inside your network.<br />
This rerouted connection to the internal host system hides the actual<br />
destination from the system requesting the connection. You can configure<br />
<strong>Sidewinder</strong> <strong>G2</strong> proxy rules to translate connection requests to different<br />
addresses or to different ports within the internal network.<br />
The address or port translation provided by redirection is usually needed when<br />
enabling proxying from the external network to the internal network. The<br />
following section provides examples <strong>of</strong> both address and port redirection as<br />
supported by the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Important: All proxies pose a security risk. As with any external-to-internal proxy,<br />
while you can guarantee the integrity of the Sidewinder G2, you cannot guarantee<br />
the integrity of the system to which an external user will have access. For the rare<br />
occasion where you configure an inbound proxy, you should always use a strong<br />
authentication method.<br />
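As an added example (Python, not Secure Computing's code and not the cf command syntax), the following script models a planned proxy configuration as plain dictionaries and audits it against the constraints stated in this chapter: the Table 21 session limits, the 8000-session ceiling per proxy instance, the administration ports 9000–9010 that “Using other proxies on the Sidewinder G2” reserves, and the guidance above that inbound proxy rules always use strong authentication. The dictionary layout, the field names, and the generic_tcp proxy name are assumptions made for the example.<br />

```python
"""Pre-deployment audit of a planned Sidewinder G2 proxy configuration.

Added example, not Secure Computing code. Proxies and rules are modelled as
plain dictionaries (a constructed representation, not the firewall's own
configuration format) and checked against constraints stated in this chapter:
the hard session limits of Table 21, the 8000-session ceiling per proxy
instance, the reserved administration ports 9000-9010, and the guidance that
inbound (external-to-internal) proxy rules always use strong authentication.
"""
import math

# Hard per-process limits from Table 21; every other TCP proxy gets 8000.
HARD_SESSION_LIMITS = {"ftp": 4000, "t120": 1000}
DEFAULT_TCP_LIMIT = 8000
UDP_PORTS_PLUS_2X_SESSIONS_MAX = 16000
UDP_MAX_ENABLED_PORTS = 8000
RESERVED_ADMIN_PORTS = range(9000, 9011)          # 9000-9010 inclusive
# Proxies the chapter says can run several instances (generic_tcp is a
# constructed name for the generic TCP proxy).
MULTI_INSTANCE_PROXIES = {"http", "https", "generic_tcp", "sql"}


def check_tcp_proxy(name, simultaneous_sessions):
    """Return a problem string if simultaneous_sessions is above the hard
    limit for this proxy (the .conf entry can only lower it), else None."""
    limit = HARD_SESSION_LIMITS.get(name, DEFAULT_TCP_LIMIT)
    if simultaneous_sessions > limit:
        return (f"{name}: simultaneous_sessions={simultaneous_sessions} "
                f"exceeds hard limit {limit}")
    return None


def check_udp_capacity(enabled_ports, sessions):
    """UDP rule from Table 21: ports + 2*sessions <= 16,000 and at most 8000
    enabled ports across all services and burbs. Returns a list of problems."""
    problems = []
    if enabled_ports > UDP_MAX_ENABLED_PORTS:
        problems.append(f"udp: {enabled_ports} enabled ports exceeds "
                        f"{UDP_MAX_ENABLED_PORTS}")
    budget = enabled_ports + 2 * sessions
    if budget > UDP_PORTS_PLUS_2X_SESSIONS_MAX:
        problems.append(f"udp: ports + 2*sessions = {budget} exceeds "
                        f"{UDP_PORTS_PLUS_2X_SESSIONS_MAX}")
    return problems


def instances_needed(name, peak_sessions):
    """Instances required so that no single instance carries more than 8000
    sessions; proxies without multi-instance support always get 1."""
    if name not in MULTI_INSTANCE_PROXIES:
        return 1
    return max(1, math.ceil(peak_sessions / DEFAULT_TCP_LIMIT))


def audit_rules(rules):
    """Flag rules on reserved admin ports and inbound rules without strong
    authentication. Each rule carries name, proxy, port, src_burb, dst_burb
    and strong_auth (constructed field names)."""
    problems = []
    for r in rules:
        if r["port"] in RESERVED_ADMIN_PORTS:
            problems.append(f"rule {r['name']}: port {r['port']} is reserved "
                            f"for Sidewinder G2 administration (9000-9010)")
        inbound = r["src_burb"] == "external" and r["dst_burb"] != "external"
        if inbound and not r.get("strong_auth", False):
            problems.append(f"rule {r['name']}: inbound proxy rule without "
                            f"strong authentication")
    return problems


# Constructed sample input: simultaneous_sessions per TCP proxy, a UDP
# port/session plan, and three rules modelled on this chapter's examples.
SAMPLE_PROXIES = {"ftp": 4000, "telnet": 8000, "t120": 2000}
SAMPLE_UDP = {"enabled_ports": 9000, "sessions": 3000}
SAMPLE_RULES = [
    {"name": "internet_services", "proxy": "http", "port": 80,
     "src_burb": "internal", "dst_burb": "external", "strong_auth": False},
    {"name": "hidenet_telnet_in", "proxy": "telnet", "port": 5111,
     "src_burb": "external", "dst_burb": "internal", "strong_auth": False},
    {"name": "custom_tcp_app", "proxy": "generic_tcp", "port": 9005,
     "src_burb": "internal", "dst_burb": "external", "strong_auth": False},
]


def audit_configuration(proxies=SAMPLE_PROXIES, udp=SAMPLE_UDP, rules=SAMPLE_RULES):
    """Run every check and return the combined list of problems."""
    problems = [p for p in (check_tcp_proxy(n, s) for n, s in proxies.items()) if p]
    problems += check_udp_capacity(udp["enabled_ports"], udp["sessions"])
    problems += audit_rules(rules)
    return problems


if __name__ == "__main__":
    for problem in audit_configuration():
        print(problem)
```

Run against the constructed sample, the audit reports four problems: the t120 session setting above its 1000-session hard limit, more than 8000 enabled UDP ports, the inbound hidenet Telnet rule without strong authentication, and a custom proxy on reserved port 9005. Replace the sample dictionaries with values read from your own rule set to use it as a pre-change review.<br />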
Address redirection<br />
If you need to configure a proxy that allows access to the internal network, but<br />
do not want to provide routes to the internal network, you will need to configure<br />
the Sidewinder G2 for address redirection. Address redirection is implemented<br />
in the Source/Dest tab of the Rule window on a per-rule basis. See Chapter 8<br />
for information on configuring address redirection.<br />
In the configuration shown in Figure 122, suppose you want to allow any host<br />
in the Internet to Telnet to host 172.25.5.5 on the internal network.<br />
Figure 122: Address redirection for inbound proxy<br />
[Figure 122 diagram: a Telnet client at 192.55.214.25 on the external network connects to the Sidewinder G2 external address 192.55.214.24; the Sidewinder G2 proxy redirects (remaps) the Telnet session to the Telnet server at 172.25.5.5 on the internal network, and that address is concealed from the external network. The client can access the internal server but must use the Sidewinder G2 external address in the Telnet request.]<br />
With redirection configured, the connection is proxied to an address that is<br />
different from the original destination address. In Figure 122, a connection<br />
request from Internet address 192.55.214.25 is proxied to the external side <strong>of</strong><br />
the <strong>Sidewinder</strong> <strong>G2</strong> (192.55.214.24). The proxy then redirects the connection to<br />
172.25.5.5 and proxies the session to the internal host. From the external<br />
system’s point <strong>of</strong> view, the destination is 192.55.214.24, when in fact, the<br />
destination is really 172.25.5.5.<br />
Address redirection can also be applied to solve more complicated problems.<br />
Suppose you want to allow inbound Telnet connections to three different hosts<br />
on your internal network. If you configure your router to route multiple<br />
addresses to the <strong>Sidewinder</strong> <strong>G2</strong>, it can then accept the connections and proxy<br />
them through to hosts on the internal network. Redirected proxy connections<br />
provide the address translation between IP addresses which are valid and<br />
routed on the Internet and private IP addresses on the corporate network. So if<br />
you want to redirect all incoming connections to one <strong>of</strong> three hosts, then you<br />
must reserve three IP addresses for your <strong>Sidewinder</strong> <strong>G2</strong>, or use netmaps. (For<br />
information on using netmaps, see “Network objects” on page 105.)<br />
Note: To avoid using multiple Sidewinder G2 addresses in this scenario, you could<br />
set up port redirection rather than address redirection (described in the following<br />
section).<br />
Port redirection<br />
Figure 123: Port redirection for inbound proxy<br />
If you need to work around site-specific idiosyncrasies or to obscure the<br />
existence <strong>of</strong> a proxy for a given service, you can use port redirection. While<br />
such obscurity does not lessen the vulnerability resulting from something like<br />
an inbound Telnet proxy, it does reduce the number <strong>of</strong> attacks because the<br />
casual attacker might not notice it. Also, the attacker must take more<br />
conspicuous actions, like port scanning, to find the entry point. This makes it<br />
more likely that the administrator will notice the attack. Port redirection is<br />
implemented in the Source/Dest tab <strong>of</strong> the Rule window on a per-rule basis.<br />
See Chapter 8 for information on configuring port redirection.<br />
As an example, in Figure 123, suppose you want to configure a new proxy for<br />
an internal host that will provide Telnet service and accept external<br />
connections. In this configuration, a proxy connection arrives from the external<br />
network and connects to the external side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>. The<br />
connection arrives on the port named “hidenet” (port 5111). When this<br />
connection comes in, it will be proxied to the internal network, similar to how an<br />
address redirection is handled.<br />
[Figure 123 diagram: a Telnet client on the external network Telnets to port 5111 on the Sidewinder G2 (external address 192.55.214.24, port named hidenet); the proxy redirects (remaps) the Telnet session to Telnet port 23 on the internal Telnet server, labelled 192.55.4.4 in the figure (the address 172.16.4.4 also appears), and the port is concealed from the external network.]<br />
The difference here is that the client on the external network connects to port<br />
5111 (hidenet) on the Sidewinder G2, and the Sidewinder G2 connects the<br />
client to port 23 (the standard Telnet port) on host 192.55.4.4 in the internal<br />
network. This permits an inbound Telnet connection to a host with a private IP<br />
address and does so on a port number that is not well-known for this service.<br />
This discourages so-called “door-knob rattlers.”<br />
Standard Sidewinder G2 proxies<br />
The Sidewinder G2 provides a variety of pre-defined proxies to control<br />
connections to popular Internet services using the standard port numbers for<br />
those services (see /etc/services for a list of recognized protocols). Table 22<br />
shows an alphabetical listing of the proxies that are preconfigured and can be<br />
quickly enabled using the Admin Console. To set up other proxies, see “Using<br />
other proxies on the Sidewinder G2” on page 254.<br />
During system installation, if you selected Standard Internet services, the<br />
proxies listed in bold are automatically enabled for internal network-to-external<br />
network, and corresponding proxy rules are added to the default active rule<br />
group.<br />
Table 22: Proxies initially configured on the Sidewinder G2<br />
Proxy name, type and port: Description<br />
aol, TCP 5190: Allows America Online (AOL) members in your network to run their AOL client software and connect directly to America Online through the Sidewinder G2.<br />
changepw-form, TCP 1999: Allows users to change their network login password for Web, Telnet, and FTP sessions.<br />
dns, TCP/UDP 53: Enables DNS query traffic and DNS zone file transfers to cross burb boundaries.<br />
finger, TCP 79: Enables the UNIX finger command to be used across burb boundaries.<br />
ftp, TCP 21: Allows users on one side of the Sidewinder G2 transparent or non-transparent access to FTP (File Transfer Protocol) servers on the other side of the Sidewinder G2.<br />
gopher, TCP 70: Allows internal users to use a Gopher client to access information on Internet Gopher servers.<br />
h.323, TCP/UDP 1720: Allows users to use audio and video features for H.323 applications such as Microsoft’s NetMeeting application. See “T.120 and H.323 proxy considerations” on page 262.<br />
http, TCP 80: Allows internal users to use a Web client, such as Netscape or Internet Explorer, to access Web sites on the Internet via transparent or non-transparent connections. See Chapter 13 for more information.<br />
https, TCP 443: Allows Secure Socket Layer (SSL) encrypted connections to Web servers such as the Netscape Commerce Server (optional). For Web software that supports SSL, such as Netscape’s browser and the Commerce Server, this proxy permits a more secure Web connection. This proxy can be configured to handle decryption.<br />
ica, TCP 1494 and UDP 1604: Allows users to locate and connect to a Citrix server farm within a private address space.<br />
• If you are using Citrix XML Service, to locate the master browser you will need to enable the HTTP proxy on the port that the Citrix server is configured to use.<br />
• For information on using the altaddr feature on your Citrix server farm, refer to your Citrix documentation.<br />
ident, TCP 113: Allows users to use the UNIX ident command.<br />
iiop, TCP 683: The Internet Inter-ORB Protocol (IIOP) is the wire protocol used by CORBA (Common Object Request Broker Architecture) applications to interoperate in a heterogeneous network environment. The IIOP proxy allows the Sidewinder G2 administrator to exercise control over the dialogue between the CORBA applications. Note: For more information on CORBA, refer to www.omg.org.<br />
imap, TCP 143: Allows use of the Internet Message Access Protocol to access e-mail from a local server.<br />
irc, TCP 6667: Allows your users to chat with other users via the Internet Relay Chat protocol.<br />
ldap, TCP 389: Allows the LDAP protocol through the Sidewinder G2.<br />
lotus, TCP 1352: Allows use of Lotus Notes applications across burb boundaries.<br />
msn, TCP 569: Allows Microsoft network members in your network to run their MSN client software and connect directly to MSN through the Sidewinder G2.<br />
mssql, TCP 1433: Microsoft SQL proxy.<br />
netbios-tcp, TCP 139: Generic netbios TCP proxy.<br />
netbios-udp, UDP 137, 138: Generic netbios UDP proxy.<br />
nntp, TCP 119: Allows your internal users to access Usenet News received at your site and post information to newsgroups. See “Usenet News proxy configurations” on page 260 later in this chapter for information on Usenet News proxy configurations.<br />
nt_telnet, TCP 23: Allows users on one side of your Sidewinder G2 non-transparent access to Telnet servers on the other side of your Sidewinder G2. See “Transparent & non-transparent proxies” on page 254 for the difference between transparent and non-transparent proxies.<br />
ntp, UDP 123: Allows you to send/receive Network Time Protocol (NTP) time feeds.<br />
ping, ICMP (na): Relays ICMP ECHO (ping) requests and ICMP Echo-REPLY messages through the Sidewinder G2.<br />
pop, TCP 110: Allows connections to Post Office Protocol (POP) remote mail servers.<br />
printer, TCP 515: Allows use of the UNIX lpr command.<br />
RealMedia, TCP/UDP 7070: Allows the Sidewinder G2 to proxy audio and video data packet connections.<br />
rlogin, TCP 513: Allows users on one side of your Sidewinder G2 access to rlogin servers on the other side of the Sidewinder G2.<br />
rsh, TCP 514: Supports rcp and rsh.<br />
rtsp, TCP/UDP 554: Supports Real Media Player and Quick Time Multimedia Player protocols.<br />
smtp, TCP 25: Allows Simple Mail Transfer Protocol traffic to be sent across burb boundaries. (This proxy is automatically enabled if you selected transparent SMTP service during configuration.)<br />
snmp, UDP 161-162: Supports remote management using the SNMP protocol.<br />
socks5, TCP 1080: Supports the SOCKS5 protocol.<br />
sql, TCP 1521: Allows Structured Query Language database lookup requests across burb boundaries.<br />
ssh, TCP 22: Allows use of the UNIX Secure Shell command, which provides secure access to remote systems.<br />
streamworks, TCP 1558: Supports Streamworks streaming audio and video.<br />
sunrpc, TCP/UDP 111: Relays requests from an RPC client through the Sidewinder G2 to a remote server.<br />
sybase, TCP 4000: Generic Sybase SQL proxy.<br />
syslog, UDP 514: Generic UNIX syslog protocol.<br />
t120, TCP 1503: Allows users to use T.120 applications such as Microsoft’s NetMeeting application.<br />
telnet, TCP 23: Allows users on one side of your Sidewinder G2 transparent access to Telnet servers on the other side of your Sidewinder G2.<br />
wais, TCP 210: Allows users on your network with WAIS client software connections to a database service called WAIS.<br />
whois, TCP 43: Allows users to send the UNIX whois command from a terminal. whois looks up records in the Network Information Center.<br />
wins, UDP 42: Supports Microsoft Windows Network Services.<br />
Xscreen0, TCP 6000: Allows UNIX-based X Windows sessions to pass through the Sidewinder G2. For instance, an X Windows process running on one terminal could send screen output through the Sidewinder G2 to another window at a different terminal. While redirecting X Windows is a common practice at larger UNIX sites with X Windows environments, X Windows is not a secure application. Using this proxy strictly for sending X Windows traffic through the Sidewinder G2 is not recommended for most sites. However, if the Sidewinder G2 has been configured as a firewall between two networks, both of which are within your organization (sometimes called “inter-walling”), the Xscreen0 proxy might not pose serious security hazards. This depends on the nature of the site’s two networks.<br />
X500, TCP 103: Supports the X500 directory server.<br />
Using other proxies on the Sidewinder G2<br />
In special cases, you may want to set up a UDP proxy or a TCP proxy service<br />
that is not preconfigured when you install the Sidewinder G2. The Sidewinder<br />
G2 contains a special domain called Genx that can be used for TCP proxies<br />
other than the ones that are initially set up on the Sidewinder G2. A special<br />
domain called UDPx can be used for UDP proxies.<br />
If you set up more than one of your own proxies, they will not be isolated from<br />
each other using Type Enforcement since they are all contained in one domain<br />
(Genx for TCP and UDPx for UDP). However, proxies you add are still isolated<br />
from all other domains and cannot interfere with any other Sidewinder G2<br />
activity.<br />
If you set up your own proxies or reconfigure established proxies, do not use<br />
ports 9000–9010. These ports are reserved by the Sidewinder G2 for<br />
administration purposes.<br />
Tip: To set up additional proxies using the Admin Console, refer to “Setting up a<br />
new proxy” on page 270.<br />
Transparent & non-transparent proxies<br />
The <strong>Sidewinder</strong> <strong>G2</strong> HTTP, HTTPS, and Telnet proxies can be configured to be<br />
transparent or non-transparent to users. Transparency for the HTTP and<br />
HTTPS proxies is configured on a per-rule basis via Application Defenses.<br />
Transparency for Telnet is determined by two distinct proxies that can be<br />
enabled and specified in your active rules (telnet and nt_telnet). When using<br />
transparent proxy settings, the user appears to connect directly to the desired<br />
network’s HTTP, HTTPS, or Telnet proxy without connecting to the <strong>Sidewinder</strong><br />
<strong>G2</strong> first.<br />
For example, to initiate an outbound Telnet session using a transparent Telnet<br />
proxy, a user would issue the following command from his or her workstation:<br />
telnet destination_IP_address<br />
With a non-transparent Telnet proxy, a user must first Telnet to the <strong>Sidewinder</strong><br />
<strong>G2</strong> and specify a destination address for the Telnet session. For example, the<br />
following shows how an internal user would initiate a Telnet session to a server<br />
in an external network using a non-transparent proxy that requires standard<br />
password authentication.<br />
>telnet internal_IP_address<br />
(connection message from the <strong>Sidewinder</strong> <strong>G2</strong> appears...)<br />
>Enter destination: destination_address<br />
>Username: username<br />
>Password: password<br />
(connection message from the destination Telnet server appears...)<br />
>login: username<br />
>Password: password<br />
While non-transparent proxy configurations are not typically used, they may be<br />
useful under special circumstances. For example, if your internal network is<br />
experiencing problems resolving routes or names, non-transparent proxy<br />
configurations may be used as a temporary measure to allow HTTP, HTTPS,<br />
or Telnet sessions.<br />
You may also need to use non-transparent proxy configurations for outgoing<br />
connections if you configure the Sidewinder G2 to trigger an IPS attack or<br />
system event response when external addresses are detected on the internal<br />
side of the Sidewinder G2. (For information on responses, see Chapter 20.)<br />
For incoming connections, you may need to use non-transparent proxy<br />
configurations if the internal network is not visible to the external side and<br />
redirection to a single internal machine is undesirable.<br />
Note: Certain transparent and non-transparent proxy configurations can require<br />
users to authenticate before they are allowed to connect (see Chapter 10).<br />
Notes on selected proxy configurations<br />
This section provides additional configuration information on some of the more<br />
common proxy configurations that you can use at your site.<br />
• Telnet (page 255)<br />
• FTP (page 257)<br />
• HTTP/HTTPS (page 259)<br />
• ICA (page 259)<br />
• Sun RPC (page 260)<br />
• NNTP (page 260)<br />
• T.120 and H.323 (page 262)<br />
• DNS (page 266)<br />
Notes on using the Telnet proxy<br />
The <strong>Sidewinder</strong> <strong>G2</strong> provides a Telnet proxy that allows your trusted users to<br />
remotely log into Internet systems using a Telnet client. When the proxy<br />
s<strong>of</strong>tware is enabled, users can Telnet to any available Internet site, and the<br />
connections will be routed through the <strong>Sidewinder</strong> <strong>G2</strong> without users being<br />
aware <strong>of</strong> it. You can control which systems on your trusted networks can use<br />
Telnet and prohibit users from accessing specified external addresses.<br />
Systems that users log into must be running a Telnet server in order to<br />
establish the connection. To make the Telnet connection, users must run a<br />
Telnet client and specify the name <strong>of</strong> the remote system they want to access.<br />
Users accessing a Telnet server must also have accounts on that system.<br />
Once the session is established, the user is logged in on the remote system as<br />
if he or she were a local user.<br />
Important: Using the Admin Console, you can also set up a Telnet proxy from the<br />
external burb to an internal burb on your <strong>Sidewinder</strong> <strong>G2</strong>. This is only required in<br />
specialized cases. For example, if you are using a strong authentication method to<br />
authenticate Telnet sessions, you may want to allow administrators to remotely<br />
access a server inside your network. Before setting up this type <strong>of</strong> proxy, you may<br />
want to contact Secure Computing to get assistance addressing any security issues<br />
this presents.<br />
Note: If an Internet Telnet server is not available when a trusted user tries to<br />
connect, the user will NOT receive a message stating that the connection was<br />
unsuccessful.<br />
The following steps summarize the tasks you need to perform to set up Telnet<br />
access for internal users.<br />
1 Enable the Telnet proxy for the appropriate burb(s). (See “Configuring<br />
proxies” on page 266.) The Telnet proxy runs in its own domain on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 Ensure that the Internet Services proxy rule is enabled and is contained in<br />
the active rule group. The Internet Services proxy rule consists <strong>of</strong> a service<br />
group that contains Telnet as well as other Internet services. (You can also<br />
create an individual telnet_out rule if you want to configure authentication<br />
specifically for Telnet.) See “Creating proxy rules” on page 222.<br />
This rule allows users from one <strong>of</strong> your trusted burbs to Telnet to the Internet.<br />
You can use the Admin Console to disable this proxy rule or change its<br />
settings to control which internal users are allowed Telnet access and to<br />
which external systems they can connect. See “Users and user groups” on<br />
page 104 for detailed information.<br />
3 [Optional] Configure the <strong>Sidewinder</strong> <strong>G2</strong> to authenticate all users requesting<br />
Telnet service before the <strong>Sidewinder</strong> <strong>G2</strong> makes the network connection.<br />
Refer to Chapter 10 for details on the authentication methods supported by<br />
the Sidewinder G2.<br />
Notes on using the FTP proxy<br />
The FTP proxy allows internal users to use an FTP client to remotely log into<br />
Internet systems. Systems that users log into must be running an FTP server in<br />
order to establish the connection. To make the FTP connection, users must run<br />
an FTP client and specify the name <strong>of</strong> the remote system they want to access.<br />
Setting up FTP using the Admin Console<br />
The following steps summarize the tasks you need to perform to set up FTP<br />
access for internal users.<br />
1 Enable the FTP proxy for the appropriate burb(s). (See “Configuring<br />
proxies” on page 266.) The FTP proxy runs in its own domain on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 Ensure that the Internet Services proxy rule is enabled and is contained in<br />
the active rule group. The Internet Services proxy rule consists <strong>of</strong> a service<br />
group that contains FTP as well as other Internet services. (You can also<br />
create an individual ftp_out rule if you want to configure authentication<br />
specifically for FTP.) See “Creating proxy rules” on page 222.<br />
Once you enable the FTP proxy, this rule will allow all internal users FTP<br />
access to the Internet. You can use the Admin Console to disable this proxy<br />
rule or change its settings to control which internal users are allowed FTP<br />
access and to which external systems they can connect. See “Users and<br />
user groups” on page 104 for detailed information.<br />
3 [Optional] Create a rule that requires authentication for all users requesting<br />
FTP service before the <strong>Sidewinder</strong> <strong>G2</strong> makes the network connection.<br />
Refer to Chapter 10 for details on the authentication methods supported by<br />
the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: You can configure advanced parameters (such as FTP commands) for<br />
the FTP proxy on a per rule basis using Application Defenses. For information<br />
on creating FTP Application Defenses, see “Creating FTP Application<br />
Defenses” on page 186.<br />
Changing the FTP server response configuration<br />
By default, the Sidewinder G2 restricts which FTP server responses it will accept.<br />
Accepted FTP server response codes range from 100 to 599. To alter which<br />
codes are accepted or to turn off server response checking, do the following:<br />
Caution: Only experienced administrators should edit configuration files.<br />
1 Log into the <strong>Sidewinder</strong> <strong>G2</strong> and enter the following command to switch to<br />
the admin role:<br />
srole<br />
2 Using a file editor, open /etc/sidewinder/proxy/pftp.conf.<br />
3 If you want to turn <strong>of</strong>f server response checking, find the following line:<br />
validate_server_response[yes]<br />
and change [yes] to [no].<br />
4 If you want to limit which FTP server responses <strong>Sidewinder</strong> <strong>G2</strong> accepts,<br />
edit the following lines:<br />
min_server_response_code[100]<br />
max_server_response_code[599]<br />
Valid values are between 000 and 999, and must be continuous.<br />
5 Save your changes.<br />
6 Restart the proxy to apply the changes by doing the following:<br />
a List the burbs in which the ftp proxy is enabled by entering the following<br />
command:<br />
cf proxy ftp q<br />
b Disable the ftp proxy in all burbs where it is enabled by entering the<br />
following command for each burb name listed in the previous step:<br />
cf proxy ftp disable protocol=tcp burb=burbname<br />
c Enable the ftp proxy in the same burbs by using the following command:<br />
cf proxy ftp enable protocol=tcp burb=burbname<br />
The FTP proxy has now been restarted and is using the updated configuration<br />
file.
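The following is an added example, not Sidewinder G2 code: it models the server response check that the three pftp.conf settings above control, so you can confirm what a given edit will accept or reject before restarting the proxy. It assumes pftp.conf holds one `name[value]` setting per line, as the quoted lines do; the sample file is constructed for the example.

```python
"""Model of the FTP server response check controlled by pftp.conf.
Added example, not part of the Sidewinder G2 product; the sample
configuration below is constructed, not taken from a real firewall."""
import re

# Constructed sample of the three settings the procedure above edits.
SAMPLE_PFTP_CONF = """\
# pftp.conf (constructed sample)
validate_server_response[yes]
min_server_response_code[100]
max_server_response_code[599]
"""

# Assumed line format: name[value], one setting per line.
SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\[([^\]]*)\]\s*$")


def parse_pftp_conf(text):
    """Return {name: value} for every name[value] line; skip comments/blanks."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m is None:
            raise ValueError("unparseable pftp.conf line: %r" % line)
        settings[m.group(1)] = m.group(2)
    return settings


def response_policy(settings):
    """Validate the settings the way the guide describes and return
    (checking_on, min_code, max_code).  Raises ValueError for values the
    guide calls invalid: not three digits 000-999, or a range whose
    minimum exceeds its maximum (so the range is not contiguous)."""
    validate = settings.get("validate_server_response", "yes").lower()
    if validate not in ("yes", "no"):
        raise ValueError("validate_server_response must be yes or no")
    lo = settings.get("min_server_response_code", "100")
    hi = settings.get("max_server_response_code", "599")
    for name, raw in (("min_server_response_code", lo),
                      ("max_server_response_code", hi)):
        if not re.fullmatch(r"[0-9]{3}", raw):
            raise ValueError("%s must be three digits 000-999, got %r" % (name, raw))
    lo_i, hi_i = int(lo), int(hi)
    if lo_i > hi_i:
        raise ValueError("min_server_response_code exceeds max_server_response_code")
    return validate == "yes", lo_i, hi_i


def accept_server_response(reply, policy):
    """Decide whether one FTP server reply line passes the check.
    With checking off every line passes.  Otherwise the reply must start
    with a three-digit code (followed by a space, or '-' for a multi-line
    reply) that lies inside [min_code, max_code]."""
    checking_on, lo, hi = policy
    if not checking_on:
        return True
    m = re.match(r"^([0-9]{3})[ -]", reply)
    if m is None:
        return False  # no numeric status code at all
    return lo <= int(m.group(1)) <= hi


if __name__ == "__main__":
    policy = response_policy(parse_pftp_conf(SAMPLE_PFTP_CONF))
    for reply in ("220 Service ready for new user.", "331-Password required",
                  "999 bogus", "hello"):
        verdict = "accept" if accept_server_response(reply, policy) else "reject"
        print("%-32s -> %s" % (reply, verdict))
```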
HTTP/HTTPS considerations
The HTTP and HTTPS proxies allow you to configure Web access (including authentication) for trusted and untrusted users. You can configure header filtering, URL controls, MIME/virus/spyware filtering, and types of Web content (objects) that will be denied on a per-rule basis using Application Defenses. Additionally, using HTTPS you can also configure SSL decryption and clientless VPN services. For more information on the HTTP/HTTPS proxies, see Chapter 13. For information on creating Application Defenses for the HTTP/HTTPS proxies, see “Creating Web or Secure Web Application Defenses” on page 156.
Note: If your site requires caching services, you can use the Web proxy server. The Web proxy server is implemented using Squid, open source software that provides proxying and caching capabilities. The Web proxy server is described in Chapter 13.
ICA proxy considerations
The ICA proxy allows you to use the Citrix Independent Computing Architecture (ICA) protocol to allow remote clients to access applications within a Citrix server farm. You may locate these applications either by configuring your client directly, or by pointing it to a master browser. A master browser is a Citrix server that is configured to be responsible for tracking the ICA functions that are available for clients to access, such as applications or other Citrix servers (known as member browsers).
For information on configuring the ICA proxy, see “Configuring proxies” on page 266.
You can configure advanced parameters (such as timeout properties) for the ICA proxy on a per rule basis using Application Defenses. For information on creating Application Defenses for the ICA proxy, see “Creating Citrix Application Defenses” on page 185.
Note: Refer to your Citrix documentation for information on configuring your master browser and member browsers.
Sun RPC proxy considerations
The RPC proxy allows you to transfer Sun RPC traffic between a client application and an RPC server on opposite sides of the Sidewinder G2. This proxy listens on port 111 (the portmap process) for RPC requests and forwards them to the destination server.
Both TCP and UDP traffic are supported for this proxy. However, some additional configuration may be necessary for timeout processing when proxying UDP traffic. UDP sessions remain live until the idle timeout threshold is met. Therefore, a session with a timeout value of 30 seconds will remain live for 30 seconds even though the session may have only required two seconds of processing time.
Connection properties for the Sun RPC proxy are configured via Standard Application Defenses. See “Creating Standard Application Defenses” on page 201.
Usenet News proxy configurations
Sidewinder G2 supports a Network News Transfer Protocol (NNTP) proxy that allows you to use a Usenet News server at your site. This allows your site to exchange news with an Internet News provider. (Sidewinder G2 does not run a news server because of the large amount of disk space required.)
When you set up a news server at your site, that system must run a Usenet News package such as C-News/NNTP or InterNet News (INN). You must arrange for a news “feed” from the site responsible for transferring news to/from your site. In addition, you need to provide internal users with software that allows them to access the news that your site receives and post their own articles to newsgroups.
Before you configure a proxy rule for Usenet News proxies, you must specify which network objects the news information can be transferred to and from. For information on network objects, see “Creating network objects” on page 139.
Note: You cannot use the Sidewinder G2 to control which newsgroups your internal users can subscribe or post to; that must be configured in the Usenet News software.
Whether you need Usenet News proxies in one direction or two will depend on your server configuration, as described below. Normally you will use the NNTP proxy so that news can be transferred only to and from your feed site.
Figure 124: News server in front of the Sidewinder G2
Figure 125: News server behind the Sidewinder G2
News server configurations
You have several options for configuring a Usenet News server when you use the Sidewinder G2 in your network. Two common configurations are listed below, along with issues to consider with each.
• News server in front of the Sidewinder G2
In this configuration, your news server is placed in front of the Sidewinder G2. The external server could be operated by your Internet service provider (ISP) or by your site. This configuration assumes that news access only via NNTP is allowed, which is typical (rather than through NFS or a local filesystem).
In Figure 124:
– An internal-to-external proxy is required to allow internal users access to the news server. An external-to-internal news proxy is not necessary.
– Your router should be used to limit access so that only your news feed site can access the news server from the Internet.
• News server behind the Sidewinder G2
In this configuration, your news server is behind the Sidewinder G2 on your internal network.
In Figure 125:
– Your feed site must send news through the Sidewinder G2. The Sidewinder G2 forces the connection to go to the server you designate as your internal news server.
– If the NNTP daemon on your news server is compromised, an attacker may have full access to the internal network.
– This configuration normally requires a news proxy for each direction as follows: An internal-to-external proxy must be enabled to allow your news server to send information to the feed site. A second proxy allows the feed site to send news to the internal server. The connection in both directions is handled through the Sidewinder G2. If your internal news server’s address was visible to the Internet, you could set up an external-to-internal proxy from your feed site to your news server. This is usually not the case, since you normally do not want internal addresses to be visible on the Internet.
Note: If you set up the news feed using the NNTP “pull” model, you will only need an internal-to-external proxy. (For more information, see Managing UUCP and Usenet, published by O’Reilly & Associates, Inc.)
– Instead of a standard external-to-internal proxy, you set up an external-to-internal news proxy using port or address redirection. Redirecting a proxy allows you to reroute a connection to a specific host system using the same or different port number as the original connection request. When you set up a proxy redirection for news, you allow a connection between your feed site and the Sidewinder G2, then provide the address of your internal news server to the Sidewinder G2 so it will reroute the proxy to that server.
Important: If your news server is behind the Sidewinder G2, refer to “Redirected proxy connections” on page 247 for additional information.
T.120 and H.323 proxy considerations
The T.120 and H.323 proxies can be configured to work together, allowing you to make use of both the data-sharing and audio/video features of data conferencing products, such as Microsoft NetMeeting, in a single conference. This section provides an overview of each proxy and its role in data conferencing. It also provides information on configuring the two proxies to work together to enable the complete realm of NetMeeting features.
About the T.120 proxy
The T.120 proxy provides support for applications built using the International Telecommunication Union (ITU) T.120 recommendations. The T.120 recommendations are most prevalent in data conferencing applications. T.120 defines several standardized data conferencing services including application sharing, text chat, shared whiteboard, and multipoint file transfer. Microsoft’s NetMeeting is a popular example of a T.120 enabled application.
The T.120 proxy enables you to use all of the standard T.120 data conferencing services, and provides you with a means to control which services are accessible. The T.120 proxy also provides support for the Microsoft NetMeeting chat and application sharing, which are non-standard T.120 application services.
Note: The audio, video, ILS, and ULS features of NetMeeting are not supported by the T.120 proxy. To provide support for these features, you must enable the H.323 proxy. You must also add the pre-configured NetMeeting proxy rule to the active proxy rule group. This will ensure that both proxies remain in synchronization with one another. See “Synchronizing the T.120 and H.323 proxies for use with NetMeeting” on page 265 for more information.
When configured, the T.120 proxy is transparent to the participants of the data conference. The T.120 proxy will come into play when a conference participant attempts to join an existing conference or attempts to invite another participant that resides in a different burb. The T.120 proxy will intercept and mediate the session between the pair of conference host machines (referred to as “nodes” in T.120 parlance).
T.120 conferences are arranged into a hierarchy of nodes. The placement of the Sidewinder G2 with respect to the nodes in the conference affects how many sessions are created through the proxy and the communication path of the conference data. When a first conference participant joins a conference in a different burb, a T.120 session will be created between the participant’s node and the contacted node. If a second conference participant attempts to contact the new conference node, a separate session will be created.
The preconfigured NetMeeting proxy rule (when added to the active rule group) will apply to each participant’s respective node IP address. On the other hand, if the second participant contacts the first participant and asks to join the conference, the same session through the proxy will be used. The NetMeeting proxy rule, which applies to the first participant’s node, will also apply to this session.
The T.120 proxy is configured to use port 1503 by default. This can be changed as described in “Configuring proxies” on page 266.
About the H.323 proxy
H.323 is an International Telecommunication Union (ITU) standard that provides support for audio and video conferencing across a shared medium such as the Internet. The H.323 proxy provides for safe transfer of packets between burbs, standard functions such as filtering on source and destination hosts and burbs, and NAT and redirection. The H.323 proxy is a protocol-aware, application layer proxy that examines H.323 packets for correctness and adherence to site security policy. In addition to the standard filtering mentioned above, the H.323 proxy provides a mechanism for allowing or disallowing certain codecs (audio or video encoding schemes) within the H.323 protocol. (See the H.323 permissions discussion in “Creating proxy rules” on page 222.)
Microsoft NetMeeting is a popular implementation of the H.323 protocol. The H.323 proxy enables you to use the audio and video features of data conferencing products, such as NetMeeting.
Note: The standard data conferencing features, as well as the chat and application sharing features of NetMeeting, are not supported by the H.323 proxy. To provide support for these features, you must also enable the T.120 proxy. You must also add the pre-configured NetMeeting proxy rule to the active proxy rule group. This will ensure that both proxies remain in synchronization with one another. See “Synchronizing the T.120 and H.323 proxies for use with NetMeeting” on page 265 for more information.
The H.323 proxy can function between two endpoints (a single client implementation such as NetMeeting), or between one or more endpoints and a Multi-point Control Unit (MCU). The MCU enables two or more endpoints to simultaneously participate in a call. Each endpoint sends its audio and video signals through the Sidewinder G2 to the MCU. The MCU then combines the audio signals and selects one or more video signals to return to each endpoint.
Note: The H.323 proxy does not recognize any configuration difference between an endpoint and an MCU.
At this time, the H.323 proxy will not communicate with an H.323 gatekeeper. A gatekeeper is an entity, not unlike a Sidewinder G2, which sits between the source and destination endpoints, and typically provides services such as authentication, authorization, alias resolution, billing, and call routing. If there is a gatekeeper between the Sidewinder G2 and the source or destination endpoint, and the endpoint is configured to use the gatekeeper, the conference will not be possible.
The H.323 proxy must examine the contents of the protocol packets for encoded addresses and port numbers. Therefore, any sort of encryption of H.323 sessions is not possible in conjunction with the proxy. When implementing the H.323 protocol, you must disable NetMeeting’s security features, or the security features of any other endpoint or MCU you may be using. Additionally, you must not route H.323 traffic through a VPN.
Also, any calls originating from the outside network and destined for a host on the internal network may be configured to use the netmaps feature. (For information on using netmaps, see “Configuring netmaps” on page 145.) This provides a form of redirection that allows you to hide a group of addresses behind the Sidewinder G2 while still allowing the inbound caller to reach the proper destination machine.
Synchronizing the T.120 and H.323 proxies for use with NetMeeting
The T.120 and H.323 proxies can work together, allowing you to make use of both the data-sharing and audio/video features of NetMeeting in a single conference as follows:
• The T.120 proxy enables you to use all of the standard T.120 data conferencing services and provides you with a means to control which services are accessible. The T.120 proxy also provides support for the Microsoft NetMeeting chat and application sharing, which are non-standard T.120 application services.
• The H.323 proxy provides support for the audio and video features of NetMeeting.
To make use of both the data-sharing and audio/video features of NetMeeting in a single conference, you must ensure that both the T.120 and H.323 proxies are enabled in the same burbs. This is necessary because for a single NetMeeting session, part of the traffic (the H.323 portion) is routed through the H.323 proxy, and part of the traffic (the T.120 portion) is routed through the T.120 proxy. If the H.323 and T.120 proxy configurations are out of synchronization, it is likely that NetMeeting conferences will not function correctly or completely (for example, audio and video work, but data-sharing does not work).
To prevent the two proxies from becoming out of synchronization, add the preconfigured NetMeeting proxy rule to your active rule group. The NetMeeting proxy rule allows access to both the T.120 and H.323 proxies (using the preconfigured NetMeeting Service Group), and allows access to all available NetMeeting features.
You can modify the default NetMeeting proxy rule or create your own proxy rules to allow only a portion of NetMeeting’s features, such as the chat and whiteboard features. These properties are configured via the Multimedia Application Defense. For information on configuring Application Defenses for H.323/T.120, see “Configuring the IIOP Connection tab” on page 191.
To appropriately restrict access for the NetMeeting proxy rule, configure network objects or other rule elements. For example, if you want to allow only administrators access to all NetMeeting features, create and specify a network object within a proxy rule that contains the IP addresses for all of your administrators. See “Rule elements” on page 103 and “Creating proxy rules” on page 222 for more details.
Configuring proxies
Notes on using the DNS proxy
If you have many hosts on a trusted network that point to an external DNS server, and you want these hosts to use the unbound DNS server on the Sidewinder G2 instead, you have two options:
• You can modify each of the individual hosts to point to the unbound DNS server.
• You can configure a DNS proxy rule on the Sidewinder G2 that redirects the DNS traffic from the trusted burb in which the hosts reside to the unbound DNS server. This may be the preferred option if you have hundreds or thousands of local hosts, because you can make one change on the Sidewinder G2 rather than hundreds or thousands of individual changes.
When defining the DNS proxy rule, be sure to set the following information on the Source/Dest tab in the Proxy Rule window:
– Set the NAT Address field to Host: localhost.
– Set the Redirect Host field to IPAddr: Firewall. The DNS proxy will not allow redirection to any other loopback addresses (127.2.0.1).
Important: If your Sidewinder G2 uses split DNS mode, do not create this type of proxy rule on the Internet burb, because traffic will bypass the Internet DNS name server.
The pre-configured Sidewinder G2 proxies consist of standard settings and require very little modification. For most proxies the only configuration decision to be made is whether to enable or disable each individual proxy. However, the Admin Console also provides the capability to modify and delete existing proxies, or to create entirely new proxies.
Tip: You can configure advanced properties for most proxies on a per rule basis using Application Defenses. For information on configuring Application Defenses, see Chapter 6. For an overview of Application Defenses, see “Application Defenses” on page 109.
To configure properties for a proxy, start the Admin Console and select Services Configuration > Proxies. A table appears in the upper portion of the window, listing the available proxies. (Use the scroll bar to browse the entire list of proxies.)
Figure 126: Proxies window
About the Proxies window
The main proxy window consists of a proxy table that lists all of the proxies that are currently available by row. Each row displays a summary of the current configuration for that proxy, as follows:
• Proxy Name—Displays the name of the proxy.
• Attributes—Displays icons indicating the type of Application Defense associated with a proxy, as well as which protocol this proxy uses. (A “T” icon with a solid line beneath it appears for TCP proxies, and a “U” icon with a dashed line appears for UDP proxies. If a proxy uses both protocols, both icons will appear.)
• Enabled in Burbs—Displays the burb(s) for which this proxy is currently enabled.
• Port Definitions—Displays the port(s) that this proxy currently uses.
Note: To enable or disable the Web proxy server, refer to “Configuring the Web proxy server” on page 383.
To create a new proxy, click New beneath the proxy table. See “Setting up a new proxy” on page 270 for details on creating a new proxy.
To delete a proxy, highlight the proxy you want to delete, and click Delete in the lower left portion of the window. You cannot delete proxies that are preconfigured on the Sidewinder G2 and you cannot delete a proxy that is specified as a service in a proxy rule.
When you select a proxy in the proxy table, the configuration information for that proxy appears in the Proxy Properties tab in the lower portion of the window. This tab allows you to modify the proxy information. However, you cannot modify a proxy’s name or protocol once it has been created. To change the name or protocol for a proxy, you must delete the proxy and then create a new proxy with the new name and/or protocol.
To configure or modify the properties for a proxy, select the proxy in the table, and follow the steps below.
Note: The fields that appear will vary depending on which proxy you select.
1 In the Enabled In Burbs field, select the burb(s) for which this proxy is enabled. A check mark indicates that a burb is enabled for that proxy.
Important: Be sure to deselect any burbs for which you do not want this proxy enabled. (If a burb is disabled, a check mark will not appear next to it.)
2 In the Port Definitions field, specify the port(s) or range(s) of ports that the proxy will use. TCP proxies can have multiple, non-contiguous ports configured. Non-TCP proxies may only be allowed to have a single port, or a single port range configured.
To add a new port or range of ports, click New. To modify an existing port or range of ports, highlight the entry and click Modify. The Port(s) Configuration window appears. For information on configuring the Port Configuration window, see “Configuring connection ports” on page 271.
Important: Do not specify a port number or range that is currently being used for a server or another proxy running on the Sidewinder G2.
3 (http, https, sql, and generic TCP proxies only) To specify the total number of connections expected for a proxy, select one of the following options from the Expected Connections drop-down list:
Caution: Do not change the value for this field unless you have experienced performance problems for one of the proxies listed. Opening multiple instances of a single proxy can create performance problems if you enable them unnecessarily. For specific information on when to enable multiple proxy instances, see “Configuring multiple instances of certain proxies” on page 246.
• 1000—Select this value to open a single instance for a proxy.
• 2000—Select this value to open a single instance for a proxy.
• 4000—Select this value to open two identical proxies.
• 8000—Select this value to open four identical proxies.
• 16000—Select this value to open eight identical proxies.
Figure 127: ica proxy Advanced tab
4 Click the Save icon to save your changes, or click Cancel to revert to the previously saved data.
You can configure advanced proxy parameters (such as Fast Path Sessions) and assign them on a per rule basis using Application Defenses. See Chapter 6 for details.
Note: The ICA and ping proxies contain an additional Advanced tab that you can configure. For information on configuring the ICA proxy Advanced tab, see “Configuring the ICA proxy Advanced tab” on page 269. For information on configuring the ping proxy Advanced tab, see “Configuring the ping proxy Advanced tab” on page 269.
Configuring the ICA proxy Advanced tab
To configure the Advanced tab for the ICA proxy, in the Admin Console, select Services Configuration > Proxies. The Proxies window appears. Select the ica proxy from the proxy table and select the Advanced tab. The following tab appears in the lower portion of the window.
The ICA Advanced tab allows you to configure which burbs you want to enable for the master browser. Follow the steps below.
Note: Refer to your Citrix documentation for information about the master browser.
1 In the Browser field, select the burb(s) for which you want to enable the master browser.
2 Click the Save icon in the toolbar to save your changes.
Configuring the ping proxy Advanced tab
Ping timeout properties cannot be configured on a per rule basis. Therefore, advanced ping properties cannot be configured via Application Defenses. To configure the timeout value for the ping proxy, do the following:
1 In the Admin Console, select Services Configuration > Proxies.
2 Select the ping proxy, and then select the Advanced tab.
3 In the Timeout field, specify the length of time, in seconds, that the proxy should attempt to reach the server before the proxy stops trying.
4 Click the Save icon to save your changes.
Setting up a new proxy
Figure 128: New Proxy window
Entering new proxy information
As described earlier in this chapter, the Sidewinder G2 is set up to run a variety of standard proxies. You can set up additional proxies if needed. To set up a new proxy, you will need to know the name of the service and the port number(s) on which it runs. In the Admin Console, select Services Configuration > Proxies. The Proxies window appears.
This window allows you to define a new proxy. Follow the steps below.
1 In the New Proxy Name field, type a descriptive name for the new proxy. You cannot modify the proxy name once it has been saved.
2 In the Protocol drop-down list, select the appropriate protocol for this proxy, as follows:
• TCP—Select this option to create a TCP proxy.
• UDP—Select this option to create a UDP proxy.
• Other—Select this option to create a new instance of an application-aware proxy. If you select this option, a drop-down list appears. Select the appropriate service from the list.
3 In the Port Range field, click New to specify the port range that the proxy will use. See “Configuring connection ports” on page 271 for more information on configuring ports.
Important: Do not specify a port number or range that is currently being used for a server or another proxy running on the Sidewinder G2.
4 Click Add to add the new proxy to the proxy table. Once you have added the proxy to the table, you may select the proxy and configure additional information such as the burbs for which it will be enabled. For information on configuring the proxy, see “Configuring proxies” on page 266.
5 After configuring a new proxy, configure access restrictions to the proxy by following the procedure described in “Creating proxy rules” on page 222.
Configuring connection ports
The Port Configuration window allows you to configure a single port or a port range by selecting one of the following radio buttons:
• Single Port—Select this option to specify a single port. In the Port field, enter a port number.
• Port Range—Select this option to specify a port range. In the Begin and End Port fields, enter the range of ports that this proxy can use.
Configuring an SNMP port definition
The SNMP Port window allows you to configure an alternative port for the SNMP proxy. Enter a port number that is greater than 1500. The Sidewinder G2 automatically assigns the associated trap port to the next sequential port. For example, if you enter 1501 in the SNMP Port field, 1502 is automatically assigned as the Trap Port.
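The following Python is an added illustration, not part of this guide or of the product: it models the checks the new-proxy procedure and the port windows above imply (a proxy name that cannot change once saved, the three protocol choices, a port or range that must not collide with a server or another proxy, and the SNMP port with its trap port one above it). The class names, the server ports and the sample proxies are constructed.

```python
"""Constructed model (not product code) of the checks an administrator applies
by hand when defining a new proxy: the immutable name, the three protocol
choices, a port or range that must not collide with a server or another proxy,
and the SNMP trap-port assignment.  Sample ports and names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortRange:
    """A single port (begin == end) or an inclusive range, as entered in the
    Port Configuration window."""
    begin: int
    end: int

    def __post_init__(self) -> None:
        if not 1 <= self.begin <= self.end <= 65535:
            raise ValueError(f"invalid port range {self.begin}-{self.end}")

    def overlaps(self, other: "PortRange") -> bool:
        return self.begin <= other.end and other.begin <= self.end

    def __str__(self) -> str:
        return str(self.begin) if self.begin == self.end else f"{self.begin}-{self.end}"


@dataclass
class Proxy:
    name: str
    protocol: str                  # "TCP", "UDP" or "Other" (application-aware)
    ports: List[PortRange]
    service: Optional[str] = None  # application-aware service when protocol == "Other"


class ProxyTable:
    """The proxy table plus the ports servers on the firewall already use."""

    PROTOCOLS = ("TCP", "UDP", "Other")

    def __init__(self, server_ports: List[PortRange]) -> None:
        self.proxies: Dict[str, Proxy] = {}
        self.server_ports = list(server_ports)

    def conflict(self, rng: PortRange) -> Optional[str]:
        """Describe an existing use of any port in `rng`, or return None."""
        for used in self.server_ports:
            if rng.overlaps(used):
                return f"port(s) {used} are used by a server on the firewall"
        for proxy in self.proxies.values():
            for used in proxy.ports:
                if rng.overlaps(used):
                    return f"port(s) {used} are used by proxy '{proxy.name}'"
        return None

    def add(self, name: str, protocol: str, ports: List[PortRange],
            service: Optional[str] = None) -> Proxy:
        """Step 4 of the procedure, with the checks steps 1-3 imply."""
        if name in self.proxies:
            raise ValueError(f"proxy '{name}' exists; names cannot change once saved")
        if protocol not in self.PROTOCOLS:
            raise ValueError(f"protocol must be one of {self.PROTOCOLS}")
        if protocol == "Other" and not service:
            raise ValueError("an application-aware proxy needs a service selected")
        if not ports:
            raise ValueError("at least one port or port range is required")
        for rng in ports:
            why = self.conflict(rng)
            if why:
                raise ValueError(f"cannot add '{name}': {why}")
        proxy = Proxy(name, protocol, list(ports), service)
        self.proxies[name] = proxy
        return proxy


def snmp_ports(snmp_port: int) -> Tuple[int, int]:
    """(SNMP port, trap port) as the SNMP Port window assigns them: the port
    must be greater than 1500 and the trap port is the next sequential port."""
    if snmp_port <= 1500:
        raise ValueError("the SNMP port must be greater than 1500")
    return snmp_port, snmp_port + 1


def demo() -> ProxyTable:
    """Constructed walk-through: servers on the firewall already use 22 and 443."""
    table = ProxyTable([PortRange(22, 22), PortRange(443, 443)])
    table.add("custom-tcp", "TCP", [PortRange(7000, 7010)])
    table.add("syslog-udp", "UDP", [PortRange(514, 514)])
    return table
```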
TCP maximum segment size
The TCP layer uses a maximum segment size (MSS) parameter to determine how much data can fit in a single data segment. At connection time, systems negotiate how big this value can be.
If you choose an MSS that is too small, all systems passing a given piece of data through a network must process more IP and physical network frames. This can drastically slow down an entire network. On the other hand, an MSS value that is too large forces the IP layer to fragment and reassemble the data, overburdening the receiving system.
Almost all systems on the Internet accept a TCP MSS of 536 data bytes. Most newer TCP/IP systems can effectively use a TCP MSS of 1460 bytes, improving the traffic load on the entire network. The Sidewinder G2 uses this as the default MSS value. With systems that cannot accept segments of 1460 bytes, the Sidewinder G2 negotiates down to the MSS that can be effectively used.
In a few cases, the default 1460-byte MSS could cause a problem. Some older TCP/IP implementations do not negotiate the TCP MSS value. These older implementations also cannot perform IP reassembly. The most likely symptom is that these systems will no longer be able to communicate through the Sidewinder G2.
The TCP MSS can be set to different values using the sysctl command. For example, the following command sets the TCP MSS to 536:
sysctl -w net.inet.tcp.mssdflt=536
Important: You must also add this line to /etc/rc.local or the setting will be overwritten upon reboot.
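Constructed Python model, added here and not part of the guide or of SecureOS, of the behaviour described above: the firewall's default MSS applies when a peer advertises none and is negotiated down when it does, and a peer that cannot reassemble fragments loses every full-size segment that exceeds its link MTU. Only 536 and 1460 come from the text; the 576-byte MTU and the payload size are assumptions.

```python
"""Constructed model of the TCP MSS behaviour described for the Sidewinder G2.
Not product code: 1460 and 536 are the values named in the text; the MTU and
payload sizes used below are made up."""
from typing import Dict, Optional

IP_TCP_HEADERS = 40      # IPv4 header (20) + TCP header (20), no options
RFC_DEFAULT_MSS = 536    # accepted by almost all systems on the Internet
SIDEWINDER_MSS = 1460    # the Sidewinder G2 default (net.inet.tcp.mssdflt)


def effective_mss(mssdflt: int, peer_mss: Optional[int]) -> int:
    """Segment size the firewall uses toward a peer.

    A peer that advertises an MSS option makes the firewall negotiate down to
    it.  A peer whose stack does not negotiate MSS sends no option, so the
    firewall uses its configured default (the sysctl value) unchanged."""
    if peer_mss is None:
        return mssdflt
    return min(mssdflt, peer_mss)


def segments_needed(payload_bytes: int, mss: int) -> int:
    """Number of segments, and so of IP packets and frames, for one payload."""
    return 0 if payload_bytes <= 0 else -(-payload_bytes // mss)  # ceiling division


def needs_fragmentation(mss: int, link_mtu: int) -> bool:
    """A full-size segment larger than the link MTU is fragmented by IP."""
    return mss + IP_TCP_HEADERS > link_mtu


def can_communicate(mssdflt: int, peer_mss: Optional[int], peer_mtu: int,
                    peer_reassembles: bool) -> bool:
    """Full-size segments get through only if they fit the peer's MTU or the
    peer can reassemble the fragments they become."""
    mss = effective_mss(mssdflt, peer_mss)
    return not needs_fragmentation(mss, peer_mtu) or peer_reassembles


def old_stack_scenario(mssdflt: int) -> Dict[str, object]:
    """The failure mode from the text: an old stack that neither negotiates MSS
    nor reassembles fragments, behind an assumed 576-byte MTU link."""
    peer_mtu, payload = 576, 14600          # constructed values
    mss = effective_mss(mssdflt, None)
    return {
        "mss": mss,
        "frames": segments_needed(payload, mss),
        "fragments": needs_fragmentation(mss, peer_mtu),
        "works": can_communicate(mssdflt, None, peer_mtu, peer_reassembles=False),
    }
```

With the default of 1460 the scenario fragments and fails; after `sysctl -w net.inet.tcp.mssdflt=536` it fits the link at the cost of more frames.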
Chapter 10: Setting Up Authentication
In this chapter...
Authentication overview ... 274
Supported authentication methods ... 277
Authentication process overview ... 282
Users, groups, and authentication ... 283
Configuring authentication services ... 284
Configuring SSO ... 300
Setting up authentication for services ... 303
Special authentication notes ... 304
Setting up authentication for Web sessions ... 305
Setting up authentication for administrators ... 306
Allowing users to change their passwords ... 306
How users can change their own password ... 308
Authentication overview
In general, authentication refers to a process that validates a person’s identity before he or she is allowed to log into a network server. Depending on the authentication method used, a person must provide a user name and valid password and/or a special passcode or personal identification number (PIN) before being logged on to a server. If a user enters an invalid password, passcode, or PIN, the login request is denied.
There are two basic Sidewinder G2 authentication scenarios: proxy authentication and Sidewinder G2 administrator authentication. The following sections describe each scenario.
Proxy authentication
You can configure the Sidewinder G2 to authenticate network users trying to connect from one side of the Sidewinder G2 to another via a Web, SOCKS5, Telnet, or FTP proxy. You can authenticate proxy use for internal-to-external, external-to-internal, and internal-to-internal connections.
• Internal-to-external authentication
You can authenticate internal users whenever they try to access a SOCKS5, Telnet, or FTP server, or Web access, through the Sidewinder G2. While internal users are generally thought to be trusted, authenticating internal-to-external proxy connections provides an extra level of security and allows you to closely track who is using each Internet service and how long they are using it. (See Chapter 20 for information on Sidewinder G2 reporting.) For example, you might use this information for internal accounting. Note that if you do not authenticate internal-to-external proxies, you can still track Internet usage, but the tracking is done for each machine address only (not for individual users).
• External-to-internal authentication
You can authenticate SOCKS5, Telnet, FTP, or Web access from the Internet to hosts on an internal network. For example, an internal network may have Telnet, FTP, or Web servers that users at another location need to access via the Internet. In most, if not all, cases, your Sidewinder G2 should be configured to authenticate all external-to-internal proxy connections.
• Internal-to-internal authentication
When your Sidewinder G2 is configured with two Ethernet cards for two internal networks, you can authenticate SOCKS5, Telnet, FTP, and Web access from one internal network to a second internal network.
Administrator authentication
When you log into the Sidewinder G2, you are authenticated using either standard UNIX password authentication or a stronger form of authentication, such as SafeWord PremierAccess. If standard UNIX password authentication is used, the password you provide is maintained in the user database, and the Sidewinder G2 checks the database to validate your password. Dynamic passwords, called passcodes, or challenge/response information generated for stronger authentication methods are not stored on the Sidewinder G2. Instead, they are located on the associated authentication server. (Strong authentication is described in the next section.) The default administrator authentication method is configured in the Firewall Accounts window. For information on configuring the default administrator authentication method, see “Setting up and maintaining administrator accounts” on page 43.
Administrators can use Telnet or SSH to access a Sidewinder G2 via a command line interface. By default, standard UNIX password authentication is used to validate this type of remote login attempt.
Note: Secure Computing recommends using a strong authentication method for login attempts from a remote server.
Weak versus strong authentication
Secure Computing uses the terms “weak” and “strong” when referring to the level of security provided by an authentication method. The differences are discussed in the following sections.
Weak authentication
A weak authentication method merely requires a user to enter the same password each time he or she logs on. The “standard” UNIX password process is considered a weak authentication method. If someone “sniffs” the password off the phone line or network as it is transmitted, they can conceivably use that password to break into the system. Because your internal network is thought to be “trusted,” this type of authentication is generally used for authenticating internal-to-external proxy connections.
Strong authentication
A basic premise of security is to positively identify who is accessing your networks. Strong user authentication performs this function and is generally desired for external-to-internal proxy connections. An authentication server, such as Secure Computing’s SafeWord PremierAccess, typically resides in the internal network burb. When a user attempts to log in, the authentication server displays a passcode prompt for the user.
A passcode is a unique, one-time response that is generated for the user via a hardware or software authenticator known as a token. Because the token generates a unique passcode for each login attempt, the passcodes are immune to sniffing or theft. Because the passcodes are generated by a cryptographic algorithm, they are essentially impossible to guess.
When tokens are PIN-protected, this strong authentication method is known as two-factor authentication. That is, authentication is based on something the user knows (a PIN that allows access to the token) and something the user has (a token that generates unique passwords).
The Sidewinder G2 coordinates the passcode prompt and response process between the authentication server and the user. The authentication server maintains detailed information about user accounts and connection times.
Hardware authenticators
A hardware authenticator is a small, hand-held device that looks similar to an ordinary calculator. The hardware authenticator displays the proper login response on a digital display. A hardware authenticator is platform-independent and can be used from any PC or workstation equipped for network communications.
Software authenticators
In contrast, a software authenticator is installed directly on the user’s PC or workstation. It automates the response process, requiring the user only to enter a personal identification number (PIN). A valid PIN unlocks the software authenticator, which then calculates and returns the proper login response. An example of a supported software authenticator is the SafeWord PremierAccess SofToken-II.
Supported authentication methods
Sidewinder G2 supports standard UNIX password authentication, Windows Domain authentication, and the following stronger authentication methods: SafeWord PremierAccess and SafeWord RemoteAccess (from Secure Computing Corporation), SecureNet Key (SNK) from Symantec Corporation, and SecurID from RSA Security, Inc. Sidewinder G2 also supports the widely used RADIUS authentication protocol and the Lightweight Directory Access Protocol (LDAP). All of these can be used to authenticate SOCKS5, Telnet, FTP, and Web connections through the Sidewinder G2 and administrator login connections to the Sidewinder G2.
Table 23 provides a brief summary of the authentication methods supported by the Sidewinder G2.
Note: Single Sign-On (SSO) can be used in conjunction with the authentication methods listed below to cache a user’s initial authentication, thereby allowing access to multiple services with a single authentication to the Sidewinder G2. For information on configuring SSO, see “Configuring SSO” on page 300.
Table 23: Authentication methods available for the Sidewinder G2
Standard Password
  Security level: Weak
  Recommended usage: Internal-to-external login (FTP, Telnet, Web, SOCKS5, SSH sessions)
  Server type: Not applicable
  Authenticator type: Not applicable
SafeWord (PremierAccess and RemoteAccess)
  Security level: Strong
  Recommended usage: External-to-internal login (FTP, Telnet, Web, SOCKS5, SSH sessions)
  Server type: SafeWord Authentication Server, external to the Sidewinder G2
  Authenticator type: Software (SoftToken II) and hardware token (Silver 2000, Gold 3000, Platinum)
LDAP
  Security level: Weak
  Recommended usage: Internal-to-external login (FTP, Telnet, Web, SOCKS5, SSH sessions)
  Server type: X.500 or other LDAP-compatible directory server, external to the Sidewinder G2
  Authenticator type: Not applicable
Windows Domain
  Security level: Weak
  Recommended usage: Internal-to-external login (FTP, Telnet, Web, SOCKS5, SSH sessions)
  Server type: Windows primary domain controller (PDC) or backup domain controller (BDC)
  Authenticator type: Not applicable
SecureNet Key (SNK)
  Security level: Strong
  Recommended usage: External-to-internal login (FTP, Telnet, SSH sessions)
  Server type: Defender Security Server (DSS), external to the Sidewinder G2
  Authenticator type: SecureNet Key (SNK) or Symantec Corporation hardware authenticator
SecurID
  Security level: Strong
  Recommended usage: External-to-internal login (FTP, Telnet, Web, SOCKS5, SSH sessions)
  Server type: ACE/Server, external to the Sidewinder G2
  Authenticator type: SecurID hardware authenticator
RADIUS
  Security level: Strong
  Recommended usage: External-to-internal login (FTP, Telnet, Web, SSH sessions)
  Server type: RADIUS server, external to the Sidewinder G2
  Authenticator type: Any
Standard password authentication
Standard password authentication requires a user to enter the same password each time he or she logs on. This method is typically used for authenticating a user’s internal-to-external SOCKS5, Telnet, FTP, and Web connections, and local Sidewinder G2 administrator logins. Since internal users are generally thought to be trusted, a weak authentication method is probably all that is required. You may want to authenticate internal-to-external connections not so much for security reasons but to track usage of the system.
SafeWord authentication
The SafeWord family of authentication servers that interoperate with the Sidewinder G2 includes SafeWord RemoteAccess and SafeWord PremierAccess. The following table provides a reference to better understand each server’s authentication capabilities when interoperating with Sidewinder G2.
Table 24: Authentication capabilities of SafeWord servers
Feature/Capability | SafeWord RemoteAccess | SafeWord PremierAccess
Sidewinder G2 authentication methods supported | RADIUS only | SafeWord & RADIUS
Fixed passwords | No | Yes
Dynamic passcodes w/o challenge | Hardware tokens only | Hardware and software tokens
Dynamic passcodes with challenge | No | Yes
Location of user database | Active Directory | SafeWord
Connectivity w/ Sidewinder G2 | RADIUS ports only | RADIUS ports or port 5030 (default)
When connected to the Sidewinder G2 using standard RADIUS ports, the authentication method is appropriately called RADIUS. This method is available with both SafeWord RemoteAccess and SafeWord PremierAccess. (For additional information on RADIUS, see “RADIUS authentication” on page 281.)
SafeWord PremierAccess provides the ability to use fixed passwords or passcode authentication for Telnet and FTP sessions through the Sidewinder G2, and can be used to authenticate logins and SSH logins to the Sidewinder G2. Web sessions can also be authenticated, but are limited to using either fixed passwords or passcodes without the challenge/response option. (Not all tokens support this option.)
The biggest advantages of using a tightly coupled configuration such as SafeWord PremierAccess authentication are the following:
• An improvement in performance over RADIUS
• The ability for PremierAccess to forward role information for a user from the PremierAccess database to the Sidewinder G2. (While SafeWord PremierAccess can be connected to Sidewinder G2 via standard RADIUS ports, configuration changes to the user’s role cannot be made available to the Sidewinder G2.)
Note: SafeWord RemoteAccess is always connected to the Sidewinder G2 via standard RADIUS ports and therefore cannot be assigned the SafeWord authentication method. Aside from the ability to return a user’s role, SafeWord RemoteAccess provides equally strong user authentication via the RADIUS interface.
LDAP/Active Directory
LDAP (Lightweight Directory Access Protocol)/Active Directory is a protocol that you can use to provide fixed password authentication for SOCKS5, Telnet, FTP, and Web sessions through the Sidewinder G2. It can also be used to authenticate logins and SSH logins to the Sidewinder G2. You can set up an LDAP directory server containing users and passwords. Use any valid combination of LDAP attributes and values as an optional filter string to distinguish authorized Sidewinder G2 users.
Windows Domain
If your organization operates a Windows primary domain controller (PDC) or backup domain controller (BDC), you can use it to provide weak authentication for login, SOCKS5, Telnet, FTP, Web, and SSH sessions to the Sidewinder G2. The PDC or BDC can be used to provide password authentication. Be sure the domain controller does not allow blank or default logins that can be easily guessed by outsiders.
You can also use transparent browser authentication. Transparent browser authentication is controlled on a per-rule basis and is enabled on the Rule’s Authentication tab. For more information about configuring your organization’s PDC or BDC to use transparent browser authentication on Sidewinder G2, see the related application note located at www.securecomputing.com/goto/appnotes.
SNK (SecureNet Key)/Symantec Defender authentication
If your organization operates a Defender Security Server (DSS) (made by Symantec Corporation), you can use it to provide fixed password, challenge/response, or password + challenge/response authentication for SOCKS5, Telnet, and FTP sessions through Sidewinder G2. It can also be used to authenticate logins and SSH logins to Sidewinder G2. Web sessions can also be authenticated but are limited to using the password authentication method.
SecurID authentication
If your organization operates an ACE/Server (made by RSA Security, Inc.), you can use it to provide fixed or one-time password authentication for login, SOCKS5, Telnet, FTP, Web, and SSH sessions to the Sidewinder G2. For this authentication method, users enter a PIN and a passcode that is displayed on the user’s SecurID authenticator.
RADIUS authentication
If your organization operates a RADIUS server, you can use it to provide strong authentication for SOCKS5, Telnet, FTP, and Web sessions through the Sidewinder G2. It can also be used to authenticate logins and SSH logins to the Sidewinder G2.
SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS servers that have been certified for full interoperability with the Sidewinder G2. As shown in Table 24, each method provides strong authentication using passcodes for SOCKS5, Telnet, and FTP sessions through the Sidewinder G2, and for authenticating logins and SSH logins to the Sidewinder G2. Web sessions can also be authenticated, but are limited to using fixed passwords or passcodes without a challenge/response option.
Authentication process overview
For all authentication methods, a warder in the Sidewinder G2 communicates with an authentication server to validate users. A warder provides an interface between the proxy software and the various authentication services. As shown in Figure 129, there is a separate warder for each authentication method.
Figure 129: Authentication servers supported by the Sidewinder G2 (diagram: a client PC or workstation; the Sidewinder G2 with its proxy, active rules, user database, and the Windows Domain, LDAP, RADIUS, SNK, SecurID, SafeWord, and password warders; and the external servers each warder talks to: NT PDC or BDC, LDAP server, RADIUS server, Defender Security Server (DSS), ACE Server, and SafeWord server, each with its own database)
Note: The numbers in this figure correspond to the process overview steps listed in the following section.
The numbers in Figure 129 represent the sequence of events that occur when a remote user requests a network connection through the Sidewinder G2. These events are described below. In this scenario, the user is authenticated using SafeWord PremierAccess, which implements a challenge-response authentication process. (Note that the process is different for other authentication methods.)
1 A user tries to make a network connection via Telnet or FTP.
2 The Sidewinder G2 checks the active rules to determine whether the connection between the source and destination addresses is allowed and to determine which warder to use.
3 If the connection is allowed, the proxy contacts the appropriate warder in the Sidewinder G2.
4 The warder passes the login request to the appropriate authentication server. The server checks the database to verify that the user’s login name is registered and then generates a login prompt.
5 The login challenge is sent to the user. Using client software or a hardware authenticator, the user types in the proper response to the prompt.
6 The Sidewinder G2 sends the response to the authentication server. The authentication server checks the response and informs the Sidewinder G2 to either accept or reject the login request.
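The six steps above, and the weak-versus-strong distinction from the overview earlier in this chapter, as an added Python model that is not part of the guide or of any Secure Computing product: active rules pick a warder, the SafeWord-style warder relays a one-time challenge to a PIN-protected token, and the password warder checks the firewall's own user database. The HMAC-based token, the burb and user names and the rules are constructed; this is not SafeWord's actual algorithm.

```python
"""Constructed model of the six-step sequence in Figure 129: proxy -> active
rules -> warder -> authentication server, with a PIN-protected token answering
a one-time challenge, beside the fixed-password warder.  Not product code."""
import hashlib, hmac, os, secrets
from typing import Callable, Dict, List, Tuple

Answer = Callable[[str], str]      # the user's reply to a prompt
Rule = Tuple[str, str, str, str]   # (source burb, destination burb, service, warder)


class AuthError(Exception):
    pass


class SoftToken:
    """Something you have (token secret) unlocked by something you know (PIN)."""
    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret, self._pin = secret, hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin):
            raise AuthError("wrong PIN: token stays locked")
        return hmac.new(self._secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class ChallengeServer:
    """Authentication server outside the firewall, e.g. in the internal burb."""
    def __init__(self) -> None:
        self._tokens: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._tokens[user] = secret

    def challenge(self, user: str) -> str:
        if user not in self._tokens:                # step 4: is the login name registered?
            raise AuthError("unknown user")
        self._pending[user] = secrets.token_hex(8)  # a fresh prompt for this attempt only
        return self._pending[user]

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)       # single use: a replay finds no challenge
        if nonce is None:
            return False
        good = hmac.new(self._tokens[user], nonce.encode(), hashlib.sha256).hexdigest()[:8]
        return hmac.compare_digest(good, response)


def password_record(pw: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 entry for the firewall's own user database (weak method)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Sidewinder:
    def __init__(self, rules: List[Rule], server: ChallengeServer, userdb: Dict[str, Tuple[bytes, bytes]]) -> None:
        self.rules, self.server, self.userdb = rules, server, userdb
        self.warders = {"safeword": self._safeword_warder, "password": self._password_warder}

    def connect(self, user: str, src: str, dst: str, service: str, answer: Answer) -> bool:
        """Steps 1-6 for one connection attempt (step 1 is the call itself)."""
        warder = next((w for s, d, svc, w in self.rules       # step 2: active rules decide
                       if (s, d, svc) == (src, dst, service)), None)
        if warder is None:
            return False                                       # not allowed by any rule
        return self.warders[warder](user, answer)              # step 3: contact the warder

    def _safeword_warder(self, user: str, answer: Answer) -> bool:
        try:
            prompt = self.server.challenge(user)               # step 4: server builds prompt
        except AuthError:
            return False
        return self.server.verify(user, answer(prompt))        # steps 5-6: reply and verdict

    def _password_warder(self, user: str, answer: Answer) -> bool:
        salt, digest = self.userdb.get(user, (b"", b""))
        pw = answer("Password:")
        return bool(salt) and hmac.compare_digest(
            digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))


def demo() -> Dict[str, bool]:
    """Constructed walk-through: alice uses a token from the external burb, bob a fixed password."""
    secret, pin, pw = secrets.token_bytes(20), "4821", "constructed-example-password"
    server = ChallengeServer()
    server.enroll("alice", secret)
    fw = Sidewinder([("external", "internal", "telnet", "safeword"),
                     ("internal", "external", "ftp", "password")], server, {"bob": password_record(pw)})
    token, seen = SoftToken(secret, pin), {}

    def alice(prompt: str) -> str:
        seen["resp"] = token.respond(pin, prompt)  # the value visible on the wire
        return seen["resp"]

    out = {"token_login": fw.connect("alice", "external", "internal", "telnet", alice)}
    # Strong: the observed one-time response is useless against the next challenge.
    out["token_replay"] = fw.connect("alice", "external", "internal", "telnet", lambda p: seen["resp"])
    out["password_login"] = fw.connect("bob", "internal", "external", "ftp", lambda p: pw)
    # Weak: the same fixed password is accepted every time, which is the text's point.
    out["password_again"] = fw.connect("bob", "internal", "external", "ftp", lambda p: pw)
    return out
```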
Users, groups, and authentication
As a Sidewinder G2 administrator, you are responsible for configuring the Sidewinder G2 to work with the desired authentication server. The first step is identifying the users that will need authentication services on the Sidewinder G2. You can set up authentication on a user-by-user basis or create user groups. A user group is a mechanism that allows you to identify multiple users by a single name, making it easier to configure authentication requirements for your network.
Note: The procedures to add users to the user database and set up user groups are described in Chapter 5.
After defining and creating the appropriate user groups for your site, you need to configure the authentication method(s) that your site will use. The following section describes what needs to be done to configure the Sidewinder G2 for authenticating users or administrators.
Configuring authentication services
Figure 130: Authentication Configuration window
About the Authentication Configuration window
To configure authentication services for the Sidewinder G2, start the Admin Console and select Services Configuration > Authentication. The Authentication Configuration window appears.
Note: You must configure an authentication method before it can be enabled.
This window allows you to configure authentication services on the Sidewinder G2. You can also manage locked out administrators and users, and SSO-authenticated users. You can perform the following actions in this window:
• Configure an authentication method—To configure an authentication method, click the appropriate Configure button. (If you attempt to enable an authentication method that has not yet been configured, you will be prompted to configure the method first.) The following authentication methods can be configured:
– LDAP/Active Directory—To configure LDAP/Active Directory authentication, see “Setting up LDAP authentication” on page 288.
– Password—To configure password authentication, see “Setting up password authentication” on page 291.
– RADIUS—To configure RADIUS authentication, see “Setting up RADIUS authentication” on page 292.
– SafeWord—To configure SafeWord PremierAccess authentication in a tightly coupled configuration, see “Setting up SafeWord authentication” on page 294. (SafeWord PremierAccess and SafeWord RemoteAccess can also be configured using the RADIUS interface.)
– SecurID—To configure SecurID authentication, see “Setting up SecurID authentication” on page 295.
– SNK/Symantec Defender—To configure SecureNet (SNK)/Symantec Defender authentication, see “Setting up SecureNet Key (SNK) authentication” on page 296.
– Windows Domain—To configure Windows Domain authentication, see “Setting up Windows Domain authentication” on page 298.
• Enable/disable an authentication method—A check mark appears in front of authentication methods that are currently enabled. To enable an authentication method, select the appropriate check box in the Enable Warders area. To disable an authentication method, deselect the appropriate check box in the Enable Warders area.
Note: If you attempt to enable an authentication method that has not yet been configured, you will be prompted to configure the method first.
• Manage locked out users—To configure the Sidewinder G2 to lock out a user if the number of failed authentication attempts reaches the specified lockout threshold, or to manage users who are currently locked out, click Authentication Failure Locked Out Users and see “Configuring and managing the locked out users” on page 286 for details.
• View SSO Authenticated Users—To view users currently in the SSO authenticated cache, click Current SSO Authenticated Users, and see “Viewing currently authenticated SSO users” on page 287.
• Configure external authorization roles—The External Authorization Roles list displays the roles defined by an external authentication program (for example, SafeWord PremierAccess or LDAP/Active Directory) that can be used within a Sidewinder G2 proxy rule. Use the New, Modify, and Delete buttons to manage this list. If you click New or Modify under the External Authorization Roles field, the New (or Modify) External Authorization Roles window appears.
Note: See “Creating proxy rules” on page 222 for information on how these roles are used in a proxy rule. (You may need to consult the administrator of your particular authentication program for the names of the roles to add to this list.)
About the New (or Modify) External Authorization Roles window
The New (or Modify) External Authorization Roles window contains a single External Role field in which you specify a name for the external role. Currently, the only external authorization servers that support roles within a proxy rule are SafeWord PremierAccess and LDAP/Active Directory. The name of the external role must match the name of a group within the server (SafeWord PremierAccess or LDAP) to which the user belongs.
Click Add to add the entry to the External Authorization Roles list, or add the entry and close the window.
Configuring and managing the locked out users
This window allows you to configure the authentication failure lockout feature<br />
on your <strong>Sidewinder</strong> <strong>G2</strong>. The authentication failure lockout feature allows you to<br />
configure the <strong>Sidewinder</strong> <strong>G2</strong> to block access to a user if the number <strong>of</strong><br />
consecutive failed authentication attempts reaches a configured number. This<br />
protects unauthorized users from multiple attempts at guessing a user’s<br />
password. Using this window, you can perform the following actions:<br />
Important: If all administrators become locked out <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>, see<br />
“Manually clearing an authentication failure lockout” on page 654.<br />
• Enable or disable the lockout feature—To enable this feature, select the<br />
Enable radio button. To disable this feature, select the Disable radio button.<br />
When this feature is enabled, any time a user account surpasses the specified<br />
authentication attempt threshold without a successful authentication,<br />
that user will be locked out until the lock is cleared by an administrator. The<br />
lock can also be cleared if the locked out administrator logs in at the<br />
<strong>Sidewinder</strong> <strong>G2</strong> using the correct login information.<br />
When authentication failure lockout is enabled, the client-side cache is<br />
emptied and authenticated allow rules will not be cached.<br />
• View locked out users—The Locked Out Users area lists any users who<br />
are currently locked out <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> due to exceeded<br />
authentication failures. It will also display the number <strong>of</strong> failed login<br />
attempts for each user.<br />
• Configure the lockout threshold—The Lockout Threshold field allows you<br />
to specify the number <strong>of</strong> failed login attempts that can occur for a single<br />
user account before that user is locked out <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: When a user is locked out, their authentication method will become<br />
invalid. They will not be notified that they are locked out.<br />
• Clear user locks—To clear the lock for a user select the user and click<br />
Clear.
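The lockout behaviour described above, as an added example (Python, not Sidewinder G2 code): a per-user count of consecutive failures that locks the account when the Lockout Threshold is reached, rejects further attempts without telling the user why, reports what the Locked Out Users area shows, and is reset by an administrator's Clear. It does not model the console login exception for a locked out administrator; the `verify` callback, the class names and the user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class LockoutState:
    failures: int = 0       # failed attempts since the last success or administrator clear
    locked: bool = False


class FailureLockout:
    """Wraps a credential check (a warder) with the authentication failure lockout rule."""

    def __init__(self, threshold: int, verify: Callable[[str, str], bool], enabled: bool = True):
        if threshold < 1:
            raise ValueError("Lockout Threshold must be at least 1")
        self.threshold = threshold
        self.verify = verify          # constructed placeholder for the real password check
        self.enabled = enabled        # the Enable/Disable radio buttons
        self.users: Dict[str, LockoutState] = {}

    def authenticate(self, user: str, password: str) -> bool:
        state = self.users.setdefault(user, LockoutState())
        if self.enabled and state.locked:
            # The method is invalid while locked: even correct credentials fail,
            # and the user sees the same failure as for a wrong password.
            state.failures += 1
            return False
        if self.verify(user, password):
            state.failures = 0        # a success ends the run of consecutive failures
            return True
        state.failures += 1
        if self.enabled and state.failures >= self.threshold:
            state.locked = True       # threshold reached: locked until cleared
        return False

    def locked_out_users(self) -> Dict[str, int]:
        """The Locked Out Users area: user name -> failed login attempts."""
        return {u: s.failures for u, s in self.users.items() if s.locked}

    def clear(self, user: str) -> None:
        """The Clear button: an administrator removes the lock and resets the count."""
        self.users.pop(user, None)
```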
Figure 131: SSO Cached Authentication Users
Viewing currently authenticated SSO users
This window allows you to view the current SSO-authenticated (cached) users. In this window, you have the option to override the authentication cache default values and immediately expire the SSO authentication for one or more users.
The Authentication Cache table allows you to view all users who are currently authenticated (cached) using SSO. The following fields are displayed in the table:
Note: If you disable the SSO server, the authenticated user cache will be emptied. When the SSO server is enabled again, all users will need to authenticate before being added back into the cache.
Note: For information on configuring SSO, see “Configuring SSO” on page 300.
• Name—This column displays the name(s) of all users who currently have cached authentication.
• External Group—This column displays the external group to which a user belongs.
• Warder—This column displays the type of authentication used by a user.
• IP Address—This column displays the source IP address from which the authentication request originated.
• Time of User Entering Cache—This column displays the time at which a user was initially authenticated and added to the cache.
• Time Cached Data Last Accessed—This column displays the time at which a user last accessed a service that required authentication.
To expire the SSO authentication cache for all users listed in the table, click Expire All Entries. To expire the SSO authentication cache for a single user or group of users, select the users you want to expire by clicking the appropriate table row(s). To select multiple users, press and hold the Ctrl key as you select users. Then click Expire Entry(s) to expire the selected users from the authentication cache.
When you expire the authentication cache for one or more users, those users will be required to re-authenticate before they can again access any authenticated services.
Note: Subsequent authentication requests by an expired user will be cached when they re-authenticate, allowing them to again use SSO authentication.
287
288
Setting up LDAP authentication
Figure 132: LDAP/Active Directory window
To configure LDAP authentication on the Sidewinder G2, in the Admin Console select Services Configuration > Authentication, and click Configure LDAP. The following window appears.
Entering information on the LDAP Configuration window
This window is used to configure your Sidewinder G2 to work with an LDAP server. The top left portion of the window displays a list of any current LDAP servers you have defined. To configure the general LDAP properties for all of the defined LDAP servers, follow the steps below.
1 Define and rank the LDAP/Active Directory servers to use for authentication. The Sidewinder G2 always uses the server ranked first, unless it is unavailable.
Note: See “Configuring the Domain Controller Configuration window” on page 290 for instructions on adding or modifying an LDAP server entry.
• To add a new server, click New.
• To modify an existing server, select the server and click Modify.
• To delete an existing server, select the server and click Delete.
• To change a server’s rank, select the server and use the up and down arrows.
2 Select which Directory User Identifier and Directory Member Identifier to use from the following options. The defaults are displayed in the Directory User Identifier and Directory Member Identifier fields.
• Use Active Directory defaults—Select this option if using an Active Directory LDAP server.
• Use iPlanet defaults—Select this option if using an iPlanet LDAP server.
• Use Open LDAP defaults—Select this option if using an Open LDAP server.
• Specify LDAP attributes—Select this option to customize the Directory User Identifier and Directory Member Identifier.
3 Define the search container option by selecting one of the following:
• Search in defined containers only—Select this option to limit searches to the containers listed here. To add or modify a search container, see “Adding/modifying search containers” on page 290.
• Search in containers and all subcontainers—Select this option to search all listed containers and their subcontainers. If this option is selected, in step 4 you must indicate what credentials the LDAP server requires to allow subcontainer searches.
• Search in Active Directory domains—Select this option to search only in the Active Directory domains listed here. Each domain must be listed separately.
4 [Conditional] This option is only enabled if you selected Search in containers and all subcontainers in step 3. In the Define LDAP/Active Directory Servers area, select how the Sidewinder G2 will connect to LDAP/Active Directory servers by selecting one of the following options:
• Connect to Server(s) Anonymously—Select this option if the LDAP server allows the Sidewinder G2 to connect and search subcontainers without providing login information.
• Connect to Server(s) with Username/Password—Select this option if the LDAP server requires the Sidewinder G2 to submit the specified login name and password in order to connect and search subcontainers.
5 Select the filtering criterion:
• Do not filter searches—Select this option to disable filtering of the LDAP or Active Directory tree.
• Only allow users that match the filter below—Select this option to filter users based on the profile filter displayed here. Enter the filter name in the Profile Filter field.
6 Click Server Timeouts/Retries to configure the retry and login limits. For more information, see “Configuring the Server Timeouts/Retries window” on page 290.
7 In the Configure Console and Telnet LDAP login area, click Login Options to configure the prompts presented when logging into the Sidewinder G2 requires LDAP authentication. See “Configuring the Login Options window” on page 290 for more information.
289
290
Configuring the Domain Controller Configuration window
The LDAP Configuration Domain Controller window allows you to configure the IP address and port for an LDAP server. Follow the steps below.
1 In the IP Address field, type the IP address for the LDAP server.
2 In the Port Number field, type the port that the LDAP server should use. The default port is 389.
3 Click OK to add the LDAP server to the list of configured LDAP servers.
4 Click the Save icon in the toolbar to save your changes.
Configuring the Server Timeouts/Retries window
This window allows you to configure limits on authentication retries and server timeouts.
• In the Maximum Retries field, specify the number of authentication attempts that a user can make before a failure is issued. Valid values are between 1 and 9999999. The default is 3.
• In the Login Timeout in seconds field, specify the number of seconds to wait for the LDAP server to respond. Valid values are between 1 and 9999999. The default is 60 seconds. If the server cannot be reached in that time frame, the Sidewinder G2 will attempt to connect to the next server in the Define LDAP/Active Directory Servers area.
Configuring the Login Options window
This window allows you to specify what you want to appear as prompts during the login process.
• In the Login Prompt field, specify the prompt that you want to appear for the user name portion of the login process. The default is Username.
• In the Password Prompt field, specify the prompt that you want to appear for the password portion of the login process. The default is Password.
Adding/modifying search containers
This window allows you to add or modify a search container.
1 In the Edit Search Container field, enter either a single container name or a concatenated container name.
Note: The search string format depends on the type of server selected. Microsoft Active Directory searches use a format similar to sales.example.com. Standard LDAP searches use a format similar to dc=sales,dc=example,dc=com.
2 Click OK.
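Two of the rules above in code, as an added example (Python, not Sidewinder G2 code): `normalize_container` validates a search container in the two formats the note gives and converts the Active Directory form into the standard LDAP form, and `first_reachable_server` applies the ranking rule with the Login Timeout, consulting the next server only when the current one does not answer in time. The function names, the server addresses and the injectable `probe` are assumptions made for the example.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# One DNS label (sales, example, com) and one RDN (dc=sales, ou=Staff).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+\\]+$")


def _domain_labels(value: str) -> List[str]:
    labels = value.split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain name: {value!r}")
    return [label.lower() for label in labels]


def normalize_container(container: str, server_type: str) -> str:
    """Return a search container in the form the selected server type expects.

    server_type "active_directory": domain form, e.g. sales.example.com.
    server_type "ldap": DN form, e.g. dc=sales,dc=example,dc=com; a domain name
    given here is converted label by label into dc= components.
    """
    value = container.strip()
    if not value:
        raise ValueError("empty search container")
    if server_type == "active_directory":
        return ".".join(_domain_labels(value))
    if server_type == "ldap":
        if "=" not in value:
            return ",".join(f"dc={label}" for label in _domain_labels(value))
        rdns = [rdn.strip() for rdn in value.split(",")]
        if not all(_RDN.match(rdn) for rdn in rdns):
            raise ValueError(f"not a valid LDAP DN: {container!r}")
        return ",".join(rdns)
    raise ValueError(f"unknown server type: {server_type!r}")


def _tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Default reachability check: a TCP connect to the LDAP port within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable_server(
    ranked: List[Tuple[str, int]],
    login_timeout: float,
    probe: Callable[[str, int, float], bool] = _tcp_probe,
) -> Optional[Tuple[str, int]]:
    """Apply the ranking rule: use the first-ranked server unless it is unavailable.

    Servers are tried strictly in rank order; the next one is consulted only when
    the current one does not answer within login_timeout seconds. Returns None
    when no server answers.
    """
    for host, port in ranked:
        if probe(host, port, login_timeout):
            return (host, port)
    return None
```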
Figure 133: Password Configuration window
Setting up password authentication
To configure password authentication on the Sidewinder G2, in the Admin Console select Services Configuration > Authentication, and click Configure Password. The following window appears.
Entering information on the Password Configuration window
This window is used to configure password authentication on the Sidewinder G2. Follow the steps below.
1 In the Login Prompt field, type the prompt text that you want to appear when the Telnet proxy service prompts a user for his or her user name.
Note: The prompt you configure in this field is only used for the Telnet proxy service, and only appears after an authentication attempt of this type has failed.
2 In the Password Prompt field, type the prompt text that you want to appear when the Sidewinder G2 prompts a user for his or her password.
3 In the Expiration Message field, type the message you want to appear when a user’s password has expired.
4 In the Password Expiration Timespan field, type the number of days the password will be valid.
5 In the Minimum Password Length field, specify the minimum number of characters that a password must contain.
6 Select one of the following:
• Allow simple passwords—Select this option if you do not want to specify any other password requirements.
• Require complex passwords—Select this option to configure and enforce complex password requirements.
291
292
7 [Conditional] If you selected Require complex passwords in the previous step, do the following:
a Specify the number of character groups that will be required for passwords. For example, if you specify 2, passwords must use characters from two of the four character groups. The character groups are:
• lowercase
• uppercase
• numbers
• special characters (includes all printable characters that can be typed from the keyboard, such as ^ % $ # @ ! . , etc.)
b Specify the number of characters that will be required from each character group. For example, if you specify 3 characters from each group, and two character groups are required, passwords will need to contain three characters from each of two different groups, such as a13c7b.
8 Click OK to save your changes before returning to the Authentication Configuration window.
Note: If you want to use password authentication after it is configured, you must also enable it in the Authentication Configuration window.
Figure 134: RADIUS configuration window
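The complex-password rule of step 7, as an added example (Python, not Sidewinder G2 code): a password is accepted when its length meets the minimum and at least the required number of character groups each supply the required number of characters, which is how the manual's own sample a13c7b passes with two groups of three. The `PasswordPolicy` and `check_password` names are assumptions for the example.

```python
import string
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int                 # Minimum Password Length (step 5)
    require_complex: bool = False   # False is "Allow simple passwords" (step 6)
    required_groups: int = 0        # character groups required (step 7a), 1 to 4
    chars_per_group: int = 0        # characters required from each group (step 7b)

    def __post_init__(self) -> None:
        if self.min_length < 1:
            raise ValueError("minimum length must be at least 1")
        if self.require_complex and not (1 <= self.required_groups <= 4 and self.chars_per_group >= 1):
            raise ValueError("complex policy needs 1 to 4 groups and at least 1 character per group")


def count_groups(password: str) -> Dict[str, int]:
    """Characters per group. 'special' is any printable keyboard character that is
    not a letter, digit or space (^ % $ # @ ! . , and so on)."""
    counts = {"lowercase": 0, "uppercase": 0, "numbers": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lowercase"] += 1
        elif ch in string.ascii_uppercase:
            counts["uppercase"] += 1
        elif ch in string.digits:
            counts["numbers"] += 1
        elif ch in string.punctuation:
            counts["special"] += 1
    return counts


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons the password is rejected; an empty list means it is accepted."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than the minimum of {policy.min_length} characters")
    if policy.require_complex:
        counts = count_groups(password)
        # A group only counts when it supplies at least chars_per_group characters.
        satisfied = [g for g, n in counts.items() if n >= policy.chars_per_group]
        if len(satisfied) < policy.required_groups:
            problems.append(
                f"needs {policy.chars_per_group} characters from each of "
                f"{policy.required_groups} groups; enough only from {satisfied or 'none'}"
            )
    return problems
```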
Setting up RADIUS authentication
RADIUS is a standard protocol used to authenticate users before they are allowed access to your system. To configure the Sidewinder G2 to work with a RADIUS server, start the Admin Console and select Services Configuration > Authentication, and click Configure Radius. The following window appears.
Entering information on the RADIUS window
This window is used to configure RADIUS authentication on the Sidewinder G2. Follow the steps below.
1 The Radius Servers table lists the RADIUS servers currently configured for the Sidewinder G2. The columns indicate the following:
• Rank—Which server the Sidewinder G2 will try first.
• Host—The host (IP address) for each server entry.
• Port Number—The port number for each server entry. The default port is 1812.
• Shared Secret—The text string or phrase that matches the shared secret of the listed RADIUS server.
To configure the Radius Servers table, do one of the following:
• New—Click this button to create a new server entry. See “Adding or modifying a RADIUS server entry” on page 293 for details.
• Modify—Click this button to modify the selected server entry. See “Adding or modifying a RADIUS server entry” on page 293 for details.
• Delete—Click this button to remove the selected server entry.
2 In the Login Prompt field, type the login prompt that you want to appear when a user authenticates using RADIUS (the default is Username:).
3 In the Password Prompt field, type the password prompt that you want to appear when a user authenticates using RADIUS (the default is Password:).
4 In the Failed Authentication Message field, type the message that you want to display if the user incorrectly enters their authentication information (the default is Login incorrect).
5 Click OK to save your changes before returning to the Authentication Configuration window.
Note: If you want to use RADIUS authentication after it is configured, you must also enable it in the Authentication Configuration window.
Adding or modifying a RADIUS server entry
The RADIUS Configuration: Domain Controller Configuration window is used to create a new server entry or to modify an existing one. Follow the steps below.
1 In the IP Address field, type the IP address used by the RADIUS server.
Tip: If configuring SafeWord RemoteAccess authentication, the IP address is that of the Microsoft RADIUS server running the SafeWord agent for IAS. See the SafeWord product documentation for more information.
2 In the Port Number field, specify the port number used by the RADIUS server. (The default port is 1812.)
3 In the Shared Secret field, type any text string or phrase. This must match the Shared Secret defined on the RADIUS server.
4 Click Add to add the entry to the list of RADIUS servers, and then click Close.
293
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
294<br />
Figure 135: SafeWord<br />
Configuration window<br />
About the SafeWord<br />
Configuration<br />
window<br />
Setting up SafeWord authentication<br />
This section describes how to configure your <strong>Sidewinder</strong> <strong>G2</strong> to work with a<br />
SafeWord PremierAccess authentication server for login, SOCKS5, Telnet,<br />
FTP, Web, or SSH authentication.<br />
To configure SafeWord PremierAccess authentication on the <strong>Sidewinder</strong> <strong>G2</strong>,<br />
you must first install and configure the SafeWord PremierAccess<br />
Authentication Server. (Refer to the appropriate product documentation.)<br />
To configure SafeWord RemoteAccess authentication, use the RADIUS<br />
warder. See “Setting up RADIUS authentication” on page 292 for more<br />
information.<br />
In the Admin Console select Services Configuration > Authentication, and<br />
click Configure SafeWord. The following window appears.<br />
This window allows you to view and modify your SafeWord PremierAccess<br />
server entries. The SafeWord Configuration tab contains a table with the<br />
following fields:<br />
• Rank—This column indicates which server the <strong>Sidewinder</strong> <strong>G2</strong> will try first.<br />
• Host—This column indicates the host (IP address) for each server entry.<br />
• Port Number—This column indicates the port number for each server entry.<br />
The default port number for SafeWord PremierAccess is 5030. (If you are<br />
configuring a server entry for SafeWord, you will need to change the port to<br />
7482.)<br />
To delete an existing entry, highlight that entry and click Delete.<br />
To create a new server entry, click New. To modify an existing server entry,<br />
highlight the entry you want to modify, and click Modify. See “Adding or<br />
modifying a SafeWord server entry” on page 295 for details.<br />
Note: If you want to use SafeWord PremierAccess authentication after it is<br />
configured, you must also enable it in the Authentication Configuration window.
Adding or modifying<br />
a SafeWord server<br />
entry<br />
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
The SafeWord Server Configuration window is used to create a new server<br />
entry or to modify an existing server entry. Follow the steps below.<br />
1 In the IP Address field, type the IP address used by the SafeWord<br />
PremierAccess Authentication Server.<br />
2 In the Port Number field, specify a port number used by the SafeWord<br />
PremierAccess Authentication Server. (The default port for SafeWord<br />
PremierAccess is 5030.)<br />
3 Click Add to add the entry to the list <strong>of</strong> SafeWord servers, and then click<br />
Close.<br />
Setting up SecurID authentication<br />
This section describes how to configure your the <strong>Sidewinder</strong> <strong>G2</strong> to work with<br />
an ACE Server for login, SOCKS5, Telnet, FTP, Web, or SSH authentication.<br />
Follow the steps below.<br />
1 Install and configure the ACE server s<strong>of</strong>tware. Be sure to add the<br />
<strong>Sidewinder</strong> <strong>G2</strong> as a client. Refer to your ACE server documentation for<br />
details.<br />
Note: If you need to reinstall <strong>Sidewinder</strong> <strong>G2</strong>, you must disable the Send Node<br />
Secret option in the Edit Client window on the ACE server. This will cause the<br />
ACE server to resend the node secret to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
2 Import the ACE Server configuration file (sdconf.rec) to a directory (for<br />
example, the /tmp directory) on the <strong>Sidewinder</strong> <strong>G2</strong> or directly to the Admin<br />
Console system.<br />
The ACE Server configuration file is created on the ACE Server. It must be<br />
transferred to a temporary location on the <strong>Sidewinder</strong> <strong>G2</strong> or Admin Console<br />
via FTP or diskette.<br />
3 Start the Admin Console and select Services Configuration ><br />
Authentication and click Configure SecurID. The following window<br />
appears.<br />
295
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
296<br />
Figure 136: SecurID<br />
Configuration window<br />
Entering information<br />
on the SecurID<br />
Configuration<br />
window<br />
This window allows you to specify the installation configuration file location.<br />
Follow the steps below.<br />
1 In the Source field, specify whether the configuration file is stored on the<br />
Admin Console (Local File) or on the <strong>Sidewinder</strong> <strong>G2</strong> (Remote File).<br />
2 In the Install Configuration File field, type the path name <strong>of</strong> the file in which<br />
you stored the ACE Server configuration. This is the same file you imported<br />
in step 2 <strong>of</strong> “Setting up SecurID authentication” on page 295.<br />
To browse for the location <strong>of</strong> the configuration file rather than typing it<br />
directly, click Browse.<br />
3 Click OK to save your changes before returning to the Authentication<br />
Configuration window. This assigns the sdconf.rec file the proper Type<br />
Enforcement type and installs the file in the correct <strong>Sidewinder</strong> <strong>G2</strong><br />
directory.<br />
Note: If you want to use SecureID authentication after it is configured, make<br />
sure you enable it in the Authentication Configuration window.<br />
Setting up SecureNet Key (SNK) authentication<br />
To configure your <strong>Sidewinder</strong> <strong>G2</strong> to work with Symantec Defender Security<br />
Server (DSS) for login, SOCKS5, Telnet, FTP, Web, and SSH authentication,<br />
follow the steps below.<br />
Note: Configuring SNK consists <strong>of</strong> performing some configuration tasks on the<br />
DSS and some on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
On the Defender Security System, do the following:<br />
1 Install the Defender Security Server and Defender Management (DMS)<br />
s<strong>of</strong>tware. Refer to your Defender documentation for installation information.<br />
If DSS is already installed in your network, you can skip this step.
Figure 137: SNK<br />
Configuration window<br />
Entering information<br />
on the SNK<br />
Configuration<br />
window<br />
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
2 Register your <strong>Sidewinder</strong> <strong>G2</strong> with the DMS s<strong>of</strong>tware. Refer to your<br />
Defender documentation for registration information.<br />
Important: The Agent ID can consist <strong>of</strong> 1–16 ASCII characters. The Agent Key<br />
must consist <strong>of</strong> exactly 16 hexadecimal digits. The values used in the DMS s<strong>of</strong>tware<br />
must also be entered on your <strong>Sidewinder</strong> <strong>G2</strong> (in step 1 and step 2 on page 297.) If<br />
the values are not identical, the <strong>Sidewinder</strong> <strong>G2</strong> will not accept the login, SOCKS5,<br />
Telnet, FTP, Web, or SSH proxy connections.<br />
3 Use the DMS s<strong>of</strong>tware to create accounts for users. Refer to the DMS<br />
documentation you received from Symantec.<br />
On the <strong>Sidewinder</strong> <strong>G2</strong>, do the following:<br />
4 Start the Admin Console and select Services Configuration ><br />
Authentication and click Configure SNK. The following window appears.<br />
This window is used to configure SecureNet Key (SNK) authentication on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Follow the steps below.<br />
Note: You must configure a primary or backup defender server (or both) before<br />
you can enable SNK authentication.<br />
1 In the <strong>Sidewinder</strong> Agent ID field, type the ID you used when you registered<br />
the <strong>Sidewinder</strong> <strong>G2</strong> with the WinDMS s<strong>of</strong>tware. The ID must match the ID<br />
created in step 2 on page 297 exactly or the connection will not be<br />
accepted.<br />
2 In the <strong>Sidewinder</strong> Agent Key field, type the key you used when you<br />
registered the <strong>Sidewinder</strong> <strong>G2</strong> with the WinDMS s<strong>of</strong>tware. The key must<br />
match the key created in step 2 on page 297 exactly or the connection will<br />
not be accepted.<br />
297
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
298<br />
Figure 138: Windows<br />
Domain configuration<br />
window<br />
3 In the Primary Defender Server area, configure a Primary Defender Server,<br />
as follows:<br />
a In the IP Address field, type the IP address used by the DSS system.<br />
b In the Port Number field, type the port number used by the DSS system.<br />
This number must be larger than 1024.<br />
4 [Optional] In the Backup Defender Server area, do the following:<br />
a In the IP Address field, type the IP address for the backup DSS system.<br />
b In the Port Number field, type the port number used by the backup DSS<br />
system.<br />
5 Click OK to save your changes and return to the Authentication window.<br />
Note: If you want to use SNK authentication after it is configured, make sure<br />
you enable it in the Authentication window.<br />
Setting up Windows Domain authentication<br />
To configure Windows Domain authentication on the <strong>Sidewinder</strong> <strong>G2</strong>, in the<br />
Admin Console select Services Configuration > Authentication and click<br />
Configure Domain. The following window appears.
Entering information<br />
on the Windows<br />
Domain<br />
Configuration<br />
window<br />
Adding or modifying<br />
a Windows domain<br />
controller entry<br />
Chapter 10: Setting Up Authentication<br />
Configuring authentication services<br />
This window is used to configure your <strong>Sidewinder</strong> <strong>G2</strong> to work with a Windows<br />
primary domain controller (PDC) or backup domain controller (BDC).<br />
Using this method also permits you to allow transparent browser<br />
authentication. THis feature may be enabled on a per rule basis with any rule<br />
that uses the HTTP or HTTPS proxy (Policy Configuration > Rules > Proxy ><br />
New > Authentication tab). Windows Domain must be selected as the default<br />
method, with the Allow transparent browser authentication option enabled.<br />
Information on configuring the Windows Domain Controller to work with this<br />
option is found in the related application note at<br />
www.securecomputing.com/goto/appnotes.<br />
Note: If the user’s browser does not support transparent browser authentication,<br />
such as an older version <strong>of</strong> Netscape, the proxy will revert the traditional Windows<br />
Domain authentication method, which prompts users for their credentials.<br />
To configure Windows Domain authentication method, follow the steps below.<br />
1 The Windows Domain Controllers table lists the Windows domain<br />
controllers currently configured for the <strong>Sidewinder</strong> <strong>G2</strong>. To configure the<br />
domain controllers, do one <strong>of</strong> the following:<br />
• New—Click this button to create a new domain controller entry. See<br />
“Adding or modifying a Windows domain controller entry” on page 299<br />
for details.<br />
• Modify—Click this button to modify the selected entry. See “Adding or<br />
modifying a Windows domain controller entry” on page 299 for details.<br />
• Delete—Click this button to remove the selected entry.<br />
2 In the Login Prompt field, specify the login prompt that you want to display<br />
to users when they log in. The default is Username.<br />
3 In the Password Prompt field, specify the password prompt that you want<br />
to display to users when they log in. The default is Password.<br />
4 In the Failed Authentication Message field, specify the message that you<br />
want to display if a user’s authentication attempt fails. The default is Login<br />
incorrect.<br />
5 Click OK to save your changes before returning to the Authentication<br />
Configuration window.<br />
Note: If you want to use Windows Domain authentication after it is configured,<br />
make sure you enable it in the Authentication Configuration window.<br />
Adding or modifying a Windows domain controller entry<br />
The Domain Controller Configuration window is used to add or modify a<br />
domain controller entry. Follow the steps below.<br />
1 In the IP Address field, type the IP address used by the Windows domain<br />
controller.<br />
The Port Number field displays the port used by the Windows domain controller.<br />
The default value is 139. This field cannot be modified.<br />
2 In the Windows Domain Controller Name field, type the name <strong>of</strong> this<br />
Windows domain controller. Type only the host or computer name, not the<br />
fully qualified name. You can determine the name by selecting My<br />
Computer > Control Panel > Network on the Windows controller.<br />
3 Click Add to add the entry to the list <strong>of</strong> Windows domain controllers.<br />
Configuring SSO<br />
Single sign-on (SSO) works in conjunction with a specified authentication<br />
method to cache a user’s initial authentication, thereby allowing access to<br />
multiple services with a single successful authentication to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Figure 139: SSO Configuration tab<br />
This is done by storing the source IP address for a successful authentication in<br />
a cache. All proxy rule services that require authentication will check that<br />
cache for successful authentication. If the source IP address exists in the<br />
cache, transparent authentication based on the initial authentication takes<br />
place and the user is allowed access without manually re-authenticating.<br />
You can configure SSO to expire cached authentications after a specified time<br />
period has passed (for example, you may choose to require each user to reauthenticate<br />
every two hours). You also have the option to require a user to reauthenticate<br />
after a specified period <strong>of</strong> idle time (for example, a user must reauthenticate<br />
if the cached authentication has not been accessed for one hour<br />
or more). You also have the option to manually expire cached authentication<br />
for a specific user(s) or for all users, at any time.<br />
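The cache behaviour just described (source IP address as the key, a forced re-authentication interval, an inactivity timeout, and manual expiry for one user or for all users) as an added example. This is a model written for this page, not the SSO server's own code; the class and method names are assumptions.

```python
"""Model of the SSO authentication cache: one entry per source IP address,
consulted by every proxy rule that requires authentication.

Added example for illustration only; not Sidewinder G2 code. Class and
method names are assumptions; the policy follows the text above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class CachedAuth:
    user: str
    method: str              # method that produced the initial authentication
    authenticated_at: float  # seconds; time of the initial successful login
    last_access: float       # seconds; last time a proxy rule used this entry


class SsoCache:
    """Because the key is the source IP address, hosts that share an address
    (for example behind NAT, or a multi-user terminal server) share the cached
    credential; the two timers bound how long that sharing can last."""

    def __init__(self, force_every: float, inactive_every: float,
                 sso_methods: Set[str]) -> None:
        self.force_every = force_every        # "Force Authentication Every"
        self.inactive_every = inactive_every  # "Authenticate Inactive Users Every"
        self.sso_methods = sso_methods        # methods allowed to establish SSO
        self.entries: Dict[str, CachedAuth] = {}

    def record(self, src_ip: str, user: str, method: str, now: float) -> bool:
        """Store a successful authentication. Returns False when the method is
        not one selected to establish SSO credentials (step 1 of the tab)."""
        if method not in self.sso_methods:
            return False
        self.entries[src_ip] = CachedAuth(user, method, now, now)
        return True

    def lookup(self, src_ip: str, now: float) -> Optional[str]:
        """What a proxy rule requiring authentication does for a new connection:
        return the cached user name if the source IP holds a live entry,
        otherwise None (the user must authenticate)."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return None
        # Forced re-authentication is measured from the initial login ...
        if now - entry.authenticated_at >= self.force_every:
            del self.entries[src_ip]
            return None
        # ... inactivity from the last time the entry was accessed.
        if now - entry.last_access >= self.inactive_every:
            del self.entries[src_ip]
            return None
        entry.last_access = now
        return entry.user

    def expire_user(self, user: str) -> int:
        """Manual expiry for a specific user; returns the entries removed."""
        stale = [ip for ip, e in self.entries.items() if e.user == user]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def expire_all(self) -> int:
        """Manual expiry for all users; returns the entries removed."""
        count = len(self.entries)
        self.entries.clear()
        return count
```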
To configure SSO, in the Admin Console select Services Configuration ><br />
Servers, and select the SSO server. To enable the SSO server, select the<br />
check boxes for the appropriate burbs. To configure the SSO server, select the<br />
Configuration tab. The following window appears.
Entering information on the Single Sign On Configuration tab<br />
This window allows you to configure Single Sign On authentication on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. Follow the steps below.<br />
1 In the Authentication Methods Used to Establish SSO Credentials, select<br />
the authentication methods that will be allowed to store cached<br />
authentication credentials using SSO.<br />
Note: Only authentication methods that have been configured and enabled will<br />
be available to select in this window. For information on the available types <strong>of</strong><br />
authentication, see “Supported authentication methods” on page 277.<br />
2 In the Default Method drop-down list, select the authentication method that<br />
will be used if multiple methods are available and the user does not specify<br />
a method to use during login.<br />
3 If you want to require that a user log in via the SSO Web interface, select<br />
the Require Web Login check box.<br />
4 In the Web Login area, do the following:<br />
a In the Port field, type the port that will be used to log in on the Web. (The<br />
default port is 8111.)<br />
b In the Edit Login Page Banner field, you can configure the Web page<br />
banner that appears when a user successfully logs in. To view the<br />
existing banner, click the corresponding View button. To modify the login<br />
page banner, click the corresponding Edit HTML button. For information<br />
on using the File Editor to configure the banner page, see “Using the<br />
Admin Console File Editor” on page 26.<br />
c In the Edit Logout Page Banner field, you can configure the Web page<br />
banner that appears when a user successfully logs out. To view the<br />
existing banner, click the corresponding View button. To modify the<br />
logout page banner, click the corresponding Edit HTML button. For<br />
information on using the File Editor to configure the banner page, see<br />
“Using the Admin Console File Editor” on page 26.<br />
5 In the Authenticate Inactive Users Every field, specify how long a user’s<br />
account may remain inactive before they must re-authenticate, as follows:<br />
a In the corresponding drop-down list, select the time increment you want<br />
to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,<br />
Months, and Years.<br />
b In the text box, specify the number <strong>of</strong> seconds, minutes, hours, etc.,<br />
before a user will be required to re-authenticate.<br />
6 In the Force Authentication Every fields, specify a time period in which a<br />
user must re-authenticate regardless <strong>of</strong> whether the account is inactive or<br />
being used, as follows:<br />
a In the corresponding drop-down list, select the time increment you want<br />
to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,<br />
Months, and Years.<br />
b In the corresponding text box, specify the number <strong>of</strong> seconds, minutes,<br />
hours, etc., before a user will be required to re-authenticate.<br />
7 Click the Save icon in the toolbar to save your changes and return to the<br />
Authentication Configuration window.<br />
8 Ensure that the pre-configured Single Sign-On proxy rule has been<br />
included in your active rule group (Policy Configuration > Rules). The<br />
Single Sign-On proxy rule is configured to use a pre-configured Secure<br />
Web Application Defense called Single Sign-on, a Secure Web defense<br />
that uses SSL decryption to increase the security <strong>of</strong> data transactions. By<br />
default, that application defense uses the Default_SSL_Cert firewall<br />
certificate created during the initial configuration.<br />
9 Check the host name used in the firewall certificate selected on the Single<br />
Sign-on Secure Web application defense. Ensure that the host name<br />
resolves to the IP address associated with the burb in which SSO is<br />
enabled. For example, if SSO is enabled in the internal burb, the host name<br />
in the associated firewall certificate should resolve to the internal burb’s IP<br />
address.<br />
Note: If you are enabling SSO in multiple burbs, you may require additional<br />
Secure Web defenses, each with a different firewall certificate to match each<br />
additional burb.<br />
10 Ensure that SSO authentication is configured for each rule for which you<br />
want to use SSO (Policy Configuration > Rules > New/Modify ><br />
Authentication tab). See “Creating proxy rules” on page 222 for more<br />
information.<br />
End users will now be able to access multiple services with a single successful<br />
authentication to the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Accessing the Web login and logout pages<br />
When Web Login is configured for SSO, any time a user attempts to access the<br />
Web the login window will appear prompting them to authenticate. A user can<br />
also access the authentication login page by directing their browser to:<br />
https://<strong>Sidewinder</strong><strong>G2</strong>_address.com:8111/sidewinder/login.html<br />
If a user wants to log out <strong>of</strong> the SSO cache manually (before their SSO<br />
authentication cache expires), they can point their browser to:<br />
https://<strong>Sidewinder</strong><strong>G2</strong>_address.com:8111/sidewinder/logout.html<br />
If a browser is configured for the proxy, you will need to configure that browser<br />
to NOT proxy requests going to the <strong>Sidewinder</strong> <strong>G2</strong> on port 8111. The following<br />
steps provide an example <strong>of</strong> configuring an exception using Netscape.<br />
1 Open Netscape and select Edit > Preferences > Advanced > Proxies.<br />
2 Select Manual Proxy Configuration.<br />
3 In the No Proxy For field, type the URL for the <strong>Sidewinder</strong> <strong>G2</strong> (for example,<br />
<strong>G2</strong>name.example.com).<br />
4 Click OK to save the information and exit.<br />
Setting up authentication for services<br />
To require authentication for users who require any services that use<br />
authentication (for example, HTTP, Web, SOCKS5, sshd, VPN, Telnet, FTP,<br />
and the Admin Console), you will need to configure the appropriate proxy<br />
rule(s) for each service, and ensure that they are included in the active proxy<br />
rule group.<br />
You can configure a proxy rule to support multiple authentication methods if<br />
multiple methods have been configured on the <strong>Sidewinder</strong> <strong>G2</strong>. In this scenario,<br />
a user can specify the authentication method that they want the <strong>Sidewinder</strong> <strong>G2</strong><br />
to use when they reply to a login prompt. For example, the following shows<br />
how a user can specify each authentication method from the login prompt:<br />
>: login_name:password<br />
>: login_name:ldap<br />
>: login_name:msnt<br />
>: login_name:snk<br />
>: login_name:securid<br />
>: login_name:safeword<br />
>: login_name:radius<br />
Tip: You only need to enter the first three characters for the name <strong>of</strong> the<br />
authentication method. For example, the following specifies minimum characters<br />
needed for each method:<br />
lda LDAP<br />
msn Windows Domain<br />
pas password<br />
snk SNK<br />
sec SecurID<br />
saf SafeWord<br />
rad Radius<br />
Note: The Default Method drop-down list in the Authentication tab <strong>of</strong> the Rule<br />
window selects the authentication method the <strong>Sidewinder</strong> <strong>G2</strong> uses when the user<br />
does not specify an authentication method during log in.<br />
After you enable an authentication method for a specific proxy rule, users will<br />
have to enter the information required by that method whenever they try to use<br />
a service associated with that rule.<br />
Tip: For standard password authentication, you should inform those users how<br />
they can change their own log in password from their terminal or workstation using<br />
a Web browser such as Netscape or Internet Explorer. See “How users can change<br />
their own password” on page 308.<br />
Special authentication notes<br />
This section provides some special considerations that users should be made<br />
aware <strong>of</strong> regarding Telnet and FTP authenticated connections through the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
• Changing user passwords and PINs for authentication methods<br />
The <strong>Sidewinder</strong> <strong>G2</strong> supports changing user passwords and PINs only<br />
under the Telnet proxy. For example, users can change their DSS password<br />
or their SafeWord PremierAccess PIN via the Telnet proxy. (Refer to the<br />
documentation for your authentication method for information on the commands<br />
used to change passwords and PINs.) Passwords and PINs cannot<br />
be changed using the FTP, Web, or SOCKS5 proxy. The user must either<br />
initiate a Telnet proxy session or they can contact their system administrator.<br />
• Switching authentication methods during a log in session<br />
The <strong>Sidewinder</strong> <strong>G2</strong> allows you to use multiple authentication methods for a<br />
given service (for example, users might use either SafeWord PremierAccess<br />
or SecurID for Telnet authentication). When logging on, if a user specifies<br />
the incorrect authentication method and authenticator, they cannot<br />
then specify a different authentication method. The <strong>Sidewinder</strong> <strong>G2</strong> does not<br />
support changing warders in the middle <strong>of</strong> a session, so the user must<br />
close the session with the incorrect authentication warder and start a new<br />
session specifying the correct authentication warder.<br />
• Sessions through SNK hang if a user ID is not entered before the<br />
connection times out<br />
If you are using SecureNet Key (SNK) for authentication, and a connection<br />
times out before a Telnet or FTP user enters a user ID, the challenge or<br />
password prompts are not sent and the session hangs. Users can escape<br />
from a Telnet session and get a new prompt by simultaneously pressing the<br />
Control and end bracket (]) keys. For FTP sessions, the process must be<br />
terminated.<br />
• Non-authenticated nontransparent FTP proxy prompts for<br />
authentication<br />
Administrators should instruct end users that they will be prompted to supply<br />
a user name, authentication method, and destination, even if the associated<br />
allow rule does not require authentication. This is because the nontransparent<br />
FTP proxy needs the login and destination information in order<br />
to determine which rule will allow the connection.<br />
When end users attempt to connect to the FTP server, the <strong>Sidewinder</strong> <strong>G2</strong><br />
sends them the following prompt:<br />
220-Firewall ftp proxy. You must login to the proxy first.<br />
220 Use proxy-user:auth-method@destination.<br />
Name (g2_ipaddr:proxy-user):<br />
Instruct users to respond to the Name (g2_ipaddr:username): prompt<br />
by entering the @ sign followed by the FTP server’s IP address, as shown<br />
in this example:<br />
Name (g2_ipaddr:proxy-user):@172.1.1.25<br />
Users who incorrectly put a user name before the prompt are still allowed<br />
access to the FTP server through the non-transparent FTP rule that does<br />
not require authentication. The <strong>Sidewinder</strong> <strong>G2</strong> handles entries containing<br />
user names that do not match any existing FTP rule and entries without a<br />
user name in the same manner.<br />
Setting up authentication for Web sessions<br />
You can require users to enter a password before they are allowed Web<br />
access. To do so requires that the user access the Web using either the Web<br />
proxy server or the HTTP proxy, both <strong>of</strong> which can authenticate using either<br />
fixed or one-time passwords, but cannot use a challenge/response form <strong>of</strong><br />
authentication.<br />
Follow these steps to set up Web authentication.<br />
1 Ensure that the authentication method you want to use is configured and<br />
enabled. See “Configuring authentication services” on page 284.<br />
2 Ensure that the Web proxy server or HTTP proxy is configured, enabled,<br />
and is using the proper authentication method.<br />
• To enable and configure the Web proxy server, see “Configuring the<br />
Web proxy server” on page 383.<br />
• To enable and configure the HTTP proxy, see “Configuring proxies” on<br />
page 266.<br />
3 Add or modify proxy rules as needed. You must create one or more rules<br />
that define Web access between two burbs on your <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Note: When using standard password authentication, you may want to allow<br />
users to change their own log in password from their terminal or workstation.<br />
See “Allowing users to change their passwords” on page 306.<br />
Setting up authentication for administrators<br />
By default, all administrators who log into the <strong>Sidewinder</strong> <strong>G2</strong> are authenticated<br />
using standard password authentication. You can configure the <strong>Sidewinder</strong> <strong>G2</strong><br />
to require a stronger authentication for administrator log in methods. To do so,<br />
see “Setting up authentication for services” on page 303 to modify the<br />
appropriate proxy rule(s). For example, you might modify the Login Console<br />
proxy rule.<br />
When an administrator replies to a login: prompt during a console or Telnet<br />
connection request, they can choose the authentication method the <strong>Sidewinder</strong><br />
<strong>G2</strong> should use. For example:<br />
>login: login_name:-password<br />
>login: login_name:-ldap<br />
>login: login_name:-msnt<br />
>login: login_name:-snk<br />
>login: login_name:-securid<br />
>login: login_name:-safeword<br />
>login: login_name:-radius<br />
Note that this is similar to the response entered by your Telnet, FTP, SOCKS5,<br />
and Web users (see “Setting up authentication for services” on page 303),<br />
except that a dash (-) must precede the name <strong>of</strong> the authentication method.<br />
Shortcuts cannot be used; you must enter the entire name.<br />
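The three prompt syntaxes this chapter describes, as one added parser: the service login prompt (login_name:method, with three-character shortcuts), the administrator login: prompt (login_name:-method, dash required, full name required), and the non-transparent FTP proxy prompt (proxy-user:auth-method@destination, or @destination alone). This is example code written for this page, not the firewall's own; the function names are assumptions, while the method names and shortcuts are the ones listed in the text.

```python
"""Parsing of the Sidewinder G2 login-prompt responses described above.

Added example, not the firewall's own code. Function names are assumptions;
method names and three-character shortcuts come from the text.
"""
from typing import Optional, Tuple

# Canonical method names as typed at the prompt, mapped to their labels.
METHODS = {
    "password": "password",
    "ldap": "LDAP",
    "msnt": "Windows Domain",
    "snk": "SNK",
    "securid": "SecurID",
    "safeword": "SafeWord",
    "radius": "Radius",
}


def resolve_method(token: str, allow_shortcut: bool) -> str:
    """Return the canonical method name for what the user typed. With
    allow_shortcut, any unambiguous prefix of at least three characters is
    accepted (lda, msn, pas, snk, sec, saf, rad)."""
    token = token.lower()
    if token in METHODS:
        return token
    if allow_shortcut and len(token) >= 3:
        matches = [m for m in METHODS if m.startswith(token)]
        if len(matches) == 1:
            return matches[0]
    raise ValueError(f"unknown authentication method: {token!r}")


def parse_service_login(response: str, default_method: str) -> Tuple[str, str]:
    """Telnet/FTP/SOCKS5/Web prompt: 'login_name' or 'login_name:method'.
    Without a method, the rule's Default Method applies."""
    name, sep, method = response.partition(":")
    if not name:
        raise ValueError("login name required")
    if not sep or not method:
        return name, default_method
    return name, resolve_method(method, allow_shortcut=True)


def parse_admin_login(response: str, default_method: str) -> Tuple[str, str]:
    """Console/Telnet 'login:' prompt: 'login_name:-method'. The dash is
    mandatory and shortcuts are rejected."""
    name, sep, method = response.partition(":")
    if not name:
        raise ValueError("login name required")
    if not sep or not method:
        return name, default_method
    if not method.startswith("-"):
        raise ValueError("administrator prompt requires '-' before the method")
    return name, resolve_method(method[1:], allow_shortcut=False)


def parse_ftp_name(response: str,
                   default_method: str) -> Tuple[Optional[str], Optional[str], str]:
    """Non-transparent FTP proxy 'Name (...)' prompt. Returns
    (proxy_user, method, destination); user and method are None for the
    '@destination' form, which the proxy matches against rules that do not
    require authentication."""
    userpart, sep, destination = response.rpartition("@")
    if not sep or not destination:
        raise ValueError("destination required: proxy-user:auth-method@destination")
    if not userpart:
        return None, None, destination
    user, method = parse_service_login(userpart, default_method)
    return user, method, destination
```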
Allowing users to change their passwords<br />
The <strong>Sidewinder</strong> <strong>G2</strong> changepw server allows external users to use a Web<br />
browser to change their <strong>Sidewinder</strong> <strong>G2</strong>, SafeWord PremierAccess, or LDAP<br />
login password. The changepw server runs on the firewall burb, and<br />
communicates with other burbs via a proxy. To allow this process to occur, do<br />
the following:<br />
Note: As an administrator, you should inform users how they can change their<br />
own password. See “How users can change their own password” on page 308.<br />
1 Enable the changepw server, as follows:<br />
a In the Admin Console, select Services Configuration > Servers, and<br />
select changepw from the Servers list.<br />
b Enable the changepw server by selecting the Enable radio button. (To<br />
disable the server, select the Disable radio button.)<br />
c Click the Save icon in the upper left portion <strong>of</strong> the window to save your<br />
changes.<br />
2 Create a changepw-form proxy rule and include it in the active proxy rule<br />
group. Table 25 on page 307 summarizes the key settings for this proxy<br />
rule. Refer to “Creating proxy rules” on page 222 for details on using the<br />
Admin Console to create a proxy rule.
Table 25: Proxy rule settings to allow users to change their login passwords<br />
Criteria Setting<br />
Proxy Name: burbname_changeform<br />
Service Type: Proxy<br />
Service: changepw-form<br />
Action: Allow<br />
Source Burb: Desired burb (for example, internal)<br />
Destination Burb: Desired burb (for example, internal)<br />
Source: Site dependent<br />
Destination: localhost (a default host object)<br />
Redirect Host: IPAddr: Firewall (a default IP address object)<br />
User Groups: Site Dependent<br />
Authentication: None<br />
3 Enable the changepw_form proxy for the necessary burb(s).<br />
a Start the Admin Console and select Services Configuration > Proxies.<br />
The Proxies window appears.<br />
b Select the changepw_form proxy from the list <strong>of</strong> proxy names and<br />
enable it for the desired burbs.<br />
c Click the Save icon in the toolbar to save your changes.<br />
4 (Optional: Web proxy only) Update the ERR_SCC_EXPIRED_PASSWORD<br />
file on the <strong>Sidewinder</strong> <strong>G2</strong> by doing the following:<br />
a Change to the /usr/local/squid/etc/errors directory by entering the<br />
following command.<br />
cd /usr/local/squid/etc/errors<br />
b Create a backup copy <strong>of</strong> the ERR_SCC_EXPIRED_PASSWORD file.<br />
cp ERR_SCC_EXPIRED_PASSWORD ERR_SCC_EXPIRED_PASSWORD.orig<br />
c Modify the contents <strong>of</strong> the ERR_SCC_EXPIRED_PASSWORD file as<br />
instructed in the file, for example:<br />
• delete the line “Please follow the instructions your administrator has<br />
given you in order to change your Web proxy password.”<br />
• delete the “
Updating the ERR_SCC_EXPIRED_PASSWORD file in this manner will<br />
cause a link to appear within the user’s browser when their password<br />
expires. The link provides a shortcut to the Password Change Request<br />
Form. If needed you can further customize this file to provide additional<br />
instructions to your users.<br />
5 (Web proxy only) Restart the Web proxy server.<br />
a Select Services Configuration > Servers, and then select WebProxy<br />
from the list <strong>of</strong> server names.<br />
b In the Control tab, select Disable and then click the Save icon.<br />
c Select Enable and then click the Save icon.<br />
Note: Active Web connections may be lost when the Web proxy server is<br />
restarted.<br />
How users can change their own password<br />
Using standard password authentication, you can authenticate trusted and<br />
Internet users who request SOCKS5, FTP, and Telnet access via proxies, and<br />
you can authenticate trusted users who access the Web via the <strong>Sidewinder</strong> <strong>G2</strong><br />
Web proxy server. As an administrator, you should inform those users how<br />
they can change their own password from their terminal or workstation by<br />
using a Web browser. However, there are some restrictions:<br />
• User can only change their own password if using standard password,<br />
SafeWord PremierAccess, or LDAP authentication.<br />
• To allow users to change their log in passwords, you must first configure the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to allow this. See “Allowing users to change their<br />
passwords” on page 306.<br />
1 Start a Web browser.<br />
2 Configure your browser not to proxy requests going to the <strong>Sidewinder</strong> <strong>G2</strong><br />
on port 1999. For example, if you are using a Netscape browser do the<br />
following:<br />
a Open Netscape and select Edit > Preferences > Advanced > Proxies.<br />
b Select Manual Proxy Configuration.<br />
c In the No Proxy For field, type the URL for the <strong>Sidewinder</strong> <strong>G2</strong> (for<br />
example, <strong>G2</strong>name.example.com).<br />
d Click OK to save the information and exit.<br />
3 Open an HTTP connection to the <strong>Sidewinder</strong> <strong>G2</strong>. For example:<br />
http://mysidewinder.example.com:1999/<br />
A pre-defined HTML change password form appears.<br />
4 Enter your user name.<br />
5 Enter your current password. This is your current password for establishing<br />
network connections.
6 Enter your new password. This will be your new password for establishing<br />
network connections.<br />
7 Re-enter the new password. This confirms the spelling <strong>of</strong> the new<br />
password.<br />
8 Select one <strong>of</strong> the following password types:<br />
• If you are changing a <strong>Sidewinder</strong> <strong>G2</strong> login password, select Password.<br />
• If you are changing a SafeWord PremierAccess login password, select<br />
SafeWord.<br />
• If you are changing an LDAP password, select LDAP.<br />
9 Click Send Request.<br />
This sends the change password request to the <strong>Sidewinder</strong> <strong>G2</strong>. You will be<br />
notified if the request failed or if it is accepted. If the request is accepted,<br />
the password database is updated and the new password must be used for<br />
all future connections.<br />
Chapter 11: DNS (Domain Name System)<br />
In this chapter...<br />
What is DNS?...............................................................................312<br />
About mail exchanger records......................................................314<br />
Configuring the internal network to use hosted DNS ...................315<br />
Enabling and disabling your DNS server(s) .................................316<br />
Advanced configurations ..............................................................317<br />
Managing your current DNS configuration ...................................318<br />
Configuring transparent name servers .........................................318<br />
Configuring hosted DNS servers..................................................320<br />
Reconfiguring DNS.......................................................................336<br />
Manually editing DNS configuration files......................................342<br />
DNS message logging..................................................................343<br />
What is DNS?<br />
The domain name system (DNS) is a service that translates host names to IP<br />
addresses, and vice versa. DNS is necessary because while computers use a<br />
numeric addressing scheme to communicate with each other, most individuals<br />
prefer to address computers by name. DNS acts as the translator, matching<br />
computer names with their IP addresses.<br />
Much <strong>of</strong> the traffic that flows into and out <strong>of</strong> your organization must at some<br />
point reference a DNS server. In many organizations this server resides on a<br />
separate, unsecured computer. The <strong>Sidewinder</strong> <strong>G2</strong> provides the additional<br />
option to host the DNS server directly on the <strong>Sidewinder</strong> <strong>G2</strong>, eliminating the<br />
need for an additional computer.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> <strong>of</strong>fers two main DNS configurations: Transparent DNS and<br />
<strong>Sidewinder</strong>-hosted DNS. The sections below explain each configuration<br />
method.<br />
Note: An excellent source <strong>of</strong> information on DNS is the Internet S<strong>of</strong>tware<br />
Consortium Web site at www.isc.org. Some background information is also<br />
provided in the <strong>Sidewinder</strong> <strong>G2</strong> installation documentation. The book DNS and<br />
BIND, by Albitz & Liu (O’Reilly & Associates, Inc.) is also a popular reference.<br />
About transparent DNS<br />
Transparent DNS represents a simplified DNS configuration. When transparent<br />
DNS is configured for the <strong>Sidewinder</strong> <strong>G2</strong>, DNS traffic passes transparently<br />
through the <strong>Sidewinder</strong> <strong>G2</strong> using a proxy. The <strong>Sidewinder</strong> <strong>G2</strong> uses proxy rules<br />
that pass all DNS traffic by proxy to its appropriate burb. DNS requests are<br />
then handled by the remote servers. Other machines do not “see” the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, which means there is minimal disruption to your current DNS<br />
configurations throughout your network.<br />
Configuring transparent DNS requires specifying the IP address <strong>of</strong> one or more<br />
remote DNS servers. (Alternative server addresses may be used for<br />
redundancy.) If a customer is using NAT through the <strong>Sidewinder</strong> <strong>G2</strong>, they<br />
should also have an additional DNS server on the outside <strong>of</strong> their network. The<br />
external DNS server handles the external zones <strong>of</strong> your network and its<br />
addresses. This configuration allows you to control which addresses are visible<br />
to the outside world.<br />
Note: Transparent DNS is designed for simple DNS configurations. Complex DNS<br />
configurations may require DNS services to be hosted directly on the <strong>Sidewinder</strong><br />
<strong>G2</strong>.
About <strong>Sidewinder</strong> hosted DNS<br />
<strong>Sidewinder</strong> hosted DNS represents a more complex DNS configuration that<br />
uses the integrated <strong>Sidewinder</strong> <strong>G2</strong> DNS server. When configured for hosted<br />
services, DNS servers run directly on the <strong>Sidewinder</strong> <strong>G2</strong>. This places the DNS<br />
server(s) on a hardened operating system, preventing attacks against these<br />
servers from penetrating your network.<br />
In a hosted DNS configuration, the <strong>Sidewinder</strong> <strong>G2</strong> requires information about<br />
your DNS authority. Generally, there should be only one “master” name server<br />
for any fully-qualified domain (such as nyc.example.com), also called a “zone”.<br />
There may be many “slave” servers, for redundancy and better performance,<br />
but they derive their information from the one master for each domain.<br />
You can configure <strong>Sidewinder</strong> hosted DNS to use a single server or split<br />
servers as follows:<br />
• Hosted single server DNS—In a <strong>Sidewinder</strong> <strong>G2</strong> hosted single server<br />
configuration, one DNS server is hosted on the <strong>Sidewinder</strong> <strong>G2</strong>. That server<br />
handles all DNS queries. The server is protected by the <strong>Sidewinder</strong> <strong>G2</strong><br />
hardened OS, preventing attacks from penetrating your network. A single<br />
server configuration is generally used when you have no concerns for<br />
keeping your internal network architecture hidden, such as when your<br />
<strong>Sidewinder</strong> <strong>G2</strong> is acting as an “intrawall” between two sets <strong>of</strong> private<br />
addresses. External hosts will need to be reconfigured to point to the<br />
<strong>Sidewinder</strong> <strong>G2</strong> servers.<br />
• Hosted split server DNS—In a <strong>Sidewinder</strong> hosted split server configuration,<br />
two DNS servers are hosted on the <strong>Sidewinder</strong> <strong>G2</strong>: one server (the external<br />
name server) is bound to the external burb and the other server (the<br />
“unbound” name server) is available for use by all internal burbs. Both<br />
servers are protected by the <strong>Sidewinder</strong> <strong>G2</strong> hardened OS, which is able to<br />
prevent attacks against them from penetrating your network.<br />
The security benefit <strong>of</strong> using a <strong>Sidewinder</strong> split server hosted configuration<br />
is the ability to hide the DNS entries on the unbound server from those who<br />
only have access to the external burb. External hosts will need to be reconfigured<br />
to point to the <strong>Sidewinder</strong> <strong>G2</strong> servers.<br />
Important: You must use hosted split DNS if you want the <strong>Sidewinder</strong> <strong>G2</strong> to<br />
hide your private IP addresses (via Network Address Translation).<br />
Tip: Secure Computing recommends splitting the <strong>Sidewinder</strong> <strong>G2</strong> DNS servers<br />
when using hosted DNS.<br />
Chapter 11: DNS (Domain Name System)
Listed below are some additional points about running DNS on your<br />
<strong>Sidewinder</strong> <strong>G2</strong>:<br />
• <strong>Sidewinder</strong> <strong>G2</strong> uses Berkeley Internet Name Domain (BIND 9).<br />
• The boot files for the unbound and the Internet name servers are<br />
/etc/named.conf.u and /etc/named.conf.i, respectively. The boot files<br />
specify corresponding directories: /etc/namedb.u and<br />
/etc/namedb.i. When you boot your <strong>Sidewinder</strong> <strong>G2</strong>, the name server<br />
daemon (named) is started. The /etc/named.conf.u and<br />
/etc/named.conf.i files specify whether the <strong>Sidewinder</strong> <strong>G2</strong> is a master or a<br />
slave name server and list the names <strong>of</strong> the files that contain the DNS<br />
database records.<br />
• If you choose to configure the <strong>Sidewinder</strong> <strong>G2</strong> as a master name server on<br />
either the unbound (internal) or Internet (external) side, you can modify the<br />
/etc/namedb.u/domain-name.db and /etc/namedb.i/domain-name.db files<br />
(where domain-name = your site’s domain name). You can add the default<br />
information that is being advertised for these zones.<br />
• The <strong>Sidewinder</strong> <strong>G2</strong> contains a non-blocking DNS resolver to support<br />
reverse IP address look-ups in the active proxy rule group, and name-to-address
look-ups in the http proxy. The relevant resolver library calls are
gethostbyname() and gethostbyaddr(). The non-blocking DNS resolver<br />
provides a small number <strong>of</strong> DNS resolver daemons (nbresd) that are<br />
handed queries to resolve on behalf <strong>of</strong> the client.<br />
About mail exchanger records
When you set up Sidewinder hosted DNS services for your site, you need to
create mail exchanger (MX) records. MX records advertise that you are
accepting mail for a specific domain(s). If you do not create an MX record for
your domain, name servers and users on the Internet will not know how to
send e-mail to you. When an e-mail message is sent from a site on the
Internet, a DNS query is made in order to find the correct mail exchange (MX)
host for the destination domain. The sender’s mail process then sends the e-mail
to the MX host. The Sidewinder G2, through the use of mailertables, will
forward the mail to the internal mail process, which in turn will forward it to the
internal mail host. See “Editing the mail configuration files” on page 354 for
more information on mailertables.
Consider the example shown in Figure 140. Someone in the Internet, Lloyd,<br />
wants to send one <strong>of</strong> your users, Sharon, an e-mail message, but all Lloyd<br />
knows is Sharon’s e-mail address: sharon@foo.com. The mailer at Lloyd’s site<br />
uses DNS to find the MX record <strong>of</strong> foo.com. Lloyd’s message for Sharon is<br />
then sent to the mailhost listed in the MX record for Sharon’s site.
Figure 140: Mail exchanger example. Lloyd's mailer sends an MX record request for foo.com to the name server for foo.com; the response lists fw.foo.com (the Sidewinder G2) as the MX record for foo.com, and the e-mail message for sharon@foo.com is then sent to fw.foo.com.
A master name server stores and controls your site’s MX records. The master<br />
name server may be in the external burb <strong>of</strong> your <strong>Sidewinder</strong> <strong>G2</strong>, or on a host<br />
outside <strong>of</strong> your network (for example, your Internet service provider). If your<br />
<strong>Sidewinder</strong> <strong>G2</strong> controls the master name server, then you can make any<br />
necessary changes to your MX records; if another host controls your master<br />
name server, then changes have to be made on that host. For more<br />
information on MX records see Chapter 5 <strong>of</strong> DNS and Bind by Albitz & Liu.<br />
For information on creating MX records using the Admin Console, see “Using<br />
the Master Zone Attributes tab” on page 329.<br />
Configuring the internal network to use hosted DNS
If you are going to use transparent proxies to provide Internet services to your
internal users, the internal client workstations must send their name server
queries to the Sidewinder G2 or to other internal name servers that forward
unresolved host names to the Sidewinder G2. There are two ways to set this
up:
• Reference the <strong>Sidewinder</strong> <strong>G2</strong> in any name resolution configuration that the<br />
client workstation may have. For example, a UNIX system uses the /etc/<br />
resolv.conf file to list the name servers that system should query. A name<br />
server reference for the <strong>Sidewinder</strong> <strong>G2</strong> is all that is needed.<br />
• Point client workstations at one or more internal name servers. These<br />
name servers should be authoritative for the internal domain and<br />
configured as slave forwarders, with the <strong>Sidewinder</strong> <strong>G2</strong> as the forwarding<br />
destination.<br />
Enabling and disabling your DNS server(s)
This section describes how to determine the number <strong>of</strong> DNS servers currently<br />
in use. It also describes how to use the Admin Console to enable or disable the<br />
individual DNS servers.<br />
Using master and slave servers in your network<br />
Typically, a company will use two or more DNS servers to provide domain<br />
name service to their customers. This provides for load balancing and<br />
redundancy. When more than one DNS server is used, the local administrator<br />
designates one DNS server to host the “master” zone files. The other DNS<br />
servers are slave servers that merely retrieve copies <strong>of</strong> the zone files from the<br />
master server. To outside users there is no indication or need to know about<br />
which <strong>of</strong> the multiple servers is the master. They all provide equally<br />
authoritative answers to all queries. The designation <strong>of</strong> which DNS server will<br />
be the master is only significant to the DNS administrator, because changes<br />
are made only at the master DNS server and not at the individual slave<br />
servers.<br />
Important: When DNS servers are in an HA cluster, Secure Computing recommends
configuring the Sidewinder G2 name servers as DNS slaves for authoritative zones.
This allows the master DNS servers to update both Sidewinder G2s in the HA
cluster. If you do not configure the Sidewinder G2 name servers as DNS slaves for
authoritative zones, DNS changes will not be made to the secondary Sidewinder
G2 unless it is rebooted.
Determining the number <strong>of</strong> DNS servers defined on<br />
<strong>Sidewinder</strong> <strong>G2</strong><br />
You can use the Admin Console to display the number <strong>of</strong> DNS servers<br />
currently defined on your <strong>Sidewinder</strong> <strong>G2</strong>. Select Services Configuration ><br />
Servers and view the Server Name field:<br />
• If the named-internet and named-unbound servers appear, it means there<br />
are two DNS servers (split DNS).<br />
• If only the named-unbound server appears, it means there is only one DNS<br />
server (single DNS).<br />
• If neither the named-internet nor named-unbound server appear, it means<br />
<strong>Sidewinder</strong> <strong>G2</strong> is using the DNS proxy (transparent DNS).<br />
To modify the <strong>Sidewinder</strong> <strong>G2</strong>’s DNS configuration, you must use the<br />
Reconfigure DNS window. See “Reconfiguring DNS” on page 336 for<br />
information.
Enabling and disabling hosted DNS servers
When you configure <strong>Sidewinder</strong> hosted DNS services, the <strong>Sidewinder</strong> <strong>G2</strong> will<br />
use either one or two DNS servers. The DNS server(s) start automatically<br />
when you boot the <strong>Sidewinder</strong> <strong>G2</strong>. If you need to manually enable or disable a<br />
DNS server, follow the steps in this section.<br />
Keep the following points in mind, however, if you decide to disable a<br />
<strong>Sidewinder</strong> hosted DNS server.<br />
• If you have one DNS server<br />
In this situation the server is known as an unbound DNS server. If you disable<br />
the DNS server, only connections that use IP addresses will still work;<br />
those that use host names will not.<br />
• If you have two DNS servers<br />
This situation is also known as split DNS mode. Note the following:<br />
– If you disable the Unbound DNS server, connections that use IP<br />
addresses will still work; those that use host names will not.<br />
– If you disable the Internet server, external connections that require host<br />
names will not work unless the name is already cached (saved) in the<br />
unbound name server’s database. Connections that use IP addresses<br />
will work. E-mail will be placed in a queue since IP addresses cannot be<br />
resolved.<br />
– If you disable both name servers, connections will work only if they use<br />
IP addresses rather than host names. Also, mail will not work and other<br />
errors will happen as other parts <strong>of</strong> the system attempt to access the<br />
network by name.<br />
In either case, once you disable a server the server will remain disabled<br />
until you enable it again.<br />
Advanced configurations
Note: The following information applies only if you have a DNS server configured
on the Sidewinder G2.
If your site has multiple internal domains, and there are name servers for each<br />
<strong>of</strong> these domains, the <strong>Sidewinder</strong> <strong>G2</strong> must be designated as an authoritative<br />
name server for all <strong>of</strong> the internal domains (the internal name servers also may<br />
be authoritative for one or more <strong>of</strong> the internal domains). This must occur<br />
regardless <strong>of</strong> whether the <strong>Sidewinder</strong> <strong>G2</strong> is a master or a slave name server.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> must be an authoritative name server for all internal<br />
domains so that it can resolve queries for the internal domains. The <strong>Sidewinder</strong><br />
<strong>G2</strong> will otherwise automatically forward these internal name queries to the<br />
Internet, and the query will not be resolved.<br />
In split DNS mode, if a DNS name occurs in the database <strong>of</strong> both servers, the<br />
name will resolve differently depending on the server that is queried. This<br />
occurs when the <strong>Sidewinder</strong> <strong>G2</strong> is authoritative for the same domain both<br />
internally and externally. Because <strong>of</strong> this issue, if you try to access the Internet<br />
side <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> from an internal workstation you must use the<br />
appropriate machine name. For example, if the name <strong>of</strong> your <strong>Sidewinder</strong> <strong>G2</strong> is<br />
“chloe,” then use the machine name “chloe-Internet.” This entry is<br />
automatically created during installation. For more information on DNS see<br />
DNS and BIND by Albitz & Liu, 3rd edition (O’Reilly).<br />
Managing your current DNS configuration
You initially configure your DNS servers during the installation process. If you
want to make changes to your existing DNS configuration, you can use one of
two methods:
• Admin Console—Using the Admin Console, you can do the following:<br />
– Configure DNS servers via Services Configuration > DNS. The DNS<br />
server window enables you to configure the basic DNS settings as well<br />
as configure many advanced options. See “Configuring transparent<br />
name servers” on page 318 for details.<br />
– Completely reconfigure your DNS settings (for example, change from<br />
transparent to <strong>Sidewinder</strong> hosted or vice versa) via Tools > Reconfigure<br />
DNS. See “Reconfiguring DNS” on page 336 for details.<br />
Note: Using the Admin Console to modify your DNS configuration will remove<br />
any comments you may have manually inserted into the DNS configuration<br />
files.<br />
• Manual—You can also manually edit the DNS configuration files. This<br />
should only be attempted by highly skilled DNS administrators. See<br />
“Manually editing DNS configuration files” on page 342 for details.<br />
The sections that follow provide information on each method.<br />
Configuring transparent name servers
If you have configured DNS to use transparent services, you can add, modify,
or delete transparent name servers. In the Admin Console, select Services
Configuration > DNS. The Transparent DNS Configuration window appears.
Note: If you want to completely reconfigure your existing DNS configuration (for<br />
example, change from transparent DNS to <strong>Sidewinder</strong> hosted DNS or vice versa),<br />
you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 336<br />
for details.
Figure 141: Transparent DNS Configuration window
About the Transparent DNS Configuration window
This window allows you to configure name servers for transparent DNS<br />
services. You can specify the burb to which the name servers will be assigned<br />
from the Burb drop-down list. The order in which the servers appear indicates<br />
the order in which <strong>Sidewinder</strong> <strong>G2</strong> queries them.<br />
• To delete a name server, select the name server and click Delete.<br />
• To change the name servers’ order, select a name server and click the Up<br />
and Down buttons as appropriate.<br />
• To add a new name server to the list, click New. To modify a name server,<br />
highlight the name server and click Modify. The Transparent: New/Modify<br />
Nameserver window appears.<br />
Figure 142: Transparent: New/Modify Nameserver window
About the New/Modify Nameserver window
This window allows you to add a new name server to the list of name servers
configured for transparent services. Type the IP address for the name server
you want to add or modify in the Nameserver IP Address field, and click OK to
add the name server to the list.
Configuring hosted DNS servers
If you have configured DNS to use <strong>Sidewinder</strong> hosted services (single or split),<br />
you can define various name server information. In the Admin Console, select<br />
Services Configuration > DNS. The DNS window contains four tabs that allow<br />
you to define specific name server information.<br />
Note: If you want to completely reconfigure your existing DNS configuration (for<br />
example, change from transparent DNS to <strong>Sidewinder</strong> hosted DNS or vice versa),<br />
you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 336<br />
for details.<br />
Figure 143: Sidewinder Hosted DNS window
About the Sidewinder hosted DNS window
This window allows you to configure your Sidewinder hosted DNS server(s). It
contains the following tabs.
• The Server Configuration tab is used to configure general information<br />
about a name server. See “Configuring the Server Configuration tab” on<br />
page 322 for details.<br />
• The Zones tab defines each <strong>of</strong> the master and slave zones associated with<br />
the selected name server. See “Configuring the Zones tab” on page 325 for<br />
details.<br />
• The Master Zone Attributes tab is used to configure attributes for each<br />
master zone defined on the Zones tab. See “Using the Master Zone<br />
Attributes tab” on page 329 for details.<br />
• The Master Zone Contents tab defines the hosts associated with each<br />
master zone defined on the Zones tab. See “Using the Master Zone<br />
Contents tab” on page 333 for details.
Figure 144 illustrates the different DNS objects you can configure, how they<br />
relate to each other, and which tab is used to configure each object.<br />
Figure 144: DNS objects and the tab used to configure each object

DNS Object                                         Where Defined
Name server                                        Server Configuration tab
Zones (consists of forward and reverse lookups)    Zones tab
Individual hosts within each zone                  Master Zone Attributes tab and Master Zone Contents tab

The figure shows one Name Server object containing several Zone objects.
Configuring the Server Configuration tab
The Server Configuration tab is used to define configuration settings for the<br />
selected name server. When you select the Server Configuration tab a window<br />
similar to the following appears.<br />
Figure 145: DNS Server Configuration tab
About the Server Configuration tab
This window allows you to define alternate name servers that will be contacted
if a query cannot be resolved by the selected name server. The alternate name
servers are called forwarders. This window is also used to define advanced
configuration settings for the name server. To modify the Server Configuration
tab, follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from<br />
<strong>Sidewinder</strong> hosted single server to split server), click Reconfigure DNS.<br />
1 In the Modify Server For field, select the name server that you want to<br />
modify.<br />
Note: The File Directory displays the name and location <strong>of</strong> the files used to<br />
store information about this server. This field cannot be modified.<br />
2 In the Do Forwarding field, specify whether the name server will forward<br />
queries it cannot answer to another name server. In a split DNS<br />
configuration, when modifying the unbound name server this field will<br />
default to Yes and will forward these unresolved queries to the Internet<br />
server (127.x.0.1, where x = the external [or Internet] burb number).<br />
Forwarding occurs only on those queries for which the server is not authoritative<br />
and does not have the answer in its cache.<br />
3 [Conditional] If you selected Yes in the previous step, configure the Forward<br />
Only field. Specify the following:
• If you select Yes, the name server will forward queries it cannot answer<br />
to the name servers listed in the Forward To list only. This is the default.<br />
• If you select No, the name server forwards the query to the name<br />
servers listed in the Forward To list. If they cannot answer the query, the<br />
name server attempts to contact the root server.<br />
4 In the Forward To field, specify the alternate name servers that will be used<br />
when attempting to resolve a query. This list is consulted only if Yes is<br />
selected in the Do Forwarding field. If multiple name servers are defined,<br />
the name servers are consulted in the order listed until the query is<br />
resolved. In a split DNS configuration, when modifying the unbound name<br />
server this list will by default contain four entries for the Internet name<br />
server (127.x.0.1, where x = the external [or Internet] burb number).<br />
Important: If you are using a split DNS configuration, Secure Computing<br />
strongly recommends against defining additional alternate name servers for the<br />
unbound name server. The Internet (or external) name server should be the<br />
only alternate name server defined in this situation.<br />
5 To add another entry to the list <strong>of</strong> authorized name servers, click New under<br />
the Forward To list. See “Entering information on the Forwarding IP<br />
Address window” on page 323 for information on adding a new entry.<br />
6 To delete a name server from the Forward To list, highlight the name server<br />
you want to delete and click Delete.<br />
7 [Conditional] To modify an advanced configuration setting for the name<br />
server, click Advanced. For more information on modifying the Advanced<br />
Server Options window, see “Entering information on the Advanced Server<br />
Options window” on page 324.<br />
Important: Only experienced DNS administrators should modify an advanced<br />
configuration setting.<br />
8 Click the Save icon in the toolbar to save your changes. To configure<br />
additional name server information, see “About the Zones tab” on page<br />
325.<br />
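As an added illustration (not code from the guide or the Sidewinder G2), the following Python model applies the forwarding rules of steps 2 to 4 to a hosted split configuration, together with the earlier points that a name present in both servers' databases resolves differently depending on which server is asked, and that a disabled Internet server leaves only cached external names resolvable. The server names, zone contents and addresses are constructed for the example.

```python
"""Hosted split DNS query handling as the guide describes it (constructed model).

Added example, not code from the Sidewinder G2 or its guide. A server answers
from its own zones first, then its cache, then (Do Forwarding = Yes) from the
Forward To servers in order; with Forward Only = No it finally asks the root
servers. Server names, zone contents and addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stand-in for iterative resolution from the root servers (constructed data).
ROOT_ANSWERS = {"www.example.net": "203.0.113.80"}


@dataclass
class NameServer:
    name: str
    zones: Dict[str, Dict[str, str]]          # zone -> {fqdn: address}
    do_forwarding: bool = False               # "Do Forwarding" field
    forward_only: bool = True                 # "Forward Only" field
    forward_to: List["NameServer"] = field(default_factory=list)
    enabled: bool = True                      # cleared when the server is disabled
    cache: Dict[str, str] = field(default_factory=dict)

    def is_authoritative_for(self, qname: str) -> bool:
        return any(qname == z or qname.endswith("." + z) for z in self.zones)


def resolve(server: NameServer, qname: str,
            trace: Optional[List[str]] = None) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, sources consulted in order)."""
    trace = [] if trace is None else trace
    if not server.enabled:
        trace.append(server.name + "(disabled)")
        return None, trace
    trace.append(server.name)
    # 1. Authoritative data is answered locally and never forwarded, even when
    #    the name is missing from the zone (a negative answer).
    if server.is_authoritative_for(qname):
        for records in server.zones.values():
            if qname in records:
                return records[qname], trace
        return None, trace
    # 2. A cached answer from an earlier query.
    if qname in server.cache:
        trace.append(server.name + ":cache")
        return server.cache[qname], trace
    # 3. Forwarders, consulted in the order listed.
    if server.do_forwarding:
        for fwd in server.forward_to:
            addr, _ = resolve(fwd, qname, trace)
            if addr is not None:
                server.cache[qname] = addr
                return addr, trace
        if server.forward_only:               # Forward Only = Yes: give up here
            return None, trace
    # 4. Forward Only = No (or no forwarding at all): ask the root servers.
    trace.append("root")
    addr = ROOT_ANSWERS.get(qname)
    if addr is not None:
        server.cache[qname] = addr
    return addr, trace


def build_split_dns() -> Tuple[NameServer, NameServer]:
    """Unbound and Internet servers, both authoritative for foo.com with
    different contents; the unbound server forwards only to the Internet one."""
    internet = NameServer("named-internet",
                          {"foo.com": {"chloe.foo.com": "198.51.100.1"}})
    unbound = NameServer("named-unbound", {"foo.com": {
        "chloe.foo.com": "10.0.0.1",                 # internal face
        "chloe-Internet.foo.com": "198.51.100.1",    # external face, for inside use
        "mail.foo.com": "10.0.0.25"}},
        do_forwarding=True, forward_only=True, forward_to=[internet])
    return unbound, internet


if __name__ == "__main__":
    unbound, internet = build_split_dns()
    print(resolve(unbound, "chloe.foo.com"))     # ('10.0.0.1', ['named-unbound'])
    print(resolve(internet, "chloe.foo.com"))    # ('198.51.100.1', ['named-internet'])
    print(resolve(unbound, "www.example.net"))   # forwarded to named-internet, then root
    internet.enabled = False
    print(resolve(unbound, "www.example.net"))   # still answered from the unbound cache
    print(resolve(unbound, "mail.example.net"))  # (None, [..., 'named-internet(disabled)'])
```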
Entering information on the Forwarding IP Address window
This window is used to add an entry to the list of alternate name servers. The
alternate name servers are consulted if the primary name server cannot
resolve a query. Follow the steps below.
1 In the Forward to IP Address field, type the IP address <strong>of</strong> the alternate<br />
name server. Use the standard quad notation when typing the IP address<br />
(for example, 1.1.1.1).<br />
2 Click Add to save the specified IP address to the list <strong>of</strong> alternate name<br />
servers.<br />
3 When you are finished adding alternate name servers, click Close.<br />
Entering information on the Advanced Server Options window
The Advanced Server Options window is used to define some <strong>of</strong> the more<br />
advanced DNS name server options.<br />
• Do not change these options unless you are an experienced DNS system<br />
administrator.<br />
• By default, the options on this window are disabled, meaning there are no<br />
restrictions. If your organization considers this to be a security risk, you<br />
should use these options to limit the amount <strong>of</strong> interaction this name server<br />
has with other devices. Use your organization’s security policy as a guide.<br />
To modify advanced server options, follow the steps below.<br />
1 To enable the notify option, select the corresponding check box. Enabling<br />
this option allows you to specify whether the master server will notify all<br />
slave servers when a zone file changes. The notification indicates to the<br />
slaves that the contents <strong>of</strong> the master have changed and a zone transfer is<br />
necessary.<br />
If this field is not selected, the field defaults to Yes.<br />
2 To enable the allow-query option, select the corresponding check box.<br />
Selecting this option affects who is able to query this name server. The<br />
options are the following:<br />
• If not selected, all requesters are authorized to query the name server.<br />
This is the default.<br />
• If selected and contains IP addresses, only the requesters defined in the<br />
allow-query list will be authorized to query this name server. Use the<br />
New and Delete buttons to modify this list. See “Adding an IP address”<br />
on page 325 for details on using the New button.<br />
Note: If you select this option, be sure to include all IP addresses that might<br />
need to query the server, such as the heartbeat burbs’ IP addresses,<br />
loopback addresses, etc.<br />
3 To enable the allow-transfer option, select the corresponding check box.<br />
Selecting this option allows you to limit who is authorized to request zone<br />
transfers from this name server.<br />
• If not selected, all requesters are authorized to transfer zones from the<br />
name server. This is the default.<br />
• If selected and no IP addresses are added, no requesters will be<br />
authorized to transfer zones from this name server.<br />
• If selected and contains IP addresses, only the requesters defined in the<br />
allow-transfer list will be authorized to transfer zones from this name<br />
server. Use the New and Delete buttons to modify this list. See “Adding<br />
an IP address” on page 325 for details on using the New button.<br />
4 Click OK to save your changes.
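The following added Python audit (not Sidewinder G2 code) reads a BIND 9 named.conf and reports which of the options above are left at their unrestricted defaults, treating a zone-level allow-transfer as overriding the global one in the way the Advanced Zone Configuration window does. The sample configuration, its zones and addresses, and the 127.2.0.1 Internet-server address (an assumed external burb number 2) are constructed.

```python
"""Audit a BIND 9 named.conf for the Advanced Server Options settings.

Added example, not Sidewinder G2 code. The sample imitates an
/etc/named.conf.u; the zones and addresses are made up, and 127.2.0.1 is
an assumed Internet-server address for an external burb numbered 2.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_NAMED_CONF = """\
options {
    directory "/etc/namedb.u";
    forward only;
    forwarders { 127.2.0.1; 127.2.0.1; 127.2.0.1; 127.2.0.1; };
    // allow-query and allow-transfer not set: no restrictions (the default)
};
zone "foo.com" {
    type master;
    file "foo.com.db";
};
zone "0.0.10.in-addr.arpa" {
    type slave;
    file "0.0.10.in-addr.arpa.db";
    masters { 10.0.0.53; };
    allow-transfer { none; };
};
zone "0.1.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    allow-transfer { 127.0.0.1; };
    notify no;
};
"""

BLOCK_START = re.compile(r'\s*([\w-]+)\s*(?:"([^"]*)")?\s*\{')


def strip_comments(text: str) -> str:
    """Drop //, # and /* */ comments so a commented-out directive is not counted."""
    return re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', text, flags=re.S)


def top_level_blocks(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (keyword, quoted argument, body) for each top-level { } block."""
    blocks, i = [], 0
    while True:
        m = BLOCK_START.match(text, i)
        if not m:
            return blocks
        depth, j = 1, m.end()
        while depth:                        # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append((m.group(1), m.group(2), text[m.end():j - 1]))
        i = text.index(";", j) + 1          # step past the '};' terminator


def acl(body: str, name: str) -> Optional[List[str]]:
    """Address list of 'name { a; b; };' or None when the directive is absent."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % name, body)
    return None if m is None else [v.strip() for v in m.group(1).split(";") if v.strip()]


def flag(body: str, name: str) -> Optional[str]:
    """Value of a one-word directive such as 'type master;' or 'notify no;'."""
    m = re.search(r'\b%s\s+([\w-]+)\s*;' % name, body)
    return m.group(1) if m else None


def audit(conf: str) -> Dict[str, List[str]]:
    """Map 'options' and each 'zone <name>' to its findings; no key means none."""
    blocks = top_level_blocks(strip_comments(conf))
    options = next((b for k, _, b in blocks if k == "options"), "")
    report: Dict[str, List[str]] = {}
    if acl(options, "allow-query") is None:
        report["options"] = ["allow-query not set: all requesters may query this server"]
    if flag(options, "forward") == "only" and not acl(options, "forwarders"):
        report.setdefault("options", []).append(
            "forward only with no forwarders: unresolved queries will fail")
    for kw, name, body in blocks:
        if kw != "zone":
            continue
        ztype, issues = flag(body, "type"), []
        xfer = acl(body, "allow-transfer")          # zone-level setting wins ...
        if xfer is None:
            xfer = acl(options, "allow-transfer")   # ... else the global one applies
        if ztype in ("master", "slave") and xfer is None:
            issues.append("allow-transfer not set: any host may request a zone transfer")
        if ztype == "slave" and not acl(body, "masters"):
            issues.append("slave zone has no masters list: zone transfers cannot occur")
        if ztype == "master" and flag(body, "notify") is None:
            issues.append("notify not set: defaults to yes (all slaves are notified)")
        if issues:
            report["zone " + name] = issues
    return report
```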
Adding an IP address
This window is used to add a new IP address to the selected list in the<br />
Advanced Server Options window. To add a new IP address, type the IP<br />
address <strong>of</strong> the name server you want to add in the IP Address field. Click Add<br />
and then click Close to add the specified IP address to the name server list.<br />
Configuring the Zones tab<br />
A DNS server is responsible for serving one or more zones. A zone is a distinct<br />
portion <strong>of</strong> the domain name space. A zone consists <strong>of</strong> a domain or a<br />
subdomain (for example, securecomputing.com or<br />
sales.securecomputing.com). Each zone can be configured as either a master,<br />
slave or forward zone on this name server.<br />
When you select the Zones tab, a window similar to the following appears.
Figure 146: DNS Zones window
About the Zones tab
This tab is used to define zone information about the name server. Follow the
steps below.
Note: To completely reconfigure your DNS settings (for example, change from<br />
<strong>Sidewinder</strong> hosted single server to split server), click Reconfigure DNS.<br />
1 In the Modify Server For field, select the name server that you want to<br />
modify.<br />
2 The Zones list defines the zones for which the name server is authoritative.<br />
This list initially contains a zone entry for each domain and each network<br />
interface defined to the <strong>Sidewinder</strong> <strong>G2</strong>. You can add or delete server<br />
entries as follows:<br />
• To add a new zone to the list, click New and see “About the Zone List<br />
window” on page 327 for details.<br />
• To delete a zone, highlight a zone and click Delete.<br />
Secure Computing strongly recommends against deleting or modifying the<br />
following entries:<br />
• Any 127 reverse zones (for example, 0.1.127.in-addr.arpa). These<br />
zones represent local loopback addresses and are required.<br />
• The zone with 192.239 in its name. This zone provides multicast<br />
support for the <strong>Sidewinder</strong> <strong>G2</strong> failover feature.<br />
There can be two different types <strong>of</strong> entries in the Zone list:<br />
• Reverse zones (for example, 4.3.in-addr.arpa): This format indicates the<br />
entry provides reverse lookup functions for this zone.<br />
• Forward zones (for example, example.com): This format indicates the<br />
entry provides forward lookup functions for this zone.<br />
The Related Zones list displays the zones that are related to the selected<br />
zone. For example, if a forward zone is selected, the related reverse lookup<br />
zones are displayed. This list cannot be modified.<br />
3 In the Zone Type field, specify whether the selected zone is a master zone,<br />
a slave zone, or a forward zone, as follows:<br />
• Master—A master zone is a zone for which the name server is<br />
authoritative. Many organizations define a master zone for each subdomain<br />
within the network. Administrators should only make changes to<br />
zones defined as a master.<br />
Important: You should consider defining a matching reverse zone (an
in-addr.arpa zone) for each master zone you configure.
• Slave—A slave zone is a zone for which the name server is<br />
authoritative. Unlike a master zone, however, the slave zone’s data is<br />
periodically transferred from another name server that is also<br />
authoritative for the zone (usually, the master). If you select Slave, the<br />
Master Servers field becomes active. Be sure to use the Master Servers<br />
field to define the name server that will provide zone transfer information<br />
for this slave zone. Administrators should not make changes to zones<br />
defined as a slave.<br />
Caution: When changing a zone from slave to master, the Admin Console
changes the slave file into a master file and the file becomes the lookup<br />
manager for the zone. The DNS server will have no problems understanding<br />
and using the new master file. For large zones (class A or B), however, this<br />
file may become too complex to be managed properly using the Admin<br />
Console. Secure Computing recommends either leaving large zones as<br />
slaves on the <strong>Sidewinder</strong> <strong>G2</strong> or manually modifying these files.<br />
• Forward—A forward zone allows you to specify that queries for names<br />
in the zone are forwarded to another name server.
4 In the Zone File Name field, specify the name of the file that is used to store information about this zone. The file is located in the directory specified in the File Directory field on the Server Configuration tab. Secure Computing does not recommend changing this name.
5 [Conditional] When Zone Type is Forward, the Forwarders list defines one or more forwarders for a zone. You can add or delete forwarder entries as follows:
• To add a new forwarder to the list, click New and see “Adding an IP address” on page 325 for details.
• To delete a forwarder, select that item and click Delete.
6 [Conditional] When the Zone Type is Slave, the Master Servers list defines one or more master name servers that are authorized to transfer zone files to the slave zone. You can add or delete server entries as follows:
• To add a new master server to the list, click New and see “Adding an IP address” on page 325 for details.
• To delete a master server, highlight a server and click Delete.
7 [Conditional] To modify an advanced configuration setting for the selected zone, click Advanced. For more information on modifying the Advanced Server Options window, see “About the Advanced Zone Configuration window” on page 327.
Important: Only experienced DNS administrators should modify an advanced configuration setting.
8 Click the Save icon in the toolbar to save your changes. To configure additional name server information, see “About the Zone List window” on page 327.
About the Zone List window
This window is used to add a new zone entry. In the Zone Name field, type the name of the forward or reverse zone you want to add to the list. Click Add and then click Close to exit this window.
About the Advanced Zone Configuration window
The Advanced Zone Configuration window is used to define some of the more advanced zone configuration options. This window allows you to configure certain options specifically for the selected zone, overriding similar options that may be configured for the global name server (the Unbound or the Internet name server). Follow the steps below.
Important: Only experienced DNS administrators should modify an advanced configuration setting.
1 To enable the notify option, select the corresponding check box. Enabling this option allows you to specify whether the master server will notify all slave servers when the zone changes. The notification indicates to the slaves that the contents of the master have changed and a zone transfer is necessary. The name servers that are notified are those defined in the Zone NS Records field on the Master Zone Attributes tab.
If this field is not selected, the field defaults to Yes.
2 To enable the allow-query option, select the corresponding check box. Selecting this option affects who is able to query this zone. The options are the following:
• If not selected, all requesters are authorized to query the zone. This is the default.
• If selected and contains IP addresses, only the requesters defined in the allow-query list will be authorized to query this zone. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 325 for details on using the New button.
Note: If you select this option, be sure to include all IP addresses that might need to query the zone, such as the heartbeat burbs’ IP addresses, loopback addresses, etc.
3 To enable the allow-update option, select the corresponding check box. Selecting this option allows you to specify from whom the zone will accept dynamic DNS updates. If this option is selected, only the hosts in the allow-update list are authorized to update this zone. This option is only valid for master zones. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 325 for details on using the New button.
By default the allow-update option is not selected, meaning the server will deny updates from all hosts.
4 To enable the allow-transfer option, select the corresponding check box. Selecting this option allows you to limit who is authorized to request zone transfers from this zone.
• If not selected, all requesters are authorized to transfer this zone from the name server. This is the default.
• If selected and no IP addresses are added, no requesters will be authorized to transfer this zone from the name server.
• If selected and contains IP addresses, only the requesters defined in the allow-transfer list will be authorized to transfer the zone from the name server. Use the New and Delete buttons to modify this list. See “Adding an IP address” on page 325 for details on using the New button.
Using the Master Zone Attributes tab
The Master Zone Attributes tab is used to configure attributes for each master zone defined on the Zones tab. Slave zones are not included on this tab because you can only define attributes for those zones for which you are the master.
When you select the Master Zone Attributes tab a window similar to the following appears.
Figure 147: Master Zone Attributes tab
About the Master Zone Attributes tab
This window is used to define the attributes of each master zone defined for the selected name server. In particular, it defines the Name Server record(s) and the Start of Authority (SOA) record for each master zone. The window also enables you to define Mail Exchanger (MX) records for those entries that are forward lookup zones. Follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to modify.
The Master Zones list defines the zones for which the name server is master. A plus sign (+) will appear in front of any forward lookup zone that contains one or more sub-domains. Click the plus sign to view the sub-domains.
To modify an entry in the list, click the entry name. A menu of options used to characterize the selected entry is presented on the right side of the window.
Note: The Forward Zone Name/Reverse Zone Name field displays the full zone name associated with the entry selected in the Master Zones list.
2 To modify the Zone SOA tab, click the tab and follow the sub-steps below.
The fields on the Zone SOA tab collectively define one Start Of Authority (SOA) record. An SOA record controls how master and slave zones interoperate.
The DNS Serial # field displays the revision number of this SOA record. This field will increment by one each time you modify this zone. Slave zones use this field to determine if their zone files are out-of-date. You cannot modify this field. (See sub-step b for more details.)
a In the DNS Contact field, specify the name of the technical contact that can answer questions about this zone. The name must be a fully-qualified name, with the @ character replaced by a period (for example, hostmaster.domain.com).
b In the Refresh (seconds) field, specify how often a slave will check this zone for new zone files. The slave uses the DNS Serial # value to determine if its zone files need to be updated. For example, if the slave’s DNS serial number is 4 and the master zone’s DNS serial number is 5, the slave knows that its zone files are out-of-date and it will download the updated zone files. Values must be positive integers. The default value is 3600 (1 hour).
c In the Retry (seconds) field, specify how long a slave should wait to try another refresh following an unsuccessful refresh attempt. Values must be positive integers.
d In the Expiration (seconds) field, specify how long a slave can go without updating its data before expiring its data. For example, assume you set this value to 604800 (one week). If the slave is unable to contact this master zone for one week, the slave’s resource records will expire. Queries to the slave will then be treated as if that DNS server is not authoritative for that domain (zone), resulting in a recursive search or forwarding, depending on how the slave is configured. Values must be positive integers.
e In the TTL (seconds) field, specify the time to live (TTL) value. This value defines how long a resource record from this zone can be cached by another name server before it expires the record. The value specified here is used as the default in records that do not specify a TTL value. Values must be positive integers.
f To add a sub-domain to the selected zone, click Add Sub. This button is only available if a forward lookup zone is selected in the Zones list. For information on adding a sub-domain, see “Adding a forward lookup sub-domain” on page 331.
g To delete a sub-domain from the selected zone, click Delete Sub. This button is only available if a forward lookup zone is selected in the Zones list. See “Deleting a forward lookup sub-domain” on page 332 for details.
3 To modify the Zone Records tab, click the tab. This tab contains NS (Name Server) and MX (Mail Exchange) records for forward zones. This tab contains only NS Records for reverse zones.
The Name Servers table contains DNS NS records that indicate what machines will act as name servers for this zone. By default the table contains an entry for the machine you are currently using. (To add or delete an entry use the New or Delete buttons, respectively. See “Adding an NS record” on page 332 for details on adding a new entry.)
If this zone is configured to notify all slave servers when a zone file changes (see “About the Advanced Zone Configuration window” on page 327 for a description of the notify field), the notify commands are sent to all NS hosts specified here.
The Zone MX Records list is available only if the selected zone entry is a forward lookup entry. It is used to specify entries in the Mail Exchangers table for the selected zone. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the selected domain. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 332 for details on adding a new MX record entry.
The Zone A Record field is available only if the selected zone entry is a forward lookup entry. It defines a DNS A record (an Address record). A DNS A record is used to map host names to IP addresses. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27).
If the selected zone entry is a forward lookup entry, the TXT Record field is available. This optional field allows you to enter comments or additional information about this zone, such as sender id information.
4 Click the Save icon in the toolbar to save your changes. To configure additional name server information, see “About the Master Zone Attributes tab” on page 329.
Adding a forward lookup sub-domain
This window is used to add a forward lookup sub-domain to the selected forward lookup zone. By adding a sub-domain you are delegating authority for a portion of the parent domain to the new sub-domain. Follow the steps below.
1 In the Forward Sub-Domain Name field, type the name of the sub-domain. Do not type a fully qualified name. For example, assume you have a domain named example.com that contains a sub-domain named west. You would type west in this field rather than west.example.com.
2 In the Sub-Domain NS Records field, specify entries in the Name Servers table for this sub-domain. The Name Servers table contains DNS NS records that indicate what machines will act as name servers for this sub-domain. To add or delete an entry use the New or Delete buttons, respectively. See “Adding an NS record” on page 332 for details on adding a new entry.
3 [Optional] In the Sub-Domain MX Records field, specify entries in the Mail Exchangers table for this sub-domain. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the sub-domain. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 332 for details on adding a new MX record entry.
Deleting a forward lookup sub-domain
This window is used to delete a sub-domain from a forward lookup zone. The Domains in Zone field lists the domains defined in the zone.
1 To delete a domain, highlight the domain you want to delete and click Delete Domain.
2 Click OK to save your changes. (Click Cancel to exit the window without saving your changes.)
Adding an NS record
This window is used to add a new NS record to the Name Servers table associated with the selected zone or sub-domain. Follow the steps below.
1 In the NS Record field, type the domain name associated with this NS record. The name must be a fully-qualified name and must end with a period. The name you specify should be a pre-existing domain name that maps to a valid IP address.
2 Click Add to add the specified entry to the Name Servers table.
3 Click Close to exit the window.
Adding an MX record
This window is used to add a new MX record to the Name Servers table associated with the selected zone, sub-domain, or host. Follow the steps below.
Note: For more information on MX records, see “About mail exchanger records” on page 314.
1 In the MX record field, type the fully-qualified name of the host that will act as the mail exchange for this zone, sub-domain, or host.
2 In the Priority field, type a priority level for this record. Valid values are 1–65535. The lower the value, the higher the priority (for example, a value of 1 will have a higher priority than a value of 10).
3 Click Add to save the new record.
4 Click Close to exit the window.
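As an added example (not the guide's or the product's own code), the following Python models the Zone SOA fields and the NS and MX records described in the sections above: it applies the validation rules given for each field, shows how the serial number and the Refresh, Retry and Expiration timers drive a slave's behaviour, and renders the records in standard zone-file form. The zone name, the serial and the Retry and TTL values are constructed, and the zone-file layout is an assumption since the guide does not show the file the Admin Console writes.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


def positive_int(value: int, field_name: str) -> int:
    """Refresh, Retry, Expiration and TTL must all be positive integers."""
    if not isinstance(value, int) or value <= 0:
        raise ValueError(f"{field_name} must be a positive integer, got {value!r}")
    return value


def check_contact(contact: str) -> str:
    """DNS Contact is fully qualified with the @ replaced by a period (hostmaster.domain.com)."""
    if "@" in contact:
        raise ValueError("replace the @ in the contact address with a period")
    if contact.count(".") < 2:
        raise ValueError("DNS Contact must be a fully qualified name such as hostmaster.domain.com")
    return contact


def check_fqdn(name: str) -> str:
    """NS and MX names must be fully qualified and end with a period."""
    if not name.endswith(".") or name.count(".") < 2:
        raise ValueError(f"name must be fully qualified and end with a period: {name!r}")
    return name


def check_mx_priority(priority: int) -> int:
    """MX Priority is 1-65535; the lower the value, the higher the priority."""
    if not 1 <= priority <= 65535:
        raise ValueError(f"MX priority must be 1-65535, got {priority}")
    return priority


@dataclass(frozen=True)
class SoaRecord:
    """The fields of the Zone SOA tab. The serial is maintained by the Admin Console."""
    zone: str
    contact: str
    serial: int
    refresh: int = 3600      # documented default: 1 hour
    retry: int = 900         # constructed value; the guide gives no default
    expire: int = 604800     # the guide's worked example: one week
    ttl: int = 86400         # constructed value; the guide gives no default

    def __post_init__(self) -> None:
        check_contact(self.contact)
        for name in ("refresh", "retry", "expire", "ttl"):
            positive_int(getattr(self, name), name)


def bump_serial(soa: SoaRecord) -> SoaRecord:
    """Each time the zone is modified, DNS Serial # increments by one."""
    return replace(soa, serial=soa.serial + 1)


def slave_needs_transfer(slave_serial: int, master_serial: int) -> bool:
    """The slave compares serials: 4 on the slave against 5 on the master means transfer."""
    return master_serial > slave_serial


def next_check_time(soa: SoaRecord, last_attempt: int, last_attempt_ok: bool) -> int:
    """After a successful refresh the slave waits Refresh seconds, after a failure Retry seconds."""
    return last_attempt + (soa.refresh if last_attempt_ok else soa.retry)


def slave_data_expired(soa: SoaRecord, last_success: int, now: int) -> bool:
    """After Expiration seconds without a successful refresh the slave's records expire and
    it no longer answers as an authority for the zone."""
    return now - last_success >= soa.expire


def render_zone_header(soa: SoaRecord, ns_names: List[str],
                       mx_records: List[Tuple[int, str]]) -> str:
    """Render the SOA, NS and MX lines in standard zone-file form (assumed layout)."""
    if not ns_names:
        raise ValueError("a zone needs at least one NS record")
    lines = [
        f"$TTL {soa.ttl}",
        f"{soa.zone} IN SOA {check_fqdn(ns_names[0])} {soa.contact}. (",
        f"    {soa.serial} ; serial",
        f"    {soa.refresh} ; refresh",
        f"    {soa.retry} ; retry",
        f"    {soa.expire} ; expire",
        f"    {soa.ttl} ; minimum TTL",
        ")",
    ]
    lines += [f"{soa.zone} IN NS {check_fqdn(ns)}" for ns in ns_names]
    lines += [f"{soa.zone} IN MX {check_mx_priority(pri)} {check_fqdn(host)}"
              for pri, host in mx_records]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example zone with one name server and two mail exchangers.
    soa = SoaRecord("example.com.", "hostmaster.example.com", serial=4)
    print(render_zone_header(bump_serial(soa), ["ns1.example.com."],
                             [(10, "mail1.example.com."), (20, "mail2.example.com.")]))
```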
Using the Master Zone Contents tab
The Master Zone Contents tab is used to define the hosts that are associated with each master zone.
When you select the Master Zone Contents tab a window similar to the following appears.
Figure 148: Master Zone Contents tab
Note: If you are adding a large number of hosts (hundreds or thousands) to a master zone, you may want to consider manually adding the required host information directly to the appropriate DNS files using one of the available editors on the Sidewinder G2 to save time. However, only experienced Sidewinder G2 administrators should attempt this. (Using the manual method will still require you to manually define each host.)
About the Master Zone Contents tab
This window is used to define the hosts that are associated with each master zone. For each host you define in a forward lookup zone you should also create a matching entry in the associated reverse lookup zone. Follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to modify.
The fields that are available on this tab will vary depending on whether a zone, a host in a forward lookup zone, or a host in a reverse lookup zone is selected.
2 [Conditional] If you are modifying a zone, do the following:
a In the Master Zones area, select the zone you want to modify.
b To add a host to the selected zone, click Add Entry. If you are adding a host to a forward lookup zone, see “Adding a new forward lookup entry” on page 335 for details. If you are adding a host to a reverse lookup zone, see “Adding a new reverse lookup entry” on page 336.
c To delete a host from the selected zone, click Delete Entry. See “Deleting a host entry from a zone” on page 336 for details.
3 [Conditional] If you are modifying a host in a reverse lookup zone, the following two fields appear:
• Name (Host portion of IP): This field appears only if a host is selected in the list. The field displays the host portion of either the IP address or of the fully-qualified domain name of this entry. You cannot modify this field. If you need to change the host name you must delete the entry from the list, then add the entry back using the new name.
• Fully-Qualified Domain Name: This field displays the domain name of the host. You can modify this field by typing in a new value. Be sure to type the fully-qualified domain name of the host.
Note: The Name field and the Fully-Qualified Name Entry field collectively define a PTR Record for the selected reverse lookup zone. The PTR record is used in a Reverse Addresses table and maps an IP address to a host name.
4 [Conditional] If a host in a forward lookup zone is selected, the following fields appear:
• Entry Name: This field defines the host portion of the fully-qualified domain name of this entry.
• A Record IP: This field defines a DNS A record (an Address record), which is used to map host names to IP addresses. In this case the field displays the IP address of the selected host. You can modify this field by typing in a new value. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27).
• CNAME Rec: This field defines a DNS CNAME record, which is used to map an alias to its canonical name. The field, if populated, displays the name of the Canonical Record of the selected host. You can modify this field by typing in a new name. The name you specify must be entered using the fully-qualified primary name of the domain.
Important: A host in a forward lookup zone requires either an A Record or a CNAME Record.
• TXT Record: This field allows you to enter comments or additional information about this zone, such as sender id information.
• Entry MX Records: This field is used to specify entries in the Mail Exchangers table for the selected host. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail routers (mail exchangers) for the selected host. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 332 for details on adding a new MX record entry.
• HINFO-Type: This field provides information about a host’s hardware type.
• HINFO-OS: This field provides information about a host’s operating system.
Important: For security reasons, many organizations elect not to use the HINFO fields.
5 Click the Save icon in the toolbar to save your changes.
Adding a new forward lookup entry
This window is used to define a new host for a forward lookup zone. Follow the steps below.
Note: The following fields collectively define an Address record.
1 In the Entry Name field, specify the host portion of the fully-qualified domain name of this entry.
2 In the A Record IP field, specify a DNS A record (an Address record), which is used to map host names to IP addresses. The address you specify must be entered using standard dotted quad notation (for example 172.14.207.27). This field and the CNAME Rec field are mutually exclusive.
3 In the CNAME Rec field, specify a DNS CNAME record, which is used to map an alias to its canonical name. The name you specify must be entered using the fully-qualified primary name of the domain. This field and the A Record IP field are mutually exclusive.
4 [Optional] In the TXT Record field, enter comments or additional information about this zone, such as sender ID information.
5 [Optional] The Entry MX Records field lists entries in the Mail Exchangers table for this host. The Mail Exchangers table contains DNS MX records that indicate what machines will act as mail exchangers for the host. To add or delete an MX record entry use the New or Delete buttons, respectively. See “Adding an MX record” on page 332 for details on adding a new MX record entry.
6 [Conditional] The HINFO-Type field provides information about a host’s hardware type.
7 [Conditional] The HINFO-OS field provides information about a host’s operating system.
Important: For security reasons, many organizations elect not to use the HINFO fields.
8 For security reasons, many organizations elect not to use these fields.
9 Click Add to save the new entry.
10 Click Close to exit this window.
Adding a new reverse lookup entry
This window is used to define a new host for a reverse lookup zone. Follow the steps below.
1 In the Entry Name field, specify the host portion of the IP address of this entry.
2 In the Fully-Qualified Name Entry field, specify the domain name of the host. Be sure to type the fully-qualified domain name of the host.
Note: The Entry Name field and the Fully-Qualified Name Entry field collectively define a PTR Record for the selected reverse lookup zone. The PTR record is used in a Reverse Addresses table and maps an IP address to a host name.
3 Click Add to save the new entry.
4 Click Close to exit this window.
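As an added example (not the guide's or the product's own code), the following Python applies the rules given above for forward and reverse lookup entries: an entry needs either an A Record IP in dotted quad notation or a CNAME Rec but not both, every A record should have a matching PTR in the reverse lookup zone, and hosts that publish HINFO are worth flagging. It assumes /24 reverse zones; the zone, host names and addresses are constructed, and the zone-file layout is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class ForwardEntry:
    """A host in a forward lookup zone: exactly one of A Record IP or CNAME Rec."""
    name: str                          # Entry Name: host portion only, e.g. "www"
    a_record: Optional[str] = None     # A Record IP in dotted quad notation
    cname: Optional[str] = None        # CNAME Rec: fully qualified canonical name
    txt: Optional[str] = None          # TXT Record, e.g. sender ID information
    hinfo_type: Optional[str] = None   # HINFO-Type
    hinfo_os: Optional[str] = None     # HINFO-OS

    def __post_init__(self) -> None:
        if (self.a_record is None) == (self.cname is None):
            raise ValueError("a forward entry needs exactly one of A Record IP or CNAME Rec")
        if "." in self.name:
            raise ValueError("Entry Name is the host portion only, not a fully qualified name")
        if self.a_record is not None:
            IPv4Address(self.a_record)  # rejects anything that is not a valid dotted quad
        if self.cname is not None and "." not in self.cname:
            raise ValueError("CNAME Rec must be the fully qualified primary name")


@dataclass(frozen=True)
class ReverseEntry:
    """A host in a reverse lookup zone: Entry Name plus Fully-Qualified Name form a PTR record."""
    host_portion: str   # host portion of the IP address, the last octet in a /24 zone
    fqdn: str


def reverse_zone_for(network: str) -> str:
    """Reverse zone name for a /24, e.g. 172.14.207.0/24 -> 207.14.172.in-addr.arpa."""
    net = IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("this example handles /24 reverse zones only")  # assumption
    first_three = str(net.network_address).split(".")[:3]
    return ".".join(reversed(first_three)) + ".in-addr.arpa"


def ptr_for(entry: ForwardEntry, zone: str) -> Optional[ReverseEntry]:
    """The matching reverse entry the guide asks for; CNAME entries carry no address."""
    if entry.a_record is None:
        return None
    return ReverseEntry(entry.a_record.split(".")[-1], f"{entry.name}.{zone}")


def missing_reverse(zone: str, forward: List[ForwardEntry],
                    reverse: List[ReverseEntry]) -> List[str]:
    """Names of A records that have no matching PTR in the reverse lookup zone."""
    present = {(r.host_portion, r.fqdn) for r in reverse}
    missing = []
    for entry in forward:
        ptr = ptr_for(entry, zone)
        if ptr is not None and (ptr.host_portion, ptr.fqdn) not in present:
            missing.append(ptr.fqdn)
    return missing


def hosts_with_hinfo(forward: List[ForwardEntry]) -> List[str]:
    """Hosts that publish HINFO, which many organizations elect not to do."""
    return [e.name for e in forward if e.hinfo_type or e.hinfo_os]


def render_forward_zone(forward: List[ForwardEntry]) -> List[str]:
    """Zone-file lines for the forward entries (assumed layout)."""
    lines = []
    for e in forward:
        if e.a_record is not None:
            lines.append(f"{e.name} IN A {e.a_record}")
        else:
            lines.append(f"{e.name} IN CNAME {e.cname.rstrip('.')}.")
        if e.txt:
            lines.append(f'{e.name} IN TXT "{e.txt}"')
        if e.hinfo_type or e.hinfo_os:
            lines.append(f'{e.name} IN HINFO "{e.hinfo_type or ""}" "{e.hinfo_os or ""}"')
    return lines


def render_reverse_zone(reverse: List[ReverseEntry]) -> List[str]:
    """Zone-file lines for the reverse entries (assumed layout)."""
    return [f"{r.host_portion} IN PTR {r.fqdn.rstrip('.')}." for r in reverse]


if __name__ == "__main__":
    # Constructed zone: two A records, one CNAME, and only one PTR so far.
    zone = "example.com"
    forward = [ForwardEntry("www", a_record="172.14.207.27"),
               ForwardEntry("mail", cname="www.example.com"),
               ForwardEntry("db", a_record="172.14.207.28", hinfo_type="PC", hinfo_os="Linux")]
    reverse = [ReverseEntry("27", "www.example.com")]
    print("\n".join(render_forward_zone(forward)))
    print(reverse_zone_for("172.14.207.0/24"), render_reverse_zone(reverse))
    print("A records without a PTR:", missing_reverse(zone, forward, reverse))
    print("hosts publishing HINFO:", hosts_with_hinfo(forward))
```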
Deleting a host entry from a zone
This window is used to delete a host from the selected zone. The Hosts in Zone field lists all the hosts currently defined within the selected zone. To delete a host, highlight the host you want to delete and click Delete Host. You can only delete one host at a time. Click OK to save your changes and exit the window. (To cancel your changes, click Cancel.)
Reconfiguring DNS
The Reconfigure DNS window allows you to completely reconfigure DNS on your Sidewinder G2. Changes made by the DNS configuration utility take effect immediately. You do not need to reboot the Sidewinder G2.
Table 26 summarizes the available DNS configuration options. (For more detailed information on determining which DNS configuration best suits your situation, refer to the Sidewinder G2 Perimeter Security Planning Guide.)
Note: Any active DNS servers on the Sidewinder G2 will be disabled during the reconfiguration process.
Important: Any prior modifications you have made to your DNS configuration will be lost when you save your changes. You will need to re-apply the modifications.
Table 26: DNS configuration options
Transparent DNS, Single: Indicates that DNS traffic will be proxied through the Sidewinder G2. This configuration is generally used when you plan to use your existing DNS server. If you are using a single internal DNS server, external users will have proxied access to your DNS server. External hosts will be unaware that the Sidewinder G2 is “transparently” passing the DNS traffic. See “Reconfiguring transparent DNS” on page 338 for more information.
Transparent DNS, Split: Indicates that DNS traffic will be proxied through the Sidewinder G2, with a remote DNS server connected to each interface. DNS queries will generally be handled by both your internal DNS server and your external ISP. This configuration is more secure than using a single name server because your external server can limit access to your internal naming system. External hosts will be unaware that the Sidewinder G2 is “transparently” passing the DNS traffic. See “Reconfiguring transparent DNS” on page 338 for more information.
Hosted DNS, Single: Indicates that only one DNS server is hosted on the Sidewinder G2 and handles all DNS queries. The server is protected by the Sidewinder G2 hardened OS, preventing attacks against it from penetrating your network. A single server configuration is generally used when you have no concerns for keeping your internal network architecture hidden, such as when your Sidewinder G2 is acting as an “intrawall” between two sets of private addresses. External hosts will need to be reconfigured to point to the Sidewinder G2 servers. See “Reconfiguring single server hosted DNS” on page 339 for more information.
Hosted DNS, Split: Indicates that two DNS servers are hosted on the Sidewinder G2: one server (the external name server) is bound to the external burb and the other server (the “unbound” name server) is available for use by all internal burbs. Both servers are protected by the Sidewinder G2 hardened OS, which is able to prevent attacks against them from penetrating your network. The security benefit of this configuration is the ability to hide the DNS entries on the unbound server from those who only have access to the external burb. External hosts will need to be reconfigured to point to the Sidewinder G2 servers. See “Reconfiguring split server hosted DNS” on page 340 for more information.
Important: You must use hosted split DNS if you want the Sidewinder G2 to hide your private IP addresses when answering DNS queries. DNS responses served by the Sidewinder G2’s public name server would not display any private IP addresses.
Reconfiguring transparent DNS
To reconfigure DNS to use transparent services, using the Admin Console select Tools > Reconfigure DNS. The Reconfigure DNS window appears.
Figure 149: Reconfigure transparent DNS window
About the Reconfiguring transparent DNS window
This window allows you to reconfigure your DNS settings to use transparent DNS services. Follow the steps below.
1 In the New DNS Configuration drop-down list, select Transparent.
2 To configure the Sidewinder G2 to use the internal name server(s), do the following:
a Select the Internal Name Server check box.
b In the corresponding IP Address field, type the IP address of the name server located in the internal burb (that is, your enterprise name server).
c [Optional] In the Alternate IP Address field, type the IP address of an alternate name server.
d In the Burb drop-down list, select your internal burb.
3 To configure the Sidewinder G2 to use the external (Internet) name server(s), do the following:
a Select the Internet Name Server check box.
b In the corresponding IP Address field, type the IP address of the name server located in the external (Internet) burb (that is, your ISP’s name server).
c [Optional] In the Alternate IP Address field, type the IP address of an alternate name server.
d Click the Save icon in the toolbar to reconfigure your DNS settings. You will receive a pop-up message informing you whether the reconfiguration was successful.
Important: The pop-up message that appears may contain additional information or warnings about your Sidewinder G2 configuration. Please read this message carefully before you click OK.
Reconfiguring single server hosted DNS
To reconfigure DNS to use single server hosted services, using the Admin Console select Tools > Reconfigure DNS. The Reconfigure DNS window appears.
Figure 150: Reconfiguring Sidewinder Hosted (single server) DNS window
About the Reconfiguring DNS: Sidewinder Hosted (single server) window
This window allows you to reconfigure your DNS settings to use hosted single server DNS services. Follow the steps below.
1 In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2 Select the 1 Server radio button.
3 In the Domain field, verify that the correct domain name appears.
4 In the Authority field, select one of the following options:
• Master: Select this option if the server you are defining will be a master name server. A master name server contains name and address information for every computer within its zone.
• Slave: Select this option if the server you are defining will be a slave name server. A slave name server is similar to a master name server, except that it does not maintain its own original data. Instead, it downloads data from another name server.
5 [Conditional] If you selected Slave in the previous step, type the IP address of the master authority server in the Master IP field.
6 Click the Save icon in the toolbar to reconfigure your DNS settings. You will receive a pop-up message informing you whether the reconfiguration was successful.
Important: The pop-up message that appears may contain additional information or warnings about your Sidewinder G2 configuration. Please read this message carefully before you click OK.
Reconfiguring split server hosted DNS<br />
To reconfigure DNS to use split server hosted services, using the Admin<br />
Console select Tools > Reconfigure DNS. The Reconfigure DNS window<br />
appears.
About the Reconfiguring DNS: Sidewinder Hosted (split server) window<br />
This window allows you to reconfigure your DNS settings to use hosted split<br />
server DNS services. Follow the steps below.<br />
1 In the New DNS Configuration drop-down list, select <strong>Sidewinder</strong> Hosted.<br />
2 Select the 2 Server radio button.<br />
3 To configure the Unbound server, do the following:<br />
a In the Domain field, verify that the correct domain name appears.<br />
b In the Authority field, select one <strong>of</strong> the following options:<br />
• Master: Select this option if the server you are defining will be a<br />
master name server. A master name server contains name and<br />
address information for every computer within its zone.<br />
• Slave: Select this option if the server you are defining will be a slave<br />
name server. A slave name server is similar to a master name<br />
server, except that it does not maintain its own original data. Instead,<br />
it downloads data from another name server.<br />
c [Conditional] If you selected Slave in the previous step, type the IP<br />
address <strong>of</strong> the master authority server in the Master IP field.<br />
4 To configure the Internet server, do the following:<br />
a In the Domain field, verify that the correct domain name appears.<br />
b In the Authority field, select one <strong>of</strong> the following options:<br />
• Master—Select this option if the server you are defining will be a<br />
master name server. A master name server contains name and<br />
address information for every computer within its zone.<br />
• Slave—Select this option if the server you are defining will be a slave<br />
name server. A slave name server is similar to a master name<br />
server, except that it does not maintain its own original data. Instead,<br />
it downloads data from another name server.<br />
c [Conditional] If you selected Slave in the previous step, type the IP<br />
address <strong>of</strong> the master authority server in the Master IP field.<br />
5 Click the Save icon in the toolbar to reconfigure your DNS settings. You will<br />
receive a pop-up message informing you whether the reconfiguration was<br />
successful.<br />
Important: The pop-up message that appears may contain additional<br />
information or warnings about your Sidewinder G2 configuration. Please read<br />
this message carefully before you click OK.<br />
Manually editing DNS configuration files<br />
If you prefer to edit the DNS configuration files manually, follow these steps.<br />
Note: Files with a u extension are for the unbound nameserver, and files with an<br />
i extension are for the Internet nameserver.<br />
Important: You should only edit zone files for a master name server. Never edit the<br />
slave name server files. The file names shown below are for a master name server.<br />
1 Log into the <strong>Sidewinder</strong> <strong>G2</strong> and enter the following command to switch to<br />
the admin role:<br />
srole<br />
The following two steps assume you have database files named<br />
domain.db and reverse.db in your system. Substitute your file names<br />
as required.<br />
2 Open the /etc/namedb.u/domain.db and /etc/namedb.i/domain.db files in a<br />
UNIX text editor and make the necessary changes.<br />
3 Open the /etc/namedb.u/reverse.db and /etc/namedb.i/reverse.db files in a<br />
UNIX text editor and make the necessary changes.<br />
4 Open the /etc/named.conf.u and /etc/named.conf.i files in a UNIX text editor<br />
and make the necessary changes.<br />
Note: If you use the /etc/named.conf.* files to change an existing master zone<br />
into a slave zone, you must also manually remove the old zone files in your<br />
/etc/namedb.* directories.<br />
5 If you have added new files, you must change the files to the correct Type<br />
Enforcement types.<br />
To do this, type the following command and insert the names <strong>of</strong> the file(s)<br />
you edited in steps 2, 3 and 4. For non-Internet (unbound) burbs, in place <strong>of</strong><br />
x type the identifier u. For the Internet burb, in place <strong>of</strong> x type the index<br />
number <strong>of</strong> the Internet burb. (Use the region show command to determine<br />
the index number.)<br />
chtype DNSx:conf filename<br />
6 Increment the serial number after every change to the master files.<br />
7 Enter the following command to restart DNS.<br />
ndc restart<br />
Note: Any files created by named daemons, such as zone backup files or query<br />
log files, have types <strong>of</strong> DNSu:file or DNSx:file.<br />
8 Check /var/log/daemon.log for any errors.
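Step 6 of the procedure above (increment the serial after every change to the master files) is the one most often forgotten, and a slave will silently keep serving the old zone if the serial does not grow. The following is an added example, not code from the guide or from Secure Computing: a small Python helper that reads the SOA serial from a zone file, picks the next YYYYMMDDnn value that is strictly greater than the old one (including the edge case where the zone's serial is already ahead of today's date), rewrites the file text, and builds the chtype and ndc lines steps 5 and 7 ask for. The zone contents, host names and addresses are constructed for the example; the burb index 2 used below is a hypothetical Internet burb index.<br />

```python
import re

# Constructed sample zone file in the shape of /etc/namedb.u/domain.db.
# Names and addresses are hypothetical (RFC 5737 documentation range),
# not taken from the Sidewinder G2 guide.
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
                2006031501 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
www IN  A   192.0.2.10
"""

# Matches the SOA record up to its opening parenthesis, then the serial number.
SERIAL_RE = re.compile(r"(?P<pre>\bSOA\b[^(]*\(\s*)(?P<serial>\d+)")


def read_serial(zone_text):
    """Return the current SOA serial, or raise if the zone has no SOA record."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone")
    return int(m.group("serial"))


def next_serial(current, today_yyyymmdd):
    """Pick the next serial in YYYYMMDDnn form.

    The only hard rule is that the new value is strictly greater than the old
    one (serials are 32-bit, RFC 1982); otherwise slaves will not transfer the
    changed zone. If the zone's serial is already ahead of today's date, for
    example after a clock change, fall back to current + 1.
    """
    base = today_yyyymmdd * 100            # first edit of the day: YYYYMMDD00
    candidate = base if current < base else current + 1
    if candidate >= 2**32:
        raise ValueError("serial would exceed 32 bits")
    return candidate


def bump_serial(zone_text, today_yyyymmdd):
    """Return (updated_zone_text, old_serial, new_serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today_yyyymmdd)
    updated = SERIAL_RE.sub(lambda m: m.group("pre") + str(new), zone_text, count=1)
    if read_serial(updated) != new:        # sanity check on the rewrite
        raise RuntimeError("serial rewrite failed")
    return updated, old, new


def chtype_command(filename, burb):
    """Build the step-5 chtype line: 'u' for the unbound name server files,
    the Internet burb index (from 'region show') for the Internet files."""
    tag = "u" if burb == "u" else str(int(burb))
    return f"chtype DNS{tag}:conf {filename}"


def finishing_commands(edited_files):
    """Commands steps 5 and 7 call for after editing; edited_files maps a
    file path to 'u' or to the Internet burb index."""
    cmds = [chtype_command(path, burb) for path, burb in edited_files.items()]
    cmds.append("ndc restart")
    return cmds


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, 20060316)
    print(f"serial {old} -> {new}")
    for cmd in finishing_commands({"/etc/namedb.u/domain.db": "u",
                                   "/etc/namedb.i/domain.db": 2}):
        print(cmd)
```

Run it against a copy of the zone file, not the live one, and diff the result before saving; the commands it prints are what you would then type in the Admn role on the firewall.<br />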
DNS message logging<br />
DNS messages, Type Enforcement errors and process limit errors are logged<br />
in the following locations on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
• /var/log/audit.raw: Contains information in the <strong>Sidewinder</strong> <strong>G2</strong> audit format.<br />
• /var/log/daemon.log: Contains traditional syslog format messages.<br />
You can view the audit.raw file using the Audit windows in the Admin Console<br />
(See Chapter 19 for more information). The daemon.log file can be viewed<br />
using any text editor. (See Appendix A for more information on using the<br />
different text editors.)<br />
CHAPTER 12<br />
Electronic Mail<br />
In this chapter...<br />
Overview <strong>of</strong> e-mail on <strong>Sidewinder</strong> <strong>G2</strong> ..........................................346<br />
Administering mail on <strong>Sidewinder</strong> <strong>G2</strong> ..........................................350<br />
Managing sendmail ......................................................................353<br />
Reconfiguring mail........................................................................351<br />
Editing the mail configuration files................................................354<br />
Redirecting mail to a different destination ....................................364<br />
Other sendmail features ...............................................................365<br />
Managing mail queues .................................................................370<br />
Overview of e-mail on Sidewinder G2<br />
The <strong>Sidewinder</strong> <strong>G2</strong> uses the sendmail message transfer agent to receive and<br />
route mail messages. When you run mail on a network protected by the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, all messages coming into and going out from your site must be<br />
routed through the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Mail server configuration options<br />
The <strong>Sidewinder</strong> <strong>G2</strong> <strong>of</strong>fers two configuration options for handling mail:<br />
Important: A newly installed <strong>Sidewinder</strong> <strong>G2</strong> is not configured to pass mail between<br />
burbs. If you want mail to pass through <strong>Sidewinder</strong> <strong>G2</strong>, you must run Tools ><br />
Reconfigure Mail. See “Reconfiguring mail” on page 351 for more information.<br />
• Transparent—This configuration option allows you to use transparent<br />
SMTP services (without sendmail processes running directly on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>). Transparent SMTP service indicates that all inbound and<br />
outbound mail passes by proxy through the <strong>Sidewinder</strong> <strong>G2</strong>, just as other<br />
proxy traffic does. When you use transparent SMTP, the SMTP proxy is<br />
enabled and policy controls for mail are enforced via the active policy rules.<br />
A Mail rule group is automatically created during installation, but it does not<br />
contain any rules. Mail filtering is limited when using transparent mail<br />
services.<br />
• Secure Split SMTP Servers (hosted on <strong>Sidewinder</strong> <strong>G2</strong>)—This configuration<br />
option allows you to have two sendmail servers running directly on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>, each supported on its own burb: the external burb and one<br />
non-Internet burb that you choose. The <strong>Sidewinder</strong> <strong>G2</strong> sendmail servers<br />
will route mail through the <strong>Sidewinder</strong> <strong>G2</strong> only for these two burbs. This<br />
configuration protects your internal mailhost from malicious attacks, and<br />
<strong>of</strong>fers a variety <strong>of</strong> additional mail-handling options. When using secure split<br />
mail services, the <strong>Sidewinder</strong> <strong>G2</strong> external sendmail server is the mail host<br />
to which all external SMTP hosts will connect. The <strong>Sidewinder</strong> <strong>G2</strong> internal<br />
sendmail server will connect with internal hosts in its same burb.<br />
Your internal mail host must run mail s<strong>of</strong>tware that can accept incoming<br />
messages from, and send outgoing messages to, the <strong>Sidewinder</strong> <strong>G2</strong>. This<br />
system might be running sendmail or some other mail package such as<br />
Micros<strong>of</strong>t Exchange or cc:Mail with a Simple Mail Transport Protocol<br />
(SMTP) gateway.
When you configure secure split SMTP services, there are three separate<br />
sendmail servers that each have a different purpose.<br />
• Local<br />
The local server handles mail that is sent directly from the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
For example, if an administrator sends a mail message from the <strong>Sidewinder</strong><br />
<strong>G2</strong>, it is sent through the local server. This sendmail process runs in the<br />
mtac domain and forwards all mail to the internal network side <strong>of</strong> the<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
• Internal<br />
The internal server runs in a trusted burb that you specify when running<br />
Reconfigure Mail. This sendmail daemon receives mail from one <strong>of</strong> three<br />
sources:<br />
– a host on the internal network<br />
– a sendmail process transferring mail from the local sendmail server<br />
– a sendmail process transferring mail from the external sendmail server<br />
The internal server delivers mail to one <strong>of</strong> three places:<br />
– If the message is for a user local to the <strong>Sidewinder</strong> <strong>G2</strong>, such as an<br />
administrator with a mailbox on the <strong>Sidewinder</strong> <strong>G2</strong>, it delivers the<br />
message to the user’s mailbox using the mail.local program.<br />
– If the message is for a user on the internal network, it connects to the<br />
mail host on the internal network and delivers the mail there.<br />
– If the message is not for either <strong>of</strong> the above, it assumes the message is<br />
for an external user and transfers the message to the external burb for<br />
that user.<br />
• External<br />
The external server runs in the mta# domain (# is the burb index <strong>of</strong> the<br />
Internet burb). This sendmail daemon receives mail from one <strong>of</strong> two<br />
sources:<br />
– a host on the external network<br />
– a sendmail process transferring mail from the internal sendmail server<br />
The external server delivers mail to one <strong>of</strong> two places:<br />
• If the message is for an external user, it connects to an external host<br />
and delivers the mail there.<br />
• If the message is for a user local to the <strong>Sidewinder</strong> <strong>G2</strong> (such as an<br />
administrator) or for a user on the internal network, it transfers the<br />
mail to the internal burb for delivery to that user.<br />
Mail filtering services on <strong>Sidewinder</strong> <strong>G2</strong><br />
The following mail filtering services are configured by creating Mail Application<br />
Defenses and including them in the appropriate rule(s):<br />
Note: You must have Secure Split SMTP mail servers configured to use mail<br />
filtering.<br />
• MIME/Virus/Spyware filtering—MIME/Virus/Spyware filtering is a licensed<br />
service. You can configure filtering rules to specify the types <strong>of</strong> MIME<br />
elements that will be allowed or denied, configure the type <strong>of</strong> virus and<br />
spyware scanning you want to perform, configure infected file handling,<br />
specify file attachment size restrictions, and determine whether mail<br />
messages will be scanned as a whole (entire message is allowed or<br />
denied) or in segments (attachments may be dropped if they do not meet<br />
filtering criteria, but the acceptable portions <strong>of</strong> the mail message will still<br />
reach the recipient). You can also configure all mail to be rejected if<br />
scanning services become unavailable. See “Configuring the Mail<br />
(Sendmail) MIME/Virus/Spyware tab” on page 177.<br />
Important: You must license and configure additional services before the<br />
MIME/Virus/Spyware filter rules you create will scan mail messages. See<br />
“Configuring virus scanning services” on page 69.<br />
• Spam/Fraud filtering—Spam and fraud filtering is a licensed service. Once<br />
you are licensed for Anti-spam, you can enable or disable it on a per-rule<br />
basis. See “Configuring the Mail (Sendmail) Control tab” on page 172.<br />
If you enable spam and fraud filtering without licensing it, filtering will not be<br />
performed.<br />
• Key word search filtering—The Keyword Search filter allows you to filter<br />
mail messages based on the presence <strong>of</strong> defined key words (character<br />
strings). See “About the Keyword Search tab” on page 175. You must<br />
enable the kmvfilter server in the appropriate burbs before the key word<br />
search filter will function.<br />
• Configure size limitations for mail messages—The size filter checks the<br />
number of bytes an e-mail message contains, including the message header.<br />
Messages that equal or exceed the size you specify will be rejected. See<br />
“About the Mail (Sendmail) Size tab” on page 174.<br />
• Anti-relay controls—Anti-relay control uses access control to prevent your<br />
mailhost from being used by a hacker as a relay point for spam to other<br />
sites. This option is automatically enabled for all Mail defenses and cannot<br />
be disabled. See “Configuring the Mail (Sendmail) Control tab” on page<br />
172.
Sendmail differences on Sidewinder G2<br />
When using <strong>Sidewinder</strong>-hosted SMTP services, all mail for a user local to the<br />
<strong>Sidewinder</strong> <strong>G2</strong> goes to the internal mta domain for delivery. Local delivery does<br />
not take place in the external mta domain or the mtac domain. Running<br />
sendmail on the <strong>Sidewinder</strong> <strong>G2</strong> works as it does in any other UNIX<br />
environment, with the following exceptions:<br />
• The <strong>Sidewinder</strong> <strong>G2</strong> runs three separate sendmail servers (as described in<br />
the previous section).<br />
• Type Enforcement restricts sendmail so that its security flaws cannot be<br />
exploited. For example, <strong>Sidewinder</strong> <strong>G2</strong> users cannot execute shell scripts<br />
or other executables through sendmail, as they could do on a standard<br />
UNIX system.<br />
• .forward files allow users to send their mail to another mailbox that may be<br />
at a different location. For example, <strong>Sidewinder</strong> <strong>G2</strong> administrators might<br />
choose to forward their mail to a mailbox located on the internal network so<br />
they receive all <strong>of</strong> their mail in one place. Administrators can use .forward<br />
files, but these files cannot contain commands to run other programs, such<br />
as program mailers (for example, procmail). For more information on<br />
.forward files, see “Redirecting mail to a different destination” on page 364.<br />
• If a server is too busy to send a message, or if the machine it is sending<br />
mail to is not responding, the messages are sent to a mail queue. The<br />
<strong>Sidewinder</strong> <strong>G2</strong> has a separate queue for each sendmail server: /var/spool/<br />
mqueue.#, /var/spool/mqueue.#, and /var/spool/mqueue.c (# = the burb<br />
number).<br />
Important: If mail cannot be delivered on the first attempt, it is placed in a<br />
queue. By default, the system checks the queues every 30 minutes and<br />
attempts redelivery.<br />
You can check if there are messages in the mail queues by following the<br />
steps described in “Managing mail queues” on page 370.<br />
Mail is an extremely complex subject and can require a great deal of effort to<br />
configure. If you want additional information on managing mail, the best<br />
resource is the book sendmail by Bryan Costales (O’Reilly & Associates, Inc.).<br />
Administering mail on Sidewinder G2<br />
Mail is configured on the Sidewinder G2 using the Reconfigure Mail tool. The<br />
configuration process allows you to specify either transparent or secure split<br />
(Sidewinder-hosted) mail services. If you select secure split services, you<br />
specify a mail host on your internal network, and the necessary configuration<br />
files are automatically set up for you.<br />
Once the <strong>Sidewinder</strong> <strong>G2</strong> is configured, everything you need to run the mail<br />
servers should already be set up:<br />
• The three mail domains: mtac, mtaX, and mtaY (where X = the number <strong>of</strong><br />
the external burb, and Y = the number <strong>of</strong> an internal burb), are in place.<br />
Sendmail is already configured to route mail among the three sendmail<br />
servers.<br />
• Mail addressed to users on your internal network will be forwarded to the<br />
mail host you specified during configuration.<br />
• Messages that are sent to the person administering a mail system are<br />
generally addressed to “postmaster.” During configuration, you set up an<br />
administrator’s account. Postmaster messages are automatically routed to<br />
that user.<br />
Note: You will need to configure your internal mail server to forward non-local mail<br />
to the <strong>Sidewinder</strong> <strong>G2</strong>. This procedure differs depending on the type <strong>of</strong> mail program<br />
your network runs. Refer to your mail s<strong>of</strong>tware’s documentation for details.<br />
To manually configure options for your mail servers, see “Managing sendmail”<br />
on page 353.<br />
To enable or disable the servers, see “Managing sendmail” on page 353.<br />
To configure Application Defenses for mail services, see “Creating Mail<br />
(Sendmail) Application Defenses” on page 172.<br />
Viewing administrator mail messages on <strong>Sidewinder</strong> <strong>G2</strong><br />
Administrators can receive mail as soon as an account is created on the<br />
<strong>Sidewinder</strong> <strong>G2</strong>. A mailbox will be created the first time an administrator sends<br />
or receives a mail message. Mailboxes for <strong>Sidewinder</strong> <strong>G2</strong> administrators are<br />
stored in the /var/mail directory.<br />
Important: Do not ignore the e-mail that accumulates on the <strong>Sidewinder</strong> <strong>G2</strong> as it<br />
contains important information about your network and <strong>Sidewinder</strong> <strong>G2</strong> and also<br />
uses disk space. Routinely read and delete mail sent to the <strong>Sidewinder</strong> <strong>G2</strong>, or have<br />
it redirected elsewhere. To redirect mail to another destination, see “Redirecting<br />
mail to a different destination” on page 364 or “Changing mail aliases” on page 369.
To view mail for a specific administrator account, follow the steps below.<br />
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using<br />
your administrator user ID and password.<br />
2 Enter the following command to change to the Admn role:<br />
srole<br />
3 Enter the following command to view a list of email messages addressed to<br />
your mailbox:<br />
mail<br />
Note: Refer to the mail man page for detailed information on utilizing the mail<br />
command. If you prefer, you may use an alternate mail program, such as Elm.<br />
You can also configure your mail account to forward messages to an internal<br />
email account.<br />
Reconfiguring mail<br />
Figure 152: Reconfigure Mail window<br />
The Reconfigure Mail window is used to configure mail on the Sidewinder G2.<br />
In the Admin Console, select Tools > Reconfigure Mail. (You can also access<br />
this window within the Configuration tab in the sendmail server window.) The<br />
Reconfigure Mail window appears.<br />
About the Reconfigure Mail window<br />
The Reconfigure Mail window allows you to set your initial mail configuration or<br />
reconfigure your existing mail configuration. Follow the steps below.<br />
Caution: If you manually edited any sendmail configuration files, changing your<br />
mail configuration in the Reconfigure Mail window will overwrite the changes you<br />
made. Also, if there is e-mail in the queue directory for a burb that will not be<br />
specified in the new mail configuration, the e-mail will be deleted.<br />
1 In the New SMTP Mode drop-down list, select the mail configuration mode<br />
you want to configure. The current mode is listed in the Current SMTP<br />
Mode field. The following options are available:<br />
• Transparent—Use this option when you want to pass mail by proxy<br />
through the Sidewinder G2. If you select this option, only the files<br />
necessary to send administrative messages (including Sidewinder G2-generated<br />
alerts, messages, and logs) will be configured. The SMTP<br />
proxy is automatically enabled.<br />
• Secure Split SMTP Servers (<strong>Sidewinder</strong>-hosted)—Use this option to<br />
use the <strong>Sidewinder</strong> <strong>G2</strong>’s hosted sendmail server(s). This configuration<br />
allows you to take advantage <strong>of</strong> additional sendmail features, including<br />
header stripping, spam and fraud control, mail routing and aliases, and<br />
masquerading. For more information on configuring these features, see<br />
“Other sendmail features” on page 365. The sendmail server is<br />
automatically enabled.<br />
2 In the Internal SMTP Burb field, select the burb in which your site’s internal<br />
SMTP server resides.<br />
3 In the Internal SMTP Mail Server field, type the fully qualified name <strong>of</strong> your<br />
site’s internal SMTP server.<br />
4 Click the Save icon in the toolbar (or click Apply if you are accessing this<br />
window from the Server window) to reconfigure your mail mode. A<br />
confirmation window will appear when the reconfiguration process is<br />
complete.<br />
5 [Conditional] If you accessed Reconfigure Mail from the Servers window,<br />
click Close to return to the sendmail server Configuration tab.<br />
6 Select Policy Configuration > Rules and create or modify the necessary<br />
proxy rules:<br />
• If you selected Transparent, use the SMTP proxy in your mail rule.<br />
• If you selected Secure Split SMTP Servers, use the SMTP server in<br />
your mail rule. Set the Destination Burb to All.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> now has a new mail configuration.
Managing sendmail<br />
You can perform many <strong>of</strong> the necessary sendmail configuration functions using<br />
the Admin Console. To enable or disable the sendmail server, follow the steps<br />
below.<br />
1 In the Admin Console, select Services Configuration > Servers > and then<br />
select sendmail.<br />
2 To enable sendmail in a burb, select the corresponding check box for that<br />
burb. To disable sendmail in a burb, deselect the check box.<br />
3 Click the Save icon in the toolbar to save your changes.<br />
4 To modify your existing mail configuration, select the Configuration tab.<br />
The following window appears:<br />
Figure 153: sendmail window: Configuration tab<br />
About the sendmail Configuration tab<br />
The sendmail Configuration tab allows you to edit some of the more common<br />
mail configuration files, enable ACL rule checking, and also provides a shortcut<br />
to the Reconfigure Mail window. You can perform the following actions:<br />
• Edit common mail configuration files—This portion <strong>of</strong> the window displays<br />
commonly used mail configuration files for the two burbs containing mail<br />
servers. If you need to edit one <strong>of</strong> the files, select that file from the<br />
appropriate list and then click Edit File. The selected file will be opened<br />
using the File Editor. (For basic information on using the File Editor, see<br />
“Using the Admin Console File Editor” on page 26. For detailed information<br />
on editing mail configuration files, see “Editing the mail configuration files”<br />
on page 354.)<br />
• Enable ACL Rule Checking—This field is enabled by default and cannot be<br />
disabled.<br />
• Go to the Reconfigure Mail window—Click Reconfigure Mail to go directly<br />
to the Reconfigure Mail window. The Reconfigure Mail window allows you<br />
to completely reconfigure your existing mail configuration files or create a<br />
default set <strong>of</strong> SMTP server configuration files. See “Reconfiguring mail” on<br />
page 351 for more information.<br />
Editing the mail configuration files<br />
Sendmail stores its configuration information in sendmail.cf files. These files<br />
contain information such as which delivery agents to use and how to format<br />
message headers. You should change your configuration options only if you<br />
are directed to do so by Secure Computing, or if you are an experienced<br />
sendmail user and want to customize the files for your site.<br />
Sendmail allows you to create configuration files using macros written for the<br />
m4 preprocessor. Sections 19.5 and 19.6 in the UNIX System <strong>Administration</strong><br />
Handbook describe these macros. You can also refer to the book sendmail by<br />
Bryan Costales (O’Reilly & Associates, Inc.).<br />
You set up two mailertables on the <strong>Sidewinder</strong> <strong>G2</strong>: one internal and one<br />
external. The external mailertable, /etc/mail/mailertable.mta# (# = the number<br />
<strong>of</strong> the external burb), processes the mail and directs it to the internal<br />
mailertable. The internal mailertable, /etc/mail/mailertable.mta#<br />
(# = the number <strong>of</strong> a trusted burb), sorts the mail by host name, and sends the<br />
mail to the correct internal mail host. Figure 8-1 shows an example <strong>of</strong> the route<br />
along which incoming mail messages travel.<br />
Figure 154: Sidewinder G2 mailertables<br />
Incoming e-mail for charlie@foo.com, lucy@sales.foo.com, linus@corp.foo.com and<br />
sally@ads.foo.com arrives at the Sidewinder G2.<br />
Sidewinder G2 external mailertable (/etc/mail/mailertable.mta#):<br />
foo.com burbmailer-burb:localhost<br />
.foo.com burbmailer-burb:localhost<br />
Sidewinder G2 internal mailertable (/etc/mail/mailertable.mta#):<br />
foo.com smtp:foohub<br />
.foo.com smtp:foohub<br />
corp.foo.com smtp:corphub<br />
sales.foo.com smtp:saleshub<br />
Message destination: linus@corp.foo.com is delivered to corphub; charlie@foo.com and<br />
sally@ads.foo.com are delivered to foohub; lucy@sales.foo.com is delivered to saleshub.<br />
The <strong>Sidewinder</strong> <strong>G2</strong> provides several different editors that you can use when<br />
manually editing your mail files. The easiest method <strong>of</strong> modifying these files is<br />
using the Admin Console. You may also use vi, emacs, or pico if you prefer.<br />
To edit the mail configuration files using the Admin Console, follow these steps:<br />
Caution: Only experienced administrators should modify sendmail configuration<br />
files.
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb, that is, for each sendmail daemon running on<br />
the Sidewinder G2.<br />
3 Select the configuration file you want to modify in the appropriate burb<br />
configuration file list. You may edit the following files for a burb:<br />
• Access Table—This file defines anti-relaying and anti-spamming<br />
policies for the SMTP server.<br />
• Aliases File—(Available only in the internal burb.) This file defines the<br />
mail aliases that are used to redirect e-mail to another person or<br />
location.<br />
• Alternate Host Names File—This file identifies alternate host names by<br />
which the Sidewinder G2 is known. E-mail addressed to any of the<br />
alternate names is treated as local mail by the Sidewinder G2.<br />
• Domain Table—This file provides a mapping from an old domain name<br />
to a new domain name. For example, you might modify this file if your<br />
organization’s external domain name changes.<br />
• M4 Config File—This file defines the initial sendmail configuration.<br />
Modify this file as needed to account for your site-specific requirements.<br />
• Mailer Table—This file maps a domain to the mail relay that is responsible<br />
for delivering mail for that domain.<br />
Important: Only edit mail configuration files if it is necessary for your site’s e-mail<br />
functionality. If you modify any of these files, click the Save icon in the toolbar to<br />
rebuild the sendmail configuration and database files.<br />
4 Save your changes, and close the file.<br />
5 Open the appropriate mailertable file and edit as necessary. The mailertable<br />
files are named /etc/mail/mailertable.mta# (# = the appropriate burb number).<br />
Important: Only edit mailertable files if it is necessary for your site’s e-mail<br />
functionality.<br />
6 Enter the correct domain, mailer, and host, one entry per line, in the following<br />
format:<br />
domain mailer:host<br />
On the internal side of the network, the mailertable appears as:<br />
.foo.com smtp:foohub<br />
foo.com smtp:foohub<br />
corp.foo.com smtp:foohub<br />
sales.foo.com smtp:foohub<br />
(In the figure above, corp.foo.com and sales.foo.com are instead routed to their<br />
own hubs, corphub and saleshub.)<br />
On the external side of the network, the mailertable should appear as:<br />
foo.com burbmailer-burb:localhost<br />
.foo.com burbmailer-burb:localhost<br />
where burb = the external burb number and Y = the internal (trusted) burb<br />
number.<br />
The entries that begin with a dot act as a wildcard, matching any host within<br />
that domain (for example, .foo.com matches ads.foo.com). The entries that do not<br />
begin with a dot match only the full domain name, so both forms are needed to<br />
cover foo.com itself as well as its subdomains. See the /usr/share/sendmail/README<br />
file for more information on creating mailertables.<br />
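The lookup order just described, as an added example that is not code from the guide or from sendmail: a small Python resolver that parses the internal-burb mailertable (constructed from the guide's foo.com entries) and returns the mailer and host sendmail would choose. It goes one step beyond the text by showing that an exact entry such as corp.foo.com does not cover its own subdomains: mail.corp.foo.com falls through to the .foo.com wildcard, so a .corp.foo.com line is needed if corphub should receive those too.

```python
"""Mailertable lookup as sendmail performs it, for the guide's foo.com example.

Added example: not code from the Sidewinder G2 guide or from sendmail. The
table text is constructed from the guide's internal-burb example. Lookup
order follows sendmail's cf/README: the full domain first, then the leading
label is dropped and the remainder is tried with a leading dot, down to the
top-level label.
"""
from typing import Dict, Iterator, Optional, Tuple

MAILERTABLE_INTERNAL = """\
# /etc/mail/mailertable.mta# for the internal burb (constructed)
foo.com         smtp:foohub
.foo.com        smtp:foohub
corp.foo.com    smtp:corphub
sales.foo.com   smtp:saleshub
"""


def parse_mailertable(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'domain mailer:host' lines into {domain: (mailer, host)}.

    Comments and blank lines are ignored. A line that does not have exactly
    two fields with a mailer:host pair raises, so a typo cannot silently
    leave a domain unrouted.
    """
    table: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or ":" not in fields[1]:
            raise ValueError(f"line {lineno}: expected 'domain mailer:host', got {raw!r}")
        mailer, host = fields[1].split(":", 1)
        table[fields[0].lower()] = (mailer, host)
    return table


def lookup_keys(domain: str) -> Iterator[str]:
    """Keys sendmail tries for a domain, most specific first."""
    labels = domain.lower().rstrip(".").split(".")
    yield ".".join(labels)                       # exact match, e.g. corp.foo.com
    for i in range(1, len(labels)):              # wildcards, e.g. .foo.com then .com
        yield "." + ".".join(labels[i:])


def resolve(table: Dict[str, Tuple[str, str]], domain: str) -> Optional[Tuple[str, str]]:
    """Return (mailer, host) for the recipient domain, or None if unrouted.

    None means sendmail falls through to ordinary MX delivery, which from an
    internal burb usually means the message is not delivered at all.
    """
    for key in lookup_keys(domain):
        if key in table:
            return table[key]
    return None
```

Note that lookup_keys("mail.corp.foo.com") yields mail.corp.foo.com, .corp.foo.com, .foo.com and .com in that order; the table has no .corp.foo.com entry, so the host is foohub rather than corphub.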
7 Save the changes you made to the file and then close the file.<br />
8 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
Configuring advanced anti-spam and anti-fraud options<br />
Using the Admin Console, you can configure the following advanced anti-spam<br />
and anti-fraud areas:<br />
• Configure the Whitelist Configuration tab to specify domains, IP addresses,<br />
and headers that will be allowed to pass through unmodified regardless of<br />
any rules that have been created. For information on configuring a whitelist,<br />
see “Configuring the Whitelist” on page 356.<br />
• Configure the policy.cfg file to determine the actions that will be taken by<br />
the spam filter on a per-burb basis when it encounters messages that are<br />
suspected to be spam or fraud. To configure the policy.cfg file, see<br />
“Configuring the policy.cfg file” on page 359.<br />
Caution: Modifying the authority.cfg files may prevent the spam filter from starting.<br />
Therefore, the authority.cfg file should not be modified.<br />
Configuring the Whitelist<br />
To configure a whitelist for the internal or external (Internet) burb, in the Admin<br />
Console select Services Configuration > Servers and then select Spamfilter<br />
from the list of servers. Select the Whitelist Configuration tab. The following<br />
window appears.<br />
Figure 155: Spamfilter: Whitelist Configuration tab<br />
About the Whitelist Configuration tab<br />
The Whitelist Configuration tab allows you to specify domains, IP addresses,<br />
and headers that will be allowed to pass through the Sidewinder G2<br />
unmodified, regardless of any rules that have been created. A whitelisted<br />
message bypasses the spam filter entirely, so keep entries as specific as possible.<br />
The Allowed Host Entries area contains a table listing all hosts that are<br />
currently allowed. The table displays the host name, the burbs for which this<br />
host is allowed, the host IP address, and a description <strong>of</strong> the host.<br />
• To add a new host, click New and go to “About the New/Modify Host<br />
Whitelist Entry window” below.<br />
• To modify an existing host, highlight the host you want to modify and click<br />
Modify and go to “About the New/Modify Host Whitelist Entry window”<br />
below.<br />
• To delete a host, highlight the host you want to delete and click Delete.<br />
The Allowed Header and Regular Expression Entries area contains a table<br />
that lists the substrings or regular expressions in a header that are currently<br />
allowed. The table displays the entry name, the burbs for which the entry is<br />
allowed, the header type (standard or custom), and a description <strong>of</strong> the entry.<br />
• To add a new entry, click New and go to “About the New/Modify Header<br />
Whitelist Entry window” below.<br />
• To modify an existing entry, highlight the entry you want to modify and click<br />
Modify and go to “About the New/Modify Header Whitelist Entry window”<br />
below.<br />
• To delete an entry, highlight the entry you want to delete and click Delete.<br />
About the New/Modify Host Whitelist Entry window<br />
To configure a new host or modify an existing host for the whitelist, follow the<br />
steps below.<br />
1 In the Entry Name field, type a descriptive name for the host.<br />
2 In the Host field, select one of the following:<br />
• IP Address—To specify the host IP address, select this option and type<br />
the IP address in the corresponding text box. You can enter an entire IP<br />
address (for example, 172.27.1.2) or only the significant portion of the<br />
IP address (for example, 172.27).<br />
Note: If you are only entering a portion of the IP address, ensure that it is<br />
not followed by a period (.).<br />
• Host Address—To specify the host address, select this option and type<br />
the host address in the corresponding text box.<br />
3 In the Burb Restriction field, specify the burbs for which this host will be<br />
allowed:<br />
• Apply rule to all burbs—Select this option to allow this host for all<br />
burbs.<br />
• Apply rule to Internet burb—Select this option to allow this host only for<br />
the Internet burb.<br />
• Apply rule to non-internet burbs—Select this option to allow this host<br />
only for non-internet burbs.<br />
4 [Optional] In the Description field, enter any useful information about this<br />
host entry (for example, a brief description of the host).<br />
5 Click OK to save the changes and return to the Whitelist Configuration tab.<br />
About the New/Modify Header Whitelist Entry window<br />
To configure a new header or modify an existing header, follow the steps<br />
below.<br />
1 In the Entry Name field, type a descriptive name for this header.<br />
2 In the Header field, select one <strong>of</strong> the following:<br />
• Standard—Select this option to specify a standard header (for example:<br />
to, from, cc, etc.). Select the header from the drop-down list.<br />
• Custom—Select this option to specify a custom header. Enter the<br />
custom header in the corresponding text field.<br />
3 In the Burb Restriction field, specify the burbs for which this header entry<br />
will be allowed:<br />
• Apply rule to all burbs—Select this option to allow this entry for all<br />
burbs.<br />
• Apply rule to Internet burb—Select this option to allow this entry only for<br />
the Internet burb.<br />
• Apply rule to non-internet burbs—Select this option to allow this entry<br />
only for non-internet burbs.<br />
4 In the Regular Expression field, enter the desired expression to match in<br />
the header (for example, @.*gov, @cloudmark.com)<br />
Note: Ensure that you are familiar with regular expressions before attempting to<br />
configure this field. Header contents are supplied by the sender and are easily<br />
forged, so a broad expression such as @.*gov exempts from filtering any message<br />
whose sender merely claims a matching address. Prefer specific patterns.<br />
5 [Optional] In the Description field, enter any useful information about this<br />
entry (for example, why the header is whitelisted).<br />
6 Click OK to save the changes and return to the Whitelist Configuration tab.<br />
Configuring the policy.cfg file<br />
The policy.cfg file allows you to determine the actions that will be taken by the<br />
spam filter on a per-burb basis when it encounters messages that are<br />
suspected to be spam or fraud, including identity theft and phishing messages.<br />
These configuration options are stored in the /etc/sidewinder/authority/<br />
policy.cfg file. The policy.cfg file contains a list of the actions that will be taken<br />
based on the disposition of an email message (that is, the likelihood of the<br />
message being spam).<br />
The basic structure of each action is as follows:<br />
threshold=85%; action=ADDHEADER; config=[header=<br />
[X-SPAM]; value=[%p%%]]<br />
where:<br />
• threshold—This field is the spam confidence level at which the action applies.<br />
– A high confidence level indicates that a message is likely to be spam.<br />
– A low confidence level indicates that a message is unlikely to be spam.<br />
– Threshold values can be any integer from 0–100, specified as a<br />
percentage.<br />
– Each action must have a unique threshold value.<br />
• action—This field specifies the action that will be taken for a message<br />
based on the threshold defined. The available actions are described in the<br />
following sections.<br />
• config—The configuration options allow you to specify additional attributes<br />
for a particular action. The config value is a bracketed, semicolon-separated<br />
list of option=value pairs; a value can itself be bracketed, as in the example.<br />
The available configuration options for each action are described in the<br />
following sections.<br />
Configuring a policy configuration file<br />
This section provides steps to access the policy.cfg files. For information on<br />
modifying a particular action, refer to the sections that follow this procedure.<br />
1 Connect to the Sidewinder G2 using the Admin Console and select File<br />
Editor. The File Editor window appears.<br />
2 Click Start File Editor and select File > Open. The Open File window<br />
appears.<br />
3 Select the Firewall File radio button.<br />
Each burb on the Sidewinder G2 has a policy.cfg.SMF file associated with it,<br />
allowing you to configure different actions for different burbs on the<br />
Sidewinder G2. To distinguish among files, the corresponding burb index<br />
number is appended to each file (for example, policy.cfg.SMF1 is the configuration<br />
file for burb index 1).<br />
4 Type the following path in the File field:<br />
/etc/sidewinder/authority/policy.cfg.SMFn<br />
where n is the corresponding burb index for the burb you want to configure.<br />
5 Click OK to open the file. The policy.cfg.SMF file for the burb you selected<br />
is displayed.<br />
Actions that are commented out (that is, the first character is a # sign) are<br />
disabled. To enable an action, remove the # sign. To modify a particular<br />
action, refer to the sections that follow. Remember that each enabled action<br />
must keep a unique threshold value.<br />
About the ADDHEADER action<br />
The ADDHEADER action will apply a new text header line to the message. The<br />
new header can then be used as a flag to sort or discard messages that<br />
contain that header text. The following two configuration options can be used<br />
with this action:<br />
• header—This option allows you to specify the text string that will act as the<br />
name <strong>of</strong> the questionable header. The default value is X-SPAM.<br />
• value—This option allows you to include the threshold value in the header.<br />
The syntax for this option uses standard C language (printf-style) expansion<br />
syntax. The only syntax supported for this option is %p%%. At run time, the %p<br />
portion of this option is replaced with the specified threshold value and the %%<br />
portion is translated to a single % sign.<br />
The following is an example of an ADDHEADER action that will add a header<br />
line of “X-SPAM: **%” to the message, where ** is the threshold value:<br />
threshold=**%;action=ADDHEADER;config=[header=X-SPAM;value=[%p%%]]<br />
About the COPY action<br />
Important: If your site handles a large amount of spam messages, the disk space<br />
required to store copies can become significant. You may need to delete the copied<br />
mailboxes periodically in this case.<br />
This action will deliver the message to the recipient, as well as store a copy of<br />
the message in a designated location. The message can then be examined or<br />
deleted from the mbox file by an administrator. The following options can be<br />
specified for this action:<br />
• path—The path for this value is preset as /var/spool/authority/copied (the<br />
example below writes it as ./copied). Do not modify the path value.<br />
• depth—This option indicates the depth of the file within the directory. The<br />
default value is 0.<br />
• default domain—This option allows you to specify the domain that will be<br />
used if a recipient does not have a domain specified. The default is local.<br />
• method—This option specifies whether or not a unique mailbox will be<br />
created for each user in the designated directory, as follows:<br />
– individual: Specify this method to create a unique mailbox for each<br />
recipient.<br />
– consolidated: Specify this option to create a single, central mailbox.<br />
• cycle—If a consolidated mailbox is used, this option can be used to create<br />
additional consolidated mailboxes. You can specify that a new mailbox be<br />
created each hour (hourly) or each day (daily).<br />
The following is an example of a COPY action:<br />
threshold=**%;action=COPY;config=[path=./copied;depth=0;default domain=local]<br />
About the DROP action<br />
This action deletes the message from the MTA and prevents it from being<br />
delivered to its recipient. Dropped messages cannot be recovered. There are<br />
no options that can be configured for this action.<br />
The following is an example of a DROP action that will delete the message<br />
from the MTA without delivering it to the recipient or saving a copy of the<br />
message for later handling:<br />
threshold=**%;action=DROP<br />
Because neither the sender nor the recipient is told, a legitimate message that<br />
scores above a DROP threshold is lost silently; reserve DROP for very high<br />
thresholds and use SAVE or REFUSE where a mistake must be recoverable.<br />
About the REFUSE action<br />
This action rejects suspected spam at the gateway during the SMTP dialog, so the<br />
sending server receives a customized error reply, simulating the absence of a<br />
mailbox. Because the message is never accepted, the Sidewinder G2 does not have<br />
to generate a bounce of its own. The following options can be specified for this<br />
action:<br />
• rcode—This option specifies the main SMTP response code. This is<br />
specified in RFC 821.<br />
• xcode—This option specifies the secondary (enhanced) SMTP response code.<br />
The mechanism is specified in RFC 2034 and the codes themselves in RFC 1893.<br />
• msg—This option specifies the text that will be contained in the error<br />
message that is returned to the sender. For example, Delivery denied.<br />
Mailbox unknown.<br />
The following is an example of a REFUSE action that will cause mail<br />
suspected of being spam to be rejected at the gateway. The message<br />
“Delivery Denied.” will be returned to the sender.<br />
threshold=**%;action=REFUSE;config=[rcode=500;<br />
xcode=5.0.0;text=[Delivery Denied.]]<br />
Note: RFC 821 defines 500 as a syntax error. To simulate a nonexistent mailbox,<br />
the conventional reply is 550 with enhanced code 5.1.1 (bad destination mailbox<br />
address).<br />
About the SAVE action<br />
Important: If your site handles a large amount of spam messages, the disk space<br />
required to store saved messages can become significant. You may need to delete<br />
the saved mailboxes periodically in this case.<br />
This action stores the message in a designated location without delivering a<br />
copy to the recipient. The message can then be examined, deleted, or<br />
forwarded to the intended recipient by an administrator. The following options<br />
can be specified for this action:<br />
• path—The path for this value is preset as /var/spool/authority/saved. Do not<br />
modify the path value.<br />
• depth—This option indicates the depth <strong>of</strong> the file within the directory. The<br />
default is 0.<br />
• default domain—This option allows you to specify the domain that will be<br />
used if a recipient does not have a domain specified. The default is local.<br />
• method—This option specifies whether or not a unique mailbox will be<br />
created for each user in the designated directory, as follows:<br />
– individual: Specify this method to create a unique mailbox for each<br />
recipient.<br />
– consolidated: Specify this option to create a single, central mailbox.<br />
• cycle—If a consolidated mailbox is used, this option can be used to create<br />
additional consolidated mailboxes. You can specify that a new mailbox be<br />
created each hour (hourly) or each day (daily).
The following is an example of a SAVE action that will save all messages that<br />
fall under the specified threshold to a single consolidated mailbox. A new mailbox<br />
will be created every hour.<br />
threshold=**%;action=SAVE;config=[path=./saved;<br />
depth=0;default domain=local;method=consolidated;<br />
cycle=hourly]<br />
About the TAG action<br />
This action tags the message with a text string (such as “SPAM”) in the subject<br />
<strong>of</strong> the message, and then delivers it to the recipient. The following options can<br />
be specified for this action:<br />
• target—This option specifies where the tag will be added. Currently, the tag<br />
can only be added to the subject of a message.<br />
• action—This option determines whether the tag will be added to the<br />
beginning (prefix) or end (postfix) of the message subject.<br />
• text—This option specifies the actual text that will be added to the subject.<br />
The text must be enclosed in brackets, and should consist of a short string<br />
using uppercase characters (for example, SPAM), ending with a colon.<br />
You can also include a confidence rating in the text portion <strong>of</strong> this tag. A<br />
confidence rating provides a percentage rating, indicating the likelihood that<br />
the email is spam using the Authority’s numerical spam confidence rating<br />
system. To include the confidence rating in this tag, add the string %p%%<br />
within the text brackets, following the colon (you must include a space<br />
between the colon and the string), as shown in the example below. At run<br />
time, the %p portion <strong>of</strong> this option is replaced with the specified threshold<br />
value and the %% portion is translated to a single % sign.<br />
The following is an example <strong>of</strong> a TAG action that will include the tag “SPAM” at<br />
the beginning <strong>of</strong> the subject line:<br />
threshold=**%;action=TAG;config=[target=subject;<br />
action=prefix;text=[SPAM: %p%%]]<br />
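A parser for the action format described under “Configuring the policy.cfg file” above, together with the %p%% expansion used by ADDHEADER and TAG, as an added example; this is not code from the guide or from the Authority spam filter. The policy file text is constructed from the guide's examples with concrete thresholds in place of **%, and with a 550/5.1.1 reply in the REFUSE line rather than the guide's 500/5.0.0. Which action applies to a message is an assumption made here (the enabled action with the highest threshold not exceeding the message's confidence); the guide only states that thresholds must be unique, and the parser enforces that rule.

```python
"""Parse policy.cfg actions and expand the %p%% placeholder.

Added example, not code from the guide or the spam filter. POLICY_CFG is
constructed from the guide's examples with concrete thresholds. Which action
applies to a message (the enabled action with the highest threshold not
above the message's confidence) is an assumption made here.
"""
import re
from typing import Dict, List, Optional

POLICY_CFG = """\
# policy.cfg.SMF1 (constructed); a leading # disables an action
threshold=60%; action=ADDHEADER; config=[header=[X-SPAM]; value=[%p%%]]
threshold=85%; action=TAG; config=[target=subject; action=prefix; text=[SPAM: %p%%]]
threshold=95%; action=REFUSE; config=[rcode=550; xcode=5.1.1; msg=[Delivery denied.]]
#threshold=99%; action=DROP
"""

Action = Dict[str, object]


def _split_top(s: str) -> List[str]:
    """Split on ';' outside [...] so nested config values stay intact."""
    parts: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {s!r}")
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {s!r}")
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def _parse_kv(s: str) -> Dict[str, str]:
    """'a=1; b=[x; y]' -> {'a': '1', 'b': 'x; y'} (one level of brackets removed)."""
    out: Dict[str, str] = {}
    for item in _split_top(s):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {item!r}")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        out[key.strip()] = value
    return out


def parse_policy(text: str) -> List[Action]:
    """Parse enabled action lines; reject bad or duplicate thresholds."""
    actions: List[Action] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # comment or disabled action
        fields = _parse_kv(line)
        thr = fields.get("threshold", "")
        if not re.fullmatch(r"\d{1,3}%", thr) or int(thr[:-1]) > 100:
            raise ValueError(f"line {lineno}: threshold must be 0-100%, got {thr!r}")
        pct = int(thr[:-1])
        if pct in seen:
            raise ValueError(f"line {lineno}: duplicate threshold {pct}%")
        seen.add(pct)
        actions.append({"threshold": pct, "action": fields["action"],
                        "config": _parse_kv(fields.get("config", ""))})
    return actions


def expand(template: str, threshold: int) -> str:
    """%p -> threshold, %% -> '%': the only expansions the guide documents."""
    return (template.replace("%%", "\x00")
                    .replace("%p", str(threshold))
                    .replace("\x00", "%"))


def select_action(actions: List[Action], confidence: int) -> Optional[Action]:
    """Assumed rule: the highest threshold that the confidence reaches."""
    eligible = [a for a in actions if a["threshold"] <= confidence]
    return max(eligible, key=lambda a: a["threshold"]) if eligible else None


def render(action: Action) -> str:
    """What the action writes: a header line, a subject tag, or an SMTP reply."""
    kind, thr, cfg = action["action"], action["threshold"], action["config"]
    if kind == "ADDHEADER":
        return f"{cfg.get('header', 'X-SPAM')}: {expand(cfg.get('value', ''), thr)}"
    if kind == "TAG":
        return expand(cfg["text"], thr)
    if kind == "REFUSE":
        return f"{cfg['rcode']} {cfg['xcode']} {cfg.get('msg', '')}"
    return kind                                     # COPY, SAVE, DROP write nothing
```

With the constructed file, a message scored at 70% gets the header X-SPAM: 60%, one at 90% gets the subject prefix SPAM: 85%, and one at 99% is refused with 550 5.1.1 Delivery denied.; the commented-out DROP line is never selected.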
Redirecting mail to a different destination<br />
To redirect mail that arrives for an account on the Sidewinder G2 to a different<br />
destination, place a .forward file in that account’s home directory: the user’s<br />
home directory for an ordinary user, or /root for mail addressed to root. The<br />
following sections provide information on how to create .forward files on the<br />
Sidewinder G2. (For additional information on .forward files see Chapter 19 in<br />
the UNIX System Administration Handbook.)<br />
Creating a .forward file in a user’s home directory<br />
This section describes how to create a .forward file in a user’s home directory.<br />
Follow the steps below.<br />
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using<br />
your administrator user ID and password.<br />
2 Enter the following command to switch to the admn role:<br />
srole<br />
3 Enter the following command to change to the /home/username directory<br />
(where username is the user’s login name).<br />
cd /home/username<br />
4 Use a text editor to create a new file called .forward.<br />
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the<br />
File Editor in the Admin Console as your text editor. See “Using the Admin<br />
Console File Editor” on page 26.<br />
5 Enter the address where you want to have your mail redirected.<br />
For example:<br />
lloyd@foo.com<br />
6 Save your changes.<br />
7 Use the following command to change the owner of the file (the user must<br />
also be the owner of the file):<br />
chown username /home/username/.forward<br />
8 Use the following command to set the appropriate permissions:<br />
chmod 644 /home/username/.forward<br />
sendmail ignores a .forward file that is writable by anyone other than its owner,<br />
so do not loosen these permissions.<br />
9 Use the following command to change the file’s type:<br />
chtype User:frwd .forward<br />
Creating a .forward file in the root directory<br />
To create a .forward file in the root directory, follow the steps below.<br />
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using<br />
your administrator user ID and password.<br />
2 Enter the following command to switch to the admn role:<br />
srole<br />
3 Enter the following command to change to the /root directory.<br />
cd /root<br />
4 Use a text editor to create a new file called .forward.<br />
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the<br />
File Editor in the Admin Console as your text editor. See “Using the Admin<br />
Console File Editor” on page 26.<br />
5 Enter the address where you want to have your mail redirected.<br />
For example:<br />
chloe@foo.com<br />
6 Save your changes.<br />
7 Use the following command to change the file’s type.<br />
chtype Admn:frwd .forward<br />
Note: Mail to root carries system messages about the Sidewinder G2 itself, so<br />
forward it only to an address inside your trusted network.<br />
Other sendmail features<br />
The mail server is initially installed with default settings that enable basic mail<br />
services. However, sendmail provides several additional features that you may<br />
choose to configure:<br />
• Header stripping—Enables you to remove header information from a<br />
message to conceal internal host information from the outside world.<br />
Note: Header information can only be removed for outbound mail (that is, mail<br />
leaving the Sidewinder G2). Therefore, you should only enable header stripping<br />
in the destination (or external) burb for a message. If you configure header<br />
stripping in the source burb of a message, header stripping will not happen for<br />
that message.<br />
• Blackhole list—Enables you to eliminate unwanted and unsolicited e-mail.<br />
The types of spam control you might implement include use of a Realtime<br />
Blackhole list, blocking promiscuous relaying, and so on.<br />
• Mail routing—Enables you to reroute e-mail from one domain name to<br />
another domain name.<br />
• Mail aliases—Enables you to redirect inbound mail to another person or<br />
location.<br />
• Masquerading—Enables you to transform a local host address in the<br />
header of an e-mail message into the address of a different host.<br />
Header stripping, the RealTime Blackhole list, and promiscuous relaying are<br />
the most popular additional sendmail features. The details for implementing<br />
these features are described in the sections that follow. For information on<br />
implementing the other sendmail features, refer to the book sendmail by Bryan<br />
Costales (O’Reilly & Associates, Inc.).<br />
Configuring sendmail to strip message headers<br />
During the normal operation of sendmail, the path a message traces is<br />
appended to the message by each host through which the mail passes. Unless<br />
these headers are removed, internal host names and IP addresses are disclosed<br />
beyond the Sidewinder G2.<br />
You can configure sendmail to strip (remove) or scrub (change to a different<br />
value) the following headers from messages leaving the Sidewinder G2.<br />
• Received (stripped)<br />
• X400-received (stripped)<br />
• Via (stripped)<br />
• Mail-from (stripped)<br />
• Return-path (stripped)<br />
• Message-id (scrubbed)<br />
• Resent-message-id (scrubbed)<br />
Perform the following steps to configure sendmail to strip or scrub headers.<br />
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3 Select the M4 Config File in the external burb list and click Edit File.<br />
4 Locate the C{STRIP_DOMAINS} line in the file and append the domain<br />
name on which to perform header stripping. For example:<br />
C{STRIP_DOMAINS} domainx<br />
where domainx = the domain name on which to perform header stripping.<br />
You can define multiple domains by entering multiple domain names on one<br />
line (for example, C{STRIP_DOMAINS} abc.com xyz.com)<br />
Note: STRIP_DOMAINS contains the list of domains that will trigger header<br />
stripping. Each message processed by sendmail in the external burb will be<br />
subjected to header stripping if it is received from a domain in this list.<br />
5 Save the changes you made to the file and then close the file.<br />
Note: Stripping the headers will not alter the To and From hosts. The To and<br />
From hosts can be eliminated using rules in the sendmail configuration file. You<br />
can also modify the To and From hosts using masquerading or by editing the<br />
domain tables.<br />
6 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
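What header stripping does to a message, as an added example that is not the guide's or sendmail's code. It applies the strip and scrub list above to a constructed message from abc.com, reading the sender's domain from Return-Path before that header is removed. The STRIP_DOMAINS set, the gateway name firewall.abc.com and the replacement Message-Id format (a random token at the gateway's own host name) are assumptions. As the guide notes, From and To are left alone.

```python
"""Strip and scrub the headers the guide lists, for mail from STRIP_DOMAINS.

Added example, not the guide's or sendmail's code. Received, X400-Received,
Via, Mail-From and Return-Path are removed; Message-Id and Resent-Message-Id
are replaced. The sample message, the STRIP_DOMAINS set and the gateway name
are constructed; the replacement Message-Id format is an assumption.
"""
import email
import secrets
from email.message import Message
from email.utils import parseaddr

STRIP_DOMAINS = {"abc.com", "xyz.com"}          # C{STRIP_DOMAINS} abc.com xyz.com
STRIP_HEADERS = ("Received", "X400-Received", "Via", "Mail-From", "Return-Path")
SCRUB_HEADERS = ("Message-Id", "Resent-Message-Id")

# Constructed outbound message: two Received lines and a Message-Id that all
# name the internal hub mailhub.corp.abc.com and a 10.x client address.
SAMPLE = """\
Return-Path: <lloyd@abc.com>
Received: from mailhub.corp.abc.com (mailhub.corp.abc.com [10.1.2.3])
\tby firewall.abc.com with ESMTP id k5T1a2b3
Received: from lloyd-pc.corp.abc.com ([10.1.7.42]) by mailhub.corp.abc.com
Message-Id: <20060101.1234@mailhub.corp.abc.com>
From: Lloyd <lloyd@abc.com>
To: chloe@example.org
Subject: quarterly numbers

See attached.
"""


def sender_domain(msg: Message) -> str:
    """Domain of the envelope sender (Return-Path), falling back to From."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rpartition("@")[2].lower()


def strip_headers(raw: str, gateway: str = "firewall.abc.com") -> str:
    """Return the message with internal path information removed.

    Mail whose sender domain is not in STRIP_DOMAINS passes through unchanged,
    which is what the guide describes for the external burb.
    """
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)              # read before Return-Path goes away
    if domain not in STRIP_DOMAINS:
        return raw
    for name in STRIP_HEADERS:
        del msg[name]                        # removes every instance of the header
    for name in SCRUB_HEADERS:
        if msg[name] is not None:
            del msg[name]
            msg[name] = f"<{secrets.token_hex(8)}@{gateway}>"
    return msg.as_string()


def leaks_internal_host(text: str, internal_suffix: str = ".corp.abc.com") -> bool:
    """Quick check an administrator can run on the rewritten message."""
    return internal_suffix in text
```

Running strip_headers(SAMPLE) leaves From, To, Subject and the body intact while every mention of mailhub.corp.abc.com and the 10.x addresses disappears; the same message with a sender outside STRIP_DOMAINS is returned byte for byte.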
Configuring sendmail to use the RealTime Blackhole list<br />
Sendmail is able to use the services of the RealTime Blackhole List. The<br />
Blackhole List, a DNS-published list of IP addresses known to send spam, is<br />
maintained by an organization called MAPS (Mail Abuse Prevention System).<br />
The mail server looks up the address of each connecting client in the Blackhole<br />
list. Any e-mail message from a listed address is rejected.<br />
Note: You must subscribe to the MAPS Blackhole List in order to use it. Go to<br />
www.mail-abuse.com for details.<br />
To configure the Sidewinder G2 to use the Realtime Blackhole List, follow the<br />
steps below.<br />
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3 Select the M4 Config File in the external burb list and click Edit File.<br />
4 Add the following line to the file.<br />
FEATURE(`dnsbl', `hostname')dnl<br />
The hostname that you enter in the above line will depend on the type of<br />
service for which you have subscribed. MAPS will provide you with the correct<br />
hostname (for example, blackholes.mail-abuse.org) to use when you<br />
subscribe to their list. Note that m4 quoting opens with a backquote (`) and<br />
closes with an apostrophe (').<br />
5 Save the changes you made to the file and then close the file.<br />
6 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
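How a dnsbl lookup is formed and interpreted, as an added example rather than sendmail's own code: the connecting client's IPv4 address is reversed octet by octet and appended to the list's zone, and an A record in the answer means the address is listed. The resolver is a constructed in-memory table so the block runs offline; the listed address, the 127.0.0.2 answer and the reply text are made up for the example. The 127.0.0.0/8 check is a practitioner's precaution the guide does not mention: a list zone whose domain has lapsed and been parked answers with the parking host's address for every name, and without the check that would reject all inbound mail.

```python
"""Build and interpret a DNS blackhole-list query as FEATURE(dnsbl) does.

Added example, not sendmail's or the guide's code. The client's IPv4
address is reversed octet by octet and looked up under the list's zone; an
A record in the answer means the address is listed. The resolver below is a
constructed in-memory table so this runs offline.
"""
import ipaddress
from typing import Callable, Dict, Optional

# Constructed answers: one listed address, and a lapsed zone that answers
# with a parking host for every name.
FAKE_DNS: Dict[str, str] = {
    "4.3.2.1.blackholes.mail-abuse.org": "127.0.0.2",
    "8.8.8.8.parked.example": "203.0.113.7",
}


def dnsbl_name(client_ip: str, zone: str) -> str:
    """'1.2.3.4' + 'blackholes.mail-abuse.org' -> '4.3.2.1.blackholes.mail-abuse.org'."""
    addr = ipaddress.IPv4Address(client_ip)          # rejects IPv6 and junk
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def is_listed(client_ip: str, zone: str,
              resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> bool:
    """True if the list has an A record for the client.

    Only answers in 127.0.0.0/8 count. Real lists answer 127.0.0.x; a zone
    whose domain has lapsed and been parked answers with the parking host's
    address for every name, and without this check that would reject all mail.
    """
    answer = resolve(dnsbl_name(client_ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def connect_reply(client_ip: str, zone: str) -> Optional[str]:
    """SMTP reply for a listed client, or None to accept (constructed wording)."""
    if is_listed(client_ip, zone):
        return f"550 5.7.1 Rejected: {client_ip} listed at {zone}"
    return None
```

A real deployment would replace FAKE_DNS.get with a resolver call and would also monitor the list's own test address, since a list that deliberately lists everything after shutting down still answers inside 127.0.0.0/8.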
Figure 156: Type of relayed message typically rejected by the Sidewinder G2<br />
Sendmail and promiscuous relaying<br />
Promiscuous relaying is the inappropriate use of an intermediate mail server to<br />
send mail messages. A message that is sent from client A to mail server B but<br />
that is first routed through mail server C is an example of promiscuous relaying.<br />
This technique is often used by spammers and attackers to send unfriendly or<br />
unwanted mail from mail servers other than their own, hiding their origin and<br />
spending the relay’s reputation rather than their own.<br />
On the Sidewinder G2, sendmail is by default configured to BLOCK relayed<br />
mail, preventing the Sidewinder G2 from inadvertently acting as a relay. This<br />
means any message neither originating from nor destined to the Sidewinder G2<br />
domain is treated as an unauthorized relay attempt and is rejected. Note that the<br />
sender address of the message is not relevant to this check (sender names can be<br />
spoofed); the decision is based on the recipient domain and the connecting client.<br />
Figure 156 illustrates the type of relayed message that will be rejected.<br />
[Figure 156: a bad hacker sends mail through the Sidewinder G2 domain to an<br />
Internet mail server and on to an innocent victim; neither endpoint is in the<br />
Sidewinder G2 domain, so the relay is rejected.]<br />
If you choose to ALLOW promiscuous relaying, perform the following steps.<br />
(The Sidewinder G2 initially configures sendmail to BLOCK relayed mail.)<br />
Caution: An open relay is quickly found and abused by spammers, and the<br />
Sidewinder G2’s address will end up on blackhole lists, causing other sites to<br />
reject your legitimate mail. Where you only need to relay for particular hosts,<br />
domains or users, use the Access Table instead (see “Allowing or denying mail on<br />
a user basis”).<br />
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3 Select the M4 Config File for the burb that is running sendmail and click<br />
Edit File.<br />
4 Add the following line to the file.<br />
FEATURE(`promiscuous_relay')dnl<br />
5 Save the changes you made to the file and then close the file.<br />
6 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
Allowing or denying mail on a user basis<br />
By default sendmail will allow or deny mail on a domain basis. However, you<br />
can also instruct sendmail to allow or deny mail to/from specific users within a<br />
domain. To do this, follow the steps below:<br />
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3 Select the Access Table file for the appropriate burb and click Edit File.<br />
4 Add user-based allow (RELAY) and/or deny (REJECT) entries to the access<br />
table. The most specific matching entry wins, so an entry for a user overrides<br />
an entry for that user’s domain.<br />
For example, if you want to allow mail addressed to Lloyd and Sharon but<br />
deny mail addressed to everyone else at example.com, you would add the<br />
following lines:<br />
# Allow mail addressed to these users<br />
To:Lloyd@example.com RELAY<br />
To:Sharon@example.com RELAY<br />
# Deny mail for everyone else<br />
To:example.com REJECT<br />
5 Save the changes you made to the file and then close the file.<br />
Note: For additional information, see the README file in the<br />
/usr/share/sendmail directory on the Sidewinder G2.<br />
6 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
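The following is an added example, not code from the Sidewinder G2 guide or from sendmail: it parses an access table like the one above and reports which To: entry decides the fate of a given recipient, so the table can be checked before it is saved. The lookup order it uses (full address, then local part, then the domain and each parent domain) is this example's assumption about how the sendmail access map is consulted; the README in /usr/share/sendmail is the authoritative reference.<br />

```python
"""Evaluate a sendmail access table for a recipient address.

Added example, not code from the Sidewinder G2 guide or from sendmail.
The lookup order (full address, then local part, then the domain and each
parent domain) is this example's assumption about how the sendmail access
map is consulted.
"""
from typing import Dict, List, Optional, Tuple

ALLOW_ACTIONS = {"RELAY", "OK"}
DENY_ACTIONS = {"REJECT", "DISCARD", "ERROR"}

# Constructed sample: the guide's example table plus one explicit ERROR entry.
SAMPLE_TABLE = """\
# Allow mail addressed to these users
To:Lloyd@example.com RELAY
To:Sharon@example.com RELAY
# Deny mail for everyone else
To:example.com REJECT
To:postmaster@ ERROR:5.7.1:550 postmaster mailbox is closed here
"""


def parse_access_table(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; blank lines and '#' comments are skipped.

    Keys are folded to lower case because the access map is normally built
    case-insensitively (makemap without -f), so lookups must be too.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access entry: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(recipient: str) -> List[str]:
    """Candidate To: keys for a recipient, most specific first (assumed order)."""
    user, _, domain = recipient.lower().partition("@")
    keys = [f"to:{user}@{domain}", f"to:{user}@"]
    labels = domain.split(".") if domain else []
    for i in range(len(labels)):            # domain, then each parent domain
        keys.append("to:" + ".".join(labels[i:]))
    return keys


def decide(table: Dict[str, str], recipient: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, matching key) for a recipient, or None if no entry applies.

    verdict is 'allow' for RELAY/OK, 'deny' for REJECT/DISCARD/ERROR:..., and
    'other' for any value this example does not classify.
    """
    for key in lookup_keys(recipient):
        if key in table:
            action = table[key].split(":", 1)[0].upper()
            if action in ALLOW_ACTIONS:
                return "allow", key
            if action in DENY_ACTIONS:
                return "deny", key
            return "other", key
    return None


if __name__ == "__main__":
    table = parse_access_table(SAMPLE_TABLE)
    for rcpt in ("Lloyd@example.com", "bob@example.com", "bob@mail.example.com",
                 "postmaster@other.org", "ann@other.org"):
        print(f"{rcpt:24} -> {decide(table, rcpt)}")
```

A recipient for which `decide` returns None matches no To: entry at all, so sendmail falls back to its relay policy (blocked by default on the firewall).<br />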
Changing mail aliases<br />
Aliases allow you to redirect mail to another person or location. (Individual<br />
users can also use a .forward file for this purpose, see “Redirecting mail to a<br />
different destination” on page 364.) Aliases are generally used for redirecting<br />
mail addressed to system users such as “postmaster.” On the Sidewinder G2,<br />
messages and other files are often e-mailed to root. By default, a root alias is<br />
created for the administrator you set up when you configured your system. For<br />
more information about mail aliases see Chapter 19 of the UNIX System<br />
Administration Handbook.<br />
Aliases are stored in the /etc/sidewinder/sendmail directory. Follow the steps<br />
below to edit this file:<br />
1 Log into the Admin Console and select Services Configuration > Servers.<br />
2 Select sendmail and click the Configuration tab. Separate configuration<br />
files are maintained for each burb.<br />
3 Select the Aliases file for the burb that is running sendmail and click Edit<br />
File.<br />
To redirect messages to a different user, type the user name after the colon<br />
for the account you want to redirect. For example, if you want to direct<br />
root’s messages to user name piper, you would locate the root line in the<br />
file and edit it to look like this:<br />
root: piper<br />
4 Save the changes you made to the file and then close the file.<br />
5 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
6 To deny or restrict certain SMTP connections, add an appropriate proxy<br />
rule.<br />
Managing mail queues<br />
If a sendmail message cannot be delivered (for example, if the destination<br />
system is down), messages are temporarily placed in queues until they can be<br />
delivered. There are separate queues for each server: /var/spool/mqueue.c<br />
(local) and /var/spool/mqueue.# for the Internet and the trusted burbs. You<br />
should check the queues periodically. If there are a lot of messages that are<br />
several days old, you may have a problem with your system or its<br />
configuration.<br />
To view the mail queue output, type the following command:<br />
mailq<br />
The output of this command will list the messages currently in the queue you<br />
chose, along with information about each message. Each message is assigned<br />
a unique identification number, which is shown in the first column.<br />
Listing the burbname Queue<br />
Mail queue is empty<br />
Listing the burbname Queue<br />
Mail queue is empty<br />
Listing the burbname Queue<br />
Mail queue is empty<br />
By default, undelivered e-mail messages will remain in the mail queues 30<br />
minutes before another delivery attempt is made. If you want to change the<br />
length of time e-mail messages remain in the mail queues before another<br />
delivery attempt is made, follow the steps below.<br />
1 Log into the Admin Console, and select Services Configuration > Servers.<br />
2 Select the sendmail server Configuration tab. Separate configuration files<br />
are maintained for each burb.<br />
3 Select the M4 Config File for the burb that is running sendmail, and click<br />
Edit File.<br />
4 Scroll to the Set the Queue Interval area and edit the following line:<br />
define(`confQUEUE_INTERVAL', `Xm')dnl<br />
where:<br />
X is the amount of time that the message will remain in the queue before an<br />
attempt is made to resend the message.<br />
m indicates that the time will be measured in minutes. You can also use<br />
other time measurements, such as seconds (s), hours (h), days (d), etc. if<br />
desired.<br />
Note: The default value is 30 minutes.<br />
5 Save the changes you made to the file and then close the file.<br />
6 Click the Save icon to save the configuration changes and rebuild the<br />
configuration and database files. This will also automatically restart the<br />
sendmail servers.<br />
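The following is an added example, not part of the Sidewinder G2 guide or of sendmail, covering both M4 Config File edits described in this chapter: it flags FEATURE(`promiscuous_relay') (which makes the server an open relay; the firewall blocks relaying by default) and converts the confQUEUE_INTERVAL value into seconds. It assumes that text from an M4 dnl token to end of line is a comment, that a bare number with no unit means minutes, and that an absent define means the 30-minute default the guide states.<br />

```python
"""Audit a Sidewinder G2 sendmail M4 configuration fragment.

Added example, not part of the Sidewinder G2 guide or of sendmail.
Assumptions: text from an M4 'dnl' token to end of line is a comment, a
bare number with no unit means minutes, and an absent define means the
guide's 30-minute default.
"""
import re
from typing import Dict, List, Optional

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFAULT_QUEUE_INTERVAL = "30m"      # default stated in the guide

_RELAY_RE = re.compile(r"FEATURE\(\s*`?promiscuous_relay'?\s*\)")
_INTERVAL_RE = re.compile(
    r"define\(\s*`?confQUEUE_INTERVAL'?\s*,\s*`?([0-9A-Za-z]+)'?\s*\)")
_PART_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)

# Constructed sample resembling the lines the guide has you edit.
SAMPLE_MC = """\
dnl Constructed sample, not a real Sidewinder G2 configuration file
FEATURE(`promiscuous_relay')dnl
define(`confQUEUE_INTERVAL', `45m')dnl
"""


def strip_dnl(line: str) -> str:
    """Drop everything from the first M4 'dnl' comment token to end of line."""
    return re.split(r"\bdnl\b", line, maxsplit=1)[0]


def interval_to_seconds(value: str) -> int:
    """Convert a sendmail interval such as '30m', '1h30m' or '90' to seconds."""
    pos, total = 0, 0
    for match in _PART_RE.finditer(value):
        if match.start() != pos:        # gap means an unrecognised character
            break
        number, unit = int(match.group(1)), (match.group(2) or "m").lower()
        total += number * UNIT_SECONDS[unit]
        pos = match.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"malformed interval: {value!r}")
    return total


def audit_mc(text: str) -> Dict[str, object]:
    """Report the relay and queue-interval settings found in an M4 config text."""
    promiscuous = False
    interval: Optional[str] = None
    for raw in text.splitlines():
        line = strip_dnl(raw)           # commented-out lines are ignored
        if _RELAY_RE.search(line):
            promiscuous = True
        match = _INTERVAL_RE.search(line)
        if match:
            interval = match.group(1)   # a later define overrides an earlier one
    effective = interval or DEFAULT_QUEUE_INTERVAL
    findings: List[str] = []
    if promiscuous:
        findings.append("promiscuous_relay is enabled: sendmail will relay "
                        "mail for any domain (open relay)")
    return {
        "promiscuous_relay": promiscuous,
        "queue_interval": effective,
        "queue_interval_seconds": interval_to_seconds(effective),
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit_mc(SAMPLE_MC))
```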
CHAPTER 13<br />
Setting Up Web Services<br />
In this chapter...<br />
An overview of Web services on Sidewinder G2..........................374<br />
Implementation options for Web access ......................................376<br />
Using the HTTP proxy ..................................................................378<br />
Using the Web proxy server .........................................................381<br />
Configuring the Web proxy server................................................383<br />
Configuring browsers for the Web proxy server ...........................389<br />
Chapter 13: Setting Up Web Services<br />
An overview of Web services on Sidewinder G2<br />
Figure 157: Web access for users on your internal network<br />
The Sidewinder G2 allows you to control connections between your internal<br />
network(s) and the World Wide Web. Using Application Defenses, you can<br />
configure the appropriate rules to protect a client (outgoing traffic), server<br />
(incoming traffic), or both behind your Sidewinder G2. You can also configure<br />
whether you will allow transparent, non-transparent, or both connections on a<br />
per-rule basis.<br />
Note: For information on configuring Application Defenses, see Chapter 6.<br />
The following two sections provide a summary of the three most common types<br />
of Web access that you can configure on the Sidewinder G2.<br />
Web access for users on your internal network<br />
Your internal users can access Web servers on the Internet or on a trusted<br />
network. In either case, access can be regulated using a Web proxy (HTTP or<br />
HTTPS), the Web proxy server, or both. When internal users have access to an<br />
external Web server, it is called "outbound traffic."<br />
[Figure 157 diagram labels: internal network, internal Web site/Web server, DMZ burb, Web proxy, Internet, external network Web server/Web site]<br />
Access to your Web server by untrusted external users<br />
You can set up a Web server on a network controlled by your Sidewinder G2.<br />
The Web server should be contained on an isolated burb and network.<br />
Untrusted external users will be able to access this Web server only if a Web<br />
proxy is enabled on the Sidewinder G2. You can configure a Web proxy<br />
(HTTP/HTTPS), the Web proxy server, or both to allow external users passage<br />
through the Sidewinder G2 to the Web server. When external users have<br />
access to an internal Web server, the traffic is called “inbound traffic.”<br />
Figure 158: Access to your Web server by untrusted external users<br />
[Figure 158 diagram labels: internal network, internal Web site/Web server, DMZ burb, Web proxy, Internet, external network, external user]<br />
Figure 159: Access to the internal network by trusted external users<br />
Access to your internal network by trusted external users<br />
You can configure clientless VPN (SSL-based VPN) services for your trusted<br />
external users. Clientless VPN enables trusted external users (for example,<br />
remote employees) to establish an SSL connection to the internal network<br />
without requiring a dedicated VPN client. Trusted external users can establish<br />
a VPN connection from any client that is capable of handling SSL (such as a<br />
standard Web browser). A common example of using clientless VPN is to allow<br />
a trusted external user access to an internal mail server, such as Microsoft<br />
Exchange ® Server, as shown in Figure 159. For information on configuring the<br />
Sidewinder G2 to allow clientless VPN for trusted remote users, see “Setting<br />
up clientless VPN access for trusted remote users” on page 379.<br />
[Figure 159 diagram labels: Web server, internal mail server, internal network, HTTPS proxy, Internet, external network, trusted clientless VPN user; legend: VPN tunnel, Data]<br />
Implementation options for Web access<br />
Figure 160: Option 1: The HTTP proxy passes all Web traffic<br />
Web access can be controlled using a Web proxy (HTTP or HTTPS), the Web<br />
proxy server, or both. These Web options are typically used in one of three<br />
configuration options, as shown in the following examples:<br />
• Option 1: HTTP proxy regulates all Web traffic.<br />
• Option 2: Web proxy server regulates all Web traffic.<br />
• Option 3: Web proxy server regulates traffic from the trusted burbs and the<br />
HTTP proxy regulates traffic from the Internet burb.<br />
Option 1: HTTP proxy passes all Web traffic<br />
Option 1 depicts a scenario in which the HTTP (or HTTPS) proxy regulates<br />
Web traffic moving between all burbs on the Sidewinder G2. Using the<br />
appropriate Web Application Defenses within your HTTP/HTTPS proxy rules,<br />
you can configure URL properties, perform request and reply header filtering,<br />
perform MIME/anti-virus filtering, and deny certain types of Web content. You<br />
can also configure whether allowed connections can be transparent, non-transparent,<br />
or both. If you configure transparent HTTP, it will appear to a user<br />
that they are connecting directly to the Web server rather than connecting to the<br />
Sidewinder G2 first. The HTTPS proxy also allows you to perform SSL<br />
decryption. Figure 160 illustrates the HTTP proxy regulating all Web traffic.<br />
[Figure 160 diagram labels: internal user, internal Web site/Web server, DMZ burb, HTTP proxy, Internet, internal network, external network, external user, Web server/Web site]<br />
Option 2: Web proxy server regulates all Web traffic<br />
In Option 2, the Web proxy server regulates Web traffic between all burbs. This<br />
option is generally used in larger companies that have security policies about<br />
how employees can use the Web. The Web proxy server is the best option if<br />
you want to provide caching services on the Sidewinder G2. In general,<br />
caching does not apply to Internet users that access a Web site on your<br />
internal network. (Option 3 illustrates a more likely scenario for using the<br />
caching feature.)<br />
Note: For more information on using the Web proxy server, refer to “Using the<br />
Web proxy server” on page 381.<br />
Figure 161: Option 2: The Web proxy server regulates all Web traffic<br />
[Figure 161 diagram labels: internal user, Web server, Internet, internal network, external network, Web server/Web site]<br />
Figure 162: Option 3: Web proxy server regulates traffic from the trusted burbs while HTTP proxy passes traffic from the Internet burb<br />
Option 3: Web proxy server regulates traffic from the internal burbs and the HTTP proxy passes traffic from the Internet burb<br />
Option 3 depicts a scenario using both the HTTP proxy and the Web proxy<br />
server. In this scenario, the HTTP proxy regulates Web traffic coming from the<br />
Internet to a Web server on a trusted internal network. The Web proxy server is<br />
configured to regulate Web traffic that is initiated from an internal burb. The<br />
Web server being accessed can reside on another isolated burb, or on the<br />
external burb.<br />
[Figure 162 diagram labels: internal user, internal Web site, DMZ burb, Web proxy server, internal Web site/Web server, DMZ burb, HTTP proxy, Internet, internal network, external network, external user, Web server/Web site]<br />
Using the HTTP proxy<br />
Figure 163: Standard (transparent) HTTP proxy<br />
Figure 164: Non-transparent HTTP proxy<br />
Using the appropriate Web Application Defenses, you can configure additional<br />
HTTP proxy rules that control URL properties, perform request and reply<br />
header filtering, perform MIME/anti-virus filtering, and deny certain types of<br />
Web content. You can also configure whether connections will be transparent<br />
or non-transparent. If you configure transparent HTTP, it will appear to a user<br />
that they are connecting directly to the Web server rather than connecting to<br />
the Sidewinder G2 first. See “Creating Web or Secure Web Application<br />
Defenses” on page 156.<br />
If using the HTTP proxy, caching is not available<br />
If you configured your Sidewinder G2 to use the default Internet Services rule,<br />
your active proxy rule group includes the HTTP service. This rule allows Web<br />
access from your internal network to external networks using the HTTP proxy.<br />
Users on your internal network can connect to the Web using any Web<br />
browser; the connections will be routed through the Sidewinder G2 on port 80.<br />
Figure 163 depicts access to external Web servers via an HTTP proxy rule<br />
using port 80 allowing transparent connections. Figure 164 depicts access to<br />
Web servers via non-transparent HTTP proxy rule using ports other than 80.<br />
(Transparency is configured on a per-rule basis via Application Defenses.)<br />
Note: For information on configuring the HTTP proxy, see “HTTP/HTTPS<br />
considerations” on page 259.<br />
[Figure 163 diagram labels: Web browser, port 80, internal network, http proxy, Sidewinder G2, external network, port 80, Internet, Web site/Web server]<br />
[Figure 164 diagram labels: Web browser, port 8080, internal network, nt_http proxy on port 8080 or any other port, Sidewinder G2, external network, port 80 or any other port, Internet, Web site/Web server]<br />
Setting up Web access using the HTTP proxy<br />
The following steps provide an overview of the tasks you must do to set up<br />
Web access using the HTTP proxy on port 80.<br />
Note: During the Quick Start Wizard, you had the option to allow Internet services.<br />
If they were allowed, the Internet Services rule, and its proxies, were enabled and<br />
added to the active rule group.<br />
1 Using the Admin Console, select Services Configuration > Proxies and<br />
check the HTTP proxy’s Enabled in Burb column. If the HTTP proxy is not<br />
enabled in the burbs where you want to allow HTTP traffic to originate,<br />
enable the appropriate burbs in the Proxy Properties tab.<br />
2 Select Policy Configuration > Rules and configure the appropriate proxy<br />
rules to manage Web access. You can create HTTP proxy rules to control<br />
from which internal systems users can browse and to which external<br />
systems they can connect. You can also configure advanced HTTP<br />
properties (such as transparency and MIME/virus/spyware filtering) for a<br />
rule via Application Defenses. (See Chapter 6 for information on creating<br />
Application Defenses, and Chapter 8 for information on creating rules.)<br />
3 Place the HTTP proxy rules into the active rule group.<br />
4 Test the HTTP proxy rule(s).<br />
After you enable the proxy and place the rules in the active rule group, you<br />
should test HTTP access by starting a Web browser from one of your internal<br />
systems, and entering the address of a Web site you know is valid—for<br />
example, you could attempt to access Secure Computing at the following<br />
URL: http://www.securecomputing.com.<br />
Note: Make sure you use a system that is allowed HTTP access.<br />
Setting up clientless VPN access for trusted remote users<br />
This section provides guidance on configuring clientless VPN access for your<br />
trusted remote users. When configuring clientless VPN access, you can<br />
configure whether or not the Sidewinder G2 will require proxy authentication. If<br />
you configure the Sidewinder G2 to require proxy authentication, you must use<br />
SSO authentication. Follow the steps below.<br />
Note: You must have SSL Decryption and Strong Cryptography licensed to<br />
configure clientless VPN services.<br />
1 Enable the HTTPS proxy for the appropriate burbs. For information on<br />
enabling proxies, see “Configuring proxies” on page 266.<br />
2 Create an IP address network object for the protected server to which your<br />
remote trusted users will be connecting (for example, a Microsoft Exchange<br />
Server). For information on creating an IP address network object, see<br />
“Configuring IP address objects” on page 145.<br />
3 Create a Secure Web Application Defense with the following configuration:<br />
Note: For more information on configuring a Secure Web Application Defense,<br />
see “Creating Web or Secure Web Application Defenses” on page 156.<br />
a In the Type field, select Server.<br />
b Select the Decrypt Web Traffic check box.<br />
c [Optional] If you are configuring remote access to an internal Microsoft<br />
Exchange Server, select the Rewrite Microsoft OWA HTTP check box.<br />
d Select the appropriate Firewall Certificate.<br />
e Select the Encryption/Decryption Methods you want to allow.<br />
f [Optional] Configure additional Secure Web Server Enforcements.<br />
g Click the Save icon to save the new defense.<br />
4 Create an HTTPS proxy rule to allow access. The fields listed below must<br />
be configured as specified:<br />
Note: You can configure rule fields that are not listed below as you see fit. For<br />
more information on creating proxy rules, see “Creating proxy rules” on page<br />
222.<br />
• General tab—Service Type=Proxy, Service=HTTPS, Action=Allow<br />
• Source/Dest tab—Redirect Host=IP Address network object for the<br />
protected server, Redirect Port=80<br />
• [Optional] Authentication tab—If you want to require users to<br />
authenticate via the proxy before being allowed access, you will need to<br />
select Authenticate using SSO.<br />
• [Optional] Time tab—Configure as needed.<br />
• Application Defense tab—Select the defense you created in<br />
step 3.<br />
5 Add the HTTPS proxy rule to the active proxy rule group.<br />
Once this rule is included in the active rule group, the Sidewinder G2 is<br />
ready to allow trusted remote users access to the internal network.<br />
How trusted remote users gain access to the internal network<br />
This section lists the steps required for trusted remote users to gain access to<br />
a protected internal server. The procedure will vary depending on whether you<br />
have configured the HTTPS proxy rule to require authentication.
If a user is not required to authenticate via the proxy:<br />
1 Point your browser to the Sidewinder G2 decrypting HTTPS proxy (for<br />
example, https://SWG2_address.com). Your Web browser may prompt you<br />
to approve the certificate that is presented by the Sidewinder G2.<br />
2 Authenticate to the server. If your server requires authentication, an<br />
authentication prompt will appear. When you successfully authenticate, you<br />
will be allowed to access that server.<br />
If a user is required to authenticate via the proxy:<br />
1 Point your browser to the Sidewinder G2 SSO direct login page and<br />
authenticate.<br />
2 [Conditional] If the server you are accessing requires certificate validation,<br />
you will need to approve the certificate before you can authenticate to the<br />
server.<br />
3 Authenticate to the server. If your server requires authentication, an<br />
authentication prompt will appear. When you successfully authenticate, you<br />
will be allowed to access that server.<br />
Using the Web proxy server<br />
Figure 165: Sidewinder G2 Web proxy server<br />
To allow Web access from an internal burb to an external burb using the Web<br />
proxy server, you will need to set up the appropriate proxy rule and enable the<br />
Web proxy server. Once the Web proxy server is enabled, users on that<br />
internal burb can connect to the Web using a Web browser by pointing at port<br />
3128 (or whatever port you have configured to use for the Web proxy server).<br />
Figure 165 shows an example Web proxy server configuration.<br />
[Figure 165 diagram labels: Web browser, port 3128, internal network, Sidewinder G2, external network, Internet, port 80, Web server/Web site, port 8080 (or any port number you configured)]<br />
By using the Web proxy server, you gain support for Web caching on the<br />
Sidewinder G2. Web caching can improve performance of a user’s Web<br />
browser by caching Web documents in the Sidewinder G2 cache memory.<br />
When a user accesses a Web site, each new Web page that the caching<br />
server downloads is also saved in cache memory. The next time the user<br />
requests that page, the caching server retrieves it from the cache rather than<br />
downloading it from the network a second time.<br />
If you use the Web proxy server in non-transparent mode, all Web browsers on<br />
your internal workstations must be configured to point to the Sidewinder G2<br />
internal name and to whatever port you have configured for the Web proxy<br />
server. For information on what users need to do to configure their Web<br />
browser, see “Configuring browsers for the Web proxy server” on page 389.<br />
Setting up Web access using the Web proxy server<br />
The following steps provide an overview of the tasks you must do to set up<br />
Web access using the Web proxy server.<br />
1 Configure the appropriate proxy rules to restrict Web access.<br />
Once you enable the Web proxy server, you must configure one or more<br />
proxy rules to control the burbs from which users can browse, and to which<br />
burbs they can connect. See Chapter 8 for detailed information on setting<br />
up proxy rules.<br />
When configuring the proxy rule for a Web proxy server connection, be sure<br />
to specify Server in the Service Type field.<br />
2 Configure and enable the Web proxy server. See “Configuring the Web<br />
proxy server” on page 383.<br />
3 [Optional] Configure authentication for Web users.<br />
You can configure the Sidewinder G2 to authenticate all users requesting<br />
Web service using either a basic UNIX password or stronger authentication<br />
methods before the Sidewinder G2 makes the network connection. Refer to<br />
“Configuring authentication services” on page 284 for details on the authentication<br />
methods supported by the Sidewinder G2.<br />
4 Inform users how to configure their Web browsers. See “Configuring<br />
browsers for the Web proxy server” on page 389.<br />
5 Test a Web connection.<br />
You can test the Web proxy server by starting a Web browser from one of<br />
your internal systems, and entering the address of a Web site you know is<br />
valid—for example, you could attempt to access Secure Computing at the<br />
following URL: http://www.securecomputing.com.<br />
Note: Make sure you use a system from which you did not deny access.<br />
Error messages when using the Web proxy server<br />
If you configure a Web proxy server proxy rule to deny a particular Web<br />
connection and that connection is attempted by a user, the message Access<br />
Denied by Firewall Access Rules is sent to the user. This message is<br />
stored in the following file:<br />
/usr/local/squid/etc/cvs/errors/ERR_SCC_DENIED<br />
The message that appears can be modified by editing the file above.<br />
Note: You must be in the Admn domain to edit this file.<br />
If the file does not exist or is empty, the following message is issued to the<br />
user:<br />
Forbidden by proxy ACL check
Configuring the Web proxy server<br />
Figure 166: Web proxy server window: Control tab<br />
Figure 167: Web Proxy Server window: Configuration tab<br />
To configure the Web proxy server, follow the steps below.<br />
1 In the Admin Console, select Services Configuration > Servers. The<br />
Servers window appears.<br />
2 Select WebProxy from the Server Name list. The Control tab for the Web<br />
proxy server appears.<br />
Configuring the Web proxy server Control tab<br />
The Control tab allows you to enable or disable the Web proxy server. Follow<br />
the steps below.<br />
1 Select Enable to enable the Web proxy server.<br />
2 To configure the properties for the Web proxy server, click the Configuration<br />
tab. Follow the steps below to configure the Configuration tab.<br />
Configuring the Web Proxy Server Configuration tab<br />
The WebProxy Configuration tab allows you to determine how the WebProxy<br />
server will be used in your system. Follow the steps below.<br />
Note: The authentication method used by Squid is determined by the<br />
authentication method specified within the proxy rule.<br />
1 If you want to use SmartFilter to control Web access, select the Enable<br />
SmartFilter Control List check box. If SmartFilter is enabled, you must<br />
enter your SmartFilter subscription information in the SmartFilter window.<br />
Note: The Web proxy server only supports SmartFilter version 3.x. Support of<br />
4.x is provided via the Web/Secure Web Application Defenses. For more<br />
information on the SmartFilter option, see Appendix E.<br />
2 If you want the client IP address to be included in the request header, select<br />
the Include Client Address in Requests check box.<br />
3 Specify the amount of time you want to allow before a timeout occurs by<br />
entering a numeral in the Timeout for HTTP Requests field, and then select<br />
a unit of measurement from the drop-down list. The default is 30 seconds.<br />
4 Configure the client connections that you want to allow. All client<br />
connections that are currently configured are displayed in the Allow Client<br />
Connections On area of the Configuration tab.<br />
Note: Do not configure more than 31 entries in this list.<br />
The following configuration options are available:<br />
• New—Click this button to add a new client connection. The<br />
Configuration: Allowed Client Connections window appears. For specific<br />
information on adding a new client connection, refer to “Adding or<br />
modifying a client connection” on page 385.<br />
• Modify—Select the client connection you want to modify and click this<br />
button to make changes to an existing client connection. The<br />
Configuration: Allowed Client Connections window appears. For specific<br />
information on changing a client connection, refer to “Adding or<br />
modifying a client connection” on page 385.<br />
• Delete—Select the client connection you want to delete and click this<br />
button to delete an existing client connection. A confirmation window<br />
appears. Click Yes to confirm the deletion. Click No to cancel the<br />
request without deleting the client connection.<br />
5 Click the save icon in the toolbar to save your changes.
Chapter 13: Setting Up Web Services
Configuring the Web proxy server

Adding or modifying a client connection
To add or modify a client connection in the Configuration: Allowed Client Connections window, follow the steps below.
1 Specify the burb on which you want the WebProxy server to listen from the Burb Name drop-down list.
2 Specify the port number on which you want the WebProxy server to listen in the Port Number field. You can use the drop-down list to select a predefined port, or you can type a port number into the field.
3 Specify the type of IP address that you want the WebProxy server to listen on from the Address drop-down list. The following options are available:
• Any—Select this option if you want to allow the Web Proxy server to listen on any IP address for the burb that you selected.
• Designated—Select this option if you want to specify the address on which the WebProxy server will listen. Enter the IP address in the available field. The address you specify must be located in the burb you selected in the Burb Name field.
4 Click Add to add this client connection to the list of WebProxy server client connections (click OK if you are modifying the client connection).
5 To add an additional client connection, repeat step 1–step 4.
6 When you are finished adding or modifying client connections, click Close.

Configuring the Web Proxy Server Cache tab
[Figure 168: Web Proxy Server window: Cache tab]
Configuring caching options
To configure the caching options for the Web Proxy server, select Services Configuration > Servers. The Servers window appears. Select WebProxy from the Server Name list, and then click the Cache tab. The following window appears:
The WebProxy server Cache tab allows you to define disk and memory characteristics for the Web proxy server. Disk caching allows Web browsers to store information on the Sidewinder G2 for frequently-used sites, so information does not have to be downloaded each time a site is accessed. To configure the WebProxy server using the Cache tab, follow the steps below.
1 Specify the name of the cache root directory in the Directory field. This is the name of the directory in which cached files will be stored. The default directory is /var/cache.
2 Specify the maximum amount of disk space (in MB) that can be used for disk caching in the Maximum disk usage field. You should specify a value of 1 or greater. Note the following:
• Specifying zero (0) does not turn off caching. To disable caching, you must edit the file named squid.conf.template.
• The cache limit specified here is an approximate limit. That is, the actual cached data may exceed what you specify in this field.
3 Specify the maximum amount of memory that can be used for disk caching in the Maximum memory usage field.
4 In the Delete unused items after field, specify how long items will remain in the cache directory before they are deleted.
5 Click the save icon in the toolbar to save your changes. It may take a few minutes for any changes on this window to take effect.
[Figure 169: Web Proxy Server window: Filtering tab]
Configuring Web Proxy Server HTTP filtering
Configuring HTTP filtering options
Select Services Configuration > Servers. The Servers window appears. Select WebProxy from the Server Name list, and then click the Filtering tab. The following window appears:
The WebProxy server Filtering tab allows you to define HTTP header filtering. To configure the WebProxy server filtering, select the type of HTTP header filtering you want, if any. The following options are available:
• None—Select this option if you do not want to use HTTP header filtering.
• Standard—Select this option if you want to deny a basic set of headers (the headers that will be denied are automatically selected for you).
• Paranoid—Select this option if you want to allow only the headers that are RFC-compliant. (All other headers will be denied.)
• Custom—Select this option if you want to configure which HTTP header types you will allow and deny. When you select a header in the header list, you can also determine whether to Allow or Deny the headers you select in the Filter Option field. You can also add, delete, or clear HTTP header types in the HTTP Header Types list, as follows:
– To add a new HTTP header type, click New. The New Custom Header Type window appears. Enter the new header type and click OK.
– To delete a custom HTTP header type, click Delete. The Select a Custom Header Type to delete window appears. This window contains a list of custom HTTP header types that have been created. To delete a custom header, select the header you want to delete and click OK. (The Delete button is grayed out if you do not have any custom headers configured.)
– To clear all HTTP header types from the HTTP Header Types list, click Clear.
[Figure 170: Web Proxy Server window: Advanced tab]
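The four header-filtering modes above, modelled in Python as an added example (not code from the Sidewinder G2 guide). The Standard deny set, the RFC header set, the sample request and the Custom rule list are all constructed for illustration and do not reproduce the product's own lists; the treatment of header types absent from a Custom list is an assumption noted in the code.

```python
# Added example (not code from the Sidewinder G2 guide): a model of the four
# header-filtering modes on the WebProxy Filtering tab (None, Standard,
# Paranoid, Custom) applied to a raw HTTP request. The header-name sets are
# constructed for illustration; the product's actual Standard deny list and
# RFC header list are not reproduced here.

STANDARD_DENY = frozenset({  # constructed stand-in for the "basic set" Standard denies
    "via", "x-forwarded-for", "forwarded", "proxy-connection",
})

RFC_HEADERS = frozenset({    # constructed subset of header names defined by the HTTP RFCs
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "authorization", "cache-control", "connection", "content-length",
    "content-type", "cookie", "if-modified-since", "if-none-match",
    "referer", "via",
})


class HeaderPolicy:
    """One Filtering-tab mode. For "custom", custom_rules maps a header type
    to its Filter Option, "allow" or "deny"."""

    MODES = ("none", "standard", "paranoid", "custom")

    def __init__(self, mode, custom_rules=None):
        if mode not in self.MODES:
            raise ValueError("unknown filtering mode: %r" % (mode,))
        self.mode = mode
        self.rules = {}
        for name, option in (custom_rules or {}).items():
            if option not in ("allow", "deny"):
                raise ValueError("Filter Option must be allow or deny: %r" % (option,))
            self.rules[name.lower()] = option

    def permits(self, name):
        """Header names are case-insensitive, so compare in lower case."""
        n = name.lower()
        if self.mode == "none":
            return True
        if self.mode == "standard":
            return n not in STANDARD_DENY
        if self.mode == "paranoid":
            return n in RFC_HEADERS
        # custom: header types not in the list are denied here. That default is
        # an assumption; the guide does not say how unlisted types are treated.
        return self.rules.get(n) == "allow"


def filter_request(raw_request, policy):
    """Apply a HeaderPolicy to one HTTP/1.x request.

    Returns (filtered_request, dropped). The request line and any body pass
    through unchanged; header lines are kept or dropped by the policy, and a
    header line without a colon is dropped as malformed.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    kept, dropped = [], []
    for line in header_lines:
        name, colon, _value = line.partition(":")
        name = name.strip()
        if not colon or not name:
            dropped.append(line)
            continue
        if policy.permits(name):
            kept.append(line)
        else:
            dropped.append(name)
    return "\r\n".join([request_line] + kept) + sep + body, dropped


SAMPLE_REQUEST = (  # constructed request as a browser behind the proxy might send it
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Via: 1.1 inner-proxy\r\n"
    "X-Forwarded-For: 10.1.1.5\r\n"
    "X-Internal-Ticket: 4711\r\n"
    "Cookie: session=abc\r\n"
    "\r\n"
)

CUSTOM_RULES = {  # constructed Custom-mode list with its Filter Options
    "Host": "allow", "User-Agent": "allow", "Via": "allow",
    "X-Forwarded-For": "deny", "Cookie": "deny",
}
```

Running the same request through each mode shows the difference in what leaves the proxy: Standard removes only its fixed deny set, while Paranoid also strips the site-specific X-Internal-Ticket header because it is not an RFC-defined name.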
Configuring the Web Proxy Server Advanced tab
Manually editing the configuration file
Select Services Configuration > Servers. The Servers window appears. Select WebProxy from the Server Name list, and then click the Advanced tab. The following window appears:
The WebProxy server Advanced tab allows you to edit the squid.conf.template file directly rather than through the Web Proxy Server windows. The Advanced window contains only one button, labelled Edit Squid Configuration. This button allows you to edit the squid.conf.template file manually using the File Editor.
Important: If you manually edit the squid.conf.template file using the File Editor (or via the command line), you will need to run cf www reconfigure to update squid.conf and re-read the configuration files. Only an experienced administrator should edit the squid.conf.template file directly.
The tabbed information on the Web Proxy Server windows is a subset of the information in the squid.conf.template file. The tabs include the information most likely to be changed. When you enter or update information on any of the tabs of the Web Proxy Server window, you are actually updating the squid.conf.template file.
When you enter or update information on any of the tabs, the Edit Squid Configuration button becomes inactive until you click the Save icon in the upper left portion of the window. This prevents changes you have made using the Admin Console from being overwritten by manual changes you might make to the file. When you click the Save icon, the Edit Squid Configuration button becomes active again.
Changing to transparent mode
The Web proxy server is in non-transparent mode when Sidewinder G2 is initially installed. If you want the Web proxy server to operate in transparent mode, do the following. (For information on transparent vs. non-transparent mode, see “Transparent & non-transparent proxies” on page 254.)
1 Select Services Configuration > Servers. Select WebProxy in the list of server names, then click the Advanced tab.
2 Click Edit Squid Configuration.
Note: If desired, you can also edit this file using a text editor such as vi, pico, or emacs. The file resides in /etc/sidewinder/proxy/squid/squid.conf.template.
Set the following values within the "HTTP ACCELLERATION" lines in this file.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
3 Save and close the file.
4 Click the Configuration tab and configure the Web proxy server to listen on port 80. See “Configuring the Web Proxy Server Configuration tab” on page 384 for details.
5 Click the save icon in the toolbar to save your changes.
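The file edit in step 2 above, done in Python as an added example (not a Sidewinder G2 tool): the four transparent-mode directives are applied to the text of a squid.conf.template, rewriting existing or commented-out httpd_accel_* lines and appending any that are missing. The sample template is constructed; the result still has to be written back and cf www reconfigure run, as the guide requires.

```python
# Added example (not a Sidewinder G2 tool): applies the four transparent-mode
# settings from the procedure above to the text of a squid.conf.template,
# rewriting existing or commented-out httpd_accel_* lines and appending any
# that are missing. The sample template below is constructed; on a real
# system, write the result back and run cf www reconfigure afterwards.

TRANSPARENT_SETTINGS = {
    "httpd_accel_host": "virtual",
    "httpd_accel_port": "80",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}


def set_transparent_mode(template_text):
    """Return template_text with the httpd_accel_* directives set for transparent mode."""
    out, seen = [], set()
    for line in template_text.splitlines():
        # A directive may be present, or present but commented out ("#httpd_accel_port port").
        words = line.strip().lstrip("#").split()
        key = words[0] if words else None
        if key in TRANSPARENT_SETTINGS:
            if key not in seen:               # rewrite the first occurrence, drop duplicates
                out.append("%s %s" % (key, TRANSPARENT_SETTINGS[key]))
                seen.add(key)
            continue
        out.append(line)
    for key, value in TRANSPARENT_SETTINGS.items():
        if key not in seen:                   # directive absent from the file: append it
            out.append("%s %s" % (key, value))
    return "\n".join(out) + "\n"


def active_directives(template_text):
    """Parse uncommented 'name value...' lines into a dict (last occurrence wins)."""
    result = {}
    for line in template_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        name, _, value = s.partition(" ")
        result[name] = value.strip()
    return result


SAMPLE_TEMPLATE = """# constructed squid.conf.template excerpt, not the real file
http_port 3128
# HTTP ACCELLERATION
#httpd_accel_host hostname
#httpd_accel_port port
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
cache_dir ufs /var/cache 100 16 256
"""
```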
Configuring browsers for the Web proxy server
You should inform users on your internal network how they should configure their Web browsers to use the Web proxy server.
Note: You should not need to configure your browsers if you are in transparent mode.
To set up the browsers to work with the Web proxy server for Web connections, there are two basic steps:
• Specify the Sidewinder G2 fully qualified host name or IP address in the browser’s proxy line.
• Specify port number 3128 or whatever port you configured for the Web proxy server.
Below are the setup procedures for recent versions of Mozilla Firefox, Internet Explorer, and Netscape. If your users have older versions, consider providing them with the latest version. For other browsers, consult that browser’s documentation for defining an HTTP proxy server.
Mozilla Firefox 1.0
To configure Mozilla Firefox for the Web proxy server, do the following:
1 Start the Mozilla Firefox browser and select Tools > Options.
2 Click Connection Settings.
3 Select the Manual Proxy Configuration radio button.
4 In the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example, SWG2name.example.com.
5 In the corresponding Port field, enter 3128 or whatever port you configured for the Web proxy server.
6 Click OK.
Internet Explorer 4.0
To configure Internet Explorer 4.0 for the Web proxy server, do the following:
1 Open the Control Panel window.
2 Double-click the Internet icon.
3 Click the Connection tab. In the Proxy Server section, enable the option titled Access the Internet using a proxy server.
4 Fill in the text boxes next to HTTP Proxy and Port.
• For the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example, SWG2name.example.com.
• For the Port field, enter 3128 or whatever port you configured for the Web proxy server.
5 Click OK.
Internet Explorer 5.x/6.x
To configure Internet Explorer 5.x/6.x for the Web proxy server, do the following:
1 Start the Internet Explorer browser and select Tools > Internet Options.
2 Click the Connections tab.
3 Click LAN Settings.
4 Check the Use a Proxy Server box.
• For the Address field, enter the fully qualified host name or IP address of your Sidewinder G2. For example, SWG2name.example.com.
• For the Port field, enter 3128 or whatever port you configured for the Web proxy server.
5 Click OK.
Netscape version 6.x/7.x
To configure Netscape 6.x/7.x for the Web proxy server, do the following:
Important: As an administrator, be aware that some versions of Netscape will remember the user ID and password after the browser is closed and will not reauthenticate a user after the browser is restarted. This is a security concern when multiple users share a workstation or do not lock their systems.
1 Start the Netscape browser and select Edit > Preferences.
2 Select the Advanced > Proxies category.
3 Select Manual proxy configuration.
4 Fill in the text boxes next to HTTP Proxy and Port as follows:
• For the HTTP Proxy field, enter the fully qualified host name or IP address of your Sidewinder G2. For example, SWG2name.example.com.
• For the Port field, enter 3128 (or whatever port you configured for the Web proxy server).
5 Click OK.
Certain browsers on UNIX
For some UNIX browsers that do not have a proxy configuration screen, you must set the http_proxy environment variable to http://sidewinder.com:3128/. To do so, set the variable in either the C shell or the Bourne shell, as follows:
• Enter the following command in the C shell (CSH):
setenv http_proxy http://SWG2name.example.com:3128/
• Enter the following command in the Bourne shell (the variable must be exported so that the browser process inherits it):
http_proxy="http://SWG2name.example.com:3128/"; export http_proxy
CHAPTER 14
Configuring Virtual Private Networks
In this chapter...
Sidewinder G2 VPN overview ..... 394
Configuring the ISAKMP server ..... 402
Configuring the Certificate server ..... 404
Understanding virtual burbs ..... 405
Configuring client address pools ..... 407
Configuring Certificate Management ..... 415
Importing and exporting certificates ..... 431
Configuring VPN Security Associations ..... 438
Example VPN Scenarios ..... 450
Chapter 14: Configuring Virtual Private Networks

Sidewinder G2 VPN overview
The Sidewinder G2 VPN solution provides secure data transmission through an encryption and decryption process. The Sidewinder G2 uses the Internet Key Exchange (IKE) to support this process. The Sidewinder G2 also supports the use of manually configured encryption keys.
[Figure 171: Sidewinder G2s, an IPSec or IKE remote site, or a VPN client machine. Nodes shown: Toronto, London, Sydney, Certificate server, Internet, Any IPSec remote site, VPN client]
One of the most advanced features of the Sidewinder G2 VPN solution is the fact that VPN has been embedded into the architecture, making it an operating characteristic of the OS. This integration not only lets you apply access rules to VPNs in exactly the same way you do for physically connected networks but also means that you can use the Sidewinder G2 VPN solution to coordinate corporate-wide network security policies.
As companies expand to new locations and employees spend more time working out of the office, VPN solutions are becoming more and more important to businesses. Consider the value of encrypting and authenticating data in these situations:
• passing traffic from Sidewinder G2 to Sidewinder G2 between offices located in different cities.
• passing traffic from employees working remotely to your network.
Protecting your information
An introduction to IPSec technology
The Internet is a broadcast medium that is used to send information. While information is in transit, anyone can choose to monitor or intercept this information.
Sending information beyond your Sidewinder G2 via the Internet is like sending an unsealed envelope of important information via a courier service: you must trust that the courier will not read or steal the information.
To address this danger, an organization known as the IETF (Internet Engineering Task Force) developed a standard for protecting data on unprotected (or untrusted) networks such as the Internet. The standard has become known as IPSec, meaning Internet Protocol Security. In brief, IPSec calls for encrypting the data before it leaves the local host, then decrypting it (removing its “cloak” of encryption) when it is received at the destination or remote host. Once it is decrypted, the data assumes its original form and can be read as intended. No matter how long or circuitous its route through the Internet, the data remains private by virtue of its encryption.
What are encryption and authentication?
The two main components of IPSec security are encryption and authentication.
• Encryption — Encryption is the means by which plain text is “cloaked.” It ensures that the transmitted data remains private and unreadable until properly decrypted. The Sidewinder G2 uses an encryption key to encipher and decipher each unit of data sent between your site and the “partner” or remote VPN site. (See “About IPSec keys” on page 396.)
• Authentication — VPN authentication prevents unauthorized individuals from tampering with the contents of the data being transmitted. It also prevents them from creating messages that claim to come from a particular place but are actually sent from somewhere else (such as the hacker’s home computer). Authentication is accomplished through two methods:
– Data-integrity checking, which allows the receiver to verify whether the data was modified or corrupted during transmission.
– Sender identification, which allows the receiver to verify whether the data transmission originated from the source that claims to have sent it.
When used together, encryption and authentication are very much like writing an encoded message, sealing it in an envelope, and then signing your name across the flap. The receiver can first verify that the signature is yours as a means of determining the origin of the message. Next, the receiver can determine if the contents have been viewed or altered by checking that the envelope seal has not been compromised. Once the receiver is assured of the authenticity of the message, they can decode the contents and “trust” that the contents are as intended.
VPN configuration options
VPN involves establishing an association (or a trust relationship) between your Sidewinder G2 and an IPSec-compliant remote Sidewinder G2, host, or client. (These entities are referred to as “VPN peers.”) Once this trust relationship is defined, data sent between the two ends is encrypted and then authenticated before it is transmitted. There are three important concepts that comprise the Sidewinder G2 VPN:
• IPSec keys, which determine how the information is encrypted and decrypted, and may be manually or automatically exchanged.
• certificates, pre-shared passwords, and extended authentication, which authenticate the VPN peer.
• tunnel or transport encapsulation, two methods of how header information is passed.
Understanding the options associated with each concept will assist you greatly in creating your security association. Study the following information to help you determine which VPN configuration best suits your network environment.
About IPSec keys
A key is a number that is used to electronically sign, encrypt and authenticate data when you send it, and decrypt and authenticate your data when it is received. When a VPN is established between two sites, two keys are generated for each remote end: an encryption key and an authentication key. To prevent these keys from being guessed or calculated by a third party, a key is a large number. Encryption and authentication (or session) keys are unique to each VPN security association you create.
Once generated, these keys are exchanged (either automatically or manually) between the sites, so that each end of the VPN knows the other end’s keys.
To generate key pairs, the Sidewinder G2 gives you two options:
• Manual key generation — If the remote site is not Internet Key Exchange (IKE)-compliant, you may want to choose the manual method of key generation. With this method, the Sidewinder G2 provides randomly generated encryption and authentication keys (or you can create your own), which you must copy and pass to the remote end of the VPN via secure e-mail, diskette, or telephone. Repeat this process each time you generate keys. Manual keys are more labor intensive than automatic keys and are rarely used.
• Automatic key generation using IKE — If the remote end of your VPN uses the IKE protocol, the Sidewinder G2 can manage the generation of session keys between sites automatically. This process also regularly changes the keys to avoid key-guessing attacks. Automatic keys are very common in today’s network environments.
Authenticating IKE VPNs
If you are using manual key generation, each time you generate session keys you must communicate directly with the other end of the VPN via telephone, diskette, or e-mail. By contacting the remote end of the VPN each time you change session keys, you manually verify that the remote end is actually who they claim to be.
With automatic key generation, once you gather the initial information for the remote end of the VPN, there is no further direct contact between you and the remote end of the VPN. Session keys are automatically and continually generated and updated based on this initial identifying information. As a result, the Sidewinder G2 requires a way to assure that the machine with which you are negotiating session keys is actually who they claim to be: a way to authenticate the other end of the VPN. To allow automatic key generation, the Sidewinder G2 offers the following authentication techniques:
• a pre-shared password — When you must generate keys, the Sidewinder G2 and the remote end must both use the agreed-upon password, defined during the initial configuration of the VPN, to authenticate each peer.
• a single certificate — Single certificate authentication requires that the Sidewinder G2 generate a certificate and private key to be kept on the Sidewinder G2 and a certificate and private key to be exported and installed on a client. Each certificate, once installed on its end of a VPN connection, acts as a trust point. A single certificate (also referred to as a “self-signed certificate”) differs from Certificate Authority (CA) based certificates in that no root certificate is necessary.
• a Certificate Authority policy — The Sidewinder G2 can be configured to trust certificates from a particular certificate authority (CA). Thus, it will trust any certificate that is signed by a particular CA and meets certain administrator-configured requirements on the identity contained within the certificate. Because of the nature of this type of policy, Secure Computing recommends that only locally administered Certificate Authorities be used in this type of policy. Certificate authorities are described further in “Configuring Certificate Management” later in this chapter.
Transport mode vs. tunnel mode
There are two methods for encapsulating packets in a VPN connection: transport mode and tunnel mode. The following paragraphs provide a description of each method.
• Transport mode — In transport mode, only the data portion of the packet gets encrypted. This means that if a packet is intercepted, a hacker will not be able to read your information, but will be able to determine where it is going and where it has originated. This mode existed before firewalls and was designed for host-to-host communications.
• Tunnel mode — In tunnel mode, both the header information and the data are encrypted and a new packet header is attached. The encryption and new packet header act as a secure cloak or “tunnel” for the data inside. If the packet is intercepted, a hacker will not be able to determine any information about the true origin, final destination or data contained within the packet. This mode is designed to address the needs of hosts that exist behind a Sidewinder G2. Because the packet header is encrypted, private source or destination IP addresses can remain hidden.
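The encrypt-then-authenticate model from “What are encryption and authentication?” and the two encapsulation modes above, worked through in Python as an added example (not code from the guide). The cipher is a toy keystream derived from HMAC-SHA256 and stands in for an IPSec encryption algorithm; HMAC-SHA256 provides the data-integrity check; the addresses, keys and payload are constructed sample values. The observer view shows what an interceptor still learns in each mode.

```python
# Added example (not code from the Sidewinder G2 guide): encrypt-then-
# authenticate protection of a packet in transport mode and in tunnel mode,
# showing what an observer on the path can still read in each case. The
# cipher is a toy keystream built from HMAC-SHA256 (constructed for
# illustration; it is not an IPSec algorithm) and HMAC-SHA256 provides the
# data-integrity check. Addresses, keys and payload are constructed values.
import hashlib
import hmac
import json
import os


def _keystream_xor(enc_key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def protect(plaintext, enc_key, auth_key, nonce=None):
    """Encrypt first, then authenticate: the MAC covers nonce and ciphertext."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = _keystream_xor(enc_key, nonce, plaintext)
    mac = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "mac": mac}


def unprotect(blob, enc_key, auth_key):
    """Verify the MAC before touching the ciphertext; reject any modification."""
    expected = hmac.new(auth_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["mac"]):
        raise ValueError("authentication failed: packet modified or forged")
    return _keystream_xor(enc_key, blob["nonce"], blob["ct"])


def transport_mode(packet, enc_key, auth_key):
    """Transport mode: the original header stays in the clear, only the payload is protected."""
    body = protect(packet["payload"].encode(), enc_key, auth_key)
    return {"src": packet["src"], "dst": packet["dst"], "body": body}


def tunnel_mode(packet, gw_src, gw_dst, enc_key, auth_key):
    """Tunnel mode: the whole inner packet (header and payload) is protected and a new header is attached."""
    body = protect(json.dumps(packet).encode(), enc_key, auth_key)
    return {"src": gw_src, "dst": gw_dst, "body": body}


def observer_view(wire):
    """What someone intercepting the packet can read without the keys."""
    return {"src": wire["src"], "dst": wire["dst"], "ciphertext_bytes": len(wire["body"]["ct"])}


def receive_transport(wire, enc_key, auth_key):
    payload = unprotect(wire["body"], enc_key, auth_key).decode()
    return {"src": wire["src"], "dst": wire["dst"], "payload": payload}


def receive_tunnel(wire, enc_key, auth_key):
    return json.loads(unprotect(wire["body"], enc_key, auth_key).decode())


def tamper_detected(wire, enc_key, auth_key):
    """Flip one ciphertext byte in a copy and report whether the receiver rejects it."""
    ct = bytearray(wire["body"]["ct"])
    ct[0] ^= 0x01
    forged = {"nonce": wire["body"]["nonce"], "ct": bytes(ct), "mac": wire["body"]["mac"]}
    try:
        unprotect(forged, enc_key, auth_key)
    except ValueError:
        return True
    return False


# Constructed sample: a host behind one Sidewinder G2 talking to a host behind another.
PACKET = {"src": "10.1.1.5", "dst": "10.2.2.9", "payload": "GET /payroll HTTP/1.1"}
ENC_KEY = b"constructed-encryption-key-0001"
AUTH_KEY = b"constructed-authentication-key-1"
TORONTO_GW, LONDON_GW = "198.51.100.1", "203.0.113.1"


def demo():
    """Protect PACKET both ways and return what the observer and the receiver each get."""
    t = transport_mode(PACKET, ENC_KEY, AUTH_KEY)
    u = tunnel_mode(PACKET, TORONTO_GW, LONDON_GW, ENC_KEY, AUTH_KEY)
    return {
        "transport_seen": observer_view(t), "tunnel_seen": observer_view(u),
        "transport_rx": receive_transport(t, ENC_KEY, AUTH_KEY),
        "tunnel_rx": receive_tunnel(u, ENC_KEY, AUTH_KEY),
        "tamper_caught": tamper_detected(u, ENC_KEY, AUTH_KEY),
    }
```

In the transport-mode result the observer still reads the private 10.x endpoints, while in tunnel mode only the two gateway addresses are visible and the inner header travels inside the ciphertext.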
Configuring hardware acceleration for VPN
When configuring VPNs you have the option of utilizing a Sidewinder G2 premium feature called VPN hardware acceleration, which is implemented using a hardware accelerator. When you use a hardware accelerator, Sidewinder G2 performance may improve because the VPN encryption, decryption, and authentication tasks are pushed down to the board level. This frees up the Sidewinder G2 to perform other tasks and in some cases increases the throughput of your VPN traffic.
Note: Hardware acceleration cannot be used for policies protected only by authentication (known as Authentication Header or AH).
To implement VPN hardware acceleration you must do the following:
• Install a hardware accelerator. Consult the product documentation for the accelerator and chassis.
• License both the VPN and the hardware acceleration premium features. See “Activating the Sidewinder G2 license” on page 55 for licensing information.
• Enable the VPN hardware acceleration feature. This is accomplished in the Admin Console by selecting Firewall Administration > Interface Configuration, then enabling the Enable vpn_acceleration check box in the Hardware Capabilities area. See “Modifying the interface configuration” on page 83 for details.
Important: When selecting the IPSec crypto algorithms to use with VPN traffic that will be accelerated, do not use the cast128 or AES algorithms. The currently supported hardware acceleration boards do not support these algorithms. The IPSec crypto algorithms are defined on the Crypto tab of the Security Associations window.
Configuring a VPN client
To establish an encrypted session between a laptop or desktop computer and the Sidewinder G2 and gain access to a trusted network, the user needs to install a VPN client. For details on installing and configuring your VPN client, consult your product documentation.
In many cases the VPN client will be SoftRemote®. Secure Computing and SafeNet partner to make that VPN client available from Secure Computing. When you order your SoftRemote client software from Secure Computing, you receive a copy of the VPN Administration Guide. This guide is also available at www.securecomputing.com/goto/manuals. It provides detailed instructions for implementing a VPN using a Sidewinder G2 and SoftRemote.
Extended Authentication for VPN<br />
The Extended Authentication (XAUTH) option provides an additional level <strong>of</strong><br />
security to your VPN network. In addition to the normal authentication checks<br />
inherent during the negotiation process at the start <strong>of</strong> every VPN association,<br />
Extended Authentication goes one step further by requiring the person<br />
requesting the VPN connection to validate their identity. The Extended<br />
Authentication option is most useful if you have travelling employees that<br />
connect remotely to your network using laptop computers. If a laptop computer<br />
is stolen, without Extended Authentication it might be possible for an outsider<br />
to illegally access your network. This is because the information needed to<br />
establish the VPN connection (the self-signed certificate, etc.) is saved within<br />
the VPN client s<strong>of</strong>tware. When Extended Authentication is used, however, a<br />
connection will not be established until the user enters an additional piece <strong>of</strong><br />
authentication information that is not saved on the computer—either a onetime<br />
password, passcode, or PIN. This additional level <strong>of</strong> authentication<br />
renders the VPN capabilities <strong>of</strong> the laptop useless when in the hands <strong>of</strong> a thief.<br />
Implementing Extended Authentication on the <strong>Sidewinder</strong> <strong>G2</strong> is a simple two<br />
step process.<br />
1 Specify the authentication method(s) that are available on your <strong>Sidewinder</strong><br />
<strong>G2</strong> See “Supported authentication methods” on page 277 for information on<br />
supported methods.<br />
Do this by selecting VPN Configuration > ISAKMP Server, then enabling<br />
the desired methods in the Available Authentication Methods field. See<br />
“Configuring the ISAKMP server” on page 402 for details.<br />
399
Chapter 14: Configuring Virtual Private Networks<br />
<strong>Sidewinder</strong> <strong>G2</strong> VPN overview<br />
Table 27: VPN Authentication options<br />
400<br />
Authentication Summary<br />
2 Enable Extended Authentication for the desired VPN security association(s).
This is accomplished by selecting VPN Configuration > Security Associations and then selecting the Require Extended Authentication check box. See "Entering information on the Authentication tab" on page 442 for more details.
Note: Extended Authentication must also be enabled on the remote client. See your client software documentation for information on configuring and enabling Extended Authentication.
What type of VPN authentication should I use?
The Sidewinder G2 supports four different VPN authentication methods. The characteristics of a VPN peer determine which type of authentication best fits your VPN configuration. Extended Authentication may be added to any automatic key authentication method for increased security.
Note: Extended Authentication is not available for Sidewinder G2-to-Sidewinder G2 configurations or for any configuration that uses a manual key exchange.
Table 27: VPN Authentication options

Manual key VPN
• authenticates using a manual key exchanged over a telephone or other secure connection; keying information is cumbersome to enter and is not changed often, which reduces security
• uncommon in today's networks, but used for resolving interoperability problems with other vendors' IPSec products
• cannot be used for dynamic IP-assigned clients or gateways
• each VPN peer requires its own Sidewinder G2 VPN configuration

Automatic key shared password VPN
• primary authentication is a password shared with the VPN peer; recommended for use with Extended Authentication
• ideally suited for travelling and home users when paired with a strong extended authentication method, such as SafeWord PremierAccess
• may be used with dynamic IP-assigned clients, but the clients must be configured to use Aggressive Mode. In Aggressive Mode the peer identity and the hash derived from the shared password are exchanged before the channel is encrypted, which lets an eavesdropper attempt to guess the password offline, so choose a long, random shared password and do not rely on it as the only factor.
• a single Sidewinder G2 VPN configuration can be used to administer many VPN clients

Automatic key single certificate VPN
• authenticates using a self-signed public certificate; each VPN peer must first import the corresponding peer's certificate
• ideally used for a small number of remote clients
• used with dynamic IP-assigned clients and gateways
• each peer certificate requires its own Sidewinder G2 security association

Automatic key certificate authority-based VPN
• authenticates each VPN peer by using a certificate signed by a certificate authority trusted by the other peer
• ideally suited for roving client VPN peers (such as those using laptop computers)
• used with dynamic IP-assigned clients and gateways
• a single Sidewinder G2 security association can be used to administer many VPN clients
General guidelines for selecting a VPN authentication type
Here are some general guidelines to follow when you are deciding which type of VPN to use:
• If the VPN peer is not a Secure Computing product, and all other types of VPN methods do not work, try the manual key VPN.
• For a small number of VPN peer clients with dynamically assigned IP addresses, the single certificate VPN is a cost-effective solution. A shared password VPN in conjunction with Extended Authentication is also an option.
• If the VPN peer has a static IP address, the pre-shared password VPN is the easiest to configure. Extended Authentication would not be used in a gateway-to-gateway configuration, as there is no one to answer the challenge/response.
• If there is a large number of VPN peer clients with dynamically assigned IP addresses (such as a traveling sales force), the CA-based VPN is often the easiest to configure and maintain. Another popular option is to use a pre-shared password VPN in conjunction with Extended Authentication.
Configuring the ISAKMP server
If you are using automatic key exchange, you will need to configure the Internet Security Association and Key Management Protocol (ISAKMP) server before using any automatic key VPNs. To configure the ISAKMP server, select VPN Configuration > ISAKMP Server. The following window appears.
Figure 172: ISAKMP Server window
Configuring the ISAKMP Server window
The ISAKMP server is used by the Sidewinder G2 to generate and exchange keys for VPN sessions. To configure the ISAKMP server, follow the steps below.
1 In the Burbs to Listen on box, select the burbs that will have access to the ISAKMP server. A check mark appears next to each burb that has access to the server.
2 To allow ISAKMP to send and receive certificates with remote peers using the ISAKMP protocol, select the Allow Certificate Negotiation check box. (If you de-select this option, all certificates used to authenticate remote peers must either be in the local certificate database or be accessible via LDAP.)
3 In the P1 Retries field, specify the number of times ISAKMP will attempt to resend a phase 1 packet for which it has not received a response.
4 In the P1 Retry Timeout field, specify the number of seconds ISAKMP waits for a response before resending a packet the first time.
5 In the Audit Level field, select the type of auditing that should be performed on the ISAKMP server. The options are:
• Error—Logs only major errors.
• Normal—Logs major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages, plus all debug information.
• Trace—Logs all errors and informational messages, plus debug and function trace information.
Debug and Trace are intended for troubleshooting a failing negotiation; they generate a large volume of audit data, so return to a lower level once the problem is found.
6 In the Available Authentication Methods field, select the authentication method(s) you want to be made available for VPN associations that use Extended Authentication. A check mark appears when an authentication method is selected. See "Extended Authentication for VPN" on page 399 for a detailed description of Extended Authentication.
Note: You must configure an authentication method before it can be selected. See "Configuring authentication services" on page 284 for more information.
7 If two or more authentication methods are selected, you should specify a default method from the Default drop-down list. If a default method is not selected, the first method selected in the list will be the default method.
8 Click the Save icon in the toolbar to save your changes.
Allowing access to the ISAKMP server
An ISAKMP rule is required in order to allow access to and from the ISAKMP server. "Creating proxy rules" on page 222 describes how to define a proxy rule. The ISAKMP proxy rule must contain the following values:
• Service Type = Server
• Service = isakmp
• Source Burb = the Internet burb
• Destination Burb = the Internet burb
• Source address = All Source Addresses (or the addresses of the remote VPN peers)
• Destination address = a network object representing the IP address of the Internet burb, or a netgroup that contains a network object representing the IP address of the Internet burb
This ISAKMP rule is implicitly bi-directional, meaning it enables ISAKMP traffic in both directions.
Use All Source Addresses only when the remote peers have dynamically assigned addresses (roving clients). For gateway-to-gateway VPNs whose peers have fixed addresses, list those peer addresses instead, so that only known gateways can reach the ISAKMP server.
Enabling/disabling the ISAKMP server
Perform the following steps to enable or disable the ISAKMP server.
1 In the Admin Console, select Services Configuration > Servers.
2 Select isakmp from the list of server names.
3 Click Enable or Disable.
4 Click the Save icon in the toolbar.
Configuring the Certificate server
The Certificate server performs a number of functions, including providing support for the certificate management daemon (CMD) and for an optional external LDAP server. If the LDAP function is configured, it can be used to automatically retrieve certificates and Certificate Revocation Lists (CRLs) from an LDAP Version 2 or Version 3 server. The Sidewinder G2 will attempt to retrieve any certificates and (optionally) any CRLs that it needs to validate certificates in a CA-based VPN. Note that the LDAP functionality is used only for non-Netscape Certificate Authorities (for example, Baltimore or Entrust).
Note: In addition to configuring the Certificate server, a root certificate from the Certificate Authority must be imported into the Certificate Authorities tab for a certificate issued by that CA to validate.
To configure the Certificate server, select Services Configuration > Servers. Select cmd in the list of server names, and then select the Configuration tab. The following window appears.
Figure 173: Server Control window: Configuration tab
About the Certificate Server Configuration tab
The Certificate Server Configuration tab allows you to configure the Certificate server. Follow the steps below.
Important: Many of the functions you can perform on this window require the use of the CMD server. See "Activating the Sidewinder G2 license" on page 55 for instructions on enabling the CMD server.
1 To enable the LDAP feature, select the Use LDAP to search for Certificates and CRLs check box, and follow the sub-steps below. If enabled, the Sidewinder G2 will attempt to retrieve the certificates and CRLs it needs from an LDAP server.
a In the LDAP Server Address field, type the IP address of the LDAP server.
b In the LDAP Server Port field, type the port number on which the LDAP server listens. The port number is typically 389, but the server can be configured to listen on different ports.
c In the LDAP Timeout field, specify the maximum time (in seconds) that CMD will wait while performing an LDAP search. The valid range is 0 to 3600 seconds. The recommended value is between 5 and 300 seconds.
2 In the Maximum Validated Key Cache Size field, specify the maximum number of validated keys that will be stored in cache memory. Caching validated keys can increase system performance. The valid range is 0–500. A value of 0 indicates that no keys will be cached. For most systems a value of 100 is sufficient.
3 In the Certificate Key Cache Lifetime field, specify the maximum amount of time a certificate can remain in the validated key cache before it must be re-validated. The valid range is 0–168 hours (1 week). A value of 0 indicates that the certificate keys must be re-validated with each use. Until a cached key expires it is not re-validated, so a longer lifetime delays the effect of a revocation by up to that many hours.
4 Select the Perform CRL Checking check box to enable CRL checking. If this option is disabled, CRLs will not be consulted when validating certificates, and a certificate that the CA has revoked will still validate.
5 In the CRL Retrieval Interval for CAs drop-down list, specify how often a CA is queried in order to retrieve a new CRL. A revocation cannot take effect on the Sidewinder G2 before the next retrieval.
6 In the Audit Level drop-down list, select the type of auditing that should be performed on this server. The options are:
• Error—Logs only major errors.
• Normal—Logs major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages, plus all debug information.
• Trace—Logs all errors and informational messages, plus all debug and function trace information.
7 Click the Save icon in the toolbar.
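The interaction between steps 2 through 5 is easy to get wrong in practice: a key that sits in the validated key cache is not checked against a CRL until its cache lifetime expires, and the CRL itself is only as new as the last retrieval. The following Python model, added here as an illustration and not code from Secure Computing or the Sidewinder G2, reproduces the documented behaviour of the four settings (cache size, cache lifetime, Perform CRL Checking, and a freshly retrieved CRL) so you can see for how many hours a revoked certificate keeps validating under each configuration. Everything it assumes beyond the guide's text is marked in comments: chain validation is reduced to "issued by an imported root CA", the CRL is taken to arrive in the hour the CA publishes it (the retrieval interval would add to the delay), and a newly retrieved CRL is assumed not to flush entries already in the cache, which the guide does not state either way. The certificates and CA name are constructed for the example.

```python
"""Model of the Certificate server's validated-key cache and CRL checking.
Added illustration, not Secure Computing code; semantics beyond the guide's
text are assumptions and marked as such."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: str   # constructed identifiers, not real certificates
    issuer: str


class CertificateServerModel:
    def __init__(self, trusted_cas, perform_crl_checking=True,
                 max_cache_size=100, cache_lifetime_hours=24):
        self.trusted_cas = set(trusted_cas)         # roots imported on the Certificate Authorities tab
        self.perform_crl_checking = perform_crl_checking
        self.max_cache_size = max_cache_size        # Maximum Validated Key Cache Size (0 = no cache)
        self.cache_lifetime_hours = cache_lifetime_hours  # Certificate Key Cache Lifetime (0 = every use)
        self.crl = set()                            # serials in the most recently retrieved CRL
        self._cache = OrderedDict()                 # serial -> hour the key was last fully validated

    def publish_crl(self, revoked_serials):
        """A newly retrieved CRL replaces the previous one. Assumption: it does
        not flush entries already in the validated key cache."""
        self.crl = set(revoked_serials)

    def _full_validation(self, cert):
        # Assumption: chain building is reduced to "issued by a trusted root".
        if cert.issuer not in self.trusted_cas:
            return False
        if self.perform_crl_checking and cert.serial in self.crl:
            return False
        return True

    def validate(self, cert, now_hours):
        """Validate cert at time now_hours, using the cache as configured."""
        validated_at = self._cache.get(cert.serial)
        if validated_at is not None and now_hours - validated_at < self.cache_lifetime_hours:
            return True                             # cache hit: the CRL is not consulted
        self._cache.pop(cert.serial, None)
        ok = self._full_validation(cert)
        if ok and self.max_cache_size > 0:
            if len(self._cache) >= self.max_cache_size:
                self._cache.popitem(last=False)    # evict the oldest entry
            self._cache[cert.serial] = now_hours
        return ok


def hours_until_rejected(server, cert, revoke_at, horizon=200):
    """cert is used at hour 0 and every hour after; the CA's CRL listing it is
    retrieved at hour revoke_at. Return the first hour the server rejects it,
    or None if it is still accepted at the horizon."""
    for hour in range(horizon):
        if hour == revoke_at:
            server.publish_crl({cert.serial})
        if not server.validate(cert, hour):
            return hour
    return None


if __name__ == "__main__":
    alice = Cert(serial="1001", issuer="Example Root CA")   # constructed sample
    configs = {
        "defaults (lifetime 24 h, CRL checking on)": {},
        "cache lifetime 0": {"cache_lifetime_hours": 0},
        "cache size 0": {"max_cache_size": 0},
        "CRL checking off": {"perform_crl_checking": False},
    }
    for label, kwargs in configs.items():
        server = CertificateServerModel({"Example Root CA"}, **kwargs)
        print(f"{label}: rejected at hour {hours_until_rejected(server, alice, revoke_at=1)}")
```

Running the script shows the trade-off the settings encode: with the defaults (cache lifetime 24 hours, CRL checking on) a certificate revoked at hour 1 is still accepted until hour 24; with a lifetime of 0 or a cache size of 0 it is rejected at hour 1; with Perform CRL Checking cleared it is never rejected. On a real Sidewinder G2 the CRL Retrieval Interval adds to that delay, so size the cache lifetime and the retrieval interval together.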
Understanding virtual burbs
A virtual burb is a burb that does not contain a network interface card (NIC). The sole purpose of a virtual burb is to serve as a logical endpoint for a VPN association. Terminating a VPN association in a virtual burb accomplishes two important goals:
• It separates VPN traffic from non-VPN traffic.
• It enables you to enforce a security policy that applies strictly to your VPN users.
Consider a VPN policy that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic. This is because proxies and rules are applied on a burb basis, not to specific traffic within a burb. By terminating the VPN in a virtual burb you effectively isolate the VPN traffic from non-VPN traffic. Plus, you are able to configure a unique set of rules for the virtual burb that allow you to control precisely what your VPN users can or cannot do. Figure 174 illustrates this concept.
Figure 174: Virtual burb vs. a non-virtual burb VPN implementation
[Figure 174 shows two diagrams. "VPN without a virtual burb": a Non-VPN Client and a VPN Client on the Internet both enter the Sidewinder G2 through the Internet burb, and a single set of proxies passes their data from the Internet burb to the Trusted burb and the internal network. "VPN with a virtual burb": the VPN tunnel terminates in a Virtual burb while non-VPN data enters the Internet burb, and each burb has its own proxies into the Trusted burb and the internal network. Legend: VPN tunnel; Data.]
Note: Both VPN implementations depicted in Figure 174 represent "proxied" VPNs because proxies must be used to move VPN data between burbs. The use of proxies enables you to control the resources that a VPN client has access to on your internal network.
A virtual burb can support all the same services as a normal burb. If traffic coming from the virtual burb is destined to the Sidewinder G2 itself (for example, DNS or SSH), the rule that allows traffic across that burb must specify a NAT address of localhost. If localhost is not specified, the Sidewinder G2 will not be able to route traffic back to the originator.
You can define up to 64 physical and virtual burbs. For example, if you have two distinct types of VPN associations and you want to apply a different set of rules to each type, create two virtual burbs, then configure the required proxies and rules for each virtual burb.
One question that might come to mind when using a virtual burb is: "How does VPN traffic get to the virtual burb if it doesn't have a network card?" All VPN traffic originating from the Internet initially arrives via the network interface card in the Internet burb. A VPN security association, however, can internally route and logically terminate VPN traffic in any burb on the Sidewinder G2. By defining a security association to terminate the VPN in a virtual burb, the VPN traffic is automatically routed to that virtual burb within the Sidewinder G2. Thus, the trusted network now recognizes the virtual burb as the source burb for your VPN traffic. From the virtual burb, a proxy and rule are needed to move the traffic to a trusted burb with network access.
Creating and using a virtual burb with a VPN
This section explains how to create a virtual burb on the Sidewinder G2 and how to use it in a VPN association.
Create the virtual burb:
1 In the Admin Console, select Firewall Administration > Burb Configuration.
2 Click New.
a In the Burb Name field, type the name for your virtual burb.
b Click OK.
3 Click the Save icon.
Configure proxies and rules:
4 In the Admin Console, select Services Configuration > Proxies and enable the desired proxies in the virtual burb.
5 Select Policy Configuration > Rules and define the rules that allow access to and from the virtual burb.
Note: Be sure to add any rules you create to the active proxy rule group. The virtual burb should be specified as either the source or destination burb, depending on the type of rule being defined.
Terminate the desired VPN association in the virtual burb:
6 Terminate the desired VPN security association(s) in the virtual burb. See "Configuring VPN Security Associations" on page 438 for information on creating or modifying a VPN association.
Configuring client address pools
Client address pools are used to simplify the management of VPN clients. They do so by having the Sidewinder G2 manage certain configuration details on behalf of the client. All the client needs is:
• client software that supports the ISAKMP mode-config exchange
• authorization information (a client certificate, a password, etc.)
• the address of the Sidewinder G2
Here is how it works: you create a "pool" of IP addresses that will be used by remote clients when they attempt to make a VPN connection. When a client attempts a connection, the Sidewinder G2 assigns it one of the IP addresses available in the address pool. The Sidewinder G2 also negotiates with the client to determine other VPN requirements, such as which DNS and/or WINS servers will be made available to the client. If the negotiation is successful, the client is connected and the VPN association is established.
Note: To date, not all VPN client software supports the negotiation of every client address pool parameter. Be sure to verify that your client(s) support the necessary features.
The number of IP addresses available in the client address pool is dictated by the value defined in the Virtual Subnet field. Even though the client may have a fixed IP address, the address used within the VPN association is the address assigned to it from the address pool. The address pool works for both fixed and dynamic clients. This means that in the scenarios described at the end of this chapter, address pools could be used in scenario 2 or scenario 3.
You can create multiple client address pools if desired. Grouping VPN clients into distinct pools allows you to limit the resources the clients in each group can access.
The following sections explain how to configure client address pools.
Configuring a new client address pool
To configure a new client address pool, select VPN Configuration > Client Address Pools. The following window appears.
Figure 175: Client Address Pools
About the Client Address Pools window
This window allows you to create and modify client address pools. You can perform the following actions in this window:
• Create a new client address pool—To create a new client address pool, click New in the Pools area. The New Pool window appears. See "About the New Pool window" on page 409.
• Delete a client address pool—To delete a client address pool, highlight the pool in the Pool list and click Delete. Click Yes to confirm the deletion.
• Configure a client address pool—To configure the client address pool tabs, see the following:
– For information on configuring the Subnets tab, see "Configuring the Subnets tab" on page 410.
– For information on configuring the Servers tab, see "Configuring the DNS and/or WINS servers" on page 411.
– For information on configuring the Fixed IP Map tab, see "Configuring the fixed IP map" on page 413.
About the New Pool window
The New Pool window allows you to create a new client address pool. Follow the steps below.
1 In the Pool Name field, type the name of the new address pool.
2 In the Virtual Subnet field, specify the network portion of the IP addresses that will be used in the client address pool, and the number of bits to use in the network mask. The network mask specifies the significant portion of the IP address. For example, a virtual subnet of 192.168.105.0 with a 24-bit mask provides the addresses 192.168.105.1 through 192.168.105.254; the network and broadcast addresses are reserved.
3 In the Define the Local Subnets available to remote clients area, configure the local networks that will be available to remote clients that establish a VPN association using an address from the client address pool. The following options are available:
• Create a new local subnet—Click New to define a new entry in the Local Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Modify a local subnet—Select the subnet you want to modify and click Modify to modify an existing entry in the Local Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Delete a local subnet—Select the subnet you want to delete and click Delete to delete an existing entry from the Local Subnet List.
4 Click Add to add the new client address pool. To configure the Servers tab, see "Configuring the DNS and/or WINS servers" on page 411. To configure the Fixed IP Map tab, see "Configuring the fixed IP map" on page 413.
Configuring the Subnets tab
To configure the virtual subnet address, select VPN Configuration > Client Address Pools and select the client address pool that you want to configure from the Pools list. The following tab appears.
Figure 176: Client Address Pools: Subnets tab
The Subnets tab allows you to define the virtual address subnet for this address pool. You can also specify any local networks that you want to be accessible to remote clients using this pool. Follow the steps below.
1 Configure the Virtual Subnet List. This list defines the virtual subnets, and therefore the IP address ranges, that are available within this pool. The following options are available:
• Create a new virtual subnet—Click New to define a new entry in the Virtual Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Modify a virtual subnet—Select the subnet you want to modify and click Modify to modify an existing entry in the Virtual Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Delete a virtual subnet—Select the subnet you want to delete and click Delete to delete an existing entry from the Virtual Subnet List.
2 Configure the Local Subnet List. This list defines the local networks available to remote clients that establish a VPN association using an address from the client address pool. The following options are available:
• Create a new local subnet—Click New to define a new entry in the Local Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Modify a local subnet—Select the subnet you want to modify and click Modify to modify an existing entry in the Local Subnet List. See "Adding or modifying a subnet address" on page 411 for details.
• Delete a local subnet—Select the subnet you want to delete and click Delete to delete an existing entry from the Local Subnet List.
Important: The virtual subnet assigned to client machines must not overlap the internal network's subnet, as this configuration could cause internal routing and connectivity issues.
Adding or modifying a subnet address
To add or modify an IP address/netmask combination in the New/Modify Virtual/Local Subnet window, follow the steps below.
1 In the Virtual/Local Subnet field, type the IP address that will be used to define:
• For the Virtual Subnet List—The network portion of the IP addresses used in the client address pool.
• For the Local Subnet List—The network portion of the local network that will be made available to the VPN clients.
2 In the netmask field, specify the number of bits to use in the network mask. The network mask specifies the significant portion of the IP address.
3 Click Add.
4 Click the Save icon.
Configuring the DNS and/or WINS servers
To configure the DNS and/or WINS servers, select VPN Configuration > Client Address Pools. Create a new entry or select an existing one, and then select the Servers tab. The following window appears.
Figure 177: Client Address Pools: Servers tab
Configuring the Servers tab
The Servers tab is used to define the DNS server(s) and/or the WINS server(s) that will be made available to remote clients. These servers provide name and address resolution services for devices within the local network. The DNS servers you specify can reside on the Sidewinder G2 or be located on another machine in a local or remote network. WINS servers are never located on the Sidewinder G2. To configure the Servers tab, follow the steps below.
1 The DNS Servers box lists the DNS servers that will be made available to VPN clients that establish a connection using an address from the client address pool. The following options are available:
• New—Click this button to add a new DNS server entry. See "Adding or modifying a server" on page 412 for details.
• Modify—Select a DNS server and click Modify to modify an existing DNS server entry. See "Adding or modifying a server" on page 412 for details.
• Delete—Select the DNS server and click Delete to delete an existing DNS server entry.
2 The NBNS/WINS Servers box lists the NBNS and WINS servers that will be made available to VPN clients that establish a connection using an address from the client address pool. The following options are available:
• New—Click this button to add a new NBNS/WINS server entry. See "Adding or modifying a server" on page 412 for details.
• Modify—Select a NBNS/WINS server and click Modify to modify an existing NBNS/WINS server entry. See "Adding or modifying a server" on page 412 for details.
• Delete—Select the NBNS/WINS server and click Delete to delete an existing NBNS/WINS server entry.
Adding or modifying a server
To add or modify a server entry in the New/Modify DNS or NBNS/WINS server window, follow the steps below.
1 In the DNS Server or NBNS/WINS field, type or change the IP address of the DNS or WINS server.
2 Click Add to add the IP address to the server list.
3 Repeat step 1 and step 2 for each additional IP address you want to add.
4 When you are finished adding/modifying IP addresses, click Add.
5 To save changes to the Servers tab, click the Save icon.
Configuring the fixed IP map
To configure the fixed IP map, select VPN Configuration > Client Address Pools. Create a new entry or select an existing one, and then select the Fixed IP Map tab. The following window appears.
Figure 178: Client Address Pools: Fixed IP Map tab
About the Fixed IP Map tab
The Fixed IP Map tab is used to define fixed addresses for selected clients. It enables each of the specified clients to connect to the Sidewinder G2 using its own unique IP address. It effectively reserves a specific IP address for a specified client. The fixed addresses you specify must be within the range of available IP addresses as defined by the client address pool's virtual subnet.
Caution: Do not use network or broadcast addresses when mapping IP addresses to client IDs. These addresses are reserved and are not considered valid values for client address mappings. For example, if your address range is 192.168.105.0/24, then 192.168.105.0 (the network address) and 192.168.105.255 (the broadcast address) should not be used in a fixed IP client mapping. The network address is the address whose host portion (the bits not covered by the network mask) is all 0s, and the broadcast address is the address whose host portion is all 1s.
One of the benefits of assigning fixed IP addresses to selected clients is that it allows you to govern what each client can do. For example, you might restrict access for certain clients, and grant additional privileges to others. You do this by creating a network object for a selected IP address and then using the network object within a rule. Because such a rule matches on the address, it is only as trustworthy as the client identification the mapping keys on; an address reserved for one client must not be reachable through another client's IDs.
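The rules in this section and on the Subnets tab (the pool size follows from the virtual subnet, the virtual subnet must not overlap a local subnet, network and broadcast addresses are never valid mappings, each address appears in the map once while several IDs may name the same client, and an Extended Authentication user name overrides any other ID) are easy to check before you type them into the Admin Console. The following Python script, added here as an illustration and not code from Secure Computing or the Sidewinder G2, applies those checks to a pool definition and shows which address a connecting client would receive. The class and function names, and the 10.10.50.0/24 sample pool with its client IDs, are invented for the example. It goes slightly beyond the text in one place: it also hands out dynamic addresses, skipping the addresses that the fixed map has reserved.

```python
"""Checker for a Sidewinder G2 client address pool and its Fixed IP Map.
Added illustration, not Secure Computing code; names and sample data are invented."""
import ipaddress


class ClientAddressPool:
    def __init__(self, name, virtual_subnet, local_subnets=()):
        self.name = name
        # strict=True rejects "10.10.50.7/24": the field wants the network portion only
        self.virtual = ipaddress.ip_network(virtual_subnet, strict=True)
        self.local = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
        # Subnets tab, Important: client addresses must not fall inside an internal subnet
        for net in self.local:
            if self.virtual.overlaps(net):
                raise ValueError(f"virtual subnet {self.virtual} overlaps local subnet {net}")
        self.fixed = {}        # address -> set of client IDs; each address appears once
        self._owner = {}       # client ID -> address; one ID cannot map to two addresses
        self._dynamic = set()  # addresses already handed out from the pool

    def usable_addresses(self):
        """Pool size dictated by the Virtual Subnet, less network and broadcast."""
        return sum(1 for _ in self.virtual.hosts())

    def _check_host(self, addr):
        if addr not in self.virtual:
            raise ValueError(f"{addr} is outside the virtual subnet {self.virtual}")
        # Fixed IP Map tab, Caution: network and broadcast addresses are reserved
        if addr in (self.virtual.network_address, self.virtual.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address of {self.virtual}")

    def add_fixed(self, ip, client_ids):
        """Reserve ip for one client; several IDs (DN, e-mail, ...) may name that client."""
        addr = ipaddress.ip_address(ip)
        self._check_host(addr)
        for cid in client_ids:
            if self._owner.get(cid, addr) != addr:
                raise ValueError(f"client ID {cid!r} is already mapped to {self._owner[cid]}")
        self.fixed.setdefault(addr, set()).update(client_ids)
        for cid in client_ids:
            self._owner[cid] = addr
        return addr

    def address_for(self, presented_ids, xauth_user=None):
        """Address a connecting client receives: its fixed mapping, else a free one.
        With Extended Authentication the user name overrides any other ID."""
        ids = [xauth_user] if xauth_user is not None else list(presented_ids)
        for cid in ids:
            if cid in self._owner:
                return self._owner[cid]
        return self._allocate_dynamic()

    def _allocate_dynamic(self):
        # Beyond the text: hand out the lowest free host address, never a reserved one
        for host in self.virtual.hosts():
            if host not in self.fixed and host not in self._dynamic:
                self._dynamic.add(host)
                return host
        raise RuntimeError(f"pool {self.name} is exhausted")


def rejects(fn, *args, **kwargs):
    """True if the call is refused with ValueError; used to show what the checks catch."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: roving sales clients get 10.10.50.0/24 and may reach 192.168.1.0/24
    pool = ClientAddressPool("sales", "10.10.50.0/24", ["192.168.1.0/24"])
    print(pool.usable_addresses(), "usable addresses in", pool.virtual)
    pool.add_fixed("10.10.50.10", ["CN=alice,O=Example", "alice@example.com"])
    print("alice (by e-mail ID):", pool.address_for(["alice@example.com"]))
    print("alice (XAUTH user name overrides the DN):",
          pool.address_for(["CN=bob,O=Example"], xauth_user="alice@example.com"))
    print("bob (no mapping, dynamic):", pool.address_for(["CN=bob,O=Example"]))
    for bad in ("10.10.50.0", "10.10.50.255", "10.10.51.5"):
        print(bad, "rejected:", rejects(pool.add_fixed, bad, ["CN=x,O=Example"]))
    print("same ID on a second address rejected:",
          rejects(pool.add_fixed, "10.10.50.20", ["alice@example.com"]))
    print("pool overlapping a local subnet rejected:",
          rejects(ClientAddressPool, "bad", "192.168.1.0/24", ["192.168.1.0/24"]))
```

The script cannot tell whether two IDs belong to one person or to two; that judgement stays with the administrator, which is why the guide warns against mapping two separate clients to one address. What it can enforce is that an ID is never mapped to two addresses and that a reserved address is never handed out dynamically, the two conditions a rule keyed on a fixed address depends on.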
The Fixed IP Map tab contains a Fixed IP Client Address Mappings box that lists the current IP address/client mappings. Each unique IP address can appear in the table only once. Multiple identities representing a single client, however, can be mapped to one IP address. You can add, modify, or delete entries by using one of the buttons described below.
413
Chapter 14: Configuring Virtual Private Networks<br />
Configuring client address pools<br />
• New—Click this button to define a new fixed IP client address mapping. See “Adding or modifying fixed IP entries” on page 414 for details.
• Modify—Select an entry and click this button to modify a fixed IP client address mapping. See “Adding or modifying fixed IP entries” on page 414 for details.
• Delete—Select an entry and click this button to delete a fixed IP client address mapping.
Adding or modifying fixed IP entries
The Fixed IP Map tab allows you to create a client address mapping entry or to modify an existing entry. Each entry consists of two fields: an IP address and one or more client IDs. To add or modify a fixed IP entry, follow the steps below.
1 In the IP Address field, enter the fixed IP address that will be associated with this mapping. The IP address must be within the virtual subnet for this pool.
2 Configure the client identification strings for this entry. All entries listed in the Client Identification Strings box will be mapped to the associated IP address. Because a client can use one of several different IDs (a distinguished name, an e-mail address, etc.) when negotiating a session, you can map multiple IDs to one IP address. However, you cannot map two separate clients to the same address.
Defining all the possible IDs for a client means you will be ready regardless of which ID is presented during the negotiation. Note that if a user will be using Extended Authentication, their user name will override any other ID.
Use the following buttons to configure client identification strings:
Note: Each client identification string must be entered separately.
• New—Click this button to add a new client identifier. See “Adding or modifying a client identification string” on page 415 for details.
• Modify—Click this button to modify an existing client identifier. See “Adding or modifying a client identification string” on page 415 for details.
• Delete—Click this button to delete an existing client identifier.
3 When you have finished configuring the client identification strings, click Add to add the new pool entry to the list.
Note: Clicking Close without clicking Add first will cancel any changes.
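The mapping rules stated above (the address must lie inside the pool, must never be the pool's network or broadcast address, may appear only once, may carry several IDs of one client, and an XAUTH user name takes precedence over any other ID) as a small Python model. This is an added example, not Sidewinder G2 code; the pool, addresses and client IDs in it are constructed, and the rule that one client ID must not resolve to two addresses is an assumption.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set


class FixedIpMap:
    """Fixed IP client address mappings for one client address pool (added example)."""

    def __init__(self, pool_cidr: str) -> None:
        # The pool's virtual subnet, e.g. the 192.168.105.0/24 used in the Caution above.
        self.pool = ipaddress.ip_network(pool_cidr)
        self.by_ip: Dict[ipaddress.IPv4Address, Set[str]] = {}

    def reject_reason(self, address: str, client_ids: Iterable[str]) -> Optional[str]:
        """Why a mapping would be refused, or None if it is acceptable."""
        ip = ipaddress.ip_address(address)
        ids = set(client_ids)
        if ip not in self.pool:
            return "%s is outside the pool %s" % (ip, self.pool)
        if ip in (self.pool.network_address, self.pool.broadcast_address):
            return "%s is the network or broadcast address of %s" % (ip, self.pool)
        if ip in self.by_ip:
            return "%s is already mapped; each IP address may appear only once" % ip
        if not ids:
            return "at least one client identification string is required"
        for other_ip, other_ids in self.by_ip.items():
            if ids & other_ids:  # assumption: one client ID must not resolve to two addresses
                return "an ID is already mapped to %s" % other_ip
        return None

    def add(self, address: str, client_ids: Iterable[str]) -> None:
        """Add one table entry: one address, one client, any number of that client's IDs."""
        ids = set(client_ids)
        reason = self.reject_reason(address, ids)
        if reason is not None:
            raise ValueError(reason)
        self.by_ip[ipaddress.ip_address(address)] = ids

    def address_for(self, presented_id: str, xauth_user: Optional[str] = None) -> Optional[str]:
        """Fixed address for a negotiating client, or None if it gets a dynamic pool address.
        With Extended Authentication the XAUTH user name overrides any other ID."""
        wanted = xauth_user if xauth_user is not None else presented_id
        for ip, ids in self.by_ip.items():
            if wanted in ids:
                return str(ip)
        return None
```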
Adding or modifying a client identification string
To create or modify a client identifier, follow the steps below.
1 Type the new client identifier in the Client ID field. You can type any of the possible identifiers:
• Distinguished name
• E-mail address
• Domain name
• IP address
• XAUTH username
Tip: The XAUTH username overrides all other client identification values. If the user will be using extended authentication, you should add only that user name for fixed IP mapping.
2 Click Add to add the client ID to the list.
3 To create additional client IDs, repeat step 1 and step 2 for each client ID.
4 Click the Save icon.
Configuring Certificate Management
If you are using automatic key generation and intend to use certificates for authentication, you should configure the certificate and/or Certificate Authority (CA) server information before you set up the VPN. This eliminates the need to configure certificates and CAs during the VPN process. To configure certificate or CA information, follow these general steps.
1 Review the section “Selecting a trusted source” on page 419 for details on certificates and CAs.
2 Decide if you will use a public CA server, your private CA server, or self-signed certificates generated by the Sidewinder G2 (which can be used between two Sidewinder G2s or between a Sidewinder G2 and a VPN client machine).
3 If you are using a public or private CA server, go to “Configuring and displaying CA root certificates” on page 420. You may also want to add remote identities to be used in conjunction with a Certificate Authority policy. See “Configuring and displaying Remote Identities” on page 422.
4 If you are using self-signed certificates, refer to the section titled “Configuring and displaying firewall certificates” on page 424.
5 If you are configuring a VPN between the Sidewinder G2 and a machine running the client version of the Sidewinder G2 VPN solution, and if you are not using a CA, you must create a remote certificate, export it, then import the certificate into the VPN client. Refer to the section titled “Exporting remote or firewall certificates” on page 435.
Understanding Distinguished Name syntax
The Certificate Manager supports using distinguished names (DNs) for a number of purposes, including identifying the subject of an X.509 certificate. DNs need to be entered using the proper syntax. As defined in the X.500 specifications, a DN is an Abstract Syntax Notation One (ASN.1) value. Within an X.509 certificate, a DN is represented as a binary value. When it is necessary to represent a DN in a human-readable format, as when entering information into the Certificate Manager, the Sidewinder G2 uses the string syntax defined by RFC 2253. This section summarizes the DN string syntax through a series of examples.
Note: For more information on this string syntax, visit http://www.ietf.org/rfc.html and search for RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.”
A distinguished name (DN) consists of a sequence of identity components, each composed of a type tag and a value. The components of a DN are sets of attribute type/value pairs. The attribute type indicates the type of the item, and the attribute value holds its contents. Each type/value pair consists of an X.500 attribute type and attribute value, separated by an equal sign (‘=’). In the example CN=Jane Smith, “CN” is the attribute type and “Jane Smith” is the value.
The attribute type/value pairs are separated by commas (‘,’). This example shows a DN made up of three components:
CN=Jane Smith, OU=Sales, O=Secure Computing
Plan out your organization’s certificate identification needs before creating any DNs. DNs have a hierarchical structure, reading from most specific to least specific. No preset hierarchy of attribute types exists, but the structure for a given organization needs to be consistent. In this example, the organization Secure Computing has organizational units, making the organizational unit attribute type more specific than the organization attribute type.
CN=Jane Smith, OU=Sales, O=Secure Computing
CN=Ira Stewart, OU=Engineering, O=Secure Computing
An attribute type is specified by a tag string associated with the X.500 attribute being represented. The Sidewinder G2 supports the attribute tag strings displayed in Table 28, which includes the most common ones recommended by RFC 2253. The tag strings are not case sensitive.
Table 28: Supported X.500 Attribute Type Tags

Tag String      X.500 Attribute Name    Character String Type   Max. # of Characters
C               CountryName             PrintableString         2
CN              CommonName              DirectoryString         64
Email Address   EmailAddress            IA5String               128
L               LocalityName            DirectoryString         128
O               OrganizationName        DirectoryString         64
OU              OrganizationUnitName    DirectoryString         64
SN              Surname                 DirectoryString         128
ST              StateName               DirectoryString         128
Street          StreetAddress           DirectoryString         128
UID             UserID                  DirectoryString         128

The attribute value holds the actual content of the identity information, and is constrained by the associated attribute type. For the supported attribute types, Table 28 shows the corresponding string type (which limits the allowed set of characters) and its maximum length. For example, given “CN=Jane Smith” as a name component, the string “Jane Smith” is of type DirectoryString, and is constrained to a maximum of 64 characters. The maximum number of characters allowed in a DN (that is, the number of characters for all attribute values added together) is 1024.
Table 29 defines the allowed character set for each of the character string types used in Table 28.

Table 29: Character String Types

Character String Type   Allowed Characters
DirectoryString         All 8-bit characters without encoding; all non-8-bit characters with UTF-8 encoding
PrintableString         A-Z, a-z, 0-9, ()+-./:=?, comma (‘,’), space (‘ ’), apostrophe (‘’’)
IA5String               All 7-bit characters
When representing attribute values, be careful when using special characters. The following characters have special meaning in the string syntax and must be escaped with a backslash character (‘\’):
• comma (‘,’)
• equal sign (‘=’)
• plus sign (‘+’)
• less than sign (‘<’)
• greater than sign (‘>’)
• pound sign (‘#’)
• semicolon (‘;’)
• backslash (‘\’)
• quotation (‘”’).
All other printable ASCII characters represent themselves. Non-printable ASCII must be escaped by preceding the ordinal value of the character in two-digit hexadecimal with a backslash (for example, the BEL character, which has an ordinal value of seven, would be represented by \07). Here are some examples of the escape conventions:
CN=Jane Smith\,DDS, OU=Sales, O=Secure Computing
CN=\4a\61\6e\65\20Smith, OU=Sales, O=Secure Computing
Attribute values may optionally be contained within double-quote characters, in which case only the backslash (‘\’), double quote (‘”’), and non-printable ASCII characters need to be escaped. Here the double-quotes eliminate the need to escape the CN’s comma:
CN=”Jane Smith,DDS”, OU=Sales, O=Secure Computing
Note: Entries containing backslashes or double-quotes will appear “normalized” (without extra characters or spaces) in the GUI once they are saved.
Use this supported syntax when entering information on the Admin Console’s Certificate Manager tabs.
Note: For additional information on DN syntax, see RFCs 2044, 2252, 2253, and 2256.
Selecting a trusted source
Single certificate versus Certificate Authority trusted sources
If you have decided to use certificate authentication, you must choose whether to use a single certificate or a Certificate Authority root certificate. In both methods, when a key is generated, the trust point (the Sidewinder G2 or a trusted CA like Netscape, Baltimore, Entrust, etc.) places the key in an electronic envelope called an X.509 certificate. Every certificate contains a collection of information about the entity possessing the private key (the Sidewinder G2 or VPN client). This information may include an identity, a company name, and a residency.
Note: If you select Netscape as a CA server, note that only Netscape version 4.2 is supported at this time.
To validate this information, a certificate must be electronically verified and witnessed by a trusted source. A CA-based trusted source is best designed for larger deployments and allows for greater flexibility, as both the root (general authoritative certificate from the CA) and personal certificates may be retrieved online. However, a CA configuration does require managing the Certificate Authority server or paying someone else to manage it for you. A Sidewinder G2 self-signed trust source is best for very small deployments, as a separate security association must be created for each client. Certificates must be exported from the Sidewinder G2 and then installed on each client.
Public versus private Certificate Authorities
If you are planning to use a specific Certificate Authority to validate certificates created on the Sidewinder G2, or as part of a group of trusted CAs from which the Sidewinder G2 can directly import certificates, you should set up these CAs before you begin configuring a VPN. You can use the following types of CA servers:
• a private CA server — You can purchase and install your own CA server and configure this server as the trusted authority for any VPNs you establish. This is an ideal solution for companies that prefer to allow only VPNs with certificates signed by a CA server on their own protected network.
Note: Before you begin, you must install the CA server and make its URL accessible to the Sidewinder G2. For details on installing and configuring a private CA server, review the manufacturer’s documentation.
• a public CA server — You can choose to accept certificates signed by trusted CAs administered elsewhere. This option allows remote machines to use one certificate for VPNs with more than one corporate partner.
Configuring and displaying CA root certificates
This section explains how to configure the Certificate Authorities tab and display the imported signed root certificate.
In the Admin Console, select Services Configuration > Certificate Management, then click the Certificate Authorities tab. The following window appears.
Figure 179: Certificate Management: Certificate Authorities tab
About the Certificate Authorities tab
The Certificate Authorities tab allows you to view the list of available certificate authorities (CAs). CAs are used to validate (sign) certificates that are used in a VPN connection. To display the properties of a specific certificate, select the certificate from within the Cert Authorities list. Its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a Certificate Authority” on page 421.
From this tab, you can perform the following actions:
• Add a new certificate to the list—Click New and see “Adding a Certificate Authority” on page 421 for details.
• Delete a certificate from the list—Select the certificate you want to delete and click Delete.
Note: A Certificate Authority cannot be deleted if it is currently being used by one or more Security Associations (the Delete button is disabled).
• Retrieve a certificate—Click Get CA Cert to query the CA and import a certificate for the selected CA. The selected CA must be either Netscape 4.2 or an SCEP CA.
• Export a certificate—Click Export to export a CA certificate from local cache to a file and/or a screen.
• Retrieve a CRL—Click Get CRL to manually retrieve a new Certificate Revocation List (CRL) for this CA. A CRL identifies certificates that have been revoked. CRLs expire on a regular basis, which is why you must periodically obtain a new CRL. You generally only need to manually get a CRL for Netscape CAs when the CA is initially added. After that, CRLs are automatically updated every 15 minutes or so for Netscape 4.2 CAs.
Note: If you have access to neither a Netscape CA nor an LDAP directory, you should disable the Perform CRL Checking button on the Certificate Server window.
Adding a Certificate Authority
The New Certificate Authority window enables you to add a new Certificate Authority to the list of CAs used when authorizing certificates in a Sidewinder G2 VPN connection. To add a new Certificate Authority, follow the steps below.
1 In the CA Name field, type a name for this certificate authority. Only alphanumeric characters are accepted in this field.
2 In the Type drop-down list, select the type of CA used by your location. Valid options are:
• Manual—Indicates the necessary files are obtained and loaded by an administrator rather than by a CA.
• Netscape 4.2—Indicates that a Netscape version 4.2 CA is being defined.
• SCEP (Simple Certificate Enrollment Protocol)—Indicates the CA being defined supports this widely-used certificate enrollment protocol. The CA can be of any type (Netscape 4.2, Baltimore, Entrust, VeriSign, etc.) as long as it supports SCEP.
3 [Conditional] In the File field, type the name and location of the root certificate for the CA, or click Browse to browse your network directories for the location of the root certificate. The root certificate is used to verify certificates issued by this CA. (This field is available only if you select Manual in the Type field.)
Note: Valid file formats are .pem and .der. For information on obtaining a root certificate, see the documentation that accompanied the CA.
4 [Conditional] In the URL field, type the URL of the Netscape or SCEP CA. Certificates that need to be signed by the CA are sent to this address. (This field is available only if you select Netscape or SCEP in the Type field.)
5 [Optional] In the CA Id field, type the value used to identify this specific CA. Check with your CA administrator to determine the identifier to use. Many administrators use the fully-qualified domain name of the CA as the identifier. (This field is available only if you select SCEP in the Type field.)
6 Click Add to add the CA to the Certificate Authority list. To define another certificate authority, repeat step 1–step 5.
7 Click the Save icon.
Exporting a Certificate Authority
The Export Certificate window allows you to export the selected certificate from the Sidewinder G2 to a separate file and/or to the screen. The certificate can be written to a file on the hard drive of a workstation, or it can be written to a transportable medium such as a floppy diskette or a zip disk. You can export only the certificate, or both the certificate and the private key.
1 Select the Export Certificate (Typical) radio button.
2 Select the export destination:
• Export Certificate To File—To export the certificate to a file, select this option and proceed to step 3.
• Export Certificate To Screen—Select this option to export the certificate to the screen.
3 [Conditional] If you are exporting the certificate to file, do the following:
• In the File field, type the name and location of the file to which the client (or firewall) certificate will be written. If you want to overwrite an existing file, but you are not certain of the path name or the file name, click Browse.
• In the Format field, select the appropriate format for the file.
4 Click OK to export the certificate to the desired location.
The certificate has now been exported.
Configuring and displaying Remote Identities
Remote Identities can be created for two purposes. If you choose to have a Certificate Authority policy defined for a VPN (whereby a group of trusted CAs is authorized to issue certificates for access to the VPN), you will also require a list of Remote Identities. Remote Identities are used as part of a Security Association to determine which remote certificates from a CA may be used to authenticate to a VPN. You may also be required to configure a remote identity to be used in a Security Association for a software client, such as the SafeNet SoftRemote client, using pre-shared passwords.
In the Admin Console, select Services Configuration > Certificate Management, then select the Remote Identities tab. The following window appears.
Figure 180: Remote Identities tab
About the Remote Identities tab
In this tab you can view and modify the list of available remote identities. Remote identities are used to identify the authorized users who take part in a Security Association and either have been issued a certificate from a particular CA or use a VPN client configured with a pre-shared password. For example, as part of a remote identity you might define a Distinguished Name that authorizes only people from the Sales department of Bizco corporation.
In this tab, you can perform the following actions:
• To display the properties of a specific identity, select the identity from within the list. Its properties are displayed on the right portion of the window.
• To modify an identity, make the desired changes and click the Save icon. For specific information on modifying the properties that appear for a remote identity, see “Adding or modifying a Remote Identity” on page 424.
• To create a new remote identity, click New, and see “Adding or modifying a Remote Identity” on page 424 for details.
• To delete an existing identity, highlight the identity you want to delete and click Delete.
Adding or modifying a Remote Identity
The Create New Remote Identity window enables you to add a new remote identity. You can also modify an existing remote identity within the Remote Identities tab. To add or modify a remote identity, follow the steps below.
Tip: An asterisk can be used as a wildcard when defining the fields on this window. (Other special characters are not allowed.) For example, *, O=bizco, C=us represents all users at Bizco.
1 In the Identity Name field, type a name for this Remote Identity.
2 In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 416 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
3 [Optional] In the E-Mail Address field, enter the e-mail address(es) to which you want to restrict access. Enter one e-mail address per identity or use a wildcard to indicate all e-mail addresses, such as *@example.com.
4 [Optional] In the Domain Name field, type the specific domain name to which you want to restrict access. Enter one domain name per identity or use a wildcard to indicate all domain names, such as *.example.com.
5 [Optional] In the IP Address field, type the unique IP address or group of IP addresses to which you want to restrict access. For example: 182.19.0.0/16 indicates that only users with IP addresses beginning with 182.19 (as contained in the certificate) will be authorized to use the VPN.
6 Click Add to add the identity to the Identities list.
7 To define additional remote IDs, repeat step 1–step 6.
8 Click the Save icon.
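The DN string rules from "Understanding Distinguished Name syntax" (backslash escapes, \XX hex escapes, quoted values, the Table 28 tags and lengths, the Table 29 character sets, the 1024-character total) together with the Remote Identity wildcard from the Tip above (*, O=bizco, C=us) and the requirement that field order match the certificate, worked through in Python. This is an added example, not Sidewinder G2 code: the tag table is copied from Table 28 as printed (so the e-mail tag is keyed "Email Address"), and case-insensitive value comparison in the matcher is an assumption the guide does not state.

```python
from typing import List, Tuple

ATTRIBUTE_TAGS = {   # Table 28 / Table 29: tag -> (character string type, max characters)
    "C": ("PrintableString", 2), "CN": ("DirectoryString", 64),
    "EMAIL ADDRESS": ("IA5String", 128), "L": ("DirectoryString", 128),
    "O": ("DirectoryString", 64), "OU": ("DirectoryString", 64),
    "SN": ("DirectoryString", 128), "ST": ("DirectoryString", 128),
    "STREET": ("DirectoryString", 128), "UID": ("DirectoryString", 128),
}
MAX_DN_CHARS = 1024            # all attribute values added together
SPECIALS = set(',=+<>#;\\"')   # must be backslash-escaped in an unquoted value


def parse_dn(text: str) -> List[Tuple[str, str]]:
    """RFC 2253 string -> ordered (TAG, value) pairs; a bare '*' component becomes ('*', '*')."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(text)
    while True:
        i = n - len(text[i:].lstrip(" "))          # skip blanks before a component
        if i >= n:
            raise ValueError("missing component at offset %d" % i)
        if text[i] == "*" and text[i + 1:].lstrip(" ")[:1] in ("", ","):
            pairs.append(("*", "*"))               # Remote Identity wildcard component
            i = (text + ",").index(",", i)         # stop at the separator (or at n)
        else:
            eq = text.find("=", i)
            if eq < 0:
                raise ValueError("component without '=' at offset %d" % i)
            tag = text[i:eq].strip().upper()       # tag strings are not case sensitive
            i = n - len(text[eq + 1:].lstrip(" "))
            quoted = i < n and text[i] == '"'
            i += int(quoted)
            raw = bytearray()                      # bytes, so \XX escapes can form UTF-8
            while i < n:
                ch = text[i]
                if ch == "\\":                     # \<special>, "\ " or a \XX hex pair
                    nxt, hexpair = text[i + 1:i + 2], text[i + 1:i + 3]
                    if nxt in SPECIALS or nxt == " ":
                        raw += nxt.encode("utf-8")
                        i += 2
                    elif len(hexpair) == 2 and set(hexpair) <= set("0123456789abcdefABCDEF"):
                        raw.append(int(hexpair, 16))
                        i += 3
                    else:
                        raise ValueError("bad escape at offset %d" % i)
                elif quoted and ch == '"':         # closing quote ends the value
                    quoted, i = False, i + 1
                    break
                elif not quoted and ch in SPECIALS:
                    if ch == ",":
                        break
                    raise ValueError("unescaped %r at offset %d" % (ch, i))
                else:
                    raw += ch.encode("utf-8")
                    i += 1
            if quoted:
                raise ValueError("unterminated quoted value")
            pairs.append((tag, raw.decode("utf-8")))
        i = n - len(text[i:].lstrip(" "))          # blanks before the separator
        if i >= n:
            return pairs
        if text[i] != ",":
            raise ValueError("expected ',' at offset %d" % i)
        i += 1


def check_dn(text: str) -> List[str]:
    """Table 28/29 violations in a DN string (an empty list means it is acceptable)."""
    try:
        pairs = parse_dn(text)
    except ValueError as err:
        return ["syntax: %s" % err]
    problems, total = [], 0
    for tag, value in pairs:
        if tag == "*":                             # wildcard, meaningful only in a Remote Identity
            continue
        if tag not in ATTRIBUTE_TAGS:
            problems.append("unsupported attribute type %r" % tag)
            continue
        stype, limit = ATTRIBUTE_TAGS[tag]
        total += len(value)
        if len(value) > limit:
            problems.append("%s exceeds %d characters" % (tag, limit))
        if stype == "PrintableString" and not all(
                c.isascii() and (c.isalnum() or c in "()+-./:=?, '") for c in value):
            problems.append("%s is not a PrintableString" % tag)
        elif stype == "IA5String" and not value.isascii():
            problems.append("%s is not 7-bit (IA5String)" % tag)
    if total > MAX_DN_CHARS:
        problems.append("values total %d characters, limit %d" % (total, MAX_DN_CHARS))
    return problems


def matches_identity(pattern: str, subject: str) -> bool:
    """Position-by-position match, as the guide requires the field order to match the certificate;
    '*' matches any component or value, other values compare case-insensitively (an assumption)."""
    want, have = parse_dn(pattern), parse_dn(subject)
    return len(want) == len(have) and all(
        ptag == "*" or (ptag == stag and (pval == "*" or pval.lower() == sval.lower()))
        for (ptag, pval), (stag, sval) in zip(want, have))
```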
Configuring and displaying firewall certificates
A firewall certificate is used to identify the Sidewinder G2 to a potential peer in a VPN connection. When creating a certificate for the Sidewinder G2, you have the option to submit the certificate to a CA for validation, or have the Sidewinder G2 generate a self-signed certificate. You should create these certificates before you begin configuring a VPN.
In the Admin Console, select Services Configuration > Certificate Management, then select the Firewall Certificates tab. The following window appears.
Figure 181: Firewall certificates
About the Firewall Certificates tab
The Firewall Certificates tab enables you to view the list of available certificates. The Sidewinder G2 will use a firewall certificate to identify itself to a peer in a VPN connection. To display the properties of a specific certificate, select the certificate from within the list; its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a firewall certificate” on page 426.
From this tab, you can perform the following actions:
Note: You cannot modify the properties of a certificate from this window. To modify a certificate you must delete it and then add it back using the new properties.
• Add a firewall certificate—Click New to add a certificate to the Certificate list. See “Adding a firewall certificate” on page 426 for details.
• Delete a firewall certificate—Select the certificate and click Delete to remove the selected certificate from the Certificate list.
Note: A certificate cannot be deleted if it is currently used by one or more areas (for example, Security Associations, Application Defenses, etc.).
• Import a firewall certificate—Click Import to import an existing certificate and its related private key file. See “Importing a firewall certificate” on page 432 for more information.
• Export a firewall certificate—Click Export to export the selected certificate to a file. The export function is generally used when capturing the certificate information needed by a remote partner such as a VPN client. See “Exporting remote or firewall certificates” on page 435 for more details.
• Retrieve a certificate—If a certificate request has been submitted to be signed by a CA, click the Query button to query the CA to see if the certificate is approved. If yes, the Status field will change to SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to load the signed certificate from a file supplied by the CA.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.
Adding a firewall certificate
The Create New Firewall Certificate window enables you to add a certificate to the Firewall Certificate list. To add a certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed certificates created on the Sidewinder G2 is five years.
1 In the Certificate Name field, type a name for this certificate.
2 In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 416 for information on the format that should be used. Note the following:
• The order of the specified distinguished name fields must match the order listed in the certificate.
• Some CAs will not support the optional identity types specified in step 3 through step 5.
3 [Optional] In the E-Mail Address field, type the e-mail address associated with this firewall certificate.
4 [Optional] In the Domain Name field, type the domain name associated with this firewall certificate.
5 [Optional] In the IP Address field, type the IP address associated with this firewall certificate.
6 In the Submit to CA drop-down list, select the enrollment method to which the certificate will be submitted for signing. The valid options are:
• Self Signed—Indicates the new certificate will be signed by the firewall rather than by a CA.
• Manual PKCS10—Indicates the certificate enrollment request will be placed in a PKCS10 envelope and exported to the file designated in the Generated PKCS10 File field.
• The name of the CA to which the certificate is submitted for signing. The CA can be either private (one you own and manage) or public (a trusted CA administered elsewhere).
7 In the Signature Type field, select the signature algorithm that will be used to sign the certificate. Valid options are RSA or DSA.
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
8 [Conditional] Depending on the method you select in the Submit to CA field, the Other Parameters area may contain additional fields, as described below:
• If you selected Manual PKCS10 in the Submit to CA field, the Generated PKCS10 File field appears. Specify the name and location of the file that will hold the certificate request, or click Browse to browse the network directories for the location of the file you want to specify. This file contains a PKCS10 “envelope” that is used to send a certificate to a CA for signing.
• If you selected a method that uses SCEP, you will need to provide a password in the SCEP Password field that appears.
9 [Conditional] In the Format field, select the appropriate format for your PKCS10 certificate request.
10 Click Add to add the certificate to the Certificates list. To define additional certificates, repeat step 1 through step 9.
11 Click the Save icon.
Configuring and displaying remote certificates
A remote certificate identifies one or more peers that can be involved in a VPN connection with a Sidewinder G2. The Sidewinder G2 can import existing certificates into its Remote Certificates database, or it can create new remote certificates. In either case, all certificates should be in place before you begin configuring a VPN.
In the Admin Console, select Services Configuration > Certificate Management, then select the Remote Certificates tab. The following window appears.
Figure 182: Remote certificates defined on the Sidewinder G2
427
428
About the Remote Certificates tab
The Remote Certificates tab enables you to view the list of available remote certificates. These certificates represent the potential peers with which Sidewinder G2 can establish a VPN connection. To display the properties of a specific certificate, select the certificate from within the list. Its properties are displayed on the right portion of the window. For a description of these properties, see “Adding a remote certificate”.
Note: You cannot modify the properties of a certificate from this window. To modify a certificate you must delete it and then add it back using the new properties.
From this window, you can perform the following actions:
• Add a new certificate to the Certificate list—Click New and see “Adding a remote certificate” on page 428 for details.
• Delete a certificate from the list—Select the certificate you want to delete and click Delete.
• Import certificates—Click Import and see “Importing a remote certificate” on page 434.
• Export certificates—Click Export and see “Exporting remote or firewall certificates” on page 435.
• Query the CA for Certificate status—If a certificate request has been submitted to be signed by a CA, click the Query button to query the CA to see if the certificate is approved. If yes, the Status field will change to SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to query and retrieve the signed certificate.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.
Adding a remote certificate
The Create New Remote Certificate window enables you to add a certificate to the Remote Certificate list. To add a remote certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed certificates created on the Sidewinder G2 is five years.
1 In the Certificate Name field, type a name for this certificate.
2 In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 416 for information on the format that should be used. Note the following:
• The order of the specified distinguished name fields must match the order listed in the certificate.
• Some CAs will not support the optional identity types specified in step 3 through step 5.
3 [Optional] In the E-Mail Address field, type the email address associated with this remote certificate.
4 [Optional] In the Domain Name field, type the domain name associated with this remote certificate.
5 [Optional] In the IP Address field, type the IP address associated with this remote certificate.
6 In the Submit to CA drop-down list, select the enrollment method to which the certificate will be submitted for signing. The valid options are:
• Self Signed: Indicates the new certificate will be signed by the Sidewinder G2 rather than by a CA.
• Manual PKCS10: Indicates the certificate enrollment request will be placed in a PKCS10 envelope and exported to the file designated in the Generated PKCS10 File field.
• The name of the CA to which the certificate is submitted for signing. The CA can be either private (one you own and manage) or public (a trusted CA administered elsewhere).
Note: The CA option is only available if a CA is already configured on the Certificate Authorities tab.
7 In the Signature Type box, select the signature algorithm that will be used when signing the certificate. Valid options are RSA or DSA.
8 [Conditional] In the Generated PKCS10 File field, specify the name and location of the file that will contain the signature request, or click Browse to browse the network directories for the file location.
This file contains a PKCS10 “envelope” that is used to send a certificate to a CA for signing. This field is available only if Manual PKCS10 is specified in the Submit to CA field.
Note: To create a new file using the Browse button, enter the name and extension (allowed file formats are binary or .pem).
9 [Conditional] In the Format field, select the appropriate format for your PKCS10 certificate request.
10 [Conditional] In the SCEP Password field, type a password for this certificate. You will need this password if you ever need the CA to revoke this certificate. The password may not contain spaces or single quotes. This field is available only if the Submit to CA field displays a CA of type SCEP.
11 Click Add to add the certificate to the Certificates list.
12 To define additional certificates, repeat step 1–11 for each certificate you want to add.
13 Click the Save icon.
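The firewall and remote certificate procedures above both end in one of two outcomes: a self-signed certificate, or a PKCS10 request that a CA signs and that is later loaded back onto the firewall. The script below is an added example, not from this guide or from Secure Computing, that walks that lifecycle with the OpenSSL command line so each artifact can be inspected outside the Admin Console: the distinguished name and the optional identity types (e-mail address, domain name, IP address) go into a request, a constructed private CA standing in for the one chosen under Submit to CA signs it, and a load check confirms that the returned certificate carries the request's public key and its subject in the same field order before it is accepted. All names, the DN, the CA and the file locations are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide or from Secure Computing:
# the certificate request lifecycle behind the Firewall/Remote Certificates
# tabs, done with the OpenSSL CLI. The DN, SAN values, CA and file names are
# constructed sample values.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/store"

# Distinguished name in the slash form OpenSSL accepts; the optional identity
# types from steps 3-5 become subjectAltName entries in the request.
DN="/C=US/O=Example Corp/OU=Firewalls/CN=fw1.example.com"
SAN="subjectAltName=email:fwadmin@example.com,DNS:fw1.example.com,IP:192.0.2.10"
LIFETIME_DAYS=1825   # the guide's five-year default for self-signed certificates

# RSA key for the certificate (2048 bits rather than the guide's 1024-bit default).
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# "Manual PKCS10": the enrollment request that is exported to a file.
make_csr() {
  openssl req -new -key "$1" -subj "$DN" -addext "$SAN" -out "$2" 2>/dev/null
}

# "Self Signed": no CA involved, the certificate is signed with its own key.
self_sign() {
  openssl req -x509 -key "$1" -subj "$DN" -addext "$SAN" \
    -days "$LIFETIME_DAYS" -out "$2" 2>/dev/null
}

# A throwaway private CA standing in for the CA selected in "Submit to CA".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/C=US/O=Example Corp/CN=Example Private CA" -days 3650 \
    -out "$WORK/ca.crt" 2>/dev/null
}

# The CA signs a request. The SAN is re-applied from an extension file because
# "openssl x509 -req" does not copy requested extensions on older releases.
sign_csr() {
  printf '%s\n' "$SAN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}

# Subject in RFC 2253 order (most specific RDN first), "subject=" prefix stripped.
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Checks to run before a returned certificate is "loaded" against a pending
# request: same public key, same subject in the same RDN order, valid chain.
# Usage: load_signed_cert REQUEST.csr RETURNED.crt
load_signed_cert() {
  csr=$1; crt=$2
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl x509 -in "$crt" -noout -pubkey)" ] || { echo "key mismatch: $crt"; return 1; }
  [ "$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)" = \
    "$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)" ] || { echo "subject mismatch: $crt"; return 1; }
  openssl verify -CAfile "$WORK/ca.crt" "$crt" >/dev/null 2>&1 || { echo "chain failure: $crt"; return 1; }
  cp "$crt" "$WORK/store/$(basename "$crt")"
}

# Run the lifecycle: request, sign (both ways), load.
gen_key "$WORK/fw.key"
make_csr "$WORK/fw.key" "$WORK/fw.csr"
self_sign "$WORK/fw.key" "$WORK/fw-self.crt"
make_ca
sign_csr "$WORK/fw.csr" "$WORK/fw.crt"

# A certificate with the same subject but issued for a different key; the load
# check must reject it even though the DN matches the pending request.
gen_key "$WORK/other.key"
make_csr "$WORK/other.key" "$WORK/other.csr"
sign_csr "$WORK/other.csr" "$WORK/wrong.crt"

echo "subject of signed certificate: $(subject_of "$WORK/fw.crt")"
```

The script needs only the openssl binary. The subject printed by subject_of is in RFC 2253 order, which is the order you compare against the Distinguished Name field when the guide says field order must match the certificate; the rejected wrong.crt shows why the public-key comparison matters: a certificate for the right subject but a different key cannot be used with the firewall's private key, so it must never be loaded as the signed result of this request.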
429
430
Assigning new certificates for Admin Console and synchronization services
The default SSL certificates are unique to each Sidewinder G2. However, if you would like to change your default certificate for any reason, follow the steps in this section.
Note: Keep in mind, it is the certificates on the Sidewinder G2 end that you are changing, not on the client end.
Before assigning a new certificate to these services you must first create the new certificates. You should create two new certificates, one for the Admin Console service and one for the synchronization server. You create the certificates from the Firewall Certificates tab. Each certificate must be:
• a firewall certificate
• a self-signed certificate
• of type RSA/DSA
See “Configuring and displaying firewall certificates” on page 424 for information on creating a firewall certificate.
To assign a new certificate for the Admin Console or the synchronization server, in the Admin Console, select Services Configuration > Certificate Management, then select the SSL Certificates tab.
Figure 183: SSL Certificates tab
Configuring the SSL Cert tab
This tab is used to assign a new SSL certificate to the Admin Console service (cobra) or the synchronization server (synchronization).
The SSL Certificate tab allows you to view the proxies to which you can assign new certificates and identifies the name of the certificate currently assigned to each proxy. The certificate will either be 1) the default certificate or 2) a self-signed, RSA/DSA firewall certificate that is defined on the Firewall Certificates tab.
To assign a new certificate to a selected proxy, click Modify. See “Selecting a new proxy certificate” on page 431 for details.
Note: You will receive a warning message if you click Modify and there is not at least one self-signed RSA/DSA firewall certificate currently defined on the Sidewinder G2. See “Configuring and displaying firewall certificates” on page 424 for information on defining this type of certificate.
Selecting a new proxy certificate
The Proxy Certificate Selection window is used to assign a new certificate to the selected proxy. To assign a certificate to a proxy, follow the steps below.
1 In the Certificate drop-down list, select the new certificate to assign to this proxy (the proxy name is displayed in the Proxy Name field). Only self-signed, RSA/DSA firewall certificates that are defined on the Firewall Certificate tab are displayed in this list.
2 Click OK to save the change and to exit the window, or click Cancel to exit the window without saving the change.
3 Click the Save icon.
Importing and exporting certificates
Once the certificates have been generated, they need to be exported and transferred to a VPN client such as SafeNet SoftRemote or to another Sidewinder G2. Similarly, you may want to import certificates into the Sidewinder G2 that were originally created on another system. This section walks you through importing and exporting certificates on the Sidewinder G2.
Loading manual remote or firewall certificates
If you chose to create a manual certificate, you must retrieve the certificate after it is signed by the CA; the Sidewinder G2 will not retrieve it automatically. For this process, the Load button appears when an unsigned requested certificate name is highlighted. Clicking this button will initiate the process to retrieve and import the certificate. After clicking Load, the following window appears.
Figure 184: Load Certificate for PKCS 10 Request window
431
432
About the Load Certificate for PKCS 10 Request window
The Load Certificate for PKCS 10 Request window is used to load signed certificates. It also functions to query an LDAP server for whether or not a requested certificate is signed. To load a signed certificate, follow the steps below.
1 In the Certificate Source field, select the source location of the certificate. The following options are available:
• File: Indicates you will manually specify the location of the certificate.
• LDAP: Indicates you will access the services of an LDAP (Lightweight Directory Access Protocol) directory to locate the certificate. The LDAP server can be version 2 or version 3.
• Pasted PEM Certificate: Indicates you will paste or type in the certificate from another source, such as another open application window or personal communication.
2 [Conditional] In the Certificate from File field, if the certificate source is a file, type the location or click Browse to locate the file.
3 [Conditional] In the Manual (pasted) PEM Certificate field, if the certificate source is a Pasted PEM Certificate, type or paste the certificate in this field.
4 Click OK to issue a query command for your requested certificate, or click Cancel to cancel the certificate request.
If you click OK and the certificate is available, it will automatically be imported and the status will change to SIGNED.
5 Click the Save icon.
Importing a firewall certificate
You can import a certificate to the list of firewall certificates defined on the Sidewinder G2.
To import a firewall certificate, in the Admin Console, select Services Configuration > Certificate Management, then select the Firewall Certificates tab and click Import. The following window appears.
Figure 185: Import Firewall Certificate window
Note: The displayed fields will vary slightly, depending on which import source you select.
Configuring the Import Firewall Certificate window
The Import Firewall Certificate window is used to import a certificate to the Firewall Certificates list. To import a certificate, follow the steps below.
1 In the Import Source field, select either File or Encrypted File (PKCS12).
Note: The available fields will vary based on the import source you select.
• If you select File, you must identify the file in the Import Certificate From File field.
• If you select Encrypted File (PKCS12), specify the certificate and key file.
2 In the Certificate Name field, type a local name for the certificate you are importing.
3 In the Import Certificate From File or the Import Certificate/Key field, type the name and location of the certificate file you will import. You may also click Browse to browse the network directories for the location of the file(s) you want to specify.
4 [Conditional] In the Private Key File field, type the name and location of the private key file associated with this certificate, or click Browse to browse the network directories for the location of the file(s) you want to specify. The file can be in either PK1 or PK8 format. (This field is only available if the Import Source field displays File.)
5 [Conditional] In the Password field, enter the password to decrypt the imported file. This password must match the password given when the file was encrypted. (This field is only available if the Import Source field displays Encrypted File (PKCS12).)
433
434
Importing a remote certificate
To import a certificate to the list of remote certificates defined on the Sidewinder G2, using the Admin Console select Services Configuration > Certificate Management, then select the Remote Certificates tab and click Import. The following window appears.
Figure 186: Import Remote Certificate window
Configuring the Import Remote Certificate window
The Import Remote Certificate window is used to import a certificate to the Remote Certificates list. To import a remote certificate, follow the steps below.
1 In the Import source field, select the source location of the certificate.
• File: Indicates you will manually specify the location of the certificate file.
• Encrypted File: Indicates you will manually specify the locations of the certificate and private key file.
• LDAP: Indicates that you will access the services of an LDAP (Lightweight Directory Access Protocol) directory to locate the certificate. The LDAP server can be version 2 or version 3.
• Paste PEM Certificate: Indicates you will import the certificate by performing a cut and paste. The Distinguished Name field will change to become the Manual (pasted) PEM Certificate field. Paste the certificate into this area.
2 In the Certificate Name field, type a local name for the certificate you are importing.
3 [Conditional] In the Import Certificate From File field, type the name and location of the certificate file you will import, or click Browse to browse the network directories for the location. (This field is available only if the Import source field displays File.)
4 [Conditional] In the Password field, enter the password to decrypt the imported file. This password must match the password given when the file was encrypted. (This field is only available if the Import Source field displays Encrypted File.)
5 [Conditional] In the Distinguished Name field, create a distinguished name. See “Understanding Distinguished Name syntax” on page 416 for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order listed in the certificate.
6 Click OK to import the remote certificate, or click Cancel to cancel the request.
7 Click the Save icon.
Exporting remote or firewall certificates
You can export certificates from either the Remote Certificates tab or the Firewall Certificates tab. The procedure you use is very simple and is the same from either tab. The reasons you export a certificate from one tab rather than the other, however, are quite different, as described below.
• Exporting a Remote Certificate—You are most likely to export a remote certificate if users in your organization use a VPN client to establish a VPN connection between their laptops or desktop PCs and the Sidewinder G2. The VPN client requires the use of a certificate to identify itself during the VPN connection negotiations. It is possible to use the Sidewinder G2 to create a self-signed certificate for the VPN client. Once it is created it may be converted to a new file format and then exported. From there it is imported to the VPN client program.
• Exporting a Firewall Certificate—This is used to export the firewall certificate to a remote peer. This allows the remote peer to recognize the Sidewinder G2. On the remote peer the firewall certificate is imported as a remote certificate.
To export a certificate, in the Admin Console, select Services Configuration > Certificate Management, then select either the Remote Certificates tab or the Firewall Certificates tab. Select the certificate you wish to export and click Export. The following window appears.
Figure 187: Export Firewall Certificate window
Note: The tab you select depends upon your reason for exporting the certificate. See the explanation in the previous paragraphs.
435
436
Configuring the Export Certificate window
The Export Certificate window allows you to export the selected certificate from the Sidewinder G2 to a separate file and/or to the screen. The certificate can be written to a file on the hard drive of a workstation, or it can be written to a transportable medium such as a floppy diskette or a zip disk. You can export only the certificate, or both the certificate and the private key.
Exporting only the certificate
To export a certificate only, follow the steps below.
1 Select the Export Certificate (Typical) radio button.
2 Select the export destination:
• Export Certificate To File—To export the certificate to a file, select this option and proceed to step 3.
• Export Certificate To Screen—Select this option to export the certificate to the screen.
3 [Conditional] If you are exporting the certificate to file, do the following:
• In the File field, type the name and location of the file to which the client (or firewall) certificate will be written. If you want to overwrite an existing file, but you are not certain of the path name or the file name, click Browse.
• In the Format field, select the appropriate format for the file.
4 Click OK to export the certificate to the desired location.
Exporting both the certificate and private key
To export both a certificate and private key, follow the steps below.
1 Specify whether the certificate and private key will be exported as one file or two files by selecting one of the following options:
• Export Certificate and Private Key as one file (PKCS12)—Select this option to export both the certificate and private key as a single file, and proceed to
• Export Certificate and Private Key as two files (PKCS1, PKCS8, X.509)—Select this option to export the certificate and private key as two separate files.
2 [Conditional] To export the certificate and private key as a single file, do the following:
a In the File field, type the name and location of the file to which the client (or firewall) certificate will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. (The Format field displays the file format.)
b In the Password field, enter the password that will be used to encrypt the certificate file.
c In the Confirm Password field, re-enter the password that you entered in the Password field.
d Click OK to export the certificate and private key as a single file.
3 [Conditional] To export the certificate and private key as two separate files, do the following:
a In the Certificate File field, type the name and location of the file to which the client or firewall certificate will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. In the Format field, select the appropriate format for the file.
b In the Private Key File field, type the name and location of the file to which the key will be written. If you want to overwrite an existing file but you are not certain of the path name or the file name, click Browse. In the Format field, select the appropriate format for the file.
Important: If you use a transportable medium to store the private key file (for example .pk1, .pk8, or .pk12), the medium should be destroyed or reformatted after the private key information has been imported to the appropriate VPN client.
c Click OK to export the certificate and private key as separate files.
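The export choices above map directly onto standard file formats. As an added example, not from this guide or from Secure Computing, the script below performs the same three exports with the OpenSSL command line (certificate only as PEM or DER, certificate plus key in one password-protected PKCS12 file, and certificate plus a separately stored PKCS8 key file) and then imports each back to confirm the round trip, including that a PKCS12 import with the wrong password yields nothing. It uses a constructed self-signed client certificate, a constructed password and sample file names; the one deliberate departure from the window's two-file export is that the key file is written encrypted, which is the safer form when the files travel on removable media.

```shell
#!/bin/sh
# Added example, not from the Sidewinder G2 guide or from Secure Computing:
# the export shapes offered by the Export Certificate window, done with the
# OpenSSL CLI, each followed by the matching import. File names, the password
# and the DN are constructed sample values.
set -eu

EXP=$(mktemp -d)
PASS='correct horse battery staple'   # constructed export password

# A self-signed client certificate and key to export (stands in for a remote
# certificate created on the firewall for a VPN client).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$EXP/client.key" \
  -subj "/C=US/O=Example Corp/CN=vpn-client-01" -days 1825 \
  -out "$EXP/client.crt" 2>/dev/null

# SHA-256 fingerprint, the value to compare after any export/import round trip.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# "Export Certificate (Typical)": the certificate alone, as PEM or DER (binary).
export_cert_only() {
  openssl x509 -in "$EXP/client.crt" -outform "$1" -out "$2"
}

# "Certificate and Private Key as one file (PKCS12)": a single password-
# protected container holding both; the password is what the window's
# Password and Confirm Password fields set.
export_pkcs12() {
  openssl pkcs12 -export -in "$EXP/client.crt" -inkey "$EXP/client.key" \
    -name vpn-client-01 -passout "pass:$PASS" -out "$1"
}

# Import side of PKCS12: writes $3.key and $3.crt; fails, leaving nothing
# usable, when the password does not match the one used at export.
import_pkcs12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3.crt" 2>/dev/null
}

# "Certificate and Private Key as two files": an X.509 certificate plus a PKCS8
# key file. The key is written encrypted (AES-256) here, so a diskette lost
# before it is reformatted does not expose the key on its own.
export_two_files() {
  openssl x509 -in "$EXP/client.crt" -out "$1"
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$EXP/client.key" \
    -passout "pass:$PASS" -out "$2"
}

# True when the private key in $1 belongs to the certificate in $2.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Perform each export and the corresponding import.
export_cert_only PEM "$EXP/client-only.pem"
export_cert_only DER "$EXP/client-only.der"
export_pkcs12 "$EXP/client.p12"
export_two_files "$EXP/client-x509.pem" "$EXP/client.pk8"
import_pkcs12 "$EXP/client.p12" "$PASS" "$EXP/recovered"
echo "certificate fingerprint: $(fingerprint "$EXP/client.crt")"
```

Compare fingerprints, not file bytes, when checking an export: the same certificate serialised as PEM, as DER, or inside a PKCS12 container looks completely different on disk but has one SHA-256 fingerprint, and key_matches_cert is the check to run on whichever VPN client or peer receives the two-file form.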
437
Configuring VPN Security Associations
438
To configure a new VPN, you must perform the following steps:
1 Choose whether the VPN is connecting to a single machine or a gateway that provides access for multiple machines.
2 Determine whether the IP address the VPN is connecting to is always the same (static) or whether it changes (dynamic). If it is static, you must provide the IP address of the machine.
Important: The remote end can only be dynamic if automatic key management is chosen.
3 Decide if you want to automatically manage the exchange and use of keys (using IKE) or if you want to enter the session key manually at the remote end.
• For automatic key exchange, you must decide on the type of authentication (either password or certificate) to be used between the Sidewinder G2 and the remote end.
• For manual key exchange, you must decide on the type of authentication and encryption used between the Sidewinder G2 and the remote end and exchange these keys and Security Parameters Index (SPI) values with the remote end via a secure method (diskette, encrypted e-mail or telephone). You are also required to provide the authentication and encryption keys provided by the remote end.
Displaying and configuring a VPN Security Association
This section explains how to display and configure VPN associations. In the Admin Console, select VPN Configuration > Security Associations. The following window appears.
Figure 188: VPNs defined on Sidewinder G2
About the Security Associations window
You use the Security Associations window to view the list of VPN associations currently defined on the Sidewinder G2 and check the status of VPNs. You can also add, modify, or delete VPN associations.
To add or modify a VPN association, click Add or Modify and see “Defining a VPN Security Association” on page 440 for details.
To delete a VPN association, select the VPN association you want to delete, and click Delete.
To display which VPNs have active sessions, click Current VPN Status. The Security Associations: Active VPNs window appears.
Figure 189: Security Associations: Active VPNs window
About the Active VPNs window
This window allows you to view the status of all configured VPNs. The various statuses include:
• Idle—No active session.
• Active—One or more VPNs have active sessions established for this VPN.
Click Refresh to update the information. Click Close to return to the main window.
439
440
Defining a VPN Security Association
When you click New or Modify from the Security Associations window, the VPN Properties window appears. This window is used to add or modify VPN associations. The window contains four tabs that are used to enter distinct information about a VPN association.
Figure 190: General tab on the VPN Properties window
Configuring the General tab
The General tab is used to enter basic information about the VPN association. To configure the General tab, follow the steps below.
1 In the Name field, type the name of this VPN.
2 In the Enabled field, select Yes to enable this VPN association, or select No to disable it.
3 In the Encapsulation field, select one of the following:
• Tunnel—The more popular form of VPN encapsulation. Both the data and the source and destination IP addresses are encrypted within the encapsulated payload.
• Transport—The native form of VPN. Transport mode encrypts the data but the source and destination IP addresses are not concealed.
See “Transport mode vs. tunnel mode” on page 397 for a more detailed explanation of these terms.
4 In the Burb drop-down list, select the burb to which you want to assign this VPN. The Sidewinder G2 terminates each VPN in a burb so that access rules may be applied to the VPN.
Chapter 14: Configuring Virtual Private Networks<br />
Configuring VPN Security Associations<br />
5 In the Mode field, specify how the remote end is operating. The valid<br />
options are:<br />
• Fixed IP—Select this option if the IP address <strong>of</strong> the remote end is<br />
always the same. You must also provide the IP address <strong>of</strong> the remote<br />
end in the Remote IP field.<br />
• Dynamic IP Client—Select this option if the remote end is a device<br />
whose IP address is not fixed. Example: A salesperson that gains<br />
Internet access from a laptop.<br />
• Dynamic IP Restricted Client—Select this option if the remote end is a<br />
device whose IP address is not fixed. Example: A salesperson that<br />
gains Internet access from a laptop. The difference between this option<br />
and Dynamic IP Client is that the remote end is assigned a virtual IP<br />
address from a range specified by using either a Client Address Pool or<br />
a range <strong>of</strong> acceptable external IP addresses. You restrict the range <strong>of</strong> IP<br />
addresses available to the remote end by using either the Client<br />
Address Pool field or the Dynamic Virtual Address Range field.<br />
Important:You can only use Dynamic IP Client or Dynamic IP Restricted<br />
Client if automatic key management is used.<br />
6 [Conditional] Determine if you want remote clients to make connections<br />
using only the IP addresses contained within one <strong>of</strong> the available client<br />
address pools. If so, use the Client Address Pool drop-down list arrow to<br />
select the client address pool you want to use. With this option, the<br />
<strong>Sidewinder</strong> <strong>G2</strong> selects an IP address from the available pool and assigns it<br />
to the client. (This field is available only if you select Fixed IP or Dynamic IP<br />
Restricted Client in the Mode field.)<br />
Note: See “Configuring client address pools” on page 407 for information on<br />
creating a client address pool.<br />
7 In the Local IP field, indicate which IP address to use as the local gateway by selecting one of the following:
• Use Localhost IP—Select this option to have the Sidewinder G2 assign the IP address. The Sidewinder G2 uses its routing table to automatically determine which interface or alias address is associated with a route to reach the remote gateway.
• Specify IP—Select this option to configure a specific IP address. This IP address should be one of the Sidewinder G2’s interface or alias addresses, and that interface must have a route to reach the remote gateway.
Note: If configuring a VPN for an HA cluster, be sure to use the localhost option or specify an alias shared by the cluster.
8 To add or modify a local network address in the Local Network/IP list (a list of network names or IP addresses the Sidewinder G2 can use in a VPN association), click New or Modify, respectively. See “Adding or modifying an IP address” for details.
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
9 [Conditional] In the Remote IP field, type the IP address of the remote client. This field is available only if you select Fixed IP in the Mode field.
10 [Conditional] If you selected Fixed IP in the Mode field, to add or modify an entry in the Remote Network / IP list, click New or Modify, respectively. This list contains the IP addresses with which a VPN association can be made. The addresses specified here typically represent a real network located behind the client’s Sidewinder G2. See “Adding or modifying an IP address” for details.
11 [Conditional] If you selected Dynamic IP Restricted Client in the Mode field, to add or modify an entry in the Dynamic Virtual Address Range list, click New or Modify, respectively. This list defines the range of addresses a client can use when initiating a VPN connection. The addresses specified here do not represent a real network but are virtual addresses. With this option the client assigns its own IP address, although the address must be within the approved address range.
12 [Optional] In the Comments field, type a short description for this VPN association.
Note: You must enter information on the Authentication tab before you can save this Security Association entry. See “Configuring password information on the Authentication tab” on page 443 for instructions.
Adding or modifying an IP address
The Local Network List window is used to define the range of IP addresses that can be used in a VPN association. To add or modify an IP address, follow the steps below.
1 In the IP Address field, type the IP address used in this VPN association.
2 In the Number of bits in Netmask field, use the up/down arrows to select the number of bits that are significant in the network mask. The value specified is used to identify the network portion of the IP address.
3 Click Add to add the IP address, and then click Close. To exit the window without adding the IP address, click Close without clicking Add.
Entering information on the Authentication tab
To prevent access to the VPN from Internet hosts masquerading as the VPN peer, various means of authenticating the peer are available. The Authentication tab defines the authentication method that will be used in this VPN association. It also defines the characteristics of the selected authentication method. You can select from four different methods:
• Password—Select this option if you and the remote end want to use a password to verify the key exchange. The same password must be used on both ends of this association. See “Configuring password information on the Authentication tab” on page 443 for detailed information.
• Certificate + Certificate Authority—Select this option if you want to use one or more trusted CAs and Remote Identities to validate the certificate of the remote end. This method is commonly used by organizations that have many remote users who must access resources behind the Sidewinder G2. See “Entering Certificate + Certificate Authority information on the Authentication tab” on page 445 for detailed information.
• Single certificate—Select this option if you want to validate the remote end using a self-signed certificate generated by the Sidewinder G2, or using a certificate generated by a CA server. This method is commonly used by organizations that have a small number of people who travel but need secure access to your network. See “Entering Single Certificate information on the Authentication tab” on page 446 for detailed information.
• Manual—Select this option if you want to exchange session keys manually (for example, over the phone). See “Entering Manual information on the Authentication tab” on page 447 for detailed information.
The first three methods are automatic methods, meaning the session keys are managed automatically between the Sidewinder G2 and the remote end. The ISAKMP server must be enabled on the Sidewinder G2 in order to automatically generate and exchange session keys. See “Configuring the ISAKMP server” on page 402 for information. The remote end of the VPN must also support ISAKMP.
With the manual method, matching session keys must be entered manually at both the Sidewinder G2 and the remote end. Each of these authentication methods is described in the following sections.
Configuring password information on the Authentication tab
The password information tabs in the Authentication window are used to define password authentication for this VPN association. The password is used to authenticate both peers in a potential VPN association. To configure password information, follow the steps below.
Note: Password-based authentication should only be used with a fixed IP-configured VPN or with extended authentication.
On the General sub-tab
1 In the Enter Password field, type the password to be used each time automatic key exchange takes place.
2 In the Verify Password field, confirm the password in the field provided.
3 [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 399 for more information on extended authentication.
On the Identities sub-tab
The Identities sub-tab is used to define unique identities for the following:
• Firewall Identity is included in the response to the remote client and confirms to the client that it has established a VPN association with the correct endpoint.
• Remote Identity is used to match a client identity with a particular security association; the Sidewinder G2 can then use this information to determine the password the client should be using. The remote identity is optional for Fixed IP VPN associations because the Sidewinder G2 can use the IP address to determine who the client is and thus what password the client should be using.
1 In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Valid options are:
• E-mail address
• Fully Qualified Domain Name
• IP Address
Note: E-mail addresses are not recommended, as they are rarely used in the context of a security gateway.
2 In the Value field, type the actual value used as the firewall identity. The value must be of the type specified in the Firewall Identity Type field (for example, if you selected IP Address in the Firewall Identity Type field, you must type an IP address in the Value field).
3 Select the Gateway IP Address radio button if the Sidewinder G2 should use the IP address of a Fixed IP client to determine what password the client should be using.
4 Select the Remote Identities radio button if the Sidewinder G2 should use a remote identity to determine the ID of the client. Valid identities for this association should be moved from the Available list to the Trusted list.
5 [Optional] Click Remote Identities to go to the Remote Identities window. This is useful if you want to use an identity that has yet to be created. When you add the identity and click Close, you will return to the Password Authentication Identities tab.
6 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon.
• If you do not want to save this Security Association entry, click Close without clicking Add.
Entering Certificate + Certificate Authority information on the Authentication tab
The Certificate + Certificate Authority tabs in the Authentication window are used to define certificate and certificate authority authentication for this VPN association. This means each peer must be validated using certificates and remote identities before entering into this VPN association. To configure the certificate and certificate authority tabs, follow the steps below.
1 Select the Firewall Credentials sub-tab.
2 In the Firewall Certificate drop-down list, select the certificate that will be used to identify the Sidewinder G2 to the remote peer. You can also click the Firewall Certificates button to go to the Firewall Certificates window. This is useful if you want to use a certificate that has yet to be created.
3 In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Only those identities defined within the selected firewall certificate will be available in this field. Valid options are:
• E-Mail
• Fully Qualified Domain Name
• IP Address
• Distinguished Name
The Value field contains the actual value used as the Sidewinder G2 identity. This value is filled in automatically using the information from the selected certificate. The field cannot be edited.
4 [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 399 for more information on extended authentication.
5 Select the Remote Credentials sub-tab.
6 In the list of Available Certificate Authorities, select a CA you want to add as a trusted CA and click the ==>> button to add the CA to the Trusted List. You can add several trusted CAs. To select a CA that has yet to be defined, click the Cert Authorities button to go to the Certificate Authorities window. In this window you can define the needed CA, and then return here.
7 In the list of Available Remote Identities, select a remote identity you want to add to the Trusted identity list and click the ==>> button. You can add several trusted remote identities. To select an identity that has yet to be defined, click Remote Identities to go to the Remote Identities window. This window allows you to define the needed identity, and then return here.
8 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon to save your changes.
• If you do not want to save this Security Association entry, click Close without clicking Add.
Entering Single Certificate information on the Authentication tab
The Single Certificate screen in the Authentication window is used to define single certificate authentication for this VPN association. This means the remote peer must use the selected remote certificate for authentication before entering into this VPN association. To enter certificate authentication information, follow the steps below.
1 In the Firewall Certificate drop-down list of available certificates, select the certificate used to authenticate the key exchange. To create or import a certificate, click the Firewall Certs button to go to the Firewall Certificates window. See “Configuring and displaying firewall certificates” on page 424 and “Importing a firewall certificate” on page 432 earlier in this chapter for details.
2 In the Remote Certificate drop-down list, select the certificate used on the remote end of the VPN. To create or import a certificate, click the Remote Certs button to go to the Remote Certificates window. See “Configuring and displaying remote certificates” on page 427 and “Importing a remote certificate” on page 434 for details.
3 In the Firewall Identity Type field, select the type of identity to use when identifying the Sidewinder G2 to the remote client. Only those identities defined within the selected firewall certificate will be available in this field. Valid options are:
• Distinguished Name
• E-mail address
• Fully Qualified Domain Name
• IP Address
The Value field contains the actual value used as the firewall identity. This value is filled in automatically using the information from the selected certificate. The field cannot be edited.
4 [Conditional] Select the Require Extended Authentication check box if you want to use Extended Authentication. This check box is available only if an authentication method is configured for the ISAKMP server. See “Extended Authentication for VPN” on page 399 for more information on extended authentication.
5 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click Add and then click Close. Click the Save icon to save your changes.
• If you do not want to save this Security Association entry, click Close without clicking Add.
Entering Manual information on the Authentication tab
The Manual screen in the Authentication window is used to define manual authentication for this VPN association. This means that only a remote peer that has entered the exact same manual key value will have access through this VPN association. To configure manual authentication, follow the steps below.
1 In the IPSEC Transformations drop-down list, select the appropriate form of IPsec transformation. The valid options are:
• Authentication Header (AH)—Provides authentication only.
• Encapsulating Security Payload (ESP)—Provides encryption only.
• Separate AH + ESP—Performs separate transformations for authentication and encryption.
• Combined ESP + AH—Performs a single transformation that provides authentication and encryption.
2 In the Authentication Hash drop-down list, select the type of authentication you and the remote end have chosen to use. The valid options are:
• HMAC-SHA1-96
• HMAC-MD5-96
3 In the Encryption drop-down list, select the type of encryption you and the remote end have chosen to use. The choices are:
Encryption type   Key length
AES256            256-bit
AES128            128-bit
CAST128           128-bit
3DES              168-bit
DES               56-bit
Null              0
4 To define keys and SPI index values, click Generate Keys. You can type your own unique key and SPI index, but it is not recommended.
Since manually generating random keys is difficult, the Sidewinder G2 provides randomly generated authentication and encryption keys and Security Parameters Index (SPI) values for you and the remote end to use. It is highly recommended that you use the default keys provided. You must send these keys and SPI values to the remote end for them to use.
Note: The individual key and SPI fields listed below may become available or unavailable depending on the value selected in the IPSEC Transformations field.
• AH Inbound Key and SPI
• AH Outbound Key and SPI
• ESP Inbound Key and SPI
• ESP Outbound Key and SPI
Important: Once you have chosen the keys, they must be kept secret. You should only exchange the keys by a secure method, such as floppy disk, encrypted e-mail (such as PGP) or via the telephone. If attackers learn the key, they can decrypt all of your VPN traffic.
5 To complete the manual key exchange, you must exchange these keys and Security Parameters Index (SPI) values with the remote end via a secure method (diskette, encrypted e-mail or telephone).
Note: The inbound and outbound keys/SPIs are entered in the opposite fields on the remote end.
• In the Authentication section, type the key and SPI used by the remote end.
• In the Encryption section, type the key and SPI used by the remote end.
Important: You must be sure to type the key correctly or the VPN will not work.
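As an added example (it is not part of this guide or the Sidewinder G2 software), the following Python models the manual-key fields above: it generates key and SPI material sized for the selected Authentication Hash and Encryption type, checks what an administrator has typed, and produces the swapped inbound/outbound view the remote end must enter. The byte counts, the reserved SPI range and the section names are this example's assumptions taken from the IPsec RFCs, not from the guide.

```python
import secrets

# Authentication Hash -> key bytes. Assumption from RFC 2404 (HMAC-SHA1-96,
# 160-bit key) and RFC 2403 (HMAC-MD5-96, 128-bit key).
AUTH_KEY_BYTES = {"HMAC-SHA1-96": 20, "HMAC-MD5-96": 16}

# Encryption type -> key bytes. The guide's table lists effective lengths
# (3DES 168-bit, DES 56-bit); the key material itself carries parity bits,
# so 3DES is 24 bytes and DES 8 bytes (assumption from RFC 2451 / RFC 2405).
ENC_KEY_BYTES = {"AES256": 32, "AES128": 16, "CAST128": 16,
                 "3DES": 24, "DES": 8, "Null": 0}

# IPSEC Transformations choice -> which key/SPI sections are in use.
# "auth" is the Authentication (AH) section, "enc" the Encryption (ESP)
# section. Treating Combined ESP + AH as using both is an assumption.
TRANSFORM_SECTIONS = {
    "Authentication Header (AH)": ("auth",),
    "Encapsulating Security Payload (ESP)": ("enc",),
    "Separate AH + ESP": ("auth", "enc"),
    "Combined ESP + AH": ("auth", "enc"),
}

SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # SPIs 0-255 are reserved (RFC 4302/4303)
DIRECTIONS = ("inbound", "outbound")


def _random_pair(nbytes):
    """One key/SPI pair, as Generate Keys would fill it in."""
    return {"key": secrets.token_hex(nbytes),
            "spi": SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)}


def generate_manual_sa(transform, auth_hash="HMAC-SHA1-96", encryption="AES128"):
    """Random keys and SPIs for every section the chosen transform enables."""
    sizes = {"auth": AUTH_KEY_BYTES[auth_hash], "enc": ENC_KEY_BYTES[encryption]}
    sa = {"transform": transform, "auth_hash": auth_hash, "encryption": encryption}
    for section in TRANSFORM_SECTIONS[transform]:
        sa[section] = {d: _random_pair(sizes[section]) for d in DIRECTIONS}
    return sa


def validate_manual_sa(sa):
    """Problems an operator should catch before sending keys to the remote end:
    wrong key sizes for the selected algorithms, reserved or oversized SPIs,
    and the same key entered for both directions."""
    problems = []
    sizes = {"auth": AUTH_KEY_BYTES[sa["auth_hash"]],
             "enc": ENC_KEY_BYTES[sa["encryption"]]}
    for section in TRANSFORM_SECTIONS[sa["transform"]]:
        pairs = sa.get(section)
        if not pairs:
            problems.append(f"{section}: key and SPI fields are empty")
            continue
        for direction in DIRECTIONS:
            key, spi = pairs[direction]["key"], pairs[direction]["spi"]
            try:
                raw = bytes.fromhex(key)
            except ValueError:
                problems.append(f"{section} {direction}: key is not hexadecimal")
                continue
            if len(raw) != sizes[section]:
                problems.append(f"{section} {direction}: key is {len(raw)} bytes, "
                                f"expected {sizes[section]}")
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{section} {direction}: SPI {spi} is outside "
                                f"{SPI_MIN}-{SPI_MAX}")
        if sizes[section] and pairs["inbound"]["key"] == pairs["outbound"]["key"]:
            problems.append(f"{section}: the same key is used in both directions")
    return problems


def remote_view(sa):
    """What the remote administrator types: per the note above, inbound and
    outbound keys/SPIs go in the opposite fields on the remote end."""
    view = {k: v for k, v in sa.items() if k not in ("auth", "enc")}
    for section in ("auth", "enc"):
        if section in sa:
            view[section] = {"inbound": dict(sa[section]["outbound"]),
                             "outbound": dict(sa[section]["inbound"])}
    return view


def peers_match(local_sa, remote_sa):
    """True when the two ends describe the same pair of one-way SAs."""
    return remote_view(local_sa) == remote_sa


if __name__ == "__main__":
    sa = generate_manual_sa("Separate AH + ESP", "HMAC-SHA1-96", "AES256")
    for section in ("auth", "enc"):
        for d in DIRECTIONS:
            pair = sa[section][d]
            print(f"{section:4} {d:8} SPI={pair['spi']:>10} key={pair['key']}")
    print("problems:", validate_manual_sa(sa) or "none")
```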
Entering information on the Crypto tab
The Crypto tab defines the cryptographic and hashing algorithms used to authenticate the peer in this VPN association. The information on this tab is only used with automatic key exchange (that is, Authentication Method = Password, Certificate + Certificate Authority, or Single Certificate on the Authentication tab). To configure the Crypto tab, follow the steps below.
1 In the IPSEC Crypto Algorithms area, select an algorithm from the Available list of available encryption algorithms, and click the ==>> button to move it to the Accept list. You can have multiple algorithms in the Accept list.
Use the Up and Down buttons to organize the algorithms according to your preference. The first algorithm that appears in the Accept list will be used.
Note: The Null option contains an encryption header but does not specify an encryption algorithm. It is generally only used during testing. Compare this to the None option, which does not contain an encryption header.
2 In the IPSEC Hashing Algorithms area, select an algorithm from the Available list of available hashing algorithms, and click the ==>> button to move it to the Accept list. You can have multiple algorithms in the Accept list.
Use the Up and Down buttons to organize the algorithms according to your preference. The first algorithm that appears in the Accept list will be used.
Entering information on the Advanced tab
The Advanced tab defines some of the more arcane points of a VPN association. As a general rule, only administrators who are highly schooled in the nuts and bolts of VPN should modify the information on this tab. The information on this tab is only used with automatic key exchange (that is, Authentication Method = Password, Certificate + Certificate Authority, or Single Certificate on the Authentication tab). The Advanced tab contains the following fields and buttons.
Phase 1 (ISAKMP) Rekey data fields
• Hard Limits—Indicates how often the system must negotiate for new ISAKMP keys and how much ISAKMP traffic this phase can protect. The defaults are 3600 seconds (1 hour) and 0 (meaning no limit to the amount of traffic).
• Soft Percentage—Indicates how far in advance of the hard limit to begin negotiating for new keys. This makes sure you have new keys on hand by the time the hard limit expires.
• P1 Crypto—Specifies the crypto algorithm to use during Phase 1.
• P1 Hash: Specifies the hash algorithm to use during Phase 1.
• P1 Oakley—Indicates the Diffie-Hellman group to use for the PFS derivation of ISAKMP keys.
• Force XAuth on Rekey—Select this option to force XAuth to be performed each time the phase 1 session is started or renegotiated.
• Relax Strict Identity Matching—Select this option to relax the identity matching restrictions. If you are experiencing issues associated with identity processing with the remote VPN peer, selecting this option can improve interoperability.
Phase 2 (IPSEC) Rekey data fields
• Hard Lifetimes—Indicates how often the system must negotiate for new IPsec keys and how much traffic it can encrypt. The defaults are 700 seconds and 0 (meaning no traffic limit).
• Soft Percentage—Indicates how far in advance of the hard limit to begin negotiating for new keys. This makes sure you have new keys on hand by the time the hard limit expires.
• Negotiate As Single Host—If this option is enabled, every possible combination of source and destination must establish a separate VPN association. Do not use this option unless directed to do so by Secure Computing Corporation.
• Forced Rekey—Forces the association to rekey when the limits are reached, even if no traffic has passed through the VPN since the last rekey.
Important: SCC strongly recommends enabling the Forced Rekey option if you are using SafeNet SoftRemote and have XAUTH configured.
Caution: Do not enable the Forced Rekey option if you have One-To-Many configured and are using static IP addresses for your VPNs. Doing so will cause all Sidewinder G2s in the cluster to attempt to instantiate the VPN at the same time, resulting in failure.
• PFS—(Perfect Forward Secrecy) If this option is enabled, it ensures that the key material associated with each IPsec security association cannot be derived from the key material used to authenticate the remote peer during the ISAKMP negotiation. If a key is compromised by a hacker, the information available to that hacker depends on whether you select Identity or Key Only.
– Identity: Indicates that a Phase 1 negotiation is performed for every Phase 2. This means the identity will not be revealed even if the key is compromised; only the data protected by that key will be accessible. The downside is that system performance may suffer because of the many negotiations.
– Key Only: Phase 1 negotiations are not performed for every Phase 2. This will increase performance but may allow access to the identity if the key is compromised.
• Oakley Group: Indicates the Diffie-Hellman group to use for the PFS derivation of IPsec keys. Available only if the PFS option is enabled.
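The constraints stated in the General, Authentication and Advanced tab descriptions above can be checked mechanically before an association is saved. The following Python is an added example, not part of the guide or the Admin Console; the dictionary key names, the error/warning split and the sample association (values from the corporate-office scenario later in this chapter) are its own assumptions.

```python
FIXED = "Fixed IP"
DYN_CLIENT = "Dynamic IP Client"
DYN_RESTRICTED = "Dynamic IP Restricted Client"
AUTOMATIC = {"Password", "Certificate + Certificate Authority", "Single certificate"}

# Constructed sample mirroring Scenario 1 (fw.east.example.com side).
CORPORATE_WEST = {
    "name": "corporate_west", "mode": FIXED, "auth_method": "Password",
    "remote_ip": "100.1.1.1", "local_network": "250.1.1.0/24",
    "remote_network": "50.1.0.0/16", "identity_match": "Gateway IP Address",
}


def lint_sa(cfg):
    """Return (severity, message) findings for one security association;
    an empty list means none of the guide's stated constraints is violated."""
    mode, method = cfg.get("mode"), cfg.get("auth_method")
    adv = cfg.get("advanced", {})
    findings = []

    def error(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warning", msg))

    if mode not in (FIXED, DYN_CLIENT, DYN_RESTRICTED):
        error(f"unknown Mode {mode!r}")
    if method not in AUTOMATIC | {"Manual"}:
        error(f"unknown Authentication method {method!r}")

    # General tab: the dynamic modes exist only under automatic key management,
    # and several fields are available only in particular modes.
    if mode in (DYN_CLIENT, DYN_RESTRICTED) and method == "Manual":
        error("Dynamic IP modes require automatic key management, not Manual keys")
    if cfg.get("client_address_pool") and mode not in (FIXED, DYN_RESTRICTED):
        error("Client Address Pool is available only for Fixed IP or Dynamic IP Restricted Client")
    if mode == FIXED and not cfg.get("remote_ip"):
        error("Fixed IP mode needs a Remote IP")
    if cfg.get("remote_ip") and mode != FIXED:
        error("Remote IP is available only for Fixed IP")
    if cfg.get("dynamic_virtual_address_range") and mode != DYN_RESTRICTED:
        error("Dynamic Virtual Address Range is available only for Dynamic IP Restricted Client")

    # Authentication tab.
    if method == "Password":
        if mode != FIXED and not cfg.get("require_xauth"):
            warn("Password authentication should only be used with Fixed IP or extended authentication")
        if cfg.get("identity_match") == "Remote Identities" and not cfg.get("trusted_remote_identities"):
            error("Remote Identities selected but the Trusted list is empty")
    if cfg.get("firewall_identity_type") == "E-mail address":
        warn("E-mail address firewall identities are not recommended")
    if cfg.get("require_xauth") and not cfg.get("isakmp_auth_configured", True):
        error("Require Extended Authentication needs an authentication method on the ISAKMP server")

    # Advanced tab: used only with automatic key exchange. "Static IP
    # addresses" in the Forced Rekey caution is read here as Fixed IP mode.
    if method == "Manual" and adv:
        warn("Advanced tab settings are ignored with Manual authentication")
    if adv.get("forced_rekey") and cfg.get("one_to_many") and mode == FIXED:
        error("Forced Rekey must not be enabled with One-To-Many and static IP addresses")
    if adv.get("oakley_group") and not adv.get("pfs"):
        warn("Oakley Group is only used when PFS is enabled")
    if (cfg.get("client_software") == "SafeNet SoftRemote" and cfg.get("require_xauth")
            and not adv.get("forced_rekey")):
        warn("Forced Rekey is strongly recommended with SafeNet SoftRemote and XAUTH")
    return findings


if __name__ == "__main__":
    for severity, message in lint_sa(CORPORATE_WEST) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```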
Example VPN Scenarios
The following sections describe three typical VPN scenarios. Each scenario begins by describing a particular VPN requirement. It then explains how to implement the solution using the Admin Console. These scenarios assume the following:
• The CMD server is enabled on the Sidewinder G2. (This server is enabled by default.)
• The ISAKMP server is enabled on the appropriate burb. See “Configuring the ISAKMP server” on page 402 for information on enabling this server. In the scenarios that follow, it is assumed the server is enabled on the Internet burb.
• The proper rule(s) are defined to allow ISAKMP traffic on the proper burb(s). In the scenarios that follow, it is assumed a rule has been defined that allows ISAKMP traffic on the Internet burb.
Note: The values used in the following scenarios are for demonstration purposes only.
Scenario 1: G2-to-G2 VPN via shared password
The easiest type of VPN association to configure is one that uses a shared password for authentication. A shared password is typically used to establish a VPN association between two corporate offices that have static IP addresses. Such a situation occurs if you have a business partner that requires access to your network, or if you have one or more corporate divisions located in different cities.
The following figure provides the sample configuration information used in this scenario.
Figure 191: VPN between two corporate offices. fw.west.example.com (Sidewinder G2, external address 100.1.1.1, internal network 50.1.0.0/16) and fw.east.example.com (Sidewinder G2, Internet burb 200.1.1.1, Trusted burb 250.1.1.0/24).
The requirements
This VPN scenario requires the following:
• A VPN connection between two corporate offices
• Shared password authentication
• Static IP addresses for each peer in the VPN association
How it is done
The following steps show the fields on the VPN menus that must be defined in order to create this VPN association. The configuration steps are performed on the Sidewinder G2 named fw.east.example.com.
In the Admin Console, select VPN Configuration > Security Associations, and then click New to configure a new association.
1 On the General tab:
• Name = corporate_west
• Encapsulation = Tunnel
• Mode = Fixed IP
• Enabled = Yes
• Burb = Trusted
• Local IP = localhost
• Remote IP = 100.1.1.1
• Client Address Pool =
• Local Network / IP = 250.1.1.0/24
• Remote Network / IP = 50.1.0.0/16
Note: When configuring the Sidewinder G2 named fw.west.example.com, the Local Network/IP and the Remote Network/IP values are reversed and the Remote IP value is 200.1.1.1.
2 On the Authentication tab:
• Authentication method = password
• Enter password = samplepassword
• Verify password = samplepassword
3 On the Crypto tab: Order the algorithms to match that of the other Sidewinder G2.
4 On the Advanced tab: No changes needed.
5 Click Add to save the new VPN security association.
6 Click the Save icon.
Summary
And that is it. The VPN can be used as soon as the other Sidewinder G2 is configured. The same type of information is entered at the other Sidewinder G2, changing the IP addresses as appropriate.
Scenario 2: Simple deployment of remote users
A common reason for using a VPN is to allow your travelling employees to connect to your corporate network from a remote site. This connection is typically made between an employee’s laptop computer and your corporate Sidewinder G2. In this type of VPN association, single (also known as “self-signed”) certificates are generated by the Sidewinder G2 and distributed to each client. This type of VPN can be used with dynamic IP-assigned clients and gateways. One association must be created for each client, so this type of VPN is typically used only if you have a small number of remote clients.
The following figure provides the sample configuration information used in this scenario. Note that the remote end of this VPN connection (from the Sidewinder G2 point of view) is a laptop that will be using a dynamic IP address.
Figure 192: One VPN association per client. VPN Client A and VPN Client B connect across the Internet to fw.east.example.com (Sidewinder G2; Internet burb 200.1.1.1; Trusted burb 250.1.1.0/24 with hosts; Virtual burb), which reaches the 192.168.182.0 network through a router.
The assumptions
This VPN scenario assumes the following:
• A VPN connection between a remote computer and the Sidewinder G2
• A self-signed firewall certificate that is generated by the Sidewinder G2
• One or more remote certificates that are generated by the Sidewinder G2 and distributed to the clients
• One VPN association per client
• Each VPN association is terminated in the Virtual burb
• VPN clients should have access to the 250.1.1.0 network but not the 192.168.182.0 network
• All clients make connections using a virtual IP address assigned from a client address pool
• All clients use VPN client software that supports mode-config
Important: When determining your deployment method, consider what steps you will take to ensure the protection of your private key material. Allowing unauthorized access to your private key material could compromise your entire network.
How it is done
(Network diagram: the Sidewinder G2, fw.east.example.com, reaches the Internet through the Internet burb at 200.1.1.1; the Trusted burb serves the 250.1.1.0/24 network, whose hosts include a router to the 192.168.182.0 network; the VPN associations terminate in the Virtual burb.)
The following steps show the fields on the VPN menus that must be defined to create this VPN association. The basic idea is to:
• Create a firewall certificate that identifies the Sidewinder G2, and export this certificate to each client.
• Create a remote certificate that uniquely identifies each client, and export each certificate, with its private key, to the respective client.
• Create a client address pool.
• Create a VPN association for each client.
1 In the Admin Console, select Services Configuration > Certificate Management, and then enter the following information on each tab:
a On the Firewall Certificates tab, click New and create a firewall certificate by specifying the following:
• Certificate Name = MyFirewall_cert
• Distinguished Name: CN=MyFirewall,O=bizco,C=US
• Submit to CA = Self Signed
• Signature Type = RSA
• Click Add.
• Click the Save icon.
b [Optional] On the Firewall Certificates tab, click Export and export the firewall certificate by specifying the following:
• Destination = File
• Export Private Key to File: Click Browse and specify where you want to save the private key. Export the firewall's private key only if you need an off-box backup of it, and protect that copy as carefully as the firewall itself. The clients do not need it: they authenticate the firewall with its certificate alone, and a client holding the firewall's private key could impersonate the firewall.
• Export Firewall Certificate to File: Click Browse and specify where you want to save the firewall certificate. The firewall certificate is often saved to an accessible location (portable storage device or protected network) for distribution to the clients; it contains only the public key, so the same file can be given to every client.
• Click OK.
c On the Remote Certificates tab, click New and create a self-signed certificate for a client by specifying the following:
• Certificate Name = Sales_A
• Distinguished Name: CN=Sales_A,O=bizco,C=US
• Submit to CA = Self Signed
• Signature Type = RSA
Important: If you are using SafeNet SoftRemote as your client software, you must save this client's certificate and private key as a single PKCS12 file rather than as a separate certificate/key pair.
• Click Add.
• Click the Save icon.
d Repeat step 1c for each remote client.
e On the Remote Certificates tab, click Export and export the remote certificate by specifying the following:
• Destination = File
• Export Client Private Key to File: Click Browse and specify where you want to save the private key.
• Export Client Certificate to File: Click Browse and specify where you want to save the client certificate.
• Format: Select the appropriate format for the client private key and client certificate in the corresponding Format drop-down lists.
• Click OK.
f Repeat step 1e for each remote client. When you are finished, you should have the firewall certificate as well as either the PKCS12-formatted object or the certificate/key file pair for each client saved to a location accessible by that remote client (portable storage device or protected network).
2 In the Admin Console, select VPN Configuration > Client Address Pools, and then click New to create a new client address pool.
A client address pool lets you define which local networks the clients can access. For this example, assume you want to permit access to the 250.1.1.0 network but not the 192.168.182.0 network.
Note: Your client software must support this capability. SafeNet SoftRemote currently does not; it must be manually configured with information about the locally protected subnet.
a Enter New Pool Name = SalesPool
b Virtual Subnet = 10.1.1.32/27
c Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click Add.
d Click Add to add the new pool.
Note: The Subnet and Number of Bits in Netmask fields work in concert to determine the network portion of the addresses in the pool as well as the total number of addresses in the pool. The values shown here provide 30 possible addresses, 10.1.1.33 - 10.1.1.62; the network and broadcast addresses of the /27 are not assigned to clients. Modify these two values as appropriate for your situation. (For example, in this scenario you might alternatively specify IP Address = 10.1.1.16 and Netmask = 28, creating 14 possible addresses: 10.1.1.17 - 10.1.1.30.) The virtual subnet must not overlap the local subnets the clients will reach or any other network in use behind the firewall.
e On the Servers tab: If the client software you are using supports this mode-config capability, specify your internal DNS and WINS servers here.
f Click Add.
3 In the Admin Console, select VPN Configuration > Security Associations, and then click New to configure a new association.
a On the General tab:
• Name = Sales_A
• Encapsulation = Tunnel
• Mode = Dynamic IP Restricted Client
• Enabled = Yes
• Burb = Virtual
• Local IP = localhost
• Client Address Pool = SalesPool
b On the Authentication tab:
• Authentication method = Single Certificate
• Firewall Certificate = Select the certificate you created in step 1a
• Remote Certificate = Select the certificate you created in step 1c for this client
c On the Crypto tab: Order the algorithms to match those of the client.
d On the Advanced tab: No changes needed.
e Click Add to save the new VPN association.
f Click the Save icon to save your changes.
4 Repeat step 3 for each client, changing the name in step 3a and the remote certificate in step 3b as appropriate.
Summary
Each individual VPN connection can be used as soon as the remote client is configured. To configure its end of the VPN connection, each client needs the firewall certificate exported in step 1b and the client-specific certificate and private key exported in step 1e. If you saved this information to removable media, you can hand it to the user in person, mail it, or perform the import while the machine is within a trusted network. It is not safe to distribute certificate and private key information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating it in a virtual burb. Proxies and rule entries must be configured to specify what access the VPN clients have to the trusted network.
Scenario 3: Large scale deployment of clients
This scenario is similar to Scenario 2 except that, instead of a small number of remote clients, it assumes you have hundreds or even thousands of remote clients. Because it is unreasonable to create a unique VPN association for each client, a Certificate Authority (CA) is used. The CA, in conjunction with the remote identities you define, allows you to create one VPN association that is accessible by all of the clients: the firewall accepts any certificate issued by the CA whose subject matches a remote identity, so the CA's issuance policy becomes part of your access control.
The following figure provides the sample configuration information used in this scenario.
Figure 193: One VPN association for all clients (diagram: VPN Client A, VPN Client B, through VPN Client ZZZ, all sharing a single association to the Sidewinder G2)
The assumptions
This VPN scenario assumes the following:
• A VPN connection between a Sidewinder G2 and many clients
• A Certificate Authority-based VPN
• A single VPN association for all clients with a like security policy rather than one association per client
• The VPN association is terminated in a virtual burb
• The clients can have dynamic or static IP addresses
• VPN clients should have access to the 250.1.1.0 network but not the 192.168.182.0 network
• All clients connect using a virtual IP address assigned from a client address pool
• All clients use VPN client software that supports mode-config
Note: This scenario assumes that the clients do not have access to the CA and must rely on the Sidewinder G2 to create and distribute the necessary certificates and private keys.
How it is done
(Network diagram, as in Scenario 2: the Sidewinder G2, fw.east.example.com, reaches the Internet through the Internet burb at 200.1.1.1; the Trusted burb serves the 250.1.1.0/24 network, whose hosts include a router to the 192.168.182.0 network; the VPN association terminates in the Virtual burb.)
The following steps show the fields on the VPN menus that must be defined to create this VPN association. The basic idea is to:
• Define the CA used with this VPN
• Create a firewall certificate that is signed by the CA
• Create one or more remote identities that define who is authorized to use this VPN
• Create a client address pool
• Create the VPN security association
• Create the client certificates for each client
• Provide certificate information and/or files to clients as necessary
Tip: Some VPN client software, such as SafeNet SoftRemote, allows users to self-enroll online to obtain their personal certificates, which can greatly reduce administrative effort. See the VPN Admin Guide for more details.
1 In the Admin Console, select Services Configuration > Certificate Management, and then enter the following information on each tab.
a On the Certificate Authorities tab, click New and create a CA by specifying the following:
• CA Name = BizcoCA
• Type = SCEP (or whatever value is appropriate)
• URL = http://10.18.128.8
• Click Add.
• Click the Save icon to save your changes.
• Click Get CA Cert (retrieves the CA certificate from the URL). Confirm the retrieved certificate against a fingerprint obtained from the CA administrator out of band; fetching it over HTTP does not by itself prove that you have the genuine CA certificate, and every client certificate on this VPN will be trusted on the strength of it.
• Click Get CRL (retrieves the Certificate Revocation List for this CA).
b On the Firewall Certificates tab, click New and create a firewall certificate by specifying the following:
• Certificate Name = BizcoFW_by_CA
• Distinguished Name: CN=BizcoFW_by_CA,O=Bizco,C=US
• Submit to CA = BizcoCA
• Signature Type = RSA
• Click Add.
• Click the Save icon to save your changes.
At this point the Status field for this certificate will be PENDING: the request has been sent to the CA, but the certificate has not yet been issued. The status remains PENDING until the CA administrator approves your request.
• Click Query. This queries the CA to see if the certificate has been approved. If so, the Status field changes to SIGNED and the certificate is imported.
Note: The Sidewinder G2 automatically queries the CA every 15 minutes to see if the request has been accepted. If it has, the Sidewinder G2 retrieves the resulting certificate.
c On the Remote Identities tab, click New and create one or more identities that define who is authorized to use this VPN.
• Identity Name = Sales_force
• Distinguished Name: CN=*,OU=sales,O=bizco,C=us
• Click Add.
• Click Close.
• Click the Save icon to save your changes.
The wildcard in CN matches any common name, so every certificate issued by BizcoCA with OU=sales,O=bizco,C=us is accepted on this VPN. Make sure the CA issues such certificates only to the users you intend to admit.
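To see exactly which certificates the Sales_force identity admits, the following Python snippet reconstructs the matching rule the text implies: the subject's attributes must appear in the same order as the identity's, every non-wildcard value must match ignoring case (the guide writes C=us for the identity and C=US for the certificates), and "*" matches any value. This is an added example and an assumption about how a remote identity is evaluated, not Sidewinder G2's own implementation; the sample subjects are constructed.

```python
"""Remote identity matching: which certificate subjects does the wildcard DN
CN=*,OU=sales,O=bizco,C=us admit? Added example; the rule is an assumption
about how the guide's identities behave, not Sidewinder G2 code."""
import fnmatch


def parse_dn(dn: str) -> list:
    """Split 'CN=Sales_A,OU=sales,O=bizco,C=US' into [('cn', 'Sales_A'), ...].
    A backslash escapes the next character, so 'CN=Smith\\, John' keeps its comma."""
    rdn_strings, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdn_strings.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdn_strings.append("".join(current))
    rdns = []
    for rdn in rdn_strings:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def identity_matches(identity_dn: str, subject_dn: str) -> bool:
    """True when the subject has the same attribute sequence as the identity and
    each identity value is '*' (or another glob) or equals the subject's value
    ignoring case. A subject with a missing or extra RDN (no OU at all) never matches."""
    pattern, subject = parse_dn(identity_dn), parse_dn(subject_dn)
    if len(pattern) != len(subject):
        return False
    return all(p_attr == s_attr and fnmatch.fnmatchcase(s_val.lower(), p_val.lower())
               for (p_attr, p_val), (s_attr, s_val) in zip(pattern, subject))


def admitted(identity_dn: str, subject_dns) -> list:
    """Filter a batch of certificate subjects (e.g. the CA's issued list) down to
    those this identity would let onto the VPN."""
    return [s for s in subject_dns if identity_matches(identity_dn, s)]


if __name__ == "__main__":
    # Constructed subjects, as a CA might have issued them.
    issued = ["CN=Sales_A,OU=sales,O=bizco,C=US",
              "CN=Sales_B,OU=sales,O=bizco,C=us",
              "CN=Eve,OU=marketing,O=bizco,C=US",     # wrong OU
              "CN=Eve,O=bizco,C=US",                  # no OU at all
              "CN=Mallory,OU=sales,O=evilco,C=US"]    # wrong O
    for subject in admitted("CN=*,OU=sales,O=bizco,C=us", issued):
        print("admitted:", subject)
```

Run against the constructed list, only Sales_A and Sales_B are admitted. The check is purely on the subject name; it is the CA, not the identity, that guarantees nobody outside the sales group ever receives a certificate with OU=sales, which is why the CA's enrollment process deserves as much scrutiny as the firewall configuration.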
2 In the Admin Console, select VPN Configuration > Client Address Pools, and then click New to create a new client address pool.
A client address pool lets you define which local networks the clients can access. For this example, assume you want to permit access to the 250.1.1.0 network but not the 192.168.182.0 network.
Note: Your client software must support this capability. SafeNet SoftRemote currently does not; it must be manually configured with information about the locally protected subnet.
a Enter New Pool Name = SalesPool
b Virtual Subnet = 10.1.1.0/24
c Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click Add.
d Click Add to add the new pool.
Note: The IP Address and Number of Bits in Netmask fields work in concert to determine the network portion of the addresses in the pool as well as the total number of addresses in the pool. The values shown here provide 254 possible addresses, 10.1.1.1–10.1.1.254; 10.1.1.0 and 10.1.1.255 are the network and broadcast addresses and are not assigned to clients. Modify these two values as appropriate for your situation.
e On the Servers tab: If the client software you are using supports this mode-config capability, specify your internal DNS and WINS servers here.
f Click Add.
g Click the Save icon to save your changes.
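The pool-sizing notes in Scenario 2 (10.1.1.32/27) and in this scenario (10.1.1.0/24) come down to the same arithmetic: the pool hands out the host addresses of the virtual subnet, excluding the network and broadcast addresses. The following Python script is an added example, not part of the guide or of Sidewinder G2; it computes the usable range for a pool and flags the mistakes an administrator is most likely to make in the Client Address Pools window: host bits set in the IP Address field, a pool too small for the expected number of clients, and a virtual subnet that overlaps a local subnet. The 250.1.1.0/24 and 192.168.182.0/24 networks are the guide's; the client counts are assumptions.

```python
"""Client address pool sizing and sanity checks. Added example, not part of
the guide; the client counts and the wording of the problems are assumptions."""
import ipaddress


def pool_addresses(virtual_subnet: str):
    """(first, last, count) of addresses a pool on this virtual subnet can hand
    out: the host addresses, excluding network and broadcast. 10.1.1.32/27
    therefore gives 10.1.1.33-10.1.1.62, thirty addresses rather than thirty-two."""
    network = ipaddress.ip_network(virtual_subnet, strict=False)
    hosts = list(network.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def check_pool(virtual_subnet: str, local_subnets, expected_clients: int) -> list:
    """Return human-readable problems with a proposed pool, or [] if it is fine:
    host bits set in the IP Address field, too few addresses for the expected
    clients, or a virtual subnet overlapping a local subnet the clients will
    reach (which would make the clients' routes to that subnet ambiguous)."""
    problems = []
    network = ipaddress.ip_network(virtual_subnet, strict=False)
    if network.with_prefixlen != virtual_subnet:
        problems.append(f"{virtual_subnet} has host bits set; the pool network is {network}")
    first, last, count = pool_addresses(virtual_subnet)
    if count < expected_clients:
        problems.append(f"{network} offers {count} addresses ({first}-{last}) "
                        f"for {expected_clients} clients")
    for local in local_subnets:
        local_net = ipaddress.ip_network(local, strict=False)
        if network.overlaps(local_net):
            problems.append(f"{network} overlaps local subnet {local_net}")
    return problems


if __name__ == "__main__":
    local_subnets = ["250.1.1.0/24", "192.168.182.0/24"]     # the guide's networks
    for pool, clients in [("10.1.1.32/27", 25), ("10.1.1.16/28", 20),
                          ("10.1.1.0/24", 200), ("250.1.1.128/25", 50)]:
        print(pool, pool_addresses(pool), check_pool(pool, local_subnets, clients) or "ok")
```

The last sample pool, 250.1.1.128/25, is large enough but is carved out of the trusted network itself; the check reports the overlap, which is the kind of mistake that only shows up later as clients that can reach some 250.1.1.0 hosts but not others.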
3 In the Admin Console, select VPN Configuration > Security Associations, and then click New to configure a new association.
a On the General tab:
• Name = Large_scale_sales
• Encapsulation = Tunnel
• Mode = Dynamic IP Restricted Client
• Enabled = Yes
• Burb = Virtual
• Local IP = localhost
• Client Address Pool = SalesPool (the pool created in step 2)
b On the Authentication tab:
• Authentication method = Certificate + Certificate Authority
• Firewall Certificate = BizcoFW_by_CA (created in step 1b)
• Certificate Authorities = BizcoCA (created in step 1a)
• Remote Identities = Sales_force (created in step 1c)
c On the Crypto tab: Order the algorithms to match those of the client.
d On the Advanced tab: No changes needed.
e Click Add to save the new VPN association.
f Click the Save icon to save your changes.
4 In the Admin Console, select Services Configuration > Certificate Management. On the Remote Certificates tab, click New and create a certificate for a client by specifying the following:
Note: You can skip this step and step 5 for those clients that have online access to the CA. These clients can create and retrieve their own certificates.
• Certificate Name = Sales_A
• Distinguished Name: CN=Sales_A,OU=sales,O=bizco,C=US (the OU, O and C must match the remote identity created in step 1c, or the client will be refused)
• Submit to CA = BizcoCA
• Signature Type = RSA
• Private Key: Click Browse and specify where you want to save the private key associated with this certificate. In this scenario it is common to save the private key to the same location as the exported firewall certificate.
• Certificate: Click Browse and specify where you want to save this certificate. In this scenario it is common to save the certificate to the same location as the private key and the exported firewall certificate.
• Click Add.
• Click the Save icon to save your changes.
5 In the Admin Console, select Services Configuration > Certificate Management. Export the CA certificate and the firewall certificate to the same location used in step 4.
a On the Certificate Authorities tab, select the CA certificate you created in step 1a, then click Export and export the certificate by specifying the following:
• Destination = File
• Generated CA Certificate File: Click Browse and specify where you want to save the CA certificate. Add the .pem extension to the file name.
• Click OK.
b [Optional] On the Firewall Certificates tab, select the firewall certificate you created in step 1b, then click Export and export the certificate by specifying the following:
• Destination = File
• Export Firewall Certificate to File: Click Browse and specify where you want to save the firewall certificate. Add the .pem extension to the file name.
• Click OK.
6 Repeat steps 4 and 5 for each remote client.
When you are finished, your storage location should have four items for each remote client: the CA certificate, the firewall certificate, the unique private key for the client, and the remote certificate for the client.
Summary
Sidewinder G2 is ready to accept connections across this VPN as soon as the remote clients are configured. To configure its end of the VPN connection, each client needs the client-specific certificate and private key saved in step 4 as well as the firewall and CA certificates exported in step 5. If you saved this information to removable media, you can distribute it in person or by mail, or perform the imports while the machine is within a trusted network. It is not safe to distribute certificate and private key information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating the VPN association in a virtual burb. Proxies and rules must be configured to specify what access the VPN clients have to the trusted network.
CHAPTER 15
Configuring the SNMP Agent
In this chapter...
SNMP and Sidewinder G2 ... 464
Setting up the SNMP agent on Sidewinder G2 ... 467
About the management station ... 470
Communication with systems in an external network ... 471
Chapter 15: Configuring the SNMP Agent
SNMP and Sidewinder G2
Figure 194: Managing distributed systems using SNMP
This section introduces SNMP concepts and explains how to configure the Sidewinder G2 SNMP agent. It also explains what needs to be done to allow Sidewinder G2 to send or route messages to remote systems in an external network.
Sidewinder G2 supports SNMPv1 and SNMPv2c. SNMP is the industry standard for network management. You can set up SNMP agent software that allows the Sidewinder G2 to be monitored by SNMP-compliant network management stations located on an internal or external network. You can also configure the Sidewinder G2 to route SNMP messages between a management station inside the Sidewinder G2 and an SNMP agent on a system in an external network.
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is allowed to operate on the Sidewinder G2, access through other burbs is supported using the UDP proxy. In addition, SNMP will only accept requests addressed to the first interface in a burb.
SNMP basics
A network that is managed using SNMP involves two primary components: a manager (management station) and a number of managed nodes. The management station is typically a PC or UNIX workstation running network management software such as Hewlett-Packard's OpenView Windows or Novell ManageWise. Managed nodes are networking devices such as routers or Sidewinder G2s that contain an SNMP agent. Figure 194 shows a management station communicating with SNMP nodes to obtain network configuration information.
(Figure 194 diagram: an SNMP management station communicates with three managed nodes, a Sidewinder G2, a router and a server.)
Figure 195: Community name within an SNMP message
The management station displays a graphical representation of a network's topology through a Windows-based environment. In general, network managers can monitor each SNMP node (including the Sidewinder G2) by clicking an icon representing each node in the network's topology.
A management station in the internal or external network can request information from a managed node's SNMP agent. The management station sends the managed node Get and GetNext SNMP messages to retrieve node-specific parameters and variables, called objects. The response from the managed system provides the SNMP administrator with information on a node's device names, status, network connections, etc.
Important: SNMPv1 agents typically allow Get, GetNext, and Set requests from the management station. However, the Sidewinder G2 SNMPv1 agent does not support Set requests. This prevents a management system from sending commands to change variables or parameters in the Sidewinder G2.
Each managed node can send an unsolicited event notification message, called a trap, to a management station when it detects certain system events. For example, you can configure the SNMP agent in the Sidewinder G2 to issue a trap whenever an unauthorized user tries to read, write, or execute a protected file on the Sidewinder G2. (Refer to "Sidewinder G2 SNMP traps" on page 579 for a list of all traps supported by Sidewinder G2.)
When setting up SNMP management, a network administrator assigns the management station and the nodes it will manage a community name. As shown in Figure 195, the community name is in the authentication header of each SNMP message exchanged between a management station and a managed node.
(Figure 195 layout: VERSION | COMMUNITY NAME | SNMP COMMAND: GET, GETNEXTREQUEST, ETC.)
The SNMP agent treats the community name like a password to validate the identity of a management station. For example, suppose a management station sends a Get request to retrieve information from a managed node's SNMP agent. If the community name within the Get request is not one the SNMP agent is configured to accept, the agent will not return information to the management station.
Caution: To increase security on your network, do not use common default names such as "public" or "private," which can be easily guessed. Note also that SNMPv1 and SNMPv2c carry the community name in cleartext, so anyone who can capture traffic between the management station and the agent can read it. Restrict SNMP access to the management stations' addresses (see "Setting up the SNMP agent on Sidewinder G2" on page 467) rather than relying on the community name alone.
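The layout in Figure 195 and the password-like role of the community name are easiest to appreciate on the wire. The following Python script, an added example that is not part of the guide, builds an SNMPv1 GetRequest for the MIB-II object sysDescr.0 byte by byte (the BER encoding is done by hand, no SNMP library is used), parses it back, applies the acceptance rule the text describes (known community, no Set), and shows that the community name sits in the datagram unencrypted. The community name s3cret-mgmt and the allowed-community set are made up for the example; the acceptance function is an illustration of the described behaviour, not Sidewinder G2 code.

```python
"""SNMP GetRequest on the wire: hand-rolled BER, a parser, and the agent's
community check. Added example; s3cret-mgmt is a made-up community name."""

GET_REQUEST, GET_NEXT_REQUEST, SET_REQUEST = 0xA0, 0xA1, 0xA3   # PDU tags
SNMP_V1, SNMP_V2C = 0, 1                                       # version field values
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"                             # MIB-II system.sysDescr.0


def _length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def _integer(value: int) -> bytes:
    """ASN.1 INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_request(community: str, oids, request_id: int = 1,
                  pdu_type: int = GET_REQUEST, version: int = SNMP_V1) -> bytes:
    """Message ::= SEQUENCE { version, community OCTET STRING,
    [pdu_type] { request-id, error-status, error-index, VarBindList } }"""
    varbinds = b"".join(_tlv(0x30, _oid(o) + _tlv(0x05, b"")) for o in oids)  # OID + NULL value
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_message(msg: bytes) -> dict:
    """Decode the fields Figure 195 shows (version, community, command) plus request-id and OIDs."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_type, pdu, _ = _read_tlv(body, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)                     # error-status
    _, _, pos = _read_tlv(pdu, pos)                     # error-index
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        oids.append(_read_oid(_read_tlv(varbind, 0)[1]))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_type": pdu_type,
            "request_id": int.from_bytes(request_id, "big", signed=True), "oids": oids}

def agent_decision(msg: bytes, allowed_get_communities) -> str:
    """The acceptance rule the text describes (illustration, not Sidewinder code): unknown
    community -> drop and raise the authentication-failure trap condition; Set -> drop."""
    m = parse_message(msg)
    if m["version"] not in (SNMP_V1, SNMP_V2C):
        return "drop: unsupported version"
    if m["community"] not in allowed_get_communities:
        return "drop: bad community (authentication failure trap)"
    if m["pdu_type"] == SET_REQUEST:
        return "drop: Set not supported"
    return "answer"

def community_is_cleartext(msg: bytes, community: str) -> bool:
    """The community name sits verbatim in the datagram: one sniffed request reveals it."""
    return community.encode() in msg
```

Calling build_request("public", [SYSDESCR_OID]) yields the 40-byte message 30 26 02 01 00 04 06 "public" a0 19 ..., where the version INTEGER and the community OCTET STRING precede the GetRequest PDU exactly as Figure 195 draws them; community_is_cleartext() confirms the point the Caution makes, and agent_decision() shows why a non-default community only helps against guessing, not against a sniffer.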
Both the management station and the managed node also contain Management Information Bases (MIBs) that store information about the managed objects. Currently, the SNMP agent on Sidewinder G2 supports standard MIB-II objects, the Host Resources MIB (RFC 1514), and the Sidewinder G2-specific MIB objects. MIBs are discussed in greater detail in "Sidewinder G2 SNMP MIBs" on page 466.
Note: The MIBs used for compiling the SNMP agent for the Sidewinder G2 are located in /etc/sidewinder/snmp.
If you need more information on SNMP, an excellent source is Managing Internetworks with SNMP by Mark A. Miller, P.E. (M&T Books).
Sidewinder G2 SNMP traps
An SNMP trap is an alert message that is sent as an unsolicited transmission of information from a managed node (router, Sidewinder G2, etc.) to a management station. Most management stations can be configured to either (1) display received traps in a pop-up window, or (2) automatically dial a phone number, such as a pager number.
The Sidewinder G2 SNMP agent supports a basic trap, called the ColdStart trap, that is sent whenever Sidewinder G2's SNMP agent is enabled. It is also sent if the Admin Console modifies the SNMP configuration file (/etc/sidewinder/snmp/snmpd.conf). You cannot disable the ColdStart trap.
You also have the option to configure Sidewinder G2 to send audit alert SNMP traps when an audit event triggers a response in Sidewinder G2. Additional information about requesting and configuring SNMP traps is available in "Sidewinder G2 SNMP traps" on page 579.
Sidewinder G2 SNMP MIBs
Management Information Bases (MIBs) are associated with both the management station and the SNMP agent in the Sidewinder G2. The Sidewinder G2 SNMP agent supports two MIB structures (as well as a Host MIB).
• mib2: the standard SNMP MIB as defined in RFC 1213.
• sccMibSw: a Sidewinder G2-specific MIB provided by Secure Computing Corporation. Figure 196 shows the location of the Sidewinder G2 MIB structures within the SNMP root hierarchy.
Note: MIBs that are used to compile the SNMP agent for the Sidewinder G2 are located in /etc/sidewinder/snmp.
All individual objects (parameters and variables) managed by an SNMP management station are part of an object group within a MIB. For example, the swProxy group stores information about currently defined proxies on the system. The information might include the proxy name and the current status of the proxy.
Figure 196: MIBs supported by the Sidewinder G2 SNMP agent
(Figure 196 tree:)
iso
  org
    dod
      internet
        mgmt
          mib2: system, interfaces, ip, icmp, tcp, udp, snmp
        private
          enterprises
            scc
              sccMibs
                sccMibSw: swProxy, swBurb
Setting up the SNMP agent on Sidewinder G2
When a management station requests information from the Sidewinder G2 SNMP agent, the SNMP agent may or may not associate the returned information with a specific burb.
Note: A burb is a type-enforced network area used to isolate network interfaces from each other. A burb is identified by a unique name (internal, external, etc.) as assigned during the Sidewinder G2 installation process.
This section explains how to use the Admin Console to configure the SNMP agent on the Sidewinder G2.
The SNMP agent may be enabled in any single burb that is not the Firewall burb. It cannot be enabled on multiple burbs. To allow SNMP management stations that reside in other burbs to reach the SNMP agent, you must create an allow rule for SNMP and enable the SNMP proxy in the appropriate burb(s). The source of this rule should be a network object group that contains only the SNMP management stations' IP addresses, so that the proxy does not expose the agent to every host in the source burb. The destination should specify the IP address of the burb in which SNMP is running. For information on configuring network objects, see "Displaying network objects and netgroups" on page 139. For information on configuring an SNMP Application Defense, see "Creating SNMP Application Defenses" on page 198.
Note: If you are configuring SNMP on a Sidewinder G2 that is part of an HA cluster, all Sidewinder G2 queries must use the HA cluster address.
Figure 197: SNMP Configuration window
Entering information on the SNMP Server Configuration tab
To set up the SNMP agent, in the Admin Console select Services Configuration > Servers. Select snmpd in the list of server names, and then click the Configuration tab. The window shown in Figure 197 appears.
This window is used to enter configuration information for the SNMP agent. Follow the steps below.
1 [Optional] In the Location field, type a description of the physical location of your Sidewinder G2.
2 [Optional] In the Contact field, type your Sidewinder G2 administrator user name.
3 In the Enable Authentication Failure Trap field, select Yes to enable authentication failure traps, or No to disable them. If you select Yes, the Sidewinder G2 sends an authentication failure trap to all configured trap destinations whenever it receives a Get request whose community name is not in the allowed list. These traps are worth enabling: a burst of them is a direct sign that someone is guessing community names.
4 The Allowed Get Communities list shows all of the community names authorized to retrieve MIB information. The community name is part of the authentication header in all SNMP messages. The Sidewinder G2 SNMP agent checks the community name in every SNMP message it receives to verify the identity of a manager.
To add, modify, or delete communities, use the New, Modify, and Delete buttons located directly beneath the list. See "Defining a community name" on page 469 for information on adding or modifying a community name.
Note: The SNMP daemon will not start unless a community name is specified. If you do not specify an Allowed Get Community name, the only Allowed Get Community is the default, "public"; replace it with a name of your own, as the Caution above advises.
Chapter 15: Configuring the SNMP Agent
5 In the Trap Destinations field, you can view all of the hosts that will receive traps generated by the Sidewinder G2 SNMP agent. To add, modify, or delete trap destinations, use the New, Modify, and Delete buttons located directly beneath the list. See “Defining a trap destination” on page 469 for information on adding a new trap destination name or IP address.
Note: By default, if you do not specify a trap destination community name, the Sidewinder G2 uses the community name “public.”
6 Click the Save icon in the toolbar to apply the changes. If the SNMP agent is enabled, a ColdStart trap is issued to all configured trap destinations whenever you save configuration changes.
Defining a community name
The Allowed Get Community window enables you to add or modify names in the list of authorized community names. As an SNMP agent, the Sidewinder G2 will only respond to requests from management stations that belong to a community in this list. Follow the steps below.
1 In the Community Name field, type the name you want added to the list of allowed communities.
2 Click Add to add the community to the list (or OK if you are modifying a community) and return to the Configuration tab.
Defining a trap destination
The Trap Destination window enables you to define a new host or to modify an existing host in the Trap Destination list. The hosts in this list will receive traps issued by the Sidewinder G2. Follow the steps below.
1 In the Host Name or Address field, type the name or IP address of the host you want added to the Trap Destinations list.
2 [Optional] In the Community name field, type the community name associated with this host.
3 Click Add to add the trap destination to the list (or OK if you are modifying a trap destination) and return to the Configuration tab.
Enabling/disabling the SNMP server
Perform the following steps to enable or disable the SNMP server.
1 Define an allow all rule for the SNMP agent. SNMP queries will not be allowed through the Sidewinder G2 until this rule is part of the active rule group. For information on creating rules, see “Creating proxy rules” on page 222.
2 In the Admin Console select Services Configuration > Servers.
3 Select snmpd from the list of server names, and then click the Control tab. Select the burb for which the SNMP agent will be enabled or disabled. The SNMP agent can only be enabled for one burb, and it cannot be enabled for the Firewall burb. Enabling the SNMP server will cause the Sidewinder G2 to send a ColdStart trap to the management station(s).
4 Click the Save icon.
About the management station
The administrator of the SNMP management station should be made aware of the following in order to retrieve information from the Sidewinder G2 SNMP agent:
• Sidewinder G2 host name or IP address
This is needed to set up communication with the Sidewinder G2. Note the following:
– If the burb in which the SNMP agent is running contains more than one interface, specify the address of the first interface in the burb. The SNMP agent will only respond on the first interface in the burb.
– If you are using High Availability (HA), specify the shared HA common IP address or host name, not the actual interface address or host name.
• Community names configured in the Sidewinder G2 SNMP agent
This is needed to allow the management station to retrieve MIB objects from the SNMP agent.
• MIB information
This may be needed to properly translate the object identifiers. Be sure to inform the administrator that the Sidewinder G2 supports the Host Resources MIB.
Important: On the Sidewinder G2, all Secure Computing Corporation MIB files are located in the /etc/sidewinder/snmp directory. If for some reason these files cannot be accessed from the Sidewinder G2, they can be downloaded via an FTP client or Web browser. The MIB files are scc-mib and scc-sw-mib.
To retrieve the files using anonymous FTP, use an FTP client and log into ftp.securecomputing.com. The directory where the files are located is /pub/mibs. To retrieve the files using a Web browser, point the browser to ftp://ftp.securecomputing.com/pub/mibs/.
Communication with systems in an external network
Figure 198: Sidewinder G2 serving as an SNMP agent for internal or external management station
You can route (or forward) SNMP messages between a management station behind the Sidewinder G2 and any SNMP managed node on the other side of the Sidewinder G2. You can also allow an external management station to access the Sidewinder G2 SNMP agent. Both of these scenarios require the use of a UDP proxy.
Important: A UDP proxy is not needed to allow the Sidewinder G2 SNMP agent to communicate with a management station in an internal network (behind the Sidewinder G2).
Figure 198 summarizes which SNMP configurations require you to configure a UDP proxy.
[Figure 198: an internal SNMP management station (OpenView) on the internal network reaches the SNMP agent with no proxy needed; an external SNMP management station on the Internet reaches the SNMP agent through the UDP proxy on the external network.]
The Sidewinder G2 UDP proxy sends SNMP requests and messages via UDP port 161. The Sidewinder G2 UDP proxy sends SNMP traps to an external management station via UDP port 162.
The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is allowed to operate on the Sidewinder G2, access through other burbs is supported using the UDP proxy.
Note: Refer to “Setting up a new proxy” on page 270 for information on configuring a UDP proxy.
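A trap destination receives the ColdStart and authentication failure traps described in this chapter as SNMPv1 Trap-PDUs on UDP port 162. The following decoder is an added example, not code from this guide or from the Sidewinder G2 software: it parses such a message and labels those two trap types; the sample traps are constructed inline, and the enterprise OID 1.3.6.1.4.1.32473 is the RFC 5612 documentation value, not Secure Computing's.

```python
# Decoder for the SNMPv1 traps an agent sends to its trap destinations
# (added example; the sample traps below are constructed, and the
# enterprise OID 1.3.6.1.4.1.32473 is the RFC 5612 documentation value).
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss",
                 6: "enterpriseSpecific"}


def _tlv(tag, payload):
    """BER-encode one tag/length/value triple (definite length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the size of the length field
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_int(b):
    return int.from_bytes(b, "big", signed=True)


def _decode_oid(b):
    """Decode a BER object identifier (the first byte packs the first two arcs)."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_v1_trap(msg):
    """Return the fields of an SNMPv1 Trap-PDU (RFC 1157) as a dict."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    _, version, pos = _read_tlv(body, 0)
    if _decode_int(version) != 0:
        raise ValueError("not an SNMPv1 message")
    _, community, pos = _read_tlv(body, pos)  # the 'authentication header'
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag != 0xA4:  # context tag [4] marks a Trap-PDU
        raise ValueError("not a Trap-PDU")
    _, enterprise, p = _read_tlv(pdu, 0)
    _, agent_addr, p = _read_tlv(pdu, p)
    _, generic, p = _read_tlv(pdu, p)
    _, specific, p = _read_tlv(pdu, p)
    _, ticks, p = _read_tlv(pdu, p)
    return {"community": community.decode("ascii", "replace"),
            "enterprise": _decode_oid(enterprise),
            "agent_addr": ".".join(str(x) for x in agent_addr),
            "generic_trap": GENERIC_TRAPS.get(_decode_int(generic), "unknown"),
            "specific_trap": _decode_int(specific),
            "uptime_ticks": _decode_int(ticks)}


def classify(trap):
    """Describe a parsed trap the way a trap receiver would log it."""
    kind, src = trap["generic_trap"], trap["agent_addr"]
    if kind == "coldStart":
        return f"coldStart from {src}: agent enabled or its configuration saved"
    if kind == "authenticationFailure":
        return (f"authenticationFailure from {src}: a request used a community "
                f"name that is not in the Allowed Get Communities list")
    return f"{kind} from {src}"


def build_v1_trap(community, agent_addr, generic_trap):
    """Construct a sample SNMPv1 trap so the decoder can be exercised offline."""
    enterprise = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xFD, 0x59])  # 1.3.6.1.4.1.32473
    pdu = (_tlv(0x06, enterprise)
           + _tlv(0x40, bytes(int(x) for x in agent_addr.split(".")))  # IpAddress
           + _tlv(0x02, bytes([generic_trap]))  # generic-trap
           + _tlv(0x02, b"\x00")  # specific-trap
           + _tlv(0x43, b"\x00")  # TimeTicks (sysUpTime)
           + _tlv(0x30, b""))  # empty variable-bindings
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))


if __name__ == "__main__":
    # Constructed samples; the agent address is taken from the example tables in this guide.
    for kind in (0, 4):
        print(classify(parse_v1_trap(build_v1_trap("public", "10.1.182.15", kind))))
```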
Chapter 16: One-To-Many Clusters
In this chapter...
Overview ......................................................................................474
Example scenario using a One-To-Many cluster..........................476
Configuring One-To-Many ............................................................477
Understanding the One-To-Many tree structure ...........................484
Overview
If your organization uses two or more Sidewinder G2s, the One-To-Many feature allows you to easily manage your Sidewinder G2s at one time. Changes you make in the Admin Console to your primary Sidewinder G2 are automatically replicated to each secondary Sidewinder G2. The changes are made to each secondary Sidewinder G2 immediately, in real time.
Figure 199: A typical One-To-Many and Cloning implementation
You are most likely to use One-To-Many if you are managing several Sidewinder G2s that are located in the same network, which is the case if you are using load balancing hardware. This scenario is depicted in Figure 199.
Note: When implementing One-To-Many, the preferred setup is to configure each Sidewinder G2 with a dedicated cluster burb, allowing all communication between cluster Sidewinder G2s to be contained within its own burb.
[Figure 199 shows a Sidewinder G2 administrator on your local network, load balancing hardware on the local-network side, a Primary and two Secondary Sidewinder G2s, and load balancing hardware on the Internet side.]
The One-To-Many feature is implemented in a “clustering” scheme. Clustering is used when you introduce a load balancing tool (as shown in Figure 199) into your network. All of the Sidewinder G2s reside in the same network and are basically either backups of one another or are being used to share the network load. In this scenario, each Sidewinder G2 will have the same basic configuration (excluding host names and IP addresses).
Tip: If you require centralized management to handle many Sidewinder G2s across multiple networks, you may want to consider implementing the Sidewinder G2 Enterprise Manager INSTEAD of using One-To-Many. For information on the Sidewinder G2 Enterprise Manager, go to Secure Computing’s Web site at www.securecomputing.com.
Considerations when using One-To-Many
Please note the following considerations when using One-To-Many.
• All Sidewinder G2s must be at the same version level.
• You can define only one primary Sidewinder G2 for each cluster.
• A Sidewinder G2 that is part of an HA cluster cannot participate in a One-To-Many cluster.
• You cannot use a G2 Enterprise Manager to manage a Sidewinder G2 that belongs to a One-To-Many cluster.
• DNS services must be configured identically on all Sidewinder G2s that are part of the cluster.
• You should not connect directly to a Sidewinder G2 that is designated as a secondary Sidewinder G2, unless you are configuring DNS.
• See “Understanding the One-To-Many tree structure” on page 484 for details on configuring non-synchronized areas for secondary Sidewinder G2s.
• If you have VPNs configured, you must ensure that your load balancers are configured to send all traffic for a given VPN security association to a single Sidewinder G2 within the cluster.
• The burb names must be identical for each Sidewinder G2.
• The corresponding burbs and NICs on each Sidewinder G2 must all be on the same networks. For example:
Burb      Primary A        Secondary B      Secondary C
Internet  10.1.182.15      10.1.182.25      10.1.182.35
Web       192.168.183.15   192.168.183.25   192.168.183.35
Cluster   192.168.184.15   192.168.184.25   192.168.184.35
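The considerations above can be checked before any member is joined. The following is an added example, not part of this guide or of the Sidewinder G2 software; it treats the first member listed as the primary and assumes /24 networks, since the table gives addresses without masks.

```python
import ipaddress

# Constructed from the example table above. The version, the HA flag and the
# /24 prefix are assumptions; the guide gives burb addresses only.
MEMBERS = {
    "Primary A": {"version": "6.1.2", "ha": False, "burbs": {
        "Internet": "10.1.182.15", "Web": "192.168.183.15", "Cluster": "192.168.184.15"}},
    "Secondary B": {"version": "6.1.2", "ha": False, "burbs": {
        "Internet": "10.1.182.25", "Web": "192.168.183.25", "Cluster": "192.168.184.25"}},
    "Secondary C": {"version": "6.1.2", "ha": False, "burbs": {
        "Internet": "10.1.182.35", "Web": "192.168.183.35", "Cluster": "192.168.184.35"}},
}

# A constructed bad case: C runs another version and its Web burb sits on a
# different network, so its replicated rules would not match its interfaces.
BAD_MEMBERS = {
    "Primary A": MEMBERS["Primary A"],
    "Secondary B": MEMBERS["Secondary B"],
    "Secondary C": {"version": "6.1.1", "ha": False, "burbs": {
        "Internet": "10.1.182.35", "Web": "192.168.185.35", "Cluster": "192.168.184.35"}},
}


def check_cluster(members, prefixlen=24):
    """Return a list of violations of the One-To-Many considerations above.

    The first entry is treated as the primary. An empty list means every
    member is at the same version, is not in HA, has identical burb names,
    has each corresponding burb on the same network, and shares no address.
    """
    problems = []
    names = list(members)
    primary, ref = names[0], members[names[0]]
    for name in names:
        if members[name]["ha"]:
            problems.append(f"{name}: is part of an HA cluster and cannot join One-To-Many")
    for name in names[1:]:
        m = members[name]
        if m["version"] != ref["version"]:
            problems.append(f"{name}: version {m['version']} differs from {primary} ({ref['version']})")
        if set(m["burbs"]) != set(ref["burbs"]):
            problems.append(f"{name}: burb names {sorted(m['burbs'])} differ from {sorted(ref['burbs'])}")
    for burb, addr in ref["burbs"].items():
        net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
        seen = {addr: primary}
        for name in names[1:]:
            other = members[name]["burbs"].get(burb)
            if other is None:
                continue  # already reported as a burb-name mismatch
            if ipaddress.ip_address(other) not in net:
                problems.append(f"{name}: burb {burb} address {other} is not on {net} like {primary}")
            if other in seen:
                problems.append(f"{name}: burb {burb} address {other} duplicates {seen[other]}")
            seen[other] = name
    return problems


if __name__ == "__main__":
    for label, cluster in (("good", MEMBERS), ("bad", BAD_MEMBERS)):
        print(label, check_cluster(cluster) or "OK")
```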
Using IP aliases, redirected addresses, and multiple address translation in proxy rules
If you use IP aliases, redirected addresses, or multiple address translation (MAT) in any of the rules created on either the primary Sidewinder G2 or on a secondary Sidewinder G2, this may cause problems in a One-To-Many cluster. This is because IP aliases, redirected addresses, and MAT define addresses that are specific to a Sidewinder G2. A Sidewinder G2 that requires a unique IP address in a rule is not a good candidate for inclusion in a One-To-Many relationship.
However, if a Sidewinder G2 uses IP aliases or redirected addresses, you can still include it in a One-To-Many cluster by doing the following:
Note: This procedure will not work with MAT.
1 Define a group that contains all the alias IP addresses and redirected addresses used by your Sidewinder G2s.
2 Use the group name in the rule rather than the specific IP address. The group name will replace the unique IP alias or a redirected address in the rule.
Example scenario using a One-To-Many cluster
In the following example, there are three Sidewinder G2s protecting a local network. Network traffic is load balanced across the Sidewinder G2s using a load balancing tool such as Radware FireProof or F5 Networks BIG-IP® Controller, similar to the configuration depicted in Figure 199.
Because each Sidewinder G2 will be configured almost identically, the One-To-Many feature simplifies the management process. Any configuration changes you make from the primary Sidewinder G2 will automatically be implemented on each of the secondary Sidewinder G2s, ensuring that all of your Sidewinder G2s remain synchronized.
Example scenario requirements
This scenario requires the following:
• Two or more Sidewinder G2s running at the same version.
• A load balancing tool such as a Radware FireProof or F5 Networks BIG-IP® Controller.
• The IP addresses used to access each Sidewinder G2 must all reside in a burb of the same name. For example, in the sample network configuration shown in Figure 200, if you are accessing the Sidewinder G2s from the internal network, all IP addresses used to access the Sidewinder G2 must reside in the burb named internal.
Figure 200: Sample network configuration for One-To-Many
[Figure 200 shows three Sidewinder G2s (A, B, and C) between the external network 192.168.182.x and the internal network 10.1.183.x, each with burbs named external, cluster, and internal:]
Sidewinder G2   external burb    cluster burb   internal burb
A               192.168.182.1    10.1.0.1       10.1.183.1
B               192.168.182.2    10.1.0.2       10.1.183.2
C               192.168.182.3    10.1.0.3       10.1.183.3
Configuring One-To-Many
The following steps explain how to initiate a One-To-Many relationship between multiple Sidewinder G2s. Note the following before configuring your Sidewinder G2s:
• A Sidewinder G2 cannot participate in a One-To-Many relationship if it is part of an HA cluster.
• If a participating Sidewinder G2 has rules that use an IP alias or a redirect address, see “Using IP aliases, redirected addresses, and multiple address translation in proxy rules” on page 475.
Configuring a dedicated cluster burb for each Sidewinder G2
Secure Computing recommends configuring a dedicated cluster burb when setting up One-To-Many. This should be done prior to configuring your Sidewinder G2s for One-To-Many. To add and configure the cluster burb, follow the steps below.
1 Ensure that the Sidewinder G2 has an interface that can be dedicated to internal One-To-Many communication.
2 In the Admin Console, connect to the Sidewinder G2 and select Firewall Management > Burb Configuration and create a cluster burb. See “Modifying the burb configuration” on page 82 for more information.
Important: The burb name for the cluster burb must be the same for each Sidewinder G2 that will be participating in the One-To-Many cluster.
3 Click the Save icon on the toolbar.
4 Go to Firewall Administration > Interface Configuration to assign an address and the cluster burb to the appropriate interface. (Be sure to select Enable Interface.) See “Modifying the interface configuration” on page 83 for more information.
5 Click the Save icon on the toolbar. (You do not need to reboot at this time.)
6 Repeat these steps for each Sidewinder G2 that will be participating in the One-To-Many cluster.
Configuring the primary in a new One-To-Many cluster
This section provides instructions on configuring your primary for One-To-Many. Follow the steps below.
Important: It is recommended that you perform a system backup before configuring One-To-Many. See “Backing up system files” on page 638 for details.
Note: The entrelayd server will automatically become enabled in the cluster burb when you configure One-To-Many.
1 Start the Admin Console, and log into the Sidewinder G2 that will become the primary.
2 In the tool bar, select the icon to launch the State Change Wizard. (You can also access the State Change Wizard by clicking the Sidewinder G2 icon in the Admin Console tree and then clicking the Change link.) The Welcome window appears.
3 Click Next.
4 Select Not Enterprise Managed and click Next.
5 Select One-To-Many Cluster and click Next.
6 Select Create New Cluster and click Next.
7 In the One-To-Many Communication Configuration window, do the following:
a In the Cluster Burb field, select the burb that will be used for intracluster policy communication. This is generally a dedicated burb. For information on creating a dedicated cluster burb, see “Configuring a dedicated cluster burb for each Sidewinder G2” on page 477.
b In the Primary IP Address field, select the IP address of the burb you selected in step a.
Note: This address is required when you are joining additional Sidewinder G2s to the One-To-Many cluster.
8 Click Next. The State Change Summary window displays a list of the actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing, click Back to navigate to the appropriate window(s) and make the necessary changes.
When you are satisfied with the summary of changes, click Execute. A progress bar will appear while the configuration changes are made. If the transition is successful, the Success window appears displaying the new state.
To add an additional cluster member, see “Adding a secondary” on page 479.
Adding a secondary
Once you have created a One-To-Many cluster with a primary, you can add one or more secondaries to be managed. Adding a secondary to a One-To-Many cluster creates a placeholder for that Sidewinder G2 within that cluster. Once you have added the Sidewinder G2, you will need to join that Sidewinder G2 to the cluster before it can be managed by the primary.
About the One To Many Management window
Figure 201: One To Many Management window
Using the Admin Console, connect to the primary One-To-Many cluster member, and click One To Many Management in the Admin Console tree. The One To Many Management window appears.
Tip: You can also get to this window by clicking the icon in the toolbar.
In this window, you can do the following:
• Add a secondary—To add a secondary to your One-To-Many cluster, click New. The Add Cluster Members window appears. See “About the Add Cluster Member window” on page 480 for information on configuring this window.
• View the status of a One-To-Many cluster—To view the status of a One-To-Many cluster, click Cluster Status. The Cluster Member Status window appears. For information on viewing the status of a cluster, see “Viewing the status of a One-To-Many cluster” on page 481.
• Modify the primary IP address—To change the primary IP address, click Modify Primary Address. The Modify Primary Address window appears. For information on modifying the IP address to determine which Sidewinder G2 is the primary, see “Changing the primary in a One-To-Many cluster” on page 482.
About the Add Cluster Member window
This window allows you to add a secondary to a One-To-Many cluster.
Note: You will need to join the Sidewinder G2 to the One-To-Many cluster once you have added the placeholder before it can participate in the One-To-Many cluster.
1 In the Cluster Member Name field, type the name of the secondary.
2 In the IP Address field, type the IP address in the cluster burb of the secondary.
3 In the Registration Key field, create the registration key for this Sidewinder G2. This is a one-time key that you will use to register the Sidewinder G2 to the One-To-Many cluster. The key must be at least one character long and may consist of alphanumeric characters, hyphens (-), and underscores (_).
4 Click Add to return to the One To Many Management window. The secondary will appear in the One To Many Cluster Members table.
5 To register this Sidewinder G2 to a One-To-Many cluster, go to “Joining a secondary to an existing One-To-Many cluster” on page 480.
Joining a secondary to an existing One-To-Many cluster
To join a Sidewinder G2 to an existing One-To-Many cluster, follow the steps below.
1 If you have not already done so, add a placeholder for the Sidewinder G2 in the One-To-Many cluster. See “Adding a secondary” on page 479 for more information.
2 Connect to the Sidewinder G2 that will be joining the One-To-Many cluster using the Admin Console.
3 In the tool bar, select the icon to launch the State Change Wizard. (You can also access the State Change Wizard by clicking the Sidewinder G2 icon in the Admin Console tree and then clicking the Change link.) The Welcome window appears.
4 Click Next.
5 Select Not Enterprise Managed and click Next.
6 Select One-To-Many Cluster and click Next.
7 Select Join Existing Cluster and click Next.
8 In the Gathering information to join cluster window, configure the following fields:
a In the Primary IP Address field, type the IP address in the cluster burb of the primary to which you are registering the secondary.
b In the Cluster Member Name field, enter the name of the secondary that you are registering (this is the name you entered when you added the Sidewinder G2 to the One-To-Many cluster).
c In the Registration Key field, enter the registration key for this One-To-Many cluster (this is the unique, one-time key that you created for the secondary when you added it to the One-To-Many cluster).
9 Click Next. The State Change Summary window displays a list of the actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing, click Back to navigate to the appropriate window(s) and make the necessary changes.
When you are satisfied with the summary of changes, click Execute. A progress bar will appear while the configuration changes are made. If the transition is successful, the Success window appears, displaying the new state.
When the Sidewinder G2 is successfully joined to the One-To-Many cluster, it will reboot automatically. When the Sidewinder G2 reboots, it will be synchronized with the primary, and the One-To-Many cluster will appear in the Admin Console tree as a single Sidewinder G2 icon. See “Understanding the One-To-Many tree structure” on page 484 for information on managing your One-To-Many cluster.
Viewing the status of a One-To-Many cluster
To view the status of a One-To-Many cluster, using the Admin Console, connect to the primary and select One to Many Management. The One to Many Management window appears. Follow the steps below.
1 In the One to Many Management window, click Cluster Status. The Cluster Member Status window appears.
The Cluster Member Status window consists of a table that lists each Sidewinder G2 in the One-To-Many cluster by row, and provides the following information:
• Member Name—This column lists the name of each Sidewinder G2 that is included in the One-To-Many cluster.
• Registration State—This column indicates whether the Sidewinder G2 is Active (synchronized and running), Unregistered (running but not registered and synchronized), or Inactive (registered, but has not yet been initially synchronized with the primary).
• Communications—This column indicates whether a remote Sidewinder G2 is responding. A value of Up indicates that communication is available. A value of Down indicates that the Sidewinder G2 is offline or otherwise not responding.
• Policy State—This column indicates whether the Sidewinder G2 policy is synchronized with the primary. A value of Up to date indicates that the Sidewinder G2 is synchronized with the primary configuration. A value of Not up to date indicates that the Sidewinder G2 is not synchronized with the primary.
Changing the primary in a One-To-Many cluster
Under certain circumstances, you may need to designate a secondary as the primary (for example, if the primary will be down indefinitely). To transfer primary status to a secondary, follow the steps below.
Note: When you change the primary, all of the secondaries will be rebooted.
1 In the Admin Console, add a new Sidewinder G2 icon for the secondary that you want to become the primary by clicking the New Firewall icon and entering the appropriate information. (This is necessary because when you register a secondary to a One-To-Many cluster, the icon for the secondary is removed by default.)
Note: For information on adding a Sidewinder G2 to the Admin Console, see “Adding a Sidewinder G2 to the Admin Console” on page 20.
2 Connect directly to the secondary by clicking the secondary that you added in the previous step. You will receive a warning message stating that you should only modify information on the primary. Ignore this message.
3 Select the One To Many Management option at the top of the secondary tree. The One To Many Management window appears.
4 In the One To Many Cluster Member window, select Modify Primary Address. The Modify Primary Address window appears. See “About the Modify Primary Address window” on page 482.
About the Modify Primary Address window
This window allows you to select a new Sidewinder G2 to take over as the primary.
1 In the Cluster Burb drop-down list, select the cluster burb.
2 In the One to Many Primary IP Address drop-down list, select the cluster IP address for this Sidewinder G2.
3 Click OK. You will be prompted to verify your decision. Click Yes to transfer primary status to this Sidewinder G2. The secondaries that will be managed by the new primary will be rebooted at this time. When the secondaries finish rebooting, they will recognize the new primary.
Chapter 16: One-To-Many Clusters
Removing Sidewinder G2s from a One-To-Many cluster
The following procedures allow you to delete one or more Sidewinder G2s from a One-To-Many cluster. This will cause each removed Sidewinder G2 to revert to a stand-alone Sidewinder G2. Follow the steps below.
Removing a secondary from a One-To-Many cluster
To remove a secondary from a One-To-Many cluster, follow the steps below. Repeat for each secondary you want to remove.
1 Using the Admin Console, connect to the primary.
2 Select the One To Many Management option at the top of the Sidewinder G2 tree. The One To Many Cluster Management window appears.
3 Select the Sidewinder G2 that you want to remove from the cluster, and click Delete. You will be prompted to confirm your decision. Click Yes.
A pop-up window appears informing you that the secondary will be rebooted. Click OK to reboot the secondary. When the Sidewinder G2 reboots, it will no longer be part of the One-To-Many cluster and will be managed by making a direct connection to that Sidewinder G2. Changes will no longer be replicated to the Sidewinder G2. To make a direct connection to the stand-alone Sidewinder G2, you will need to create a new Sidewinder G2 icon in the Admin Console tree branch. See “Adding a Sidewinder G2 to the Admin Console” on page 20.
Removing the primary from a One-To-Many cluster
To remove the primary from a One-To-Many cluster, follow the steps below.
Note: You must remove all of the secondaries from the One-To-Many cluster before you can access the State Change Wizard to remove the primary.
1 Connect to the One-To-Many cluster using the Admin Console.
2 In the tool bar, select the icon to launch the State Change Wizard. (You can also access the State Change Wizard by selecting the dashboard at the top of the Admin Console tree and then clicking the Change link.) The Welcome window appears.
3 Click Next.
4 Select Change To Standalone Firewall.
5 Click Next. The State Change Summary window displays a list of the actions that will be performed when you click Execute.
6 When you are satisfied with the summary of changes, click Execute. A progress bar will appear while the configuration changes are made. If the transition is successful, the Success window appears, displaying the new state.
When the Sidewinder G2 is successfully removed from the One-To-Many cluster, it will reboot automatically. When the Sidewinder G2 reboots, it will be a standalone Sidewinder G2.
Understanding the One-To-Many tree structure
The Admin Console tree structure is slightly different in a One-To-Many cluster environment. When you configure One-To-Many, all Sidewinder G2s are managed within a single Admin Console connection to the primary. All secondary icons are removed from the tree.
Areas within the primary connection that are synchronized (that is, areas in which the information for all Sidewinder G2s must be the same) will appear as a single tree option within the primary. When you modify information within those areas, it will automatically be applied to all Sidewinder G2s that are part of the One-To-Many cluster.
Information specific to individual Sidewinder G2s within the One-To-Many cluster that cannot be synchronized between Sidewinder G2s (such as Configuration Backup and Audit) will include a sub-folder within the primary that provides an icon for each Sidewinder G2 in the One-To-Many cluster. To modify these features, select the individual Sidewinder G2 icon and make the changes. These changes will apply only to the Sidewinder G2 that you have selected and will not be overwritten by the primary.
Important: DNS is the only exception to this structure. To configure DNS settings on a secondary, you will need to add the secondary server icon and connect directly to that Sidewinder G2. All other features should be configured using the primary connection to avoid being overwritten. (For information on adding a Sidewinder G2 server icon, see “Adding a Sidewinder G2 to the Admin Console” on page 20.)
Figure 202 below demonstrates the difference between individually configured areas of the One-To-Many cluster (Configuration Backup and Date and Time) and a synchronized area of the One-To-Many cluster (Burb Configuration).
Figure 202: Example of an individually configured area
[Figure callouts: Burb Configuration is synchronized (changes made are sent to all Sidewinder G2s within the One-To-Many cluster, and you cannot select a Sidewinder G2). Configuration Backup and Date and Time are configured on an individual Sidewinder G2 basis.]
To modify individually configured information for a particular Sidewinder G2, simply select the icon for that Sidewinder G2 and make the desired changes. Changes to an individual Sidewinder G2 will be applied only to that Sidewinder G2 and will not be overwritten by changes made to the other Sidewinder G2s.
The following tables summarize which features are synchronized and which features are configured individually in a One-To-Many cluster:
Features that are synchronized in a One-To-Many cluster
• Policy Configuration
• Proxies
• Servers (excludes sendmail configuration files)
• Static Routing
• Authentication
• Certificate Management
• Scanner
• SmartFilter
• VPN Configuration
• IPS Attack Responses
• Burb Configuration
• System Responses
• UI Access Control
• Firewall Accounts
Features that are configured individually in a One-To-Many cluster
• Dashboard
• Servers: Sendmail only
• DNS (see note a)
• Software Management
• Audit Viewing
• Reports
• Configuration Backup
• Date and Time
• Firewall License
• Interface Configuration
• Routing (Dynamic and Routed)
• System Shutdown
• Reconfigure DNS
• Reconfigure Mail
• File Editor
a. DNS must be configured by connecting directly to the secondary. All other features listed in this table are configured using the primary connection. To connect directly to the secondary, you will need to create a new Sidewinder G2 icon for the secondary and then connect to the Sidewinder G2 using that Sidewinder G2 icon. (This is because the icon for the secondary is removed from the Admin Console tree branch when it is successfully added to a cluster.) For information on adding a Sidewinder G2 to the Admin Console, see “Adding a Sidewinder G2 to the Admin Console” on page 20.
CHAPTER 17
High Availability
In this chapter...
How High Availability works .........................................................488
HA configuration options ..............................................................489
Configuring HA.............................................................................492
Understanding the HA cluster tree structure ................................502
Managing an HA cluster ...............................................................503
How High Availability works
High Availability requires two Sidewinder G2s that can be configured either for load sharing (both the primary and secondary Sidewinder G2s actively process traffic), or with one Sidewinder G2 acting as a standby Sidewinder G2 that does not process traffic unless it is called upon to take over for the primary in the event that the current primary becomes unavailable. A cluster of Sidewinder G2s configured and registered for HA is known as an HA cluster.
As shown in Figure 203, configuring an HA cluster requires at least three burbs for each Sidewinder G2: an internal burb, an external burb, and a heartbeat burb. Creating a separate heartbeat burb allows all HA cluster traffic (including the heartbeat message as well as any stateful session IP Filter traffic) to pass between the HA cluster Sidewinder G2s in its own burb, so it does not impact regular network traffic. HA cluster Sidewinder G2s must reside on the same network. The heartbeat burbs of the HA pair must be physically connected using one of the following:
• A crossover cable (recommended)
• A straight cable, if using em interfaces
• A standard network connection using a switch
Figure 203: Basic HA configuration
[Figure: the primary Sidewinder G2 has internal burb address aaa.aaa.aaa.1, external burb address bbb.bbb.bbb.1 and heartbeat burb address ccc.ccc.ccc.1; the secondary/standby Sidewinder G2 has aaa.aaa.aaa.3, bbb.bbb.bbb.3 and ccc.ccc.ccc.3 on the same burbs; the cluster common IP addresses are aaa.aaa.aaa.5* (internal), bbb.bbb.bbb.5* (external) and ccc.ccc.ccc.5 (heartbeat); the external burb connects to the Internet.]
*In a load sharing HA cluster, the internal and external cluster common IP addresses are shared between Sidewinder G2s. In a failover HA cluster, they are assigned to the primary.
HA configuration options
To implement an HA cluster in your network, you will need one additional “cluster common” IP address for each network. The HA cluster will use these addresses as IP alias addresses. The table below summarizes the IP addresses needed for this HA configuration.
                        internal burb     external burb     heartbeat burb
primary IP              aaa.aaa.aaa.1     bbb.bbb.bbb.1     ccc.ccc.ccc.1
secondary/standby IP    aaa.aaa.aaa.3     bbb.bbb.bbb.3     ccc.ccc.ccc.3
cluster common IP       aaa.aaa.aaa.5 a   bbb.bbb.bbb.5 a   ccc.ccc.ccc.5
a. In a load sharing HA cluster, the internal and external cluster common IP addresses are shared between Sidewinder G2s. In a failover HA cluster, they are assigned to the primary.
In this example, all users in the internal or external network must use the cluster address (aaa.aaa.aaa.5 or bbb.bbb.bbb.5, respectively). Only system administrators should know about the other IP addresses. The same concept applies for DNS names.
Tip: When configuring an existing single Sidewinder G2 configuration to become an HA cluster, consider using the existing interface addresses as the cluster addresses and getting new IP addresses for the actual NICs. This lessens the impact on your users, who will not have to change their perception of the “Sidewinder G2” address.
You can configure HA to perform load sharing (with both Sidewinder G2s actively processing traffic) or failover (with one Sidewinder G2 processing traffic and the other Sidewinder G2 standing by as a hot backup). The following sections discuss each HA configuration option.
Load sharing HA
Load sharing HA, also referred to as active-active HA, consists of two Sidewinder G2s that actively process traffic in a load sharing capacity. When a secondary is registered to an HA cluster, synchronized areas will be overwritten by the HA cluster configuration to match the primary. (To determine which areas are synchronized, see “Managing an HA cluster” on page 503.) Each Sidewinder G2 maintains its own private (individual) address, the cluster common address for each interface (excluding the heartbeat interface), and any other alias addresses. The Sidewinder G2s are then able to coordinate traffic processing on a single shared IP address using a multicast Ethernet address to ensure that each connection (and the packets associated with that connection) is handled by the same Sidewinder G2. To configure load sharing HA, both Sidewinder G2s must have the same hardware configuration (e.g., CPU speed, memory, active NICs).
In a load sharing HA configuration, the primary is assigned the cluster address for the heartbeat burb as an alias, allowing it to communicate with the secondary. When the secondary or standby is brought online, it activates its interface IP addresses. The primary will then begin to “multicast” a heartbeat message. The heartbeat uses IPSec authentication (AH) to ensure that the messages are correct. The secondary “listens” for this heartbeat and sends an acknowledgement to the primary. If one of the Sidewinder G2s becomes unavailable (that is, a heartbeat message or acknowledgement is not received by a Sidewinder G2 for the specified amount of time), the remaining Sidewinder G2 takes over and assumes responsibility for processing all traffic.
If one of the Sidewinder G2s unexpectedly becomes unavailable and the remaining Sidewinder G2 takes over processing all traffic, any active proxy sessions and non-stateful IP filter sessions that were assigned to the unavailable Sidewinder G2 will be lost. IP Filter sessions that are configured for stateful session failover will not be lost.
If you know in advance that a Sidewinder G2 will need to be shut down, you can reduce the number of lost connections by scheduling the shutdown (rather than shutting down immediately). When a shutdown is scheduled for a later time, a soft shutdown will be performed to reduce the number of sessions that are lost. For information on soft shutdown, see “Scheduling a soft shutdown for an HA cluster Sidewinder G2” on page 510.
Certain connections in a load sharing HA cluster will always be assigned to the primary. For example, connections that are used for Sidewinder G2 management purposes (Admin Console, telnet, SSH) and that are addressed to the shared cluster address will be assigned to the primary. In the event that the primary becomes unavailable, new connections will be assigned to the new primary, and existing connections will remain intact. SNMP connections that are addressed to the shared address will also be assigned to the primary. Connections that are specifically addressed to an individual Sidewinder G2 address will be assigned to that Sidewinder G2.
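The ownership rules just described (management and SNMP connections to the shared cluster address go to the primary, connections addressed to one firewall's own address go to that firewall, all other traffic is load shared so that every packet of a connection lands on the same firewall, and on failover the proxy and non-stateful sessions of the failed firewall are lost while stateful-failover IP Filter sessions survive) as an added Python model. This is example code written for this page, not Sidewinder G2 code; the hash-based flow assignment stands in for the firewall's own mechanism, and the member names and 192.0.2.x addresses are constructed.

```python
"""Illustrative model of connection ownership in a load-sharing HA pair.

Added example, not Sidewinder G2 code. The hash-based flow assignment is an
assumption standing in for the firewall's own mechanism; the special cases
(management and SNMP connections to the shared address go to the primary,
individually addressed connections go to that firewall) and the session-loss
rules on failover follow the guide's description.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample addressing (documentation range, not real hosts).
CLUSTER_COMMON_IP = "192.0.2.5"          # shared "cluster common" address
MEMBERS = {"fw-a": "192.0.2.1",          # each firewall's individual address
           "fw-b": "192.0.2.3"}
MANAGEMENT_SERVICES = {"admin_console", "telnet", "ssh", "snmp"}


@dataclass(frozen=True)
class Connection:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    service: str     # e.g. "http", "ssh", "snmp"


@dataclass(frozen=True)
class Session:
    conn: Connection
    owner: str               # member currently handling the session
    kind: str                # "proxy" or "ipfilter"
    stateful_failover: bool  # only meaningful for IP Filter sessions


def flow_owner_by_hash(conn, members):
    """Deterministically map a flow to one member, so every packet of the
    connection is handled by the same firewall (assumed mechanism)."""
    key = f"{conn.proto}|{conn.src_ip}:{conn.src_port}|{conn.dst_ip}:{conn.dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    names = sorted(members)
    return names[int.from_bytes(digest[:4], "big") % len(names)]


def assign_connection(conn, members, primary):
    """Apply the ownership rules described in the guide."""
    by_ip = {ip: name for name, ip in members.items()}
    if conn.dst_ip in by_ip:                        # addressed to one firewall
        return by_ip[conn.dst_ip]
    if conn.dst_ip == CLUSTER_COMMON_IP and conn.service in MANAGEMENT_SERVICES:
        return primary                              # management/SNMP to the shared address
    return flow_owner_by_hash(conn, members)        # ordinary traffic is load shared


def failover(members, primary, failed):
    """Remove the failed member; if it was the primary, the survivor becomes
    the new primary and receives all new connections."""
    remaining = {name: ip for name, ip in members.items() if name != failed}
    new_primary = primary if primary in remaining else sorted(remaining)[0]
    return remaining, new_primary


def surviving_sessions(sessions, failed):
    """Sessions on the failed firewall are lost, except IP Filter sessions
    configured for stateful session failover."""
    kept = []
    for s in sessions:
        if s.owner != failed or (s.kind == "ipfilter" and s.stateful_failover):
            kept.append(s)
    return kept


if __name__ == "__main__":
    web = Connection("tcp", "198.51.100.8", 50000, CLUSTER_COMMON_IP, 80, "http")
    ssh = Connection("tcp", "198.51.100.7", 40000, CLUSTER_COMMON_IP, 22, "ssh")
    print("web flow owner:", assign_connection(web, MEMBERS, "fw-a"))
    print("ssh to cluster address:", assign_connection(ssh, MEMBERS, "fw-a"))
    remaining, new_primary = failover(MEMBERS, "fw-a", "fw-a")
    print("after fw-a fails, new primary:", new_primary, "members:", list(remaining))
```

Running the block prints which member each constructed flow lands on; the useful property to observe is that the same 5-tuple always returns the same owner while both members are up, and that after `failover()` every new connection is assigned to the survivor.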
Failover HA
Failover HA consists of one Sidewinder G2 (the primary) actively processing traffic with the standby acting as a hot backup. When a standby Sidewinder G2 is registered to an HA cluster, synchronized areas will be overwritten by the HA cluster configuration. (To determine which areas are synchronized, see “Managing an HA cluster” on page 503.) Once registered, the standby monitors the primary through an Ethernet-based “heartbeat” mechanism that functions between Sidewinder G2s. If the standby determines that the primary is unavailable, the standby takes over and assumes the role of the primary. When a standby takes over networking functions, any active proxy sessions through the primary are lost. IP Filter sessions that are configured for stateful session failover will not be lost.
You can configure failover HA in one of two ways:
• primary-standby—In a primary-standby configuration, if the primary becomes unavailable, the standby takes over as the acting primary only until the primary becomes available again. (This option is generally used if you have Sidewinder G2s that do not share the same hardware configuration.)
• peer-to-peer—In a peer-to-peer configuration, both Sidewinder G2s are configured as standbys with the same takeover time setting. This allows whichever Sidewinder G2 boots up first to act as the primary. If the primary becomes unavailable, the peer Sidewinder G2 (acting as the standby) will take over as the primary and will remain as the acting primary until it becomes unavailable, at which time the peer will again take over as the acting primary. This is the recommended failover HA configuration. However, to configure peer-to-peer HA, both Sidewinder G2s must have similar hardware configurations.
When the primary is brought online, it activates both the cluster and interface IP addresses. (Remember, you must inform all users that the cluster address is the Sidewinder G2 address, so that all traffic still passes through the primary.) When the secondary or standby is brought online, it activates its interface IP addresses. The primary will then begin to “multicast” a heartbeat message. The heartbeat uses IPSec authentication (AH) to ensure that the messages are correct. The secondary or standby “listens” for this heartbeat.
Suppose the primary is accidentally powered off for a period of time. When the standby does not receive a heartbeat signal for a number of seconds (based on the takeover setting of the standby), it sets the cluster common IP addresses on its interfaces. In the process, the standby clears its address resolution protocol (ARP) cache and attempts to generate a “gratuitous ARP.” Most systems will immediately determine that the standby is now responsible for the addresses by which the primary is known, and new connections will be established through the new acting primary.
Note: Unfortunately, there may be a number of reasons why the gratuitous ARP is not received: a remote system may not recognize the message, the message may be blocked by certain switches, it may fail due to timing issues, etc. Often this can be resolved by flushing the ARP caches in the remote system. Many of these remote systems have ways to shorten the time that entries stay in the ARP cache; these should be set to time periods in the three to five minute range.
If you configured a primary-standby configuration, when the Sidewinder G2 that is configured as the primary is powered on or reactivated, it will begin sending a heartbeat message. When the standby (temporarily acting as the primary) receives the heartbeat message, it immediately drops the cluster common IP addresses so the primary can again assume responsibility. Established connections through the standby will continue to run for a period of time, but eventually all traffic will again pass through the primary. (In a peer-to-peer configuration, the Sidewinder G2 that takes over as the acting primary will remain as the primary until it becomes unavailable.)
Note: When a takeover event occurs, a number of netprobe events may be detected while existing connections take time to notice the switch of systems.
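The failover behaviour above (takeover after the configured number of heartbeat-free seconds, a primary-standby standby releasing the cluster common addresses as soon as the configured primary's heartbeat returns, and a peer-to-peer acting primary keeping them until it fails itself) as an added simulation. This is example code written for this page, not Sidewinder G2 code: the heartbeat message format, the HMAC used here to authenticate it in place of IPSec AH, and the scripted timeline are assumptions; the 13-second default takeover time is the one the guide states. The unauthenticated message at t=10 shows why authentication matters: a heartbeat that fails verification must not reset the takeover timer.

```python
"""Simulation of heartbeat-driven takeover and fallback for a failover HA pair.

Added example, not Sidewinder G2 code. The message format, the HMAC used here
in place of IPSec AH, and the scripted event timeline are assumptions made to
illustrate the behaviour described in the text.
"""
import hashlib
import hmac
import json

DEFAULT_TAKEOVER_SECONDS = 13          # default takeover time stated in the guide
PRIMARY_STANDBY = "primary-standby"
PEER_TO_PEER = "peer-to-peer"


def make_heartbeat(key, sender, seq, ts):
    """Build an authenticated heartbeat: JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps({"sender": sender, "seq": seq, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_heartbeat(key, message):
    """Return the heartbeat fields if the tag verifies, otherwise None."""
    body, _, tag = message.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class StandbyMonitor:
    """The standby side: listens for heartbeats, takes over the cluster common
    addresses when the timer expires and, in primary-standby mode, gives them
    back when the configured primary reappears."""

    def __init__(self, key, mode, takeover_seconds=DEFAULT_TAKEOVER_SECONDS, start=0):
        self.key = key
        self.mode = mode
        self.takeover_seconds = takeover_seconds
        self.last_heartbeat = start        # boot time counts as the last contact
        self.acting_primary = False
        self.log = []                      # (time, event) pairs

    def on_message(self, message, now):
        heartbeat = verify_heartbeat(self.key, message)
        if heartbeat is None:
            # A message that fails authentication must not reset the takeover timer.
            self.log.append((now, "rejected heartbeat with bad authentication tag"))
            return
        self.last_heartbeat = now
        if self.acting_primary and self.mode == PRIMARY_STANDBY:
            # The configured primary is back: drop the cluster common addresses.
            self.acting_primary = False
            self.log.append((now, f"heartbeat from {heartbeat['sender']}: released cluster addresses"))

    def tick(self, now):
        """Called once per second; performs the takeover when the timer expires."""
        if self.acting_primary:
            return                         # peer-to-peer: stay primary until we fail
        if now - self.last_heartbeat >= self.takeover_seconds:
            self.acting_primary = True
            self.log.append((now, "takeover: set cluster addresses, flush ARP cache, send gratuitous ARP"))


def run_scenario(mode, takeover_seconds=DEFAULT_TAKEOVER_SECONDS):
    """Constructed timeline: primary alive for t=0..5, silent for t=6..19,
    back from t=20 on; a heartbeat under the wrong key arrives at t=10."""
    key = b"ha-password-constructed"
    monitor = StandbyMonitor(key, mode, takeover_seconds)
    seq = 0
    for now in range(0, 31):
        if now <= 5 or now >= 20:
            seq += 1
            monitor.on_message(make_heartbeat(key, "fw-primary", seq, now), now)
        if now == 10:
            monitor.on_message(make_heartbeat(b"wrong-key", "fw-primary", 99, now), now)
        monitor.tick(now)
    return monitor


if __name__ == "__main__":
    for mode in (PRIMARY_STANDBY, PEER_TO_PEER):
        m = run_scenario(mode)
        print(mode, "acting primary at end:", m.acting_primary)
        for t, event in m.log:
            print(f"  t={t:2d}s  {event}")
```

With the default 13-second setting the takeover happens at t=18 (13 s after the last authenticated heartbeat at t=5), not at t=23, because the forged message at t=10 is rejected; with a 3-second setting it happens at t=8. In primary-standby mode the monitor releases the addresses at t=20, in peer-to-peer mode it is still the acting primary at the end of the run.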
Configuring HA
This section provides the basic information you need to configure an HA cluster. Before you begin, sketch a diagram showing your planned configuration (similar to the diagram in Figure 203) for reference. Include the following items on your diagram:
• interfaces
• IP addresses
• HA cluster common IP addresses
• burb names
Before you configure HA, the following conditions must be met:
• Both Sidewinder G2s must be at the same version.
• A dedicated heartbeat burb and interface must be configured on each Sidewinder G2.
Note: For load sharing HA, the interface used for the heartbeat burb must be at least as fast as the fastest load sharing interfaces on your Sidewinder G2. For information on configuring the heartbeat burb, see “Configuring the heartbeat burbs” on page 493.
• If planning to use VLANs, for best results configure the VLANs before creating the HA cluster.
• You can only assign one interface per burb when configuring load-sharing HA. (This includes VLANs.)
• The following areas must be configured identically on both Sidewinder G2s before you configure HA:
– number and types of interfaces
– number of burbs
– burb names (burb names are case-sensitive)
– burb indices
– DNS configuration (For example, if the primary is configured to use transparent DNS, the secondary must also be configured to use transparent DNS. If the DNS configuration types are not the same, DNS will not work on the secondary once HA is configured.)
Note: All other configuration information will be overwritten on the secondary/standby when HA is configured.
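A pre-flight check for the conditions in the list above, as an added example that is not part of the guide or the product: given two configuration snapshots it reports version, interface, burb-count, burb-name (compared per burb index and case-sensitively), DNS-configuration-type and heartbeat-burb mismatches that would otherwise only show up after HA is configured. The snapshot dictionary layout and the sample values are constructed assumptions, since the guide defines no export format for these settings.

```python
"""Pre-flight comparison of two firewall configuration snapshots against the
HA preconditions listed in the guide.

Added example, not Sidewinder G2 code. The snapshot layout (plain
dictionaries) and the sample values are constructed for this illustration.
"""

# Constructed sample snapshots. The secondary has two of the easy-to-miss
# mistakes: a burb name that differs only in case, and a different DNS
# configuration type.
PRIMARY_SNAPSHOT = {
    "version": "6.1.2",
    "interfaces": [("em0", "em"), ("em1", "em"), ("em2", "em")],   # (name, type)
    "burbs": {1: "internal", 2: "external", 3: "heartbeat"},       # index -> name
    "dns_config_type": "transparent",
    "heartbeat_burb": "heartbeat",
}
SECONDARY_SNAPSHOT = {
    "version": "6.1.2",
    "interfaces": [("em0", "em"), ("em1", "em"), ("em2", "em")],
    "burbs": {1: "internal", 2: "External", 3: "heartbeat"},
    "dns_config_type": "hosted",          # constructed value, not a term from the guide
    "heartbeat_burb": "heartbeat",
}


def check_ha_preconditions(primary, secondary):
    """Return a list of human-readable mismatches; an empty list means the two
    firewalls satisfy every precondition this check covers."""
    problems = []

    if primary["version"] != secondary["version"]:
        problems.append(f"version differs: {primary['version']} vs {secondary['version']}")

    # Number and types of interfaces must match (names may differ).
    p_types = sorted(t for _, t in primary["interfaces"])
    s_types = sorted(t for _, t in secondary["interfaces"])
    if len(p_types) != len(s_types):
        problems.append(f"interface count differs: {len(p_types)} vs {len(s_types)}")
    elif p_types != s_types:
        problems.append(f"interface types differ: {p_types} vs {s_types}")

    if len(primary["burbs"]) != len(secondary["burbs"]):
        problems.append(f"burb count differs: {len(primary['burbs'])} vs {len(secondary['burbs'])}")

    # Burb names are compared per index and case-sensitively, as the guide requires.
    for idx in sorted(set(primary["burbs"]) | set(secondary["burbs"])):
        p_name = primary["burbs"].get(idx)
        s_name = secondary["burbs"].get(idx)
        if p_name == s_name:
            continue
        detail = f"burb index {idx}: {p_name!r} vs {s_name!r}"
        if p_name and s_name and p_name.lower() == s_name.lower():
            detail += " (differs only in case; burb names are case-sensitive)"
        problems.append(detail)

    if primary["dns_config_type"] != secondary["dns_config_type"]:
        problems.append("DNS configuration type differs: "
                        f"{primary['dns_config_type']} vs {secondary['dns_config_type']}; "
                        "DNS will not work on the secondary once HA is configured")

    # Each firewall needs a dedicated heartbeat burb that actually exists.
    for label, snap in (("primary", primary), ("secondary", secondary)):
        if snap.get("heartbeat_burb") not in snap["burbs"].values():
            problems.append(f"{label}: no dedicated heartbeat burb configured")

    return problems


if __name__ == "__main__":
    for line in check_ha_preconditions(PRIMARY_SNAPSHOT, SECONDARY_SNAPSHOT):
        print("MISMATCH:", line)
```

On the constructed pair the check reports exactly two mismatches, the case-only burb name at index 2 and the DNS configuration type; comparing a snapshot with itself reports none.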
Configuring the heartbeat burbs
You must configure a dedicated heartbeat burb and interface on each Sidewinder G2 before configuring an HA cluster. Follow the steps below for each Sidewinder G2.
1 Ensure that the Sidewinder G2 has an interface that can be dedicated to HA traffic.
Note: For load sharing, the interface used for the heartbeat burb must be at least as fast as the fastest load sharing interfaces on your Sidewinder G2.
2 In the Admin Console, connect to the Sidewinder G2 and create a heartbeat burb (select Firewall Administration > Burb Configuration). For troubleshooting purposes, select the Respond to ICMP echo and timestamp check box. See “Modifying the burb configuration” on page 82 for detailed information on creating a new burb.
3 Click the Save icon in the toolbar.
4 Go to Firewall Administration > Interface Configuration and assign the heartbeat burb and IP address to the appropriate interface. (Be sure to enable the interface.) See “Modifying the interface configuration” on page 83 for detailed information on configuring a new interface.
5 Click the Save icon in the toolbar. (You do not need to reboot at this time.)
6 Repeat these steps for each Sidewinder G2 that will be participating in the HA cluster.
7 When you have configured a heartbeat burb and interface for each Sidewinder G2, be sure to test the network connectivity between the two Sidewinder G2s for the heartbeat interface.
Important: Network connectivity must exist between the Sidewinder G2s’ heartbeat burbs to successfully configure HA.
Configuring Sidewinder G2 for HA
Once you have configured a heartbeat burb for each Sidewinder G2 and have verified network connectivity between the Sidewinder G2s on the heartbeat interface, you can configure the Sidewinder G2s for HA. Follow the steps below.
Important: It is recommended that you perform a system backup before configuring HA. See “Backing up system files” on page 638 for details.
Configuring the first Sidewinder G2 in a new HA cluster
To configure the first Sidewinder G2 in a new HA cluster, follow the steps below.
1 Connect to the Sidewinder G2 that will become the primary using the Admin Console.
Note: If you are planning to configure a load sharing or peer-to-peer HA cluster, it does not matter which Sidewinder G2 you configure first.
2 Configure all functions and features other than HA.
3 Verify that you have a dedicated heartbeat burb and interface configured for HA on this Sidewinder G2. See “Configuring the heartbeat burbs” on page 493 for instructions.
4 In the tool bar, click the icon to launch the State Change Wizard. (You can also access the State Change Wizard by selecting the dashboard and then clicking the Change link.) The Welcome window appears. Read the Welcome window and then click Next.
5 Select Not Enterprise Managed and then click Next.
6 Select HA Cluster and then click Next.
7 Select Create New Cluster and then click Next.
8 Select the HA configuration that you want to create, and then click Next.
Note: To configure peer-to-peer HA or load sharing HA, both Sidewinder G2s must have the same hardware configuration.
• Peer-To-Peer HA—Both Sidewinder G2s are configured as standbys with the same takeover time setting. Whichever Sidewinder G2 boots up first will act as the primary. If the primary becomes unavailable, the peer (acting as the standby) will take over as the primary and will remain as the acting primary until it becomes unavailable, at which time the peer will again take over as the acting primary. This is the recommended failover HA configuration.
• Load-Sharing HA—Load sharing HA consists of two Sidewinder G2s that actively process traffic in a load sharing capacity. For more information on load sharing HA, see “Load sharing HA” on page 489.
• Primary-Standby HA—If the primary becomes unavailable, the standby takes over as the acting primary only until the primary becomes available again. (This option is generally used if you have Sidewinder G2s that do not share the same hardware configuration.) For more information on primary-standby HA, see “Failover HA” on page 490.
9 [Conditional] In the High Availability Takeover Time window, specify the number of seconds that the primary must be unavailable before the secondary/standby will begin the takeover process. The default value is 13 seconds.
Chapter 17: High Availability<br />
Configuring HA<br />
Note: This window does not appear if you selected the primary-secondary HA<br />
option. For primary-secondary HA, the takeover time is 3 seconds for the<br />
primary and 13 seconds for the secondary by default and cannot be modified in<br />
the State Change Wizard.<br />
Click Next. The High Availability Cluster Common Addresses window<br />
appears.<br />
10 The High Availability Cluster Common Addresses window allows you to<br />
configure the cluster common addresses for the interfaces in your HA<br />
cluster. It also allows you to specify the heartbeat burb, which is responsible<br />
for sending and receiving heartbeats. Do the following, and then click Next:<br />
a Select the interface row that you want to configure, and click Configure.<br />
The High Availability Aliases window appears.<br />
b In the Cluster Common IP Address field, type the common IP address<br />
for the interface that will be shared between <strong>Sidewinder</strong> <strong>G2</strong>s within the<br />
HA cluster.<br />
Note: The cluster address is the address most systems should use to<br />
communicate with or through the <strong>Sidewinder</strong> <strong>G2</strong>, meaning that DNS, default<br />
routes, etc. need to be aware <strong>of</strong> this address.<br />
c Click OK.<br />
d Repeat step a through step c for each interface that will use HA.<br />
e In the Heartbeat Burb drop-down list, select the burb that HA will use to<br />
send or receive heartbeats. (A heartbeat is a short message that is sent<br />
out at specific intervals to verify whether a <strong>Sidewinder</strong> <strong>G2</strong> is<br />
operational.) This must be a dedicated burb.<br />
f [Optional] If you want to skip the advanced configuration windows and<br />
use the default values, select the Use default advanced High<br />
Availability properties and skip advanced screens check box.<br />
If you select this check box, the following configuration options will be<br />
made automatically:<br />
• IPSec authentication password and authentication type will be<br />
automatically selected.<br />
• HA identification cluster ID and multicast address will be<br />
automatically assigned.<br />
• Remote test configuration options will not be configured.<br />
If you want to modify or configure any <strong>of</strong> these properties, deselect the<br />
Use default advanced High Availability properties and skip advanced<br />
screens check box and click Next to access the Advanced General<br />
Properties and Advanced Network Properties windows.<br />
11 [Conditional] The High Availability Advanced General Properties window<br />
allows you to configure IPSec Authentication values and High Availability<br />
identification values. Modify any <strong>of</strong> the following values:<br />
Note: This window does not appear if you selected the Use default advanced<br />
High Availability properties and skip advanced screens check box in the High<br />
Availability Cluster Common Addresses window.<br />
• High Availability Password—Type the password to be used to generate<br />
the authentication key for IPSec. This password must be the same for<br />
both <strong>Sidewinder</strong> <strong>G2</strong>s because they share the same virtual firewall ID.<br />
• Authentication Type—Select one <strong>of</strong> the following:<br />
– SHA1: Select this option if using HMAC-SHA1 authentication.<br />
– MD5: Select this option if using HMAC-MD5 authentication.<br />
• Cluster ID—Select an ID that will be assigned to the HA cluster. This<br />
allows you to distinguish between and manage multiple HA clusters, if<br />
needed. Each <strong>Sidewinder</strong> <strong>G2</strong> with an HA cluster must be assigned the<br />
same cluster ID. Valid values are 1–255.<br />
• Multicast Address—This field displays the address <strong>of</strong> the multicast<br />
group used for HA purposes in the heartbeat burb. The default address<br />
is 239.192.0.1. To modify the address, click Edit Address.<br />
When you have finished configuring this window, click Next.<br />
12 [Conditional] The High Availability Advanced Network Properties window<br />
allows you to configure interface testing and force ARP reset properties. To<br />
configure interface testing and/or ARP reset properties, do the following<br />
and then click Next.<br />
This window does not appear if you selected the Use default advanced<br />
High Availability properties and skip advanced screens check box in the<br />
High Availability Cluster Common Addresses window.<br />
Note: For more information on interface testing with HA, see “Interface<br />
configuration issues with HA” on page 666.<br />
a In the Interface Test area, configure any remote test IP addresses for<br />
networks that you want to periodically ping, as follows:<br />
Note: If you specify 255.255.255.255 in this field, HA will only test the status<br />
<strong>of</strong> the interface rather than send data to verify that the interface is up. This<br />
functionality is not intended for use in the heartbeat burb.<br />
• Select the network row that you want to modify, and click Modify.<br />
The Remote Test window appears.<br />
• In the Remote Test IP field, enter the IP address that the <strong>Sidewinder</strong><br />
<strong>G2</strong> will periodically ping. The remote address must be a highly<br />
reliable system that is directly attached to the <strong>Sidewinder</strong> <strong>G2</strong><br />
network, but does not belong to either cluster member.<br />
For example, if you use a VRRP (Virtual Router Redundancy Protocol)<br />
cluster, you can specify the VRRP address <strong>of</strong> the router as your<br />
remote ping address. (However, some VRRP routing clusters will<br />
only respond to pings if the configured primary router is currently acting<br />
as the primary. If you are using this type <strong>of</strong> VRRP routing cluster,<br />
you should use an alternative remote address.)
For load sharing HA, if remote ping fails on one <strong>of</strong> the two cluster<br />
members, that member will become unavailable until the remote<br />
interface is again detected. If there is only one active cluster member<br />
and a remote ping failure is detected, that member will audit the failure<br />
and remain in the cluster until another member joins the cluster<br />
(without a ping failure), or until the remote system is detected.<br />
• Click OK to return to the High Availability Advanced Network<br />
Properties window.<br />
b In the Ping the Remote Test IP field, specify how <strong>of</strong>ten (in seconds) the<br />
HA cluster will ping the remote address to ensure that an interface and<br />
path are operational.<br />
c In the Consecutive ping failures before takeover field, specify the<br />
number <strong>of</strong> failed ping attempts that must occur before a secondary/<br />
standby takes over as the primary.<br />
If the primary becomes unavailable immediately after a ping attempt has<br />
been issued, the time it takes for a secondary/standby to take over will<br />
be slightly longer (this is because it will take close to an entire test interval<br />
before the first failure is detected).<br />
d [Conditional] The Force ARP Reset area lists the IP address and burb <strong>of</strong><br />
each system that you determine needs to update its ARP cache with the<br />
new cluster alias IP. Use this area to list all systems that are known to<br />
ignore gratuitous ARPs, but that need to know the new cluster alias.<br />
Note: This area is not available if you are configuring Load Sharing HA.<br />
To define a system to be included in the Force ARP Reset list, click<br />
New. The Force ARP Reset window appears. Enter the IP Address and<br />
select the burb for the system, and then click OK.<br />
To modify an entry, select the appropriate entry and click Modify.<br />
To delete an IP address from the list, select the address and click<br />
Delete.<br />
13 The State Change Summary window displays a list <strong>of</strong> the actions that will<br />
be performed when you click Execute.<br />
Important: The <strong>Sidewinder</strong> <strong>G2</strong> will be automatically rebooted after the<br />
transition process is complete. Carefully review the changes before you click<br />
Execute, as changes you make after initially executing the state change will<br />
require an additional reboot.<br />
If you want to make changes to your configuration before executing, click<br />
Back to navigate to the appropriate window(s) and make the necessary<br />
changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If the<br />
transition is successful the Success window appears, displaying the new<br />
state, and the <strong>Sidewinder</strong> <strong>G2</strong> will automatically reboot. Click Finish.<br />
To add an additional cluster member, see “Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an<br />
existing HA cluster” on page 498.<br />
Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster<br />
Joining a Sidewinder G2 to an existing HA cluster requires two steps:<br />
• Add a placeholder in the HA cluster for that <strong>Sidewinder</strong> <strong>G2</strong> in the High<br />
Availability Common Parameters window. See “Adding a placeholder in the<br />
HA cluster” on page 498.<br />
• Join the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster using the State Change Wizard.<br />
See “Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster” on page 499.<br />
Note: You must have a dedicated heartbeat burb configured on each <strong>Sidewinder</strong><br />
<strong>G2</strong> that you register to an HA cluster. See “Configuring the heartbeat burbs” on<br />
page 493 for instructions.<br />
Adding a placeholder in the HA cluster<br />
Adding a <strong>Sidewinder</strong> <strong>G2</strong> to an HA cluster creates a placeholder for that<br />
<strong>Sidewinder</strong> <strong>G2</strong> within that HA cluster. Once you have added the <strong>Sidewinder</strong> <strong>G2</strong><br />
to the HA cluster, you will need to join the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster<br />
using the State Change Wizard.<br />
To add a placeholder for the new <strong>Sidewinder</strong> <strong>G2</strong> in the existing HA cluster, do<br />
the following:<br />
1 Connect to the HA cluster using the Admin Console, and select High<br />
Availability in the Admin Console tree. The High Availability Common<br />
Parameters tab appears.<br />
2 In the Pair Members area, click New. The Add New Firewall window<br />
appears.<br />
3 In the Name field, enter the name of the Sidewinder G2 you are adding to the<br />
HA cluster.<br />
4 [Conditional] If you selected the Primary/Standby HA mode, in the Takeover<br />
Time field, select the number <strong>of</strong> seconds that the primary must be<br />
unavailable before the secondary/standby will begin the takeover process.<br />
The default value is 13 seconds.<br />
Note: This field does not appear if you selected peer-to-peer HA or load sharing HA.<br />
5 In the IP Address in Heartbeat Burb field, enter the individual IP address (in<br />
the heartbeat burb) <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> that you are adding to the HA<br />
cluster.
6 In the Registration Key field, create the registration key for this HA cluster.<br />
The key must be at least one character long and may consist <strong>of</strong><br />
alphanumeric characters, hyphens (-), and underscores (_).<br />
Important: You will need the registration key when you join the <strong>Sidewinder</strong> <strong>G2</strong><br />
to the HA cluster using the State Change Wizard.<br />
7 Click Add to add the <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster. You can now join the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster using the State Change Wizard. See<br />
“Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster” on page 499.<br />
Joining a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster<br />
To join a <strong>Sidewinder</strong> <strong>G2</strong> to an existing HA cluster, follow the steps below.<br />
Note: You must add a placeholder for the <strong>Sidewinder</strong> <strong>G2</strong> in the HA cluster before<br />
you will be able to join the HA cluster. See “Adding a placeholder in the HA cluster”<br />
on page 498.<br />
1 Connect to the <strong>Sidewinder</strong> <strong>G2</strong> that will be joining the HA cluster using the<br />
Admin Console.<br />
2 In the toolbar, click the icon to launch the State Change Wizard. (You can also<br />
access the State Change Wizard by selecting the dashboard and then<br />
clicking the Change link.) The Welcome window appears.<br />
3 Click Next.<br />
4 Select Not Enterprise Managed and click Next.<br />
5 Select HA Cluster and click Next.<br />
6 Select Join Existing HA Cluster and click Next.<br />
7 In the Gathering information to join cluster window, configure the following<br />
fields:<br />
• Partner’s Heartbeat Burb IP Address—Enter the heartbeat IP address<br />
<strong>of</strong> the HA partner.<br />
Important: This is the actual heartbeat IP address for the HA partner, not the<br />
cluster common heartbeat IP address.<br />
• Cluster Member Name—Enter the name <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> that you<br />
are joining to the HA cluster (the name you entered when you added<br />
this <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster).<br />
• Registration Key—Enter the registration key for the HA cluster (the key<br />
that you created when you added this <strong>Sidewinder</strong> <strong>G2</strong> to the HA cluster<br />
in step 6 on page 499).<br />
8 Click Next. The State Change Summary window displays a list <strong>of</strong> the<br />
actions that will be performed when you click Execute.<br />
Important: The <strong>Sidewinder</strong> <strong>G2</strong> will be rebooted after the transition process is<br />
complete. Carefully review the changes before you click Execute, as changes<br />
you make after executing the state change will require an additional reboot.<br />
If you want to make changes to your configuration before executing, click<br />
Back to navigate to the appropriate window(s) and make the necessary<br />
changes.<br />
When you are satisfied with the summary <strong>of</strong> changes, click Execute. A<br />
progress bar will appear while the configuration changes are made. If the<br />
transition is successful the Success window appears, displaying the new<br />
state.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is successfully joined to the HA cluster, it will<br />
reboot automatically. When the <strong>Sidewinder</strong> <strong>G2</strong> reboots, it will be synchronized<br />
with the primary, and the HA cluster will appear in the Admin Console<br />
tree as a single <strong>Sidewinder</strong> <strong>G2</strong> icon. See “Managing an HA cluster” on<br />
page 503 for information on managing your HA cluster.<br />
Enabling and disabling load sharing for an HA cluster<br />
If you have an HA cluster configured and want to enable or disable load<br />
sharing, follow the steps below.<br />
Note: For more information on load sharing HA, see “Load sharing HA” on page<br />
489.<br />
1 In the Admin Console, connect to the HA cluster and select<br />
High Availability.<br />
2 Click the plus sign (+) in front <strong>of</strong> the High Availability branch to display the<br />
individual icons for each <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA cluster.<br />
3 Select the primary icon. The Local Parameters tab appears.<br />
To determine which <strong>Sidewinder</strong> <strong>G2</strong> is the primary, select High Availability,<br />
and then select the Common Parameters tab and click Cluster Status.<br />
4 In the Cluster Mode area, enable or disable load sharing by selecting the<br />
appropriate cluster mode as follows:<br />
• Designate as part <strong>of</strong> a Load Sharing High Availability Cluster—Select<br />
this option if you want to enable load sharing for the HA cluster (both<br />
<strong>Sidewinder</strong> <strong>G2</strong>s actively process traffic).<br />
• Designate as part <strong>of</strong> a Primary/Standby High Availability Cluster—<br />
Select this option if you want to disable load sharing HA and convert the<br />
HA cluster to a failover HA cluster (only one <strong>Sidewinder</strong> <strong>G2</strong> processes<br />
traffic, with the other <strong>Sidewinder</strong> <strong>G2</strong> acting as a hot backup).
5 Click the Save icon in the toolbar.<br />
6 Wait 60 seconds to allow the <strong>Sidewinder</strong> <strong>G2</strong>s to synchronize, and then<br />
reboot each <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA cluster. It is important that<br />
the second <strong>Sidewinder</strong> <strong>G2</strong> be rebooted before the primary is finished<br />
rebooting.<br />
Important: If you do not begin the reboot process for the second <strong>Sidewinder</strong><br />
<strong>G2</strong> before the primary finishes rebooting, it will detect that the second<br />
<strong>Sidewinder</strong> <strong>G2</strong> is configured for a different cluster mode, and the HA cluster will<br />
not function properly. If this happens, you will need to reboot each <strong>Sidewinder</strong><br />
<strong>G2</strong> to synchronize the HA cluster.<br />
Removing a <strong>Sidewinder</strong> <strong>G2</strong> from an HA cluster<br />
Removing a secondary/standby from an HA cluster<br />
To remove a secondary/standby from an HA cluster, follow the steps below.<br />
1 Connect to the HA cluster and select High Availability in the Admin<br />
Console tree. The Common Parameters window appears.<br />
2 In the Pair Members table, highlight the secondary/standby and then click<br />
Delete.<br />
When the <strong>Sidewinder</strong> <strong>G2</strong> is removed from the HA cluster, it will automatically<br />
reboot and become a functioning stand-alone <strong>Sidewinder</strong> <strong>G2</strong>.<br />
Removing the primary from an HA cluster<br />
You must remove the secondary/standby from the HA cluster before you can<br />
remove the primary from the HA cluster. Once you have removed the<br />
secondary/standby from an HA cluster, follow the steps below to remove the<br />
primary from the HA cluster:<br />
1 Connect to the HA cluster.<br />
2 Access the State Change Wizard by selecting the dashboard at the top <strong>of</strong><br />
the Admin Console tree and then clicking the Change link. The Welcome<br />
window appears.<br />
3 Click Next.<br />
4 Select Change To Standalone State, and then click Next.<br />
5 The State Change Summary window appears listing the actions that will be<br />
performed when you click Execute. To remove the primary from the HA<br />
cluster and return it to the standalone state, click Execute. The <strong>Sidewinder</strong><br />
<strong>G2</strong> will automatically reboot. Once the <strong>Sidewinder</strong> <strong>G2</strong> is rebooted, it will<br />
become a functioning standalone <strong>Sidewinder</strong> <strong>G2</strong>.<br />
To cancel the wizard without making any changes, click Cancel.<br />
Important: Once the <strong>Sidewinder</strong> <strong>G2</strong> has finished rebooting, the IP address in<br />
the Admin Console Connection window will still display the cluster common IP<br />
address. Before connecting to the standalone <strong>Sidewinder</strong> <strong>G2</strong>, you will need to<br />
manually change the IP address back to the <strong>Sidewinder</strong> <strong>G2</strong>’s individual<br />
address.<br />
Understanding the HA cluster tree structure<br />
Figure 204: Example of an individually configured area<br />
Figure 205: Special HA and Interface Configuration options<br />
The Admin Console tree structure is slightly different for an HA cluster. As<br />
explained above, when you configure an HA cluster, both <strong>Sidewinder</strong> <strong>G2</strong>s are<br />
managed within a single Admin Console connection.<br />
Areas <strong>of</strong> the HA cluster that are synchronized (that is, areas in which the<br />
information for both <strong>Sidewinder</strong> <strong>G2</strong>s must be the same and remains in sync via<br />
the synchronization server) will appear with a single tree option. When you<br />
modify information within those areas, the information will automatically be<br />
updated for both <strong>Sidewinder</strong> <strong>G2</strong>s.<br />
Information specific to individual <strong>Sidewinder</strong> <strong>G2</strong>s within the HA cluster (such as<br />
configuration backup and restore) will include a sub-folder (indicated by a plus<br />
[+] sign) that contains an icon for each <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> the HA<br />
cluster. To modify information within these areas, expand the tree branch,<br />
select the appropriate Sidewinder G2, and make the desired changes. Non-synchronized<br />
modifications to an individual Sidewinder G2 will be applied only<br />
to that <strong>Sidewinder</strong> <strong>G2</strong> and will not be overwritten by changes made to the other<br />
<strong>Sidewinder</strong> <strong>G2</strong>.<br />
Figure 204 below demonstrates the difference between an individually<br />
configured area <strong>of</strong> the HA cluster (Reports) and a synchronized area <strong>of</strong> the HA<br />
cluster (Burb Configuration).<br />
Figure 204 callouts: Reporting is configured on an individual Sidewinder G2 basis;<br />
Burb Configuration is synchronized and does not allow you to select a Sidewinder G2.<br />
The High Availability and Interface Configuration areas within the HA cluster<br />
tree include some areas that are synchronized and some areas that are<br />
configured on an individual <strong>Sidewinder</strong> <strong>G2</strong> basis, as shown in Figure 205<br />
below.<br />
Figure 205 callouts: Synchronized HA information is configured by selecting the main<br />
HA option; HA information specific to a single Sidewinder G2 is configured by selecting<br />
that Sidewinder G2. Synchronized interface information is configured by selecting the<br />
main Interface Configuration option; interface information specific to a single<br />
Sidewinder G2 is configured by selecting that Sidewinder G2.<br />
The following lists summarize the features that are synchronized and the<br />
features that are configured individually in an HA cluster.
Features that are synchronized within an HA cluster<br />
• Policy Configuration<br />
• VPN<br />
• Proxies<br />
• IPS Attack Responses<br />
• Servers<br />
• High Availability (Common Parameters)<br />
• Routing<br />
• Burb Configuration<br />
• Authentication<br />
• Firewall Accounts<br />
• Certificate Management<br />
• Interface Alias IP addresses<br />
• Scanner<br />
• System Responses<br />
• SmartFilter<br />
• UI Access Control<br />
Features that are configured individually within an HA cluster<br />
• Dashboard<br />
• Firewall License<br />
• DNS (see note a)<br />
• Interface Configuration<br />
• Audit<br />
• Software Management<br />
• Reports<br />
• System Shutdown<br />
• High Availability (Local Parameters)<br />
• Reconfigure DNS<br />
• Configuration Backup<br />
• Reconfigure Mail<br />
• Date and Time<br />
• File Editor<br />
a. DNS must be configured by connecting directly to the secondary/standby. All other<br />
features listed in this table are configured using the HA cluster connection. To connect<br />
directly to the secondary/standby, you will need to add a new Sidewinder G2 to the<br />
Admin Console using the Sidewinder G2’s actual IP address, and then connect to the<br />
Sidewinder G2 directly. (This is because the secondary/standby is removed from the<br />
Admin Console tree branch when it is successfully added to the HA cluster.) For information<br />
on adding a Sidewinder G2 to the Admin Console, see “Connecting directly to a<br />
secondary/standby” on page 511.<br />
Managing an HA cluster<br />
Once you have configured an HA cluster, the HA cluster will be represented in<br />
the Admin Console tree by a single <strong>Sidewinder</strong> <strong>G2</strong> icon. When you connect to<br />
the HA cluster, you will use the HA cluster common IP address that you<br />
created when you configured HA. This allows you to manage both <strong>Sidewinder</strong><br />
<strong>G2</strong>s by connecting to the HA cluster.<br />
Important: If you connect directly to a single <strong>Sidewinder</strong> <strong>G2</strong> outside <strong>of</strong> the HA<br />
cluster, changes you make to synchronized areas for that <strong>Sidewinder</strong> <strong>G2</strong> will be<br />
overwritten by the HA cluster configuration. For information on when and how to<br />
connect directly to a single <strong>Sidewinder</strong> <strong>G2</strong> that is part <strong>of</strong> an HA cluster, see<br />
“Connecting directly to a secondary/standby” on page 511.<br />
About the Common Parameters tab<br />
Caution: If you modify your hardware interface configuration, HA will not function<br />
until the Sidewinder G2 is rebooted.<br />
Modifying HA common parameters<br />
The Common Parameters tab allows you to configure properties that are<br />
common to the HA cluster. To configure common HA parameters, connect to<br />
the HA cluster using the Admin Console and select High Availability. The<br />
following window appears:<br />
Figure 206: Common Parameters tab<br />
The Common Parameters tab specifies the parameters that will affect all<br />
<strong>Sidewinder</strong> <strong>G2</strong>s in your HA configuration. Follow the steps below.<br />
1 In the High Availability Identification area, do the following:<br />
a In the Cluster ID field, select an ID that is assigned to the HA cluster.<br />
This allows you to distinguish between and manage multiple HA<br />
clusters, if needed. Each <strong>Sidewinder</strong> <strong>G2</strong> with an HA cluster must be<br />
assigned the same cluster ID. Valid values are 1–255.<br />
b The Multicast Group Address field displays the address <strong>of</strong> the multicast<br />
group used for HA purposes on the heartbeat burb. The default address<br />
is 239.192.0.1. To modify the address, click Edit address. See<br />
“Changing the multicast address” on page 507 for details on modifying<br />
the multicast group address.<br />
c In the Heartbeat Burb drop-down list, select the burb that HA will use to<br />
send or receive a heartbeat. A heartbeat is a short message that is sent<br />
out at specific intervals to verify whether a <strong>Sidewinder</strong> <strong>G2</strong> is operational.<br />
The heartbeat, session information, and configuration information are<br />
also transferred between the heartbeat burbs.<br />
This must be a dedicated heartbeat burb. For information on configuring<br />
a dedicated heartbeat burb, see “Configuring the heartbeat burbs” on<br />
page 493.<br />
d In the Heartbeat Verification Burb drop-down list, select the burb that<br />
HA will use to send or receive a mini-heartbeat. This should be a burb<br />
that regularly passes traffic, such as the internal burb.<br />
This mini-heartbeat helps protect against false failover events by doing<br />
the following:<br />
• If the <strong>Sidewinder</strong> <strong>G2</strong> does not detect the heartbeat but does detect<br />
the mini-heartbeat, the HA cluster does not fail over. An audit<br />
message is generated, alerting the administrator to check the<br />
heartbeat burbs’ connectivity.<br />
Important: Loss <strong>of</strong> communications on the heartbeat burb causes<br />
diminished HA services. For load sharing, the active secondary no longer<br />
shares the session load; it goes to a standby state. For non-load sharing,<br />
the standby cannot receive updated information about new ipfilter sessions<br />
established on the primary. Maintain high availability service to your network<br />
by troubleshooting the heartbeat burbs’ communication problems as soon<br />
as possible.<br />
• If the Sidewinder G2 does not detect either the heartbeat or the mini-heartbeat,<br />
the HA cluster fails over.<br />
Additional information on heartbeat verification is available in knowledge<br />
base article 3848.<br />
2 In the IPSec Authentication area, do the following:<br />
a In the Authentication Type field, select the type of IPSec authentication<br />
to use for HA:<br />
– SHA1: Select this option if using HMAC-SHA1 authentication.<br />
– MD5: Select this option if using HMAC-MD5 authentication.<br />
b In the Password field, type the password that will be used to generate<br />
the authentication key for IPSec. This password must be the same for<br />
both Sidewinder G2s because they share the same virtual firewall ID.<br />
3 [Conditional] The Pair Members table lists the <strong>Sidewinder</strong> <strong>G2</strong>s that have<br />
been added to the HA cluster. To add a <strong>Sidewinder</strong> <strong>G2</strong> to the Pair Members<br />
table, see “Adding a placeholder in the HA cluster” on page 498. To view<br />
the status <strong>of</strong> the cluster, click Cluster Status. A pop-up window will appear<br />
displaying the status <strong>of</strong> each <strong>Sidewinder</strong> <strong>G2</strong>. To close the status information<br />
window, click Close.<br />
This table is not available until you successfully promote a primary. Once<br />
the primary has been promoted, you can add a second <strong>Sidewinder</strong> <strong>G2</strong> to<br />
the HA cluster. However, you must join the second <strong>Sidewinder</strong> <strong>G2</strong> before it<br />
will become functional within the HA cluster. See “Joining a <strong>Sidewinder</strong> <strong>G2</strong><br />
to an existing HA cluster” on page 499 for information on registering a<br />
<strong>Sidewinder</strong> <strong>G2</strong> to an HA cluster.<br />
4. [Conditional] To define a system that requires ARP cache updates, in the Force ARP Reset area, click New and see "Configuring an entry in the Force ARP Reset area" on page 507. (This option is not used for load sharing HA.)
The Force ARP Reset area lists the IP address and burb of each system that you determine needs to update its ARP cache with the new cluster alias IP. Use this area to list all systems that are known to ignore gratuitous ARPs but that still need to learn which MAC address answers for the cluster alias after a takeover. (To delete an IP address from the list, highlight the address and click Delete.)
5. In the Interface Test area, do the following:
a. In the Time Between Tests field, specify how often (in seconds) the HA cluster will ping the remote test address to verify that the interface and the path to that address are operational.
b. In the Consecutive Failures field, specify the number of consecutive failed ping attempts that must occur before a secondary/standby takes over as the primary (a successful ping restarts the count).
Note: If the primary becomes unavailable immediately after a ping attempt has been issued, the time it takes for a secondary/standby to take over will be slightly longer, because close to an entire test interval passes before the first failure is detected. In other words, detection takes between roughly (Consecutive Failures minus 1) and Consecutive Failures test intervals, depending on when the outage begins relative to the test schedule.
6. The Interfaces table identifies the burb, HA cluster address, network address, remote test IP address, and cluster MAC address for each interface.
The Cluster MAC column is read-only and displays the MAC address for each cluster interface that is defined. Depending on the type of router you are using, this address may be required to configure the router if you have load sharing HA configured. The Cluster MAC is used for all shared cluster addresses and aliases on that interface.
You must define a shared address for each interface being backed up via HA. To define a new interface, click New. To modify an HA common IP address, highlight the interface you want to modify and click Modify. See "Configuring an entry in the Interfaces table" on page 507 for details. To delete an interface, highlight the interface and click Delete.
Important: If multiple IP addresses are desired on a single NIC and HA is configured on the Sidewinder G2, only the HA common IP address is defined here. All non-HA alias IP addresses are defined in the Interface Configuration window.
7. When you are finished configuring the HA parameters for this Sidewinder G2, click the Save icon to save your changes.
8. Select Firewall Administration > System Shutdown and reboot to the operational kernel. Your changes will not take effect until the reboot completes.
Changing the multicast address
The Edit Multicast Group window allows you to specify a different multicast address for the HA cluster heartbeat. Do not specify an address that conflicts with other multicast groups on the heartbeat burb. Addresses in the range 239.192.0.0 to 239.251.255.255 are reserved by RFC 2365 (administratively scoped IP multicast) for locally administered, organization-local multicast groups, so an address from that range will not collide with globally assigned groups. If your boundary routers support administrative scoping, configure them not to forward your selected address, so that heartbeat traffic cannot leave the heartbeat network.
To restore the default address (239.192.0.1), click Restore Default.
Important: If the default is not used, you should change the reverse lookup files in DNS to allow DNS reverse resolution of the new multicast address. Refer to the /etc/namedb.u/failover.rev file.
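The following is an added example and is not code from the guide or from the Sidewinder G2 software: a POSIX shell helper that rejects a heartbeat group outside the 239.192.0.0 to 239.251.255.255 range quoted above and prints the in-addr.arpa PTR line you would then add to the reverse zone the guide points at (/etc/namedb.u/failover.rev). The function names, the sample group 239.200.0.7 and the target name ha-heartbeat.example.com are this example's own choices, not names taken from the product.

```sh
#!/bin/sh
# Added example; not code from the Sidewinder G2 guide or Secure Computing.
# Checks a candidate HA heartbeat multicast address against the range the
# guide recommends (239.192.0.0 - 239.251.255.255, inside the RFC 2365
# administratively scoped block) and derives the in-addr.arpa owner name a
# PTR record for it needs. The PTR target host name is the caller's choice.

# Convert a dotted-quad IPv4 address to its 32-bit integer value.
# Prints the value; returns 1 (prints nothing) on malformed input.
ip_to_int() {
    IFS=.
    set -- $1
    unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric or leading zero
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (return 0) only if ADDR lies within 239.192.0.0 - 239.251.255.255.
mcast_in_recommended_range() {
    n=$(ip_to_int "$1") || return 1
    lo=$(ip_to_int 239.192.0.0)
    hi=$(ip_to_int 239.251.255.255)
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ] && return 0
    return 1
}

# Print the reverse-DNS owner name for ADDR (octets reversed, in-addr.arpa).
reverse_name() {
    IFS=.
    set -- $1
    unset IFS
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# Print the PTR record line to add for a non-default heartbeat group, or
# fail if the address is outside the recommended range.
# Usage: heartbeat_ptr_record ADDR TARGET_HOSTNAME.
heartbeat_ptr_record() {
    if ! mcast_in_recommended_range "$1"; then
        echo "refusing $1: not in 239.192.0.0-239.251.255.255" >&2
        return 1
    fi
    echo "$(reverse_name "$1") IN PTR $2"
}

# Constructed usage: a site that moved its cluster off the default group.
heartbeat_ptr_record 239.200.0.7 ha-heartbeat.example.com.
```

The zone file syntax of the record (owner name, class, type, target) is ordinary BIND syntax; the serial number bump and reload of the reverse zone are left to the administrator.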
Configuring an entry in the Force ARP Reset area
The Force ARP Reset window allows you to specify the IP address and its associated burb for each system that would ignore the gratuitous ARP containing the new cluster alias. To add this information, follow the steps below.
Note: The Force ARP Reset area is not used for load sharing HA.
1. In the IP Address field, enter the system's IP address.
2. In the Burb field, select the burb that connects to that system's network.
3. Click OK to save the information, or click Close to close the window without saving your changes.
Configuring an entry in the Interfaces table
The Common IP window allows you to specify the cluster common IP address for your interfaces. You will need to configure a common IP address for each interface that uses HA. Follow the steps below.
Note: Be sure to add the common IP address and the associated domain name to your DNS service.
1. In the Burb drop-down list, select the appropriate burb.
Note: The Network Address field displays the local IP address for this Sidewinder G2.
2. In the Common IP Address field, type the common IP address for the interface that is shared between the primary and secondaries when they become active.
The cluster address is the address most systems should use to communicate with or through the Sidewinder G2, meaning that DNS, default routes, etc. need to know this address rather than either member's own address.
3. [Optional] In the Remote Test IP field, specify the address that the Sidewinder G2 will periodically ping.
The remote address must be a highly reliable system that is directly attached to the Sidewinder G2 network. For example, if you use a VRRP (Virtual Router Redundancy Protocol) cluster, you can specify the VRRP address of the router as your remote ping address. (However, some VRRP routing clusters will only respond to pings if the configured primary router is currently acting as the primary. If you are using this type of VRRP routing cluster, you should use an alternative remote address; otherwise a router failover could be misread as a firewall interface failure.)
For load sharing HA, if the remote ping fails on one of the two cluster members, that member will become unavailable until the remote system is again detected. If there is only one active cluster member and a remote ping failure is detected, that member will audit the failure and remain in the cluster until another member joins the cluster (without a ping failure), or until the remote system is detected.
Note: If you specify 255.255.255.255 in this field, HA will only test the link status of the interface rather than send data to verify that the path is up.
4. Click OK to save the cluster address information and return to the Local Parameters tab. (To exit the window without saving your changes, click Cancel.)
Figure 207: Local Parameters tab
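As an added illustration (not code from the guide or from the product) of the Interface Test settings from step 5 of the previous procedure together with the Remote Test IP just described, the following shell functions compute the detection window that a given Time Between Tests and Consecutive Failures pair implies, and replay a constructed sequence of remote-ping results through the same consecutive-failure rule. The function names and the sample result sequence are this example's assumptions; the per-ping timeout is not modelled.

```sh
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: what the Interface Test
# settings (Time Between Tests, Consecutive Failures) mean for failover
# detection, plus a replay of constructed remote-ping results through the
# "N consecutive failures" rule the guide describes.

# Print the detection window in seconds as "MIN MAX":
#   MIN - the primary died just before a test was issued, so that test is
#         already failure 1 and only N-1 further intervals are needed;
#   MAX - it died just after a test succeeded, so almost a full interval
#         passes before failure 1 (the case the guide's note warns about).
# The ping timeout itself is not included.
# Usage: detection_window TIME_BETWEEN_TESTS CONSECUTIVE_FAILURES
detection_window() {
    interval=$1; failures=$2
    [ "$failures" -ge 1 ] || { echo "Consecutive Failures must be >= 1" >&2; return 1; }
    echo "$(( interval * (failures - 1) )) $(( interval * failures ))"
}

# Replay ping results ("ok" or "fail"), one per test interval, and print the
# 1-based index of the test at which takeover would be triggered, or "none".
# A successful ping resets the counter, which is what "consecutive" implies.
# Usage: takeover_test_index CONSECUTIVE_FAILURES result...
takeover_test_index() {
    needed=$1; shift
    run=0; i=0
    for r in "$@"; do
        i=$(( i + 1 ))
        case $r in
            fail) run=$(( run + 1 )) ;;
            ok)   run=0 ;;
            *)    echo "bad result '$r'" >&2; return 1 ;;
        esac
        if [ "$run" -ge "$needed" ]; then
            echo "$i"
            return 0
        fi
    done
    echo none
}

# Constructed sample: tests every 5 seconds, 3 consecutive failures needed.
# Two isolated failures do not trigger takeover; three in a row do.
sample="ok fail ok fail fail fail ok"
echo "takeover at test $(takeover_test_index 3 $sample) of: $sample"
echo "detection window (seconds): $(detection_window 5 3)"
```

Use the window to sanity-check a candidate pair before saving it: a short interval with a low failure count detects quickly but makes a single lost ping to a busy remote test host look like an outage.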
Modifying HA local parameters
To configure local HA parameters, connect to the Sidewinder G2 using the Admin Console and select Firewall Administration > High Availability. (If you have already configured HA, the High Availability option will appear directly beneath the Sidewinder G2 icon.) Select the Local Parameters tab. The window shown in Figure 207 (Local Parameters tab) appears.
About the Local Parameters tab
The Local Parameters tab specifies the parameters that are unique to a particular Sidewinder G2 in your HA configuration. Follow the steps below.
1. In the Cluster Mode area, select one of the following options:
• Designate as part of a Load Sharing High Availability Cluster: select this option if you want to configure load sharing HA (both Sidewinder G2s actively process traffic).
• Designate as part of a Primary/Standby High Availability Cluster: select this option if you want to configure failover HA (only one Sidewinder G2 processes traffic, with the other Sidewinder G2 acting as a hot backup).
Note: To configure load sharing HA or peer-to-peer failover HA, the Sidewinder G2s must have the same hardware configuration. For more information on each HA configuration option, see "HA configuration options" on page 489.
2. [Conditional] If you selected Primary/Standby in the previous step, select one of the following options in the Cluster Mode area:
• Primary: select this option if this Sidewinder G2 will be the primary in your network. (This option is only used for the dedicated primary-standby HA configuration.)
• Standby: select this option if this Sidewinder G2 is a standby in your network, or if you are configuring peer-to-peer HA.
Note: For peer-to-peer HA, you must configure each Sidewinder G2 as a standby.
3. In the Control field, select Enabled to enable HA for this Sidewinder G2. (To disable HA, select Disabled.)
Note: You must reboot before the HA configuration will take effect.
4. [Conditional] In the Takeover Time field, specify the number of seconds that the primary must be unavailable (that is, no heartbeat has been received from it) before the secondary/standby will begin the takeover process.
Note: If the primary in an HA cluster goes into failure mode and the secondary/standby is not available, the primary will remain as the primary, but the Takeover Time value for that Sidewinder G2 will change to one, ensuring that if a secondary/standby becomes available, it can take over as the primary.
The secondary/standby Takeover Time value will differ depending on the type of HA configuration you are using:
• Load sharing Takeover Time: the takeover time must be the same for EACH Sidewinder G2 that is participating in the load sharing HA configuration. The default value is 13 seconds for load sharing configurations.
• Primary-standby Takeover Time: the takeover time for the primary is 3 seconds by default and cannot be modified. This value ensures that the designated primary will become the actual primary when it is activated. The default for the standby is 13 seconds.
Note: If you assign a standby Takeover Time value that is too close to 3 seconds, the standby may attempt to take over as the primary during periods when the primary is too busy processing data traffic to send the heartbeat, causing a spurious failover.
• Peer-to-peer Takeover Time: the takeover time must be the same for EACH Sidewinder G2 that is participating in the peer-to-peer HA configuration. The default value is 13 seconds.
Scheduling a soft shutdown for an HA cluster Sidewinder G2
When a Sidewinder G2 that belongs to an HA cluster is shut down by an administrator (for example, to perform scheduled maintenance), a soft shutdown will automatically occur (assuming the shutdown time is not immediate). A soft shutdown provides a buffer period before the actual shutdown occurs, during which the Sidewinder G2 stops accepting new connections while allowing most existing connections to complete before it actually shuts down. IP filter processing is also transferred to the remaining Sidewinder G2.
By default, the soft shutdown process will begin 30 minutes prior to a scheduled shutdown. If the shutdown is scheduled to occur in less than 30 minutes, the soft shutdown process will begin immediately and will remain in effect until the actual shutdown time occurs. You can also manually increase or decrease the length of the soft shutdown period.
For example, suppose you configure the Sidewinder G2 to shut down in two hours using the default soft shutdown of 30 minutes. The Sidewinder G2 will continue to accept and process connections for 1.5 hours. When the Sidewinder G2 is 30 minutes from the shutdown time, it will stop accepting new connections and existing connections will have 30 minutes to complete. After the soft shutdown period completes, the Sidewinder G2 will shut down and will be unavailable until it is rebooted.
The soft shutdown period is specified via the command line. If you schedule a shutdown using the Admin Console, the default soft shutdown time will be applied. The following bullets provide examples of configuring an HA cluster Sidewinder G2 for shutdown:
• If you want the soft shutdown process to begin immediately, use the following command (the Sidewinder G2 must be shut down or manually rebooted once the soft shutdown process is complete):
    cf failover softshutdown
• To configure the soft shutdown to occur for a specific amount of time, use the following form:
    shutdown -s [soft_shutdown_time] [shutdown_time]
The soft_shutdown_time specifies the length of the soft shutdown period (or, when given as an absolute time, when it begins). The shutdown_time specifies the time at which the actual shutdown will occur. Each variable can be specified either as a number of minutes or as an exact date and time. If you are specifying the number of minutes, you must include a plus (+) sign in front of the minutes.
For example, if you want the Sidewinder G2 to shut down on Saturday, June 12, 2004 at 11:00 am with a 15 minute soft shutdown period, you would enter the following command (the date and time are written as yymmddhhmm):
    shutdown -s +15 0406121100
In this case, the soft shutdown process would begin at 10:45 am, and the Sidewinder G2 would shut down at 11:00 am on the specified day.
If you want the Sidewinder G2 to begin the soft shutdown at 6:00 am with an actual shutdown at 6:20 am, you would enter the following command:
    shutdown -s 0600 0620
Note: For a complete listing of shutdown options, refer to the shutdown man page.
You can cancel a scheduled shutdown at any time before the soft shutdown period begins (by default, before the final 30 minutes) by entering the shutdown -c command. However, once the Sidewinder G2 has entered soft shutdown mode, this command will no longer cancel the soft shutdown process. When the soft shutdown process is complete, you will need to reboot the Sidewinder G2 before it will properly function as part of the HA cluster.
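The following shell script is an added example, not part of the guide or of the firewall software: a dry-run planner that validates the two arguments of the shutdown -s form shown above, applies the cancellation rule just described, and prints the exact command an administrator would then type, without invoking shutdown itself. The function names are this example's own; treating an explicit soft period that is longer than the time remaining as "start immediately" mirrors the guide's rule for the 30-minute default and is an assumption here.

```sh
#!/bin/sh
# Added example, not from the Sidewinder G2 guide: a dry-run planner for
# "shutdown -s SOFT_SHUTDOWN_TIME SHUTDOWN_TIME". It validates both
# arguments in the forms the guide allows (+MINUTES, or an absolute hhmm /
# yymmddhhmm time), works out when the soft period starts and whether
# "shutdown -c" can still cancel, and prints the command instead of running
# it. Running shutdown(8) is deliberately left to the administrator.

# Classify one time argument: prints "rel MINUTES" or "abs VALUE", else fails.
time_kind() {
    case $1 in
        +[0-9]|+[0-9][0-9]|+[0-9][0-9][0-9]|+[0-9][0-9][0-9][0-9])
            echo "rel ${1#+}" ;;
        [0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            echo "abs $1" ;;
        *)  echo "bad time '$1' (use +MINUTES, hhmm or yymmddhhmm)" >&2; return 1 ;;
    esac
}

# Minutes from now until the soft shutdown begins, for relative arguments.
# A shutdown sooner than the soft period starts the soft period at once
# (the guide states this for the 30-minute default; applying it to an
# explicit -s value is this example's assumption).
# Usage: soft_start_offset SOFT_MINUTES SHUTDOWN_MINUTES
soft_start_offset() {
    if [ "$2" -le "$1" ]; then echo 0; else echo $(( $2 - $1 )); fi
}

# "shutdown -c" only works before the soft period begins.
# Usage: cancel_possible MINUTES_ELAPSED SOFT_MINUTES SHUTDOWN_MINUTES
cancel_possible() {
    [ "$1" -lt "$(soft_start_offset "$2" "$3")" ] && return 0
    return 1
}

# Print the plan and the command. Usage: plan_soft_shutdown SOFT_TIME SHUTDOWN_TIME
plan_soft_shutdown() {
    soft=$(time_kind "$1") || return 1
    hard=$(time_kind "$2") || return 1
    set -- $soft $hard          # -> kind1 value1 kind2 value2
    if [ "$1" = rel ] && [ "$3" = rel ]; then
        off=$(soft_start_offset "$2" "$4")
        echo "soft shutdown starts in $off min, shutdown in $4 min: shutdown -s +$2 +$4"
    elif [ "$1" = rel ] && [ "$3" = abs ]; then
        echo "soft shutdown starts $2 min before $4: shutdown -s +$2 $4"
    elif [ "$1" = abs ] && [ "$3" = abs ]; then
        echo "soft shutdown starts at $2, shutdown at $4: shutdown -s $2 $4"
    else
        echo "this example does not plan an absolute soft time with a relative shutdown time" >&2
        return 1
    fi
}

# The two commands from the guide, replayed as dry runs.
plan_soft_shutdown +15 0406121100
plan_soft_shutdown 0600 0620
```

Review the printed line, then paste the command portion into the firewall's command line; the planner never touches the system itself.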
Connecting directly to a secondary/standby
When you have an HA cluster configured, most areas for each Sidewinder G2 are managed by connecting to the HA cluster address. However, if your Sidewinder G2s are configured for secure split SMTP mail and/or hosted DNS, you will need to connect directly to the secondary/standby to manage those areas. (You can still manage the primary for these areas by connecting to the HA cluster.)
To connect directly to a Sidewinder G2 that is part of an HA cluster, do the following:
1. In the Admin Console, add the Sidewinder G2 to which you want to connect. See "Adding a Sidewinder G2 to the Admin Console" on page 20. Be sure to use the Sidewinder G2's actual IP address, not the common IP address.
2. Connect directly to that Sidewinder G2, and make the necessary changes.
When you connect directly to a Sidewinder G2 that is part of an HA cluster, a warning message will appear explaining that any changes you make may be overwritten by the cluster configuration. Modifications made to the SMTP and/or DNS areas will not be overwritten if you have configured secure split SMTP mail and/or hosted DNS.
CHAPTER 18
Monitoring
In this chapter...
Monitoring Sidewinder G2 status using the dashboard ... 514
Viewing device information ... 515
Viewing network traffic information ... 518
Viewing IPS attack and system event summaries ... 521
Monitoring Sidewinder G2 status using the command line ... 525
Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the dashboard
Figure 208: The dashboard
The Admin Console allows you to monitor status information on your Sidewinder G2 using its dashboard. The monitord server records data about the system and traffic status. Auditbots detect packets and traffic patterns that may be of interest to administrators. The dashboard gathers this data from those and other Sidewinder G2 components and provides a centralized view of important system and audit data. This window displays summary data and specific audit events.
For additional audit information, see Chapter 19.
The dashboard allows you to monitor the following Sidewinder G2 areas:
• Device information (version, uptime, configuration state, etc.)
• Network traffic (active VPN and proxy sessions, interface status, etc.)
• Recently detected attack activity
• System events (hardware and software failures, log overflows, etc.)
You can set this information to refresh automatically or on demand.
When you log into the Admin Console, the dashboard displays. To view the dashboard at any other time, click the top node of the tree, labeled sidewinderg2 Dashboard. A window similar to Figure 208 appears.
About the dashboard
The dashboard allows you to monitor various Sidewinder G2 areas. It displays statistics recorded since the last reboot. From the dashboard, you can:
• Monitor the Sidewinder G2's status: monitor general system information, what traffic is passing through the Sidewinder G2, and system and attack events. For more information on each area, see the following sections:
  - "Viewing device information" on page 515
  - "Viewing network traffic information" on page 518
  - "Viewing IPS attack and system event summaries" on page 521
• View additional information: learn more about any given area by clicking the appropriate link or magnifying glass icon.
• Change the refresh rate: indicate how often the dashboard will refresh by using the Refresh Rate field. Valid values range from 30 seconds to 30 minutes. There is also a Manual Refresh option. The default is 5 minutes. When you modify the refresh rate, the change will not take effect until the next scheduled refresh time. To make the change take effect immediately, change the refresh value and click the Refresh icon.
• Launch the State Change Wizard: start the State Change Wizard by clicking the Change link.
• Disconnect: disconnect the current Admin Console session by clicking the Disconnect button.
Viewing device information
Figure 209: Dashboard: Device Information area
The dashboard's Device Information area, shown in Figure 209, displays basic system information. The device information that this area monitors includes the Sidewinder G2's host name, the amount of time since the last reboot, the Sidewinder G2's date and time, the current Sidewinder G2 version, the serial number, and basic system resource data for the whole system, with the option to view process-specific data as well.
In this area, you can do the following:
• Click Change to change this Sidewinder G2's state. This starts the State Change Wizard. Use the wizard to create a cluster, join an existing cluster, or join an enterprise (also known as registering to a G2 Enterprise Manager).
Tip: Before using the State Change Wizard, determine if your Sidewinder G2 is prepared to change its state. Refer to the "One-To-Many Clusters" chapter and the "High Availability" chapter in the Sidewinder G2 Administration Guide, and the "Managing Registered Sidewinder G2s" chapter in the G2 Enterprise Manager Administration Guide for more information.
• Click System Resources to view process use and disk use information. Both tabs appear in a separate pop-up window.
• Receive feedback that a system resource may be experiencing trouble. If a value turns red, the memory or disk may be getting too full and requires attention. Click System Resources to view more information.
About the System Resources: Process Use tab
Figure 210: System Resources: Process Use tab
This tab displays the status of each process that is currently running on this Sidewinder G2. It provides the following details for each process:
• Process: the name of each running process.
• CPU: the percentage of CPU currently being used by the process.
• Process Size: the total amount of memory the process is using, as opposed to the physical memory it currently occupies.
• Resident Memory: the amount of physical memory the process is using.
On this window, you can do the following:
• Click Refresh to update this tab's data.
• Click the Disk Use tab to view a disk usage snapshot. The window shown in Figure 211 appears.
• Click Close to close this window.
About the System Resources: Disk Use tab
Figure 211: System Resources: Disk Use tab
This tab displays how much of the Sidewinder G2's hard disk space is currently being used. It provides the following details for each disk partition:
• Mounted On: the mount point of each disk partition.
• Percent Used: the percentage of that partition in use.
• Used: the amount of the partition in use.
• Available: the amount of disk space still available in the partition.
• Description: a description of the disk partition.
On this window, you can do the following:
• Click Refresh to update this tab's data.
• Click the Process Use tab to view a process usage snapshot. The window shown in Figure 210 appears.
• Click Close to close this window.
Viewing network traffic information
Figure 212: Dashboard: Network Traffic area
The dashboard's Network Traffic area, shown in Figure 212, displays information on network traffic passing through the Sidewinder G2. View information such as the number of interfaces up and receiving traffic, the number of active IP Filter sessions, the number of active VPN sessions, and the number of active proxy connections.
Use this area of the dashboard to monitor the following:
• Interface Status: displays the status of all physical and VLAN interfaces in the Sidewinder G2 and the total number of inbound/outbound bytes processed since startup. Click Interface Status to view additional information about each interface. See "About the Network Traffic: Interface Status window" on page 519 for more information.
• IP Filter Sessions: displays the number of IP Filter sessions that are currently open on this Sidewinder G2. An IP Filter rule must have Stateful Packet Inspection enabled to create a session, so traffic matched by rules without it is not counted here.
• VPN Sessions: click VPN Sessions to view additional information about configured VPNs. See "About the Network Traffic: Active VPNs window" on page 519 for more information.
• Proxy Connections: lists each proxy that is currently passing traffic and the number of instances. Click Proxy Connections to view additional information about current proxy connections. See "About the Network Traffic: Proxy Connections window" on page 520 for more information.
About the Network Traffic: Interface Status window
Figure 213: Network Traffic: Interface Status window
This window provides traffic information for each of the physical and VLAN network interfaces on this Sidewinder G2.
• Interface: the name of the interface
• IP Address: the IP address assigned to that interface
• Status: whether the interface is up (ready for an active network connection) or down (will not accept an active network connection)
• Connected: Connected if the Sidewinder G2 detects an active network connection (link) on the interface, Disconnected if it does not
You can also view this information at a command line interface by typing netstat -is.
When you are finished viewing the status, click Close.
About the Network Traffic: Active VPNs window
Figure 214: Network Traffic: Active VPNs window
This window allows you to monitor the status of all configured VPNs. The statuses include:
• Idle: no active session.
• Active: one or more sessions have been established for this VPN.
Click Refresh to update the information. Click Close to return to the main window.
About the Network Traffic: Proxy Connections window
Figure 215: Network Traffic: Proxy Connections window
This window allows you to monitor the type and number of active proxy sessions going through the Sidewinder G2. Information provided includes:
• Name: name of the proxy passing traffic
• Count: number of current instances
On this window, you can:
• Click Refresh to update the information.
• Click Close to return to the main window.
About the Network Traffic: TCP State Information window
Figure 216: Network Traffic: TCP State Information window
This window allows you to monitor the various states of the TCP proxy connections going through the Sidewinder G2. Information provided includes:
• TCP State: the TCP connection state (for example ESTABLISHED or TIME_WAIT)
• Count: number of TCP sessions currently in that state
• Description: describes the TCP state
On this window, you can:
• Click Refresh to update the information.
• Click Close to return to the main window.
Viewing IPS attack and system event summaries
The statistics summary area of the dashboard displays a summary of the audit events the Sidewinder G2 detects. By default, the Sidewinder G2 audits packet and traffic patterns it assumes to be an attack. It also audits system events administrators tend to consider important. Each predefined audit event is assigned a severity. The dashboard summarizes the audit events for a given time frame, providing administrators a quick overview of audit activity. View additional details by clicking the magnifying glass icons, links, and audit rows.
Understanding audit event severities
IPS attack audit events are based on anomaly detection. They do not necessarily identify a specific attack, but rather detect unexpected or suspicious deviations from allowed packets and patterns. The severities represent the assumed risk to the Sidewinder G2 and its protected systems had the attack not been blocked. For example, an attack event generated by a commonly occurring packet that is used to gather information is considered a warning. An attack event made up of packets that appear to be crafted and that, if not blocked, could crash a vulnerable system is considered severe or critical. Administrators should immediately investigate all critical attacks. Table 30 defines each severity in more detail.
Table 30: Definitions of IPS attack event severities
Critical: Indicates activity that is definitely an attack and that could have significantly affected a protected system had it not been prevented. At the command line, these audit events are classified as the emergency, alert, critical, and fatal priorities.
Severe: Indicates activity that represents a likely significant attack or policy violation. At the command line, these audit events are classified as the major priority.
Warning: Indicates activity that may be an attack or information gathering, or that represents a minor attempted violation of the site security policy (for example, attempting to use a restricted FTP command). At the command line, these audit events are classified as the minor or trivial priorities.
Chapter 18: Monitoring<br />
Viewing IPS attack and system event summaries<br />
522<br />
Figure 217: Summary statistics area
System audit events are generated by expected and unexpected system behavior. The severities are generally based on the type of action, if any, an administrator should take in response to the event. Whereas a critical event generally requires immediate investigation, a warning generally requires no action from the administrator. Table 31 defines each severity in more detail.
Table 31: Definitions of system event severities
• Critical — Indicates that a system component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention. At the command line, these audit events are classified as emergency, alert, critical, and fatal priorities.
• Severe — Indicates something is occurring in the system that an administrator should know. At the command line, these audit events are classified as a major priority.
• Warning — Indicates something is occurring in the system that an administrator might want to know or might consider trivial. At the command line, these audit events are classified as minor or trivial priorities.
Viewing the summary statistics
The summary statistics area is located in the lower portion of the dashboard.
In this area, you can:
• Change the displayed statistics based on time period by selecting different options in the Display summary statistics for drop-down list. The range of options varies depending on the Sidewinder G2’s uptime.
• View audit data for any system event or attack category by clicking the magnifying glass.
• View a snapshot of all attacks listed by service by clicking Attacks by Service. See “About the Attacks by Service window” on page 523 for more information.
• View and save attack audit data by clicking Most Recent IPS Attacks.
• View an individual audit record by double-clicking that audit event’s row. See “About the Audit Record window” on page 524 for more information.
Use this area of the dashboard to monitor the following:
• System events by severity — Lists system audit events according to severity
• Attacks by severity — Lists audit attack events according to severity
• Attacks by service — Lists audit attack events according to service
• Most recent IPS attacks — Displays the audit events for recent attacks
Note: Use the Admin Console’s IPS Attack Responses and System Event Responses to determine how Sidewinder G2 reacts to different audit events. For more information, see the “IPS Attack and System Event Responses” chapter.
Figure 218: Attacks by Service window
About the Attacks by Service window
This window displays audit of suspect traffic. Information provided includes:
• Name — Name of the service being attacked
• Count — Number of attack instances
On this window, you can:
• Click Refresh to update the information.
• Select a service and click Show Audit to see the audit output. You can also view the audit by clicking the magnifying glass on the main window.
• Click Close to return to the main window.
Figure 219: Audit Record window
About the Audit Record window
When you double-click an audit event in the table, the detailed audit information for that attack appears in a pop-up window. The displayed fields vary, depending on the audit type. In general, the data in an audit message is a tag name followed by a colon and the tag’s value. The following table provides examples and descriptions of fields that may appear in an audit record.
More information on audit fields is available using acat -c |more at a command line interface and in the Sidewinder Export Format application note at www.securecomputing.com/goto/appnotes.
Table 32: Audit data field examples
• facility — The event facility code for the event that audited the message, such as the kernel or FTP
• area — The area in the facility that audited the message, such as a_nil_area or a_proxylib
• type — The event type code, such as t_attack
• category — The event category code, such as c_policy_violation
• priority — The event priority, such as p_major
• *id — IDs that may appear include the process ID (pid), the real user ID (ruid), the effective user ID (euid), the process family ID (fid) and login ID (logid)
• srcservice/destservice — The source or destination service name (/etc/services)
• srcburb/destburb — The source or destination burb number
• reason — The reason the Sidewinder G2 generated an audit record
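The following added example (not code from the guide or from Secure Computing) ties the three tables together: it parses records written in the tag: value form described above, maps the command-line priority to the dashboard severity of Tables 30 and 31, and rebuilds the dashboard's three summary counters (system events by severity, attacks by severity, attacks by service). The tag names come from Table 32; the sample records, the comma-separated record layout, and every priority tag other than p_major are assumptions made for the example.

```python
import re
from collections import Counter

# Tables 30 and 31 group the command-line priorities into the three dashboard
# severities. p_major is the only priority tag shown in Table 32; the other
# p_* names below are an assumption that follows the same naming convention.
PRIORITY_TO_SEVERITY = {
    "p_emergency": "Critical",
    "p_alert": "Critical",
    "p_critical": "Critical",
    "p_fatal": "Critical",
    "p_major": "Severe",
    "p_minor": "Warning",
    "p_trivial": "Warning",
}

# One "tag: value" pair. The record layout assumed here is a comma-separated
# list of pairs; real showaudit/acat output may lay the pairs out differently.
PAIR_RE = re.compile(r"(\w+):\s*([^,]*)")


def parse_record(line):
    """Turn one audit record into a dict of tag -> value."""
    return {tag: value.strip() for tag, value in PAIR_RE.findall(line)}


def severity_of(record):
    """Dashboard severity for a record, or None if the priority is unknown."""
    return PRIORITY_TO_SEVERITY.get(record.get("priority"))


def summarize(lines):
    """Build the dashboard's three counters: system events by severity,
    attacks by severity and attacks by (destination) service."""
    system_by_sev = Counter()
    attacks_by_sev = Counter()
    attacks_by_svc = Counter()
    for line in lines:
        rec = parse_record(line)
        sev = severity_of(rec)
        if sev is None:
            # No usable priority: the record cannot be placed in a severity
            # bucket, so it is left out of the summary rather than guessed.
            continue
        if rec.get("type") == "t_attack":
            attacks_by_sev[sev] += 1
            attacks_by_svc[rec.get("destservice", "unknown")] += 1
        else:
            system_by_sev[sev] += 1
    return system_by_sev, attacks_by_sev, attacks_by_svc


# Constructed sample records in the tag: value form the guide describes.
# Tag names come from Table 32; the values (facility names, the system event
# type, services, reasons) are made up for this example.
SAMPLE_RECORDS = [
    "facility: ftp, area: a_proxylib, type: t_attack, category: c_policy_violation, "
    "priority: p_major, srcburb: 1, destburb: 2, destservice: ftp, "
    "reason: restricted FTP command attempted",
    "facility: kernel, area: a_nil_area, type: t_attack, category: c_policy_violation, "
    "priority: p_minor, srcburb: 1, destburb: 2, destservice: http, "
    "reason: information gathering probe",
    "facility: kernel, area: a_nil_area, type: t_attack, category: c_policy_violation, "
    "priority: p_critical, srcburb: 1, destburb: 2, destservice: ftp, "
    "reason: crafted packet blocked",
    "facility: kernel, area: a_nil_area, type: t_system_event, "
    "priority: p_fatal, reason: subsystem stopped",
    "facility: kernel, area: a_nil_area, type: t_attack, destservice: dns, "
    "reason: record without a priority tag",
]

if __name__ == "__main__":
    titles = ("System events by severity", "Attacks by severity", "Attacks by service")
    for title, counter in zip(titles, summarize(SAMPLE_RECORDS)):
        print(title, dict(counter))
```

Records whose priority tag is missing or unrecognised are dropped from the summary rather than guessed into a bucket, which mirrors the guide's note that not every audit type carries every field.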
Monitoring Sidewinder G2 status using the command line
In addition to what is available on the dashboard, you can use the following commands to check the Sidewinder G2’s system and network status.
Checking system status
Using the commands described in the sections that follow, you can display information on the current status of your network connections and take a look at what is happening on the system.
CPU usage
CPU usage allows you to obtain information on system performance. To view CPU usage information, enter the following commands at a Sidewinder G2 command prompt:
vmstat
uptime
top
Process status
To view the status of all processes currently running on the Sidewinder G2, enter the following command at a Sidewinder G2 command prompt:
ps -axd
This information is useful for tasks such as determining which processes are using a lot of CPU time. The ps command allows you to look at information about the processes running on the system. This command is a variation on the standard UNIX process status command in that it includes information on the Sidewinder G2 domains. To display process information from the UNIX prompt, enter one of the following commands at a Sidewinder G2 command prompt:
• To list process information as well as information on the real domains in which processes are operating, enter the ps -D command. Real domains control the interaction between one process and other processes.
• To list process information as well as information on the effective domains in which processes are operating, enter the ps -d command. Effective domains control the interaction between a process and files.
Note: In most cases, the information displayed for either the real domain (RDOM) or the effective domain (EDOM) will be the same.
In addition to the information you normally get with the ps command, you see domain information similar to the following:
RDOM PID TT STAT TIME COMMAND
Rlg0 7418 p2 IW+ 0:01.30 .u (tcsh)
tcp0 9806 pd Is+ 0:02.05 -tcsh (tcsh)
where:
• EDOM or RDOM — domain name
• PID — process identification number
• TT — terminal line from which the process was initiated
• STAT — current status of the process
• TIME — total amount of CPU time used by the process
• COMMAND — command line used to start the process
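As an added example (not code from the guide or from Secure Computing), the script below reads the domain column from saved ps -D and ps -d output and lists the processes whose real and effective domains differ, since the note above says the two are normally the same and a difference is therefore worth a look. The column layout assumed is the one in the sample output above; the third process row and its differing domain name are constructed for the example.

```python
def parse_ps_domains(output):
    """Parse `ps -D` (RDOM column) or `ps -d` (EDOM column) output into
    {pid: (domain, command)}. The columns assumed are the ones in the guide's
    sample: domain, PID, TT, STAT, TIME, COMMAND."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0].split()
    if header[0] not in ("RDOM", "EDOM"):
        raise ValueError("expected an RDOM or EDOM column first, got %r" % header[0])
    procs = {}
    for row in lines[1:]:
        parts = row.split(None, 5)  # COMMAND may contain spaces, so split at most 5 times
        if len(parts) < 6:
            continue  # truncated line: skip rather than mis-assign columns
        domain, pid, _tt, _stat, _time, command = parts
        procs[int(pid)] = (domain, command)
    return procs


def domain_mismatches(rdom_output, edom_output):
    """Return (pid, real domain, effective domain, command) for every process
    present in both listings whose RDOM and EDOM differ."""
    real = parse_ps_domains(rdom_output)
    eff = parse_ps_domains(edom_output)
    return [
        (pid, real[pid][0], eff[pid][0], real[pid][1])
        for pid in sorted(real)
        if pid in eff and real[pid][0] != eff[pid][0]
    ]


# Constructed sample output. The first two rows are the guide's own sample;
# the third row, and its differing effective domain, are made up.
PS_REAL = """\
RDOM PID TT STAT TIME COMMAND
Rlg0 7418 p2 IW+ 0:01.30 .u (tcsh)
tcp0 9806 pd Is+ 0:02.05 -tcsh (tcsh)
tcp0 9911 pd S+ 0:00.12 netstat -f inet
"""

PS_EFFECTIVE = """\
EDOM PID TT STAT TIME COMMAND
Rlg0 7418 p2 IW+ 0:01.30 .u (tcsh)
tcp0 9806 pd Is+ 0:02.05 -tcsh (tcsh)
tcp1 9911 pd S+ 0:00.12 netstat -f inet
"""

if __name__ == "__main__":
    for pid, rdom, edom, command in domain_mismatches(PS_REAL, PS_EFFECTIVE):
        print("pid %d: RDOM %s != EDOM %s (%s)" % (pid, rdom, edom, command))
```

Because ps -D and ps -d are separate commands, the two listings are taken moments apart; a process that exits or starts between them simply does not appear in both and is ignored, so the function only reports processes seen in both.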
Disk usage
To view statistics about the amount of free disk space on a file system, enter the following command at a Sidewinder G2 command prompt:
df
This information is useful to determine which file systems are using the most disk space.
who
To view who is currently logged onto your Sidewinder G2, enter the following command at a Sidewinder G2 prompt:
who
When you use this utility, you can see the user’s login name, console name, the date and time of their login, and their host name (if it is not a local host).
lloyd console Aug 8 16:12 (rock.foo.bar)
lloyd ttyp0 Aug 7 21:34 (10.1.1.1)
finger
To obtain information about local Sidewinder G2 users, type the following command at a Sidewinder G2 prompt:
finger
When you use this command, you can find out the user names of people at your site, the exact terminal they are logged in on, when they last logged in, and how long they have been logged in.
Login Name Tty Idle Login Time Office Office Phone
lloyd Lloyd Frank *p0 2 Aug 8 16:12 ABC,Inc. 555-1234
lloyd Lloyd Frank *p3 19:03 Aug 7 21:34 ABC,Inc. 555-1234
Checking network status
Using the commands described in the sections that follow, you can display information on the status of your network connections, routing tables, and network utilities. These commands can provide “snapshots” of different aspects of your system with command line outputs.
Note: Output for netstat -i queries will display shared addresses with a plus (+) sign.
Active network connections
To view the status of any active TCP or UDP connections on the Sidewinder G2, enter the following command:
netstat -f inet
Active connections/services
To view the status of all sockets on the Sidewinder G2, enter the following command at a Sidewinder G2 command prompt:
netstat -af inet
Network interfaces
To view the status of the Sidewinder G2’s network interfaces, enter the following command at a Sidewinder G2 command prompt:
netstat -i -n
Routing tables
To view the status of the Sidewinder G2 Operational kernel’s available routes and their status, enter the following command at a Sidewinder G2 command prompt:
netstat -r
route get
The route get command looks up the route for a destination and displays the route in the window. To view this information, enter the following command at a Sidewinder G2 command prompt:
route get ipaddress
The following shows sample output for this command:
route to: rock
destination: rock
gateway: xx.xx.xx.xx
interface: ef2
if address: xx.xx.xx.x
burb: y
flags:
nslookup
The nslookup command queries the DNS database to get all of the information that is available about a particular address. The output includes the name and address of the DNS server used to provide the information, the name of the system you asked about and other data that might be available, such as where e-mail is delivered for the domain.
To view this information, enter either of the following commands at a Sidewinder G2 command prompt:
nslookup ipaddress
OR
nslookup hostname
The following shows sample output for this command.
Server: localhost.foo.bar
Address: 10.2.2.2
Non-authoritative answer:
Name: sharon.foo.bar
Address: 10.1.1.1
dig
The dig (Domain Information Groper) command gathers information from DNS based on an IP address, and obtains the corresponding host name.
dig -x ipaddress any any
; Dig 2.1 homer
;; res options: init recurs defnam dnsrch
;; got answer:
“->>HEADER
ping
The ping command checks whether an Internet system is running by sending packets that the remote system should echo back. As output, ping lists how much time it took for the message to travel to the other system and back, the total number of packets sent and received, the percent of packets lost, and the average and maximum time it took for a round trip. To view this information, enter the following command:
ping -c 5 ipaddress
traceroute
The traceroute command provides information on the gateways an IP packet must pass through to get to a destination. As input, the command needs the host name or IP address of the destination system. It then sends these IP packets from your Sidewinder G2 to that address. As output, it lists the host names and IP addresses of each system the packets were handed off to and how long it took to send each packet back and forth.
To view this information, enter the following command at a Sidewinder G2 command prompt.
traceroute -m 50 -p 33500 ipaddress
CHAPTER 19
Auditing and Reporting
In this chapter...
Overview of the audit process (page 532)
Auditing on the Sidewinder G2 (page 533)
Logging application messages using syslog (page 548)
Generating reports using the Admin Console (page 551)
Generating reports using Sidewinder G2 Security Reporter (page 559)
Formatting & exporting audit data for use with external tools (page 560)
531
Chapter 19: Auditing and Reporting<br />
Overview <strong>of</strong> the audit process<br />
Figure 220: The audit flow
Monitoring, auditing, reporting, and attack and system event responses are closely related pieces of the audit process. They function together to provide information to you about the activity on your Sidewinder G2. On the Sidewinder G2, you can monitor the status of various processes in real time, view stored audit information, generate detailed reports, and have Sidewinder G2 respond to audit events by alerting administrators and ignoring hosts sending malicious packets. The diagram below demonstrates how these pieces are related in the audit flow.
The diagram shows the following flow: programs and the kernel write to the live audit stream (aka /dev/audit), which auditd and auditbotd read; auditd writes /var/log/audit.raw, which auditdbd loads into auditdb.
• Monitoring — Using the Admin Console, you can monitor Sidewinder G2 activity and status in real time using the dashboard.
• Auditing — auditd reads /dev/audit and places the information into audit.raw. This is the recorded audit stream. This is now "history" and contains everything that might be worth viewing. auditbotd has a threshold and can trigger a response (see Chapter 20).
• Reporting — auditdb is an SQL database of information maintained by auditdbd. It contains all relevant audit information. Using the Admin Console, you can filter and view audit information. Using Sidewinder G2 Security Reporter, the Admin Console, or a third-party tool, you can generate detailed, easy-to-read reports.
Auditing on the Sidewinder G2
Auditing is one of the most important features on the Sidewinder G2. The Sidewinder G2 generates audit each time the Sidewinder G2 or any Sidewinder G2 service is stopped or started. Audit is also generated when any of the Sidewinder G2’s audit facilities are modified. Other relevant audit information that is captured includes identification and authentication attempts (successful and failed), network communication (including the presumed addresses of the source and destination subject), administrative connections (using srole), and modifications to your security policy or system configuration (including all administrator activity, such as changing the system time).
Audit can be viewed and monitored using tools such as Sidewinder G2’s dashboard, audit viewing and reporting windows, and the off-box Sidewinder G2 Security Reporter. Sidewinder G2 can also be configured to send alerts for particular types of audit using IPS Attack Responses and System Event Responses.
The Sidewinder G2’s audit facilities monitor the state of log files to minimize the risk of lost data. Log files are compressed, labeled, and stored on a daily basis, and a new “current” log file is created. Using this mechanism, no audit data is lost during the storage transition.
The amount of available audit storage space is monitored very closely on the Sidewinder G2 by the rollaudit and logcheck utilities, which monitor the log file size and rotate log files as needed. (For information on using rollaudit, see “Rollaudit cron jobs” on page 599. For information on using the logcheck utility, refer to the logcheck man page.)
There are three main components to the Sidewinder G2 audit process:
• auditd — This is the audit logging daemon. This daemon listens to the Sidewinder G2 audit device and writes the information to log files. The log files provide a complete record of audit events that can be viewed by an administrator. auditd sends all audit data to a binary file called /var/log/audit.raw.
• auditbotd — The Sidewinder G2 uses a daemon called auditbotd to listen to the audit device and gather the security-relevant information it finds. The auditbot daemon tracks these events and uses its configuration to determine when the data might be indicating a problem and require a response, such as an attempted break-in. If it does detect an audit event that has a configured response, Sidewinder G2 responds accordingly. For more information on configuring IPS attack and system event responses, refer to Chapter 20.
• auditdbd — This daemon maintains the audit database. auditdbd monitors the audit stream and sends reporting information to the MySQL database called auditdb. The auditdbd server is disabled by default.
Important: Reporting services are not available until the auditdbd server is enabled. For information on enabling the auditdbd server, see “Enabling and disabling servers” on page 65.
To view a list of audit databases, enter the following command:
cf audit listdb
A list of audit databases appears. The database named auditdb_1 generally contains the previous day’s information. The database named auditdb_2 is generally from two days ago, and so on.
Understanding audit file names
The /var/log/audit.raw file contains all audit information and network probe audits contained on the Sidewinder G2 in a binary format. When the file is rolled, a timestamp is appended to the file name. The easiest method for viewing the contents of the audit.raw files is to use the Admin Console’s Audit Viewing window. Refer to “Viewing audit information” on page 534.
Tip: If you prefer to view the file contents via command line, refer to the showaudit and acat man pages.
Audit log files use one of two file suffixes:
• *.gz — This suffix is for files in compressed format. These files may be decompressed using acat or showaudit. The default file name format is audit.raw.YYYYMMDDhhmmssZZZ.YYYYMMDDhhmmssZZZ.gz, where the variables represent the date and time (including time zone) of the beginning and end of that audit file’s contents. For example, 20051231020000CST.20060101020000CST.gz is a file that contains audit data from December 31, 2005 at 2:00 am to January 1, 2006 at 2:00 am.
• *.raw — This suffix is for files in raw audit format. These are binary formatted files that can be viewed in ASCII format using the Admin Console or command line.
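To make the rolled file name convention concrete, the following added example (not code from the guide or from Secure Computing) parses the start and end stamps out of rolled file names, picks the file that covers a given moment, and reports gaps between consecutive rolled files, which is the check a practitioner would run to confirm that rotation really left no audit unrecorded. The directory listing is constructed, and the pattern also accepts the guide's example string without its audit.raw. prefix; time zones are kept as the abbreviation in the name rather than resolved, because such abbreviations are ambiguous.

```python
import re
from datetime import datetime

# Rolled file: audit.raw.<start><tz>.<end><tz>.gz, where each stamp is
# YYYYMMDDhhmmss followed by a time zone abbreviation. The prefix is optional
# so that the guide's own example (without "audit.raw.") also parses.
ROLLED_RE = re.compile(
    r"^(?:audit\.raw\.)?(\d{14})([A-Z]{3,4})\.(\d{14})([A-Z]{3,4})\.gz$"
)
STAMP = "%Y%m%d%H%M%S"
LIVE_FILE = "audit.raw"  # the current, not yet rolled, file


def parse_rolled_name(name):
    """Return (start, end, tz) for a rolled file name, or None if it is not one."""
    m = ROLLED_RE.match(name)
    if not m:
        return None
    return (datetime.strptime(m.group(1), STAMP),
            datetime.strptime(m.group(3), STAMP),
            m.group(2))


def file_for(names, when):
    """Name of the file whose [start, end) window contains `when`. Times after
    the newest rolled file belong to the live file; times in a gap or before
    the oldest file map to None."""
    spans = []
    for name in names:
        parsed = parse_rolled_name(name)
        if parsed:
            spans.append((parsed[0], parsed[1], name))
    for start, end, name in spans:
        if start <= when < end:
            return name
    latest_end = max((end for _, end, _ in spans), default=None)
    if LIVE_FILE in names and (latest_end is None or when >= latest_end):
        return LIVE_FILE
    return None


def find_gaps(names):
    """(end_of_previous, start_of_next) for each pair of consecutive rolled
    files that do not abut, i.e. windows for which no audit file exists."""
    spans = sorted(p[:2] for p in map(parse_rolled_name, names) if p)
    gaps = []
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps


# Constructed listing of /var/log; the file for Jan 1 02:00 to Jan 2 02:00
# is deliberately missing so that find_gaps has something to report.
SAMPLE_DIR = [
    "audit.raw",
    "audit.raw.20051230020000CST.20051231020000CST.gz",
    "audit.raw.20051231020000CST.20060101020000CST.gz",
    "audit.raw.20060102020000CST.20060103020000CST.gz",
]

if __name__ == "__main__":
    print(file_for(SAMPLE_DIR, datetime(2005, 12, 31, 14, 0, 0)))
    for prev_end, next_start in find_gaps(SAMPLE_DIR):
        print("no audit file covers %s to %s" % (prev_end, next_start))
```

A gap reported by find_gaps does not by itself mean audit was lost (a file may have been moved off the box), but it is the first thing to check against the daily rotation described above.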
Viewing audit information
Using the Admin Console, you can view the information contained in the audit log files. The Admin Console Audit Viewing window allows you to view audit information in real time, or for a specific time frame that you select. You can also apply filters to view specific types of audit information within a specific time frame. To view audit information using the Admin Console, follow the steps below.
Using the Admin Console, select Audit and Reports > Audit Viewing. The following window appears.
Figure 221: Audit Viewing: View Mode tab
About the View Mode tab
This tab allows you to configure the type of audit information you want to view. You can view the audit events via the Admin Console, or you can export the audit events to a text file for viewing or printing. Follow the steps below.
1 In the Select a Viewing Mode area, select one of the following:
• Real Time — Select this option and go to step 3 if you want to view streaming audit in real time.
• Snapshot — Select this option and continue to step 2 if you want to view audit messages within a specific time frame.
Important: The Audit Data Timespan field (located in the top portion of the Audit Data window) displays the range of audit data that is available on the Sidewinder G2 for viewing. If you select Snapshot mode, the audit time frame you select must fall within this range.
2 [Conditional] If you selected Snapshot mode, specify the start and end time for the period of audit data that you want to view, as follows:
a Select the start and end months in the corresponding month drop-down lists.
b Select the start and end years in the corresponding year lists. You can either use the up and down arrows to advance the time ahead or back, or you can click in the field and modify it manually.
c Select the start and end days in the corresponding calendars by clicking the appropriate dates.
d Select the start and end time in the corresponding Time fields. You can either use the up and down arrows to advance the time ahead or back, or you can click in the field and modify it manually.
Tip: To set the start date to the earliest available date, click Start of Data. To set the end date to the current date and time, click Now. The date and time fields will automatically fill in the correct information.
Figure 222: Snapshot Audit Data window
3 In the Lines Per Page field, type the number of audit events that you want available within each page of audit. Valid values are 5–500. For example, if you select 50 audit events per page, you can scroll through 50 events at a time.
Use the scroll bar to view all audit events within a page if needed.
4 [Conditional] If you want to set up filtering options for the audit data, select the Filtering tab and see “Filtering audit data” on page 539.
5 Once you have configured the time frame of audit events, do one of the following:
• To export the audit information to a text file that you can edit and print, click Export and see “Exporting audit data” on page 538.
Note: The Export option is only available if you selected Snapshot in step 1.
• To view the results of your audit query in the Audit Data window, click View. The Audit Data window appears as a separate pop-up window.
About the Audit Data window
This window allows you to view the audit events that you selected in the Audit Viewing window. Each audit event appears as a single row in the table. Use the scroll bars to view all of the information in the table. If you selected Real Time audit data, the table will be grayed out and will populate with audit events as they happen in real time. You cannot modify the table or events while real time audit is running.
The number of audit events you can scroll through on each page is dependent on the Lines Per Page value you entered in the Audit Viewing window (see page 535). For example, if you selected 50 audit events per page, you can scroll through 50 events at a time. To move to the next 50 events, click Next Page or Previous Page, accordingly.
When you click an audit event in the table, the detailed audit information for that audit event is displayed in the bottom portion of the window (it also appears in the Info column). The following information is displayed in the table:
Note: Some audit types will not contain information for each table column. If a column is blank, that information does not apply for that particular audit event.
• Time — This column lists the time at which an audit event occurred.
• Type — This column lists the type of each audit event (for example, Administration configuration change indicates that the audit event represents a configuration change made on the Sidewinder G2).
• Service — This column lists the service type associated with an audit event.
• Source IP — This column lists the source IP address associated with an audit event.
• Source Burb — This column lists the source burb associated with an audit event.
• Dest IP — This column lists the destination IP address associated with an audit event.
• Dest Burb — This column lists the destination burb associated with an audit event.
• Info — This column provides detailed audit information associated with an audit event. (This information is also displayed in the bottom portion of the window if you click an audit event.)
Ordering the audit event table
Initially, the audit events are listed in chronological order. However, you can reorder any column alphabetically or numerically by clicking the heading. You can also right-click a heading to select a default filtering option or create a custom filter. For information on filtering tables, see “Admin Console conventions” on page 25.
To view the details of a particular audit event in the real time audit results, you must first click Stop to end real time audit. This will enable the table and allow you to use the window as you would if you were viewing a snapshot of audit events.
Important: If you click Stop when viewing audit events in real time and then click Start, the table will be cleared and new real time audit events will be displayed as they happen.
Figure 223: Export Audit<br />
Data window<br />
About the Export<br />
Audit Data window<br />
Saving audit events<br />
To save some or all audit events listed in the Audit Viewing window, do one <strong>of</strong><br />
the following:<br />
• To save all of the audit events listed, click Save All. The Export Audit Data window appears. (Click Browse to specify a location in which to save the audit information.) To save the information, click Save (or click Save and View to save the file and launch the file for viewing).
• To save selected audit events, press and hold the Ctrl key while clicking in the row of each audit event you want to save. When you have selected all of the audit events you want to save, click Save Selected. The Export Audit Data window appears. (Click Browse to specify a location in which to save the audit information.) To save the information, click Save (or click Save and View to save the file and launch the file for viewing).
Exporting audit data
To export audit data to a text file that can be viewed and printed, click Export in the Audit Viewing window (or Save/Save and View in the Audit Data window). A message appears warning you that the export process may take a while, depending on the number of results you are exporting. Click Yes to continue the Export process. The Export Audit Data window appears. (If you want to cancel the export action, click No.)
Tip: If you do not want the warning message to appear each time you export audit data, select the Don’t Show Dialog Again check box.
This window allows you to export the audit data you specified in the Audit Viewing or Audit Data window. Follow the steps below.
1 In the Filename field, specify the file name and location for the audit data you are exporting.
2 To specify the location where the file will be saved, click Browse and select the desired path.
Figure 224: Audit Viewing: Filtering tab
3 In the Export Format area, select one of the following:
• ASCII Audit — Select this option to save the audit information in ASCII format. This allows you to open the file using any standard text editor, such as Notepad.
• ASCII Sidewinder Export Format — Select this option if you want to convert the data into ASCII text and export it in the Sidewinder Export Format (SEF). This format is used in the Sidewinder G2 Security Reporter and can also be used with third-party reporting tools.
4 To save the file, select one of the following:
• Click Save to save the file to the specified location for later viewing.
• Click Save and View to save the file to the specified location and launch the file using a standard text editing program (such as Notepad).
• Click Close to exit the window without saving the file.
Filtering audit data
To filter the type of audit data you want to view, select the Filtering tab in the Audit Viewing window. The Filtering tab appears.
This tab allows you to configure filters to display or exclude certain types of audit events. Follow the steps below.
1 In the Audit Types area, select the types of audit events that you want to view. For descriptions of these filters, see Table 33 on page 540.
To select all of the filters, click Select All. To clear all of the filters and clear any current selections, click Deselect All.
2 In the Advanced area, you can further refine the filter(s) you selected by specifying any of the following information:
• Source Burb — Select this option to receive audit events generated by the source burb.
• Source IP Address — Select this option to receive audit events generated by the source IP address.
• Number Of Bits — If you selected Source IP, type the number of bits for the source IP address that you want to filter.
• Destination Burb — Select this option to receive audit events generated by the destination burb.
• Destination IP Address — Select this option to receive audit events generated by the destination IP address.
• Number Of Bits — If you selected Destination IP, type the number of bits for the destination IP address that you want to filter.
• Service — Select this option and enter a service name to receive only audit events generated by that service.
3 To customize the filter expression to view more specialized audit information, select the Custom check box. For example, if you want to view HTTP attack audit events for a user named Lloyd, you would type the following information in this field:
type t_attack and cmd httpp and username Lloyd
You can also use the pre-defined filters as building blocks to create your own custom filter. To do this, you will need to clear the Custom check box, select the pre-defined filters that you want to use, and then select the Custom check box. You can then modify the filter as needed without having to create it completely from scratch.
You cannot save a customized filter that you create in the Audit Filtering window. However, you can create and save custom filters using cf audit. Filters that you create will appear in the filter list when you next access the Filtering tab.
For detailed instructions on creating custom audit filters, refer to the sacap_filter man page. See “Creating custom audit filters” on page 544 for more information.
Table 33: Pre-defined audit filters
Attack — Description
ACL deny — Detects when a connection is denied by a rule in the active policy.
Access Control List — Detects all ACL audit events.
Application Defense violation all — Detects attacks of all severities that violate active policy defined by Application Defenses. This attack category includes spam filter attacks and keyword filter failure attacks.
Application Defense violation severe — Detects when severe attacks violate active policy defined by Application Defenses, including spam filter reject and keyword filter reject audits.
DOS all — Detects Denial of Service attacks of all severities. This attack category also detects all severities of TCP SYN attacks and proxy flood attacks.
DOS severe — Detects severe Denial of Service attacks. This attack category also detects TCP SYN attacks and proxy flood attacks. Severe attacks indicate something is occurring that an administrator should know.
HA failover — Detects when a failover IP address changes because a High Availability cluster failed over to its secondary/standby.
IPFilter deny — Detects when a connection is denied by the active IP Filter policy.
IPSEC error — Detects when traffic generates IPSEC errors.
TCP SYN attack — Detects a possible attempt to overrun the Sidewinder G2 with connection attempts.
Type Enforcement — Detects when there is a TE violation due to an unauthorized user or process attempting to perform an illegal operation.
VPN — Detects VPN audit events.
all audit — Detects all attack and system events, regardless of type.
attack all — Detects attack events of all severities. This option also detects all severities of Application Defense violation attacks, buffer overflow attacks, DOS attacks, general attacks, policy violation attacks, protocol violation attacks, and content security violation attacks.
attack severe — Detects severe attacks. This option also detects Application Defense violation attacks, buffer overflow attacks, general attacks, DOS attacks, policy violation attacks, protocol violation attacks, and content security violation attacks. Severe attacks indicate something is occurring that an administrator should know.
buffer overflow attack — Detects attempted buffer overflow attacks targeted at systems protected by the Sidewinder G2.
config change — Detects when the Sidewinder G2’s configuration changes.
content security violation — Detects attacks of all severities that are content security violations. This attack category detects spam, keyword reject, mime virus change, and mime virus reject attacks.
content security violation severe — Detects severe attacks that are content security violations. This attack category detects spam, keyword reject, mime virus change, and mime virus reject attacks. Severe attacks indicate something is occurring that an administrator should know.
denied authentication — Detects when a user attempts to authenticate and enters invalid data. For example, if a user is required to enter a password and entered it incorrectly, the denied auth event would log the event.
error — Detects all system events identified as AUDIT_T_ERROR in the audit stream.
general attack all — Detects general attacks of all severities that do not fall into the pre-defined categories.
general attack severe — Detects severe general attacks that do not fall into the pre-defined categories. Severe attacks indicate something is occurring that an administrator should know.
hardware software failure — Detects when a hardware or software component fails.
host license exceeded — Detects when the number of hosts protected by the Sidewinder G2 exceeds the number of licensed hosts.
keyword filter failure — Detects when an SMTP mail message is rejected due to a configured keyword filter.
license expiration — Detects when a licensed feature is about to expire.
log overflow — Detects when the log partition is close to filling up.
mime virus — Detects when a connection is rejected due to the MIME or Anti-virus policy.
network probe — Detects network probe attacks, which occur any time a user attempts to connect or send a message to a TCP or UDP port which has no service.
network traffic — Detects all connections that successfully pass through the Sidewinder G2.
not config change — Detects all attack and system events that are not configuration changes.
policy violation all — Detects attacks of all severities that violate the active policy. This attack category also detects all severities of failed authentication attacks, ACL and IP Filter deny attacks, and Type Enforcement error attacks.
policy violation severe — Detects severe attacks that violate the active policy. This attack category also detects failed authentication attacks, ACL and IP Filter deny attacks, and Type Enforcement error attacks. Severe attacks indicate something is occurring that an administrator should know.
power failure — Detects when an Uninterruptible Power Supply (UPS) device detects a power failure and the Sidewinder G2 is running on UPS battery power.
protocol violation all — Detects attacks of all severities that violate protocol compliance.
protocol violation severe — Detects severe attacks that violate proxy protocols (HTTP, Telnet, FTP, etc.). Severe attacks indicate something is occurring that an administrator should know.
proxy flood — Detects potential connection attack attempts. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try and flood the system. When NSS receives more connection attempts than it can handle for a proxy, new connections to that proxy are briefly delayed (to allow the proxy to “catch up”), and the attack is audited.
spam filter failure — Detects when an SMTP mail message is classified as spam by the spam filtering policy.
syslog — Detects all audit attacks and system events created via syslog.
system all — Detects all system events of all severities, including power failures, hardware and software failures, failover events, license expiration, host license exceeded, log overflows, and IPSEC errors.
system critical — Detects all critical system events, including power failures, hardware failures, critical software failures, and failover events. Critical system events indicate a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention.
system critical and severe — Detects critical and severe system events including power failures, hardware failures, critical and severe software failures, failover events, license expiration, log overflows, and IPSEC errors. Critical system events indicate a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention. Severe attacks indicate something is occurring that an administrator should know.
system shutdown — Detects when a UPS is running out of battery power or has been on battery power for the estimated battery time.
Creating custom audit filters
The Custom option in the Filter By field allows you to define a custom filter to view more specialized audit information. The basic structure includes specifying:
• The type or facility for which you want to search, using one of the following formats:
– name (AUDIT_T_TYPE as in AUDIT_T_ATTACK, AUDIT_F_FACILITY as in AUDIT_F_LOGIN)
– short message (attack, login)
– short message prepended with classification indicator (t_attack, f_login)
Note: This format appears in audit records and is useful when copying or pasting directly from audit output.
• Additional fields to further specify the audit results. Fields can be separated by Boolean operators (and, or, not) and grouped by parentheses.
The following examples demonstrate the basic structure used to create custom audit filters.
Note: Table 34 provides a list of the available fields (for example, facility, type, service, user, etc.) that you can use to filter your audit search.
Example 1: Filtering for login records
The following example shows the format used to display all system login records (successful and unsuccessful):
facility f_login
If you want to view login records for a specific user, you would include a user name, as follows:
facility f_login and username Josephine
Example 2: Filtering for services and users
The following example shows the format used to display HTTP network traffic audit records for a user named Lloyd:
type t_attack and cmd httpp and username Lloyd
where:
• type t_attack — This field will filter audit records for all attack events.
• cmd httpp — This field will filter the attack audit events to include only HTTP service records.
• username Lloyd — This field will filter the HTTP attack events to include only events that are specific to actions performed by user name “Lloyd.”
Example 3: Filtering for specific ports and IP addresses
The following example shows the format used to display all network probe events on port 37337 and subnet 192.168.124.0/24 originating from burbs 3 or 4. Enter text on one line:
type t_netprobe and dst_port 37337 and dst_ip 192.168.124.0/24 and (src_burb 3 or src_burb 4)
where:
• type t_netprobe — This field will filter audit records for all network probe events.
• dst_port 37337 — This field will filter the network probe events to include only records with a destination port of 37337.
• dst_ip 192.168.124.0/24 — This field will filter the network probe events to include only records with a destination IP address of 192.168.124.0/24.
• (src_burb 3 or src_burb 4) — This information will filter the network probe events to include only records with a source burb of 3 or 4.
Example 4: Excluding information in a filter
You can explicitly exclude certain types of audit information by placing the word “not” in front of a field. For example, the custom filter shown below will display all audit records EXCEPT attack records originating from the source IP address 172.17.9.28:
not type t_attack and src_ip 172.17.9.28
where:
• not type t_attack — This field will exclude any attack-based audit events.
• src_ip 172.17.9.28 — This field will filter the non-attack audit events for records with a source address of 172.17.9.28.
Table 34: Custom audit filter fields
Field — Description
facility — Specify an event facility code (such as AUDIT_F_LOGIN, AUDIT_F_PROXY, etc.). For a complete list of the available facility codes, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more
type — Specify an event type code (for example, type AUDIT_T_NETTRAFFIC). For a complete list of the available type codes, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more
category — Specify an event category code (for example, AUDIT_C_POLICY_VIOLATION). For a complete list of the available category codes, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more
eventid — Specify an event identifier code (for example, AUDIT_R_LICEXCEEDED). For a complete list of the available event identifiers, at a Sidewinder G2 prompt, enter the srole command and then enter the following command: acat -c | more
pid — Specify the process ID of the auditing process.
pgid — Specify the process group ID of the auditing process.
ruser — Specify the real user ID of the auditing process.
euser — Specify the effective user ID of the auditing process.
username — Specify a user name.
src_ip — Specify the source IP address using the dotted decimal IP version 4 notation, with optional mask bits separated by a slash (/).
dst_ip — Specify the destination IP address using the dotted decimal IP version 4 notation, with optional mask bits separated by a slash (/).
src_port — Specify the TCP or UDP source port.
dst_port — Specify the TCP or UDP destination port.
src_burb — Specify the source burb number.
dst_burb — Specify the destination burb number.
service — Specify the type of service (for example, Telnet, FTP, WebProxy, etc.).
vpn_l_gw — Specify a VPN local gateway using the standard dotted decimal IP version 4 notation with optional mask bits separated by a slash (/).
vpn_r_gw — Specify a VPN remote gateway using the dotted decimal IP version 4 notation with optional mask bits separated by a slash (/).
Understanding audit messages
When viewing audit messages in the Admin Console, the form may vary depending on the purpose and content of the message. The form of the first two lines is the same for all audit messages, and provides general information about the process generating or causing the audit. The third line will vary, but usually includes Type Enforcement information and possibly some additional information. The other lines of an audit message will vary depending on the type of audit message.
Important: To view audit message files, see “Viewing audit information” on page 534.
Sample audit message
The message below is an example of a Type Enforcement audit message (using the te_filter filter). The numbers have been added to link the example line with the bullets below.
(1)Jan 17 08:16:20 2006 CST f_kernel a_tepm t_ddtviolation p_major
(2)pid: 19499 ruid: 100 euid: 100 pgid: 19499 fid: 0 logid: 100 cmd: 'grep'
(3)domain: User edomain: User hostname: myg2.example.com
(4)permwanted: 1 permgranted: 0 srcdmn: User filedom: Admn filetyp: file
(5)file: rc.local OP: 0x2000042 perm wanted: 0x1 perm granted: 0x0
• Line 1 — This line lists the date and time, the facility that audited the message (such as the Kernel, FTP or Telnet), the location (known as the area) in the facility that audited the message (such as general area or Sidewinder G2 library), the type of audit message (such as Domain Definition Table Type Enforcement violation or access control list) and the priority of the message (such as major or minor).
Note: Network probe attempts do not contain lines two or three.
• Line 2 — This line lists the process ID, the real user ID, the effective user ID, the process group ID, the process family ID (Sidewinder G2-specific) and the command associated with the process ID.
• Line 3 — This line lists the real domain the process is running in and the effective domain (the domain for which the process is given permission). This also lists the system’s host name.
• Lines 4 and 5 — These lines provide nine pieces of data. The fourth line contains the integer representation of the permissions requested by the process and granted to the process, the domain of the requesting process, and the type of file that the process is requesting access to. The fifth line contains the filename and the permissions wanted and granted for the file.
In general, the data in an audit message is a tag name followed by a colon and the value of the tag. Table 35 contains examples and descriptions of some of the tags used in audit messages that appear in the audit results window.
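As an added example (not Secure Computing code and not the sacap_filter implementation), the Python below parses audit messages in the tag-colon-value form shown above and evaluates custom filter expressions of the kind given under “Creating custom audit filters” against them, including the addr/bits match on src_ip and dst_ip and the parenthesized or. It assumes that not binds tighter than and, and and tighter than or (the guide does not state precedence), that Table 34 field names map onto the Table 35 record tags as listed in ALIASES, and that the records other than the guide’s own sample are constructed, with invented facility and area names.

```python
"""Parse Sidewinder-style audit records and evaluate custom audit filters against
them.  Added illustration, not Secure Computing code.  Assumed: 'not' binds
tighter than 'and', which binds tighter than 'or'; Table 34 filter fields map
onto Table 35 record tags through ALIASES."""
import ipaddress
import re
ALIASES = {                 # filter field -> record tags it may match (assumed)
    "src_ip": ("src_ip", "srcip"), "dst_ip": ("dst_ip", "dstip"),
    "src_port": ("src_port", "srcport"), "dst_port": ("dst_port", "dstport"),
    "src_burb": ("src_burb", "srcburb"), "dst_burb": ("dst_burb", "dstburb"),
}
CIDR_FIELDS = {"src_ip", "dst_ip", "vpn_l_gw", "vpn_r_gw"}   # accept addr/bits


def parse_record(text):
    """Flatten one multi-line audit message into a {tag: value} dict."""
    head, *body = text.strip().splitlines()
    head = head.split()     # date time year zone, then the f_ a_ t_ p_ tokens
    rec = dict(zip(("facility", "area", "type", "priority"), head[5:9]), time=" ".join(head[:5]))
    # Body lines hold 'tag: value' pairs; a tag may be two words ('perm wanted: 0x1').
    for m in re.finditer(r"([^\s:]+(?: [^\s:]+)*?): (\S+)", " ".join(ln.strip() for ln in body)):
        rec[m.group(1)] = m.group(2).strip("'\"")      # cmd: 'grep' -> grep
    return rec


def canon(field, value):    # AUDIT_F_LOGIN, login and f_login all compare equal
    letter = {"facility": "f", "type": "t"}.get(field)
    if letter is None:
        return value        # every other field compares verbatim
    v = re.sub(r"^audit_", "", value.lower())
    return v if v[1:2] == "_" else f"{letter}_{v}"


def field_matches(rec, field, value):
    """True when the record carries the field and its value satisfies the filter."""
    actual = next((rec[k] for k in ALIASES.get(field, (field,)) if k in rec), None)
    if actual is None:
        return False
    if field in CIDR_FIELDS:    # e.g. dst_ip 192.168.124.0/24; ValueError if malformed
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return canon(field, actual) == canon(field, value)


def compile_filter(text):
    """Compile a custom filter expression into a predicate over parsed records."""
    toks = re.findall(r"\(|\)|[^\s()]+", text)      # parentheses need not be spaced

    def expr():             # term ('or' term)*
        alts = [term()]
        while toks and toks[0] == "or":
            toks.pop(0)
            alts.append(term())
        return lambda rec: any(p(rec) for p in alts)

    def term():             # factor ('and' factor)*
        parts = [factor()]
        while toks and toks[0] == "and":
            toks.pop(0)
            parts.append(factor())
        return lambda rec: all(p(rec) for p in parts)

    def factor():           # 'not' factor | '(' expr ')' | FIELD VALUE
        tok = toks.pop(0)   # IndexError here means the filter ended early
        if tok == "not":
            inner = factor()
            return lambda rec: not inner(rec)
        if tok == "(":
            inner = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError(f"missing ')' in filter: {text!r}")
            return inner
        field, value = tok, toks.pop(0)
        return lambda rec: field_matches(rec, field, value)

    predicate = expr()
    if toks:
        raise ValueError(f"trailing tokens in filter: {text!r}")
    return predicate


# Record 0 is the guide's own Type Enforcement sample; the other two are constructed
# for this example in the same layout (their facility and area names are invented).
SAMPLE_RECORDS = [
    """Jan 17 08:16:20 2006 CST f_kernel a_tepm t_ddtviolation p_major
    pid: 19499 ruid: 100 euid: 100 pgid: 19499 fid: 0 logid: 100 cmd: 'grep'
    domain: User edomain: User hostname: myg2.example.com
    permwanted: 1 permgranted: 0 srcdmn: User filedom: Admn filetyp: file
    file: rc.local OP: 0x2000042 perm wanted: 0x1 perm granted: 0x0""",
    """Jan 17 08:17:02 2006 CST f_http_proxy a_general t_attack p_major
    pid: 20011 cmd: 'httpp' username: Lloyd srcip: 172.17.9.28 dstip: 10.0.0.5""",
    """Jan 17 08:18:45 2006 CST f_kernel a_general t_netprobe p_minor
    srcip: 172.17.9.28 dstip: 192.168.124.77 dstport: 37337 srcburb: 3""",
]


def select(filter_text, records=SAMPLE_RECORDS):   # indexes of matching records
    flt = compile_filter(filter_text)
    return [i for i, r in enumerate(map(parse_record, records)) if flt(r)]
```

For instance, select("not type t_attack and src_ip 172.17.9.28") returns only the netprobe record, because the not applies to the type test alone and the src_ip test still has to hold.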
Table 35: Audit data field examples
Name — Type — Description
srcip — 32-bit integer — source IP address
dstip — 32-bit integer — destination IP address
srcport — 16-bit integer — source port number
srcservice — string — source service name (/etc/services)
dstport — 16-bit integer — destination port number
dstservice — string — destination service name (/etc/services)
srcburb — 32-bit integer — source burb number
dstburb — 32-bit integer — destination burb number
bytes_written_to_client — 64-bit integer — number of bytes sent to a client
bytes_written_to_server — 64-bit integer — number of bytes sent to a server
netsessid — 64-bit integer — a network traffic session ID
srchostname — string — source host name
dsthostname — string — destination host name
Logging application messages using syslog
The Sidewinder G2 uses the UNIX syslog facility to log messages sent by programs running on the system. These messages can be useful in tracking down unauthorized system users or in analyzing hardware or software problems. All syslog data is stored in the Sidewinder G2’s audit log files.
Logging is set up to be handled automatically on the Sidewinder G2. As an administrator, you will not need to intervene unless you want to change options, such as where log files are stored. Listed below are some basic points about syslog and how it works on the Sidewinder G2.
Note: Secure Computing recommends that you edit these files only if you are an experienced UNIX administrator.
• syslog runs as a daemon process called syslogd.
• Each application determines whether it will use syslog and the types of messages that will be generated. Normally, applications generate messages of different severity levels, such as informational and critical.
• The syslog configuration file, /etc/syslog.conf, specifies what syslogd should do with messages that are sent to it. You can specify what should be done with each type of message. For example, you might choose to discard informational messages and store more important messages in a file. In addition, you can choose to send messages that may require immediate attention directly to a specific user’s screen or to send output to a different system on the network. You can edit the configuration file if you want to handle messages differently or send files to different locations. See the next section and the syslog.conf man page for details.
• Hackers will often try to edit syslog files to cover any evidence of their break-ins. The Sidewinder G2 uses Type Enforcement to protect the syslog files from being modified by unauthorized users.
• A copy of the syslog data is sent to the Sidewinder G2 audit log files.
• The log files generated by syslogd can get large and start using a lot of hard disk space. To solve this problem, the log files on the Sidewinder G2 are periodically rotated. See “Understanding automatic (cron) jobs” on page 598 for more information on file rotation.
Redirecting audit output to a syslog server
If you would like other systems, such as the Sidewinder G2 Security Reporter, to generate and display reports based on the Sidewinder G2’s log files, you can configure the Sidewinder G2 to send audit output to a syslog server.
Redirect audit output to a syslog server by doing the following:
1 Using a file editor, open /etc/sidewinder/auditd.conf.
2 Specify what type of logging to send to the syslog server by adding the following line to the end of the file:
syslog (facility filters[“filter”] format)
where
• facility = information associated with a syslog message. You can use ‘local0’ through ‘local7’ as names for the facility; they are predefined in syslogd. In the next step, make sure to use the same facility you entered in this step.
• filter = name of sacap filter to use in the output. Output all audit information by using [“NULL”].
• format = output format. If using Sidewinder G2 Security Reporter, enter sef as the format.
For example, use syslog (local0 filters[“NULL”] sef) to configure syslog to use the Sidewinder Export Format (SEF).
3 Save the changes and close the file.
4 Open /etc/syslog.conf.
5 Specify the IP address of the syslog server by adding the following line:
facility.* @x.x.x.x
where facility matches the facility in step 2 and x.x.x.x is the syslog server’s IP address.
6 Save the changes and close the file.
7 Look up syslog’s process ID by entering the following command:
pss syslog
8 Implement the changes by restarting the syslogd and audit processes, using the following commands:
kill -HUP syslogpid
cf server restart auditd
The Sidewinder G2 will now send audit data to a syslog server.
Viewing syslog messages
To view syslog messages, display the following files:
/var/log/messages
/var/log/daemon.log
The following illustrates sample Logfile Messages:
Mar 25 14:05:41 MyFirewall kernel: ef0: interfaces: AUI, 10Base2
Mar 25 14:05:41 MyFirewall kernel: ef0: rxf=5119 txf=3068
Mar 25 14:05:41 MyFirewall kernel: ef1 at isa0 iobase 0x300
Mar 25 14:05:41 MyFirewall kernel: ef1: 3C509-COMBO, ASIC rev 2
Mar 25 14:05:41 MyFirewall root: Configuration changed
Important: If you receive a message “Response from unexpected source,” it usually indicates name service responses sent by multihomed servers. Some multihomed servers select the wrong source IP address when sending the response. When the Sidewinder G2 receives the response, it ignores it and logs a message in /var/log/messages. The example below displays what you would see in the syslog when this happens.
Aug 31 12:57:56 shore named (1) [85]: Response from unexpected source ([192.55.214.1].53)
Aug 31 12:57:57 shore named (1) [85]: Response from unexpected source ([199.199.125.108].53)
Aug 31 13:03:51 shore named (1) [85]: Response from unexpected source ([204.52.248.130].53)
Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
The Sidewinder G2 Reports window in the Admin Console allows you to generate commonly used reports based on pre-defined report formats, such as administrative user connections, network probe attempts, traffic information, and active rule (ACL) usage, to name a few.
The report information that is displayed is pulled from the audit database. When audit events are generated, information relevant to each event (such as date and time, process identification information, user identity, and address information) is automatically appended to the audit record to help an administrator identify and categorize the stored audit data. If the report is comprised of numerous areas, the information in the report is categorized accordingly for ease of viewing.
For example, if you run the traffic report, you will receive a summary of the various types of proxy traffic broken down as follows: service, source host, destination, and user. If you want to view only traffic generated by users, you could instead run the user_traffic report to view only a summary of all user traffic.
You can further refine your results by running the user_activity report and specifying a single user whose activity you want to view. When you run the user_activity report, you will receive a detailed report of all of that user's system activity, organized into sections (such as general traffic, root access attempts, rule violations, and so on). The information contained in a report will depend on the time frame you specify.
Note: To view reports using a command line interface, see the cf_reports man page.
To generate reports using the Admin Console, select Audit and Reports > Reports. The following window appears.
Important: You must enable the auditdbd server before you can generate reports. See "Enabling and disabling servers" on page 65 for information on enabling the auditdbd server.
Figure 225: Reports window
About the Reports window
In this window you can generate commonly used reports based on a predefined report template. Follow the steps below.
1 In the Report Period field, select the time frame for which you want to run a report.
2 Select the report you want to run by clicking the appropriate table row. (For a description of each report, see Table 36 on page 553.)
Tip: You can create custom reports using the cf_reports tool. Any reports you create using the cf_reports tool will appear in the Report list the next time you log into the Reports window. For information on creating custom reports, refer to the cf_reports man page.
3 If you want the report to resolve any IP addresses, select the Resolve IP Addresses check box.
4 [Conditional] If you are running a host or user activity report, you will need to enter information in the Template Parameter field as follows:
• Host Activity: When you select the Host Activity report, the Template Parameter area becomes available. In the Host field, enter the host name or IP address that will be used to generate the report.
• User Activity: When you select the User Activity report, the Template Parameter area becomes available. In the User Name field, enter the name of the user that will be used to generate the report.
5 Click Run Report. The report results are displayed in a separate Show Report window.
Figure 226: Show Report window
Note: The reports that you generate in this window are view-only. You are not able to save or print these reports. If you need to save or print your reports, you will need to generate them using the command line interface. See the cf_reports man page for details.
Table 36: Available reports (report type, followed by its description)
acl_usage: This report summarizes proxy rule usage on the system. You can use this report to determine which proxy rules are being used most frequently.
dest_traffic: This report lists proxy information on the destination hosts that the Sidewinder G2 connected to, sorted by the number of bytes transferred. The report lists the destination host, the service used, the number of kB transferred, and the number of connections that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 in Chapter 12 for information on viewing this e-mail.
host_activity: This report lists information about a specific host's activity on the system. This report provides a section for the traffic generated, root access attempts, services denied, and user database actions involving the specified user.
host_traffic: This report produces proxy information for source host systems on internal and external networks. You might use this data for tracking which systems have the heaviest traffic going to and from the Sidewinder G2. The report lists the source host, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 for information on viewing this e-mail.
http_virus: This report provides information on Web viruses that are detected by the Sidewinder G2. The report includes virus frequency, hits by source address, and detected Web viruses.
ipf_dest_traffic: This report lists IP Filter information on the destination host traffic that the Sidewinder G2 connected to, sorted by the number of bytes transferred. The report lists the destination host, the service used, the number of kB transferred, and the number of connections that were made.
ipf_host_traffic: This report produces IP Filter information for source host traffic on internal and external networks. You might use this data for tracking which systems have the heaviest traffic going to and from the Sidewinder G2. The report lists the source host, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made.
ipf_port_traffic: This report lists IP Filter traffic port information that occurred over a specific period of time. The report lists each service, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made. When a service uses a non-standard port (for example, 8000 or 8010), the service's port number will also appear in the Service column.
ipf_traffic: This report provides a summary of the IP Filter port, host, and destination reports.
mail_virus: This report provides information on mail viruses that are detected by the Sidewinder G2. The report includes virus frequency, hits by source, and detected mail viruses.
performance: This report summarizes utilization information (based on one-hour increments) for CPU percentage and load average, as well as real, virtual, and mbuf memory usage.
probes_attempted: This report lists information about attempts made to connect or send a message to a Sidewinder G2 port that either has no service associated with it or is associated with an unsupported service. This report contains a section for probes received in each burb on the system. The report lists where the probe originated from and how many probes occurred. The output of this report will be similar to the following:
For each burb, the report lists the time of the report, the interval covered by the report, the source host, destination host, destination port, and the number of probes generated by this source/destination host pair. Up to five destination port values are displayed.
Depending on how you have set up your auditing configuration, you may have already been notified of these probe attempts. If you were not notified, you may want to change your auditing options as described in Chapter 16.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 for information on viewing this e-mail.
root_accesses: This report contains a list of root access attempts by users who used the srole command to change roles. This report lists the date that the root access attempts occurred, the service (srole), the result of the attempt, which domain the user tried to srole to, and who the user was. This report is generated daily.
service_denied: This report lists instances when users were denied access to a service because of the restrictions you set up in your active rules (also referred to as the Access Control List, or ACL). The report lists the source and destination hosts, the user, the service that was denied, and the total number of times a check was made. The meaning of these events depends on several factors, including your site's security policies. The report could indicate that an internal user is trying to access an unauthorized system on the Internet. It might also indicate a service that internal users need, and you may want to consider making it available.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 for information on viewing this e-mail.
service_traffic: This report lists proxy information on how often Internet services were used during a specific period of time. You can use this information to gauge how heavily your Sidewinder G2 is being used. The report lists each service, the number of kB sent to the server, the number of kB sent to the client, the total number of kB, and the number of connections that were made. When a service uses a non-standard port (for example, 8000 or 8010), the service's port number will also appear in the Service column.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 for information on viewing this e-mail.
traffic: This report lists information about a specific host's activity while using the system. This report provides a section for the traffic generated, services denied, and probes generated by the host that was specified.
udb_action: This report, made up of two sections, shows the actions performed on the Sidewinder G2's user database. One section of the report shows the actions performed on the system components of the user database. The other section of the report shows the actions performed on user components of the user database. The user database report lists the date the action occurred, which user it affects, what action was made to the database (either an addition, a deletion, or a modification), what type of data, or class, received the action, and which administrator changed the data.
user_activity: This report lists information about a specific user's activity on the system. This report provides a section for the traffic generated, root access attempts, services denied, and user database actions involving the specified user.
user_traffic: This report lists which Internet services are being used and sorts the results by the user's name. You can use this information to gauge how heavily your Sidewinder G2 is being used. The report lists each user's name for each service he/she used on the Sidewinder G2. Information on users is available only when they authenticate through the Sidewinder G2 services. A user name of "(null)" is used for traffic that is not authenticated. The report also lists the number of kB read by each user, the number of kB written by each user, the total number of kB transferred, and the number of connections for each user.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2 administrator. See "Viewing administrator mail messages on Sidewinder G2" on page 350 for information on viewing this e-mail.
vpn_traffic: This report provides information on each VPN connection established on the Sidewinder G2. This report lists identifying information, gateways, kBytes transferred, and the number of connections made for each VPN.
Viewing auto-generated reports
This section describes a variety of automatically generated reports you can view using a file editor.
Table 37: Auto-generated reports (report, followed by its description)
daily system activity: This report provides a summary of the /etc/daily script that is automatically run on the Sidewinder G2 every 24 hours. See "Understanding automatic (cron) jobs" on page 598 for more information on this script and what it does. The report is compiled from the /var/log/daily.out file, which is generated each time the script is run.
weekly system activity: This report provides a summary of the /etc/weekly script that is automatically run on the Sidewinder G2 every week. See "Understanding automatic (cron) jobs" on page 598 for more information on this script and what it does. The report is compiled from the /var/log/weekly.out file, which is generated each time the script is run.
monthly system activity: This report provides a summary of the /etc/monthly script that is automatically run on the Sidewinder G2 every month. See "Understanding automatic (cron) jobs" on page 598 for more information on this script and what it does. The report is compiled from the /var/log/monthly.out file, which is generated each time the script is run.
Generating exportable reports
The Sidewinder G2 allows you to create exportable data files from the report data your site generates. This allows you to transfer files from the Sidewinder G2 and load them into a database or spreadsheet application. You can export data via FTP, e-mail, a diskette, or a DAT.
The report data that you can export from the Sidewinder G2 is located in the /var/log/export_data directory unless you specify otherwise. The exportable files include:
• probe_attempt
• acl_denied
• traffic
• root_access
• udb_action
Note: These data files have dates added to their names that correspond to the dates the files were created. Each file contains exportable Sidewinder G2 audit data that corresponds to what is summarized in the respective Sidewinder G2 reports.
Enter the following commands at the UNIX prompt to generate exportable data files:
• To create an exportable file in /var/log/export_data based on the previous day's audit information:
gen_reports -e -r all
This generates all reports in separate files.
• To create an exportable file in /var/log/export_data based on the latest (current) traffic audit information:
gen_reports -f filename -r traffic
This generates all traffic reports in separate files, with the specified filename added to the front instead of the cf reports timestamp.
Generating reports using Sidewinder G2 Security Reporter
One method for generating and viewing reports of Sidewinder G2 audit output is the Sidewinder G2 Security Reporter. Security Reporter (also known as G2SR) provides more advanced reporting capabilities than what is available in the Admin Console. Enhanced capabilities include:
• Generating reports for multiple Sidewinder G2 firewalls from a single user interface.
• Color-coded charts and graphs that are more user-friendly than text-only reports.
• Reports are available in multiple languages.
• Reports can be accessed without logging into a Sidewinder G2. This is particularly beneficial for companies that want to let auditors view reports without giving them Sidewinder G2 administrator accounts.
To use Security Reporter, Sidewinder G2 must be configured to send its log files in the Sidewinder Export Format (SEF). You can then transfer the audit data to Security Reporter via a syslog server or FTP. The syslog server path is shown in Figure 227. For information on sending Sidewinder G2 log files to a syslog server, see "Redirecting audit output to a syslog server" on page 549. For information on using FTP to transfer data to the Security Reporter, see "Formatting & exporting audit data for use with external tools" on page 560.
Figure 227: Sending data via syslog server to Sidewinder G2 Security Reporter (Sidewinder G2 -> syslog server -> Security Reporter). The syslog server and the Security Reporter may be installed on the same system.
Installation and management information is available in the Sidewinder G2 Security Reporter Administration Guide and Release Notes. The administration guide is available at www.securecomputing.com/goto/manuals. For information on obtaining Sidewinder G2 Security Reporter, contact your sales representative.
Formatting & exporting audit data for use with external tools
The Sidewinder G2 provides you with the option to convert audit data into various formats used by third-party reporting tools. To generate reports based on the Sidewinder G2 log files, you must format the Sidewinder G2 audit data and then export those files to the workstation or host that contains the software needed to generate log reports (for example, Sidewinder G2 Security Reporter). You can then generate the Sidewinder G2 log reports on that machine.
Overview of supported log file formats
Table 38 lists the log formats Sidewinder G2 supports, as well as some uses for each format, commands for generating each format, and other important information.
Table 38: Supported log formats and their uses
Format: Sidewinder Export Format (SEF)
Use: Sidewinder G2 Security Reporter, various third-party tools
Commands: acat -X; cf export type=sef
Comments: SEF is the preferred format when exporting logs to Sidewinder G2 Security Reporter. More format information is available at www.securecomputing.com/pdf/sg2_sef_an.pdf.
Format: W3C Extended Log Format (HTTP)
Use: various third-party reporting tools
Commands: acat -H; cf export type=http
Comments: If using this format, set the audit level on the appropriate HTTP proxy rules to Informational (Rules > New/Modify > General tab).
Format: WebTrends Extended Logging Format (WELF)
Use: WebTrends® reporting tools
Commands: acat -W; cf export type=wt
Using Sidewinder G2 formatting and exporting tools
You initiate the formatting and exporting process on the Sidewinder G2 using acat or the Sidewinder export utility (cf export). These tools allow you to format raw audit data collected by the Sidewinder G2 into SEF, WELF, HTTP, Squid, or generic (gen) files.
Using acat
acat converts data, but does not export it. To format Sidewinder G2 audit data using acat, follow the steps below.
1 Using a command line session, log into the Sidewinder G2 and type the following command to switch to the admn role:
srole
2 Change directories so that your present working directory (pwd) is where you want the converted files saved.
3 To convert your logs to an exportable format and save them to a file, enter the following command:
acat -X /var/log/auditfile > filename.format
where
• -X indicates the new format. Use -X for SEF, -H for W3C, and -W for WebTrends. Note that all of these arguments are capital letters.
• auditfile is the log file to convert.
• filename.format is the new file name and format, such as audit012006.sef. Formats include sef, http, wt, squid, and gen.
For example:
acat -X /var/log/audit.raw.2006...CST.gz > audit.sef
converts the existing audit file into the SEF format and saves it to a file named audit.sef.
The specified file is now converted and ready to be manually exported via FTP or another method.
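The W3C Extended Log Format produced by acat -H (Table 38) is a public, directive-based text format: lines beginning with # are directives, #Fields names the columns, and a lone - marks a missing value. Once the records are parsed, the per-host totals that the host_traffic report in Table 36 describes (kB sent to the server, kB sent to the client, total kB, connections) are a short aggregation. The following is an added example for this page, not a tool from the guide or from Secure Computing; the sample log and its field list are constructed (the guide does not state which fields acat -H emits), and the mapping of cs-bytes to "sent to the server" and sc-bytes to "sent to the client" follows the W3C naming convention (cs = client to server, sc = server to client).

```python
from collections import defaultdict

# Constructed W3C Extended Log Format sample; the field set is an assumption.
SAMPLE_W3C = """\
#Version: 1.0
#Fields: date time c-ip s-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2006-03-25 14:10:03 10.1.1.20 192.0.2.10 GET /index.html 200 5120 310
2006-03-25 14:10:09 10.1.1.20 192.0.2.10 GET /logo.png 200 20480 290
2006-03-25 14:11:30 10.1.1.35 192.0.2.10 POST /upload 200 512 102400
2006-03-25 14:12:01 10.1.1.35 192.0.2.11 GET /missing 404 - 250
"""


def parse_w3c(text):
    """Parse W3C Extended Log Format text into dicts keyed by the #Fields names.

    Directive lines (#Version, #Date, ...) carry no records; a data line before
    any #Fields directive, or one whose column count disagrees with it, is an error
    rather than a silently mis-keyed record.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        # "-" is the W3C placeholder for an absent value.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def _to_int(value):
    return int(value) if value is not None else 0


def host_traffic(records):
    """Per-source-host summary in the style of the host_traffic report.

    cs-bytes are bytes the client sent toward the server, sc-bytes are bytes the
    server sent back to the client; totals are reported in whole kB.
    """
    acc = defaultdict(lambda: {"to_server": 0, "to_client": 0, "connections": 0})
    for r in records:
        h = acc[r["c-ip"]]
        h["to_server"] += _to_int(r["cs-bytes"])
        h["to_client"] += _to_int(r["sc-bytes"])
        h["connections"] += 1
    summary = {}
    for ip, h in acc.items():
        summary[ip] = {
            "kb_to_server": h["to_server"] // 1024,
            "kb_to_client": h["to_client"] // 1024,
            "kb_total": (h["to_server"] + h["to_client"]) // 1024,
            "connections": h["connections"],
        }
    return summary


def heaviest_hosts(records):
    """Source hosts ordered by total kB, heaviest first (the report's sort order)."""
    summary = host_traffic(records)
    return sorted(summary, key=lambda ip: summary[ip]["kb_total"], reverse=True)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_W3C)
    totals = host_traffic(recs)
    for ip in heaviest_hosts(recs):
        print(ip, totals[ip])
```

The parser deliberately rejects a data line whose column count differs from the #Fields directive: a log with a mid-file field change, or a line truncated in transfer, would otherwise produce records whose byte counts land under the wrong key.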
Using cf export
The cf export utility both converts and exports the specified log files to a destination host you specify. This utility can also be used to create a cron job that automatically initiates an FTP export program once every 24 hours. The FTP export program uses FTP to transfer the export files from the Sidewinder G2 to the host you specify. The host can be on a trusted network protected by the Sidewinder G2, or it can be a host that resides somewhere on the Internet.
To format and export Sidewinder G2 audit data using cf export, follow the steps below.
1 Using a command line session, log into the Sidewinder G2 and type the following command to switch to the admn role:
srole
2 To configure the export utility, enter the following command on one line:
cf export add type=file_type name=entry_name host=hostname user=username password=password targetdir=destination localfile=local_file_path
where:
• file_type = the type of file you want to export (sef, http, wt, squid, or gen)
• entry_name = the name you want to apply to this configuration entry
• hostname = the host name or IP address to which you are exporting the files
• username = the user name that will be used for FTP authentication
• password = the password that will be used for FTP authentication to the destination host
• destination = the directory on the destination host in which you want the export files placed
• local_file_path = (generic files only) the location of the generic file
3 To export all files that are currently configured and ready to be exported, enter the following command:
cf export ftp
Tip: To export the current files and previously exported files, enter cf export all.
4 [Optional] To enable a cron job to automatically determine which configured export files need to be exported, and format and export those files once every 24 hours (at 2:20 a.m. in most cases), enter the following command:
cf export enable
To disable the automatic cron job process, enter the following command:
cf export disable
The file has now been converted and exported to another system.
CHAPTER 20
IPS Attack and System Event Responses

In this chapter...
Overview of attack and system event responses .........................564
Creating IPS attack responses.....................................................564
Creating system responses..........................................................572
Configuring new event types........................................................578
Ignoring network probe attempts..................................................578
Sidewinder G2 SNMP traps .........................................................579
Chapter 20: IPS Attack and System Event Responses

Overview of attack and system event responses

Sidewinder G2 IPS attack responses and system event responses allow you to monitor your network for abnormal and potentially threatening activities ranging from an attempted attack to an audit overflow. Using the Admin Console, you can configure how many times a particular event must occur within a specified time frame before a response is triggered.

When Sidewinder G2 encounters audit activity that matches the specified type and frequency criteria, the response you configured for that system event or attack type determines how Sidewinder G2 will react. Sidewinder G2 can be configured to respond by alerting an administrator of the event via e-mail and/or SNMP trap, as well as by ignoring packets from particular hosts for a specified period of time (known as a Strikeback).

Some default attack and system event responses are automatically created on Sidewinder G2 during its initial configuration. The additional configuration options you select will depend mainly on your site’s security policy and, to some extent, on your own experience using the features. You may want to start with the default options and make adjustments as necessary to meet your site’s needs.

Summary and detailed information about the audit events triggering responses can be found on the dashboard, located on the top node of the Admin Console tree. For more information about the dashboard, see the “Monitoring” chapter.

Creating IPS attack responses

IPS (intrusion protection system) attack responses allow you to configure how Sidewinder G2 responds when it detects audit events that indicate a possible attack, such as Type Enforcement violations and proxy floods.

To view or configure attack responses, start the Admin Console and select IPS Attack Responses. The following window appears:

Figure 228: IPS Attack Response main window
About the IPS Attack Responses window

This window displays the currently configured IPS attack responses. You can perform the following actions in this window:

• Filter the list of IPS attack responses — To modify the displayed list, right-click a column name and select from the current list of filters or create a custom filter. The list will then display only IPS attack responses of that type.
• Configure a new IPS attack response — To configure a new IPS attack response, click New. The Add Attack Response Wizard appears.
• Modify an existing IPS attack response — To modify an existing IPS attack response, select the appropriate item within the list and click Modify. For information on modifying specific fields, see “Modifying an IPS attack response” on page 566.
• Delete an existing IPS attack response — To delete an IPS attack response, select the list item you want to delete and then click Delete.
• Disable/enable an IPS attack response — The disable and enable options depend on an IPS attack response’s current status. If one or more responses with the same status are selected, their status can be changed to its opposite (for example, if all selected responses are enabled, you may disable all of them). When multiple responses with mixed statuses are selected, the only available action is enabling the responses.
• Create the e-mail list to notify in the event of an attack — To create or modify the list of e-mail addresses to notify if any IPS attack triggers an alert, click Response Settings. See “Configuring the e-mail settings” on page 571 for more information.
Figure 229: IPS Attack Responses: Modify window

Modifying an IPS attack response

When you modify an IPS attack response, the following window appears.

About the Modify Attack Responses: Attack tab

Use this tab to change this attack response’s attack type. An attack is generally defined as suspect traffic at either the network or application level. Each attack type identifies a different attack audit event.

1 Select the attack type for which you want Sidewinder G2 to send out a response. A complete list is provided in Table 39.
To create additional attack types, see “Configuring new event types” on page 578.
2 Click OK or the next tab you want to modify.

Note: For descriptions of the audit severities, see “Viewing IPS attack and system event summaries” on page 521.
Table 39: Descriptions of pre-defined attacks

Attack: Description

ACL deny
    Detects when a connection is denied by a rule in the active policy.

Application Defense violation all
    Detects attacks of all severities that violate active policy defined by Application Defenses. This attack category includes spam filter attacks and keyword filter failure attacks.

Application Defense violation severe
    Detects when severe attacks violate active policy defined by Application Defenses, including spam filter reject and keyword filter reject audits.

attack all
    Detects attack events of all severities. This option also detects all severities of Application Defense violation attacks, buffer overflow attacks, DOS attacks, general attacks, policy violation attacks, protocol violation attacks, and content security violation attacks.

attack severe
    Detects severe attacks. This option also detects Application Defense violation attacks, buffer overflow attacks, general attacks, DOS attacks, policy violation attacks, protocol violation attacks, and content security violation attacks. Severe attacks indicate something is occurring that an administrator should know about.

buffer overflow attack
    Detects attempted buffer overflow attacks targeted at systems protected by the Sidewinder G2.

content security violation
    Detects attacks of all severities that are content security violations. This attack category detects spam, keyword reject, mime virus change, and mime virus reject attacks.

content security violation severe
    Detects severe attacks that are content security violations. This attack category detects spam, keyword reject, mime virus change, and mime virus reject attacks. Severe attacks indicate something is occurring that an administrator should know about.

denied authentication
    Detects when a user attempts to authenticate and enters invalid data. For example, if a user is required to enter a password and enters it incorrectly, the denied auth event logs the attempt.

DOS all
    Detects Denial of Service attacks of all severities. This attack category also detects all severities of TCP SYN attacks and proxy flood attacks.

DOS severe
    Detects severe Denial of Service attacks. This attack category also detects TCP SYN attacks and proxy flood attacks. Severe attacks indicate something is occurring that an administrator should know about.

general attack all
    Detects general attacks of all severities that do not fall into the pre-defined categories.

general attack severe
    Detects severe general attacks that do not fall into the pre-defined categories. Severe attacks indicate something is occurring that an administrator should know about.

IPFilter deny
    Detects when a connection is denied by the active IP Filter policy.

keyword filter failure
    Detects when an SMTP mail message is rejected due to a configured keyword filter.

mime virus
    Detects when a connection is rejected due to the MIME or Anti-virus policy.

network probe
    Detects network probe attacks, which occur any time a user attempts to connect or send a message to a TCP or UDP port that has no service.

policy violation all
    Detects attacks of all severities that violate the active policy. This attack category also detects all severities of failed authentication attacks, network probe attacks, ACL and IP Filter deny attacks, and Type Enforcement error attacks.

policy violation severe
    Detects severe attacks that violate the active policy. This attack category also detects failed authentication attacks, network probe attacks, ACL and IP Filter deny attacks, and Type Enforcement error attacks. Severe attacks indicate something is occurring that an administrator should know about.

protocol violation all
    Detects attacks of all severities that violate protocol compliance.

protocol violation severe
    Detects severe attacks that violate proxy protocols (HTTP, Telnet, FTP, etc.). Severe attacks indicate something is occurring that an administrator should know about.

proxy flood
    Detects potential connection attack attempts. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try to flood the system. When NSS receives more connection attempts than it can handle for a proxy, new connections to that proxy are briefly delayed (to allow the proxy to “catch up”), and the attack is audited.

spam filter failure
    Detects when an SMTP mail message is classified as spam by the spam filtering policy.

TCP SYN attack
    Detects a possible attempt to overrun the Sidewinder G2 with connection attempts.

Type Enforcement
    Detects when there is a TE violation due to an unauthorized user or process attempting to perform an illegal operation.
About the Modify Attack Response: Frequency tab

Use this tab to modify the parameters that must be met before Sidewinder G2 generates a response. The options are:

• Always respond — Select this option to have Sidewinder G2 respond each time the attack type specified on the Attack tab occurs.
• Limit responses — Select this option to respond only when the attack pattern matches the parameters set here:
  – Respond if x attacks in y seconds, where:
    • valid values for x are between 2 and 100000. Sidewinder G2 responds when the xth attack occurs.
    • valid values for y are between 1 and 100000. This represents a window of y seconds: Sidewinder G2 counts the attacks that occurred between the current time minus y and now.
    For example, if you have configured a response to filter for netprobe attempts, and you want to trigger an attack response if 5 or more probe attempts occur within a 30-second period, you would enter “Respond if 5 attacks in 30 seconds.”
  – Reset attack count to zero after responding — After x attacks, Sidewinder G2 zeroes out its attack counter and waits until another x attacks occur in y seconds before sending out the next e-mail alert or SNMP trap. If this option is not selected, the same attacks may be used to generate additional alerts.

About the Modify Attack Response: Response tab

Use this tab to configure how Sidewinder G2 should respond when the attack type’s pattern matches the criteria on the Frequency tab. The options are:

• Configure an alert — Sidewinder G2 can send an alert using an e-mail, an SNMP trap, or both.
  – Send e-mail: Select this option to send an e-mail to each e-mail address listed in the Response Settings area. (Access this list from the main IPS Attack Response window. Additional information is available in “Configuring the e-mail settings” on page 571.)
  – Send SNMP trap: Select this option to send an SNMP trap to the location(s) configured for the snmpd server. (Configure the SNMP server at Services Configuration > Servers > snmpd. Additional information is available in “Sidewinder G2 SNMP traps” on page 579.)
• [Conditional] If configuring an alert, specify how long Sidewinder G2 should wait before sending the next e-mail or SNMP trap for the same attack type by using the Wait x seconds between alerts option.
  For example, suppose you configure an alert to trigger when 5 or more probe attempts occur in a 30-second period, and you instruct Sidewinder G2 to wait 300 seconds (five minutes) between alerts. In this configuration, if an intruder launches 5 probe attempts in a 30-second period, a response is triggered. However, if the intruder sends 5 more probe attempts during the next 30 seconds, Sidewinder G2 will not send another alert. If the response calls for a Strikeback (see the next option), the traffic will still be blackholed. After five minutes, if the threshold is again reached, another alert will be triggered.
• Configure Strikeback — Sidewinder G2 can blackhole, or ignore, traffic from a host that is sending suspect traffic.
  Caution: Sidewinder G2 blackholes based on source address, as opposed to traffic type. If you choose to blackhole a host, all traffic from that host will be ignored.
  – Blackhole: Select this option to ignore all traffic from the suspect traffic’s source(s) for a set time period. The source of the attack is recorded in the audit event’s attack_ip field. The source of the suspect traffic may be the connection’s source IP address (a peer or a client) or destination IP address (if a server is attacking a client). If Sidewinder G2 considers it likely that the source IP address could have been forged, it will leave the attack_ip field blank and not blackhole any IP address for this audit event. The apparent source and destination IP addresses are still recorded in the audit event.
    If you select the Blackhole option, you must also specify for how long you want to blackhole traffic.
    • Blackhole packets for x seconds, where x is a value between 1 and 100000.
    Tip: If you find you need to blackhole traffic for more than 100,000 seconds (a little over 24 hours), consider creating an IP Filter deny rule for that traffic.
  – All attacking hosts: Select this option to blackhole all hosts involved in triggering the alert. For example, if you want an alert after 5 occurrences in 30 seconds and host A sent 4 occurrences and host B sent 1, all traffic from hosts A and B would be ignored for the set amount of time.
  – Each host responsible for y% of the attacks: Select this option to limit blackholing on a percentage basis. For example, if you set the percentage at 50% and host A caused 4 out of 5 attacks and host B caused 1 out of 5 attacks, only traffic from host A would be ignored.
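The Frequency tab’s x-in-y threshold, the Reset attack count option, the Wait x seconds between alerts option and the two Strikeback host-selection options above fit together into one small piece of logic, and seeing it as code makes the interaction clear (why a suppressed alert still extends a blackhole, why a forged-source event counts toward x but blackholes nobody). The following Python simulator is an added example written for this page; it is not Sidewinder G2 code, and its names (ResponseConfig, AttackResponse, observe), the inclusive window, the 0-means-no-Strikeback convention and the sample addresses and timestamps are all assumptions. It replays the chapter’s own scenario (5 probes in 30 seconds, 300 seconds between alerts, host A behind 4 of 5 probes and host B behind 1, 50% Strikeback). The System Responses section later in this chapter uses the same x-in-y and wait-between-alerts rules without Strikeback, so the example covers that section as well.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResponseConfig:
    """Settings from the Frequency and Response tabs (field names are assumptions)."""
    attacks: int = 5              # x in "Respond if x attacks in y seconds"
    seconds: int = 30             # y
    reset_after_response: bool = True
    alert_wait: int = 300         # "Wait x seconds between alerts"
    blackhole_seconds: int = 0    # 0 means Strikeback is not configured (assumption)
    blackhole_all_hosts: bool = True   # False: "Each host responsible for y% of the attacks"
    blackhole_percent: int = 50   # the y% for the percentage option

    def __post_init__(self):
        # Value ranges the guide states for these options (0-65535 for the
        # alert wait is the range given in the System Responses section).
        if not 2 <= self.attacks <= 100000:
            raise ValueError("x must be between 2 and 100000")
        if not 1 <= self.seconds <= 100000:
            raise ValueError("y must be between 1 and 100000")
        if not 0 <= self.alert_wait <= 65535:
            raise ValueError("alert wait must be between 0 and 65535")
        if self.blackhole_seconds and not 1 <= self.blackhole_seconds <= 100000:
            raise ValueError("blackhole period must be between 1 and 100000 seconds")


class AttackResponse:
    """Tracks one attack type and applies the configured response to its audit events."""

    def __init__(self, cfg: ResponseConfig):
        self.cfg = cfg
        self.window = []        # (timestamp, attack_ip) pairs inside the last y seconds
        self.last_alert = None  # timestamp of the last e-mail / SNMP alert sent
        self.blackholed = {}    # attack_ip -> timestamp at which the blackhole expires

    def is_blackholed(self, ip: str, now: int) -> bool:
        return self.blackholed.get(ip, 0) > now

    def observe(self, now: int, attack_ip: Optional[str]) -> Optional[dict]:
        """Feed one audit event of this attack type seen at time `now` (seconds).

        attack_ip is None when the firewall left the audit's attack_ip field blank
        because the source could have been forged: the event still counts toward x,
        but no address is blackholed for it.  Returns a dict describing the response
        when the threshold is met, otherwise None.
        """
        # Keep only the events of the last y seconds (inclusive window; an assumption).
        self.window = [(t, ip) for t, ip in self.window if t >= now - self.cfg.seconds]
        self.window.append((now, attack_ip))
        if len(self.window) < self.cfg.attacks:
            return None

        # The alert is rate-limited by "Wait x seconds between alerts" ...
        alert = self.last_alert is None or now - self.last_alert >= self.cfg.alert_wait
        if alert:
            self.last_alert = now

        # ... but Strikeback is applied on every triggered response.
        hosts = self._hosts_to_blackhole()
        for ip in hosts:
            self.blackholed[ip] = now + self.cfg.blackhole_seconds

        # "Reset attack count to zero after responding": otherwise the same
        # attacks stay in the window and can trigger further responses.
        if self.cfg.reset_after_response:
            self.window = []
        return {"time": now, "alert": alert, "blackholed": sorted(hosts)}

    def _hosts_to_blackhole(self) -> list:
        if not self.cfg.blackhole_seconds:
            return []
        counts = Counter(ip for _, ip in self.window if ip is not None)
        if self.cfg.blackhole_all_hosts:
            return list(counts)
        total = len(self.window)
        return [ip for ip, n in counts.items()
                if 100 * n / total >= self.cfg.blackhole_percent]


def run_probe_scenario() -> list:
    """Constructed replay of the chapter's example: respond to 5 probes in 30 s,
    wait 300 s between alerts, blackhole each host behind >= 50% of the probes
    for 600 s.  Addresses and timestamps are made up for this example."""
    cfg = ResponseConfig(attacks=5, seconds=30, reset_after_response=True,
                         alert_wait=300, blackhole_seconds=600,
                         blackhole_all_hosts=False, blackhole_percent=50)
    resp = AttackResponse(cfg)
    host_a, host_b = "192.0.2.10", "192.0.2.20"
    probes = [(0, host_a), (5, host_a), (10, host_a), (20, host_b), (25, host_a),
              # five more inside the 300 s alert wait: Strikeback only, no alert
              (40, host_a), (42, host_a), (44, host_a), (46, host_a), (48, host_a),
              # five more after the wait has elapsed: alert again
              (400, host_a), (401, host_a), (402, host_a), (403, host_a), (404, host_a)]
    responses = [resp.observe(t, ip) for t, ip in probes]
    return [r for r in responses if r is not None]


if __name__ == "__main__":
    for r in run_probe_scenario():
        print(r)
```

Run stand-alone, the scenario yields three responses: at 25 s (alert sent, only host A blackholed because host B is behind 20% of the probes), at 48 s (no alert, but host A’s blackhole is renewed) and at 404 s (alert sent again, the 300-second wait having elapsed). Switching reset_after_response off makes every further event inside the window trigger another response, which is the behaviour the guide warns about under “Reset attack count to zero after responding”.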
Figure 230: Attack Responses: Settings window

Configuring the e-mail settings

About the Attack Responses: E-mail Response Settings

To view, add, modify, or delete the e-mail addresses that will receive alerts, click Response Settings, in the IPS Attack Responses main window’s lower-right corner. The following window appears:

Use this window to configure the e-mail address list that will receive alerts. For every triggered attack response that is set to send an e-mail alert, each e-mail address listed here will receive an alert. You can add, modify, or delete entries by using the buttons described here:

• New — Click this button to define a new e-mail address to receive attack alerts. See “About the E-mail Settings: New/Modify window” on page 571 for more details.
• Modify — Select an entry and click this button to modify an existing e-mail address. See “About the E-mail Settings: New/Modify window” on page 571 for more details.
• Delete — Select an entry and click this button to delete that e-mail address.

About the E-mail Settings: New/Modify window

This window allows you to add or modify an e-mail address in the list of e-mail addresses that are sent an alert during an attack response. To change this list, do the following:
1 In the E-mail address field, either type a new e-mail address or edit an existing e-mail address.
2 Click OK to return to the Response Settings window.
3 Click OK on the Response Settings window to save your changes.
Creating system responses

System responses allow you to configure how Sidewinder G2 responds when it detects audit events that indicate significant system events, such as license failures and log overflow issues.

To view or configure system responses, use the Admin Console to select Firewall Administration > System Responses. The following window appears.

Figure 231: System Responses main window

About the System Responses main window

This window displays the currently configured system responses. You can perform the following actions in this window:

• Filter the list of system responses — To modify the displayed list, right-click a column name and select from the current list of filters or create a custom filter. The list will then display only system responses of that type.
• Configure a new system event response — To configure a new system response, click New. The Add System Response Wizard appears.
• Modify an existing system response — To modify an existing system response, select the appropriate item within the list and click Modify. For information on modifying specific fields, refer to the following sub-sections.
• Delete an existing system response — To delete a system response, select the list item you want to delete and then click Delete.
• Disable/enable a system response — The disable and enable options depend on a system response’s current status. If one or more responses with the same status are selected, their status can be changed to its opposite (for example, if all selected responses are enabled, you may disable all of them). When multiple responses with mixed statuses are selected, the only available action is enabling the responses.
• Create the e-mail list to notify in the event of a system event — To create or modify the list of e-mail addresses to notify if any system event triggers an alert, click Response Settings. See “About the Response Settings: New/Modify window” on page 577 for more information.

Figure 232: System Responses Modify window

Modifying a system response

When you modify a system response, the following window appears.

About the Modify System Responses: Event tab

Use this tab to change this system response’s event type. An event is generally defined as an important, generally unexpected, change in your system. Each event type identifies a different set of system changes.

1 Select the event type for which you want Sidewinder G2 to send out a response. A complete list is provided in Table 40.
To create additional system event types, see “Configuring new event types” on page 578.
2 Click OK or the next tab you want to modify.

Note: For descriptions of the audit severities, see “Viewing IPS attack and system event summaries” on page 521.
Table 40: Description of pre-defined system events

Event: Description

Access Control List
    Detects all ACL audit events.

all audit
    Detects all attack and system events, regardless of characteristics.

config change
    Detects when the Sidewinder G2’s configuration changes.

error
    Detects all system events identified as AUDIT_T_ERROR in the audit stream.

HA failover
    Detects when a failover IP address changes because a High Availability cluster failed over to its secondary/standby.

hardware software failure
    Detects when a hardware or software component fails.

host license exceeded
    Detects when the number of hosts protected by the Sidewinder G2 exceeds the number of licensed hosts.

IPSEC error
    Detects when traffic generates IPSEC errors.

license expiration
    Detects when a licensed feature is about to expire.

log overflow
    Detects when the log partition is close to filling up.

network traffic
    Detects all connections that successfully pass through the Sidewinder G2.

not config change
    Detects all attack and system events that are not configuration changes.

power failure
    Detects when an Uninterruptible Power Supply (UPS) device detects a power failure and the Sidewinder G2 is running on UPS battery power.

syslog
    Detects all audit attacks and system events created via syslog.

system all
    Detects all system events of all severities, including power failures, hardware and software failures, failover events, license expiration, host license exceeded, log overflows, and IPSEC errors.

system critical
    Detects all critical system events, including power failures, hardware failures, critical software failures, and failover events. Critical system events indicate that a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention.

system critical and severe
    Detects critical and severe system events, including power failures, hardware failures, critical and severe software failures, failover events, license expiration, log overflows, and IPSEC errors. Critical system events indicate that a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention. Severe attacks indicate something is occurring that an administrator should know about.

system shutdown
    Detects when a UPS is running out of battery power or has been on battery power for the estimated battery time.

VPN
    Detects VPN audit events.
About the Modify System Responses: Frequency tab

Use this tab to modify the parameters that must be met before Sidewinder G2 generates a response. The options are:

• Always respond — Select this option to have Sidewinder G2 respond each time the event type specified on the Event tab occurs.
• Limit responses — Select this option to respond only when the event’s pattern matches the parameters set here:
  – Respond if x events in y seconds, where:
    • valid values for x are between 2 and 100000. Sidewinder G2 responds when the xth event occurs.
    • valid values for y are between 1 and 100000. This represents the last y seconds: Sidewinder G2 counts the events that occurred between the current time minus y and now.
  – Reset event count to zero after responding — After x events, Sidewinder G2 zeroes out its event counter and waits until another x events occur in y seconds. If this option is not selected, each subsequent system event that occurs in y seconds will generate a response.
  For example, if you want to respond to 5 events in 30 seconds, Sidewinder G2 constantly checks the past 30 seconds. When Sidewinder G2 receives 5 system events in that time frame, it responds according to the Response tab settings. If it zeroes out after responding, it waits until 5 more events occur in a 30-second time period before responding again.

About the Modify System Response: Response tab

Use this tab to configure how Sidewinder G2 should respond when the event matches the parameters on the Frequency tab. Sidewinder G2 can send an alert using an e-mail, an SNMP trap, or both. The options are:

• Configure an alert — Sidewinder G2 can send an alert using an e-mail, an SNMP trap, or both.
  – Send e-mail: Select this option to send an e-mail to each e-mail address listed in the E-mail Settings area. (Access this list from the main System Responses window. Additional information is available in “Configuring the e-mail settings” on page 577.)
  – Send SNMP trap: Select this option to send an SNMP trap to the location(s) configured for the snmpd server. (Configure the SNMP server at Services Configuration > Servers > snmpd. Additional information is available in “Sidewinder G2 SNMP traps” on page 579.)
• [Conditional] If configuring an alert, specify how long Sidewinder G2 should wait before sending the next e-mail or SNMP trap for the same system event by using the Wait x seconds between alerts option. Valid values are between 0 and 65535.
  For example, suppose you configure an alert to trigger when 10 or more IPSec errors occur in a 60-second period, and you instruct Sidewinder G2 to wait 300 seconds (five minutes) between alerts. In this configuration, if Sidewinder G2 detects 10 errors in a 60-second period, a response is triggered. However, if Sidewinder G2 detects 5 more IPSec errors during the next 30 seconds, Sidewinder G2 will not send another alert. After five minutes, if the threshold is again reached, another alert will be triggered.
Figure 233: System<br />
Responses: Response<br />
Settings window<br />
About the System<br />
Responses:<br />
Response Settings<br />
Configuring the e-mail settings<br />
Chapter 20: IPS Attack and System Event Responses<br />
Creating system responses<br />
To view, add, modify, or delete the e-mail addresses that will receive alerts,<br />
click Response Settings, in the System Responses main window’s lower right<br />
corner. The following window appears:<br />
This window is used to configure the e-mail address list that will receive alerts.<br />
For every triggered system event response that is set to send an e-mail alert,<br />
each e-mail address listed here will receive an alert. You can add, modify, or<br />
delete entries by using the buttons describe here:<br />
• New — Click this button to define a new e-mail address to receive system<br />
event alerts. See “About the Modify System Responses: Event tab” on page<br />
573 for more details.<br />
• Modify — Select an entry and click this button to modify an existing e-mail<br />
address. See “About the Modify System Responses: Event tab” on page<br />
573 for more details.<br />
• Delete — Select an entry and click this button to delete that e-mail address.<br />
About the Response Settings: New/Modify window<br />
This window allows you to add or modify an e-mail address for the list <strong>of</strong> e-mail<br />
addresses to send an alert to during a system response. To change this list, do<br />
the following:<br />
1 In the E-mail address field, either type a new e-mail address or edit an<br />
existing e-mail address.<br />
2 Click OK to return to the Response Settings window.<br />
3 Click OK on the Response Settings window to save your changes.<br />
Configuring new event types
You may decide that you would like to add a customized IPS attack or system event type to the pre-defined list. New entries can be created using the command line. Once added, the new event will appear on the appropriate list in the Admin Console. At that point, you may create new responses for that event.
To add a new attack or system event type, do the following:
1 Start a command line session with Sidewinder G2 and log in.
2 Use the srole command to switch to the administrator role.
3 Enter the following command, using a single line:
cf audit add filter name=name filter_type=system|attack sacap_filter=sacap_filter number=int comments=comments
where:
• name = name of the new event type.
• system|attack = type of filter. This option determines if the new event type will appear on the IPS Response attack type list or the System Responses event list.
• sacap_filter = string which identifies a sacap_filter expression to use.
• int = number of the SNMP trap to use. See “Sidewinder G2 SNMP traps” on page 579 for more information about SNMP traps.
• comments = text that will appear in the Event tab’s Description field.
Refer to the cf_audit and the sacap_filter man pages for information on configuring event types (referred to as filters) and responses (referred to as auditbots). Refer to acat -c for a list of current audit events.
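As an added helper (not part of the guide and not part of the cf tool), the following shell function checks the arguments before composing the single-line command from step 3. It verifies that filter_type is system or attack, that the trap number is an integer and, following the guide’s statement that custom traps use numbers 215–225, that it lies in that range; the sacap_filter expression and the comment are single-quoted so that spaces do not split the single line (an assumption about how cf receives its arguments). The sample sacap_filter value below is a placeholder, not a real expression. The function prints the command; add_audit_filter runs it through the shell unless CF_DRY_RUN is set, which keeps the example runnable off the firewall.

```shell
#!/bin/sh
# Added example, not part of the guide or of cf: validate the parameters of
# "cf audit add filter" and build the command on a single line.

# build_audit_filter_cmd NAME FILTER_TYPE SACAP_FILTER TRAP_NUMBER COMMENTS
# Prints the command line, or an error on stderr with a non-zero status.
build_audit_filter_cmd() {
    name=$1; ftype=$2; sacap=$3; number=$4; comments=$5

    # Event names appear as identifiers in the Admin Console lists: keep them
    # to letters, digits and underscore (assumption about cf's naming rules).
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid name: '$name'" >&2; return 1 ;;
    esac
    # filter_type selects the IPS attack list or the System Responses event list.
    case $ftype in
        system|attack) ;;
        *) echo "filter_type must be system or attack, got '$ftype'" >&2; return 1 ;;
    esac
    # The trap number must be an integer; the guide says custom traps use 215-225.
    case $number in
        ''|*[!0-9]*) echo "trap number must be an integer, got '$number'" >&2; return 1 ;;
    esac
    if [ "$number" -lt 215 ] || [ "$number" -gt 225 ]; then
        echo "custom trap number $number is outside 215-225" >&2; return 1
    fi
    [ -n "$sacap" ] || { echo "sacap_filter must not be empty" >&2; return 1; }

    # Single quotes keep the sacap_filter expression and the free-text comment
    # each as one argument to cf; embedded single quotes are escaped.
    sacap_q=$(printf '%s' "$sacap" | sed "s/'/'\\\\''/g")
    comments_q=$(printf '%s' "$comments" | sed "s/'/'\\\\''/g")
    printf "cf audit add filter name=%s filter_type=%s sacap_filter='%s' number=%s comments='%s'\n" \
        "$name" "$ftype" "$sacap_q" "$number" "$comments_q"
}

# add_audit_filter: same arguments; runs the command unless CF_DRY_RUN is set.
add_audit_filter() {
    cmd=$(build_audit_filter_cmd "$@") || return 1
    if [ -n "$CF_DRY_RUN" ]; then
        echo "$cmd"
    else
        eval "$cmd"   # the cf binary only exists on the firewall
    fi
}

# Placeholder sacap_filter value; substitute a real expression from the
# sacap_filter man page on the firewall.
CF_DRY_RUN=1 add_audit_filter custom_event attack 'PLACEHOLDER_SACAP_EXPRESSION' 216 'Custom event added from the command line'
```

Run the script with CF_DRY_RUN=1 first and compare the printed line with the syntax in step 3; only then run it in the administrator role without the variable.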
Ignoring network probe attempts
If a host on the network attempts to connect to the Sidewinder G2 for a service that is not running, an audit record is generated and may trigger an alarm. An ignore list can be set up to ignore unimportant network probe audit events, but save the audit to keep track of the probe attempts. However, if connection attempts are frequent and are coming from a trusted network, then it may be desirable to ignore them completely and not audit the connection attempt by configuring the appropriate IP Filter rules.
To ignore network probes (commonly referred to as netprobes), you can create IP Filter rules to deny connection requests for specific ports. For example, if you have problems with netbios generating netprobes on the Sidewinder G2, you can discard them and prevent audit events by creating an IP Filter with the following key values:
Type: UDP
Action: Deny
Source/Dest Burbs: internal
Source/Dest Ports: 137
Audit Level: None
Direction: Uni-directional
Source/Dest: All (subnet 0.0.0.0:0)
The Sidewinder G2 can cause network probe attempts between services running on the system. These probe attempts usually indicate one of the services is responding slowly, and do not show that a problem exists on the Sidewinder G2. By default, auditing these loopback network probes is disabled. To turn on auditing for the network probe attempts between services running on the system, enter the following command in the admin role:
sysctl -w kern.audit_netprobe_loopback=1
Note: If you want to ensure that this remains configured, you should also add this command to the end of the /etc/rc.local file.
Sidewinder G2 SNMP traps
An SNMP trap is an alert message (also known as an alarm message) that is sent as an unsolicited transmission of information from a managed node (router, Sidewinder G2, etc.) to a management station. Sidewinder G2 gives you the option of sending audit alert SNMP traps when an audit event triggers a response in Sidewinder G2. Pre-defined alert events in Sidewinder G2 are contained in the 200 range (for example, 201, 202). You also have the option to create your own custom traps. Custom traps will return messages that contain numbers 215–225. For a list of available SNMP traps, see the snmptrap man page.
To configure Sidewinder G2 to send the following pre-defined traps, refer to “About the Modify Attack Response: Response tab” on page 569 and “About the Modify System Response: Response tab” on page 576.
• ATTACK_ATTEMPT — This trap is sent when an attack attempt (that is, any suspicious occurrence) is identified by one of the services on Sidewinder G2. For example, if the Network Services Sentry (NSS) detects a suspicious IP address on an incoming connection, it will issue an attack attempt trap.
• FAILOVER_EVENT — This trap is sent any time a Sidewinder G2 changes its status in an HA cluster from secondary to primary, or from primary to secondary.
• MAIL_FILTER_FAILURE — This trap is sent when SMTP mail messages fail a configured mail filter. For example, if a mail message failed the Key Word Search filter, a mail filter failure event would be logged. The mail filter map configuration determines what is done with failed messages.
• IPSEC_FAILURE — This trap is sent when IPSec errors exceed the configured threshold values.
• LICEXCEED_FILTER — This trap is sent when users are denied access through the Sidewinder G2 due to a user license cap violation.
• LOG_FILE_OVERFLOW — This trap is sent when the Sidewinder G2 audit logs are close to filling the partition.
• PROBE_ATTEMPT — This trap is sent when network probe attempts are detected (that is, any time a user attempts to connect or send a message to a TCP or UDP port that either has no service associated with it or is associated with an unsupported service). To ignore network probe attempts, create an IP Filter deny rule to discard probes coming from recognized offenders. See “Ignoring network probe attempts” on page 578 for key values to configure.
• ACCESS_CONTROL — This trap is sent when the number of denied access attempts to services exceeds a specified number. For example, you may set up your system so that internal users cannot FTP to a certain Internet address. If a user tried to connect to that address, the attempt would be logged as a denial.
• UPS_POWER_FAILURE — This trap is sent when a connected Uninterruptible Power Supply (UPS) has a power failure and the Sidewinder G2 is running on UPS battery power.
• PROXY_FLOOD — This trap is sent when potential connection attack attempts are detected. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try and flood the system. When NSS receives more connection attempts than it can handle for a proxy, that proxy is briefly stopped (to allow the proxy to “catch up”) and is then restarted, and an audit event is created.
• DENIED_AUTH — This trap is sent when a user attempts to authenticate and enters invalid data. For example, if a user is required to enter a password and entered it incorrectly, the denied auth_filter would log the event.
Note: This type of event is not logged when an administrator attempts to switch to an unauthorized role (srole) or enters incorrect login information.
• UPS_SYSTEM_SHUTDOWN — This trap is sent when the Sidewinder G2 has been running on UPS battery power for the estimated battery time. (See “Configuring the Sidewinder G2 to use a UPS” on page 93 for additional information on UPS.)
• SYN_FLOOD_ATTACK — This trap is sent when the Sidewinder G2 encounters a SYN attack.
• TE_VIOLATION — This trap is sent when an unauthorized user or process attempts to perform an illegal operation on a file on the Sidewinder G2.
• NETWORK_TRAFFIC — This trap is sent when the number of traffic audit events written by the various proxies (WWW, Telnet, FTP, etc.) going through the Sidewinder G2 exceeds a specified number in a specified time period. This information can be useful for monitoring the use of the Sidewinder G2 services by internal users.
Note: Network traffic thresholds are reported as number of events per second, and not as number of bytes per second.
• CRIT_COMP_FAILURE — This trap is sent when the Sidewinder G2 detects that a critical component has failed. For example, this trap occurs when daemond detects a software module has failed.
• VIRUSMIME — This trap occurs when the number of mail or HTTP messages that failed the MIME/Virus/Spyware filter exceeds a specified threshold in a specified time period.
APPENDIX A
Command Line Reference
In this appendix...
Overview of cf ............ 584
Summary of cf structure ............ 584
Working with files on the Sidewinder G2 ............ 594
Understanding automatic (cron) jobs ............ 598
Overview of cf
The cf (configurator) command makes it possible for you to configure various Sidewinder G2 areas (rules, burbs, DNS, etc.) directly from the UNIX command line. You can use the cf command as an alternative to the Admin Console (the Sidewinder G2’s graphical user interface) for performing most system administration tasks.
There are several situations when you may want to use the cf command interface instead of the Admin Console to perform configuration activities. With cf, you can automate repetitive configuration tasks (for example, adding many similar rules) by using scripts. Also, cf is useful under circumstances when the Admin Console cannot be used, such as performing Sidewinder G2 configuration from a text-only terminal. A final benefit of cf is that it provides a quick and easy way to see how a certain area of your Sidewinder G2 is currently configured.
Note: cf commands should be run in the Operational kernel (most cf commands will not function properly in the Administrative kernel).
Summary of cf structure
The following table summarizes the structure of cf, showing the primary commands available for each area. This table does not show the keywords available for each Sidewinder G2 area.
The online manual entry (man page) for cf provides a full description of all areas available in the cf command and the keywords/options associated with each area.
• To display the man page listing for the cf command, enter:
man cf
• To display the man page listing for a specific cf area, enter:
man cf_areaname
For example, man cf_acl or man cf_interface.
Table: Summary of cf structure

Sidewinder G2 area | Commands | Area Description
acl | add, defrag, delete, export, flushcache, modify, purge, query, repair, restore_console_access, set | Use this area to maintain rules on the Sidewinder G2.
adminuser | add, delete, modify, set, query | Use this area to configure the Sidewinder G2 administrator database.
antivirus | add, delete, disable, enable, modify, query, set | Use this area to configure the anti-virus scan engine and the Sidewinder G2’s scanner service.
appfilter | add, delete, modify, purge, set, query | Use this area to configure Application Defenses on the Sidewinder G2.
audit | add, delete, disable, enable, modify, query, listdb, set | Use this area to configure audit, including auditbot, e-mail, pager, filter and strikeback options.
burb | set, add, modify, start, query, verify | Use this area to configure the Sidewinder G2 burbs and hostname.
cert | add, addsslcert, delete, getcert, getkey, getcrl, modify, updatedbs, view, query | Use this area to configure all VPN certificate entries used by the Sidewinder G2.
cfg | add, delete, modify, query | Use this area to define custom attributes for your configuration files.
cmd | set, query | Use this area to configure the Sidewinder G2 certificate management daemon.
config | backup, delete, list, query, restore, set | Use this area to configure the Sidewinder G2 configuration backup and restore process. (Backs up/restores the configuration files, not the hard disk.)
crontab | set, query | Use this area to configure the SmartFilter and package crontab entries.
daemond | query, set | Use this area to configure daemond.
dns | add, delete, dumpdb, notrace, query, querylog, reload, set, status, stats, trace | Use this area to configure DNS on your Sidewinder G2.
entrelayd | reload, status | Use this area to configure and manage the entrelayd server.
export | add, all, delete, disable, enable, ftp, modify, query, webtrends | Use this area to configure the export utility.
failover | add, delete, query, reload, reset, restart, set, start, status, stop | Use this area to configure the failover (High Availability) service on the Sidewinder G2.
gated | set, add, modify, delete, validate, query | Use this area to configure the gated daemon.
ikmpd | set, query | Configure global settings for the ISAKMP daemon.
interface | add, modify, delete, detect, up, down, set, status, swap, query, update | Use this area to configure the Sidewinder G2 network interfaces.
ipfilter | add, delete, export, modify, purge, query, reload, set, stop | Use this area to configure IP filtering for the Sidewinder G2.
ipsec | add, delete, keydump, modify, policydump, query, reload, status | Use this area to configure IPSec parameters.
lca | add, modify, delete, query, list, revoke, gencrl, getcrl, getcacert, gencert | Use this area to configure the local (on-box) certification authority.
ldap | add, delete, modify, query, set | Use this area to configure LDAP authentication for the Sidewinder G2.
license | check, features, firewallID, get, host, read, set, query | Use this area to license this Sidewinder G2 and any premium features.
msnt | add, delete, modify, set, query | Use this area to configure Microsoft NT authentication servers.
mvm | import, query | Use this area to configure multi-version management.
nss | enable, disable, modify, query | Use this area to configure the NSS, which controls access to all of the transparent and non-transparent proxies, as well as enable/disable some servers.
ntp | add, config, delete, modify, enable, disable, set, restart, query | Use this area to configure network time protocol (NTP).
package | backup, check, contents, description, download, errors, install, list, load_cdrom, load_floppy, log, query, readme, set, verify | Use this area to configure the package download system. This is used for loading patches.
password | expire, set, query | Use this area to configure the reusable password authentication method.
pool | add, delete, modify, query | Use this area to create and modify client address and entry pools.
proxy | add, create, delete, destroy, disable, enable, help, modify, query, set | Use this area to configure Sidewinder G2 proxies.
radius | add, delete, modify, set, query | Use this area to configure RADIUS authentication for the Sidewinder G2.
reports | add_query, add_report, delete_query, delete_report, modify_query, modify_report, query, run_report, show_tables, show_aggregates, show_databases, show_groups, show_columns | Use this area to define, store, and run audit reports.
routed | add, delete, query, restart, set, start, stop | Use this area to configure RIP processing on the Sidewinder G2.
safeword | add, delete, modify, query | Use this area to configure SafeWord authentication for the Sidewinder G2.
securid | install, query | Use this area to configure the reusable SecurID authentication method.
sendmail | flush, rebuild | Use this area to rebuild the sendmail database files.
server | enable, disable, status, restart, reload, query | Use this area to administer servers. This includes displaying status, enabling/disabling, and restarting/reloading servers. Configuration of an individual server is done in its own area (acl, httpd, nss, ntp, snmp, udpproxy).
smartfilter | download, set, query, version | Use this area to configure SmartFilter.
snk | backup-dss, delete, primary-dss, query, set | Use this area to configure the reusable SecureNet Key (snk) authentication method.
snmp | add, delete, modify, query, restart, set, start, stop, usr2 | Use this area to configure simple network management protocol (SNMP).
sshd | start | Use this area to start the secure shell daemon (sshd).
ssl | query, set | Use this area to configure the Sidewinder G2 SSL certificates.
sso | delete, list, set, query | Use this area to configure single sign-on authentication.
swede | breaklock, defrag, listlocks, repair, override | Use this area to configure the Sidewinder enterprise database engine.
syncd | add, delete, query, set, start, stop | Use this area to configure the Sidewinder G2 synchronization feature.
udb | add, delete, modify, purge, query | Use this area to manage the authentication user database.
ups | query, set | Use this area to configure the use of an uninterruptible power supply with the Sidewinder G2.
warders | clearauthfailures, listauthfailures, query, set | Use this area to configure Sidewinder G2 authentication servers.
www | add, delete, set, restart, status, reconfigure, rotate, query | Use this area to configure the Web proxy on the Sidewinder G2.
Working with files on the Sidewinder G2
The File Editor is an easy-to-use text editor that is available directly from the Admin Console. The File Editor simplifies the editing process, enabling you to perform virtually every necessary editing task from the Admin Console instead of the command line. The File Editor also provides some additional conveniences such as unique file backup and restore features. Refer to “Using the Admin Console File Editor” on page 26 for details.
The Sidewinder G2 also supports typical UNIX editors for you to use, including vi, emacs, and pico.
Important: The pico -w parameter disables word wrapping on lines that contain up to 256 characters. If you do not include the -w parameter, pico will insert hard carriage returns after about the 80th column of each line that exceeds 80 columns. This corrupts certain system files, such as the .conf files. Therefore, when you enter the pico command, be sure to include the -w parameter. However, be aware that certain files may contain lines over 256 characters and even using the -w parameter will not prevent word wrapping.
Changing your default editor
By default, the Sidewinder G2 uses the vi text editor. However, the Sidewinder G2 also supports the emacs and pico editors.
You can change your default editor by following these steps:
1 Log in at a Sidewinder G2 command prompt.
2 Open the .cshrc file in an editor.
3 Locate the line that reads as follows:
setenv EDITOR editorname
4 Replace the name of the current editor with the name of the one you want to use. For example, you might replace vi with emacs.
5 Save the .cshrc file and quit the editor. The next time you log in, your default editor will be the one you specified in the .cshrc file.
6 Type the following command at the system prompt to make the change effective in the current shell:
source .cshrc
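The same change as an added shell function (not from the guide), operating on a .cshrc file you name: it accepts only the three editors the guide lists, keeps a backup copy, rewrites the setenv EDITOR line by way of a temporary file instead of the non-portable sed -i, and confirms the result before reporting success. The .cshrc content used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: change the default editor in a .cshrc file.

# set_default_editor CSHRC_FILE EDITOR
# Rewrites the "setenv EDITOR ..." line and leaves a backup in CSHRC_FILE.bak.
set_default_editor() {
    rc=$1; editor=$2
    # The guide names vi, emacs and pico as the supported editors.
    case $editor in
        vi|emacs|pico) ;;
        *) echo "unsupported editor: $editor (use vi, emacs or pico)" >&2; return 1 ;;
    esac
    [ -f "$rc" ] || { echo "$rc not found" >&2; return 1; }
    grep -q '^setenv EDITOR ' "$rc" || { echo "no setenv EDITOR line in $rc" >&2; return 1; }
    cp "$rc" "$rc.bak" || return 1
    # Write to a temporary file and rename, so a failed sed never truncates .cshrc.
    sed "s/^setenv EDITOR .*/setenv EDITOR $editor/" "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc" || return 1
    # Verify the line is really there before reporting success.
    grep -q "^setenv EDITOR $editor\$" "$rc"
}

# current_default_editor CSHRC_FILE: prints the editor named in the file.
current_default_editor() {
    sed -n 's/^setenv EDITOR \(.*\)$/\1/p' "$1"
}

# Demonstration on a constructed .cshrc in a temporary directory.
editor_demo() {
    dir=$(mktemp -d) || return 1
    printf 'setenv PATH /bin:/usr/bin\nsetenv EDITOR vi\n' > "$dir/.cshrc"
    set_default_editor "$dir/.cshrc" emacs || return 1
    current_default_editor "$dir/.cshrc"   # prints: emacs
    rm -rf "$dir"
}

editor_demo
```

After running it against your own .cshrc, step 6 still applies: source .cshrc so the current shell picks up the new EDITOR value.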
About editing Sidewinder G2 files
UNIX files are not protected against simultaneous editing by two individuals. For this reason, an administrator should take care not to make changes to a file when another administrator is working on it. In the UNIX world, whoever writes the file last usually prevails. In some cases, file corruption occurs.
For example, if an administrator is editing the server.conf configuration file using the Admin Console while someone else is using a text editor to change that file, there may be undesirable results. If two people try editing the same file using either vi or emacs, however, the editor will warn the users about the situation.
Also, when editing the Sidewinder G2 configuration files (server.conf, roles.conf, etc.), be aware of the use of special characters that are used to format commands within these files. Special characters include double quotes, single quotes, brackets ([ ]), the pound symbol (#), and parentheses ( ). Inadvertently placing special characters in the Sidewinder G2 configuration files will make the files unreadable to the Sidewinder G2. Enter man sidewinder.conf at a Sidewinder G2 command prompt for details.
Important: Save any scripts you create for the Sidewinder G2 in the /usr/local/bin directory. If you ever need to upgrade your Sidewinder G2 software, Secure Computing’s upgrade procedure will automatically save any scripts that reside in that directory.
Checking file and directory permissions (ls)
As described in Chapter 2, Type Enforcement restricts users to certain roles and restricts domains to certain files. Under standard UNIX, files and directories use access controls. Whether you can read, write, or execute a file depends on the groups you belong to and the permissions set on the file. If you try accessing a Sidewinder G2 file and are denied, even though the UNIX file permissions indicate that you have access, Type Enforcement may be preventing access.
Checking file types
To check Type Enforcement file types, enter the following command:
/bin/ls -aly filename
You will see output similar to the following:
Admn:file filename
The output shows, from left to right, the creating domain (Admn), the file type (such as exec, file, conf, util, diry), and the file name.
Checking directory types
To check Type Enforcement directory types, enter the following command:
/bin/ls -dy directory_name
You will see output similar to the following:
$Sys:diry directory_name
$Sys indicates that the directory was created in the $Sys domain. This is a domain used by the operating system for various tasks.
Changing a file’s type (chtype)
Use the chtype command to change a file’s type. Normally, you will be in the Administrative kernel when changing a file’s type. It is always possible to change a file’s type in the Administrative kernel rather than the Operational kernel because the Administrative kernel does not use Type Enforcement. The Operational kernel uses Type Enforcement, which may prevent you from changing a file’s type.
There may, however, be situations where it would be convenient to change a file’s domain while in the Operational kernel without having to boot to the Administrative kernel. The following procedures describe how to change a file’s type from either the Administrative or the Operational kernel.
Changing file types in the administrative kernel
To change a file’s type in the Administrative kernel, follow the steps below.
1 Attach a keyboard and monitor directly to your Sidewinder G2 system. If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items to the front connection ports or both to the back connection ports).
2 Enter the following command at the UNIX prompt:
chtype domain:type filename
For example, entering the command:
chtype Admn:exec myprogram
changes the domain and type for the myprogram file to Admn:exec.
Changing file types in the operational kernel
To change a file’s type in the Operational kernel, follow these steps:
1 At a Sidewinder G2 command prompt, log in and enter the following command to switch to the Admn role:
srole
2 Copy the file you want to change:
cp file1 newfile
3 Delete the original file:
rm file1
4 Change the new file to the target domain and/or file type:
chtype domain:filetype newfile
5 Rename the file:
mv newfile file1
Auditing the use <strong>of</strong> chtype commands<br />
The <strong>Sidewinder</strong> <strong>G2</strong> audits each failed occurrence <strong>of</strong> a chtype command.<br />
However, you can also audit successful chtype events. Use the following<br />
commands to enable or disable the auditing <strong>of</strong> successful chtype commands.<br />
• To enable auditing <strong>of</strong> successful chtype commands, enter the following<br />
command:<br />
sysctl -w kern.auditchtype=1<br />
• To disable auditing <strong>of</strong> successful chtype commands, enter the following<br />
command:<br />
sysctl -w kern.auditchtype=0<br />
Note: Whether you enable or disable auditing <strong>of</strong> successful chtype events,<br />
failed chtype events are always audited.<br />
Creating your own scripts<br />
While operating in either the User or Admn domains, you can create your own<br />
scripts for use on the <strong>Sidewinder</strong> <strong>G2</strong>. Scripts created in the User domain will be<br />
executable by the Admn and User domain but no other domain. Scripts created<br />
in the Admn domain will not be executable by anyone until the type is changed<br />
to Admn:scrp using the chtype command.<br />
Understanding automatic (cron) jobs<br />
The <strong>Sidewinder</strong> <strong>G2</strong> contains jobs that perform routine maintenance tasks such<br />
as rotating files and cleaning out old files. These jobs are run by the cron<br />
daemon, which reads its configuration file (/etc/crontab) to determine which<br />
jobs to run and when to run them.<br />
The following summarizes each automatic cron job on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
/etc/daily<br />
When enabled, this job runs at 2:00 a.m. each day and performs the following<br />
tasks:<br />
• Tells the operator which file systems need rotating.<br />
• Prints a summary <strong>of</strong> mail messages to be sent.<br />
• Prints a status <strong>of</strong> the mounted file systems.<br />
• Reports on system security by checking if files such as password files have<br />
changed.<br />
• Runs daily.local. This lets you remove miscellaneous old or junk files from<br />
directories such as /usr and /var/tmp; you must first uncomment the<br />
appropriate cleandir command line(s) in /etc/daily.local.<br />
• Rotates the /var/account/acct file.<br />
• Prints a summary <strong>of</strong> network status.<br />
• Compresses and rotates messages in the mail filtering log directories.<br />
• Sends e-mail if the /var/log directory becomes 85% full and again when it<br />
becomes 100% full.<br />
The output <strong>of</strong> this job is sent to the /var/log/daily.out file. You can view this<br />
output as described in Chapter 19.<br />
/etc/weekly<br />
This job runs each Saturday at 3:30 a.m. and performs these tasks:<br />
• Rotates the access_log and error_log files in /var/log/httpd. These files<br />
exist only if the httpd server is running.<br />
• Runs weekly.local. This lets you remove miscellaneous “.o” files from the<br />
/usr/src and /usr/obj directories; you must first uncomment the find<br />
command line in /etc/weekly.local.<br />
The output <strong>of</strong> this job is sent to the /var/log/weekly.out file. You can view this<br />
output as described in Chapter 19.
/etc/monthly<br />
This job runs at 5:30 a.m. on the first day of each month and rotates the<br />
/var/log/wtmp file. The output <strong>of</strong> this job is sent to the /var/log/monthly.out file.<br />
You can view this output as described in Chapter 19.<br />
Rollaudit cron jobs<br />
There are two /usr/sbin/rollaudit jobs listed in /etc/crontab. The first job<br />
checks the size <strong>of</strong> various audit and log files daily at 2:00 a.m. The second job<br />
runs each hour and rotates files found to be growing too quickly. When these<br />
jobs run, they check the /etc/sidewinder/rollaudit.conf configuration file to see<br />
which files should be rotated. The following files are checked by rollaudit:<br />
• /var/log/audit.* (the <strong>Sidewinder</strong> <strong>G2</strong> generates reports when these files are<br />
rolled.)<br />
• /var/log/auditd.log<br />
• /var/log/cron<br />
• /var/log/lpd-errs<br />
• /var/log/messages<br />
• /var/log/maillog (This file is rotated once a week. The output is used for the<br />
mail traffic reports described in Chapter 19.)<br />
• /var/log/snmpd.log<br />
You can edit the /etc/sidewinder/rollaudit.conf file to specify how large files are<br />
allowed to get before they are rotated and the maximum amount <strong>of</strong> time that<br />
should elapse between rotations. See the rollaudit man page for details on<br />
editing this file.<br />
Caution: To avoid serious system problems, do not allow the /var/log partition to<br />
become full. The /sbin/logcheck job will generate an e-mail message warning you if<br />
the /var/log partition becomes 85% full and then again if it becomes 100% full.<br />
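A worked illustration of the rotation and disk-usage behaviour described above, added here as an example; it is not the rollaudit or logcheck code shipped on the Sidewinder G2. Its rule format (“path max_bytes max_age_seconds”), the four-generation retention, and the constructed sample log are assumptions made for the example, not the format of /etc/sidewinder/rollaudit.conf:<br />

```python
"""Added example for this appendix; it is not the Sidewinder G2 rollaudit
or logcheck program.  It shows the two behaviours the text describes:
rotating a log when it grows too large or too old, and warning once when
a partition passes 85% and again at 100%.  The rule format used here
('path max_bytes max_age_seconds') is an assumption for the example, not
the format of /etc/sidewinder/rollaudit.conf."""
import os
import time

WARN_PCT = 85      # thresholds quoted in the appendix for /var/log
FULL_PCT = 100
KEEP = 4           # generations kept as path.0 .. path.3 (assumption)


def parse_rules(text):
    """Parse 'path max_bytes max_age_seconds' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            path, max_bytes, max_age = line.split()
            rules.append((path, int(max_bytes), int(max_age)))
    return rules


def needs_rotation(path, max_bytes, max_age, now=None):
    """True if the file is larger than max_bytes or its last modification
    is older than max_age seconds.  A missing file never needs rotation."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    now = time.time() if now is None else now
    return st.st_size > max_bytes or (now - st.st_mtime) > max_age


def rotate(path, keep=KEEP):
    """Shift path.N to path.N+1 (dropping the oldest), move path to path.0
    and recreate an empty path so the writing daemon keeps a valid target."""
    oldest = "%s.%d" % (path, keep - 1)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 2, -1, -1):
        src = "%s.%d" % (path, n)
        if os.path.exists(src):
            os.replace(src, "%s.%d" % (path, n + 1))
    os.replace(path, path + ".0")
    open(path, "a").close()


def run_rollaudit(rules_text, now=None):
    """Apply every rule; return the paths that were rotated."""
    rotated = []
    for path, max_bytes, max_age in parse_rules(rules_text):
        if needs_rotation(path, max_bytes, max_age, now):
            rotate(path)
            rotated.append(path)
    return rotated


def usage_alerts(samples):
    """Given successive usage percentages for a partition, return the
    (percent, level) alerts that would be mailed: one on first crossing
    85%, another on reaching 100%, and again only after the level changes."""
    alerts, level = [], "ok"
    for pct in samples:
        new = "full" if pct >= FULL_PCT else "warn" if pct >= WARN_PCT else "ok"
        if new != level and new != "ok":
            alerts.append((pct, new))
        level = new
    return alerts


if __name__ == "__main__":
    # Constructed demonstration: a 2 KiB "messages" file with a 1 KiB limit.
    import tempfile
    d = tempfile.mkdtemp()
    log = os.path.join(d, "messages")
    with open(log, "wb") as fh:
        fh.write(b"x" * 2048)
    print(run_rollaudit("%s 1024 86400" % log))   # prints [log]: rotated
    print(usage_alerts([50, 85, 90, 100]))         # [(85, 'warn'), (100, 'full')]
```

The rotation recreates an empty file under the original name so that a daemon still writing to /var/log keeps a valid target; a real deployment would also signal the daemon to reopen its log after the rename.<br />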
Spamfilter cron job<br />
The spamfilter server filter files are updated hourly by the following job:<br />
/usr/sbin/spamfilter_download<br />
Running this cron job is important for keeping anti-spam and anti-fraud<br />
services current.<br />
Note: This cron job is disabled by default.<br />
SmartFilter 3.x cron job<br />
The SmartFilter control list is updated weekly by the following job:<br />
/usr/sbin/smartfilter_auto_download<br />
The system administrator is notified via e-mail whenever the control list is<br />
successfully downloaded. This cron job is only necessary if maintaining<br />
SmartFilter 3.x instead <strong>of</strong> upgrading to SmartFilter 4.0.2.<br />
Note: This cron job is disabled by default.<br />
Monitor data retrieval cron job<br />
The following cron job retrieves disk utilization information once every minute:<br />
/usr/bin/get_monitor_data<br />
The data gathered from this job is used to generate the performance report.<br />
See Chapter 19 for information on generating audit reports.<br />
Report generating cron jobs<br />
You can use the Admin Console Reporting window to generate the following<br />
reports:<br />
• Root_access, service_denied, and traffic reports.<br />
• A network_probe report.<br />
Note: Daily reports are initially disabled in /etc/crontab. If you want to enable daily<br />
reports, you must first enable the auditdbd server or you will not receive any data.<br />
See “Activating the <strong>Sidewinder</strong> <strong>G2</strong> license” on page 55.<br />
Squid log rotation cron job<br />
The Web proxy server is implemented using Squid, an open source s<strong>of</strong>tware<br />
program that provides proxy and caching capabilities. Squid’s log files<br />
(access_log, cache_log, and store.log) are rolled over daily using the following<br />
command:<br />
/usr/sbin/cf www rotate
CRL and certificate retrieval cron job<br />
The following cron job automatically retrieves certificates and CRLs from<br />
Netscape Certificate Authorities (CAs):<br />
/usr/sbin/cf cert updatedbs<br />
For more information on certificates, see Chapter 14.<br />
Anti-virus DAT file cron job<br />
The following cron job automatically updates the anti-virus DAT file.<br />
/usr/sbin/datupdate<br />
Package download cron job<br />
The following cron job automatically performs package downloads:<br />
/usr/sbin/cf package download<br />
Export utility cron job<br />
The following cron job automatically removes old export data:<br />
/usr/sbin/cf export ftp<br />
Logcheck cron job<br />
The following cron job automatically runs the logcheck utility every five<br />
minutes:<br />
/usr/sbin/logcheck<br />
Appendix B: Setting Up Network Time Protocol<br />
In this appendix...<br />
Overview of NTP ..........................................................................594<br />
Configuring NTP on a Sidewinder G2 ..........................................597<br />
References...................................................................................599<br />
Overview of NTP<br />
NTP provides a way to synchronize all clocks on a network, or to synchronize<br />
the clocks on one network with those on another network. You may find NTP<br />
useful in the following situations:<br />
Figure 234: NTP server/client relationship<br />
• When your internal network includes a system that already provides time<br />
for the rest <strong>of</strong> your network.<br />
• When, for time-critical services, it is important to synchronize your network<br />
with a more accurate chronometer on an external network.<br />
Important: If exact synchronization is not important to your site, you may ignore<br />
NTP entirely. NTP is not automatically enabled during <strong>Sidewinder</strong> <strong>G2</strong> installation,<br />
and is active only if you configure and enable it as described later in this appendix.<br />
This release <strong>of</strong> the <strong>Sidewinder</strong> <strong>G2</strong> is compatible with NTP versions 1, 2, and 3.<br />
Version 3 is the preferred version and is the default on the <strong>Sidewinder</strong> <strong>G2</strong>.<br />
NTP servers and clients<br />
In NTP, a server is a system that sends a time-feed to another system. (The<br />
server is also referred to as a host.) The receiving system—the one whose<br />
time is being set by the server—is an NTP client.<br />
Consider the simple configuration in Figure 234 showing an NTP time server<br />
with two NTP clients (A and B) in the same network. The NTP server supplies<br />
the time to NTP clients A and B. Using their own NTP s<strong>of</strong>tware, each client<br />
system must also be set up to receive time from the server.<br />
[Figure 234: an NTP server (time source) supplying time to Client A and Client B]<br />
The <strong>Sidewinder</strong> <strong>G2</strong> can be set up as an NTP server or a client. Secure<br />
Computing Corporation recommends that the <strong>Sidewinder</strong> <strong>G2</strong> be set up as an<br />
NTP client, receiving time from an NTP server on your internal network.
Figure 235: Sidewinder G2 as an NTP client (an internal server provides time to<br />
the Sidewinder G2 and to other internal workstations; no time-feed to or from the<br />
Internet)<br />
The Sidewinder G2 as an NTP client<br />
Figure 235 shows a common NTP setup. It is the recommended configuration,<br />
with the <strong>Sidewinder</strong> <strong>G2</strong> configured as a client receiving time from a server<br />
labeled “Internal time source.” In this configuration, a server in the internal<br />
network (shown with an analog clock) is the designated time-setter for the rest<br />
<strong>of</strong> the network. The three other systems in the internal network are also NTP<br />
clients.<br />
[Figure 235: the internal time source on the internal network feeds time to the<br />
Sidewinder G2]<br />
By means <strong>of</strong> NTP, the server automatically maintains the correct time on the<br />
<strong>Sidewinder</strong> <strong>G2</strong> and also maintains the time on other workstations in the<br />
network. The advantages <strong>of</strong> this setup are the following:<br />
• The internal network does not rely on an external time server and is<br />
therefore not exposed to any security breaches that might conceivably<br />
result. For this reason, this is the configuration recommended by Secure<br />
Computing.<br />
• Since the <strong>Sidewinder</strong> <strong>G2</strong> is not supplying time for other systems but is only<br />
receiving it, this setup has minimal effect on <strong>Sidewinder</strong> <strong>G2</strong> performance.<br />
The Sidewinder G2 as an NTP server<br />
You can also set up the <strong>Sidewinder</strong> <strong>G2</strong> to be a time-setter for the rest <strong>of</strong> the<br />
network. The <strong>Sidewinder</strong> <strong>G2</strong> can feed the time to an internal system which in<br />
turn supplies time to your other workstations. The <strong>Sidewinder</strong> <strong>G2</strong> could also be<br />
set up to supply time to the workstations in your network directly. However, this<br />
setup might decrease the <strong>Sidewinder</strong> <strong>G2</strong>’s performance, especially if the<br />
<strong>Sidewinder</strong> <strong>G2</strong> has to supply time directly to a number <strong>of</strong> systems.<br />
Figure 236: The Sidewinder G2 as an NTP server (external time servers supply<br />
time to the Sidewinder G2, which passes time on to the internal system; multiple<br />
servers provide backup)<br />
As shown in Figure 236, the <strong>Sidewinder</strong> <strong>G2</strong> is receiving time from NTP servers<br />
on an external network and passing the time on to the internal network. This<br />
would be advantageous if your company required constant and precise time<br />
updates to within microseconds <strong>of</strong> world standard time.<br />
Important: Unlike the previous two configurations, an external-to-internal NTP<br />
configuration exposes the Sidewinder G2, and through it your network, to an<br />
outside time source. Time is a security input: audit and log timestamps,<br />
certificate and CRL validity checks, and time-limited credentials all depend on<br />
it, so a compromised or spoofed external server can skew all of them. Therefore,<br />
this configuration is only recommended for sites that need world standard time.<br />
If you do use it, configure more than one external server (as in Figure 236) and<br />
apply restrict flags such as notrust and noquery (see “Configuring the Sidewinder<br />
G2 as an NTP client”) so that external hosts cannot query or modify the Sidewinder<br />
G2’s NTP server.<br />
Note: For the configuration shown in Figure 236, the router must be able to handle<br />
NTP traffic.<br />
[Figure 236: servers on the external network supply time to the Sidewinder G2<br />
through a router; the Sidewinder G2 feeds time to the internal network]<br />
To pass a clock setting to the internal network, the external side <strong>of</strong> the<br />
<strong>Sidewinder</strong> <strong>G2</strong> needs to be configured as a client to the external clocks. The<br />
<strong>Sidewinder</strong> <strong>G2</strong>’s NTP client then takes the “tick” from the remote clock, and<br />
sends it to the on-board system clock. On the internal side <strong>of</strong> the <strong>Sidewinder</strong><br />
<strong>G2</strong>, the NTP server is enabled with the clock type set to “local.” This forces the<br />
<strong>Sidewinder</strong> <strong>G2</strong> to look to its internal clock for the time information, and<br />
configured as an internal server, pass the “tick” to the server on the internal<br />
burb interface.<br />
NTP must also be configured on each <strong>of</strong> the external time servers. For certified<br />
time servers, it is safe to assume that this has already been done correctly.<br />
An external NTP configuration is recommended only for sites that require time<br />
within microseconds <strong>of</strong> world standard time. This is achieved by configuring<br />
NTP on the <strong>Sidewinder</strong> <strong>G2</strong> to accept time signals from one or more certified<br />
time servers located outside your company network. For a list <strong>of</strong> certified time<br />
servers, check the following Web site:<br />
http://ntp.isc.org/bin/view/Servers/WebHome<br />
Figure 237: NTP conflict: Sidewinder G2 receiving time from external and internal<br />
servers (DO NOT CONFIGURE NTP IN THIS WAY!)<br />
Configuring NTP on a Sidewinder G2<br />
Note: The list of certified time servers includes stratum 1 and stratum 2 servers.<br />
Be sure to select stratum 2 servers only; public stratum 1 servers are generally<br />
meant to feed other time servers rather than individual clients. It is also best to<br />
choose a time server that is located within your time zone.<br />
Figure 237 shows a configuration that should not be used and that is almost<br />
guaranteed to cause trouble. This happens when NTP is configured to supply<br />
time to the <strong>Sidewinder</strong> <strong>G2</strong> from two servers—one external and one internal.<br />
Input from the external time server cannot be reconciled with that from the<br />
internal server.<br />
[Figure 237: the internal time source supplies time to the Sidewinder G2 while a<br />
time server on the external network also supplies time to it, creating a conflict]<br />
Use the following procedures to configure the <strong>Sidewinder</strong> <strong>G2</strong> for NTP. You can<br />
enable NTP for the appropriate burbs using the Admin Console. However, you<br />
must configure NTP via the command line. For information on configuring NTP<br />
via the command line see the cf_ntp man page.<br />
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an NTP client<br />
Follow the steps below to set up the <strong>Sidewinder</strong> <strong>G2</strong> as an NTP client to receive<br />
the time from another NTP server.<br />
1 Disable the fixclock server, as follows (you must disable fixclock before you<br />
enable NTP):<br />
a In the Admin Console, select Services Configuration > Servers, and<br />
select fixclock from the Server List. The fixclock Control tab appears.<br />
b Select the Disable radio button.<br />
c Click the Save icon in the toolbar.<br />
2 Enable the NTP server in the appropriate burbs, as follows:<br />
a Select Services Configuration > Servers, and select NTP from the<br />
Server List. The NTP Control tab appears.<br />
b Select the check box for the burbs in which you want NTP enabled.<br />
c Click the Save icon in the toolbar.<br />
3 At the command line, do the following:<br />
a Connect to the <strong>Sidewinder</strong> <strong>G2</strong> and enter the srole command.<br />
b Select the machine(s) from which the <strong>Sidewinder</strong> <strong>G2</strong> will receive time by<br />
entering the following command:<br />
cf ntp add server burb=server_burb ip=NTPserver_ip_addr<br />
4 [Optional] Configure the appropriate NTP rules using the following format:<br />
cf ntp add restrict burb=burb_name ip=restricted_ip_address_or_subnet mask=network_mask_for_ip_address flags=comma_separated_list_of_flags<br />
where the flag list contains values such as notrust, noquery, etc.<br />
Note: Flags are used to restrict the NTP functions <strong>of</strong> a server, peer, or client.<br />
Refer to man cf_ntp for details.<br />
As an NTP client, the Sidewinder G2 adjusts its clock toward the server at a<br />
rate of only seconds per hour; a difference of several minutes between the<br />
server clock and the client clock may therefore take several days to<br />
synchronize. Set the clock approximately correct before enabling NTP so that<br />
only a small offset remains to be corrected.<br />
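The request/reply exchange behind the client configuration above, with the checks the appendix’s guidance implies, as an added example; it is not part of the original guide, of the cf ntp tool, or of ntpd. The 48-byte NTPv3 packet layout and the standard offset formula are from the protocol; the 500 ppm slew rate (ntpd’s conventional maximum), the stratum-2-only window, the reference ID 10.0.0.1, and the reply itself are this example’s assumptions and constructed data:<br />

```python
"""Added example; not the Sidewinder G2 cf ntp tool or ntpd.  It builds an
NTPv3 mode-3 client request, parses a server reply, and applies the checks
this appendix's guidance implies: accept only a synchronized server of the
intended stratum, and only a reply that echoes our own request.  It also
estimates how long ntpd would take to slew out an offset.  The reply used
below is constructed in code, not captured from a real server."""
import struct
import time

NTP_EPOCH = 2208988800        # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
LI_UNSYNC = 3                 # leap indicator 3: clock not synchronized
SLEW_PPM = 500                # ntpd's conventional maximum slew rate (assumption)
HDR = "!BBbb11I"              # LI/VN/mode, stratum, poll, precision, 11 words
# word index: 0 root delay, 1 root dispersion, 2 reference id,
# 3-4 reference, 5-6 originate, 7-8 receive, 9-10 transmit timestamps


def to_ntp(unix_ts):
    """Unix seconds (float) -> (seconds, fraction) NTP timestamp words."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * (1 << 32)) & 0xFFFFFFFF
    return whole + NTP_EPOCH, frac


def from_ntp(secs, frac):
    return secs - NTP_EPOCH + frac / (1 << 32)


def build_request(version=3, now=None):
    """48-byte client packet; our send time goes in the transmit field."""
    now = time.time() if now is None else now
    words = [0] * 11
    words[9], words[10] = to_ntp(now)
    return struct.pack(HDR, (version << 3) | MODE_CLIENT, 0, 6, -20, *words)


def parse_packet(data):
    """Decode the fixed 48-byte header of a request or reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum, poll, precision, *w = struct.unpack(HDR, data[:48])
    return {
        "li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "refid": struct.pack("!I", w[2]),
        "originate": from_ntp(w[5], w[6]),
        "receive": from_ntp(w[7], w[8]),
        "transmit": from_ntp(w[9], w[10]),
    }


def check_reply(reply, sent_at, min_stratum=2, max_stratum=2):
    """None if the reply is acceptable, otherwise the reason to discard it.
    The default stratum window follows the appendix's 'stratum 2 only'."""
    if reply["mode"] != MODE_SERVER:
        return "not a server reply"
    if reply["li"] == LI_UNSYNC or reply["stratum"] == 0:
        return "server is unsynchronized"
    if not min_stratum <= reply["stratum"] <= max_stratum:
        return "stratum %d outside policy" % reply["stratum"]
    if abs(reply["originate"] - sent_at) > 1e-3:   # unsolicited/spoofed reply
        return "originate timestamp does not match our request"
    return None


def clock_offset(reply, t1, t4):
    """Standard NTP offset ((t2 - t1) + (t3 - t4)) / 2 from the four
    timestamps: t1 sent, t2 server receive, t3 server transmit, t4 received."""
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2


def slew_seconds(offset, ppm=SLEW_PPM):
    """Seconds needed to slew out `offset` at `ppm` parts per million."""
    return abs(offset) / (ppm / 1e6)


def build_reply(request, stratum, recv_at, xmit_at, li=0, version=3):
    """Construct the server side of the exchange (fixture, not a server):
    echo the client's transmit time as originate and stamp receive/transmit."""
    first, _, poll, precision, *w = struct.unpack(HDR, request)
    words = [0] * 11
    # reference id: upstream server 10.0.0.1 (constructed) or the 'GPS' tag
    words[2] = 0x0A000001 if stratum > 1 else int.from_bytes(b"GPS\0", "big")
    words[5], words[6] = w[9], w[10]
    words[7], words[8] = to_ntp(recv_at)
    words[9], words[10] = to_ntp(xmit_at)
    return struct.pack(HDR, (li << 6) | (version << 3) | MODE_SERVER,
                       stratum, poll, precision, *words)


if __name__ == "__main__":
    t1 = 1700000000.25
    req = build_request(now=t1)
    rep = parse_packet(build_reply(req, 2, t1 + 300.01, t1 + 300.02))
    off = clock_offset(rep, t1, t1 + 0.03)
    print(check_reply(rep, t1), round(off, 3), slew_seconds(off) / 86400)
```

With a 300 s offset the slew estimate comes out at roughly seven days, which is the “several minutes may take several days” behaviour the text describes; the originate-timestamp check is what stops an attacker from answering a query you never sent.<br />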
Configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an NTP server<br />
Follow the steps below to set up the <strong>Sidewinder</strong> <strong>G2</strong> as an NTP server to send<br />
the time to other systems. Note the following:<br />
• This section assumes the same configuration as shown in Figure 236. It<br />
also assumes you have already set up the <strong>Sidewinder</strong> <strong>G2</strong> as a client on the<br />
external burb to receive the time-feed from an external time server.<br />
• If you are setting up NTP to provide time to your network from another<br />
network, and there is a router between that network and your network,<br />
make sure the router allows NTP traffic.<br />
1 Disable the fixclock server, as follows (you must disable fixclock before you<br />
enable NTP):<br />
a In the Admin Console, select Services Configuration > Servers, and<br />
select fixclock from the Server List. The fixclock Control tab appears.<br />
b Select the Disable radio button.<br />
c Click the Save icon in the toolbar.
2 Enable the NTP server in the appropriate burbs, as follows:<br />
a Select Services Configuration > Servers, and select NTP from the<br />
Server List. The NTP Control tab appears.<br />
b Select the check box for the burbs in which you want NTP enabled.<br />
c Click the Save icon in the toolbar.<br />
3 At the command line, connect to the <strong>Sidewinder</strong> <strong>G2</strong> and enter the srole<br />
command.<br />
4 Create a local clock by entering the following command:<br />
cf ntp add peer burb=burb_name ip=127.127.1.0 prefer=yes<br />
Setting prefer=yes specifies that the <strong>Sidewinder</strong> <strong>G2</strong>’s time signals take<br />
precedence over a set <strong>of</strong> correctly operating servers that are also sending<br />
the time.<br />
5 (Optional: Perform if configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an authoritative NTP<br />
clock) Add a list <strong>of</strong> NTP peers that can query the <strong>Sidewinder</strong> <strong>G2</strong> by entering<br />
the following command:<br />
cf ntp add peer burb=peer_burb ip=ip_addr<br />
An NTP peer is a server that is a designated “colleague” to another server<br />
(peers can set each other’s clocks). Peers are sometimes used in large,<br />
internationally-known time sites.<br />
6 (Optional: Perform if configuring the <strong>Sidewinder</strong> <strong>G2</strong> as an authoritative NTP<br />
clock): Set up the NTP rules by entering the following command:<br />
cf ntp add restrict burb=burb_name ip=restricted_ip_address_or_subnet mask=network_mask_for_ip_address flags=comma_separated_list_of_flags<br />
where the flag list contains values such as notrust, noquery, etc.<br />
Note: Flags are used to restrict the NTP functions <strong>of</strong> a server, peer, or client.<br />
Refer to man cf_ntp for details.<br />
References<br />
NTP is a complicated protocol with many options. There are numerous places<br />
where more information can be obtained. These include RFCs, Web sites, and<br />
local manual (man) pages. For more information about NTP, see the following<br />
sources:<br />
Internet Request For Comments (RFC)<br />
The following RFCs provide information on NTP:<br />
• RFC 1059 Network Time Protocol (Version 1)<br />
• RFC 1119 Network Time Protocol (Version 2)<br />
• RFC 1305 Network Time Protocol (Version 3)<br />
Web Sites<br />
Point your browser to the following Web site:<br />
http://www.ntp.org/<br />
On-line manual (man) pages<br />
Type the following commands:<br />
man cf_ntp<br />
man ntpd<br />
man ntpdc
Appendix C: Configuring Dynamic Routing with OSPF<br />
In this appendix...<br />
Overview of OSPF routing............................................................602<br />
OSPF processing on a Sidewinder G2.........................................604<br />
Setting up OSPF routing on the Sidewinder G2...........................606<br />
Configuring "passive" OSPF ........................................................612<br />
Other implementation details........................................................612<br />
Overview of OSPF routing<br />
OSPF is a routing protocol in the sense that it supplies the information used<br />
to compute routes within a portion of a network. It is a link-state protocol,<br />
however, so it does not pass routes themselves: each router advertises<br />
information about its own links, and every router runs the same algorithm over<br />
that information and arrives at the same "picture" of the network.<br />
Note: OSPF runs as its own protocol (protocol 89) on top <strong>of</strong> IP.<br />
OSPF uses a fair amount of multicasting. When a router detects a change in its<br />
link state or in the network topology, it immediately multicasts the change to<br />
the other OSPF routers on the network. Unlike RIP, in which the entire routing<br />
table is sent to neighboring routers every 30 seconds, OSPF sends only the part<br />
that has changed, and only when a change occurs.<br />
Tip: You should read this appendix only if you have identified that your routing<br />
topology is too complicated to use only static routing or the Routing Information<br />
Protocol (RIP). OSPF is a complex IP routing protocol and deploying OSPF should<br />
involve discussions between routing subject matter experts and security subject<br />
matter experts.<br />
A closer look at OSPF<br />
Rather than counting the number of hops, OSPF bases its path descriptions on<br />
link states that factor in additional network information. OSPF also lets you<br />
assign a cost metric to each interface (link) so that some paths are preferred<br />
over others.<br />
There are three phases to the OSPF protocol:<br />
1 Routers "discover" neighboring OSPF routers by exchanging Hello<br />
messages. The Hello messages also determine which routers will act as<br />
the Designated Router (DR) and Backup Designated Router (BDR). These<br />
messages are periodically exchanged to ensure connectivity between<br />
neighbors still exists.<br />
2 Routers exchange their "link state databases." Link state means the<br />
information about a system's interfaces (IP address, network mask, cost for<br />
using that interface, and whether it is up or down).<br />
3 Finally, the routers exchange additional information via a number <strong>of</strong><br />
different type <strong>of</strong> Link State Advertisements (LSAs). These "fill out" the<br />
information needed to calculate routes. Some reasons for generating LSAs<br />
are interfaces going up or down, distant routes changing, static routes<br />
being added or deleted, etc.
Figure 238: Three OSPF protocol phases<br />
At this point, all routers should have a full database. Each database contains<br />
consistent (not identical) information about the network. Based upon this<br />
information, routes are calculated via the "Dijkstra" algorithm. This algorithm<br />
generates the set <strong>of</strong> shortest routes needed to traverse the network. These<br />
routes are then enabled for use by IP.<br />
All OSPF routers on a network do not exchange OSPF data—this limits<br />
network overhead. Instead, they communicate with the DR (and BDR), which<br />
are then responsible for updating all other routers on the network. Election <strong>of</strong><br />
the DR is based upon the priority <strong>of</strong> that router.<br />
OSPF multicasts using the AllSPFRouters (224.0.0.5) and AllDRouters<br />
(224.0.0.6) addresses. The Designated Router (DR) and Backup Designated<br />
Router (BDR) receive packets on the second address.<br />
Important: Since the Sidewinder G2 performs many other functions, Secure<br />
Computing Corporation recommends that you not configure the Sidewinder G2 to<br />
become DR (or BDR) unless your network topology forces it.<br />
[Figure 238: four OSPF routers: 1 exchange Hello messages to discover neighbor<br />
OSPF routers; 2 exchange link state databases; 3 exchange link state<br />
advertisements]<br />
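The two computations described above, the SPF run that every router performs on the same link-state database and the DR/BDR election by priority, as an added example; it is not gated or Sidewinder G2 code. The link-state database, the router names and costs, and the router IDs in the election are constructed for the example, and the election omits the rule that a sitting DR is not displaced by a newcomer:<br />

```python
"""Added example; it is not gated or Sidewinder G2 code.  It runs the two
computations the appendix describes over a constructed link-state database:
the Dijkstra shortest-path-first calculation that every router performs on
the same LSDB (so every router derives the same picture and consistent
forwarding), and the DR/BDR election by interface priority, which shows why
priority 0 keeps a router such as the firewall out of the election."""
import heapq

# Constructed LSDB: each router lists the cost of its own interfaces to each
# neighbour.  Costs are per interface, so A->B and B->A may legitimately
# differ; in this sample they happen to be symmetric.
LSDB = {
    "FW": {"R1": 10, "R2": 10},
    "R1": {"FW": 10, "R3": 5},
    "R2": {"FW": 10, "R3": 20, "R4": 5},
    "R3": {"R1": 5, "R2": 20, "R4": 1},
    "R4": {"R2": 5, "R3": 1},
}


def spf(lsdb, root):
    """Dijkstra from `root`: {router: (total cost, first hop from root)}."""
    dist = {root: 0}
    first_hop = {root: None}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                      # stale heap entry
        for nbr, cost in lsdb.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                # node's own first hop is final once it has been popped
                first_hop[nbr] = nbr if node == root else first_hop[node]
                heapq.heappush(heap, (nd, nbr))
    return {r: (dist[r], first_hop[r]) for r in dist}


def routing_table(lsdb, root):
    """Routes IP would install on `root`: destination -> next hop."""
    return {dst: hop for dst, (_, hop) in spf(lsdb, root).items() if dst != root}


def trace(lsdb, src, dst):
    """Forward a packet hop by hop, each router consulting only its own SPF
    result.  Consistent databases give a loop-free path; a loop or a missing
    route is reported rather than silently followed."""
    path, node = [src], src
    while node != dst:
        node = routing_table(lsdb, node).get(dst)
        if node is None or node in path:
            raise RuntimeError("no route or loop at %s" % path[-1])
        path.append(node)
    return path


def _rid_key(rid):
    """Compare dotted-quad router IDs numerically, not as strings."""
    return tuple(int(o) for o in rid.split("."))


def elect_dr_bdr(interfaces):
    """interfaces: [(router_id, priority)].  Highest priority wins, ties go
    to the highest router ID, and priority 0 is ineligible.  Simplified:
    ignores the rule that a sitting DR is not displaced by a newcomer."""
    eligible = sorted(((p, _rid_key(rid), rid) for rid, p in interfaces if p > 0),
                      reverse=True)
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    print(routing_table(LSDB, "FW"))
    print(trace(LSDB, "FW", "R4"))
    # The firewall announces priority 0, so it can never become DR or BDR.
    print(elect_dr_bdr([("10.0.0.1", 1), ("10.0.0.9", 1),
                        ("10.0.0.5", 0), ("10.0.0.2", 50)]))
```

Giving the Sidewinder G2 OSPF priority 0 is the concrete way to follow the recommendation above: the router is still a full neighbour and receives the DR’s updates, but it is never elected.<br />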
OSPF is considered an Interior Gateway Protocol (IGP). An IGP limits the<br />
exchange of routes to a "domain of control," known as an Autonomous System<br />
(AS). An AS is a large network (an ISP, for example) created under a central<br />
authority running a consistent routing policy; that policy may include several<br />
different routing protocols. RIP (both V1 and V2), IS-IS, and EIGRP (a<br />
proprietary Cisco protocol) are all IGPs.<br />
Exterior Gateway Protocols, such as EGP and the Border Gateway Protocol<br />
(BGP), communicate routing information between Autonomous Systems.<br />
Routers on the "edge" of the AS generate "special" LSAs (AS-External-LSAs)<br />
for the rest of the AS. There is also a mechanism (the forwarding address) that<br />
lets an OSPF router "point over there" for a route. This feature allows a<br />
customer to introduce static routes for their network from a central router.<br />
Figure 239: OSPF areas<br />
OSPF processing on a Sidewinder G2<br />
Autonomous Systems can be large. It is not necessary for the whole AS to<br />
need to know "everything" about routes. Each AS may be broken down into<br />
areas. All routing information must be identical within an area. Routing<br />
between areas goes through a "backbone." All routers on a backbone have to<br />
be able to communicate with each other. Since they belong to the same area<br />
(area 0 <strong>of</strong> a particular AS), they also all have to agree. Area Border Routers<br />
(ABRs) will have one interface defined to run in the backbone area. Other<br />
interfaces can then be defined to run in a different area.<br />
Take a look at a sample configuration. Figure 239 shows a large internal<br />
network and backbone terminating at a router.<br />
[Figure 239: an autonomous system (AS) containing area 0 (the backbone) and<br />
area n (8.8.8.8), each a complicated network, joined by an ABR; an ASB router<br />
at the edge of the AS speaks EGP/BGP]<br />
Stub areas are areas where there is a single exit point. An OSPF router sends "summary" LSAs into the stub that point back to that router as the default router for the stub area.
For more information on OSPF and Internet routing, check with your router vendor. The following books may also be useful:
• Routing in the Internet, 2nd edition, by Christian Huitema, Prentice Hall (2000)
• Cisco Router OSPF: Design and Implementation Guide, by William R. Parkhurst (Cisco Technical Expert), McGraw Hill (1998)
OSPF processing on a Sidewinder G2
OSPF processing is done via a Sidewinder G2 server process called gated. To implement OSPF processing on the Sidewinder G2, a gated server process must be configured, enabled, and started in the burb expecting to handle OSPF broadcasts. Only one gated may be started per burb, but that gated will handle all network interfaces within that burb.
The Sidewinder G2 currently runs version 3.6 of gated. This is the most recent freely available version of gated from the OSPF Consortium and its successor, NextHop.
This release of OSPF on the Sidewinder G2 runs gated as an "intra-area" router. That means all interfaces that are configured to run OSPF exist in the same OSPF area.
Note: Support for the Sidewinder G2 running as an ABR will come in a future release.
Sidewinder G2 in an OSPF network topology
Essentially there are two choices for locating the Sidewinder G2 within the OSPF network topology:
• the Sidewinder G2 within OSPF area 0 backbone
• the Sidewinder G2 within OSPF area n
The first choice, shown in Figure 240, extends the AS backbone through the Sidewinder G2. Any area boundary is external to the Sidewinder G2.
Figure 240: Sidewinder G2 within OSPF area 0 backbone (diagram not reproduced; labels: area 0 (backbone), Complicated Network, burb, area n (8.8.8.8))
The second choice, shown in Figure 241, runs a non-backbone area through the Sidewinder G2, placing the backbone completely internal. This second option is preferable for security policy reasons, but may not be practical without re-engineering the OSPF network.
Figure 241: Sidewinder G2 within OSPF area "n" (diagram not reproduced; labels: area 0 (backbone), Complicated Network, Autonomous system (AS), burb, Sidewinder G2, ABR, area n (8.8.8.8), ASBR)
In order for OSPF to work, it is important that all routers work off of a consistent link state database. The Sidewinder G2 implementation allows a customer to control which routers it will communicate with by using the rule list. The active rule list can be configured to only allow known routers to talk to gated.
Setting up OSPF routing on the Sidewinder G2
Interoperability with other OSPF routers
The 3.6 distribution of gated supports OSPF version 2 as described in RFC 1583. Many routers will detect this automatically; other routers have an RFC 1583 compatibility mode setting. This setting should be enabled for all other routers (if available) in the same area as the Sidewinder G2.
Other routing protocols
There are many versions of gated that support a number of routing protocols. The Sidewinder G2 gated currently supports OSPF. A future release will include RIP (both v1 and v2) support. At this time, we are NOT expecting to support IS-IS (another interior routing protocol similar to OSPF), or any exterior routing protocols (EGP or BGP).
Follow the steps below to set up OSPF on the Sidewinder G2.
1 Sketch a diagram showing your planned Sidewinder G2 configuration (similar to the diagram in Figure 241). Include the following items on your diagram:
• configuration of the routers to which the Sidewinder G2 connects
• OSPF areas in the network(s)
• the Sidewinder G2 interfaces (burbs)
2 On the Sidewinder G2, define one or more netgroups for the routers to which the Sidewinder G2 connects. See Chapter 5 for details on creating netgroups.
3 On the Sidewinder G2, configure one or more rules for the OSPF traffic. See Chapter 8 for details on setting up rules.
4 On the Sidewinder G2, configure the following OSPF parameters:
a Properties
b OSPF properties
c OSPF Areas
d Advanced
Tip: Follow the procedures in the next sections to use the Admin Console to set your OSPF options.
5 Enable the OSPF (gated) server by doing the following:
a Using the Admin Console, select Services Configuration > Servers and then select gated-unbound.
b Click Enable.
Configuring OSPF properties
To configure OSPF properties, start the Admin Console and select Services Configuration > Routing > Dynamic. Click the OSPF Properties tab; the following window appears:
Figure 242: OSPF Properties tab (screenshot not reproduced)
About the OSPF Properties tab
The OSPF Properties tab specifies the parameters that affect overall OSPF function on the Sidewinder G2. Follow the steps below.
1 In the Default Preference field, specify the default preference for selection of routes learned by OSPF versus other gated routing protocols. The default is 150. Do not change this field unless directed to by Secure Computing.
2 In the Default Cost field, specify the metric for external routes that OSPF is going to advertise to the Autonomous System (AS). The default is 1. Do not change this field unless directed to by Secure Computing.
3 In the Default Tag field, specify the tag placed on OSPF routes for other protocol-dependent filtering. The default tag is 0. Do not change this field unless directed to by Secure Computing.
4 In the Default Type drop-down list, select whether OSPF will advertise external routes into the AS as Type 1 or Type 2 Autonomous System External routes (ASEs). The default is 1. Do not change this field unless directed to by Secure Computing.
5 In the Default Inherit Metric field, select one of the following:
• Yes: If this field is set to Yes, OSPF will use the metric from the external route when exporting ASEs rather than using the default cost.
• No: This is the default value. Do not change this field unless directed to by Secure Computing.
6 In the Export Limit field, specify the throttle rate at which an ASBR advertises ASEs into the AS. The default is 100 ASEs per interval. Do not change this field unless directed to by Secure Computing.
7 In the Export Interval field, specify how often an ASBR will advertise ASEs into the AS. The value specifies seconds, with a default of 1. Do not change this field unless directed to by Secure Computing.
8 The syslog field allows gated to log occasional packets to syslog (and thereby to Sidewinder G2 audits) in addition to the depth of information obtainable from trace options. The format is first pktcnt every pktcnt2, which means OSPF will log the first pktcnt packets of each type of OSPF packet and, after that, one message per pktcnt2 packets. The default is no entry, which means no logging. Do not change this field unless directed to by Secure Computing.
9 In the OSPF Enabled field, specify whether OSPF is enabled (yes or no).
10 To save your changes, click the Save icon in the toolbar.
Configuring OSPF Areas
To configure OSPF areas, start the Admin Console and select Services Configuration > Routing > Dynamic. Click the OSPF Areas tab; the following window appears:
Figure 243: OSPF Area tab (screenshot not reproduced)
About the OSPF Area tab
The OSPF Area tab configures communication with other routers. Follow the steps below.
1 In the Area field, specify the area number as follows:
• Backbone—Select this option to define area 0.
• Number—Select this option to define a non-zero area. The area is defined in the Area Number field. Values can be simple numbers (like 3) or "dotted decimal" (like IP addresses). Areas are 32 bit numbers.
2 In the Stub field, specify the areas where there are no external routes as follows:
• Yes—Select this option if the Sidewinder G2 is an intra-area router inside a stub area. In the Default Cost area, specify the cost of the default route. If this is the Area Border Router (ABR) for the stub area, this indicates the cost of the default route that will be flooded into the stub area.
• No—Select this option if the Sidewinder G2 is not an intra-area router inside a stub area.
3 To modify the Interfaces table, see "Configuring the OSPF Area: Interfaces window" on page 609. The Interfaces table defines the configuration for each OSPF interface on the Sidewinder G2.
Note: Do not change the Networks field unless directed to by Secure Computing.
Configuring the OSPF Area: Interfaces window
When you click New or Modify under the Interfaces table, the following window appears:
Figure 244: OSPF Area window: Interface Information (screenshot not reproduced)
1 In the Interfaces field, specify the Sidewinder G2 IP address for each interface that should use OSPF.
2 In the Cost field, specify the metric that OSPF should advertise when calculating routes using this interface. (OSPF leaves this undefined, but it is an integer.)
3 In the Enabled field, specify whether this interface should currently run OSPF.
4 In the Retransmit Interval field, specify the retransmit interval (in seconds) between link state advertisement retransmits (the range is 0–65535).
5 In the Transit Delay field, specify a reasonable estimate of how long it takes an OSPF packet to be transmitted on this interface (the range is 0–65535). Except for very long delay paths, this parameter will normally be set to 1.
6 In the Priority field, specify the priority for becoming a Designated Router (DR) on this interface. Values are from 0–255, with higher priorities being more likely to be elected as DR (or Backup DR). When set to 0 (the default setting), gated will not become a DR under any circumstance.
Note: Secure Computing recommends that you keep this value 0 on the Sidewinder G2 whenever possible; DR functionality can cause significant utilization impact.
7 In the Hello Interval field, specify the time in seconds between Hello packets sent to maintain connectivity with neighboring routers. The default is 10 seconds. Values range from 0–255.
8 In the Router Dead Interval field, specify the time in seconds OSPF will wait without receiving Hello packets from a neighbor before assuming that neighbor is down. The default is 40 seconds. Values range from 0–65535.
9 [Optional] In the Passive field, specify whether OSPF will NOT send packets on this interface, but will send information about this interface to other interfaces. Routes can then be established through the Sidewinder G2 to systems on the passive interface. The default setting is No.
10 In the Auth field, specify which type of primary authentication is used on OSPF packets for this interface:
• none—No authentication (default).
• simple—Specifies that a clear text value (as specified in the Auth Keys list) must be present on all packets.
• md5—Specifies that a clear text value and key (as specified in the Auth Keys list) must be present on all packets.
Note: If you select simple or md5, click New (or Modify) to specify the authentication key data. See "Authentication Information window" below.
11 To save your changes, click the Save icon in the toolbar.
Authentication Information window
The Authentication Information window specifies the settings for simple or md5 authentication.
Figure 245: Authentication Information window (screenshot not reproduced)
1 In the Authentication Key field, specify the clear text value that must be present on all packets. This entry may be one to eight decimal digits separated by periods, a hexadecimal string of one to eight bytes preceded by 0x, or a one to eight character string in double quotes. More than one Authentication Key can be defined. The only requirement is that the keys do not share the same Start Generate time.
2 (md5 authentication only) In the Id Number field, specify a value from 1–255.
3 In the Start/Stop Generate fields, define the time period during which gated will use the key to sign outgoing packets.
4 In the Start/Stop Accept fields, define the time period during which gated will use the key to validate incoming packets.
Note: The Generate/Accept fields are optional fields that specify when an md5 key is valid. If you specify any time value, you must also specify all other time values. Specify overlapping valid times to ensure service is not lost. Also, multiple keys cannot share the same Start Generate or Start Accept times.
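The key-format, Id Number and Start/Stop Generate/Accept rules given for the Authentication Information window can be checked before the values go into the Admin Console; the following Python is an added example written for this guide, not Sidewinder or gated code. It assumes epoch-second times, exclusive Stop times, and that each period-separated field of a decimal key is one byte.

```python
"""Checks for the OSPF authentication settings described above (added example,
not Sidewinder or gated code). Assumptions: times are epoch seconds, Stop times
are exclusive, and each field of a dotted-decimal key is one byte."""
import re
from dataclasses import dataclass
from typing import List, Optional


def parse_auth_key(text: str) -> bytes:
    """Authentication Key field: dotted decimal, 0x-prefixed hex, or a quoted string."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        raw = text[1:-1].encode("ascii")                  # "secret"
    elif text[:2].lower() == "0x":
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", text[2:]):
            raise ValueError("hex key must be whole bytes: " + text)
        raw = bytes.fromhex(text[2:])                     # 0xdeadbeef
    elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3})*", text):
        raw = bytes(int(p) for p in text.split("."))      # 1.2.3.4; a field > 255 raises
    else:
        raise ValueError("unrecognised key format: " + text)
    if not 1 <= len(raw) <= 8:
        raise ValueError("key must be 1 to 8 bytes: " + text)
    return raw


def _in_window(start: Optional[int], stop: Optional[int], t: int) -> bool:
    """The Generate/Accept fields are optional; an unset window is always valid."""
    return start is None or (start <= t and (stop is None or t < stop))


@dataclass
class AuthKey:
    key: bytes
    key_id: Optional[int] = None           # Id Number (md5 only, 1-255)
    start_generate: Optional[int] = None   # Start/Stop Generate: when the key signs
    stop_generate: Optional[int] = None
    start_accept: Optional[int] = None     # Start/Stop Accept: when the key validates
    stop_accept: Optional[int] = None

    def generates_at(self, t: int) -> bool:
        return _in_window(self.start_generate, self.stop_generate, t)

    def accepts_at(self, t: int) -> bool:
        return _in_window(self.start_accept, self.stop_accept, t)


def validate_keys(auth: str, keys: List[AuthKey]) -> List[str]:
    """Return the problems the window's notes warn about; an empty list means OK."""
    if auth == "none":
        return ["auth is none but keys are configured"] if keys else []
    if not keys:
        return ["auth " + auth + " needs at least one key"]
    problems = []
    for i, k in enumerate(keys):
        if not 1 <= len(k.key) <= 8:
            problems.append(f"key {i}: must be 1 to 8 bytes")
        if auth == "md5" and (k.key_id is None or not 1 <= k.key_id <= 255):
            problems.append(f"key {i}: md5 Id Number must be 1 to 255")
        times = (k.start_generate, k.stop_generate, k.start_accept, k.stop_accept)
        if any(t is None for t in times) and any(t is not None for t in times):
            problems.append(f"key {i}: set all four Start/Stop times or none")
        elif times[0] is not None and not (times[0] < times[1] and times[2] < times[3]):
            problems.append(f"key {i}: each Stop time must be after its Start time")
    # Multiple keys may not share a Start Generate or a Start Accept time.
    for attr, label in (("start_generate", "Start Generate"), ("start_accept", "Start Accept")):
        starts = [getattr(k, attr) for k in keys if getattr(k, attr) is not None]
        if len(starts) != len(set(starts)):
            problems.append("two keys share the same " + label + " time")
    # Overlapping Generate windows keep service up; a gap leaves nothing to sign with.
    timed = sorted((k for k in keys if k.start_generate is not None and k.stop_generate is not None),
                   key=lambda k: k.start_generate)
    for a, b in zip(timed, timed[1:]):
        if b.start_generate > a.stop_generate:
            problems.append(f"no key generates between {a.stop_generate} and {b.start_generate}")
    return problems


def key_to_sign(keys: List[AuthKey], t: int) -> Optional[AuthKey]:
    """Key for an outgoing packet at time t: the first one inside its Generate window."""
    return next((k for k in keys if k.generates_at(t)), None)


def key_to_validate(keys: List[AuthKey], t: int, key_id: Optional[int] = None) -> Optional[AuthKey]:
    """Key for an incoming packet: matched by Id Number for md5, first valid key for simple."""
    return next((k for k in keys if (key_id is None or k.key_id == key_id) and k.accepts_at(t)), None)


def rollover_example() -> dict:
    """Constructed md5 rollover: key 1 stops signing at t=2000 while key 2 starts at t=1500,
    and key 1 is still accepted until t=2600 so neighbours that switch late are not cut off."""
    old = AuthKey(parse_auth_key('"oldkey12"'), key_id=1, start_generate=0, stop_generate=2000,
                  start_accept=0, stop_accept=2600)
    new = AuthKey(parse_auth_key("0xdeadbeef"), key_id=2, start_generate=1500, stop_generate=9000,
                  start_accept=1000, stop_accept=9000)
    keys = [old, new]
    return {
        "problems": validate_keys("md5", keys),                            # []
        "sign_at_1000": key_to_sign(keys, 1000).key_id,                    # 1
        "sign_at_2100": key_to_sign(keys, 2100).key_id,                    # 2
        "accept_id1_at_2500": key_to_validate(keys, 2500, 1) is not None,  # True
        "accept_id1_at_2700": key_to_validate(keys, 2700, 1) is not None,  # False
    }
```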
Configuring the OSPF Areas: Networks window
The Networks area on the OSPF Areas window should not be configured unless directed to do so by Secure Computing Technical Support.
Configuring Advanced options
To configure advanced options, start the Admin Console and select Services Configuration > Routing > Dynamic. Click the Advanced tab; the following window appears:
Figure 246: OSPF Advanced window (screenshot not reproduced)
About the Advanced window
The Advanced window allows you to directly edit and test the gated configuration file.
• Edit "gated.conf" File: Clicking this button allows you to set up and specify features that are not available through the Admin Console.
• Validate "gated.conf" File: Clicking this button launches a test utility that checks the configuration file's entries and ensures a valid configuration.
The resulting test determines whether the file has valid parameter settings that do not conflict with each other; however, it does not evaluate the "logic" of the specified configuration.
Configuring "passive" OSPF
You can configure and run OSPF through the Sidewinder G2 without affecting the Sidewinder G2 routing tables. To do this, you must edit the /etc/server.conf file as follows:
1 Using a text editor of your choice, find the entry:
server(gated-unbound ...........)
2 Change the args[-N] to args[-n -N].
3 Save the file.
4 Stop and start the gated server from the Services Configuration > Servers menu.
Important: In order for the Sidewinder G2 to correctly pass data, static routes must have been previously defined.
Other implementation details
As with any routing protocol, OSPF passes routable addresses. This defeats the purpose of NAT at the Sidewinder G2 running OSPF. However, NAT can still be performed at the ASBR.
gated supports a method to "query" remote gated implementations about their current state and information. This is done via the ospf monitor command. For security, the ospf monitor command is not supplied on the Sidewinder G2, and it does not accept queries from remote gated instances.
Filtering of routes should not be performed within an area. This leads to inconsistent link state databases. In turn, the Dijkstra algorithm will probably end up calculating routing loops. The Sidewinder G2 will support route filtering when it supports running as an ABR.
Appendix D: Configuring Dynamic Routing with RIP
In this appendix...
RIP with standard IP routers ........ 614
RIP processing on the Sidewinder G2 ........ 615
RIP with Sidewinder G2 using transparent IP addressing ........ 616
RIP with Sidewinder G2 not using transparent IP addressing ........ 619
Configuring RIP on the Sidewinder G2 ........ 622
Enabling/disabling the routed server ........ 625
Trace and log information ........ 625
RIP with standard IP routers
The following describes how RIP processing aids in routing IP packets through a network that has a redundant routing architecture. Figure 247 illustrates this redundant architecture.
Security Alert: RIP version 1 is an inherently insecure protocol. Without careful configuration of this service, this system may be susceptible to route confusion attacks.
Figure 247: Dynamic routing with a standard IP router (diagram not reproduced; labels: Bizco Network, Telnet server, router_a, router_b, router_c, router_d, CorpCity Network, Telnet client)
Note: This figure assumes that all routers (a, b, c, and d) are exchanging RIP packets between each other every 30 seconds.
In this example, it is unnecessary for the Telnet server and the client to be accepting RIP packets. The server can statically configure its gateway to be Router_a. The client can statically configure its gateway to be Router_b.
The Telnet client has two different possible paths of reaching the server: (1) via Router_b-to-Router_a, and (2) via Router_d-to-Router_c-to-Router_a. Examining the routing table on Router_b, you would find that there are two possible routes to the Bizco network, one with a hop count of two (through Router_a), the other with a hop count of three (through Router_d).
When the Telnet client needs to connect to the Telnet server, it sends a TCP connection request to Router_b because its internal default route points to Router_b. Router_b receives the connection frame and, because the route to the Bizco network is shorter via Router_a (two hops versus three hops), it forwards the connection frame on to Router_a. Router_a forwards the frame into the Bizco network and it eventually gets received by the Telnet server. The Telnet server builds and sends a reply frame back; this frame typically follows the same route back to the client. The two systems have established a connection.
The dynamic routing capability of RIP can be seen when the link between Router_a and Router_b is lost. As soon as Router_b notices that it is no longer receiving RIP updates from Router_a, it updates its local routing table hop count for that route to 16 (route unreachable) and broadcasts this to others on its local network (this is to notify Router_d).
Next, the Telnet client sends another IP frame to Router_a, unaware that the route between Router_a-to-Router_b has been lost. Router_a looks at its local routing table and discovers there are two routes, one unreachable, the other through Router_d. Because Router_d is on the same network as the client, Router_b sends an 'ICMP Redirect' back to the client stating that it can reach the Telnet server network through Router_d. If the client's TCP/IP stack is operating correctly, it updates its local routing table to point that host at Router_d. The client TCP/IP stack then re-sends its last frame to Router_d. Router_d receives the frame and forwards it on to Router_c, which forwards it on to Router_a, etc.
Important: Note that the TCP session continues on through Router_d as if nothing had happened, and when the link between Router_a and Router_b is reestablished, the Telnet client again should receive an 'ICMP Redirect' from Router_d pointing it back at Router_a. The session should continue as if nothing important happened.
RIP processing on the Sidewinder G2
RIP processing is done via a Sidewinder G2 server process called routed. To implement RIP processing on the Sidewinder G2, a routed server process must be configured, enabled, and started in the burb expecting to handle RIP broadcasts. Only one routed may be started per burb, but it will handle all network interfaces within that burb.
The Sidewinder G2 can be configured to support RIP processing via the following Admin Console options:
• Receive routing information from other routers
Setting this option to Yes enables routed to receive UDP RIP updates from any interface within that burb and update the local routing table.
Setting this option to No disables the updating of local routing tables with RIP updates received from the local network interfaces.
• Advertise routing information
Setting this option to Yes enables routed to broadcast UDP RIP updates, advertising local routing information available within this burb.
Setting this option to No disables broadcasting of any UDP RIP updates.
• Advertise as default gateway
Setting this option to Yes enables routed to send the default route.
Setting this option to No disables sending the default route.
• Advertise burb/routes from burbs
This option specifies which burbs (other than the current burb) should have their routing information included in RIP updates sent by THIS burb. If no burbs are listed under this option, routed will only send routing information about the current burb.
Figure 248 illustrates the implementation of RIP processing within the Sidewinder G2. This example shows a trusted burb with two network interfaces. When the routed server is started in this trusted burb, both of these interfaces will automatically be supporting RIP.
Figure 248: Routed on the Sidewinder G2 (diagram not reproduced; labels: TCP/IP, a local routing table and a routed in the Internet burb and in the trusted burb; one burb's Admin Console options set: Receive routing information from other routers = yes, Advertise routing information = no, No other burbs specified; the other burb's: Receive routing information from other routers = no, Advertise routing information = yes, External burb (1) specified)
Routed on the Sidewinder G2 operates by listening for UDP broadcasts on port 520. It also sets a timer to send a RIP packet advertising its routing information every 30 seconds. When a RIP broadcast is received, the routed server updates the local routing table with any new routes. When the 30 second timer expires, the routed server reads and updates its local routing table, and then broadcasts its local routing information.
Important: Through Type Enforcement, no routed is allowed to update the local route table in a different burb.
RIP with Sidewinder G2 using transparent IP addressing
The following describes how RIP processing occurs through the Sidewinder G2. Figure 249 illustrates an architecture where the Sidewinder G2 has been positioned to control IP traffic between the two company networks. If the Sidewinder G2s do NOT provide RIP support, the automatic rerouting of traffic through the use of dynamic routing is lost.
Figure 249: RIP with the Sidewinder G2 (diagram not reproduced; labels: Bizco Network, Telnet server, router_a, SidewinderG2_b (Internet burb, trusted burb), router_b, router_c, SidewinderG2_c (Internet burb, trusted burb), router_d, CorpCity Network, Telnet client)
For this example, Router_a will broadcast UDP RIP packets to SidewinderG2_b, but they will be dropped. Because the Sidewinder G2 now supports RIP, the Sidewinder G2 can be configured to act as a router and actively participate in the dynamic RIP processing. In order to pass data traffic through the Sidewinder G2, however, some proxy or server must be configured and enabled.
The assumption for this discussion is that the administrator has configured the Sidewinder G2 Telnet proxy. The administrator must also enable the rule allowing trusted burb-to-Internet burb traffic from the Telnet client to the Telnet server. Also, to pass the RIP information through the Sidewinder G2s, both systems must configure and enable the routed server.
For discussion purposes, the administrator must use the Admin Console to configure routed on the Internet burb with the following options:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: yes
• Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: no
• Routes from burbs: Internet (2)
Given the above configuration, both Sidewinder G2s will do the following:
• broadcast the external routing table information to Router_a (so Router_a knows when the link is up or down)
• receive routing information from Router_a (all of Bizco's routing information) and update the external routing table
• broadcast both the internal and external routing information into CorpCity's network (which provides CorpCity's networks with routing information to Bizco's network)
• NOT listen to any RIP broadcasts from the CorpCity network.
Important: The last bullet here is VERY IMPORTANT. This will be discussed in more detail later in this document.
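The four routed options, the 30 second advertisement timer, the hop count of 16 and the rule that the trusted burb never listens to CorpCity's RIP broadcasts fit together as a small model; the following Python is an added example written for this guide, not Sidewinder or routed code. It assumes a constructed ROUTE_TIMEOUT of 180 seconds before a silent neighbour's route is marked unreachable, and it uses names rather than real addresses.

```python
"""Model of the per-burb routed options described above, run with the SidewinderG2_b
configuration given in the text (added example, not Sidewinder or routed code).
Assumptions: a learned route is marked unreachable once no update has refreshed it
for ROUTE_TIMEOUT seconds, and network and router names are labels, not addresses."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNREACHABLE = 16      # RIP hop count meaning "route unreachable"
ADVERTISE_EVERY = 30  # seconds between routed's own advertisements
ROUTE_TIMEOUT = 180   # constructed: silence from a neighbour before its routes are poisoned


@dataclass
class Route:
    network: str
    gateway: str
    hops: int
    learned_at: Optional[int] = None  # None: local or static route, never times out


@dataclass
class BurbRouted:
    """One routed instance; it serves a single burb and owns only that burb's table."""
    burb: str
    receive: bool                 # Receive routing information from other routers
    advertise: bool               # Advertise routing information
    default_gateway: bool         # Advertise as default gateway
    routes_from_burbs: List[str]  # Advertise burb/routes from burbs
    table: Dict[str, Route] = field(default_factory=dict)

    def on_rip_update(self, sender: str, routes: List[Route], now: int) -> str:
        """A UDP port 520 broadcast arrived on one of this burb's interfaces."""
        if not self.receive:
            return "ignored"  # option set to No: the local table is never touched
        for r in routes:
            hops = min(r.hops + 1, UNREACHABLE)
            cur = self.table.get(r.network)
            # Take a shorter path, or whatever the current gateway now reports.
            if cur is None or hops < cur.hops or cur.gateway == sender:
                self.table[r.network] = Route(r.network, sender, hops, now)
        return "updated"

    def age_routes(self, now: int) -> None:
        """Run when the 30 second timer expires: poison routes whose neighbour went silent."""
        for r in self.table.values():
            if r.learned_at is not None and now - r.learned_at > ROUTE_TIMEOUT:
                r.hops = UNREACHABLE

    def build_update(self, burbs: Dict[str, "BurbRouted"]) -> List[Route]:
        """What this burb's routed broadcasts; other burbs' tables are read, never written."""
        if not self.advertise:
            return []
        out = list(self.table.values())
        for name in self.routes_from_burbs:
            out.extend(burbs[name].table.values())
        if self.default_gateway:
            out.append(Route("default", self.burb, 1))
        return out


def hops_to(update: List[Route], network: str) -> Optional[int]:
    return next((r.hops for r in update if r.network == network), None)


def run_scenario() -> dict:
    """SidewinderG2_b as configured in the text, then the events the text describes."""
    burbs = {
        "internet": BurbRouted("internet", receive=True, advertise=True,
                               default_gateway=False, routes_from_burbs=[]),
        "trusted": BurbRouted("trusted", receive=False, advertise=True,
                              default_gateway=False, routes_from_burbs=["internet"]),
    }
    burbs["trusted"].table["corpcity"] = Route("corpcity", "local", 1)
    results = {}
    # Router_a advertises Bizco's network into the Internet burb at t=0; the trusted
    # burb relays it into CorpCity's network with the hop count increased.
    burbs["internet"].on_rip_update("router_a", [Route("bizco", "router_a", 1)], now=0)
    results["bizco_hops_advertised_inside"] = hops_to(burbs["trusted"].build_update(burbs), "bizco")
    # A host on the CorpCity side broadcasts a bogus zero-hop route to Bizco. The trusted
    # burb's routed does not receive updates, so the firewall's tables are unaffected.
    results["bogus_update"] = burbs["trusted"].on_rip_update(
        "corpcity_host", [Route("bizco", "corpcity_host", 0)], now=30)
    results["gateway_for_bizco"] = burbs["internet"].table["bizco"].gateway
    # The link to Router_a is lost: nothing refreshes the route, it is poisoned to 16,
    # and the next advertisement tells Router_b that Bizco is unreachable.
    burbs["internet"].age_routes(now=ROUTE_TIMEOUT + ADVERTISE_EVERY)
    results["bizco_hops_after_loss"] = hops_to(burbs["trusted"].build_update(burbs), "bizco")
    return results
```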
As in the above discussion, when the Telnet client needs to connect to the Telnet server, it sends a TCP connection request to Router_b because its internal default route points to Router_b. Router_b receives the connection frame and, because the route to the Bizco network is shorter via Router_a (3 hops versus 4 hops), it forwards the connection frame on to Router_a, which forwards the frame to the Sidewinder G2. The Sidewinder G2 IP services receive the frame and check the routing table to decide whether the system knows where this connection request should be sent.
Because the external routing table has a route to Bizco's network, the IP services send the request up to the Telnet proxy. If there was no route to Bizco's network, and a default route had not been specified, the Sidewinder G2 IP services would have discarded the packet. The Telnet proxy receives and validates the connection request, then proceeds to issue a new, independent TCP connection request to the Telnet server (on the external network). This new request, which has an originating address of the external Sidewinder G2, gets sent to Router_a and is forwarded on into the Bizco network and so on and so forth. The Bizco Telnet server replies back to the Sidewinder G2, thinking that the Sidewinder G2 is the originator of the session. The Telnet proxy then replies back to the Telnet client, and the session is now in place between the server and the client.
If connection is lost between Router_a and SidewinderG2_b
If the connection between Router_a and SidewinderG2_b is lost, the following occurs:
1 SidewinderG2_b notices that it is no longer receiving RIP updates from Router_a, updates its local routing table hop count for that route to 16 (route unreachable), and broadcasts this out on the internal network (to notify Router_b).
2 The Telnet client sends another IP frame to Router_b, unaware that the route between Router_a and SidewinderG2_b has been lost. Router_b looks at its local routing table and discovers there are two routes, one unreachable, the other through Router_d.
3 Because Router_d is on the same network as the client, Router_b sends an 'ICMP Redirect' back to the client stating that it can reach the Telnet server network through Router_d.
4 The client updates its local routing table to point that host at Router_d, then re-sends its last frame to Router_d.
5 Router_d receives the frame and forwards it on to Router_c, which forwards it on to SidewinderG2_c.
6 SidewinderG2_c receives the IP frame for the Telnet server, checks the route, has a route, and sends it up to the internal TCP services. The Sidewinder G2 TCP services check the frame and discover that this is not a TCP connection request and that there is no current session with the client. Because of this, TCP services builds a 'TCP reset' frame and sends it back to the client.
Note: This causes the current Telnet session to be lost. However, when the Telnet client opens another session to the server, that connection request is sent to SidewinderG2_c, which goes through all the above steps and establishes a NEW session with the Telnet server.
RIP with Sidewinder G2 not using transparent IP addressing
Figure 250: RIP with the Sidewinder G2 "spoofing" the client's address
So what happened to the sessions between SidewinderG2_b and the client, and between SidewinderG2_b and the server? These sessions time out according to the Telnet proxy inactivity timer. Currently this defaults to 2700 seconds, or 45 minutes. Unless the Telnet server also has a connection time-out, the sessions remain in place on both systems until the time-out occurs, at which time the proxy closes both sessions.
What happens when the route between Router_a and SidewinderG2_b becomes available again? The Telnet client sends the frame to Router_d, which sends an 'ICMP Redirect' back to the client telling it to communicate through Router_b. The client resends the frame to Router_b, which forwards it to the Sidewinder G2. Again the Sidewinder G2 has received a frame for a session it does not have, and it sends a 'TCP reset' back to the client, causing the client to close the session again. As far as the client is concerned, the Telnet server has unexpectedly closed the session. And again, if the client opens a new session all will be fine. But remember that the sessions between SidewinderG2_c and the Telnet server are now the ones left timing out.
Important: The administrator should change this Telnet idle session timer to something more reasonable, such as 10 minutes.
The assumption for this discussion is that the Telnet server must be able to identify the Telnet client's IP address. The above configuration would not allow this: the Telnet server sees all sessions from the CorpCity network as originating from the Sidewinder G2. In Figure 250, as in Figure 249, some proxy or server must be configured and enabled in order to pass any traffic through the Sidewinder G2.
[Figure 250 diagram: the Bizco network with the Telnet server and router_a; SidewinderG2_b (Internet burb, trusted burb) and router_b on the CorpCity network; SidewinderG2_c (Internet burb, trusted burb), router_c, router_d and the Telnet client.]
To accomplish the 'spoofing', you must configure the Sidewinder G2's generic TCP proxy to listen on port 23, and enable it to spoof the original workstation's IP address (refer to the "use_client_address" feature in the /etc/sidewinder/conf/tcpgsp.conf file). The administrator must also enable the rule list allowing internal to external traffic from the Telnet client to the Telnet server for the generic TCP proxy. Also, to pass the RIP information through the Sidewinder G2s, both systems must configure and enable the routed server.
Again for discussion purposes, the administrator must use the Admin Console to configure routed on the Internet burb with the following options:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: yes
• Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: no
• Routes from burbs: Internet (2)
When the Telnet client needs to connect to the Telnet server, it sends a TCP connection request to Router_b, which forwards the frame on to SidewinderG2_b. The SidewinderG2_b IP services receive the frame and pass it up to the generic TCP proxy, which validates the connection request and issues a new, independent TCP connection request to the Telnet server (on the external network).
This new request, however, carries the originating IP address of the real client, not the external Sidewinder G2 IP address. The request is sent to Router_a and forwarded to the Telnet server in the Bizco network. Next, the Bizco Telnet server builds and sends a reply to Router_a, expecting it to be delivered on to the client. Router_a receives the reply and looks in its routing table for a route to CorpCity's client network. Router_a will not find one, and the packet is dropped.
Because the Sidewinder G2 is NOT advertising its internal routes, Router_a does NOT know how to get to CorpCity's networks. What the administrator should do is set "Routes from Burbs" to Internal (0) on the external side. This causes the routed server in the external burb to also advertise all the routes it finds on the internal burb, so Router_a gets additional information about the internal routes available on the Sidewinder G2.
Does this solve the problem? The answer is NO. Since the internal routed server is NOT updating the internal route table ("Receive routing information from other routers" was set to No), no routes to CorpCity's network are available to be advertised. The Sidewinder G2 administrator must set "Receive routing information from other routers" to Yes on the internal routed server. Now the Sidewinder G2 advertises CorpCity's routes to Router_a, and when Router_a receives the packet for CorpCity it knows how to route it.
Note: Beware of enabling "Receive routing information from other routers = Yes" in more than one burb!
With the setup just described enabled, both SidewinderG2_b and SidewinderG2_c begin updating their internal routing tables with RIP information received from the internal routers. Keep in mind that SidewinderG2_c is advertising routing information about Bizco's network internally, so the internal routers (Router_b, Router_c, and Router_d) now contain routing information about how to reach Bizco's networks. When the internal routed on SidewinderG2_b receives that route information, it contains routes to Bizco's network.
What would happen if SidewinderG2_b updated its internal route table with a route to Bizco (the external network) via Router_b? Incoming packets that should be destined for the external network would be forwarded back into the internal network to Router_b! Both Sidewinder G2s would do this, and the frames would never pass through the Sidewinder G2.
The Sidewinder G2's routed server handles this by NOT adding a route into the local routing table if the route to be added already exists in one of the other burbs' route tables. These route updates are silently discarded.
Note: Beware, however, that whichever routed updates the table with the route first wins!
For example, when SidewinderG2_b is started while the link to Router_a is down, SidewinderG2_b has not received routing information about Bizco's network. If SidewinderG2_c broadcasts a RIP update saying that Bizco is available through it, SidewinderG2_b eventually receives this (via the internal routers) at its internal routed server, which updates its local table with a route to Bizco's network through Router_b. When the link to Router_a later comes up, the correct route learned on the external side is the one that gets discarded.
What about the case above, where SidewinderG2_b must receive CorpCity's routes from the internal network but must not learn the route to Bizco from it? The only way to avoid this problem is to configure a route filter controlling which routes are advertised to, or accepted by, SidewinderG2_b. More information on how and why to do this is given later.
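To make the interaction of these routed options concrete, here is a small Python model written for this edit; it is not Secure Computing's code and reflects nothing of how the Sidewinder G2 implements routed. It encodes only what the text above states: the per-burb Advertise, Receive and Routes from burbs options, the rule that a route already present in another burb's table is silently discarded, and the resulting "first one wins" behaviour. The network names (bizco-net, corpcity-net), the metrics carried in the updates, and the deny_inbound set standing in for a Deny/Inbound route filter are all constructed for the example. The first function reproduces the three configurations walked through above for the non-transparent case; the second reproduces the link-down start-up race and the route-filter fix just mentioned.

```python
from dataclasses import dataclass, field

INFINITY = 16  # RIP metric meaning "route unreachable"


@dataclass
class BurbRouted:
    """One routed instance, with the options from the Routed Configuration window."""
    burb: str
    advertise: bool                        # Advertise routing information
    receive: bool                          # Receive routing information from other routers
    routes_from_burbs: tuple = ()          # Routes from burbs: other burbs' tables re-advertised here
    deny_inbound: frozenset = frozenset()  # constructed stand-in for a Deny/Inbound route filter
    table: dict = field(default_factory=dict)  # destination -> (metric, next hop)


class SidewinderG2:
    """A firewall with one routed instance and one routing table per burb."""

    def __init__(self, name, *burbs):
        self.name = name
        self.burbs = {b.burb: b for b in burbs}
        self.log = []

    def advertisement(self, burb):
        """The routes that routed in `burb` puts into its RIP update."""
        r = self.burbs[burb]
        if not r.advertise:
            return {}
        out = dict(r.table)
        for other in r.routes_from_burbs:
            out.update(self.burbs[other].table)
        return out

    def receive(self, burb, update, from_router):
        """Process a RIP update that arrived in `burb` from `from_router`."""
        r = self.burbs[burb]
        if not r.receive:
            self.log.append(f"{self.name}/{burb}: ignored update from {from_router} (receive=no)")
            return
        for dest, (metric, _) in update.items():
            if dest in r.deny_inbound:
                self.log.append(f"{self.name}/{burb}: {dest} from {from_router} blocked by route filter")
                continue
            # The guide's rule: a route already present in another burb's table is
            # silently discarded, so whichever burb learned the route first wins.
            if any(dest in o.table for b, o in self.burbs.items() if b != burb):
                self.log.append(f"{self.name}/{burb}: {dest} from {from_router} discarded, "
                                "already in another burb's table")
                continue
            new_metric = min(metric + 1, INFINITY)
            cur = r.table.get(dest)
            if cur is None or new_metric < cur[0]:
                r.table[dest] = (new_metric, from_router)


BIZCO, CORPCITY = "bizco-net", "corpcity-net"  # constructed names for the figure's networks


def router_a_learns_corpcity(receive_on_trusted, routes_from_trusted):
    """Non-transparent walkthrough: does Router_a end up with a return route to
    CorpCity's client network? The arguments are the two settings the text
    changes: 'Receive routing information' on the trusted burb, and
    'Routes from burbs' = trusted on the Internet burb."""
    g2b = SidewinderG2(
        "SidewinderG2_b",
        BurbRouted("internet", advertise=True, receive=True,
                   routes_from_burbs=("trusted",) if routes_from_trusted else ()),
        BurbRouted("trusted", advertise=True, receive=receive_on_trusted,
                   routes_from_burbs=("internet",)),
    )
    g2b.receive("internet", {BIZCO: (1, "Router_a")}, "Router_a")    # Bizco from Router_a
    g2b.receive("trusted", {CORPCITY: (1, "Router_b")}, "Router_b")  # CorpCity from Router_b
    # Router_a's view of CorpCity is whatever the Internet-burb routed advertises.
    return CORPCITY in g2b.advertisement("internet")


def bizco_route_after_link_recovers(filter_bizco_on_trusted):
    """'First one wins': SidewinderG2_b starts while its link to Router_a is down,
    hears SidewinderG2_c's internal advertisement of Bizco first, and then the
    link comes back. Returns (burb, next hop) holding the Bizco route."""
    g2b = SidewinderG2(
        "SidewinderG2_b",
        BurbRouted("internet", advertise=True, receive=True, routes_from_burbs=("trusted",)),
        BurbRouted("trusted", advertise=True, receive=True, routes_from_burbs=("internet",),
                   deny_inbound=frozenset({BIZCO}) if filter_bizco_on_trusted else frozenset()),
    )
    g2b.receive("trusted", {BIZCO: (2, "Router_b")}, "Router_b")    # via SidewinderG2_c, inside
    g2b.receive("internet", {BIZCO: (1, "Router_a")}, "Router_a")   # link to Router_a restored
    for burb, r in g2b.burbs.items():
        if BIZCO in r.table:
            return burb, r.table[BIZCO][1]
    return None


if __name__ == "__main__":
    for receive, routes_from in ((False, False), (False, True), (True, True)):
        print(f"receive={receive} routes_from=trusted:{routes_from} ->",
              "Router_a learns CorpCity" if router_a_learns_corpcity(receive, routes_from)
              else "Router_a drops Bizco's replies")
    print("no filter  :", bizco_route_after_link_recovers(False))  # ('trusted', 'Router_b'): wrong way
    print("with filter:", bizco_route_after_link_recovers(True))   # ('internet', 'Router_a')
```

Without the filter the Bizco route ends up in the trusted burb with Router_b as next hop, which is exactly the case the Note above warns about: traffic for the external network is turned back into the internal network and never crosses the firewall.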
One last note about the above example. If Router_b were removed from this network and the Sidewinder G2 connected directly to the internal network, SidewinderG2_b would be tied directly to the Telnet clients' network. If the Routes from Burbs option is set on the external routed server, it would advertise to Router_a the route needed to reach the clients' network. In this instance, there would be no reason to set "Receive routing information from other routers" to Yes on the internal routed server. Also, in this scenario, if the Telnet client has its default route pointing to the Sidewinder G2 and the link between Router_a and SidewinderG2_b fails, the internal routed will not know that another route is available (it is not updating its local table with RIP updates from Router_d). Consequently, because the Sidewinder G2 does not know the alternate route, it cannot send the client the 'ICMP Redirect' frame that would allow the session to be re-routed.
Configuring RIP on the Sidewinder G2
Entering information on the Routed Configuration window
To configure the routed server, using the Admin Console select Services Configuration > Routing > Routed. The following window appears.
Figure 251: Routed Configuration window
This window allows you to configure a routed server in a specific burb. Follow the steps below.
1 In the Burb drop-down list, select the burb for which you want to configure routing.
2 In the Routing information field, select one of the following options:
• Yes—Select this option to enable routed to broadcast UDP RIP updates, advertising all local routing information available within the burb(s) selected in the Routes from Burbs box.
• No—Select this option to disable broadcasting of any UDP RIP updates.
3 In the As Default Gateway field, select one of the following options:
• Yes—Select this option to enable routed to send the default route.
• No—Select this option to disable sending the default route.
4 In the Routes from Burbs box, select the burbs for which routes will be advertised. (This option is only available if you selected Yes in the Routing Information field.)
5 In the Receive routing information from other routers field, select one of the following options:
• Yes—Select this option to enable routed to receive UDP RIP updates from any interface within that burb and update the local routing table.
• No—Select this option to disable updating of the local routing table with RIP updates received on the local network interfaces.
6 In the Filter type field, determine whether to allow or deny routes, using the following information:
Filtering gives the administrator the ability both to control which routes the Sidewinder G2 uses to establish external connections, and to control what routing information the Sidewinder G2 advertises from one network to another. This control focuses on two areas:
• which external routes are added into a Sidewinder G2's routing table from a RIP broadcast received via the network.
• which routes in a Sidewinder G2's routing table are advertised in a RIP broadcast sent to an external network.
The possible settings are:
• Allow—Specifies that only routes specifically listed will be either accepted from the network or sent by the routed running in this burb. If set to Allow, at least one entry must be specified in the Address/Netmask/Type/Direction table, or routed cannot be enabled. Also, all routes will be blocked from being added, including routes for local network interfaces, unless specifically listed in the Address/Netmask/Type/Direction table.
• Deny—Specifies that routes are accepted and sent unless specifically listed in the Address/Netmask/Type/Direction table.
Note: There is no provision for allowing some routes and denying other routes.
7 The Address/Netmask/Type/Direction table lists the route filter entries currently defined for the selected burb. Use the New, Modify, and Delete buttons to modify this table. See "Defining route filter information" on page 624 for details.
When you allow or deny a route, it can be either a host route (indicating a path to a specific address) or a network route (indicating a path to a group of machines on a common network).
Route filtering is performed whenever routed is about to add a route to its local routing table, and each burb's routed has its own filter, so different route filters can be applied to different burbs.
The route filter entries highlight one of the major limitations of routed and the RIP protocol: routed recognizes only the standard class A, class B, and class C IP network masks (255.0.0.0, 255.255.0.0, and 255.255.255.0). The Sidewinder G2 route filter entries allow more flexible network masks for forward compatibility.
8 Click the Save icon in the toolbar to save your routed configuration changes.
Defining route filter information
The Route Filter Information window appears if you click the New or Modify button in the Routed Configuration window. It allows you to create a new route filter or modify an existing one. Follow the steps below.
1 In the Type field, select the type of route being defined: host (host route) or net (network route).
2 In the Address field, specify either the IP address of the host for host routes, or the network portion of the IP address for network routes.
3 (Network route only) If you selected net in step 1, specify in the Netmask field which portion of the address should be considered significant. The network mask can be entered in two ways: in "dotted decimal" form, such as 255.255.255.0 for a class C network, or in hexadecimal form, which would be ffffff00 for class C.
4 In the Direction drop-down list, select the direction in which routed should apply this filter. This option gives you considerable flexibility in determining what routing information you accept and provide.
Important: Be careful about what routes you advertise to external users and about accepting routes from those same external users.
• Inbound—Specifies that routed will not accept this route from the network. However, it WILL include this route in an advertisement if you have selected the Advertise option.
• Outbound—Specifies that routed will accept this route from the network but will NOT advertise it, regardless of the advertise option setting.
• Both—Specifies that routed ignores this route in both directions.
5 Click Add to add the route filter to the list and exit the window.
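As an added example for the route filter (this is not Sidewinder G2 code; it is a model of the window's semantics as described above), the following Python accepts entries in the Address/Netmask/Type/Direction form, parses either netmask notation, and answers the two questions the filter exists for: may a route received in a RIP update be added to the local table, and may a route be advertised. The Deny behaviour of each Direction follows the bullet list above; the Allow behaviour is assumed to be its mirror image (an Inbound entry permits the route only when received, an Outbound entry only when advertised, Both in either direction). Whether a net entry covers only the exact network or any route inside it is not stated, so the model takes the broader reading. The IP addresses used for Bizco, CorpCity and the trusted interface are constructed; the appendix gives none.

```python
import ipaddress
from dataclasses import dataclass


def parse_netmask(text):
    """Netmask in either form the Route Filter Information window accepts:
    dotted decimal (255.255.255.0) or hexadecimal (ffffff00)."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text, 16)


@dataclass(frozen=True)
class FilterEntry:
    """One row of the Address/Netmask/Type/Direction table."""
    kind: str                          # "host" or "net"
    address: str
    netmask: str = "255.255.255.255"   # only consulted for net entries
    direction: str = "Both"            # "Inbound", "Outbound" or "Both"

    def matches(self, route, direction):
        """True if this entry applies to `route` (an IPv4Network) moving in
        `direction`. A net entry covers any route lying inside its network
        (assumption: the guide does not say whether only exact matches count)."""
        if self.direction not in ("Both", direction):
            return False
        addr = int(ipaddress.IPv4Address(self.address))
        if self.kind == "host":
            return route.prefixlen == 32 and int(route.network_address) == addr
        mask = parse_netmask(self.netmask)
        return (int(route.network_address) & mask) == (addr & mask)


class RouteFilter:
    """Filter type plus its entries, as applied by one burb's routed."""

    def __init__(self, filter_type, entries):
        if filter_type not in ("Allow", "Deny"):
            raise ValueError(f"unknown filter type {filter_type!r}")
        if filter_type == "Allow" and not entries:
            raise ValueError("Allow requires at least one entry; routed cannot be enabled")
        self.filter_type = filter_type
        self.entries = tuple(entries)

    def _permits(self, route, direction):
        route = ipaddress.ip_network(route, strict=False)
        listed = any(e.matches(route, direction) for e in self.entries)
        # Allow: only listed routes pass. Deny: everything passes except listed routes.
        return listed if self.filter_type == "Allow" else not listed

    def accept_inbound(self, route):
        """May routed add this route, received in a RIP update, to the local table?"""
        return self._permits(route, "Inbound")

    def advertise_outbound(self, route):
        """May routed include this route in a RIP update it sends?"""
        return self._permits(route, "Outbound")


# Constructed addresses for the appendix's networks; the guide gives none.
BIZCO_NET = "10.20.0.0/16"
CORPCITY_CLIENTS = "192.168.50.0/24"
TRUSTED_INTERFACE = "192.168.1.0/24"


def trusted_burb_filter():
    """Deny filter for SidewinderG2_b's trusted burb: keep receiving CorpCity's
    routes from Router_b, but never learn Bizco's network from the inside
    (the route SidewinderG2_c advertises internally)."""
    return RouteFilter("Deny", [FilterEntry("net", "10.20.0.0", "ffff0000", "Inbound")])


def internet_burb_filter():
    """Allow filter for the Internet burb: accept only Bizco's network from
    Router_a and advertise only CorpCity's client network to it."""
    return RouteFilter("Allow", [
        FilterEntry("net", "10.20.0.0", "255.255.0.0", "Inbound"),
        FilterEntry("net", "192.168.50.0", "255.255.255.0", "Outbound"),
    ])


if __name__ == "__main__":
    t, i = trusted_burb_filter(), internet_burb_filter()
    print("trusted accepts Bizco from inside:", t.accept_inbound(BIZCO_NET))            # False
    print("trusted still advertises Bizco   :", t.advertise_outbound(BIZCO_NET))        # True
    print("internet accepts Bizco           :", i.accept_inbound(BIZCO_NET))            # True
    print("internet advertises CorpCity     :", i.advertise_outbound(CORPCITY_CLIENTS)) # True
    print("internet advertises own interface:", i.advertise_outbound(TRUSTED_INTERFACE)) # False
```

The last check illustrates the warning in step 6: under Allow, nothing is advertised or accepted, not even the route for a local interface, unless it is listed. Note the guide's caveat that routed itself understands only classful masks; the entries accept finer masks for forward compatibility, and this model follows the entries.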
Rule list support
Another routed feature is rule list support to identify the routers from which RIP packets are accepted. The rule list is based primarily on the source IP address of the incoming RIP packets. Create these rules using the Admin Console by selecting Policy Configuration > Proxy Rules.
Note: A rule must be defined for routed or it will not function.
To allow incoming traffic, create a new rule with the Service Type field set to Server and the Service field set to routed. The source IP address can be either a single router from which you want to accept RIP traffic or a netgroup of routers and/or hosts. The destination IP address will usually be set to "All Destination Addresses", since the destination is the broadcast address of the network for the burb the rule applies to. The source and destination burbs will be equal and should be set to the burb from which you want to receive RIP packets.
Enabling/disabling the routed server
All routed configuration files are located in /etc/sidewinder/routed, with one configuration file per burb named routed.conf.burb_name. The configuration file contains three rules that directly correspond to the options available in the cf routed area.
Perform the following steps to enable or disable the routed server.
1 In the Admin Console, select Services Configuration > Servers.
2 Select routed from the list of server names.
3 Click a burb to either enable or disable the routed server in that burb. A check mark appears if the server is enabled for a burb.
4 Click the Save icon in the toolbar.
Trace and log information
To debug routed, add the -t flag to the args field of the routed entry in /etc/server.conf to enable routed tracing:
server(routed /sbin/routed
    config_file[/etc/sidewinder/routed/routed.conf.%n]
    directory[]
    env(domain[rou%b] user[root] group[wheel] core[] files[2048]
        memory[] processes[500] stack[] rss[])
    pidfile(/var/run/routed/routed.pid.%n lock)
    valid[0 1 2 3 4 5 6 7 8] enabled[]
    require[]
    refuse[]
    args[-t] roles[$Sys] failure_mode[off] faild_critical[yes])
Note: You can add one -t flag to routed to increase the tracing level. If you add more than one -t flag, routed will not start.
All tracing information is logged to the routed log files located in /var/log/routed/routed.log.burb_name, which can be viewed using standard UNIX commands in the admin role.
A note about flushing filter routes
If you misconfigure your routing tables, use the Admin Console (or cf routed commands) to disable routed and make corrections to the tables. Before restarting routed, enter the following command at a UNIX prompt to flush the routing tables of all gateways:
route flush
APPENDIX E
Setting Up SmartFilter Services
In this appendix...
Overview of SmartFilter for Sidewinder G2 ... 628
Controlling Web access using the SmartFilter Control List ... 628
Configuring SmartFilter for HTTP/HTTPS ... 630
Category codes ... 633
Overview of SmartFilter for Sidewinder G2
SmartFilter controls your company's users' access to the Internet. When configured with Sidewinder G2, SmartFilter manages Internet access at several levels, ranging from simple access restrictions to thorough blocking of all sites deemed unproductive or non-business related.
Note: This appendix pertains to SmartFilter 4.0.2. If you use SmartFilter 3.x, refer to the Sidewinder G2 online help for information.
In order to use SmartFilter, you must:
1 Purchase and activate SmartFilter.
2 Install the SmartFilter administration software. Go to http://www.securecomputing.com/goto/sf/downloads to download and install the software.
3 Configure your SmartFilter policy using the SmartFilter Admin Console. Consult the SmartFilter documentation before configuring.
4 Configure SmartFilter for Sidewinder G2. Go to "Configuring SmartFilter for HTTP/HTTPS" on page 630 for configuration information and instructions.
Controlling Web access using the SmartFilter Control List
SmartFilter uses a Control List that contains millions of URLs. These URLs are categorized into pre-defined categories. You configure which categories are allowed, blocked, coached, or delayed.
• For a list of the categories used by Sidewinder G2, see Table 41 on page 633.
• For a description of each category, go to http://securecomputing.com/goto/controllist.
• For more information on SmartFilter and the Control List, please read the SmartFilter Primer.
Evaluating the SmartFilter Control List
If you are not a current SmartFilter user, you can evaluate the full Control List by following the steps in the sections that follow.
Evaluating the full Control List
You can retrieve a 30-day evaluation copy of the full Control List by performing the following steps:
1 Go to http://www.smartfilter.com.
2 Click the Product Evaluation option.
3 Select SmartFilter for Sidewinder G2 Firewall from the drop-down list.
4 Click Evaluate this version.
5 Complete and submit the registration form.
Within one business day after you complete and submit the registration form, you will receive information via e-mail that includes an evaluation serial number. Enter this serial number into the SmartFilter Administration Console during or after installation to obtain the Control List.
Subscribing to the SmartFilter Control List
1 Order the SmartFilter service option through Secure Computing or your reseller. After you submit your order, you will be mailed an activation certificate with a serial number.
2 Enter this serial number into the SmartFilter Administration Console, Enterprise > License window, to download the Control List.
Configuring SmartFilter for HTTP/HTTPS
SmartFilter 4.0.2 for Sidewinder G2 uses the HTTP/HTTPS proxies. SmartFilter settings for HTTP/HTTPS, such as downloading the Control List, are configured using the SmartFilter Admin Console.
Note: For additional configuration information, see the SmartFilter Installation Guide. One-to-Many and High Availability clusters, in particular, require procedures found in that guide.
Sidewinder G2 includes preconfigured elements to improve the ease of administering SmartFilter on Sidewinder G2. These include:
• Proxy rules to allow the necessary SmartFilter administration traffic.
• Web and Secure Web application defenses customized for SmartFilter traffic.
• Once SmartFilter is configured, the ability to enable Web filtering on existing HTTP/HTTPS proxy rules by simply updating the existing Web or Secure Web application defenses.
To begin using SmartFilter services through Sidewinder G2, you must complete the following:
1 Enable SmartFilter on Sidewinder G2 (Services Configuration > SmartFilter). See "Configuring the SmartFilter for Web and Secure Web tab" on page 631 for more information.
2 Enable the HTTP/HTTPS proxies (Services Configuration > Proxies): Select http and/or https from the Server Name list and enable the source burb.
3 Enable Web filtering for the desired HTTP/HTTPS traffic by enabling SmartFilter on the appropriate Web and/or Secure Web application defenses (Policy Configuration > Application Defenses > Defenses > Web and Secure Web). See "Creating Web or Secure Web Application Defenses" on page 156 for more information.
4 Set SmartFilter rules (Policy Configuration > Rules):
• Move the default SmartFilter rule group to the active rule group above the Deny All rule.
• Create a rule for HTTP or HTTPS traffic using the application defense with SmartFilter enabled.
See "Configuring proxy rules for SmartFilter version 4.0.2" on page 632 for more information.
Configuring the SmartFilter for Web and Secure Web tab
When configuring SmartFilter 4.0.2 for Sidewinder G2, select Services Configuration > SmartFilter. The following window appears.
Figure 252: SmartFilter for Web and Secure Web tab
About the SmartFilter for Web and Secure Web tab
The SmartFilter for Web and Secure Web tab allows you to configure Sidewinder G2 for use with SmartFilter version 4.0.2. Follow the steps below.
Note: Downloading and management of the Control List is handled via the SmartFilter Admin Console. Refer to the SmartFilter Installation Guide.<br />
1 In the SmartFilter Server area, select the burb(s) in which Web traffic filtered by SmartFilter will be allowed. To select all burbs, click Select All. To deselect all burbs, click Deselect All.<br />
2 In the Management Burb field, select the burb that will be used to communicate with the SmartFilter Administration Server.<br />
3 In the SmartFilter Configuration area, do the following:<br />
a In the SmartFilter Server Port field, modify the port as needed. This port listens for traffic from clients’ Web browsers and displays the blocked and warning pages. The default is 9015.<br />
b In the Management Port field, modify the port as needed. This port listens for traffic from the SmartFilter Administration Server. The default is 9013.<br />
c Click Change SmartFilter Server Password to change or assign the password used when connecting to Sidewinder G2’s SmartFilter server from your SmartFilter Administration Server. This password must be set before you can connect to the SmartFilter Admin Console. (The default user name is sfadmin.) See “About the Change SmartFilter Server Password window” on page 632 for more information.<br />
d Click the Save icon to save your changes.<br />
4 Configure the appropriate HTTP/HTTPS proxy rules and their associated application defenses. For more information, see the following section, “Configuring proxy rules for SmartFilter version 4.0.2”.<br />
About the Change SmartFilter Server Password window<br />
The SmartFilter Server Password is used to authenticate the SmartFilter Administration Server to Sidewinder G2’s SmartFilter server. This password corresponds to the SmartFilter Plugin Definition Admin Password, set in the SmartFilter Admin Console. Any change made to this password in the Sidewinder G2 Admin Console must also be made in the SmartFilter Admin Console. This password must be set before the SmartFilter Admin Console can connect to the plugin.<br />
1 Enter the password.<br />
2 Confirm the password.<br />
3 Click OK.<br />
4 Click Save.<br />
Configuring proxy rules for SmartFilter version 4.0.2<br />
Sidewinder G2 provides two preconfigured SmartFilter rules in a SmartFilter rule group. The rules are:<br />
• SmartFilter Admin: This rule regulates the SSL traffic between the Sidewinder G2 and the SmartFilter Administration Server. The default application defense restricts HTTP header replies to only those required by the SmartFilter Administration Server.<br />
• SmartFilter Redirect: When SmartFilter needs to display a message at a client’s Web browser, this rule allows the client to connect to the SmartFilter server to receive the message. This rule also restricts HTTP header replies to only those required by the SmartFilter server.<br />
Move the SmartFilter rule group to the active rule group by doing the following:<br />
1 Select Policy Configuration > Rules.<br />
2 Double-click the active rule group (often the Default group).<br />
3 Select the SmartFilter rule group and click the down arrow to add the SmartFilter group to the active rule group.<br />
4 Move the SmartFilter rule group to the desired position, somewhere above the Deny All rule.<br />
5 Click OK.<br />
6 Click New > Proxy Rule to create rules for HTTP or HTTPS traffic to be filtered by SmartFilter. The rule must use an application defense with SmartFilter enabled. For more information, see “Creating proxy rules” on page 222.<br />
For additional SmartFilter configuration information, see the SmartFilter Administration Guide.<br />
Category codes<br />
The following table identifies the category codes to use for the corresponding Control List categories.<br />
Table 41: Category Codes for SmartFilter 4.0.2<br />
Control List category | Code<br />
Alcohol | al<br />
Anonymizer | an<br />
Anonymizing Utilities | au<br />
Art/Culture/Heritage | ac<br />
Auction | eb<br />
Business | bu<br />
Chat | ch<br />
Computing/Internet | ci<br />
Consumer Information | cm<br />
Criminal Skills | cs<br />
Dating/Social | mm<br />
Drugs | dr<br />
Education/Reference | ed<br />
Entertainment/Recreation/Hobbies | et<br />
Extreme | ex<br />
Finance | fi<br />
Forum/Bulletin Boards | mb<br />
Gambling | gb<br />
Games | gm<br />
General News | nw<br />
Government/Military | gv<br />
Gruesome Content | tg<br />
Hacking | hk<br />
Hate Speech | hs<br />
Health | hl<br />
Humor | mh<br />
Instant Messaging | im<br />
Internet Radio/TV | ir<br />
Job Search | js<br />
Malicious Sites | ms<br />
Media Downloads | mp<br />
Mobile Phone | mo<br />
Non-Profit Organizations/Advocacy Groups | np<br />
Nudity | nd<br />
P2P/File Sharing | pn<br />
Personal Pages | pp<br />
Politics/Opinion | po<br />
Pornography | sx<br />
Portal Sites | ps<br />
Profanity | pr<br />
Provocative Attire | pa<br />
Religion and Ideology | rl<br />
Remote Access | ra<br />
Resource Sharing | rs<br />
School Cheating Information | sc<br />
Search Engines | se<br />
Sexual Materials | sm<br />
Shareware/Freeware | sw<br />
Shopping/Merchandising | os<br />
Sports | sp<br />
Spyware | sy<br />
Stock Trading | in<br />
Streaming Media | st<br />
Tobacco | tb<br />
Travel | tr<br />
Usenet News | na<br />
User Defined Category 0 | u0<br />
User Defined Category 1 | u1<br />
User Defined Category 2 | u2<br />
User Defined Category 3 | u3<br />
User Defined Category 4 | u4<br />
User Defined Category 5 | u5<br />
User Defined Category 6 | u6<br />
User Defined Category 7 | u7<br />
User Defined Category 8 | u8<br />
User Defined Category 9 | u9<br />
Violence | vi<br />
Visual Search Engine | vs<br />
Weapons | we<br />
Web Ads | wa<br />
Web Mail | wm<br />
Web Phone | wp<br />
APPENDIX F<br />
Basic Troubleshooting<br />
In this chapter...<br />
Powering up the system to the Administrative kernel ... 636<br />
Restoring access to the Admin Console ... 637<br />
Backing up system files ... 638<br />
Restoring system files ... 641<br />
Adding hardware to an active Sidewinder G2 ... 647<br />
Recovering when the licensed NIC fails ... 649<br />
What to do if the boot process fails ... 651<br />
Re-imaging your Sidewinder G2 ... 652<br />
If you forget your administrator password ... 653<br />
Interpreting beep patterns ... 655<br />
If a patch installation fails ... 656<br />
Troubleshooting proxy rules ... 657<br />
Understanding FTP and Telnet connection failure messages ... 661<br />
Troubleshooting High Availability ... 662<br />
Troubleshooting NTP ... 666<br />
Troubleshooting VPNs ... 668<br />
Appendix F: Basic Troubleshooting<br />
Powering up the system to the Administrative kernel<br />
You must be in the Administrative kernel to perform certain system maintenance tasks such as installing software or creating a full system backup. Follow the steps below to boot the system to the Administrative kernel when your Sidewinder G2 is powered OFF.<br />
Important: When you are in the Administrative kernel, all network connections are disabled and Internet services are not available. Type Enforcement is also disabled.<br />
1 Attach a keyboard and monitor directly to your Sidewinder G2.<br />
If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).<br />
2 Turn the Sidewinder G2 ON by pressing the power button.<br />
3 When the “Booting Sidewinder Operational kernel” message appears, press any key (excluding Esc) to interrupt the boot sequence.<br />
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel is booting. Press any key (excluding Esc) before the 0 appears. A Boot: prompt then appears.<br />
4 Enter the following command:<br />
bsd.sw.admin -w<br />
5 Press Enter when asked whether to check and mount all file systems. The system prompt will appear. At the system prompt, you can perform any administrative tasks that require the Administrative kernel.<br />
If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.<br />
6 When you have finished working in the Administrative kernel, reboot or shut down the system.<br />
Note: See “Rebooting or shutting down using a command line interface” on page 42 to reboot or shut down the system from a command line interface.<br />
Enabling and disabling authentication for the administrative kernel<br />
The following steps explain how to enable and disable authentication for the administrative kernel. By default, administrative kernel authentication is disabled. This is because it is generally assumed that the Sidewinder G2 will be housed in a secure location that is not easily accessible by non-administrators. If your Sidewinder G2 is housed in an insecure area (that is, non-administrators could easily gain access to the physical system), you should enable administrative kernel authentication.<br />
To enable or disable authentication for the administrative kernel, follow the steps below.<br />
1 Log into the Admin Console, and select File Editor.<br />
2 Click Start File Editor.<br />
3 Select File > Open.<br />
4 In the Source field, select Firewall File.<br />
5 In the File field, type /etc/ttys and click OK.<br />
6 To enable or disable administrative kernel authentication, edit the following line:<br />
console "/usr/libexec/getty pccons" ibmpc3 on secure<br />
• To require authentication, change the value to insecure.<br />
• To disable authentication, change the value to secure.<br />
7 Select File > Save to save your changes.<br />
8 Select File > Exit to close the file editor.<br />
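A way to audit and set that console flag from a copy of the file, as an added example that is not part of the guide: it parses BSD-style ttys text in the shape of the console line in step 6 and reports whether the console requires a login (insecure) or drops straight to a shell (secure). The file contents are a constructed sample and the function names are assumptions of this example.

```python
"""Check and set administrative-kernel console authentication in /etc/ttys.

Added example, not part of the Sidewinder G2 guide.  ttys columns are:
name, getty command (quoted when it contains spaces), terminal type, then
the on/off status and flags such as secure/insecure.
"""
import re
import shlex

# Constructed sample of an /etc/ttys file, with the console line in the
# shape the guide shows (secure = no login prompt in the admin kernel).
SAMPLE_TTYS = """\
# name    getty                          type     status  comments
console   "/usr/libexec/getty pccons"    ibmpc3   on secure
ttyp0     none                           network
ttyp1     none                           network  off
"""

_FLAG_RE = re.compile(r"\b(insecure|secure)\b")


def _fields(line):
    """Split one ttys line into tokens, honouring quotes and # comments."""
    return shlex.split(line, comments=True)


def console_entry(text):
    """Return (status, flags) for the console entry, or None if absent."""
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) >= 3 and fields[0] == "console":
            rest = fields[3:]
            status = "on" if "on" in rest else "off"
            flags = [f for f in rest if f not in ("on", "off")]
            return status, flags
    return None


def console_auth_required(text):
    """True if the console is flagged insecure (login required), False if
    it is flagged secure (no login).

    Raises instead of guessing when there is no active console entry or
    the flag is missing, so an audit never reports a broken file as
    hardened.
    """
    entry = console_entry(text)
    if entry is None or entry[0] != "on":
        raise ValueError("no active console entry in ttys")
    flags = entry[1]
    if "insecure" in flags:
        return True
    if "secure" in flags:
        return False
    raise ValueError("console entry carries neither secure nor insecure")


def set_console_auth(text, required):
    """Return ttys text with the console flag set to insecure
    (required=True) or secure (required=False).  Every other line is left
    untouched; a console line with no flag at all gets one appended."""
    want = "insecure" if required else "secure"
    out = []
    for line in text.splitlines(keepends=True):
        fields = _fields(line)
        if len(fields) >= 3 and fields[0] == "console":
            if _FLAG_RE.search(line):
                line = _FLAG_RE.sub(want, line, count=1)
            else:
                line = line.rstrip("\n") + " " + want + "\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("login required:", console_auth_required(SAMPLE_TTYS))
    hardened = set_console_auth(SAMPLE_TTYS, required=True)
    print("after hardening:", console_auth_required(hardened))
```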
Restoring access to the Admin Console<br />
If an administrator accidentally configures the active rule group in a way that prevents an administrator from logging into the Sidewinder G2 (for example, moving the deny_all rule to the first position or deleting certain access rules), the following procedure allows you to regain access.<br />
1 Reboot the Sidewinder G2 to the Administrative kernel. For information on rebooting to the Administrative kernel, see “Powering up the system to the Administrative kernel” on page 636.<br />
2 At a console attached directly to the Sidewinder G2, run the following script:<br />
restore_console_access<br />
This script creates a temporary proxy rule called restore_console_access and adds it to the first position of the active proxy rule group. This rule allows an administrator to log into the Sidewinder G2 directly (using a console that is directly attached to the Sidewinder G2).<br />
3 When the script completes, reboot to the Operational kernel. See “Rebooting or shutting down using a command line interface” on page 42.<br />
4 When the Sidewinder G2 finishes rebooting, log in at a console attached directly to the Sidewinder G2.<br />
5 Using the command line, identify and correct the problem in your active proxy rule group that is preventing administrator access. See Appendix A or refer to the cf acl man page for information on configuring your active rules via the command line.<br />
6 Once you have configured your active rules to allow administrator access, you will need to delete the restore_console_access rule. If you do not delete this rule and accidentally misconfigure the active rule group (displacing the position of the restore_console_access rule), a new rule cannot be configured and added in the correct position.<br />
Backing up system files<br />
You can back up your Sidewinder G2 file system to a digital audio tape (DAT) using scripts provided with the Sidewinder G2. The backup (and restore) functions on your system have been modified to be aware of Type Enforcement. When you restore files (as described on page 641), they are automatically restored with the correct Type Enforcement properties.<br />
The backup and restore procedures described in this section affect the entire Sidewinder G2 file system, including configuration files, mail queues, audit trails, and so on. If you want to back up and restore only the configuration files on your Sidewinder G2, see “Configuration file backup and restore” on page 50 for details.<br />
Tip: Be sure to back up your system on a regular basis!<br />
The Sidewinder G2 provides scripts for performing a full system backup and incremental backups. The backup scripts listed in Table 42 are provided in the /etc/backups directory. The log file for backups is stored in /var/log/backup.log.<br />
Table 42: Sidewinder G2 backup scripts<br />
Backup Type | Backup script | What it does<br />
Full backup | ./level0.backup | Backs up everything<br />
Incremental backup | ./do.dump fs level filenum | Backs up the specified file system and labels it with the specified filenum<br />
Note: If your Sidewinder G2 has multiple hard disks, resulting in re-partitioning of a file system, the backup scripts will manage that for you. The scripts also support backups that span multiple tapes.<br />
Performing a full system backup (level0)<br />
Use the /etc/backups/level0.backup script to back up all of the file systems on your Sidewinder G2. The file systems that exist on your Sidewinder G2 may vary depending on how you have configured your Sidewinder G2. The file systems that are backed up may include the following (as well as any other file systems that you have on your Sidewinder G2):<br />
• /<br />
• /var<br />
• /usr<br />
• /home<br />
• /var/log<br />
• /var/spool<br />
To perform a full (level 0) system backup, follow the steps below.<br />
1 Attach a keyboard and monitor directly to your Sidewinder G2.<br />
If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).<br />
2 Enter the following command on your Sidewinder G2 system to reboot to the Administrative kernel:<br />
shutdown -g now<br />
3 Press Enter when asked whether to check and mount all file systems. The system prompt will appear.<br />
If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.<br />
4 Insert a backup DAT in the Sidewinder G2’s tape drive and wait for the tape to reach its load-point.<br />
5 Enter the following command to run the full backup script:<br />
/etc/backups/level0.backup<br />
The backup process will take several minutes. You will see a “DUMP IS DONE” message for each file system. When the backup is complete, the # prompt appears and the tape ejects.<br />
6 Label the tape (include type of backup, date, time, and so on).<br />
7 Reboot the system to the Operational kernel by entering the following command:<br />
shutdown -r now<br />
Performing an incremental backup<br />
The /etc/backups/do.dump command allows you to use several different options that track which files have changed since the last time you backed up, so that you are not doing full backups each time.<br />
This allows you to back up only the files that have changed since the last backup. For example, your first system backup would be a full backup (Level 0). The next time you back up, you would assign a backup level (a number from 1 to 9); for example, you could label it backup Level 1. The Level 1 backup procedure would check your file system, searching for files that were not backed up in Level 0. Only those files would be written to the tape. The next time you did an incremental backup, it would back up only the files that had changed since the previous Level 1 backup.<br />
Note: While incremental backups can eliminate multiple copies of unchanged files, using incremental backups does increase the duration and complexity of the restore process. If you have a fast tape drive and the level 0 backup fits onto a single tape, you may want to consider performing only level 0 backups.<br />
Tip: How often you should perform incremental backups depends on many factors, such as how much your system is used. The UNIX System Administration Handbook offers several types of schedules that meet various needs.<br />
The following example shows an incremental backup (Level >0) that backs up four file systems. The backed up files are labeled file 1 through file 4.<br />
Level 5 dump for /var as file 1 to /dev/nrst0 on Fri Feb 17 03:00:03 CST 1995<br />
Level 5 dump for /usr as file 2 to /dev/nrst0 on Fri Feb 17 03:00:11 CST 1995<br />
Level 5 dump for / as file 3 to /dev/nrst0 on Fri Feb 17 03:01:33 CST 1995<br />
Level 5 dump for /var/log as file 4 to /dev/nrst0 on Fri Feb 17 03:06:10 CST 1995<br />
The following example performs an incremental backup of the /usr file system. The tape will not be rewound, and the backed up file will not be compressed.<br />
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.<br />
If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).<br />
2 Enter the following command at the command prompt:<br />
shutdown -g now<br />
3 Press Enter when asked whether to check and mount all file systems. The system prompt will appear.<br />
If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.<br />
4 Insert a backup DAT into the tape drive and wait for the tape to reach its load-point.<br />
5 Type the following command to run the incremental backup script.<br />
Important: You must type this command for each file system except /tmp.<br />
/etc/backups/do.dump /usr level filenum<br />
where:<br />
• level = the backup level (see “Performing an incremental backup” on page 639)<br />
• filenum = a file number, indicating the position on the backup tape. For example, if this is the second file system on the tape, the value for this parameter should be 1 (the first file system will be at position 0). For more information on how this parameter is used, see “Performing an incremental restore via the do.restore script” on page 643.<br />
This command backs up the /usr file system to the “no rewind” tape device (usually /dev/nrst0) and labels it.<br />
You will see a “DUMP IS DONE” message for each file system. When the backup is complete, the # prompt appears.<br />
6 When you have finished all incremental backups, rewind and eject the DAT by entering the following command:<br />
mt o<br />
7 Label the tape, indicating the type of backup, date, and time. You should also record the file systems that were backed up along with the corresponding file number (filenum) and mount point in case the file system order changes over time.<br />
8 Reboot the system to the Operational kernel by entering the following command:<br />
shutdown -r now<br />
Restoring system files<br />
In the unlikely event that your Sidewinder G2’s hard disk needs to be replaced, you will need to restore the file system that you have backed up. You will also need to do a full system restore if you add hardware (for example, memory or disk space) to your active Sidewinder G2.<br />
The restore process allows you to restore your Sidewinder G2 to your last level 0 backup without reconfiguring your system. To do this, follow the instructions in “Performing a full system restore” on page 642. Then use the procedure in “Performing an incremental restore via the do.restore script” on page 643 to restore files from your incremental backup tapes.<br />
When you restore files, they are automatically restored with the correct Type Enforcement properties.<br />
The Sidewinder G2 provides the capability to restore files from a full system backup (Level 0) or incremental backup tape. Table 43 explains some differences between these two methods.<br />
Table 43: Sidewinder G2 restore scripts<br />
Restore Type | Restore method | What it does<br />
Full restore | via boot process | Restores your Sidewinder G2 from the level 0 backup tape<br />
Incremental restore | ./do.restore filenum | Restores the specified file system from the specified filenum<br />
Important: You must perform all incremental restore operations from the Administrative kernel.<br />
Performing a full system restore<br />
Use the following procedure to restore your Sidewinder G2 using a level 0 backup. The restore process allows you to restore your Sidewinder G2 to your last level 0 backup without reconfiguring your system.<br />
Caution: When you perform this procedure, all existing data will be overwritten by your last level 0 backup. Any files or directories added since the level 0 backup will be lost.<br />
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.<br />
If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).<br />
2 Enter the following command on your Sidewinder G2:<br />
shutdown -h now<br />
3 Once the system is halted, insert the Sidewinder G2 product CD-ROM, and then power off the system.<br />
4 Power up the system.<br />
5 Press Enter when the Installation Wizard appears.<br />
Tip: See Appendix B of the Sidewinder G2 Startup Guide for additional details on the Installation Wizard.<br />
6 In the Installation Type window, use the down-arrow to move to the Restore Full System Backup option, and then press the space bar to select it.<br />
7 Tab to Continue and then press Enter.<br />
The Restore Full System Backup command will prompt you to insert a backup DAT; this is the DAT that you created when you did the level 0 backup.<br />
8 [Conditional] If needed, change partitioning information.<br />
During the boot process the Default Disk Allocation screen displays the default values. If you need to modify the values, tab to Configure and then press Enter.<br />
Note: You may need to modify these values if you have installed new hardware. Otherwise, it is recommended that you use either the default values or whatever values were set when the system backup was performed.<br />
9 Insert the DAT and wait for the tape to reach its load-point. Press Enter to initiate the restore process. The restore process will repartition the drives and reload all of the system files from the tape.<br />
10 When the restore is finished, the following message will appear:<br />
File restore complete.<br />
11 Remove the DAT and CD-ROM from their respective drives.<br />
12 Press Enter to reboot. The system then reboots to the Administrative kernel.<br />
13 If needed, restore any incremental backups. See “Performing an incremental restore via the do.restore script” on page 643 for information.<br />
14 Perform a new full system (level 0) backup. See “Performing a full system backup (level0)” on page 638.<br />
Important: Do this even if you have not restored any old incremental backups. Performing a new level 0 backup might seem unnecessary at this point, but it must be done in order for future incremental backups to remain in sync with the new file structure. Problems will likely occur if you do a new incremental backup at a later date and then try to restore the system without having first done a full system (level 0) backup.<br />
15 When the full system backup is complete, enter the following command to reboot to the Operational kernel:<br />
shutdown -r now<br />
Performing an incremental restore via the do.restore script<br />
As noted earlier in this section, the Sidewinder G2 file systems are stored as separate files on the backup tape. To restore a file system, you can use the do.restore script in the /etc/backups directory. Incremental restores must be performed from the Administrative kernel.<br />
Follow these steps to restore files on the Sidewinder G2:<br />
Caution: If you are restoring the root (/) file system, DO NOT restore the /shlib directory, which contains shared libraries. If you restore this directory, the system will hang and you will not be able to reboot it. To restore this file system, first use the add command to restore all files. Then use the delete command to delete the /shlib directory from the list of files. Extract the files as usual.<br />
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.<br />
If your system has multiple keyboard/monitor connection ports, you must attach the keyboard and monitor to the same keyboard/monitor connection port pair (that is, attach both items either to the front connection ports or the back connection ports).<br />
2 Reboot the system to the Administrative kernel by entering the following command:<br />
shutdown -g now<br />
3 Press Enter when asked whether to check and mount all file systems. The system prompt will appear.<br />
If you have enabled authentication for the administrative kernel, you will be prompted to log in before the system prompt appears.<br />
4 Insert your backup DAT into the tape drive. Use the DAT on which you backed up your files.<br />
5 Type df to display the file systems on the current Sidewinder G2.<br />
Important: The file systems on the current Sidewinder G2 may not reflect the order in which the file systems were backed up on a backup tape.<br />
For example, the output might look like this:<br />
Filesystem 512-blocks Used Avail Capacity Mounted on<br />
/dev/sd0a 21150 14392 4642 76% /<br />
/dev/sd0d 123903 86320 25192 77% /var<br />
/dev/sd0e 123903 86320 25192 77% /var/log<br />
/dev/sd0g 3837972 939306 2514868 27% /usr<br />
/dev/sd1a 4047224 2131220 1511280 59% /home<br />
6 Use the cd command to switch to the appropriate directory.<br />
Switch to the directory shown in the “Mounted on” column, as shown in the previous step.<br />
7 Position the tape and invoke the restore script by entering the following command.<br />
/etc/backups/do.restore filenum<br />
Note: You must enter this command for each file system that you want to restore.<br />
The filenum variable refers to the order in which the file system appears<br />
on the backup tape. For example, typing do.restore 0 will position the<br />
tape to restore the first file system that was backed up. In the example list<br />
shown in step 5, the first file system backed up was /.<br />
Typing do.restore 4 will forward the tape four file systems from the first<br />
one. (This script automatically rewinds the tape first.) Based on the example<br />
in step 5, the tape would move to /home.<br />
After you type the command, you are in the interactive mode for the<br />
restore command (the prompt is restore>).<br />
8 Type the command you want to use to build the extract list.<br />
• You can type any <strong>of</strong> the commands listed in Table 44.<br />
• These commands build the extract list, but relative to the current<br />
directory specified in step 4. For example, use the add command to add<br />
files to the list <strong>of</strong> the ones you want to restore. A restore is not started<br />
until the next step is completed.<br />
Table 44: Restore Script Commands<br />
Command What it does<br />
ls directory Lists contents <strong>of</strong> the specified directory<br />
cd directory Changes to specified directory<br />
pwd Prints the full path name <strong>of</strong> the current working<br />
directory<br />
add directory<br />
add file<br />
delete directory<br />
delete file<br />
Adds directory or file to list <strong>of</strong> files to be extracted<br />
Important: If you are restoring the root file<br />
system, see Caution note at beginning <strong>of</strong> steps.<br />
Deletes directory or file from list <strong>of</strong> files to be<br />
extracted<br />
extract Extracts all files that were added to the list<br />
setmodes Sets modes <strong>of</strong> requested directories<br />
quit Exits program immediately<br />
what Lists dump header information<br />
verbose Toggles verbose flag (useful with ls command)<br />
help or ? Prints this command list<br />
9 After you have selected the files, enter the extract command.
10 When prompted, enter the volume number by typing 1 and press Enter. You
will be asked whether you want to change owner/mode/types for the current
working directory.
11 Type y or n and press Enter.
You should almost always type n to prevent the owner/mode/types in the
current working directory from being changed.
12 To exit the restore script, type quit at the restore> prompt.
13 Repeat step 6 through step 12 for other file systems you want to restore.
14 When you are finished restoring files from the DAT, rewind and eject the
tape by entering the following command:
mt o
15 Reboot to the Operational kernel by entering the following command:
shutdown -r now
Restoring configuration files using the command line
If you need to restore your Sidewinder G2 to a backup configuration saved on
floppy diskette and do not have access to the Admin Console, use the
following steps to restore your configuration backup via the command line.
1 Insert the configuration backup diskette in the Sidewinder G2’s diskette
drive.
2 At a Sidewinder G2 command prompt, enter the following command:
cf config restore loc=floppy
3 The Sidewinder G2 restores the configuration files. If your backup
configuration uses multiple diskettes, you will be prompted when you need
to remove the current diskette and insert the next diskette.
4 When the restore process is complete, remove the diskette and reboot.
Important: The version of the configuration backup must match the version on the
Installation–Disk Imaging CD used during the restore process. Avoid complications
by backing up your configuration after every upgrade.
Adding hardware to an active Sidewinder G2
You can use the full system (level 0) restore process if you want to add
hardware (for example, memory or disk space) to your active Sidewinder G2,
or if you are moving to a new chassis.
• The best time to add memory or disk space is before you install your
Sidewinder G2 software. When you have completed the procedure, the
Sidewinder G2 will automatically detect the new memory and disk space.
• You can purchase a Performance Pack to increase your hardware’s
capabilities. For more information, contact your sales representative.
To add hardware, follow these steps.
Note: You do not need to perform this procedure if you are adding network
devices.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection
port pair (that is, attach both items to the front connection ports or both
to the back connection ports).
2 Perform a level 0 backup of your system.
Important: You must back up your software system because you will be
repartitioning the disk drives in step 7, and you will need a full backup to restore
the system. Given the significance of this backup, it is a good idea to perform
two level 0 backups, in case there is a problem with the first backup. See
“Backing up system files” on page 638 for instructions on performing a level 0
backup.
3 Type the following command to halt the system.
shutdown -h now
4 Power off the system.
5 Add the new hardware to your system.
Be sure to take the necessary precautions to prevent accidental electrostatic
shock.
6 Power up the system and quickly insert the Sidewinder G2 Installation–Disk
Imaging CD-ROM.
Tip: See Appendix B of the Sidewinder G2 Startup Guide for additional details
on the Installation Wizard.
7 Press Enter when the Installation Wizard appears.
8 In the Installation Type window, use the down-arrow to move to the Restore
Full System Backup option, and then press the space bar to select it.
9 Tab to Continue and then press Enter.
The Restore Full System Backup command will prompt you to insert a
backup DAT; this is the DAT that you created when you did the level 0
backup.
10 [Conditional] If needed, change partitioning information.
During the boot process the Default Disk Allocation screen displays the
default values. If you need to modify the values, tab to Configure and then
press Enter.
Note: You may need to modify these values if you installed new hardware.
Otherwise, it is recommended that you use either the default values or whatever
values were set when the system backup was performed.
11 Insert the DAT and wait for the tape to reach its load point. Press Enter to
initiate the restore process. The restore process will repartition the drives
and reload the system files from the tape.
12 When the restore is finished, the following message will appear:
File restore complete.
13 Remove the DAT and CD-ROM from their drives.
14 Press Enter to reboot the system to the Administrative kernel.
15 If needed, restore any incremental backups. See “Performing an
incremental restore via the do.restore script” on page 643 for information.
16 Perform a new full system (level 0) backup.
Important: Do this even if you have not restored any old incremental backups.
Performing a new level 0 backup might seem unnecessary at this point, but it
must be done in order for future incremental backups to remain in sync with the
new file structure. Problems are likely to occur if you perform a new incremental
backup at some later date and then try to restore the system without having first
performed a full system backup.
17 When the full system backup is complete, enter the following command to
reboot to the Operational kernel:
shutdown -r now
The hardware is now successfully added.
Recovering when the licensed NIC fails
When the Sidewinder G2 obtains its license, it submits the MAC address of one
of its NICs. The license is then associated with that MAC address. If that MAC
address cannot be found, the Sidewinder G2 invalidates the license. At this
point, you must obtain a new license using the MAC address of the new NIC or
another NIC on the Sidewinder G2.
Replacing and relicensing a network interface card
Do the following to remove the failed NIC, install the new NIC, and relicense
your Sidewinder G2:
1 As soon as a failure is detected, enter cf interface q at a command line
and record the following information about the failed NIC:
• the MAC address(es)
• the ifname of each interface associated with that NIC
• any capabilities listed in the ifcap field
2 Power down the Sidewinder G2 by doing one of the following:
• Using the Admin Console, select Firewall Administration > System
Shutdown and select Halt System.
• Using a command line, enter shutdown -h now. When a message
appears telling you it is safe to shut down, press the power button.
3 Remove the failed NIC. Follow safe electrostatic discharge
procedures.
4 [Optional] If replacing that NIC, put in a new network interface card.
5 Attach a monitor and keyboard to the Sidewinder G2.
6 Press the Sidewinder G2’s power button. The Sidewinder G2 comes up in
failure mode because it is not licensed.
7 At the command prompt, enter the following command:
cf interface query
Note: If the new NIC has the same number of interfaces as the old NIC and was
made by the same manufacturer, skip to step 10.
8 For each NIC that was removed and is now replaced, enter on one line:
cf interface swap mac_addr=old_MAC_addr swap_mac_addr=new_MAC_addr
where old_MAC_addr is the MAC address of the failed NIC and
new_MAC_addr is the MAC address of the new NIC.
9 [Conditional] If any of the new interfaces have an enabled licensed
capability, clear the capability by entering the following:
cf interface modify ifname=ifname ifcap=
Note: Leave the ifcap field blank. You will add the interface capabilities after the
Sidewinder G2 is licensed.
10 Enable all the replaced interfaces by entering:
cf interface modify ifname=ifname enabled=on
11 Check the license by entering:
cf license query
12 Assign the license to a new NIC by entering:
cf license set firewall_id=MAC_addr
where MAC_addr is the MAC address of the new NIC.
13 Obtain the license by entering:
cf license get
14 [Conditional] If the Sidewinder G2 does not successfully obtain a license,
skip to step 2 in “Troubleshooting licensing problems” on page 650.
15 Reboot the Sidewinder G2 to the operational kernel by entering:
shutdown -r now
16 [Conditional] If the failed NIC had licensed capabilities, add them to the new
NIC by entering the following:
cf interface modify ifname=ifname ifcap=ifcap
where ifname is the interface’s name and ifcap is the interface’s capability
recorded in step 1.
Your Sidewinder G2 should now be licensed.
Troubleshooting licensing problems
If the Sidewinder G2 comes up in failure mode because it did not license during
the reboot, check the following:
1 Try to obtain the license by entering:
cf license get
2 Verify that there is a default route by entering:
netstat -nr
If there is not a default route, add it back with
route add default aaa.bbb.ccc.ddd
where aaa.bbb.ccc.ddd is the next hop router for the default route.
3 Verify that DNS is resolving by entering:
nslookup www.securecomputing.com
4 Obtain the license by doing one of the following:
• If DNS is resolving, enter cf license get.
• If DNS is not resolving, you will need to get the license using the Secure
Computing activation server’s IP address by entering the following on a
single line:
cf license get activation_url=https://66.45.10.76/cgibin/sidewinder-activation.cgi
5 Reboot the system to the operational kernel by entering:
shutdown -r now
The Sidewinder G2 should now be correctly licensed and fully functional.
What to do if the boot process fails
Boot failure may be caused by the fsck command. This command is run as
part of the system boot process. If this command fails, the Sidewinder G2 will
not boot properly. If the boot process fails, you will need to attach a keyboard
and monitor and repower the system. If you see a # prompt (indicating that the
fsck command failed), type the following at the # prompt to fix any disk
problems:
ind Kern /sbin/fsck -p
Then restart the system by entering shutdown -r now at the command
prompt.
System reboot messages
During a system reboot, certain system events will cause messages to be
stored in the audit holding area prior to auditd being started. When auditd
starts, one or more blue messages stating “sacopen: transferred 1
records from hold” may appear on the console’s display. This merely
indicates that the messages stored in the audit holding area were transferred
to the audit stream. Normally, these messages can be ignored.
Re-imaging your Sidewinder G2
If you need to re-image your Sidewinder G2 configuration, follow the steps
below. You will need both your Sidewinder G2 Installation–Disk Imaging CD-ROM
and your configuration backup diskette. (You may need to use this
process if your original configuration was incorrect.)
Note: Any changes you made to the multi-processor configuration (mp.config) file
will be overwritten during the re-installation process.
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Power on or reboot the system.
3 Quickly insert the Installation–Disk Imaging CD into the drive.
The system boots from the CD and displays standard boot-up information.
After the boot sequence finishes, the Sidewinder G2 software Installation
Wizard appears.
4 Run the wizard.
Note: In most situations, the default values are sufficient. Only experienced
administrators should change the partitioning.
5 Once the Installation Wizard completes, remove the CD from its drive.
6 Reboot the Sidewinder G2.
7 Run your chosen Quick Start method. (See the Sidewinder G2 Startup
Guide for more information.) Once configured, the Sidewinder G2 reboots.
• If the system successfully accesses the Secure Computing activation
server and retrieves its license key, it will emit two beeps indicating the
Sidewinder G2 is active.
Note: The Sidewinder G2 will try to send the activation request for one
minute. If the activation is not successful in that time, you must activate your
Sidewinder G2 using the Admin Console.
• If the system cannot retrieve its license key, the Sidewinder G2 will emit
four beeps and come up in Safe Mode. The Sidewinder G2 will not pass
traffic until it is licensed.
8 [Conditional] If you applied any system patches to your Sidewinder G2 prior
to making your last configuration backup, you will need to load and install to
your previous patch level before you apply the configuration backup
diskette. (For information on loading and installing patches, see “Loading
and installing patches” on page 76.)
9 Restore your Sidewinder G2 configuration data. See “Restoring
configuration files using the Admin Console” on page 54.
If you forget your administrator password
If you forget your administrator password, you can change your password on
the Sidewinder G2 itself by booting to the administrative kernel.
Important: By default, the administrative kernel does not require authentication.
However, if you have configured your system to require administrative kernel
authentication, you will need to temporarily disable authentication using the
maintenance mode option before you can access the administrative kernel and
change your password. For information on disabling administrative kernel
authentication when you have forgotten your password, see “Using maintenance
mode to disable authentication when you have forgotten your password” on page
653.
Changing your password in the administrative kernel
Follow the steps below to change your password in the administrative kernel.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 When the “loading/boot . . . . . .” message appears, press any
key to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel
is booting. Press any key (excluding Esc) before the 0 appears. A
Boot: prompt then appears.
3 Enter the following command:
bsd.sw.admin -w
4 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear.
5 Enter the following command to change your password:
cf adminuser modify user=name password=newpassword
6 To reboot to the Operational kernel, enter the following command:
shutdown -r now
You can now log in using your new password.
Using maintenance mode to disable authentication when
you have forgotten your password
If you have configured your system to require administrative kernel
authentication and you forget your password, you will need to temporarily
disable administrative kernel authentication using the maintenance mode
option, as described below.
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Insert the Sidewinder G2 Installation–Disk Imaging CD in the Sidewinder
G2’s CD drive, and then power off the system.
3 Power up the system. Click Continue when the Installation Wizard appears.
4 On the Installation Type window, use the down arrow to move the cursor to
the Maintenance Mode option, and press the space bar to select it.
5 Tab to Continue and press Enter. The shell prompt appears.
6 Open the /etc/ttys file for editing.
7 Modify the value of the following line to be secure:
console /usr/libexec/getty pccons ibmpc3 on secure
8 Save your changes and exit. The Install Wizard closes.
9 At the shell prompt, type exit and press Enter.
10 See “Changing your password in the administrative kernel” on page 653 for
information on changing your password in the administrative kernel.
Manually clearing an authentication failure lockout
If you have enabled the authentication failure lockout option and have been
locked out of your system, another administrator can log into the system and
clear the lock using the Admin Console (see “Configuring authentication
services” on page 284). However, if you do not have another administrator who
can clear your lock for you, you can still manually clear your lock by
successfully logging in at the Sidewinder G2, as follows:
1 Attach a keyboard and monitor (or laptop) directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor to the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 [Conditional] If the Sidewinder G2 does not detect the keyboard and
monitor (or laptop), reboot the Sidewinder G2. When the Sidewinder G2
has booted, the login prompt appears.
3 Log into the Sidewinder G2. When you successfully log in directly on the
Sidewinder G2, the lock will be cleared automatically and you should be
able to log into the Sidewinder G2 as usual.
Interpreting beep patterns
At times, your Sidewinder G2 Security Appliance may emit a beep pattern. The
beep pattern may repeat itself until the issue is addressed. This is the
Sidewinder G2’s way of communicating to you its status and what needs to
happen next. Refer to this chart to interpret the various patterns and take the
appropriate action.
Table 45: Sidewinder G2 beep patterns
What you hear: TWO (2) short beeps (non-repeating)
What it means: Sidewinder G2 successfully rebooted and is now passing traffic.
What you should do: No action needed, the Sidewinder G2 is operational.

What you hear: THREE (3) short beeps (non-repeating)
What it means: Sidewinder G2 is ready for its Quick Start information.
What you should do: Configure the Sidewinder G2 using one of the three methods
described in “Selecting the best startup method” in the Startup Guide.

What you hear: FOUR (4) short beeps (repeating)
What it means: There are non-content errors on the Quick Start Wizard diskette.
What you should do: Try again with a new Quick Start Wizard diskette.
What it means: If you have already completed an initial configuration, this
indicates an unlicensed Sidewinder G2 running in safe mode.
What you should do: Do one of the following:
• License the Sidewinder G2 (see “Checking for license activation” in the
Startup Guide for details).
• Attach a monitor and keyboard, wait for a pause between beeps, and then
enter the following command: stop_beep
Note: Using this command turns off the beep pattern, but does not make your
Sidewinder G2 fully operational. You must license your Sidewinder G2 before it
will pass and monitor traffic.
What it means: If the Sidewinder G2’s license is already activated, this
indicates a network failure.
What you should do: Troubleshoot your network connectivity.

What you hear: FIVE (5) short beeps (repeating)
What it means: The Sidewinder G2 needs you to remove media from its drives.
What you should do: Remove media and reboot.

What you hear: ONE (1) medium beep, THREE (3) short beeps
What it means: The managed Sidewinder G2 failed to register with the G2
Enterprise Manager.
Note: This beep pattern can only occur on a managed Sidewinder G2.
What you should do: Verify the Sidewinder G2 name, registration key, and
administration user name and password information. Verify connectivity between
the managed Sidewinder G2 and the EM. Then try again manually to register the
Sidewinder G2 to the EM. See “Dealing with a failed managed firewall
registration” in Appendix B of the Startup Guide for more information.

What you hear: Long beep followed by n short beeps (repeating), where n is the
sequential number of the diskette to be installed
What it means: The system is ready for the next diskette in the configuration
backup.
What you should do: Insert the next diskette in your configuration backup.

What you hear: Long beep (repeating)
What it means: Task failed.
What you should do: Contact Technical Support (if you have a support contract).
Reinstall or restore a configuration backup. See the Sidewinder G2
Administration Guide for details.

If a patch installation fails
In the unlikely event the patch installation fails, the Sidewinder G2 will not be
operational, and will instead boot into failure mode. A message appears when
you log into the Sidewinder G2 and it is in failure mode.
Failure mode enables the Sidewinder G2 to boot far enough to allow an
administrator to log in. The administrator can then display the log files and
perform diagnostic functions in an effort to determine what went wrong.
Important: Unless you are an extremely experienced Sidewinder G2 administrator,
please contact Secure Computing Technical Support if your Sidewinder G2 boots
into failure mode.
After correcting the problem you should perform the following steps:
1 Exit failure mode by typing the following command:
cf daemond set failure_mode=off
2 Reboot the Sidewinder G2.
Note: For more information on failure mode, see “daemond” on page 12.
Troubleshooting proxy rules
The following sections provide information on troubleshooting basic proxy rule
problems. For additional information on troubleshooting proxy rules, refer to
the cf_proxy man page.
Failed connection requests
If the Sidewinder G2 rejects a connection request that you feel should have
succeeded, you can take steps to determine why the connection was rejected.
The steps shown below will help you to locate and correct rule configuration
errors. They will also help you gain a better understanding of how those rules
work.
1 Start the Admin Console and select Services Configuration > Proxies.
Verify that the appropriate proxy is enabled. The most common mistake is
failing to enable the service type indicated by the proxy rule.
Tip: Verify that all appropriate servers are enabled as well.
2 Select Policy Configuration > Rules.
Verify that the proxy rule for the proxy or server specifies the correct network.
You need to enable the service type on the correct network to listen
for incoming connections. In the Rules Source/Dest tab, this corresponds to
the Source Burb column.
3 Verify the position of the rules within the Active Rules window. (Select
Policy Configuration > Rules, and then click View Active Policy.)
The order of the rules in the Active Rules window is important. The
attributes of a connection request sometimes may match more than one
proxy rule. See “Creating proxy rules” on page 222 for a detailed example.
4 Check the audit log information.
If the connection still fails, scan the audit log to determine which proxy rule
denied the connection. See Chapter 19 for details on viewing audit.
The audit record below shows a common scenario, a connection that failed to
match any rule:
Apr 29 16:52:29 2002 CDT f_nss a_server t_acldeny p_major
pid: 27122 ruid: 0 euid: 0 pgid: 188 fid: 2000001 logid: 0
cmd: 'nss'
domain: nss1 edomain: nss1 srcip: 172.17.9.27 srcburb: 1
dstip: 172.17.9.27 dstburb: 1 protocol: 6 service_name:
telnet agent_type: server user_name: authmethod:
acl_id: cache_hit: 0
5 Turn on verbose auditing of rule (ACL) checks.
To determine why no proxy rule matched the connection request, type the
following command to turn on verbose auditing of rule checks:
cf acl set loglevel=4
This increases the level of rule audits from the default level 2 (minor) to
level 4 (major).
Note: Modifications to the log level setting will not be overwritten if acld is
restarted. To return the log level to its default value, you must manually reset it.
When the connection attempt is rejected, the proxy or server will generate a
more verbose audit message as shown below:
May 5 02:37:42 2002 CDT f_ping_proxy a_aclquery t_info<br />
p_major<br />
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001 logid: 0<br />
cmd: 'pingp'<br />
domain: Ping edomain: Ping<br />
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY<br />
=Skipped 'http_out': query service 'ping' != rule 'http'.<br />
Skipped 'telnet_external': query agent 'proxy' != rule<br />
'server'.<br />
Skipped 'http_ssl_out': query service 'ping' != rule<br />
'https'.<br />
Skipped 'ftp_out': query service 'ping' != rule 'ftp'.<br />
Skipped 'telnet_out': query service 'ping' != rule<br />
'telnet'.<br />
Skipped 'nntp_out': query service 'ping' != rule 'nntp'.<br />
Skipped 'real_media_out': query service 'ping' != rule<br />
'RealMedia'.<br />
Skipped 'rtsp_out': query service 'ping' != rule 'rtsp'.<br />
Skipped 'gopher_out': query service 'ping' != rule<br />
'gopher'.<br />
Skipped 'finger_out': query service 'ping' != rule<br />
'finger'.<br />
Skipped 'dns_self': query service 'ping' != rule 'dns'.<br />
Skipped 'smtp_out': query service 'ping' != rule 'smtp'.<br />
Skipped 'smtp_in': query service 'ping' != rule 'smtp'.<br />
Skipped 'cobra_all': query agent 'proxy' != rule<br />
'server'.<br />
Skipped 'login_console': query agent 'proxy' != rule<br />
'server'.<br />
Access denied by rule 'deny_all'.<br />
You can use this output to determine why each proxy rule failed to match<br />
the connection request. Locate the proxy rule that you thought should have<br />
matched. Then inspect and correct the proxy rule.<br />
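The aclQUERY output above can be reduced to a per-rule verdict instead of being read line by line. The following Python script is an added example, not code from the guide or from the Sidewinder G2 software; it parses the guide's sample verbose audit (embedded inline) and reports, for a named rule, which field of the query (service or agent) caused the rule to be skipped.

```python
import re

# The guide's sample verbose rule audit (cf acl set loglevel=4), embedded
# here as the script's input so that it runs offline.
SAMPLE_AUDIT = """\
May 5 02:37:42 2002 CDT f_ping_proxy a_aclquery t_info p_major
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001 logid: 0
cmd: 'pingp'
domain: Ping edomain: Ping
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY
=Skipped 'http_out': query service 'ping' != rule 'http'.
Skipped 'telnet_external': query agent 'proxy' != rule 'server'.
Skipped 'http_ssl_out': query service 'ping' != rule 'https'.
Skipped 'ftp_out': query service 'ping' != rule 'ftp'.
Skipped 'telnet_out': query service 'ping' != rule 'telnet'.
Skipped 'nntp_out': query service 'ping' != rule 'nntp'.
Skipped 'real_media_out': query service 'ping' != rule 'RealMedia'.
Skipped 'rtsp_out': query service 'ping' != rule 'rtsp'.
Skipped 'gopher_out': query service 'ping' != rule 'gopher'.
Skipped 'finger_out': query service 'ping' != rule 'finger'.
Skipped 'dns_self': query service 'ping' != rule 'dns'.
Skipped 'smtp_out': query service 'ping' != rule 'smtp'.
Skipped 'smtp_in': query service 'ping' != rule 'smtp'.
Skipped 'cobra_all': query agent 'proxy' != rule 'server'.
Skipped 'login_console': query agent 'proxy' != rule 'server'.
Access denied by rule 'deny_all'.
"""

# One "Skipped" line: the rule name, the query field that mismatched, the
# value the connection presented and the value the rule requires.  The "="
# on the first Skipped line is the audit record's continuation marker.
SKIPPED_RE = re.compile(
    r"^=?Skipped '(?P<rule>[^']+)': query (?P<field>\w+) "
    r"'(?P<query>[^']*)' != rule '(?P<expected>[^']*)'\.$")
# The final line names the rule that decided the query.
DENIED_RE = re.compile(r"^Access denied by rule '(?P<rule>[^']+)'\.$")


def parse_acl_query(audit_text):
    """Return (skipped rules in evaluation order, name of the deciding rule)."""
    skipped, deciding = [], None
    for raw in audit_text.splitlines():
        line = raw.strip()
        m = SKIPPED_RE.match(line)
        if m:
            skipped.append(m.groupdict())
            continue
        m = DENIED_RE.match(line)
        if m:
            deciding = m.group("rule")
    return skipped, deciding


def explain_rule(audit_text, rule_name):
    """Explain why rule_name did not match, or report that it decided the query."""
    skipped, deciding = parse_acl_query(audit_text)
    for entry in skipped:
        if entry["rule"] == rule_name:
            return ("rule %s skipped: its %s is %r but the connection's %s is %r"
                    % (rule_name, entry["field"], entry["expected"],
                       entry["field"], entry["query"]))
    if deciding == rule_name:
        return "rule %s matched and denied the connection" % rule_name
    # Rules are checked in order; a rule ordered after the deciding rule is
    # never evaluated, so it never appears as "Skipped".
    return ("rule %s was never evaluated (not in the active rule group, or "
            "ordered after the deciding rule %r)" % (rule_name, deciding))


def mismatch_summary(audit_text):
    """Count skipped rules per mismatching field, e.g. {'service': 12, 'agent': 3}."""
    counts = {}
    for entry in parse_acl_query(audit_text)[0]:
        counts[entry["field"]] = counts.get(entry["field"], 0) + 1
    return counts


if __name__ == "__main__":
    print(explain_rule(SAMPLE_AUDIT, "telnet_out"))
    print(explain_rule(SAMPLE_AUDIT, "deny_all"))
    print(mismatch_summary(SAMPLE_AUDIT))
```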
6 When you are done troubleshooting, type the following command to lower
the level of rule audits back to the default:

cf acl set loglevel=2

If you do not set the loglevel back to 2, the verbose rule audits will
eventually fill the disk.
Monitoring allow and deny rule audit events
Another troubleshooting tool is the rule monitoring tool (acat_acls). This
real-time monitoring tool displays allow and deny rule audit events as they
occur on the Sidewinder G2. Because the rule audit events are displayed in
real time, this tool gives a Sidewinder G2 administrator a unique window on
Sidewinder G2 rule activity. You can use the tool to determine whether your
rule database is properly configured, or simply to view how your rules are
being used on a live system.
For example:
• If you are not certain whether your Telnet rule is properly configured, you
can start the monitoring tool, attempt your Telnet connection and see (in
real time) whether the connection is allowed or denied.
• If you want to see (in real time) which rules are currently the most heavily
used, start the monitoring tool and watch as the current rule audit events
scroll by within a command window.
The remainder of this section provides information on using the monitoring
tool. Information can also be found by typing man acat_acls at a Sidewinder
G2 command prompt.
Starting the rule monitoring tool (acat_acls)
To start the rule monitoring tool, enter the following commands at a Sidewinder
G2 command prompt:

srole
/usr/bin/acat_acls -a -d

where:
• -a = display allow rule audit events
• -d = display deny rule audit events
If you want to view only allow rule audit events or only deny rule audit events,
simply omit the undesired option (-a or -d).
Viewing the output from the rule monitoring tool
Each rule audit event is displayed on a single 80-character line using the
following format:

Action  Date      Time      Source  Source          Dest.  Dest.           Service  Agent
                            Burb    IP              Burb   IP

The source burb and the destination burb fields display the burb index
number, not the burb name. The following example shows both an allow rule
audit event and a deny rule audit event:

DENY  02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping   proxy
ALLOW 02/05/05 02:42:32 2 192.168.179.76 1 192.168.180.87 telnet proxy
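Captured acat_acls output in this format can also be tallied offline instead of watched as it scrolls. The following Python script is an added example, not part of the guide or of the acat_acls tool; it parses the two lines shown above plus a few constructed lines in the same format, counts allow and deny events per service, and lists the denied burb-to-burb flows. The burb index-to-name map is a constructed assumption; on a real system it comes from your own burb configuration.

```python
import re
from collections import Counter

# The guide's two sample lines plus three constructed lines in the same
# 80-character layout: Action Date Time SrcBurb SrcIP DstBurb DstIP Service Agent.
SAMPLE_OUTPUT = """\
DENY  02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping   proxy
ALLOW 02/05/05 02:42:32 2 192.168.179.76 1 192.168.180.87 telnet proxy
ALLOW 02/05/05 02:42:40 2 192.168.179.80 1 192.168.180.87 telnet proxy
DENY  02/05/05 02:43:01 1 192.168.180.87 2 192.168.179.76 telnet proxy
ALLOW 02/05/05 02:43:15 2 192.168.179.76 1 192.168.180.87 http   proxy
"""

# Burb index -> burb name.  acat_acls prints only the index; this map is a
# constructed assumption for the example.
BURB_NAMES = {1: "external", 2: "internal"}

LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src_burb>\d+)\s+(?P<src_ip>\S+)\s+(?P<dst_burb>\d+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<service>\S+)\s+(?P<agent>\S+)\s*$")


def burb_name(index):
    """Map a burb index to its name, falling back to a generic label."""
    return BURB_NAMES.get(index, "burb%d" % index)


def parse_events(text):
    """Parse acat_acls lines into dicts; lines that are not rule audits are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src_burb"] = int(ev["src_burb"])
        ev["dst_burb"] = int(ev["dst_burb"])
        ev["src_burb_name"] = burb_name(ev["src_burb"])
        ev["dst_burb_name"] = burb_name(ev["dst_burb"])
        events.append(ev)
    return events


def tally_by_service(events):
    """[((service, action), count), ...] with the most frequent first."""
    return Counter((e["service"], e["action"]) for e in events).most_common()


def denied_flows(events):
    """Distinct (source burb, destination burb, service) triples that were denied."""
    return sorted({(e["src_burb_name"], e["dst_burb_name"], e["service"])
                   for e in events if e["action"] == "DENY"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    for (service, action), count in tally_by_service(evs):
        print("%-8s %-5s %d" % (service, action, count))
    print("denied flows:", denied_flows(evs))
```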
Halting and resuming rule monitoring tool output
If the output from the monitoring tool is scrolling by too quickly, you can
temporarily halt the output by pressing the following key combination:
Ctrl+S
To resume output, press the following key combination:
Ctrl+Q
Stopping the rule monitoring tool
To stop the rule monitoring tool, press the following key combination:
Ctrl+C
Active rules and the DNS
If you create a proxy rule that contains a host name or a domain name, that
rule consults the Domain Name System (DNS) in order to translate the
name to its corresponding IP address. Because of this, there are some facts
related to DNS that you should consider when setting up your security policy.
The Sidewinder G2 can be configured to use transparent DNS, one DNS
server (known as single or unbound DNS), or two DNS servers (known as split
DNS). The split DNS scenario is the most secure, as one DNS server is
dedicated to your Internet burb and the second DNS server services your
remaining burbs. This essentially isolates the two DNS servers from each
other, protecting your non-Internet burbs from attacks by malicious persons on
the Internet.
However, it is theoretically possible for attackers on the Internet to feed false
information to your Internet DNS server. Therefore, you should be careful when
using rules to allow or deny access to specific hosts on the Internet.
When dealing with outside connections, there are steps that you can take to
increase the level of assurance:
1 Use IP addresses in your proxy rule instead of host names or domain
names. This avoids having to depend on external DNS.
2 Make the proxy rule demand strong authentication (for example,
SafeWord).
3 Make the proxy rule demand encryption of the connection (for example,
VPN).
For additional protection you should use a combination of the above.
Understanding FTP and Telnet connection failure messages
Depending on your Sidewinder G2's configuration, FTP and Telnet users will
see one of two messages when a connection attempt is denied by the
Sidewinder G2. The type and meaning of these messages are summarized
below.
Table 46: Connection failure messages for Telnet

Message                                  Possible causes
telnet 192.55.214.24                     ✔ Rule entry denied the connection
Trying 192.55.214.24                     ✔ Server is down
Connected to 192.55.214.24               ✔ No proxy enabled on port but the
Escape character is '^]'.                  Sidewinder G2 server is enabled
Connection closed by foreign host.       ✔ Distinguishing IP addresses were used
                                           but no match was found

telnet 192.55.214.24                     ✔ No proxy or Sidewinder G2 server
telnet: Unable to connect to remote        enabled on that port
host: Connection refused.                ✔ Default route is wrong on client

Note: Similar messages are displayed for failed FTP connections.
Troubleshooting High Availability
This section provides information to determine whether High Availability is
functioning properly.
Viewing configuration-specific information
The cf failover query command gives you configuration-specific
information, as shown in the following example:

failover set priority=255 multicast_group=239.192.0.1 \
    heartbeat_burb=internal firewall_id=1 \
    interface_test_time=30 ping_wait=0 load_sharing=off \
    interval_time=1 interface_test_failures=3 enabled=on
failover set password=pasword type=sha1
failover add address alias=10.10.1.22 \
    remote=172.27.1.21 network=172.27.1.2
failover add address alias=10.10.10.12 \
    remote=10.10.10.21 burb=internal
Viewing status information
The cf failover status command gives you information on whether or not
HA is active, what state the system is in (primary or secondary/standby), and
useful statistical information.
Viewing status information for a primary
The following example shows sample results for a primary in a peer-to-peer HA
configuration:

This system is operating as primary.
Failover is running in burb 3
IP alias 10.10.10.186 assigned to interface eb0
IP alias 192.168.222.186 assigned to interface exp1
IP alias 192.168.107.186 assigned to interface exp0
This system was configured as a standby with priority 245 for firewall ID 186.
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as primary
Active firewall list:
10.10.10.7
Statistics for failover
Failover running since Wed Feb 2 15:04:48 2005
Failover allowing 3 seconds for interface swap (default)
Number of advertisements sent = 210
Number of received advertisements = 0
Number of rcvd advertisements since primary = 0
Number of times this system has become primary = 1
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 0
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 7
Number of pings received on interface exp0 = 0
Viewing status information for a secondary
The following example shows sample results for a secondary that is configured
for load sharing HA:

This system is operating in load sharing mode as secondary.
This system is node 1.
The primary is node 0 (10.10.10.6).
Failover is running in burb 3
cluster heartbeat address 10.10.10.186 assigned to interface eb0
shared cluster address 192.168.222.186 assigned to interface exp1
shared cluster address 192.168.107.186 assigned to interface exp0
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as load sharing peer
Active firewall list:
node  address
0     10.10.10.6 (primary)
Statistics for failover
Failover running since Wed Feb 2 14:08:52 2005
Failover allowing 3 seconds for interface swap (default)
Number of advertisements sent = 0
Number of received advertisements = 1404
Number of rcvd advertisements since primary = 1404
Number of times this system has become primary = 0
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 1404
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 46
Number of pings received on interface exp0 = 0

Tip: The failover daemon is named faild. Enter the pss faild command to
determine whether the failover daemon is active.
Identifying load sharing addresses in netstat and ifconfig
Output for netstat -i queries displays load sharing addresses with a
plus (+) sign. The following example shows the results of the netstat -i
command with load sharing enabled.

Name   Index  MTU   Speed  Mtrc  Burb       Address            Network
em0    1      1500  100M   0     external   00:0c:f1:c7:ba:ea
em0+   1                   0     external   172.27.1.22        172.27
em0    1                   0     external   172.27.1.2         172.27
exp0   2      1500  100M   0     internal   00:a0:c9:9d:99:a1
exp0+  2                   0     internal   10.10.10.22        10.10.10/24
exp0   2                   0     internal   10.10.10.2         10.10.10/24
eb0    3      1500  100M   0     heartbeat  00:10:5a:98:51:26
eb0    3                   0     heartbeat  10.10.1.2          10.10.1/24
eb0    3                   0     heartbeat  10.10.1.22         10.10.1/24
lo0    4      1500         0     Firewall
lo0    4                   0     Firewall   127.0.0.1          127
lo0    4                   0     external   127.1.0.1          127
lo0    4                   0     internal   127.2.0.1          127
lo0    4                   0     heartbeat  127.3.0.1          127

Output for ifconfig -a queries displays load sharing addresses with the
word shared. The following example shows the results of the ifconfig -a
command with load sharing enabled.

em0: flags=8843
    link type ether 0:c:f1:c7:ba:ea mtu 1500 speed 100Mbps
    media auto (100basetx full_duplex) status active
    inet 172.27.1.22 netmask 255.255.0.0 broadcast 172.27.255.255
        burb external, burb index 1 shared
    inet 172.27.1.2 netmask 255.255.0.0 broadcast 172.27.255.255
        burb external, burb index 1
exp0: flags=8843
    link type ether 0:a0:c9:9d:99:a1 mtu 1500 speed 100Mbps
    media auto (100basetx full_duplex) status active
    inet 10.10.10.22 netmask 255.255.255.0 broadcast 10.10.10.255
        burb internal, burb index 2 shared
    inet 10.10.10.2 netmask 255.255.255.0 broadcast 10.10.10.255
        burb internal, burb index 2
eb0: flags=8843
    link type ether 0:10:5a:98:51:26 mtu 1500 speed 100Mbps
    media auto (100basetx full_duplex) status active
    inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255
        burb heartbeat, burb index 3
    inet 10.10.1.22 netmask 255.255.255.0 broadcast 10.10.1.255
        burb heartbeat, burb index 3
lo0: flags=8009
    link type loop mtu 1500
    inet 172.0.0.1 netmask 255.0.0.0
        burb Firewall, burb index 0
    inet 172.1.0.1 netmask 255.0.0.0
        burb external, burb index 1
    inet 172.2.0.1 netmask 255.0.0.0
        burb internal, burb index 2
    inet 172.3.0.1 netmask 255.0.0.0
        burb heartbeat, burb index 3
Interface configuration issues with HA
If you modify your interface configuration, your HA configuration will not
function until you update the HA Interfaces table (in the Admin Console, select
High Availability > Common Parameters tab) to match the modified interface
configuration. When you are finished updating the interface information, reboot
the Sidewinder G2s.
Troubleshooting remote interface test failover for peer-to-peer HA
If you have a peer-to-peer HA cluster configured and the remote host used for
interface testing becomes unavailable, the primary will report an interface
failure (after the specified number of failed ping attempts is reached) and
failover will occur. When this happens, the new primary will receive the
interface failure status from the former primary, and interface failure testing will
be disabled. In this state, the standby will take over for the primary only if the
primary becomes unavailable.
Once the remote host is restored, you will need to issue the cf failover
reset command on the standby, and then on the primary, to reset and re-enable
the interface failover indicators.
Troubleshooting NTP
If you have NTP properly configured and enabled, you should be able to
monitor NTP packets being sent/received on the appropriate Sidewinder G2
interfaces. To do so, enter the following command:

tcpdump -npi ext_interface# port 123

where: ext_interface# is the external interface and number (for example
em0, em1, etc.)
NTP packets should be sent/received every 15-30 seconds.
To check the exact time, enter the date command and compare it to a known
good clock source (for example, www.time.gov).
Note: An NTP proxy and an NTP server cannot run in the same burb. Therefore, if
you have a proxy enabled and running in the same burb as the NTP server, the
NTP server will not start.
Why did NTP stop?
NTP is designed to quit automatically whenever the client's time deviates from
the server's signal by more than 15 minutes. When a deviation of this
magnitude occurs, NTP writes a message to the file /var/log/messages before
quitting.
To restart NTP, first set the Sidewinder G2's clock manually (refer to "Setting
the system date and time" in Chapter 3) and then follow the directions below
for restarting NTP.
Why does NTP appear to be inaccurate?
You probably have fixclock running.
NTP clients will not synchronize with the Sidewinder G2
This may be because, when the Sidewinder G2 is configured as an NTP
server, it reports itself as a stratum 0 time server. Not all clients can
synchronize from a stratum 0 server. To change the stratum setting, type the
following command:

cf ntp add server burb=burbname ip=127.127.1.0

where: burbname = the burb that is serving time to the NTP clients.
If the Sidewinder G2 is serving time to clients in multiple burbs, and one or
more clients in each burb has a problem with stratum 0 servers, you must type
this command once for each burb.
Restarting NTP from the UNIX prompt
If the NTP process stops, you can restart the NTP process by doing the
following:
1 At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role:
srole
2 To start the NTP time server, enter the following command:
cf server restart ntp burb=burb
3 [Optional] Verify the state of the NTP servers by entering the following
command:
cf server status ntp
Troubleshooting VPNs
In addition to standard logging, the Sidewinder G2 also performs auditing of
certain system events, which allows you to generate information on VPN
connections. Table 47 shows some useful commands you can use to track
VPN connections in real time and check VPN settings/configuration.

Table 47: Basic Sidewinder G2 VPN troubleshooting commands

Command: tcpdump -npi ext_interface port 500 or proto 50
    Shows IPSec key exchange (port 500) and ESP (protocol 50) traffic
    arriving at the Sidewinder G2.
Command: cf ipsec q
    Reviews VPN policies on the console.
Command: cf ipsec policydump
    Determines whether the VPN is active; the presence of SPI and transform
    numbers indicates that the secure connection is functioning.
Command: showaudit -v
    Shows detailed audit trace information for VPN. To enable a more detailed
    auditing level, in the Admin Console select VPN Configuration > ISAKMP
    Server and change the audit level using the pull-down menu.
GLOSSARY
ACE/Server A server made by Security Dynamics Incorporated that can be used to
authenticate users attempting connections through (or to) the Sidewinder G2.
ACL (access control list) Another term for active rule group.
activation The process by which a customer's licensed software becomes active.
activation key A string of numbers and characters that allows the operation of the software.
active rule group A rule group, often made up of nested rule groups and rules, that is loaded
into the Sidewinder G2 kernel and begins actively monitoring traffic coming into
and leaving the Sidewinder G2.
ActiveX Microsoft's name for certain object-oriented programming technologies and
tools. ActiveX is often downloaded and executed on a local system when
browsing the Internet, and may require specific port restrictions. Consult
Microsoft's documentation for more information.
Admin Console The graphical user interface (GUI) used to configure and manage the
Sidewinder G2. The Admin Console runs on Windows-based platforms.
Admin Console tree The hierarchical layout in the left-hand panel of the Admin Console.
Admn domain The physical and logical resources within the UNIX operating system that have
access to most of the other domains.
admin role The role assigned to administrators authorized to work in the Admn domain
with full privileges. An administrator assigned the admin role can use all
menus and commands in the Admin Console. This includes adding or
removing users, backing up and restoring the system, and using all other
system functions and commands.
adminRO role The read-only role assigned to administrators authorized to access and view,
but not modify, information. The adminRO role is essentially an auditor role,
allowing the administrator to view system and audit information, as well as
generate reports.
Administrative kernel A UNIX kernel that provides the environment needed to perform
administrative tasks such as installing software or running a system backup.
When the Administrative kernel is running, all network connections are
disabled and Internet services are not available; Type Enforcement security is
disabled. See also Operational kernel.
alarm event A Sidewinder G2 feature used to monitor your network for potentially
threatening activity, such as an attempted attack or an audit overflow. When
an alarm event is generated, an appropriate event response is issued.
alias An arbitrary name that a system administrator can assign to a network
element. Aliases can typically be any combination of up to 16 characters
(without spaces).
API (application program interface) A stable, published software interface to an operating system or specific
software program by which a programmer writing a custom application can
make requests of the operating system or specific software program. (An API
provides an easy and standardized connection to a particular software
component.)
Application Defenses A feature that is incorporated in proxy rules to configure application-specific
properties for each proxy on a per-rule basis. Properties include basic timeout
properties and application-specific permissions, as well as anti-virus/spyware,
anti-spam/fraud, SSL decryption, and Web services management for key
proxies.
application-layer proxy Also known as an intelligent proxy. Application-layer proxies check
application-layer data as it comes into the Sidewinder G2. If the data is
compliant with that application's standard, the Sidewinder G2 initiates a new
connection on its opposite side and passes on the data. If the data is not
compliant, the Sidewinder G2 drops the data.
ARP (address resolution protocol) A protocol used to map an IP address to a MAC address. A gratuitous ARP is
a system broadcasting its own information, often after an address change, so
other devices can update their ARP caches.
auditing A method of collecting and storing information that can be used to track
system activity (for example, authentication attempts, configuration
modifications, stopping and starting of services, etc.).
authentication A process that verifies the authenticity of a person or system before allowing
access to a network system or service.
authenticator A device or mechanism used to verify the identity of an individual logging onto
a network, application, or computer. Authenticators are also called tokens.
BIND (Berkeley Internet Name Domain) A standard program which implements the Domain Name Service (DNS).
BSD/OS The operating system obtained from Wind River, Inc., and used as a base for
developing SecureOS. See also SecureOS.
burb A set of one or more interfaces and the group of systems connected to each
interface that are to be treated the same from a system security policy point of
view.
certificate See digital certificate.
Certificate Authority (CA) A highly trusted entity that issues and revokes certificates for a set of
subjects, and is ultimately responsible for their authenticity.
CGI (common gateway interface) Any server-side code that accepts data from forms via HTTP. The forms are
generally on Web pages and submitted by end users.
challenge A set of random numbers generated by the computer being accessed. The
numbers are entered into the authenticator, which then generates a password.
You can set some authenticators to generate a password in response to a
challenge.
cipher key In order for encryption to be unique, it uses a random set of characters, called
a cipher key. Encrypting data using two different keys will produce two
completely different results. All authenticators contain at least one key that
they use to generate passwords.
circuit proxy See network-layer proxy.
client A program or user that requests network service(s) from a server.
daemon A software routine within UNIX that runs in the background, performing
system-wide functions.
daemond (Pronounced daimon-dee) A powerful Sidewinder G2 component process that
enhances overall security by monitoring and controlling all of the Sidewinder
G2's major software components. It also detects and audits some classes of
attacks against the Sidewinder G2.
dark data center A term used to describe a data processing facility where all machines are
designed to be managed remotely. This type of facility maximizes storage
space by rack-mounting computers and minimizes overhead costs by not
needing lights. Machines stored in a dark data center ideally require minimal
physical human interaction.
DHCP (dynamic host configuration protocol) A protocol for dynamically assigning IP addresses to networked devices. In a
dynamic environment, IP addresses may change frequently. Using DHCP
addressing requires the device to be on a network with a DHCP server.
digital certificate A data structure that is digitally signed by a CA, or a signature source that
users can trust. The certificate contains a series of values, such as the
certificate name and usage, information identifying the owner of the public
key, the public key itself, an expiration date, and the name of the CA that
generated the certificate.
DMZ (demilitarized zone) A network buffer zone that generally hosts services that require interaction
with Internet traffic, while still protecting internal systems. On Sidewinder, the
DMZ is generally a burb for hosting Web servers and other hosts that
receive large volumes of external, untrusted traffic.
DNS (domain name system) A TCP/IP service that maps domain and host names to IP addresses, IP
addresses to domain and host names, and provides information about
services and points of contact in a network or the Internet. A set of connected
name servers and resolvers allows users to use a host name rather than a 32-bit
Internet address.
domain (1) Relative to networking, the portion of an Internet address that denotes the
name of a computer network. For instance, in the e-mail address
jones@example.sales.com, the domain is example.sales.com. (2) Relative to
Type Enforcement, an attribute applied to a process running on SecureOS
that determines which system operations the process may perform.
DoS (denial of service) An event in which a network experiences a loss of a service, like e-mail or a Web
server, that is expected to be available. This event is generally caused by a
malicious attack, but may also happen accidentally.
DSS (defender security server) A server made by AssureNet Pathways that can be used to authenticate users
attempting connections through (or to) the Sidewinder G2. See also
SecureNet Key (SNK).
dynamic password The unique one-time response to a login challenge or special code
presented by an authentication server. Each password is obtained using a
software or hardware authenticator that communicates with a password
generator.
editor A program that can be used to create or modify text files. See also File Editor.
encryption Data encryption uses a secret code to scramble information so that it can be
read only by computers using the same code or encryption technology. While
encryption reduces the risk of unauthorized access, it does not create a totally
safe networking environment on its own.
end user See user.
event response A response to an alarm event that includes notifying the administrator and/or
performing a Strikeback.
extended authentication (XAUTH) An extension of the IKE protocol. It provides a mechanism to employ an
administrator-selected authentication mechanism in addition to the existing
IKE authentication (that is, in addition to certificate-based or pre-shared key
authentication). It initiates after the existing IKE authentication mechanism is
successful. XAUTH enables use of strong authentication (sometimes referred
to as legacy authentication) in VPN configurations.
external DNS
External DNS provides a limited external view of the organizational domain. No internal information is available to the external DNS, and only the external DNS can communicate with the outside. Therefore, no internal naming information can be obtained by anyone on the outside. The external DNS cannot query the internal DNS or any other DNS server behind the Sidewinder G2.

failover
See high availability.

failure mode
See safe mode.

File Editor
The program available directly in the Admin Console that can be used to create or modify text files. The File Editor communicates with the Sidewinder G2 using a secured connection.

firewall
A network component that filters traffic between a designated “protected network” and external networks. A firewall enforces a policy that determines which connections may cross between the networks, reducing the exposure of the protected network to unauthorized entry and file manipulation.

firewall ID
The MAC address by which you choose to identify your Sidewinder G2. The firewall ID is used when activating your Sidewinder G2.

fixed password
A string of characters of varying length and composition (text and/or numerics) used to identify a user attempting to access a service. Fixed passwords remain unchanged unless given a finite life span. Fixed passwords are also known as memorized passwords.

FTP (File Transfer Protocol)
A protocol used on the Internet for transferring files. FTP sends user names, passwords and file contents in cleartext.

FTP site
An Internet site that hosts directories and files that you can browse and copy to your system using the File Transfer Protocol (FTP).

gateway
A network component used to connect two or more networks that may use dissimilar protocols and data transmission media.

generic proxy
An administrator-configured Sidewinder G2 proxy that is not part of the Sidewinder G2’s preconfigured proxies.

group
A logical grouping of two or more users, identified by a single name. See rule group, user groups.

hardware acceleration
A licensed feature that improves throughput when processing traffic. This feature consists of both hardware and software elements.

hardware authenticator
Also referred to as a token. Hardware authenticators are hand-held devices that use an internally held cryptographic variable to generate a dynamic (single-use) passcode.

high availability
A licensed feature that allows a second Sidewinder G2 to be configured either in a load-sharing capacity or in “hot backup” mode.
host
Any computer connected to a network; for example, a workstation, router, Sidewinder G2, or server.

HTML (Hypertext Markup Language)
A markup language used to create Web documents. Hypertext uses special links that you can click to jump from one related topic to another.

HTTP (Hypertext Transfer Protocol)
An agreed-upon format (protocol) that requests and transfers HTML documents on the World Wide Web.

HTTPS (Hypertext Transfer Protocol Secure)
HTTP carried over an encrypted SSL/TLS connection, so that requests and documents are protected from eavesdropping and tampering in transit.

ICANN (Internet Corporation for Assigned Names and Numbers)
A U.S. non-profit organization designated to coordinate the allocation of IP address space, the assignment of protocol parameters, domain name system management, and the root server system. Domain names themselves are registered through accredited registrars, not through ICANN directly.

IETF (Internet Engineering Task Force)
The standards body that develops Internet protocol standards, published as RFCs, including the IPSec standard that protects data on unprotected (or untrusted) networks such as the Internet.

IKE (Internet Key Exchange)
A key management protocol standard, built on ISAKMP and Oakley, that authenticates the peers and negotiates the security associations and keys used in a VPN connection.

interface
A shared boundary through which information can be exchanged. (An interface may be a shared portion of computer software accessed by two or more programs, a hardware component linking two devices, or a device or program allowing a user to communicate with and use the computer or program.)

internal DNS
Manages DNS information that is available only to internal machines. The internal name server cannot receive queries from external hosts, since it cannot communicate directly with the external network. Resolution of external DNS information, both for the Sidewinder G2 itself and for internal queries about external names, is handled by the internal name server. Although it is unable to communicate directly with external hosts, it is able to send queries and receive the responses via the external DNS.

IP address
A 32-bit address, written in standard dotted-quad notation, assigned to TCP/IP network devices. An IP address must be unique within the network in which it is routed; a public IP address is unique on the Internet. An IP address contains a network field and a host field.

IP Filter
Provides the ability to specify rules that allow IP-based traffic to flow through the Sidewinder G2 at the network layer. For example, traffic may pass through the Sidewinder G2 without being passed to the application proxies. IP Filter can track TCP session states, and this is sometimes referred to as “stateful inspection.”

IPSec (Internet Protocol Security)
A set of standards created to provide data integrity, origin authentication and confidentiality at the IP layer of the network stack.
ISAKMP (Internet Security Association and Key Management Protocol)
A protocol framework that sets the parameters for a VPN connection by defining the payload format, how the key exchange protocol will be implemented, and how the security association will be negotiated.

ISP (Internet Service Provider)
A company that provides individuals and other companies with access to the Internet and related services such as Web site building and virtual hosting. An ISP has the equipment and the telecommunication line access required to have a point-of-presence (POP) on the Internet for the geographic area served.

kernel
Manages all physical resources, including scheduling of processes, virtual memory, file system management, reading and writing files to disk or tape, printing, and network communications. The Sidewinder G2 runs in one of two kernels: the operational kernel or the administrative kernel.

key pair
A private key and a mathematically related public key. The private key is safeguarded by the owner and known only to them. The public key can be distributed to anyone. This allows one key to be used for encryption and the other for decryption.

key pair generation
The process of generating mathematically related public/private key pairs.

LDAP (Lightweight Directory Access Protocol)
An Internet standard for directory services that run over TCP/IP.

login ID
When used in conjunction with a password, a means of authentication to start a session with a computer system.

MAC (media access control) address
A unique address assigned to network interface card hardware as a means of identification. Sidewinder G2 licenses are locked to a MAC address on the Sidewinder G2.

mail server
A network computer that serves as an intermediate station for electronic mail transfers.

man page
Short for manual page; refers to the online help that is available within the UNIX operating system. For example, entering man ls at the UNIX prompt displays a description of the UNIX ls command.

MAT (multiple address translation)
The ability of a single Sidewinder G2 interface to support multiple external IP addresses, so that inbound connections can be directed based on destination IP address and service. MAT allows proxies for the same service to be directed to different destinations according to the IP address to which the client connected.

MIB (management information base)
Within the SNMP architecture, a database that stores information about managed objects. These objects are used in the management of networks.

MIME (Multipurpose Internet Mail Extensions)
Allows a mail client or Web browser to send and receive non-textual information, such as graphics, audio, video, and spreadsheets.
MX (mail exchanger) records
Entries in DNS that define where e-mail for addresses within a domain name is delivered.

name resolution
The process in which name servers supply address and hostname information to hosts.

name server
A network computer that maintains the mapping between IP addresses and corresponding domain names.

NAS (network access server)
A computer that is specially made to receive communications from outside an organization and distribute them within the organization on its network. It uses TACACS+, RADIUS, or other protocols for authorization and sometimes for accounting.

NAT (network address translation)
The ability of the Sidewinder G2 to rewrite the source address of a packet to a new IP address specified by the administrator.

nested rule group
A rule group that you place within another rule group.

network-layer proxy
Also known as a circuit proxy. Network-layer proxies check data at the transport and session (TCP/IP) layers to verify that the data packet complies with expected standards.

NIC (network interface controller)
Hardware, like a computer circuit board, that contains a port or jack that enables a computer to connect to network wiring (Ethernet cable, phone line, etc.).

NNTP (Network News Transfer Protocol)
The protocol by which network news articles are transferred or read across the Internet.

node
(1) Any network device, such as a workstation or server. (2) The connection point for devices in a network.

non-anonymous FTP
An FTP site that can only be accessed by individuals who enter a valid user name and password.

nslookup (name server lookup)
A UNIX command that allows you to interactively query a DNS server and verify that the name server is properly resolving host names and IP addresses.

NSS (network service sentry)
Manages servers and proxy services on the Sidewinder G2.

NTP (Network Time Protocol)
A protocol that provides a way to synchronize all clocks on a network, or to synchronize the clocks on one network with those on another network.

object
Generally, an item that you can individually select and manipulate, including shapes and pictures that appear on a display screen, as well as less tangible software entities.
ODBC (Open Database Connectivity)
A widely accepted application programming interface (API) for database access. It is based on the Call-Level Interface (CLI) from X/Open and ISO/IEC for database APIs and uses Structured Query Language (SQL) as its database access language.

off-line
State of a computer when it is not connected to another device.

on-line
State of a computer when it is connected to another device.

operational kernel
The Sidewinder G2 SecureOS kernel that provides the normal operating state, including Type Enforcement controls. When this kernel is running, the Sidewinder G2 can connect to both the Internet and the internal network, and all configured services are operational.

OS (operating system)
The master control program that manages the computer’s hardware and runs its applications.

OSPF (Open Shortest Path First)
A link-state routing protocol that dynamically updates routing table information. OSPF propagates only changed link-state information, an improvement over earlier distance-vector protocols such as RIP that periodically send entire routing tables.

packet filtering
Packet filters allow network administrators to limit a user’s access to specific services on the network. For example, a user may be allowed to send electronic mail, but not copy data files from the network. Packet filtering on the communications server analyzes each packet sent from a remote client. The filter can determine the computer and service the user is attempting to reach and either permit or deny access to that service.

password
The most common form of authentication. Some networks require multiple levels of passwords to gain access to various servers or databases. Passwords become weak links when they are shared among colleagues, stolen, written down, or created in such a way that they can be easily guessed.

PIN (personal identification number)
A number known only by an individual, for the purpose of helping identify a person during a computer-based authentication process. PINs should be memorized by the individual.

ping
A command that sends an ICMP Echo Request from a host to another host over a network and reports the replies, to test connectivity and packet loss.

PKI (public key infrastructure)
A system for distributing public cryptographic keys within a community of interested users. The predominant model (based on X.509) makes use of digital certificates issued by certificate authorities. A PKI enables secure remote communication in a number of network application areas.

port
The number that identifies the destination application process for transmitted data. Port numbers range from 0 to 65535, with 0 reserved. (For example, Telnet typically uses port 23, DNS uses 53, etc.)

primary name server
The DNS server for a domain where the name information is stored and maintained.
private key
The private key is used to decrypt messages that were encrypted with the corresponding public key. A private key can also be used to digitally sign messages; the recipient uses the corresponding public key to verify the authenticity of the message.

protocol
A set of rules by which one entity communicates with another, especially over a network. This is important when defining rules by which clients and servers talk to each other over a network. Important protocols become published, standardized, and widespread.

proxy
A software agent that acts on behalf of a user requesting a network connection through the Sidewinder G2. A proxy accepts a connection from a user, decides whether the user or client IP address is permitted to use the proxy, optionally performs additional authentication, and then completes a connection on behalf of the user to the remote destination.

proxy server
A server that acts on behalf of another server, and may perform tasks such as caching, access control, or providing a route to a destination server. Administrators may choose to configure proxy servers as transparent, meaning the end user is unaware of the proxy server’s presence, or non-transparent, meaning the end user must authenticate to, or interact with, the server.

public key
A public key is used to encrypt messages that only the holder of the corresponding private key can decrypt. Public keys can also be used to verify the authenticity of digitally signed documents.

public key cryptography
A class of cryptographic methods that employ a pair of keys for encrypting and decrypting messages. A message encrypted with the public key can only be decrypted with the corresponding private key. Within a public key cryptography system, the public key may be made public without compromising the encrypted data. Public key cryptography enables encryption and digital signatures, and simplifies cryptographic key distribution through the use of a public key infrastructure.
Quick Start Wizard
A Windows-based program that allows you to perform the initial configuration of your Sidewinder G2 or G2 Enterprise Manager.

RADIUS (Remote Authentication Dial-In User Service)
An authentication protocol developed by Livingston Enterprises Inc. Recognized by the Internet Engineering Task Force (IETF) as a dial-in security solution on the Internet (RFC 2138, since superseded by RFC 2865).

RAID (redundant array of independent disks)
Stores information on multiple hard disks to provide redundancy. Using RAID can improve performance and fault tolerance.

redirected proxy
A Sidewinder G2 proxy option that reroutes a connection to a specific host system, hiding the actual destination address or port from the system requesting the connection.
reference implementation
An IETF term. It is the particular implementation of the protocol or standard that is referred to and used in the associated RFC.

registration
The process of authenticating one Sidewinder G2 to an HA cluster or One-To-Many cluster. This process establishes an encrypted, trusted connection between the two systems.

remote management
The ability to administer a system from a remote location.

RFC (Request for Comments)
One of a series of documents published by the Internet Engineering Task Force (IETF). Most RFCs document protocol specifications and standards.

RIP (Routing Information Protocol)
A distance-vector routing protocol in which routers update their routing tables by periodically exchanging their entire tables with their neighbors.

role
A login mode used for administering the Sidewinder G2. The Sidewinder G2 separates administrator access into two roles: admin (write privileges) and adminro (read-only privileges).

root
In UNIX, a user name that gives special privileges to a person who logs onto the system using that name and the correct password. The root user has access to all of the system’s files. The Sidewinder G2 does not allow root privileges.

root servers
The highest-level DNS servers.

router
A network device that forwards data between two or more networks, delivering packets to their final destination or to another router.

rule
A rule is a mini policy that contains criteria used to inspect incoming or outgoing traffic. Rules determine whether that traffic will be allowed to continue to its destination. There are two distinct rule types that you can configure on the Sidewinder G2: proxy rules and IP Filter rules.

rule group
An organized set of rules. A rule group can consist of both rules and nested rule groups.

safe mode
Also known as failure mode, a Sidewinder G2 operating state that allows system administration while not allowing network traffic to pass through. A Sidewinder G2 can enter this mode under conditions that include: (a) after a failed license check, (b) after a reboot during which the system detects a problem with an installed patch, (c) after a reboot during which the system failed to start a critical service, or (d) after the audit partition has overflowed.

secondary name server
A DNS server that downloads and records a backup copy of domain information from a primary DNS server.

SecurID token
A small hand-held device used to calculate the proper response during a login attempt.

SecureNet Key (SNK)
A strong authentication system made by Digital Pathways Incorporated.
SecureOS
The UNIX-based operating system used in a Sidewinder G2 system. SecureOS is built upon BSD/OS and includes Type Enforcement security mechanisms.

session
The time period from when a terminal user logs on to the system until they log off the system.

server
A computer system that provides services (such as FTP) to a network, or a program running on a host that offers a service to other hosts on a network.

SMTP (Simple Mail Transfer Protocol)
The TCP/IP protocol that transfers e-mail as it moves through the system.

SNMP (Simple Network Management Protocol)
The industry standard protocol used for network management.

SNMP agent
A server that communicates with SNMP management stations to provide information and status for a network node.

SOA (Start of Authority)
A record found in every DNS zone that identifies the zone’s primary name server and carries other administrative information about the zone, such as the serial number and the refresh, retry and expire timers that secondary name servers use.
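The split-DNS arrangement described under external DNS and internal DNS, together with the SOA, MX, primary name server and secondary name server entries, written out as an added configuration example in BIND syntax. This is not the Sidewinder G2’s own DNS configuration: the two named.conf fragments and the zone file below are illustrative, and the addresses (192.0.2.x outside, 10.1.1.1 and 10.0.0.0/8 inside), zone name and file names are assumptions.

```conf
// ---- named.conf for the EXTERNAL name server (outside interface) ----
// Authoritative for the public view of example.com only. Outsiders get
// non-recursive answers; only the internal server may ask it to recurse;
// zone transfers go only to the public secondary.
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };            // assumed external address
    allow-query { any; };
    recursion yes;
    allow-recursion { 10.1.1.1; };       // only the internal server may recurse
    allow-transfer { 192.0.2.53; };      // assumed public secondary (ns2)
    version "not disclosed";
};
zone "example.com" {
    type master;
    file "example.com.external";         // public hosts only
};

// ---- named.conf for the INTERNAL name server (inside interface) ----
// Holds the internal zone and answers internal clients only. It never
// contacts outside servers: anything it cannot answer is forwarded to the
// external server, the one system permitted to reach the Internet.
options {
    directory "/var/named";
    listen-on { 10.1.1.1; };             // assumed internal address
    query-source address 10.1.1.1;
    allow-query { 10.0.0.0/8; };         // assumed internal network
    allow-transfer { none; };            // never give the internal zone away
    recursion yes;
    forwarders { 192.0.2.1; };           // the external server above
    forward only;                        // no direct lookups on the outside
};
zone "example.com" {
    type master;
    file "example.com.internal";         // public hosts plus internal hosts
};

// ---- example.com.external: the zone file the outside world sees ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2006041801 ; serial: increment on every change
                3600       ; refresh: how often the secondary checks the serial
                900        ; retry after a failed refresh
                604800     ; expire: drop the zone if the primary stays unreachable
                300 )      ; negative-caching TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
        IN MX   10 mail.example.com.    ; e-mail for user@example.com goes here
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.53
mail    IN A    192.0.2.25
www     IN A    192.0.2.80
; No record here names a 10.x host: internal names exist only in
; example.com.internal, which the external server never loads.
```

The point to check in a real deployment is the pair of transfer settings: `allow-transfer { none; }` on the internal server, so the internal zone cannot be pulled out even by a host that can reach it, and a transfer list on the external server limited to the secondary that actually needs the public zone.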
srole
A Sidewinder G2 UNIX command used to change to a different domain (User, Admn, or AdmRO).

SSO (single sign-on)
The ability of a user to authenticate once and then have access to protected content on sites in multiple Internet domains.

standalone
Refers to a device or software program that is self-contained; one that does not require any other device or software program to function.

standard password authentication
A UNIX mechanism that requires someone logging into a network server to enter a password in order to prove they have a valid login account.

stateful inspection
A method of filtering in which the firewall records each permitted session (source and destination addresses, ports, and protocol state) in a dynamic state table. Subsequent packets are checked against the table: packets that belong to a recorded session are passed, while packets that match no session and are not a valid request to open a new one are dropped.
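The state-table behaviour described in the IP Filter, packet filtering and stateful inspection entries, as an added Python example. It is not the Sidewinder G2 IP Filter code; the rule format, the addresses and the packet trace are constructed for the demonstration. The rule set is consulted only when a packet tries to open a new TCP session; every later packet is judged by the state table alone, which is why an unsolicited ACK from outside (an ACK scan, which a stateless “allow established” filter would pass) is dropped.

```python
"""Stateful inspection over a constructed packet trace.

Added example, not the Sidewinder G2 IP Filter implementation. Rules are
consulted only for a packet that opens a new TCP session; all later packets
are judged by the dynamic state table. Addresses, ports and the trace are
constructed for the demonstration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: int
    action: str               # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and pkt.dport == self.dport)


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}       # (src, sport, dst, dport) of the initiator -> state

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd not in self.state and rev not in self.state:
            # Unknown session: only a bare SYN may open one, and only if a rule
            # allows it. A stray ACK (for example an ACK scan) matches nothing.
            if pkt.flags != frozenset({"SYN"}):
                return "drop (no state)"
            for rule in self.rules:           # first matching rule decides
                if rule.matches(pkt):
                    if rule.action == "allow":
                        self.state[fwd] = "SYN_SENT"
                        return "allow (new session)"
                    return "drop (rule)"
            return "drop (default deny)"
        owner = fwd if fwd in self.state else rev
        if pkt.flags & {"FIN", "RST"}:
            del self.state[owner]             # session is over; forget it
            return "allow (session closed)"
        if self.state[owner] == "SYN_SENT":
            if owner == rev and pkt.flags == frozenset({"SYN", "ACK"}):
                self.state[owner] = "ESTABLISHED"
                return "allow (handshake)"
            if owner == fwd and pkt.flags == frozenset({"SYN"}):
                return "allow (SYN retransmit)"
            return "drop (invalid for state)"
        return "allow (established)"


def pkt(src, sport, dst, dport, *flags) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


# Policy: inside (10/8) may open HTTP sessions to anywhere; nothing else.
POLICY = [Rule("10.0.0.0/8", "0.0.0.0/0", 80, "allow")]

# Constructed trace: one legitimate web session, one outside probe, then
# a packet arriving after the session was closed.
TRACE = [
    pkt("10.1.1.5", 40000, "198.51.100.10", 80, "SYN"),
    pkt("198.51.100.10", 80, "10.1.1.5", 40000, "SYN", "ACK"),
    pkt("10.1.1.5", 40000, "198.51.100.10", 80, "ACK"),
    pkt("198.51.100.10", 80, "10.1.1.5", 40000, "ACK"),        # reply data
    pkt("203.0.113.7", 4444, "10.1.1.5", 22, "ACK"),           # ACK scan
    pkt("203.0.113.7", 4444, "10.1.1.5", 22, "SYN"),           # inbound SSH
    pkt("10.1.1.5", 40000, "198.51.100.10", 80, "FIN", "ACK"),
    pkt("198.51.100.10", 80, "10.1.1.5", 40000, "ACK"),        # after close
]


def run_trace(rules=POLICY, trace=TRACE):
    """Returns the verdict for each packet, in order."""
    flt = StatefulFilter(rules)
    return [flt.inspect(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}: {verdict}")
```

Two details carry the security value: the policy table is never consulted for a packet that already belongs to a session, so a rule change takes effect for new sessions without breaking existing ones, and a closed session is removed from the table at once, so a late packet that reuses the old port pair is treated as unsolicited rather than trusted.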
Strikeback®
A Sidewinder G2 feature that can be configured to gather information about detected network access violations, or to ignore packets from a particular host for a specified period of time.

strong authentication
A login process that requires a user to enter a unique, one-time response to a login challenge or special code presented by an authentication server. The authentication server resides somewhere in the internal network and sends a login challenge to a user when he or she attempts to log in. The user must make the proper response to the challenge using a special hardware or software token.
subnet
A network addressing scheme that divides a single network into a number of smaller logical networks, each with its own address range, to simplify routing and to limit broadcast traffic.

syntax
Refers to the spelling and grammar of a programming language. Computers are inflexible machines that only understand what you type if you type it in the exact form (syntax) that the computer expects.

TCP/IP (Transmission Control Protocol/Internet Protocol)
A networking protocol suite created for use in the Internet.

Telnet
A TCP/IP protocol that directs the exchange of character-oriented data during a client-to-server session. Telnet transmits everything, including login passwords, in cleartext.

token
A small hand-held hardware device or client software used to generate a one-time passcode or password. See hardware authenticator.

traceroute
A UNIX command that shows all of the routing hops between one host and another.

trap
An SNMP alert message sent as an unsolicited transmission of information from a managed node (router, Sidewinder G2, etc.) to an SNMP management station.

Type Enforcement®
Secure Computing’s patented security technology that protects against intruders by preventing someone from taking over the UNIX operating system within the Sidewinder G2 and accessing critical files or doing other damage.

UAP
User Authentication Points.

UDP (User Datagram Protocol)
A connectionless protocol that transfers data across a network with no delivery guarantees; its only error checking is an optional checksum.

UNIX
A powerful operating system used in high-end workstations and computer systems on the Internet. It allows a single computer to operate multiple programs and be accessed by other computers, all at the same time.

URL (Uniform Resource Locator)
Provides the address of a specific resource on the Web. Every Internet file has a unique URL, which indicates the name of the server, the directory, and the specific document. The general form of a URL is scheme://host/path. For example, ftp://www.website.com; http://www.website.com.

user (end user)
A collection of specific data elements that identify the user to the system, define the resources to which they have access, the administrative group to which they belong, and their role within a network structure.

user domain
The domain that allows access to all nonsensitive files.

user groups
A logical grouping of two or more users, identified by a single name.
VPN (virtual private network)
A method of authenticating and encrypting data transmissions between machines (Sidewinder G2-to-Sidewinder G2, Sidewinder G2-to-client) via the Internet. A VPN makes it appear as though the networks on the internal side of the Sidewinder G2s are connected to each other via a pair of routers with a leased line between them.

VPN tunnel
A secure route via the Internet between two machines (Sidewinder G2-to-Sidewinder G2, Sidewinder G2-to-client, etc.) that use authentication and encryption to transfer data.

warder
A Sidewinder G2 server that provides an interface between the proxy software and the various authentication services.

weak authentication
A login process that merely requires a user to enter the same password each time he or she logs in. The “standard” UNIX password process is considered a weak authentication method. If someone “sniffs” the password off the phone line or network as it is transmitted, they can reuse that password to break into the system. Because your internal network is thought to be “trusted,” this type of authentication is generally used for authenticating internal-to-external proxy connections.
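The difference between weak authentication (a fixed password) and strong authentication (a dynamic password produced by a hardware authenticator in answer to a server challenge), seen from the position of someone who sniffs one login exchange, as an added Python example. It is not code from this guide and does not model any particular vendor’s token: the HMAC-SHA256 construction, the 8-digit truncation, the password, the token secret and the challenge size are assumptions made for the demonstration.

```python
"""Weak (fixed password) versus strong (challenge-response) authentication,
seen by an attacker who sniffs one login exchange.

Added example, not code from the Sidewinder G2 guide and not a model of any
particular vendor's token. The token is assumed to compute an HMAC-SHA256 over
the server's challenge with a secret that never leaves the device; the
password, secret and challenge size are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


class FixedPasswordServer:
    """Weak authentication: the same secret crosses the wire on every login."""

    def __init__(self, password: str):
        self._password = password

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._password)


def token_response(secret: bytes, challenge: str) -> str:
    """What the hardware or software authenticator computes and displays.

    Only the truncated 8-digit passcode is typed in; the secret is never sent.
    """
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ChallengeResponseServer:
    """Strong authentication: each login needs a fresh challenge and a
    response that only the holder of the token secret can produce."""

    def __init__(self, token_secret: bytes):
        self._secret = token_secret
        self._outstanding = set()     # challenges issued but not yet used

    def challenge(self) -> str:
        c = secrets.token_hex(8)      # 64 random bits, never reused
        self._outstanding.add(c)
        return c

    def login(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False              # unknown, expired or already consumed
        self._outstanding.discard(challenge)   # one-time: consume before checking
        expected = token_response(self._secret, challenge)
        return hmac.compare_digest(response, expected)


def sniffed_replay():
    """Replays what an eavesdropper captured against both servers.

    Returns (weak_login, weak_replay, strong_login, strong_replay, strong_guess).
    """
    weak = FixedPasswordServer("hunter2")            # constructed password
    captured_password = "hunter2"                    # seen on the wire
    weak_login = weak.login(captured_password)
    weak_replay = weak.login(captured_password)      # works again and again

    secret = b"constructed-token-seed-do-not-reuse"  # lives inside the token
    strong = ChallengeResponseServer(secret)
    chal = strong.challenge()
    resp = token_response(secret, chal)              # user reads it off the token
    strong_login = strong.login(chal, resp)          # both chal and resp are sniffed
    strong_replay = strong.login(chal, resp)         # same pair again: rejected
    fresh = strong.challenge()
    strong_guess = strong.login(fresh, resp)         # old response, new challenge
    return weak_login, weak_replay, strong_login, strong_replay, strong_guess


if __name__ == "__main__":
    print(sniffed_replay())   # (True, True, True, False, False)
```

The server consumes the challenge before it checks the response, so even a correct response cannot be presented twice; that ordering is what turns a sniffed login into a dead end instead of a credential. The fixed-password server has no equivalent step, which is why the glossary warns against using it anywhere the wire is not trusted.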
Web farm
A group of computers that host multiple Web servers for one Web site or a group of Web sites belonging to the same company. Load balancing is often used to distribute traffic among the servers to handle shifts in demand.

XAUTH
An abbreviation of extended authentication. See extended authentication (XAUTH).
INDEX

A
A record (address record) 331, 334
acat_acls 659
accept certificate 21
access control
  report 556
account
  administrator 43
  changing password 47
ACE/Server 281
ACL
  monitoring tool 659
  rule checking 353
  sort 553
activation
  troubleshooting 655
activation process 55
active network connections report 527
active rule group 240
activity reports 557
adding
  disk space 647
  hardware 647
  host 20
  memory 647
add-on modules
  anti-spam 173
  anti-virus 69
  patches for 76
  SSL decryption 159
address
  pools 407
  redirection 224, 247
Admin Console 18
  administration options 18
  configuring user groups 133
  exit 24
  File Editor 26
  file editor 353
  logging in 21
  main window 23
  management 92
  setting system date and time 47
  tips when using 25
  valid port values 15
admin role
  file access 8
  tasks 43
administration
  remote via Admin Console 19–25
  remote via SSH 30
  remote via telnet 36
administration tool 18
administrative kernel 4, 8
  authentication 636
  backups 639
  booting to 636
  checking if you’re in 49
  clear authentication lockout 654
  features 5
  when to use 40
administrator
  account 43
  authentication 275
  cautions when editing UNIX files 595
adminro role 43
Admn domain 8
alarms see IPS attack responses and system event responses
algorithms with VPN 448
alias
  IP addresses 88, 127
  mail 365, 369
  root 369
allow-query option 324, 328
allow-transfer option 324, 328
allow-update option 328
analysis see Sidewinder G2 Security Reporter
anomaly detection 521
  see also attacks
anonymous ftp 470
Anti-spam filtering
  advanced 356
  threshold configuration 359
  whitelist configuration 356
Anti-virus filtering
  for FTP 188–190
  for Mail 177
  for Web 165
  scanner configuration 69–73
aol proxy 250
Application Defenses
  Citrix 185
  FTP 186
  groups 202
  Mail 172
  Multimedia 192
  Oracle 194
  Secure Web 156
  SNMP 198
  SOCKS 197
  standard 201
  Web 156
  Web Cache 170
ARP
  force reset and HA 496–497
  gratuitous 491
  Network Defense 217
attack audits
  ICMP 215
  IP 212
  TCP 210
  UDP 213
attacks
  about responses 564
audit
  *.gz files 534
  *.raw files 534
  attack responses 564
  configuring 564
  dashboard 521–524
  events 533
  exporting data 538
  overview 533
  probe attempts 554, 555
  root accesses 556
  sample message 547
  sending SNMP traps 466, 579
  sending to syslog 549
  Sidewinder G2 Security Reporter 559
  SNMP traps 466, 579
  system event responses 564
  understanding messages 547
  viewing 534
  viewing messages 547
audit.raw file 343, 533
auditbotd 532, 533
auditd 532, 533, 549
auditdbd 66
authentication
  administrative kernel 636
  administrators 275, 306
  authenticators 276
  clear locks 654
  defined 395
  enable/disable in admin kernel 653
  failure lockout 285
  in proxy rules 113
  methods 277
  overview 282
  password 278, 291
  proxies 274
  RADIUS 281, 292
  SafeWord PremierAccess 279, 294
  SafeWord RemoteAccess 279
  SecurID 281
  SNK 281, 296
  SNMP message header 465
  SSH login 30
  SSO 300
  strong 275
  summary 274
  user groups 104
  warder 282
  weak 275
  Web session authentication 305
  Windows Domain 280, 298–300
  with VPN 395
authenticators 276
B
backup
  backup_file_list 51
  complete (full) 638
  configuration files 50
  contents 51
  example 640
  file types 638
  in administrative kernel 638
  incremental 639
  levels 638
  overview 638
  restore 641
backup configuration files
  via command line 646
bibliography xxi
binary characters 176
BIND 314
blackhole list 366, 367
Blackhole option 570
boot process
  failure 651
boot prompt 636
booting 40
broadcast address 413, 624
browser 378, 381, 389
  caching 381, 385
  download MIB files 470
  Internet Explorer 390
  Netscape 390
  SmartFilter compatible 171
BSD/OS 4
burb 8
  configuring 82
  Internet 83
Bypass IP Filter Rules 123, 230
C
caching
  configuring 385
  WebProxy server 259, 385
category codes (SmartFilter) 633
category names (SmartFilter) 633
central management see Enterprise Manager
certificate accept window 21
Certificate Authority (CA)
  checking 426, 428
  defined 397
  definition 415
  public versus private 419
certificate management daemon 404
certificate server 404
certificates
  configuring 424, 427
  defined 415
cf command
  command syntax 584
  displaying the man page listing 584
  list 584–593
  overview 584
change password server 66, 306
changepw_form proxy 250, 307
changing admin password 47
chtype command 364, 596
Citrix proxy (ica) 251
client address pools 407
clientless VPN 259, 375
cluster
  high availability 488
clustering
  see One-To-Many 474
CMD server 66, 404
CNAME record 334, 335
command line interface 18
commands
  cf areas 584–593
  dig 529
  finger 527
  mail queue 370
  netstat 528
  nslookup 528
  ping 530
  process 525
  route 528
  showaudit 534, 668
  tcpdump 666, 668
  top 525
  traceroute 530
  uptime 525
  vmstat 525
  whereami 49
  whois 529
community names 465
configuration
  auditing 564
  DNS 315, 318
  files 50, 595
  interface 83
  mail 355
  mail host 350
  OSPF 606
  Strikeback 564
configuring
  network objects 139
  user groups 133
connection service type 112
control list (SmartFilter)
  category codes 633
  category names (SmartFilter) 633
control list for Web access 384
CPU
  time by process 525
CRL 421
cron scripts 598
D
daemond 12
daily system activity report 557
dashboard
  about 514–515
  audit 521–524
  device information 515–517
  HA management 503
  monitord 66, 514
  network traffic 518–520
  One-To-Many management 485
  summary of statistics 521–524
date (setting) 47
decryption 396
default
  route 90
default proxy rules 115
deleting
  roles 45
destination burb 112, 224
destination network object 112
DHCP 86, 87
dig command 529
directory type
  checking 596
disable
  servers 65
disk space 647
Distinguished Names 422
DNS
  A record (address record) 331, 334, 335
  advanced server options 324
  advanced zone options 327
  BIND 314
  CNAME record 334, 335
  configuration 315, 318, 320
  configuration utility 336
  disabling servers 317
  editing configuration files 318
  enabling servers 317
  file types 342
  files 314
  forward zones 326
  forwarders 322
  HINFO 335
  hosts 333
  if turned off 317
  logging 343
  mail exchanger records 332
  master zone 326
  master zone attributes 329
  master zone contents 333
  MX record 314, 335
  name servers table 331
  proxy 250
  query 314
  reconfigure 336
  reverse zones 326
  rules 120
  serial number 330
  servers for VPNs 412
  Sidewinder Hosted 313
  Sidewinder hosted 320
  slave zone 326
  SOA record 329
  split DNS mode 317, 318
  sub-domain 331
  transparent 312, 318
  TTL value 330
  zone 325
do.dump script 638, 642
do.restore script 643
documentation xix
domain definition table 5, 7
domain name 112
domain object 105, 142
domains
  access 7
  Admn 8
  checking 49
  creator 595
  current 49
  defined 6
  file access 7
  for processes 525
  in operational vs. admin kernels 5
  mail 347, 350
DSS 281, 296
dynamic IP addressing
  Adding a new VPN 441
  interface configuration 86
  see also DHCP
E
editing UNIX files 595
editors
  Admin Console File Editor 26
  changing default 594
  emacs 594
  vi 594
emacs editor
  commands 594
  using 594
enable
  automated package install 81
  periodic patch imports 79
  servers 65
encryption 396
  defined 395
  for external-to-internal proxy 245
  with VPN 395
Enterprise Manager xx, 474, 516
enterprise-managed firewall 656
entrelayd 66, 478, 587
etc/crontab 598
etc/daily script 557
etc/login.conf 12
etc/monthly script 557
etc/resolv.conf file 315
etc/server.conf 12
etc/sidewinder/daemond.conf 12
etc/syslog.conf file 549
etc/weekly script 557
event analysis 514
event analysis see Sidewinder G2 Security Reporter
exclude_file_list file 51
executables
  installing 7
exiting roles 49
export
  audit data 538
Extended Authentication 399
F
failed connection request
  proxy rules 657
failover see high availability
failure lockout 285
failure mode 656
  see safe mode
fast path sessions 204
Federal Information Processing Standard 95
file editor
  Admin Console 353
file permissions 595
file type
  .forward files 364
  checking 595
  DNS files 342
  when backing up 638
  when restoring 638
files
  backing up 638
  configuration 595
  restoring 643
  rotating 598
filesystems
  restoring 644
filtering
  mail 172
  Web 165
filters see sacap_filters
finger command 527
finger proxy 250
FIPS 95
firewall certificate 424
firewall license 55
fixclock 66, 597, 598, 667
fixed IP 413
forward files 349, 364
forward zones 326
fraud 359
fsck command 651
FTP
  command filtering 187
  in Internet Services rule 120
  virus/spyware filtering 188
ftp proxy 250, 257
G
G2 SR see Sidewinder G2 Security Reporter
gated 604
gated-unbound 66, 606, 612
general system information 514
gopher proxy 250
groups
  active rules 240
  Application Defense 202
  network 103, 148
  rules 236–238
  user 103, 104
H
H.323 proxy 250
  considerations 262
  HA and 87
halt command 42
hardware
  about appliances 2
  acceleration for VPNs 398
  adding 647
  authenticator 276
  full system restores and 641
  warranty 2
header stripping 366
heartbeat 490, 491
help (online) xxi
high availability 488
  configuration options 489
  configuring 492
  heartbeat 490, 491
  load sharing 489
  peer-to-peer 494
  primary-secondary 491
  VLANs and 492
HINFO 335
Host Enrollment List 62
host name 112
  firewall 37
host object 106
  configuring 143
hosted DNS
  on firewall 320
  single 313
  split server 313
hosts
  DNS 333
hotfixes 76
HTTP
  proxy 250, 376
HTTP/HTTPS 120
HTTPS
  proxy 250, 376
I
ica proxy 251
ICMP 83, 252
  IP Filter rules 122, 229–236
  Network Defense 215
ident proxy 251
identity theft 359
IDS
  server configuration 74
IETF 395
IIOP
  Application Defense 111, 191
  proxy 251
IKE 394, 396
imap proxy 251
importing
  SecureClient certificates 435
in-addr-arpa 326
inbound proxy 245
incremental backup 639
inetd 15
installation
  executables 7
  failed patch 656
  reinstalling software 641
Installation-Disk Imaging CD 652
installing patches 80
interface configuration 83
interfaces report 527
Internet
  hosts (connection information) 553, 554, 555
Internet Explorer (browser) 390
Internet Key Exchange 396
Internet server 317
InterNIC 529
IP address object 106
  configuring 145
IP Filter rules
  Bypass IP Filter Rules 99
  HA and 128
  maximum number of sessions allowed 129, 241
  NAT and redirection 125–128
  overview 11, 121
  with stateful packet inspection 122–123
  without stateful packet inspection 124
IP Network Defense 212
IP sniffing 2
IP spoofing 2
IPS attack responses
  about 564
  attack descriptions 566–568
  creating customized 578
  e-mail settings 571
  ignore network probe attempts 578
  modifying 566–570
  viewing 564–565
IPSec
  defined 395
irc proxy 251
ISAKMP server 66, 399, 402, 402–403, 407, 443, 445, 446
K
kernels
  defined 4
  determining current 49
  differences 5
keys (VPN)
  defined 396
  encryption and decryption 396
  generating 396
kmvfilter 66, 69, 175, 348
L
LDAP 404, 434
level0.backup script 638
license
  Host Enrollment List 62
  how to 55
load sharing HA 489
loading patches 78
lockout
  authentication failure 285
log in
  Admin Console 21
logcheck 533
logging 548
  backups 638
  DNS 343
loopback address 326
lotus proxy 251
ls -dy command 596
ls -y command 595
M
m4 macros 354
mail
  .forward files 349, 364
  aliases 369
  configuration 353, 354
  domains 347, 350
  internal server 347
  local delivery 349
  local server 347
  mailertables 355
  postmaster 350
  program mailers 349
  reconfiguring 351
  redirecting 369
  servers 350
  setup 350
  SMTP 346
  SMTP hosted 346
  transparent SMTP 346
  Type Enforcement restrictions 349
mail exchanger records 314, 329, 331, 332
mail filtering
  anti-spam filter configuration 356
  anti-spam filtering 173
  keyword search filter 173
  MIME/Anti-Virus filter 173
  size filter 173, 174
mail host 350
  configuring 350
mail queue commands 370
mail queues 349, 371
  checking 370
mail.local program 347
mailertable files 355
maintenance 598
maintenance mode
  enable/disable authentication in 653
management information base (MIB) 465
manuals xix
master zone 326
  attributes 329
  contents (DNS) 333
maximum segment size (MSS) 271
membership
  user groups 138
memory 647
messages
  audit 547
  DNS 343
  in mail queues 370
  log 548
  postmaster 350
  system reboot 651
methods used to authenticate users 277
MIME filtering
  for mail 177
  for Web 165
mode
  safe 12
modify 83
monitord 66, 514
monitoring
  attacks 521, 523
  network traffic 518–520
  Sidewinder G2 514
  system events 521
  system resources 516–517
  system status 515
  using Security Reporter 559
  VPN status 439, 519
Monitoring tool (ACLs) 659
monthly system activity report 557
msn proxy 251
MSS (maximum segment size) 271
mssql proxy 251
mta domain 347
mta0 domain 350
mta1 domain 350
mtac domain 347, 350
Multicast Group Address 504
Multiple Address Translation (MAT) 88
MX record 314, 335
N
name servers
  boot files 314
  configuring 315
name servers table 331
named-internet 13, 66, 316
named-unbound 13, 66, 316
NAT 11, 83, 106
  in proxy rules 114
netgroup object 107
  configuring 148
netgroups
  configuring 148
netmap
  member 106, 145
  object 145
netmap object 106
netmask 86, 89
Netscape
  browser 390
Netscape browser 389
netstat 527, 665
netstat command 527, 528
network address translation (NAT) 313
Network Defenses
  about 208–210
  ARP 217
  ICMP 215
  IP 212
  TCP 210
  UDP 213
network groups 103, 112
network interfaces 83
  report 527
network object
  destination 112
network objects 112
  configuring 139
  domain 105, 112
  host 106, 112
  IP address 106, 112
  netgroup 107
  netmap 106
  subnet 107, 112
network probe attempts 578
network security
  and VPNs 395
network service 113
networks
  connections report 527
  interfaces report 527
  process status 525
  routing tables 528
  services 15
  stack separation 9
News
  feed 260
  proxy 260
  proxy redirection 262
  server configurations 261
  servers 260
newsgroups 260
NNTP 260
NNTP proxy 251
non-transparent proxies 254
notify option 324, 327
nslookup command 528
NSS 15
nss.common.conf file 12
NTP 594
  commands 589
  configurations 595
  flags 598, 599
  overview 594
  peer 599
  proxy 252
  reasons for having stopped 667
  references 599
  restarting 667
  server 66
  servers and clients 594
  stratum 0 667
  troubleshooting 666
  version number 594
O
OID
  editing 200
One-To-Many
  considerations 475
  defining additional secondary firewalls 479
  exiting 483
  managing 484
  scenario 476
  synchronized areas 485
online help xxi
operating system (BSD/OS) 4
operational kernel 4
  checking if you’re in 49
  features 5
  routing tables 528
  using remotely 18
  when to use 40
optional feature patches 76
OSPF
  configuration 606
  gated 604
  overview 602
outbound proxy 244
P
packages 76
password
  authentication 137
  changing 47, 304, 306
  changing in the administrative kernel 653
  how users change their own 308
  setting user 137
  what to do if you forget 653
password authentication 278, 291
Password Change Server 306
patches
  failed installation 656
  installing 80
  loading 78
  types of 76
peer-to-peer
  high availability 494
Performance Pack 647
performance report 525
phishing 359
pico editor 594
ping 120, 530
ping proxy 252
planning
  network and user groups 103
policy.cfg for spam filtering 359
pop proxy 252
port
  no service 554, 555
  redirection 249
  specified in Web browser 389
  unsupported service 554, 555
postmaster 350
pre-shared password, defined 397
primary name server 317
primary-secondary HA 491
printer proxy 252
process
  access to files 5
  displaying information 525
  domain 525
  domain access 7
  file access 7
process command 525
processes
  CPU time 525
  report 525
  status 525
promiscuous relaying 366, 368
protocol anomaly detection see anomaly detection
proxies
  address redirection 247
  aol 250
  authentication 274
  changepw_form 250
  connection service type 113
  dns 250
  enabling and disabling 98, 266
  finger 250
  for external-to-internal proxy 245
  FTP 257
  ftp 250
  gopher 250
  H.323 250
  HTTP 250, 376
  HTTPS 250, 376
  ica (Citrix) 251
  ident 251
  IIOP 251
  imap 251
  inbound 245
  initial set-up 250
  irc 251
  lotus 251
  msn 251
  mssql 251
  News 260
  NNTP 251
  non-transparent 254
  NTP 252
  outbound 244
  overview 10, 244
  ping 252
  pop 252
  port redirection 249
  printer 252
  real media 252
  redirection 262
  rlogin 252
  rsh 252
  rtsp 252
  smtp 252
  snmp 252
  socks5 252
  sql 252
  ssh 252
  streamworks 252
  sunrcp 253
  t120 253
  telnet 36, 252, 253, 255
  transparent 254
  wais 253
  Web 374
  Web proxy considerations 382
  WebProxy server 259
  whois 253
  wins 253
  Xscreen0 253
proxy rules
  authentication 113
  connection service type 112
  default 115
  destination burb 112
  failed connection request 657
  NAT 114
  optional criteria 113
  overview 112
  redirection 114
  SafeWord groups 226
  service group 108, 118
  source burb 112
  temporary 227, 233
  time to live option 227, 233
  troubleshooting 657
ps command 525
Q
Quick Start Wizard
  beep patterns 655
  configurations set during 90, 91, 239, 379
  Management Tools CD 18
R
RADIUS authentication 281, 292
Real Media 120
real media proxy 252
realtime blackhole list 366
rebooting 41
  to administrative kernel command 42
  to operational kernel command 42
reconfigure
  DNS 336
  mail 351
redirecting proxies 262
  address redirection 224, 247
  port redirection 249
redirection 106
  in proxy rules 114
reference material xxi
  online help xxi
  RFCs xxi
registration
  troubleshooting 656
re-imaging
  Sidewinder G2 652
reinstallation 652
remote access
  clientless VPN 375
remote administration
  via SSH 30
  via telnet 36
remote certificate 427
Remote Identities
  defined and configuring 422
remote management
  Admin Console 91
reporting
  Admin Console 551–557
  exporting data 548, 558, 560–562
  Sidewinder G2 Security Reporter 559
reports
  3rd party tools 560
  daily activity 557
  mail queues 370
  monthly activity 557
  network connections 527
  network connections/services 527
  network interfaces 527
  routing tables 528
  VPN activity 557
  weekly activity 557
responses see IPS attack responses and system event responses
restarting 41
restore 641, 643
  complete 642
  configuration files 50
  file types 638
  overview 641
  root filesystem 644
  script command options 645
  shlib directory 644
restore configuration files
  via command line 646
restricting
  access by date and time 113
reverse zones 326
RFCs xxi
RIP
  configuring 622
  trace and log information 625
  transparent IP addressing 616
  without transparent IP addressing 619
rlogin proxy 252
roles
  about 43
  admin 8
  deleting 45
  exiting 49
  restore 642
  switching 49
roles.conf file 45
rollaudit 599
rollaudit.conf file 599
root 5, 8
root filesystem
  restoring 644
rotating files 549, 598
route command 528
routed 615
  configuring 622
  filter 624
  flushing filter routes 625
routes
  default 90
  static 90
routing tables report 528
rsh proxy 252
RTSP 120
rtsp proxy 252
rule elements 103
  network objects 105
  planning for 103
  user groups 104
  users 104
rule groups 236–238
  about 98–102
rules
  default proxy 115
  IP Filter 121
  proxy 112
  sort 553
run levels 13
S
sacap_filters
  creating customized responses 578
  syslog 549
  viewing 540
safe mode 12
SafeWord PremierAccess
  authentication 279, 294
SafeWord RemoteAccess
  authentication 279
SafeWord user groups 226
scanner (MIME/virus/spyware scanning) 69–73
SCEP 421, 426, 428, 429
scripts
  /etc/daily 557
  /etc/monthly 557
  /etc/weekly 557
  creating your own 597
  cron 598
  do.dump 638, 642
  do.restore 643
  level0.backup 638
sdconf.rec file 296
secondary name server 317
secure shell (SSH) 30
Secure Web
  Application Defenses 156
SecureClient certificates
  importing 435
SecureOS 2, 9
SecurID authentication 281, 295
security association, VPN 438
Security Parameters Index (SPI)
  using manual key exchange 447
SEF
  and Sidewinder G2 Security Reporter 559–562
  and syslog 549
  converting using the Admin Console 539
sender id filter 67
sender id server 67
sendmail 350
  blackhole list 366
  configuration 354
  header stripping 366
  m4 macros 354
  promiscuous relaying 366, 368
  RealTime Blackhole list 367
  version 354
sendmail.cf files 354
serial number (DNS) 330
server.conf file 595, 625
servers
  connection service type 113
  DNS 317
  enabling/disabling 65
  mail 350
  News 260, 261
  sender id 67
  telnet 36, 37
  Web 374, 375
service group 108, 113, 118
service groups
  configuring 150
  example 108
service type 112
sftp 30
sftp-server 30
shlib directory 644
showaudit command 534, 668
shun server 74
shund 74
shutdown 41
Sidewinder Export Format see SEF
Sidewinder G2
  administrator interfaces 18
  authentication methods 275
  defined 2
  filesystems 638
  kernels 4
  NTP 594
  re-imaging 652
  SNMP agent 464
Sidewinder G2 Enterprise Manager xx, 474, 516
Sidewinder G2 Security Reporter
  about 559
  syslog 549
Sidewinder Hosted
  DNS 313
sidfilter server 67
sighup command 14
single sign-on (SSO)
  authentication 300
size filter 174
slave zone 326
SmartFilter
  control list 384
  overview 628
  version 3.x 170–172, 384, 600, 628
  version 4.0.2 628, 630
  Web/Secure Web application defense 630–633
SMTP 346
  ACL rule checking 353
  configuration 353
  configuring servers 353
  secure split servers 346
  transparent mail 346
smtp proxy 252
SNK authentication 281, 296
SNMP
  agent 464
  application defenses 198
  authentication header 465
  basic information 464
  community names 465
  configuring agent on the firewall 467
  enabling/disabling agent 467
  management information base (MIB) 465
  proxy 252
  response trap 466
  trap 579
  traps 466, 569, 576, 579
SOA record 329
SOCKS proxy 197
socks5 proxy 252
SoftRemote 399, 431
software authenticator 276
software packages 76
  installing 80
source burb 112
spam see anti-spam filtering
spam threshold 359
spamfilter server 67
SPI (Security Parameters Index)
  using manual key exchange 447
SPI index 447
split DNS 317, 318
spyware see category codes (SmartFilter)
spyware see virus scanning, Anti-virus filtering
sql proxy 252
Squid 259, 388, 600
squid.conf.template file 388
srole command 49, 556
SSH 30
  client 33
  enabling server 31
  proxy 252
  server 35
sshd server 67
SSL decryption 156, 259
SSO
  authentication 300
SSO server 67, 225
  authentication cache 287
  configuring 300–302
stacks 9
standard
  Application Defenses 201
startup
  kernel 4
State Change Wizard 23
  HA create cluster 494
  HA join existing 498
  HA remove primary 501
  One-To-Many add primary 478
  One-To-Many add secondary 480
  One-To-Many remove primary 483
  starting 516
stateful inspection 11
static route 90
status
  process 525
status reports
  routing tables 528
stop_beep 655
stratum 0 667
streamworks proxy 252
Strikeback 564
strong authentication 275
Strong Cryptography 159, 379
sub-domain (DNS) 331
subnet
  network object 112
subnet object 107
  configuring 147
sunrcp proxy 253
super-user 5, 8
support for multiple networks 2
syslog
  about 548
  audit messages 549
  configuration file 549
  redirecting output using 549
syslogd 548
  file rotation 549
system boot 4
system calls 7
system event responses
  about 564
  creating customized 578
system reboot
  messages 651
system resources 516–517
system responses
  e-mail settings 577
  modifying 573–576
  viewing 572
T
T.120 proxy 253, 263
TCP
  IP Filter rules 229–235
  Network Defense 210
TCP checksum offload 83
TCP connections 527
  maximum segment size 271
tcpdump command 666, 668
TE see Type Enforcement
Telnet 120
telnet
  defined 36
  no connection 256
  proxy 36, 252, 253, 255
  server 36
  server setup 37
threshold for spam 359
time (setting) 47
top command 525
traceroute command 530
transparent
  DNS 312, 318
  mail (SMTP) 346
  proxies 254
transport mode 440
traps within SNMP 466, 579
troubleshooting
  NTP 666
  proxy rules 657
TTL value (DNS) 330
tunnel mode 398, 440
TXT record 331, 334, 335
Type Enforcement
  about 4
  administrative kernel 8
  defined 6
  directory types 596
  dump function 638
  effects 8
  file types 595
  how it works 5
  restore 638
  sendmail 349
U
UDP
  IP Filter rules 122, 229–235
  IP Filter sessions 129, 241
  Network Defense 213
UDP connections 527
uname -a command 49
unbound DNS server 317
Unified Threat Management 2
UNIX
  editing files 595
  security 5
  text editors 595
upgrades 76
  hardware 647
UPS (Uninterruptible Power Supply) 93
uptime command 525
Usenet News 260
user groups 103, 104
  authentication 104
  configuring 133
  displaying 132
  in proxy rules 113
  membership 138
user passwords 137<br />
users<br />
changing password 47<br />
displaying 132<br />
using the Admin Console 41<br />
UTM (Unified Threat Management) 2<br />
V<br />
var/log directory<br />
backup.log 638<br />
daily.out 598<br />
monthly.out 599<br />
weekly.out 598<br />
wtmp file 599<br />
var/log/audit.raw file 343<br />
var/log/daemon.log file 343<br />
var/log/daily.out file 557<br />
var/log/monthly.out file 557<br />
var/log/weekly.out file 557<br />
var/spool/mqueue.0 349, 370<br />
var/spool/mqueue.1 349, 370<br />
var/spool/mqueue.c 349, 370<br />
vendor patches 76<br />
version<br />
sendmail 354<br />
vi editor<br />
commands 594<br />
using 594<br />
virtual burb 405<br />
virus scanning 69–73<br />
VLAN 87<br />
DHCP and 86<br />
HA and 492<br />
interface configuration 85, 87<br />
vmstat command 525<br />
VPN<br />
AH keys 447<br />
algorithms 448<br />
and SecureClient 399<br />
association 438<br />
certificate authority 415<br />
certificate management daemon 404<br />
certificate server 404<br />
client 399<br />
client address pools 407<br />
client ID 415<br />
clientless 259, 375<br />
embedded 394<br />
Extended Authentication 399<br />
firewall certificate 424<br />
fixed IP 413<br />
hardware acceleration 398<br />
how it works 396<br />
IKE 394<br />
ISAKMP server 402<br />
key types 396<br />
LDAP 434<br />
public CA server 419<br />
remote certificate 427<br />
Remote Identities 422<br />
scenarios 450<br />
security association 438<br />
SPI 447<br />
transport mode 397<br />
tunnel mode 397<br />
understanding 394<br />
VPN report 557<br />
W<br />
Index<br />
wais proxy 253<br />
warder 282<br />
warranty 2<br />
weak authentication 275<br />
Web<br />
access 374<br />
access via proxy 374, 375<br />
Application Defenses 156<br />
browser 378, 381<br />
configuring the Squid caching proxy 382<br />
configuring Web proxy on port 80 379<br />
implementation options 376<br />
Web filtering see SmartFilter<br />
Web proxy 374<br />
Web servers 374, 375<br />
Web sites<br />
activation 57<br />
WebProxy server 259, 305, 308, 376, 381,<br />
383<br />
options 385<br />
transparent/non-transparent mode 388<br />
weekly system activity report 557<br />
whereami command 49<br />
whitelist configuration for anti-spam 356<br />
whois command 253, 529<br />
whois proxy 253<br />
Windows Domain<br />
authentication 280<br />
configuring 298–300<br />
summary 278<br />
wins proxy 253
WINS server 412

X

X Windows proxy 253
Xscreen0 proxy 253

Z

zones 325
The Sidewinder G2® Security Appliance is the most comprehensive gateway security appliance in the world, with the strongest credentials of any leading all-in-one firewall or Unified Threat Management security appliance. This market-leading Internet security appliance protects your applications and networks against both known and unknown attacks—and at Gigabit speeds. This appliance consolidates the widest variety of gateway security functions in one system, reducing the complexity of managing a total perimeter security solution. These security functions include our unprecedented Application Defenses firewall with embedded anti-virus/spyware, anti-spam/fraud, traffic anomaly detection, IDS/IPS, and more.

Our unique, unequalled CERT advisory record and zero emergency security patches over the 11-year life of Sidewinder G2 set us apart. Broadly deployed world-wide, the Sidewinder G2 Security Appliance is extensively used by all types of organizations from small to enterprise, and is the only security appliance to have achieved the pre-eminent EAL4+ Common Criteria certification for application firewalls.
Secure Computing Corporation
www.securecomputing.com

Corporate Headquarters
4810 Harwood Road
San Jose, CA 95124 USA
Tel +1.800.379.4944
Tel +1.408.979.6100
Fax +1.408.979.6501

European Headquarters
1, The Arena
Downshire Way
Bracknell
Berkshire, RG12 1PU UK
Tel +44.0.870.460.4766
Fax +44.0.870.460.4767

Asia/Pac Headquarters
1604-5 MLC Tower
248 Queen's Road East
Wan Chai, Hong Kong
Tel +852.2520.2422
Fax +852.2587.1333

Japan Headquarters
Level 15 JT Bldg.
2-2-1 Toranomon, Minato-ku
Tokyo 105-0001 Japan
Tel +81.3.5114.8224
Fax +81.3.5114.8226

SWOP-MN-ADMN61-D
ADDITIONAL SECURITY SOLUTIONS FROM SECURE COMPUTING

SIDEWINDER G2 ENTERPRISE MANAGER
Sidewinder G2® Enterprise Manager from Secure Computing is an enterprise strong® security appliance that delivers single-point policy management for hundreds of distributed Sidewinder G2 systems, and a simple Power-It-On deployment. It provides a robust audit repository, and is managed remotely from an intuitive Windows-based software package. It makes central management of complex hierarchical policies a reality. SQL database architecture enables you to customize the software to group firewalls in any way that is meaningful to your organization, goals, and mission.

SMARTFILTER PRODUCTS
SmartFilter® products (SmartFilter, and SmartFilter, Bess® edition) enable organizations to understand and monitor their Internet use, while taking effective steps to provide appropriate control over outbound Web access.

SAFEWORD PRODUCTS
SafeWord® products provide strong authentication technology that positively identifies users and eliminates the password risk—ensuring that only the right people can make connections to your business.

© 2006 Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport, SecureOS, MobilePass, G2 Firewall, Bess, Sidewinder G2, enterprise strong, PremierAccess, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, Application Defenses, RemoteAccess, On-Box, Power-It-On!, Sentian, and Securing connections between people, applications, and networks are trademarks of Secure Computing Corporation. All other trademarks used herein belong to their respective owners.