Sidewinder G2 6.1.2 Administration Guide - Glossary of Technical ...

More documents

Recommendations

Info

Chapter 14: Configuring Virtual Private Networks Sidewinder G2 VPN overview Table 27: VPN Authentication options 400 Authentication Summary 2 Enable Extended Authentication for the desired VPN security association(s). This is accomplished by selecting VPN Configuration > Security Associations and then clicking the Require Extended Authentication check box. See “Entering information on the Authentication tab” on page 442 for more details. Note: Extended Authentication must also be enabled on the remote client. See your client software documentation for information on configuring and enabling Extended Authentication. What type of VPN authentication should I use? The Sidewinder G2 supports four different VPN authentication methods. The characteristics of a VPN peer determine which type of authentication best fits your VPN configuration. Extended authentication may be added to any automated authentication method for increased security. Note: Extended authentication not available for Sidewinder G2-to-Sidewinder G2 configurations or any configuration that uses a manual key exchange. Manual key VPN • authenticates using a manual key exchanged over a telephone or other secure connection - keying information is cumbersome to enter and not changed often, which reduces security • uncommon in today’s networks, but used for resolving interoperability problems with other vendors’ IPSec products • cannot be used for dynamic IP-assigned clients or gateways • each VPN peer requires its own Sidewinder G2 VPN configuration Automatic key shared password VPN • primary authentication is password sharing with the VPN peer, recommended to use with Extended Authentication • ideally suited for travelling and home users when paired with a strong extended authentication, such as SafeWord PremierAccess • may be used with dynamic IP-assigned clients, but the clients must be configured to use Aggressive Mode. • single Sidewinder G2 VPN configuration can be used to administer many VPN clients More...
Authentication Summary Automatic key single certificate VPN Automatic key certificate authoritybased VPN Chapter 14: Configuring Virtual Private Networks Sidewinder G2 VPN overview • authenticates using a self-signed public certificate - each VPN peer must first import the corresponding peer’s certificate • ideally used for a small number of remote clients • used with dynamic IP-assigned clients and gateways • each peer certificate requires its own Sidewinder G2 security association • authenticates each VPN peer by using a certificate signed by a certificate authority trusted by the other peer • ideally suited for roving client VPN peers (such as those using laptop computers) • used with dynamic IP-assigned clients and gateways • single Sidewinder G2 security association can be used to administer many VPN clients. General guidelines for selecting a VPN authentication type Here are some general guidelines to follow when you are deciding which type of VPN to use: • If the VPN peer is not a Secure Computing product, and all other types of VPN methods do not work, try the manual key VPN. • For a small number of VPN peer clients with dynamically assigned IP addresses, the single certificate VPN is a cost-effective solution. A shared password VPN in conjunction with Extended Authentication is also an option. • If the VPN peer has a static IP address, the pre-shared password VPN is the easiest to configure. Extended Authentication would not be used in a gateway to gateway configuration as there is no one to provide the challenge/response. • If there is a large number of VPN peer clients with dynamically assigned-IP addresses (such as a traveling sales force), the CA-based VPN is often the easiest to configure and maintain. Another popular option is to use a preshared password VPN in conjunction with Extended Authentication. 401
Page 1:
ADMINISTRATION GUIDE
Page 5 and 6:
Copyright © 2006 Secure Computing
Page 7 and 8:
Other Terms and Conditions This pro
Page 9 and 10:
CONTENTS Preface . . . . . . . . .
Page 11 and 12:
Table of Contents Modifying the sta
Page 13 and 14:
Table of Contents Configuring the S
Page 15 and 16:
Table of Contents About mail exchan
Page 17 and 18:
Table of Contents Configuring and d
Page 19 and 20:
Table of Contents CHAPTER 20 IPS At
Page 21 and 22:
Table of Contents APPENDIX F Basic
Page 23 and 24:
PREFACE Who should read this guide
Page 25 and 26:
Online help Preface The Sidewinder
Page 27 and 28:
1 CHAPTER Introduction In this chap
Page 29 and 30:
Figure 2: Protecting multiple netwo
Page 31 and 32:
Chapter 1: Introduction The Type En
Page 33 and 34:
Type Enforced attributes Chapter 1:
Page 35 and 36:
Figure 4: Multiple Type Enforced ar
Page 37 and 38:
Chapter 1: Introduction Additional
Page 39 and 40:
Chapter 1: Introduction Additional
Page 41 and 42:
Network Services Sentry (NSS) Chapt
Page 43 and 44:
2 CHAPTER Administrator’s Overvie
Page 45 and 46:
Admin Console basics Chapter 2: Adm
Page 47 and 48:
Figure 7: Admin Console Login windo
Page 49 and 50:
Figure 9: Main Admin Console menu M
Page 51 and 52:
Admin Console conventions Chapter 2
Page 53 and 54:
Figure 11: Open File window Opening
Page 55 and 56:
Figure 14: Find/Replace window Ente
Page 57 and 58:
Chapter 2: Administrator’s Overvi
Page 59 and 60:
Chapter 2: Administrator’s Overvi
Page 61 and 62:
Figure 15: sshd Server Configuratio
Page 63 and 64:
To access the trusted Telnet server
Page 65 and 66:
3 CHAPTER General System Tasks In t
Page 67 and 68:
Figure 16: System Shutdown window E
Page 69 and 70:
Setting up and maintaining administ
Page 71 and 72:
Figure 18: Administrator Informatio
Page 73 and 74:
Changing passwords Setting the syst
Page 75 and 76:
Using system roles to access type e
Page 77 and 78:
Figure 20: Configuration file backu
Page 79 and 80:
Chapter 3: General System Tasks Con
Page 81 and 82:
Activating the Sidewinder G2 licens
Page 83 and 84:
Chapter 3: General System Tasks Act
Page 85 and 86:
Figure 23: Firewall License: Compan
Page 87 and 88:
Figure 25: Firewall License: Enroll
Page 89 and 90:
Chapter 3: General System Tasks Pro
Page 91 and 92:
Enabling and disabling servers Figu
Page 93 and 94:
Server Name Notes Chapter 3: Genera
Page 95 and 96:
Configuring virus scanning services
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Figure 32: IDS Server window About
Page 103 and 104:
Figure 34: Software Management: Sum
Page 105 and 106:
Chapter 3: General System Tasks Loa
Page 107 and 108:
Chapter 3: General System Tasks Loa
Page 109 and 110:
Modifying the interface configurati
Page 111 and 112:
About the Interface Status window M
Page 113 and 114:
Chapter 3: General System Tasks Mod
Page 115 and 116:
About the Aliases: New/Modify Netwo
Page 117 and 118:
About the Static: Route window Conf
Page 119 and 120:
About the SSL certificate fields fo
Page 121 and 122:
Enabling/disabling the UPS server C
Page 123 and 124:
4 CHAPTER Understanding Policy Conf
Page 125 and 126:
Figure 45: Example of active rules
Page 127 and 128:
Chapter 4: Understanding Policy Con
Page 129 and 130:
Page 131 and 132:
Figure 47: User Groups user group n
Page 133 and 134:
Figure 48: Netgroup Subnet objects
Page 135 and 136:
Application Defenses Table 11: Samp
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Simple proxy rule examples Chapter
Page 143 and 144:
Page 145 and 146:
Table 17: Proxy rules for the advan
Page 147 and 148:
IP Filter rule basics Chapter 4: Un
Page 149 and 150:
Page 151 and 152:
Figure 52: Example network Chapter
Page 153 and 154:
Figure 53: Normal NAT IP Filter rul
Page 155 and 156:
Page 157 and 158:
5 CHAPTER Creating Rule Elements In
Page 159 and 160:
Chapter 5: Creating Rule Elements C
Page 161 and 162:
About the Group Information tab Abo
Page 163 and 164:
About the User Password tab Chapter
Page 165 and 166:
About the User Group Membership win
Page 167 and 168:
Figure 60: New Network Object windo
Page 169 and 170:
Figure 62: Host network object wind
Page 171 and 172:
Figure 63: IP Address network objec
Page 173 and 174:
Figure 65: Subnet network object wi
Page 175 and 176:
Figure 67: Group Membership window
Page 177 and 178:
About the Service Groups window Cha
Page 179 and 180:
6 CHAPTER Configuring Application D
Page 181 and 182:
Chapter 6: Configuring Application
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
About the URL Control tab Chapter 6
Page 189 and 190:
Figure 73: Web/Secure Web: HTTP Rep
Page 191 and 192:
Figure 74: Web/Secure Web: MIME/Vir
Page 193 and 194:
Page 195 and 196:
Figure 76: Web/Secure Web: SmartFil
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
About the Keyword Search tab Chapte
Page 203 and 204:
Figure 81: Mail (Sendmail) MIME/Vir
Page 205 and 206:
Configuring MIME filtering rules Ch
Page 207 and 208:
Creating Mail (SMTP proxy) Defenses
Page 209 and 210:
Figure 84: Mail (SMTP proxy): Desti
Page 211 and 212:
Creating Citrix Application Defense
Page 213 and 214:
Configuring the FTP Enforcements ta
Page 215 and 216:
Configuring Virus/Spyware filtering
Page 217 and 218:
Creating IIOP Application Defenses
Page 219 and 220:
Configuring the H.323 Filter tab Ch
Page 221 and 222:
About the Service Name (SID): New S
Page 223 and 224:
Creating SOCKS Application Defenses
Page 225 and 226:
Figure 95: SNMP v1: OID Editing win
Page 227 and 228:
Creating Standard Application Defen
Page 229 and 230:
Configuring connection properties C
Page 231 and 232:
Configuring connection ports Chapte
Page 233 and 234:
7 CHAPTER Configuring Network Defen
Page 235 and 236:
Figure 100: Network Defense window
Page 237 and 238:
About the Network Defenses: TCP tab
Page 239 and 240:
Configuring the UDP Network Defense
Page 241 and 242:
Configuring the ICMP Network Defens
Page 243 and 244:
Configuring the ARP Network Defense
Page 245 and 246:
8 CHAPTER Creating Rules and Rule G
Page 247 and 248:
About the Duplicate Rule Name windo
Page 249 and 250:
Chapter 8: Creating Rules and Rule
Page 251 and 252:
Figure 110: Proxy Rule: Authenticat
Page 253 and 254:
Entering information on the Time ta
Page 255 and 256:
Figure 113: IP Filter Rules window
Page 257 and 258:
Figure 114: IP Filter Rules Source/
Page 259 and 260:
Figure 115: IP Filter Time tab Abou
Page 261 and 262:
Chapter 8: Creating Rules and Rule
Page 263 and 264:
Figure 117: Modify Groups window Ch
Page 265 and 266:
Selecting your active policy rules
Page 267 and 268:
Figure 120: IP Filter General Prope
Page 269 and 270:
9 CHAPTER Configuring Proxies In th
Page 271 and 272:
Chapter 9: Configuring Proxies Prox
Page 273 and 274:
Redirected proxy connections Chapte
Page 275 and 276:
Figure 123: Port redirection for in
Page 277 and 278:
Proxy Name Type and Port Descriptio
Page 279 and 280:
Proxy Name Type and Port Descriptio
Page 281 and 282:
Notes on selected proxy configurati
Page 283 and 284:
Notes on using the FTP proxy Chapte
Page 285 and 286:
HTTP/HTTPS considerations Chapter 9
Page 287 and 288:
Figure 124: News server in front of
Page 289 and 290:
About the T.120 proxy Chapter 9: Co
Page 291 and 292:
Chapter 9: Configuring Proxies Note
Page 293 and 294:
Figure 126: Proxies window About th
Page 295 and 296:
Figure 127: ica proxy Advanced tab
Page 297 and 298:
Configuring connection ports Chapte
Page 299 and 300:
10 CHAPTER Setting Up Authenticatio
Page 301 and 302:
Administrator authentication Chapte
Page 303 and 304:
Supported authentication methods Ch
Page 305 and 306:
SafeWord authentication Chapter 10:
Page 307 and 308:
Chapter 10: Setting Up Authenticati
Page 309 and 310:
Users, groups, and authentication C
Page 311 and 312:
Page 313 and 314:
Figure 131: SSO Cached Authenticati
Page 315 and 316:
Page 317 and 318:
Figure 133: Password Configuration
Page 319 and 320:
Entering information on the RADIUS
Page 321 and 322:
Adding or modifying a SafeWord serv
Page 323 and 324:
Figure 137: SNK Configuration windo
Page 325 and 326:
Entering information on the Windows
Page 327 and 328:
Entering information on the Single
Page 329 and 330:
Setting up authentication for servi
Page 331 and 332:
Setting up authentication for Web s
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
11 CHAPTER DNS (Domain Name System)
Page 339 and 340:
About Sidewinder hosted DNS Chapter
Page 341 and 342:
Figure 140: Mail exchanger example
Page 343 and 344:
Advanced configurations Enabling an
Page 345 and 346:
Figure 141: Transparent DNS Configu
Page 347 and 348:
Chapter 11: DNS (Domain Name System
Page 349 and 350:
Entering information on the Forward
Page 351 and 352:
Adding an IP address Figure 146: DN
Page 353 and 354:
About the Zone List window About th
Page 355 and 356:
Figure 147: Master Zone Attributes
Page 357 and 358:
Adding a forward lookup sub-domain
Page 359 and 360:
Figure 148: Master Zone Contents ta
Page 361 and 362:
Adding a new forward lookup entry C
Page 363 and 364:
Table 26: DNS configuration options
Page 365 and 366:
Figure 150: Reconfiguring Sidewinde
Page 367 and 368:
About the Reconfiguring DNS: Sidewi
Page 369 and 370:
DNS message logging Chapter 11: DNS
Page 371 and 372:
12 CHAPTER Electronic Mail In this
Page 373 and 374:
Chapter 12: Electronic Mail Overvie
Page 375 and 376: Sendmail differences on Sidewinder
Page 377 and 378: Reconfiguring mail Figure 152: Reco
Page 379 and 380: Managing sendmail Figure 153: sendm
Page 381 and 382: Chapter 12: Electronic Mail Editing
Page 383 and 384: Figure 155: Spamfilter: Whitelist C
Page 385 and 386: Chapter 12: Electronic Mail Configu
Page 387 and 388: About the COPY action Chapter 12: E
Page 389 and 390: Chapter 12: Electronic Mail Configu
Page 391 and 392: Other sendmail features Creating a
Page 393 and 394: 5 Save the changes you made to file
Page 395 and 396: Allowing or denying mail on a user
Page 397 and 398: Chapter 12: Electronic Mail Managin
Page 399 and 400: 13 CHAPTER Setting Up Web Services
Page 401 and 402: Figure 158: Access to your Web serv
Page 403 and 404: Figure 161: Option 2: The Web proxy
Page 405 and 406: Setting up Web access using the HTT
Page 407 and 408: Using the Web proxy server Figure 1
Page 409 and 410: Configuring the Web proxy server Fi
Page 411 and 412: Figure 168: Web Proxy Server window
Page 413 and 414: Configuring Web Proxy Server HTTP f
Page 415 and 416: Configuring browsers for the Web pr
Page 417 and 418: Certain browsers on UNIX Chapter 13
Page 419 and 420: 14 CHAPTER Configuring Virtual Priv
Page 421 and 422: Protecting your information What ar
Page 423 and 424: Authenticating IKE VPNs Chapter 14:
Page 425: Configuring a VPN client Chapter 14
Page 429 and 430: Chapter 14: Configuring Virtual Pri
Page 431 and 432: Understanding virtual burbs Chapter
Page 433 and 434: Create the virtual burb Configure p
Page 435 and 436: About the Client Address Pools wind
Page 437 and 438: Adding or modifying a subnet addres
Page 439 and 440: Figure 178: Client Address Pools: F
Page 441 and 442: Adding or modifying a client identi
Page 443 and 444: Table 28: Supported X.500 Attribute
Page 445 and 446: Single certificate versus Certifica
Page 447 and 448: Adding a Certificate Authority Chap
Page 449 and 450: Figure 180: Remote Identities tab A
Page 451 and 452: Figure 181: Firewall certificates A
Page 453 and 454: Figure 182: Remote certificates def
Page 457 and 458: Selecting a new proxy certificate I
Page 459 and 460: Figure 185: Import Firewall Certifi
Page 463 and 464: Exporting both the certificate and
Page 465 and 466: About the Security Associations win
Page 469 and 470: Configuring password information on
Page 471 and 472: Entering Certificate + Certificate
Page 473 and 474: Entering Manual information on the
Page 475 and 476: Entering information on the Advance
Page 477 and 478:
Figure 191: VPN between two corpora
Page 479 and 480:
Figure 192: One VPN association per
Page 481 and 482:
Chapter 14: Configuring Virtual Pri
Page 483 and 484:
Figure 193: One VPN association for
Page 485 and 486:
Page 487 and 488:
Page 489 and 490:
15 CHAPTER Configuring the SNMP Age
Page 491 and 492:
Figure 195: Community name within a
Page 493 and 494:
Figure 196: MIBs supported by the S
Page 495 and 496:
Defining a community name Defining
Page 497 and 498:
Communication with systems in an ex
Page 499 and 500:
16 CHAPTER One-To-Many Clusters In
Page 501 and 502:
Considerations when using One-To-Ma
Page 503 and 504:
Configuring One- To-Many Chapter 16
Page 505 and 506:
Figure 201: One To Many Management
Page 507 and 508:
Chapter 16: One-To-Many Clusters Co
Page 509 and 510:
Chapter 16: One-To-Many Clusters Co
Page 511 and 512:
Chapter 16: One-To-Many Clusters Un
Page 513 and 514:
17 CHAPTER High Availability In thi
Page 515 and 516:
HA configuration options Chapter 17
Page 517 and 518:
You can configure failover HA in on
Page 519 and 520:
Configuring the heartbeat burbs Cha
Page 521 and 522:
Chapter 17: High Availability Confi
Page 523 and 524:
Page 525 and 526:
Page 527 and 528:
Removing a secondary/standby from a
Page 529 and 530:
Managing an HA cluster Features tha
Page 531 and 532:
Chapter 17: High Availability Manag
Page 533 and 534:
Changing the multicast address Chap
Page 535 and 536:
About the Local Parameters tab Chap
Page 537 and 538:
Chapter 17: High Availability Manag
Page 539 and 540:
18 CHAPTER Monitoring In this chapt
Page 541 and 542:
About the dashboard Viewing device
Page 543 and 544:
Figure 211: System information: Dis
Page 545 and 546:
Figure 213: Network Traffic: Interf
Page 547 and 548:
Viewing IPS attack and system event
Page 549 and 550:
Figure 218: Attacks by Service wind
Page 551 and 552:
Monitoring Sidewinder G2 status usi
Page 553 and 554:
finger Chapter 18: Monitoring Monit
Page 555 and 556:
dig Chapter 18: Monitoring Monitori
Page 557 and 558:
19 CHAPTER Auditing and Reporting I
Page 559 and 560:
Auditing on the Sidewinder G2 Chapt
Page 561 and 562:
Figure 221: Audit Viewing: View Mod
Page 563 and 564:
Chapter 19: Auditing and Reporting
Page 565 and 566:
Figure 224: Audit Veiwing: Filterin
Page 567 and 568:
Attack Description Application Defe
Page 569 and 570:
Attack Description Chapter 19: Audi
Page 571 and 572:
Example 2: Filtering for services a
Page 573 and 574:
Understanding audit messages Chapte
Page 575 and 576:
Page 577 and 578:
Generating reports using the Admin
Page 579 and 580:
Figure 226: Show Report window Tabl
Page 581 and 582:
Report type Description Chapter 19:
Page 583 and 584:
Report type Description Table 37: A
Page 585 and 586:
Generating reports using Sidewinder
Page 587 and 588:
Page 589 and 590:
20 CHAPTER IPS Attack and System Ev
Page 591 and 592:
About the IPS Attack Responses wind
Page 593 and 594:
Attack Description Application Defe
Page 595 and 596:
Chapter 20: IPS Attack and System E
Page 597 and 598:
Figure 230: Attack Responses: Setti
Page 599 and 600:
Figure 232: System Responses Modify
Page 601 and 602:
Event Description system critical a
Page 603 and 604:
Figure 233: System Responses: Respo
Page 605 and 606:
Sidewinder G2 SNMP traps Chapter 20
Page 607 and 608:
Chapter 20: IPS Attack and System E
Page 609 and 610:
A APPENDIX Command Line Reference I
Page 611 and 612:
Sidewinder G2 area Commands Area De
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
About editing Sidewinder G2 files A
Page 623 and 624:
Changing file types in the operatio
Page 625 and 626:
etc/monthly Appendix A: Command Lin
Page 627 and 628:
CRL and certificate retrieval cron
Page 629 and 630:
B APPENDIX Setting Up Network Time
Page 631 and 632:
Figure 235: Sidewinder G2 as an NTP
Page 633 and 634:
Figure 237: NTP conflict: Sidewinde
Page 635 and 636:
Using command line: Appendix B: Set
Page 637 and 638:
C APPENDIX Configuring Dynamic Rout
Page 639 and 640:
Figure 238: Three OSPF protocol pha
Page 641 and 642:
Figure 240: Sidewinder G2 within OS
Page 643 and 644:
Figure 242: OSPF Properties tab Abo
Page 645 and 646:
Configuring the OSPF Area: Interfac
Page 647 and 648:
Configuring the OSPF Areas: Network
Page 649 and 650:
D APPENDIX Configuring Dynamic Rout
Page 651 and 652:
RIP processing on the Sidewinder G2
Page 653 and 654:
Appendix D: Configuring Dynamic Rou
Page 655 and 656:
RIP with Sidewinder G2 not using tr
Page 657 and 658:
Page 659 and 660:
Page 661 and 662:
Enabling/ disabling the routed serv
Page 663 and 664:
E APPENDIX Setting Up SmartFilter S
Page 665 and 666:
4 Click Evaluate this version. 5 Co
Page 667 and 668:
Figure 252: SmartFilter for Web and
Page 669 and 670:
Appendix E: Setting Up SmartFilter
Page 671 and 672:
F APPENDIX Basic Troubleshooting In
Page 673 and 674:
Restoring access to the Admin Conso
Page 675 and 676:
Appendix F: Basic Troubleshooting B
Page 677 and 678:
Restoring system files Appendix F:
Page 679 and 680:
8 [Conditional] If needed, change p
Page 681 and 682:
Appendix F: Basic Troubleshooting R
Page 683 and 684:
Adding hardware to an active Sidewi
Page 685 and 686:
Recovering when the licensed NIC fa
Page 687 and 688:
What to do if the boot process fail
Page 689 and 690:
If you forget your administrator pa
Page 691 and 692:
Interpreting beep patterns Table 45
Page 693 and 694:
Troubleshooting proxy rules Appendi
Page 695 and 696:
Appendix F: Basic Troubleshooting T
Page 697 and 698:
Understanding FTP and Telnet connec
Page 699 and 700:
Active firewall list: 10.10.10.7 St
Page 701 and 702:
Appendix F: Basic Troubleshooting T
Page 703 and 704:
Why did NTP stop? Appendix F: Basic
Page 705 and 706:
GLOSSARY ACE/Server A server made b
Page 707 and 708:
Glossary burb A set of one or more
Page 709 and 710:
Glossary external DNS External DNS
Page 711 and 712:
ISAKMP (internet security associati
Page 713 and 714:
ODBC (Open Database Connectivity) G
Page 715 and 716:
eference implementation An IETF ter
Page 717 and 718:
Glossary subnet A network addressin
Page 719 and 720:
INDEX A A record (address record) 3
Page 721 and 722:
B backup backup_file_list 51 comple
Page 723 and 724:
domains access 7 Admn 8 checking 49
Page 725 and 726:
Internet server 317 InterNIC 529 IP
Page 727 and 728:
networks connections report 527 int
Page 729 and 730:
R RADIUS authentication 281, 292 Re
Page 731 and 732:
Sidewinder G2 Enterprise Manager xx
Page 733 and 734:
user passwords 137 users changing p
Page 736:
The Sidewinder G2 ® Security Appli
show all

Sidewinder G2 6.1.2 Administration Guide - Glossary of Technical ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?