- Page 1:
ADMINISTRATION GUIDE
- Page 5 and 6:
Copyright © 2005 Secure Computing
- Page 7 and 8:
Other Terms and Conditions This pro
- Page 9 and 10:
Table of Contents Chapter 1: Introd
- Page 11 and 12:
Table of Contents Enabling and disa
- Page 13 and 14:
Table of Contents Creating SNMP App
- Page 15 and 16:
Table of Contents About Sidewinder
- Page 17 and 18:
Table of Contents Configuring the S
- Page 19 and 20:
Table of Contents Active connection
- Page 21 and 22:
Table of Contents RIP with the Side
- Page 23 and 24:
Who should read this guide What is
- Page 25 and 26:
Chapter title Description Chapter 1
- Page 27 and 28:
Online help Where to find additiona
- Page 29 and 30:
CHAPTER 1 Introduction About this
- Page 31 and 32:
Figure 1-2. Protecting multiple net
- Page 33 and 34:
The Type Enforced environment Table
- Page 35 and 36:
Figure 1-3. Example of domain separ
- Page 37 and 38:
Additional Sidewinder G2 operating
- Page 39 and 40:
Proxy software and access control A
- Page 41 and 42:
Additional Sidewinder G2 operating
- Page 43 and 44:
Additional Sidewinder G2 operating
- Page 45 and 46:
Additional Sidewinder G2 operating
- Page 47 and 48:
CHAPTER 2 Administrator’s Overvi
- Page 49 and 50:
Figure 2-1. Sidewinder G2 administr
- Page 51 and 52:
Figure 2-2. Admin Console Login win
- Page 53 and 54:
Figure 2-3. Feature Notification wi
- Page 55 and 56:
About the top portion of the Admin
- Page 57 and 58:
Admin Console conventions Admin Con
- Page 59 and 60:
Figure 2-5. File Editor window Abou
- Page 61 and 62:
Figure 2-7. Backup File window Ente
- Page 63 and 64:
Remote administration using Secure
- Page 65 and 66:
Remote administration using Secure
- Page 67 and 68:
Remote administration using Secure
- Page 69 and 70:
Figure 2-10. sshd Server Configurat
- Page 71 and 72:
Administering Sidewinder G2 using T
- Page 73 and 74:
CHAPTER 3 General System Tasks Abo
- Page 75 and 76:
Figure 3-1. System Shutdown window
- Page 77 and 78:
Setting up and maintaining administ
- Page 79 and 80:
Figure 3-3. Administrator Informati
- Page 81 and 82:
Changing passwords Setting the syst
- Page 83 and 84:
Using system roles to access type e
- Page 85 and 86:
Configuration file backup and resto
- Page 87 and 88:
What is backed up and restored What
- Page 89 and 90:
Configuration file backup and resto
- Page 91 and 92:
Activating the Sidewinder G2 licens
- Page 93 and 94:
From a workstation that has Web acc
- Page 95 and 96:
Figure 3-8. Firewall License: Compa
- Page 97 and 98:
Figure 3-10. Firewall License: Enro
- Page 99 and 100:
Protected host licensing and the Ho
- Page 101 and 102:
Figure 3-11. Determining which VPN
- Page 103 and 104:
Table 3-3. Sidewinder G2 servers Se
- Page 105 and 106:
Configuring the synchronization ser
- Page 107 and 108:
Figure 3-14. Scanner: Advanced tab
- Page 109 and 110:
Figure 3-15. Scanner: Signature tab
- Page 111 and 112:
Configuring the shund server Figure
- Page 113 and 114:
Figure 3-18. IDS Configuration: Shu
- Page 115 and 116:
Figure 3-20. Software Management: I
- Page 117 and 118:
Loading and installing patches 5. C
- Page 119 and 120:
Loading and installing patches 3. S
- Page 121 and 122:
Modifying the burb configuration 2.
- Page 123 and 124:
Modifying the Configuration tab Mod
- Page 125 and 126:
About the Aliases: New/ Modify Netw
- Page 127 and 128:
Modifying the static route About th
- Page 129 and 130:
About the SSL certificate fields fo
- Page 131 and 132:
Figure 3-26. UPS Configuration wind
- Page 133 and 134:
CHAPTER 4 Understanding Policy Con
- Page 135 and 136:
Figure 4-2. Example of active rules
- Page 137 and 138:
Policy configuration basics The fol
- Page 139 and 140:
Rule elements Network objects—Ne
- Page 141 and 142:
Figure 4-4. User Groups user group
- Page 143 and 144:
Rule elements If an organization re
- Page 145 and 146:
Example of a rule that uses a servi
- Page 147 and 148:
Application Defenses You can also c
- Page 149 and 150:
Proxy rule basics Table 4-4. Applic
- Page 151 and 152:
Proxy rule basics the user request
- Page 153 and 154:
Proxy rule basics Table 4-5 summari
- Page 155 and 156:
Table 4-7. Proxy rules for sample c
- Page 157 and 158:
Table 4-9. Proxy rules for the adva
- Page 159 and 160:
Mutually exclusive rules for Transp
- Page 161 and 162:
Figure 4-7. IP Filtering on non-TCP
- Page 163 and 164:
Figure 4-8. IP Filtering on TCP/UDP
- Page 165 and 166:
Setting the IP Filter NAT port rewr
- Page 167 and 168:
Figure 4-11. "Source port" NAT IP F
- Page 169 and 170:
CHAPTER 5 Creating Rule Elements A
- Page 171 and 172:
Creating users and user groups Mod
- Page 173 and 174:
About the Group Information tab Abo
- Page 175 and 176:
About the User Password tab Creatin
- Page 177 and 178:
Figure 5-4. User Group Membership w
- Page 179 and 180:
Figure 5-6. New Network Object wind
- Page 181 and 182:
Entering domain information Figure
- Page 183 and 184:
Figure 5-9. IP Address network obje
- Page 185 and 186:
About the Netmap Members window Cre
- Page 187 and 188:
Figure 5-12. Network Object: netgro
- Page 189 and 190:
Creating service groups Figure 5-14
- Page 191 and 192:
CHAPTER 6 Configuring Application
- Page 193 and 194:
Viewing Application Defense informa
- Page 195 and 196:
Figure 6-2. Application Defense: We
- Page 197 and 198:
Creating Web or Secure Web Applicat
- Page 199 and 200:
Creating Web or Secure Web Applicat
- Page 201 and 202:
Figure 6-5. Web/Secure Web: HTTP Re
- Page 203 and 204:
Figure 6-6. Web/Secure Web: MIME/Vi
- Page 205 and 206:
Creating Web or Secure Web Applicat
- Page 207:
Creating Web or Secure Web Applicat
- Page 211 and 212:
Creating Mail Application Defenses
- Page 213 and 214:
Figure 6-10. Mail Size tab Creating
- Page 215 and 216:
Creating Mail Application Defenses
- Page 217 and 218:
Figure 6-12. Mail MIME/ Virus tab A
- Page 219 and 220:
Configuring MIME filtering rules Cr
- Page 221 and 222:
Creating Citrix Application Defense
- Page 223 and 224:
Creating FTP Application Defenses F
- Page 225 and 226:
Figure 6-16. Application Defenses:
- Page 227 and 228:
Creating Multimedia Application Def
- Page 229 and 230:
Figure 6-18. Application Defenses:
- Page 231 and 232:
Creating SOCKS Application Defenses
- Page 233 and 234:
Creating SNMP Application Defenses
- Page 235 and 236:
Figure 6-22. Example of OID numberi
- Page 237 and 238:
Figure 6-24. Application Defense Gr
- Page 239 and 240:
Configuring connection properties d
- Page 241 and 242:
CHAPTER 7 Creating Rules and Group
- Page 243 and 244:
Viewing rules and rule groups You c
- Page 245 and 246:
Entering information on the Proxy R
- Page 247 and 248:
Creating proxy rules 5. [Optional]
- Page 249 and 250:
Figure 7-4. Proxy Rule: Time tab Cr
- Page 251 and 252:
Figure 7-5. Proxy Rule: Application
- Page 253 and 254:
Figure 7-6. IP Filter Rules window
- Page 255 and 256:
About the IP Filter Source/ Dest ta
- Page 257 and 258:
Figure 7-8. IP Filter Time tab Crea
- Page 259 and 260:
Creating and managing rule groups C
- Page 261 and 262:
Figure 7-10. Modify Groups window A
- Page 263 and 264:
Figure 7-11. Active Rules window Ab
- Page 265 and 266:
Figure 7-13. IP Filter General Prop
- Page 267 and 268:
CHAPTER 8 Configuring Proxies Abou
- Page 269 and 270:
Proxy basics Important: Network att
- Page 271 and 272:
Redirected proxy connections Config
- Page 273 and 274:
Figure 8-2. Address redirection for
- Page 275 and 276:
Standard Sidewinder G2 proxies Prox
- Page 277 and 278:
Proxy Name Type and Port Descriptio
- Page 279 and 280:
Proxy Name Type and Port Descriptio
- Page 281 and 282:
Notes on selected proxy configurati
- Page 283 and 284:
Notes on using the FTP proxy Notes
- Page 285 and 286:
Sun RPC proxy considerations Notes
- Page 287 and 288:
Figure 8-5. News server behind the
- Page 289 and 290:
Notes on selected proxy configurati
- Page 291 and 292:
Notes on selected proxy configurati
- Page 293 and 294:
Notes on selected proxy configurati
- Page 295 and 296:
Proxy Name—Displays the name of t
- Page 297 and 298:
Figure 8-7. ica proxy Advanced tab
- Page 299 and 300:
Configuring connection ports Settin
- Page 301 and 302:
CHAPTER 9 Setting Up Authenticatio
- Page 303 and 304:
Administrator authentication Authen
- Page 305 and 306:
Supported authentication methods Su
- Page 307 and 308:
Supported authentication methods Wh
- Page 309 and 310:
Authentication process overview Aut
- Page 311 and 312:
Users, groups, and authentication C
- Page 313 and 314:
Configuring authentication services
- Page 315 and 316:
Figure 9-1. SSO Cached Authenticati
- Page 317 and 318:
Figure 9-3. LDAP configuration wind
- Page 319 and 320:
Figure 9-4. Password Configuration
- Page 321 and 322:
Adding or modifying a RADIUS server
- Page 323 and 324:
Figure 9-7. SecurID Configuration w
- Page 325 and 326:
Figure 9-8. SNK Configuration windo
- Page 327 and 328:
Adding or modifying a Windows domai
- Page 329 and 330:
Configuring SSO b. In the Edit Logi
- Page 331 and 332:
Setting up authentication for servi
- Page 333 and 334:
Setting up authentication for admin
- Page 335 and 336:
Allowing users to change their pass
- Page 337 and 338:
. Select Manual Proxy Configuration
- Page 339 and 340:
CHAPTER 10 Domain Name System (DNS
- Page 341 and 342:
What is DNS? In a hosted DNS config
- Page 343 and 344:
Figure 10-1. Mail exchanger example
- Page 345 and 346:
Enabling and disabling your DNS ser
- Page 347 and 348:
Managing your current DNS configura
- Page 349 and 350:
Configuring hosted DNS servers Figu
- Page 351 and 352:
Figure 10-6. DNS Server Configurati
- Page 353 and 354:
Entering information on the Advance
- Page 355 and 356:
Figure 10-7. DNS Zones window Confi
- Page 357 and 358:
About the Zone List window About th
- Page 359 and 360:
Figure 10-8. Master Zone Attributes
- Page 361 and 362:
Adding a forward lookup sub-domain
- Page 363 and 364:
Figure 10-9. Master Zone Contents t
- Page 365 and 366:
Adding a new forward lookup entry C
- Page 367 and 368:
Reconfiguring DNS Reconfiguring DNS
- Page 369 and 370:
Figure 10-10. Reconfigure transpare
- Page 371 and 372:
About the Reconfiguring DNS: Sidewi
- Page 373 and 374:
Manually editing DNS configuration
- Page 375 and 376:
CHAPTER 11 Electronic Mail About t
- Page 377 and 378:
Overview of e-mail on Sidewinder G2
- Page 379 and 380:
Sendmail differences on Sidewinder
- Page 381 and 382:
Managing sendmail Managing sendmail
- Page 383 and 384:
Figure 11-2. Reconfigure Mail windo
- Page 385 and 386:
Figure 11-3. Sidewinder G2 mailerta
- Page 387 and 388:
Configuring advanced antispam optio
- Page 389 and 390:
Configuring the policy.cfg file Con
- Page 391 and 392:
About the COPY action Configuring a
- Page 393 and 394:
Configuring advanced anti-spam opti
- Page 395 and 396:
Redirecting mail to a different des
- Page 397 and 398:
Other sendmail features You can con
- Page 399 and 400:
Figure 11-5. Type of relayed messag
- Page 401 and 402:
Managing mail queues Managing mail
- Page 403 and 404:
CHAPTER 12 Setting Up Web Services
- Page 405 and 406:
Figure 12-3. Access to the internal
- Page 407 and 408:
Figure 12-5. Option 2: The Web prox
- Page 409 and 410:
Figure 12-7. Standard (transparent)
- Page 411 and 412:
Using the HTTP proxy 4. Create an H
- Page 413 and 414:
Using the Web proxy server Caching
- Page 415 and 416:
Figure 12-10. Web proxy server wind
- Page 417 and 418:
Figure 12-12. Web Proxy Server wind
- Page 419 and 420:
Configuring Web Proxy Server HTTP f
- Page 421 and 422:
Configuring browsers for the Web pr
- Page 423 and 424:
Internet Explorer 5.x/6.x Configuri
- Page 425 and 426:
CHAPTER 13 Configuring Virtual P
- Page 427 and 428:
Protecting your information What ar
- Page 429 and 430:
Sidewinder G2 VPN overview To preve
- Page 431 and 432:
Configuring hardware acceleration f
- Page 433 and 434:
Sidewinder G2 VPN overview Implemen
- Page 435 and 436:
Configuring the ISAKMP server Figur
- Page 437 and 438:
Configuring the Certificate server
- Page 439 and 440:
Understanding virtual burbs Underst
- Page 441 and 442:
Understanding virtual burbs You can
- Page 443 and 444:
Figure 13-5. Client Address Pools A
- Page 445 and 446:
Figure 13-6. Client Address Pools:
- Page 447 and 448:
Figure 13-1. Client Address Pools:
- Page 449 and 450:
Figure 13-2. Client Address Pools:
- Page 451 and 452:
Adding or modifying a client identi
- Page 453 and 454:
Configuring Certificate Management
- Page 455 and 456:
Single certificate versus Certifica
- Page 457 and 458:
About the Certificate Authorities t
- Page 459 and 460:
Figure 13-8. Remote Identities tab
- Page 461 and 462:
Figure 13-9. Firewall certificates
- Page 463 and 464:
Configuring Certificate Management
- Page 465 and 466:
Configuring Certificate Management
- Page 467 and 468:
Figure 13-11. SSL Certificates tab
- Page 469 and 470:
Figure 13-3. Load Certificate for P
- Page 471 and 472:
Figure 13-13. Import Remote Certifi
- Page 473 and 474:
Figure 13-14. Export Firewall Certi
- Page 475 and 476:
Configuring VPN Security Associatio
- Page 477 and 478:
Figure 13-16. Security Associations
- Page 479 and 480:
Configuring VPN Security Associatio
- Page 481 and 482:
Configuring password information on
- Page 483 and 484:
Entering Certificate + Certificate
- Page 485 and 486:
Entering Single Certificate informa
- Page 487 and 488:
Configuring VPN Security Associatio
- Page 489 and 490:
Example VPN Scenarios Example VPN S
- Page 491 and 492:
Example VPN Scenarios How it is don
- Page 493 and 494:
Example VPN Scenarios All clients
- Page 495 and 496:
Example VPN Scenarios c. Click New.
- Page 497 and 498:
The assumptions This VPN scenario a
- Page 499 and 500:
Example VPN Scenarios 2. In the Adm
- Page 501 and 502:
Example VPN Scenarios a. On the Cer
- Page 503 and 504:
CHAPTER 14 Configuring the SNMP Ag
- Page 505 and 506:
Figure 14-2. Community name within
- Page 507 and 508:
SNMP and Sidewinder G2 IPSEC_FAILU
- Page 509 and 510:
Figure 14-3. MIBs supported by the
- Page 511 and 512:
Defining a community name Setting u
- Page 513 and 514:
Communication with systems in an ex
- Page 515 and 516:
CHAPTER 15 One-To-Many Clusters Ab
- Page 517 and 518:
Overview DNS services must be conf
- Page 519 and 520:
Figure 15-2. Sample network configu
- Page 521 and 522:
Configuring One-To-Many b. In the P
- Page 523 and 524:
Configuring One-To-Many 3. In the R
- Page 525 and 526:
About the Modify Primary Address wi
- Page 527 and 528:
Understanding the One-To-Many tree
- Page 529 and 530:
Understanding the One-To-Many tree
- Page 531 and 532:
CHAPTER 16 High Availability About
- Page 533 and 534:
HA configuration options HA configu
- Page 535 and 536:
You can configure failover HA in on
- Page 537 and 538:
Configuring HA — DNS configuratio
- Page 539 and 540:
Configuring HA 8. Select the HA con
- Page 541 and 542:
Configuring HA Cluster ID—Select
- Page 543 and 544:
Joining a Sidewinder G2 to an exist
- Page 545 and 546:
Configuring HA 8. Click Next. The S
- Page 547 and 548:
Removing the primary from an HA clu
- Page 549 and 550:
Figure 16-3. Special HA and Interfa
- Page 551 and 552:
About the Common Parameters tab Man
- Page 553 and 554:
Changing the multicast address Mana
- Page 555 and 556:
Figure 16-2. Local Parameters tab A
- Page 557 and 558:
Managing an HA cluster Scheduling a
- Page 559 and 560:
Connecting directly to a secondary/
- Page 561 and 562:
CHAPTER 17 Alarm Events and Respon
- Page 563 and 564:
Table 17-1. Alarm event column desc
- Page 565 and 566:
Filter Name Description Configuring
- Page 567 and 568:
Configuring alarm events and event
- Page 569 and 570:
Figure 17-3. Event Response tab Abo
- Page 571 and 572:
Configuring alarm events and event
- Page 573 and 574:
Example alarm event scenario Exampl
- Page 575 and 576:
Sample Strikeback results Sample St
- Page 577 and 578:
Ignoring network probe attempts Ign
- Page 579 and 580:
Checking system status Checking sys
- Page 581 and 582:
Rlg0 7418 p2 IW+ 0:01.30.u (tcsh) t
- Page 583 and 584:
Network interfaces Checking network
- Page 585 and 586:
Checking network status ; Dig 2.1
- Page 587 and 588:
CHAPTER 18 Monitoring, Auditing, a
- Page 589 and 590:
Monitoring Sidewinder G2 status Fig
- Page 591 and 592:
Auditing on the Sidewinder G2 Audit
- Page 593 and 594:
Figure 18-3. Audit Viewing: View Mo
- Page 595 and 596:
Figure 18-4. Snapshot Audit Data wi
- Page 597 and 598:
Figure 18-5. Export Audit Data wind
- Page 599 and 600:
Figure 18-6. Audit Filtering tab Ab
- Page 601 and 602:
Filter Type Description Auditing on
- Page 603 and 604:
Example 2: Filtering for services a
- Page 605 and 606:
Field Description src_burb Specify
- Page 607 and 608:
Logging application messages using
- Page 609 and 610:
Generating and viewing reports usin
- Page 611 and 612:
Figure 18-7. Firewall Reports windo
- Page 613 and 614:
Report Type Description Generating
- Page 615 and 616:
Report Type Description Generating
- Page 617 and 618:
Using third party reporting tools U
- Page 619 and 620:
Using third party reporting tools 3
- Page 621 and 622:
APPENDIX A Command Line Referenc
- Page 623 and 624:
Sidewinder G2 area Commands Area De
- Page 625 and 626:
Sidewinder G2 area Commands Area De
- Page 627 and 628:
Sidewinder G2 area Commands Area De
- Page 629 and 630:
Sidewinder G2 area Commands Area De
- Page 631 and 632:
Working with files on the Sidewinde
- Page 633 and 634:
Changing a file’s type (chtype) W
- Page 635 and 636:
Understanding automatic (cron) jobs
- Page 637 and 638:
Understanding automatic (cron) jobs
- Page 639 and 640:
APPENDIX B Setting Up Network Ti
- Page 641 and 642:
Figure B-2. Sidewinder G2 as an NTP
- Page 643 and 644:
Figure B-4. NTP conflict: Sidewinde
- Page 645 and 646:
Configuring NTP on a Sidewinder G2
- Page 647 and 648:
APPENDIX C Configuring Dynamic R
- Page 649 and 650:
Overview All OSPF routers on a netw
- Page 651 and 652:
Figure C-3. Sidewinder G2 within OS
- Page 653 and 654:
Figure C-5. OSPF Properties tab Abo
- Page 655 and 656:
Figure C-6. OSPF Area tab Setting u
- Page 657 and 658:
Authentication Information window F
- Page 659 and 660:
Configuring "passive" OSPF Other im
- Page 661 and 662:
APPENDIX D Configuring Dynamic R
- Page 663 and 664:
RIP processing on the Sidewinder G2
- Page 665 and 666:
RIP with the Sidewinder G2 using tr
- Page 667 and 668:
If connection is lost between Route
- Page 669 and 670:
Figure D-4. RIP with the Sidewinder
- Page 671 and 672:
RIP with the Sidewinder G2 NOT usin
- Page 673 and 674:
Configuring RIP on the Sidewinder G
- Page 675 and 676:
Enabling/ disabling the routed serv
- Page 677 and 678:
APPENDIX E Setting Up SmartFilte
- Page 679 and 680:
Subscribing to the SmartFilter Cont
- Page 681 and 682:
Figure E-1. SmartFilter window: Gen
- Page 683 and 684:
Figure E-2. SmartFilter Advanced ta
- Page 685 and 686:
Editing the SmartFilter files Table
- Page 687 and 688:
Table E-2. Category Codes Editing t
- Page 689 and 690:
APPENDIX F Basic Troubleshooting
- Page 691 and 692:
Restoring access to the Admin Conso
- Page 693 and 694:
Backing up system files The Sidewin
- Page 695 and 696:
Performing an incremental backup Ba
- Page 697 and 698:
Table F-2. Sidewinder G2 restore sc
- Page 699 and 700:
Restoring system files Performing a
- Page 701 and 702:
Table F-3. Restore Script Commands
- Page 703 and 704:
To add hardware, follow these steps
- Page 705 and 706:
Re-imaging your Sidewinder G2 Syste
- Page 707 and 708:
If you forget your administrator pa
- Page 709 and 710:
Interpreting beep patterns Interpre
- Page 711 and 712:
What you hear What it means What yo
- Page 713 and 714:
Troubleshooting proxy rules To dete
- Page 715 and 716:
Starting the rule monitoring tool (
- Page 717 and 718:
Troubleshooting High Availability T
- Page 719 and 720:
Troubleshooting High Availability N
- Page 721 and 722:
Troubleshooting High Availability N
- Page 723 and 724:
Why did NTP stop? Troubleshooting N
- Page 725 and 726:
REFERENCE Glossary ACE/Server A se
- Page 727 and 728:
Glossary BSD/OS The operation syste
- Page 729 and 730:
Glossary event response A response
- Page 731 and 732:
Glossary internal DNS Manages DNS i
- Page 733 and 734:
Glossary network-layer proxy Also k
- Page 735 and 736:
Glossary proxy A software agent tha
- Page 737 and 738:
Glossary SecureOS The UNIX-based op
- Page 739 and 740:
URL (universal resource locator) Gl
- Page 741 and 742:
A REFERENCE Index A record (addres
- Page 743 and 744:
ackup_file_list 3-15 complete (full
- Page 745 and 746:
checking 3-12 creator A-12 current
- Page 747 and 748:
overview 1-12 IP sniffing 1-2 IP sp
- Page 749 and 750:
NNTP 8-19 nntp proxy 8-11 non-trans
- Page 751 and 752:
to operational kernel command 3-4 r
- Page 753 and 754:
smartfilter.site file E-9 SMTP 11-2
- Page 755 and 756:
certificate authority 13-27 certifi
- Page 758:
The Sidewinder G2 ® Security Appli