Administrators Guide
Smoothwall Advanced Firewall, 2008 FP5-G3, Administrators Guide, 1st Edition, March 2011

Smoothwall Ltd. publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Advanced Firewall. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall Ltd.

For more information, contact: docs@smoothwall.net

This document was created and published in the United Kingdom.

2001-2011 Smoothwall Ltd. All rights reserved.

Trademark notice

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.
Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Pierre-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Advanced Firewall contains graphics taken from the Open Icon Library project: http://openiconlibrary.sourceforge.net/

Address

Smoothwall Limited
1 John Charles Way
Leeds, LS12 6QA
United Kingdom
info@smoothwall.net
www.smoothwall.net

Telephone
  USA and Canada: 1 800 959 3760
  United Kingdom: 0870 1 999 500
  All other countries: +44 870 1 999 500

Fax
  USA and Canada: 1 888 899 9164
  United Kingdom: 0870 1 991 399
  All other countries: +44 870 1 991 399
Contents
Overview of Advanced Firewall .... 1
Who should read this guide? .... 2
Other Documentation and User Information .... 2
Support .... 2
Annual Renewal .... 2
VPN .... 13
Email .... 14
SMTP .... 14
POP3 .... 15
Content .... 15
Anti-spam .... 15
Quarantine .... 15
Configuration Guidelines .... 15
Specifying Networks, Hosts and Ports .... 15
Using Comments .... 16
Creating, Editing and Removing Rules .... 16
Connecting via the Console .... 17
Connecting Using a Client .... 17
Connecting Using Web-based SSH .... 18
Secure Communication .... 18
Unknown Entity Warning .... 18
Inconsistent Site Address .... 18
Ports .... 38
Creating a Ports Rule .... 38
Creating an External Alias Rule .... 39
Editing and Removing External Alias Rules .... 40
Port Forwards from External Aliases .... 40
Creating a Source Mapping Rule .... 40
Editing and Removing Source Mapping Rules .... 41
Managing Internal Aliases .... 41
Creating an Internal Alias Rule .... 42
Editing and Removing Internal Alias Rules .... 42
Working with Secondary External Interfaces .... 43
Configuring a Secondary External Interface .... 43
Blocking by IP .... 47
Creating IP Blocking Rules .... 47
Editing and Removing IP Block Rules .... 48
Configuring Advanced Networking Features .... 49
Enabling Traffic Auditing .... 50
Dropping Traffic on a Per-interface Basis .... 51
Working with Port Groups .... 51
Creating a Port Group .... 52
Adding Ports to Existing Port Groups .... 52
Editing Port Groups .... 53
Deleting a Port Group .... 53
About Zone Bridging Rules .... 55
Creating a Zone Bridging Rule .... 55
Editing and Removing Zone Bridge Rules .... 57
A Zone Bridging Tutorial .... 57
Creating the Zone Bridging Rule .... 58
Allowing Access to the Web Server .... 58
Accessing a Database on the Protected Network .... 58
Group Bridging .... 59
Group Bridging and Authentication .... 59
Creating Group Bridging Rules .... 59
Editing and Removing Group Bridges .... 61
Configuring Reflective Port Forwards .... 67
Outbound Access .... 67
Port Rule Modes .... 68
Preset Port Rules .... 68
Creating a Port Rule .... 68
Editing a Port Rule .... 69
Viewing a Port Rule .... 70
Source Rules .... 70
Configuring the Default Source Rule Settings .... 71
Managing External Services .... 72
Assigning Rules to Groups .... 73
Working with User Portals .... 75
Creating a Portal .... 75
Configuring a Portal .... 77
Accessing Portals .... 80
Editing Portals .... 80
Deleting Portals .... 81
Web Proxy .... 81
Configuring and Enabling the Web Proxy Service .... 82
About Web Proxy Methods .... 85
Configuring End-user Browsers .... 86
Instant Messenger Proxying .... 87
Monitoring SSL-encrypted Chats .... 90
SIP Proxying .... 90
Types of SIP Proxy .... 90
Choosing the Type of SIP Proxying .... 91
Configuring SIP .... 91
FTP Proxying .... 92
Configuring FTP Proxying .... 92
About Transparent and Non-transparent FTP Proxying .... 94
SNMP .... 94
Censoring Content .... 95
DNS .... 95
Adding Static DNS Hosts .... 95
Enabling the DNS Proxy Service .... 96
Managing Dynamic DNS .... 96
Censoring Instant Message Content .... 98
Configuration Overview .... 98
Managing Custom Categories .... 98
Setting Time Periods .... 100
Creating Filters .... 101
Creating and Applying Message Censoring Policies .... 102
Editing Policies .... 103
Deleting Policies .... 103
Managing the Intrusion System .... 104
About the Default Policies .... 104
Deploying Intrusion Detection Policies .... 104
Deploying Intrusion Prevention Policies .... 105
Creating Custom Policies .... 107
Uploading Custom Signatures .... 108
DHCP .... 109
Enabling DHCP .... 110
Creating a DHCP Subnet .... 110
Editing a DHCP Subnet .... 113
Deleting a DHCP Subnet .... 113
Adding a Dynamic Range .... 113
Adding a Static Assignment .... 113
Adding a Static Assignment from the ARP Table .... 114
Editing and Removing Assignments .... 114
Viewing DHCP Leases .... 114
DHCP Relaying .... 115
Creating Custom DHCP Options .... 115
Creating the Tunnel on the Secondary System .... 136
Checking the System is Active .... 138
Activating the IPSec Tunnel .... 138
IPSec Site to Site and PSK Authentication .... 138
Creating the Tunnel Specification on the Primary System .... 138
Creating the Tunnel Specification on the Secondary System .... 140
Checking the System is Active .... 141
Activating the PSK Tunnel .... 141
About Road Warrior VPNs .... 141
Configuration Overview .... 141
IPSec Road Warriors .... 142
Creating an IPSec Road Warrior .... 143
Supported IPSec Clients .... 146
Creating L2TP Road Warrior Connections .... 146
Creating a Certificate .... 146
Configuring L2TP and SSL VPN Global Settings .... 147
Creating an L2TP Tunnel .... 148
Configuring an iPhone-compatible Tunnel .... 149
Using NAT-Traversal .... 150
VPNing Using L2TP Clients .... 151
L2TP Client Prerequisites .... 151
Connecting Using Windows XP/2000 .... 151
Installing an L2TP Client .... 151
Connecting Using Legacy Operating Systems .... 156
VPNing with SSL .... 156
Prerequisites .... 156
Configuring VPN with SSL .... 156
Managing SSL Road Warriors .... 158
Managing Group Access to SSL VPNs .... 158
Managing Custom Client Scripts for SSL VPNs .... 159
Generating SSL VPN Archives .... 159
Configuring SSL VPN on Internal Networks .... 160
Configuring and Connecting Clients .... 160
VPN Zone Bridging .... 164
Secure Internal Networking .... 164
Creating an Internal L2TP VPN .... 165
Advanced VPN Configuration .... 167
Multiple Local Certificates .... 167
Creating Multiple Local Certificates .... 167
Public Key Authentication .... 169
Configuring Both Ends of a Tunnel as CAs .... 169
VPNs between Business Partners .... 170
Extended Site to Site Routing .... 171
Managing VPN Systems .... 172
Automatically Starting the VPN System .... 172
Manually Controlling the VPN System .... 173
Viewing and Controlling Tunnels .... 174
VPN Logging .... 175
VPN Tutorials .... 175
Example 1: Preshared Key Authentication .... 175
Example 2: X509 Authentication .... 177
Example 3: Two Tunnels and Certificate Authentication .... 179
Example 4: IPSec Road Warrior Connection .... 180
Example 5: L2TP Road Warrior .... 183
Working with SafeNet SoftRemote .... 184
Configuring IPSec Road Warriors .... 184
Using the Security Policy Template SoftRemote .... 185
Creating a Connection without the Policy File .... 186
Advanced Configuration .... 189
SMTP Settings .... 191
SMTP Relay Settings .... 191
Anti-malware Settings .... 192
Transparent SMTP Interfaces Settings .... 193
External Mail Relay .... 193
Non-standard SMTP Checking .... 193
Internal Domains .... 194
Outgoing .... 195
Archiving .... 195
The Email Queue .... 196
POP3 Proxy .... 197
POP3 Proxy Configuration .... 198
Anti-malware .... 198
Customize Malware Message .... 198
Interfaces .... 199
Content .... 199
Footers .... 199
Attachments .... 200
Anti-spam .... 201
Archiving Email .... 220
Creating Archive Rules .... 220
Editing Archive Rules .... 220
Deleting Archive Rules .... 220
Managing the Email Queue .... 221
Generating Reports .... 248
Saving Reports .... 248
About Recent and Saved Reports .... 248
Changing Report Formats .... 249
Managing Reports and Folders .... 249
Report Permissions .... 250
Making Reports Available to Other Portals .... 250
Scheduling Reports .... 251
Managing Report Data .... 253
Storing Report Data Remotely .... 253
Managing Disk Space .... 255
About Disk Usage .... 255
Monitoring Log Insertion .... 256
Optimizing, Emptying and Pruning Databases .... 257
Backing up Data .... 257
Restoring Data .... 258
About Migrating from Earlier Versions .... 258
Working with Crystal Reports .... 258
Installing the Crystal Reports Client .... 258
Overview of the Crystal Reports Client .... 259
Using Custom Templates .... 260
Retrieving Logs .... 260
Opening Crystal Reports-compatible Reports .... 260
Retrieving Information and Opening Reports .... 261
Uninstalling the Crystal Reports Client .... 261
IPsec Logs .... 283
Email Logs .... 284
IDS Logs .... 285
IPS Logs .... 286
IM Proxy Logs .... 287
Web Proxy Logs .... 288
User Portal Logs .... 289
Configuring Log Settings .... 290
Configuring Other Log Settings .... 291
Managing Automatic Deletion of Logs .... 292
Configuring Groups .... 293
Creating Groups .... 293
Editing a Group .... 293
Deleting a Group .... 294
Configuring Output Settings .... 294
About Email to SMS Output .... 295
About Placeholder Tags .... 295
Configuring Email to SMS Output .... 296
Testing Email to SMS Output .... 296
Output to Email .... 297
Generating a Test Alert .... 297
Configuring the Hostname .... 313
Configuring Administration and Access Settings .... 314
Configuring Admin Access Options .... 314
Referral Checking .... 315
Configuring External Access .... 316
Editing and Removing External Access Rules .... 317
Administrative User Settings .... 317
Hardware .... 318
UPS Settings .... 318
Enabling UPS Monitoring .... 319
Managing Hardware Failover .... 322
How does it work? .... 322
Prerequisites .... 323
Configuring Hardware Failover .... 323
Administering Failover .... 326
Testing Failover .... 327
Configuring Modems .... 327
Installing and Uploading Firmware .... 329
Diagnostics .... 329
Configuration Tests .... 329
Generating Diagnostics .... 330
IP Tools .... 331
WhoIs .... 331
Analyzing Network Traffic .... 332
Managing CA Certificates .... 332
Reviewing CA Certificates .... 333
Importing CA Certificates .... 333
Exporting CA Certificates .... 333
Deleting and Restoring Certificates .... 334
Authentication .... 335
Overview .... 335
Verifying User Identity Credentials .... 335
About Authentication Mechanisms .... 335
Other Authentication Mechanisms .... 336
Choosing an Authentication Mechanism .... 336
About the Login Time-out .... 336
Advanced Firewall and DNS .... 336
A Common DNS Pitfall .... 337
Working with Large Directories .... 337
Active Directory .... 338
Active Directory Username Types .... 338
Accounts and NTLM Identification .... 338
Programmable Drill-Down Looping Engine .... 339
Example Report Template .... 340
Example Report .... 340
Report Templates, Creation and Editing .... 340
Viewing Reports, Exporting and Drill Down Reporting .... 340
Changing Report Formats .... 341
Changing Report Date Ranges .... 342
Navigating HTML Reports .... 342
Interpreted Results .... 343
Saving Reports .... 343
Changing the Report .... 343
Investigating Further (Drill down) .... 344
Creating Template Reports and Customizing Sections .... 345
Ordering Sections .... 345
Grouped Sections .... 346
Understanding Groups and Grouped Options .... 346
Feed-Forward Reporting .... 347
Iterative Reporting .... 347
Group Ordering .... 348
Grouping Sections .... 348
Creating Feed-forward and Iterative Groups .... 348
Exporting Options .... 349
Reporting Folders ....
350 Creating a Folder ......................................................................................... 353 Renaming Folders........................................................................................ 353 Deleting Folders........................................................................................... 353 Scheduling Reports ................................................................................... 353 Portal Permissions..................................................................................... 354 Reporting Sections .................................................................................... 354 Generators and Linkers................................................................................ 354 General Sections.......................................................................................... 355 Network Interfaces ....................................................................................... 356 The Anatomy of a URL................................................................................. 356 HTTP Request Methods, HTTPS Interception and Man in the Middle......... 357 Guardian Status Filtering ............................................................................. 358 Search Terms and Search Phrases............................................................. 358 Filtering by Search Terms ............................................................................ 359 URL Extraction and Manipulation................................................................. 360 Origin Filtering.............................................................................................. 362
Appendix D
Appendix E
xii
1s
Ed i
ti
on
Appendix F
External Self-Managed SMTP Email Server............................................. 369 External Mail Server using POP3 Collection ........................................... 370 Basic Hosting Arrangement...................................................................... 373 Extended Hosting Arrangement ............................................................... 374 More Advanced Hosting Arrangement..................................................... 375
Glossary Index
1s
Ed i
ti
on
xiii
Contents
xiv
1s
Ed i
ti
on
Chapter 1
Introduction
In this chapter:
- An overview of Advanced Firewall
- Who should read this guide
- Support information.
Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway. Advanced Firewall provides:
- Perimeter firewall: multiple Internet connections with load sharing and automatic connection failover
- User authentication: policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
- Load balancer: the ideal solution for the efficient and resilient use of multiple Internet connections
- Internal firewall: segregation of networks into physically separate zones with user-level access control of inter-zone traffic
- Email Security: anti-spam, anti-malware, mail relay and control
- VPN Gateway: site-to-site, secure remote access and secure wireless connections.
Support
All Smoothwall products include unlimited email and telephone support for 30 days from the date of purchase of the software licence. For more information, visit: http://www.smoothwall.net/support/
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. Annual renewal is a single yearly payment that covers the issue of subscriptions, security patches and Feature Packs for Advanced Firewall for a period of 12 months. For more information, contact your Smoothwall representative or visit http://www.smoothwall.net/
Chapter 2
Advanced Firewall Overview
Note: The following sections assume that you have registered and configured Advanced Firewall as
To access Advanced Firewall:
1 In the browser of your choice, enter the address of your Advanced Firewall, for example:
https://192.168.72.141:441
Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security. For more information, see Secure Communication on page 53.
2 Accept Advanced Firewall's certificate. The following screen is displayed:
3 Enter admin. This is the default Advanced Firewall administrator account. Enter the password you specified for the admin account when installing Advanced Firewall.
The following sections give an overview of Advanced Firewall's default sections and pages. The navigation bar displayed at the top of every page contains links to Advanced Firewall's sections and pages.

Info
The info section contains the following sub-sections and pages:

Main
Pages and descriptions:
control: The control page is the default home page of your Advanced Firewall system. It displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports. For more information, see Chapter 15, About the Control Page on page 263.
summary: Displays a number of generated reports. For more information, see Chapter 15,
about: The about page is where Advanced Firewall product, registration and trademark information as well as acknowledgements are displayed. For more information, see Chapter 15, About the About Page on page 264.

Reports
Pages and descriptions:
reports: Where you generate and organize reports. For more information, see Chapter 14,
recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 14, Saving Reports on page 248.
scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 14, Scheduling Reports on page 251.
custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 339.

Alerts
Pages and descriptions:
alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 15, Alerts on page 264.
alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 15, Configuring Alert Settings on page 268.

Realtime
Pages and descriptions:
system: A realtime view of the system log with some filtering options. For more information, see Chapter 15, System Information on page 273.
firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 15, Firewall Information on page 274.
ipsec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 15, IPsec Information on page 275.
portal: A realtime view of activity on user portals. For more information, see Chapter 15, Portal Information on page 276.
im proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 15, Instant Messaging on page 276.
traffic graphs: Displays a realtime bar graph of the bandwidth being used by each interface, including IPsec interfaces, with traffic passing down it. For more information, see Chapter 15, Traffic Graphs on page 277.

Logs
Pages and descriptions:
system: Simple logging information for the internal system services. For more information, see Chapter 15, System Logs on page 279.
firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 15, Firewall Logs on page 281.
ipsec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 15, IPsec Logs on page 283.
ids: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 15, IDS Logs on page 285.
ips: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 15, IPS Logs on page 286.
im proxy: Displays information on instant messaging conversations. For more information, see Chapter 15, IM Proxy Logs on page 287.
web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 15, Web Proxy Logs on page 288.
user portal: Displays information on access by users to portals. For more information, see Chapter 15, User Portal Logs on page 289.
log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Chapter 15, Configuring Log Settings on page 290.

Settings
Pages and descriptions:
database settings: Settings to manage the database storing Advanced Firewall report data. For more information, see Chapter 14, Managing Report Data on page 253.
database backup: Enables you to back up and restore data stored by add-on modules in the logging and reporting database. For more information, see the add-on module administrator guides.
groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 15, Configuring Groups on page 293.
output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 15, Configuring Output Settings on page 294.

Networking
The networking section contains the following sub-sections and pages:

Filtering
Pages and descriptions:
zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 55.
group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 59.
ip block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 47.

Routing
Pages and descriptions:
subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 33.
rip: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 34.
sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 36.
ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 38.

Interfaces
Pages and descriptions:
interfaces: Configure and display information on your Advanced Firewall's internal and external interfaces. For more information, see Chapter 3, Managing Network Interfaces on page 21.
internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 41.
external aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 39.
connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Creating a Connection Profile on page 24.
ppp: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 30.
secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 43.

Firewall
Pages and descriptions:
port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards Inbound Security on page 63.
source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 40.
advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 66.

Outgoing
Pages and descriptions:
sources: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Source Rules on page 70.
groups: Used to assign outbound access controls to authenticated groups of users. For more information, see Chapter 7, Assigning Rules to Groups on page 73.
ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Outbound Access on page 67.
external services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 72.

Settings
Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 51.
Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 49.

Services
The services section contains the following sub-sections and pages:
Authentication
Pages and descriptions:
control: Used to view the current status of the authentication system, and to restart and stop the service. It also allows diagnostic tests to be performed against different areas of the authentication service. For more information, see Chapter 13, Authentication and User Management on page 223.
Used to set global login time settings. For more information, see Chapter 13,
Used to customize group names. For more information, see Chapter 13, Managing Groups of Users on page 231.
user activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 13, Viewing User Activity on page 227.
ssl login: Used to customize the end-user login page. For more information, see Chapter
Used to add, import and export user profiles, for example usernames and passwords, to and from the system's own local user database. For more information, see Chapter 13, Managing Local Users on page 223.
Enables you to manage temporarily banned user accounts. For more information, see Chapter 13, Managing Temporarily Banned Users on page 226.

User Portal
Pages and descriptions:
portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with User Portals on page 75.
groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 79.
user exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 79.

Proxies
Pages and descriptions:
web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Web Proxy on page 81.
instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 87.
sip: Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 90.
Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 92.

SNMP
Pages and descriptions:
snmp: Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 94.

DNS
Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 95.
Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 96.
Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 96.

Message Censor
Pages and descriptions:
policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censoring Policies on page 102.
filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 101.
time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 100.
custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 98.

Intrusion System
Pages and descriptions:
signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 108.
Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 107.
Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 104.
Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 105.

DHCP
Pages and descriptions:
global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 110.
dhcp server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 110.
dhcp leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 114.
dhcp relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 115.
dhcp custom options: Used to create and edit custom DHCP options. For more information, see Chapter

System
The system section contains the following sub-sections and pages:

Maintenance
Pages and descriptions:
updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 16, Managing Updates on page 299.
modules: Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Chapter 16, Managing Modules on page 301.
licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 16, Licenses on page 302.
Used to create and restore archives of system configuration information. For more information, see Chapter 16, Archives on page 302.
Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 16, Scheduling on page 304.
Used to configure your Advanced Firewall as a replication master or a replication slave. For more information, see Chapter 16, Replication on page 307.
Used to shutdown or reboot the system. For more information, see Chapter 16,
shell: Used to access the Advanced Firewall's system console via a Java-based SSH shell. For more information, see Chapter 16, Shell Access on page 309.

Preferences
Pages and descriptions:
user interface: Used to set the host description of the system, select the behavior of the web interface and specify reports to display. For more information, see Chapter 16, Configuring the User Interface on page 310.
Used to manage Advanced Firewall's time zone, date and time settings. For more information, see Chapter 16, Setting Time on page 311.
Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 16, Configuring Registration Options on page 312.
Used to configure Advanced Firewall's hostname. For more information, see Chapter 16, Configuring the Hostname on page 313.

Administration
Pages and descriptions:
admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 16, Configuring Admin Access Options on page 314.
external access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 16, Configuring External Access on page 316.
administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 16, Administrative User Settings on page 317.

Hardware
Pages and descriptions:
ups: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 16, UPS Settings on page 318.
failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 16, Managing Hardware Failover on page 322.
modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 16, Configuring Modems on page 327.
firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 16, Installing and Uploading Firmware on page 329.

Diagnostics
Pages and descriptions:
configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 16, Diagnostics on page 329.
diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 16, Generating Diagnostics on page 330.
ip tools: Contains the ping and traceroute IP tools. For more information, see Chapter 16,
whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 16, WhoIs on page 331.
traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 16, Analyzing Network Traffic on page 332.
Certs
Pages and descriptions:
ca: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 16, Managing CA Certificates on page 332.

VPN
The vpn section contains the following pages:
control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 172.
Used to create a local certificate authority (CA) for use in an X509 authenticated based VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 121.
certs: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 124.
Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 128.
Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs IPSec on page 129.
ipsec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see
ssl roadwarriors
Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 159.
l2tp roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 146.

Email

SMTP
Pages and descriptions:
relay: This is where you configure and enable email relay settings. For more information, see Chapter 10, SMTP Relay Settings on page 191.
internal domains: This is where you set the domains that SmoothZap will relay incoming email for. For more information, see Chapter 10, Internal Domains on page 194.
outgoing: This is where you set the IP address or subnets of machines on the local network that are to be allowed to relay mail through SmoothZap. For more information, see Chapter 10, Outgoing on page 195.
archiving: Here you can specify the criteria used to determine which email messages are to be archived. For more information, see Chapter 10, Archiving on page 195.
queue: Here you can view summary information and statistics about the email relay queue. You can also manually flush the email queue if required. For more information, see Chapter 10, The Email Queue on page 196.

POP3
Pages and descriptions:
proxy: Here you configure and enable transparent POP3 proxying and AV scanning for incoming email. For more information, see Chapter 10, POP3 Proxy on page 197.

Content
Pages and descriptions:
footers: Here you can enter text you want to add to email managed by SmoothZap. For more information, see Chapter 10, Footers on page 199.
attachments: Here you specify how SmoothZap should manage email attachments. For more information, see Chapter 10, Attachments on page 200.

Anti-spam
Pages and descriptions:
anti-spam: Here you configure protection against spam. For more information, see Chapter 10, Anti-spam on page 201.

Quarantine
Pages and descriptions:
Viewer: On this page, you can preview, release and/or delete email messages. For more information, see Chapter 12, Managing Quarantined Email on page 218.
Settings: On this page, you configure quarantine settings. For more information, see Chapter 12, Configuring Quarantine on page 217.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

Service or Port
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139

Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating a Rule
To create a rule:
1 Enter configuration details in the Add a new rule area.
2 Click Add to create the rule and add it to the appropriate Current rules area.
Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.
Removing a Rule
To remove one or more rules:
Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 16, Configuring Admin Access Options on page 314 for more information.
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY, or from the system > maintenance > shell page.
To connect using an SSH client:
1. Check SSH access is enabled on Advanced Firewall. See Chapter 16, Configuring Admin Access Options on page 314 for more information.
2. Start PuTTY or an equivalent client and enter the following:
Host Name (or IP address): Enter Advanced Firewall's host name or IP address.
3. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.
From the system > maintenance > shell page, enter the username root, and the password associated with it. As the root user, you will access the Advanced Firewall command line.
Secure Communication
When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or that you are connecting to a site pretending to be another site.
To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.
A certificate can only contain a single site name, and in Advanced Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning, which will also ignore these security checks in the future. Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
Chapter 3
Working with Connections
The following settings for your Advanced Firewall's internal interface are available:
Default interface: A drop-down list of the current interfaces available.
Heartbeat interface: The network interface used by the hardware failover master and failover unit systems to communicate with each other. For more information, see Chapter 16, Managing Hardware Failover on page 322.
Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the details of the appropriate DNS server within that infrastructure. If in doubt, leave this setting at the default value of 127.0.0.1, i.e. localhost. For more information, see Appendix A, Advanced Firewall and DNS on page 336.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available. If the primary DNS server setting is set to 127.0.0.1, i.e. localhost, leave this setting empty.
Default gateway: If Advanced Firewall is not going to become your network's gateway, enter the gateway here.
Note: In nearly all setups, Advanced Firewall will be connected to an external connection such as an ADSL router, leased line, or ISDN line. In this case, leave this field blank.
On the networking > interfaces > interfaces page, locate the interface in the Default interface drop-down list and, in the appropriate Settings area, enter the following settings:
IP address: Enter the IP address you want Advanced Firewall to use on your internal network.
Netmask: If required, enter the netmask Advanced Firewall should use on your internal network.
Browse to the bottom of the page. Click Save to save the changes and then click Restart to restart networking.
Note: Restarting the networking system can take some time and may interrupt some services.
After 15 seconds, in your browser's address field, enter the new IP address. When prompted, enter your user name and password. Advanced Firewall now uses the new IP address.
Virtual LANs
Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.
Creating a VLAN
To create a VLAN:
On the networking > interfaces > interfaces page, configure the following settings:
Interface: Select the interface from the drop-down list of NICs available.
VLAN tag: Enter a tag in the range 1 - 4095 to create a separate network.
Note: We do not recommend using a VLAN tag of 1.
Click Add. The VLAN is added to the list of interfaces below, where you can configure it.
Configuring a VLAN
To configure the VLAN:
In the Interfaces area, locate the VLAN and configure the following settings:
Name: Enter a name for the VLAN.
VLAN tag: Displays the tag you specified when first creating the VLAN.
Note: We do not recommend using a VLAN tag of 1.
Internal: Select to specify internal VLAN settings.
IP address: Enter the IP address that this VLAN NIC will use on your internal network.
Netmask: Enter the network mask used in conjunction with the internal IP address to define the network that this VLAN NIC belongs to.
MTU: Accept the default maximum transmission unit (MTU), or enter the value required in your environment.
Click Save to save your settings and click Restart to restart the network and implement the VLAN.
Note: Restarting networking can take some time and may interrupt some services.
Interfaces
Here you can review all the settings for your Advanced Firewall interfaces.
Tip: Clicking the graph takes you to the relevant interface report. Text in blue denotes that the current IP address and other information differ from the entered values. This is useful for showing the IPs of external interfaces so they are not accidentally reconfigured as internal ones.
Restarting Networking
Several key changes may have an effect on connectivity of Advanced Firewall. For this reason, most changes are only applied when networking is restarted.
To restart networking:
Click Restart.
Note: Restarting networking can take some time and may interrupt some services.
Advanced Firewall can be connected to the Internet by:
An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.
An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall.
An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.
Up to five different connections to the Internet can be defined, each stored in its own connection profile. Each connection profile defines the type of connection that should be used and appropriate settings.
Modem Profiles
A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.
To create a connection profile, configure the following global settings:
Select Empty from the drop-down list and click Select.
Enter a name for the connection profile.
Choose the connection method from the drop-down list. Options include:
Static Ethernet
DHCP Ethernet
PPP over Ethernet
PPTP over Ethernet
ADSL Modem (for more information, see Configuring an ADSL/DSL Modem on page 29)
Modem (for more information, see Configuring a Dial-up Modem Connection on page 30)
For the other methods, see the method-specific sections later in this chapter.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to use if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address that is known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address that is known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weighting to the external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update to display further method-specific settings in the settings area.
At this point, click Save, as configuration using other pages may be necessary for some connection methods, for example PPP and modem profiles. To complete the connection profile, refer to the method-specific sections in the remaining sections of this chapter.
1. Configure the global settings and select Static Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the settings area, configure the following:
From the drop-down list, select the Ethernet interface for this connection.
Enter the default gateway IP address as provided by your ISP.
Enter the static IP address provided by your ISP.
Enter the subnet mask as provided by your ISP.
Enter the primary DNS server details as provided by your ISP.
Enter the secondary DNS server details as provided by your ISP.
3. Click Save.
1. Configure the global settings and select DHCP Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the DHCP Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally, enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a MAC spoof value if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
3. Click Save.
1. Configure the global settings and select PPP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the PPP over Ethernet settings area, configure the following settings:
Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one.
3. Click Save.
1. Configure the global settings and select PPTP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the PPTP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
Enter the IP address assigned by your ISP.
Enter the netmask assigned by your ISP.
Enter the gateway assigned by your ISP.
Enter the dial telephone number as provided by your ISP.
3. Click Save.
the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To complete the connection profile:
1. Configure the global settings and select ADSL Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the ADSL Modem settings area, configure the following settings:
Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
3. Click Save.
installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To complete the connection profile:
1. Configure the global settings and select ISDN TA as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the ISDN settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
Enter the telephone number for the ISDN connection.
From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.
Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data rate falls below the threshold.
3. Click Save.
1. Configure the global settings and select Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.
2. In the Modem settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
From the drop-down list, select the modem profile to use. See Configuring Modems on page 327 for more information on modem profiles.
Enter the telephone number for the connection.
3. Click Save.
From the drop-down list, select Empty.
Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established if an outbound request is made. This may help reduce costs if your ISP uses per-unit-time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests. This is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following a failure to connect.
Username: Enter your ISP-assigned username.
Password: Enter your ISP-assigned password.
Method: Choose the authentication method as specified by your ISP.
Script name: Enter the name of a logon script here, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP. Manual: select if your ISP has provided you with DNS server addresses to enter. Automatic: select if your ISP automatically allocates DNS settings upon connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.
Modifying Profiles
To modify an existing connection, PPP or modem profile:
1. Navigate to the appropriate profile page.
2. Choose the profile that you wish to modify from the Profiles drop-down list and click Select. The profile details will now be displayed.
3. Make changes to any of the fields, review the changes and click Save.
Note: Any changes made to a profile that is used as part of a current connection will only be applied following re-connection. The connection can be manually restarted on the main > control page.
Deleting Profiles
To delete an existing connection, PPP or modem profile:
1. Navigate to the appropriate profile page.
2. Choose the profile that you wish to delete from the Profiles drop-down list and click Select. The profile details will now be displayed.
3. If you are certain that you wish to delete the selected profile, click Delete.
Note: Deleting a profile that is used as part of a current connection will cause the current connection to close.
Chapter 4
Managing Your Network Infrastructure
Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.
To create a subnet rule, configure the following settings:
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the Network field.
Gateway: Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone. Advanced Firewall must be able to route to the gateway device for the subnet to be successfully configured, so the gateway address must be on a network that Advanced Firewall is directly attached to.
Metric: Enter a router metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds. Advanced Firewall's RIP service can:
Operate in import, export or combined import/export mode
Support password and MD5 authentication
Export direct routes to the system's internal interfaces.
To configure the RIP service, configure the following settings:
Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or reconsider the suitability of the RIP service for propagating routing information.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import and Export: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP-enabled gateways.
Import: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways.
Export: The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.
Logging level
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
None: In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
Password: In this mode, a plain text password is specified which must match that of the other RIP devices.
MD5: In this mode, an MD5 hashed password is specified which must match that of the other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
Click Save.
Sources
The sources page is used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.
To create a source rule, configure the following settings:
Source IP: Enter the source IP or subnet range of the internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 38.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.
Note: If the external interface is set to Exception, any traffic specified here will not
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.
Click Add.
Removing a Rule
To remove one or more rules:
Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.
2. Alter the configuration values as necessary, and click Add.
Ports
The ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
Note: The rules specified on the sources page will always be examined first, so traffic will only travel down this list of ports if it does not first hit a sources rule. For more information, see Sources on page 36.
To create a port rule, configure the following settings:
Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
User defined: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface.
Note: Using Exception will always send traffic out via the primary, no matter
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
Click Add to create the rule. The rule is created and listed in the Current rules area.
Removing Rules
To remove one or more rules:
Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Select the rule in the Current rules area and click Edit.
2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.
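The evaluation order described above (sources rules are consulted first, then ports rules, and Exception pins traffic to the primary external connection) is easy to get wrong when several rules overlap. The following Python is an added example for checking a rule set before applying it; it is not Smoothwall's own code, and the rule fields, the interface names and the "PRIMARY" placeholder are assumptions. It also applies the internal-interface check on sources rules and the low:high port range notation that this guide describes elsewhere.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder for the primary external connection (an assumed name).
PRIMARY = "PRIMARY"


@dataclass
class SourceRule:
    """A sources page rule (constructed field names)."""
    source: str            # single IP "192.168.10.50" or subnet "192.168.10.0/24"
    internal_iface: str    # interface the traffic must arrive on
    external_iface: str    # external interface name, or "Exception"
    enabled: bool = True


@dataclass
class PortRule:
    """A ports page rule (constructed field names)."""
    protocol: str          # "tcp" or "udp"
    ports: str             # single port "25" or range "137:139"
    external_iface: str    # external interface name, or "Exception"
    enabled: bool = True


def port_matches(spec, port):
    """True if port falls inside a single-port or low:high spec."""
    if ":" in spec:
        low, high = (int(p) for p in spec.split(":", 1))
        return low <= port <= high
    return int(spec) == port


def resolve(external_iface):
    """Exception always means the primary external connection."""
    return PRIMARY if external_iface == "Exception" else external_iface


def choose_external(source_rules, port_rules, src_ip, in_iface, proto, dport):
    """Return the external connection a packet would leave through.

    First matching sources rule wins and the ports list is never consulted;
    otherwise the first matching ports rule wins; otherwise the primary.
    """
    src = ip_address(src_ip)
    for r in source_rules:
        if not r.enabled or r.internal_iface != in_iface:
            continue
        # strict=False lets a bare host address be treated as a /32
        if src in ip_network(r.source, strict=False):
            return resolve(r.external_iface)
    for r in port_rules:
        if r.enabled and r.protocol == proto and port_matches(r.ports, dport):
            return resolve(r.external_iface)
    return PRIMARY


# Constructed sample rule set: one host is exempted ahead of its subnet,
# SMTP is steered to a third connection, and a NetBIOS rule is disabled.
SAMPLE_SOURCE_RULES = [
    SourceRule("192.168.10.50", "eth0", "Exception"),
    SourceRule("192.168.10.0/24", "eth0", "ext2"),
]
SAMPLE_PORT_RULES = [
    PortRule("tcp", "25", "ext3"),
    PortRule("udp", "137:139", "ext2", enabled=False),
]

if __name__ == "__main__":
    for pkt in [("192.168.10.50", "eth0", "tcp", 25),
                ("192.168.10.7", "eth0", "tcp", 25),
                ("192.168.20.7", "eth0", "tcp", 25)]:
        print(pkt, "->", choose_external(SAMPLE_SOURCE_RULES, SAMPLE_PORT_RULES, *pkt))
```

Rule order matters in the sample: the single-host Exception rule has to come before the /24 rule, or the subnet rule would capture that host first.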
To create an external alias rule, configure the following settings:
External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address. Click to select the interface.
Used to determine when the external alias is active. Options include:
All: The external alias will always be active, irrespective of the currently active connection profile.
Named connection profile: The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask: Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.
Comment: A field used to assign a helpful message describing the external alias rule.
Enabled: Determines whether the external alias rule is currently active.
Click Add. The external alias rule is added to the Current rules table.
To create a source mapping rule, configure the following settings:
Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, entering 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.
From the drop-down list, select the external alias that outbound communication is mapped to.
Enter a description of the rule.
Select to enable the rule.
Click Add. The source mapping rule is added to the Current rules table.
of security implications and limitations that using this feature will impose on the rest of your network. Internal alias rules are used to create such bindings on an internal network interface, thus enabling it to route packets to and from IP addresses on a virtual subnet without the need for physical switches.
Note: No services will run on the alias IP.
Note: Use of this feature is not normally recommended for the following reasons:
No physical separation: Internal aliases should not be considered a substitute for physically separating multiple networks. Network users can join a logical subnet simply by changing their IP address.
No DHCP service: DHCP servers cannot serve a logical subnet, as it is impossible for them to know which subnet (physical or logical) the client should be on.
No direct DNS or proxy access: The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface, which is not the case when an alias is in use.
Generally, internal aliases should only be created in special circumstances.
To create an internal alias rule, configure the following settings:
From the drop-down menu, select the internal interface on which to create the alias.
Enter an IP address for the internal alias.
Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).
Enter a description of the rule.
Select to enable the rule.
Click Add. The internal alias rule is added to the Current rules table.
From the drop-down list, select the interface you want to use as the secondary external interface. Click to select the interface. Enter the IP address. Enter the netmask. Enter the default gateway. Select to enable the interface
43
Chapter 4 Managing Your Network Infrastructure Working with Secondary External Interfaces Setting Primary failover ping IP Description
Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.
Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.
Load balance outgoing traffic Optionally, select to add the currently selected secondary address to
the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.
Note: If no load balance options are enabled, all traffic will be sent
Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool. Note - If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.
Weighting: Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
- A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
- A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
- A connection weighted 2 will be given twice as much load as a connection weighted 1.
The weighting value is especially useful for load balancing external connections of differing speeds.
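As an added example (not code from the guide or from Smoothwall), the following Python models the weighted split described above with a smooth weighted round-robin over the pooled connections, and sends everything out of the primary when no connection has been added to the pool, as the note states. The connection names and the scheduler are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Connection:
    """An external connection as configured on the page (constructed example)."""
    name: str
    weight: int = 1        # the Weighting setting; only matters when in_pool is True
    in_pool: bool = False  # "Load balance outgoing traffic" ticked for this connection


def schedule(connections, n_flows):
    """Return the connection chosen for each of n_flows new outbound flows.

    Smooth weighted round-robin: every round each pooled connection gains its
    weight, the highest total is picked and then reduced by the pool's total
    weight.  Over any run of total-weight flows each connection receives
    exactly `weight` of them, which is the proportional split the guide
    describes (10:1, 6:2, 2:1).
    """
    pool = [c for c in connections if c.in_pool and c.weight > 0]
    if not pool:
        # No load balance options enabled: everything leaves via the primary,
        # which this example takes to be the first connection in the list.
        return [connections[0].name] * n_flows
    total = sum(c.weight for c in pool)
    credit = {c.name: 0 for c in pool}
    chosen = []
    for _ in range(n_flows):
        for c in pool:
            credit[c.name] += c.weight
        best = max(pool, key=lambda c: credit[c.name])  # first on ties
        credit[best.name] -= total
        chosen.append(best.name)
    return chosen


def share(connections, n_flows):
    """Flows per connection name, e.g. {'primary': 10, 'secondary': 1}."""
    return dict(Counter(schedule(connections, n_flows)))


if __name__ == "__main__":
    # Constructed pool: a fast primary weighted 10 and a slow secondary weighted 1.
    pool = [Connection("primary", 10, True), Connection("secondary", 1, True)]
    print(share(pool, 11))  # {'primary': 10, 'secondary': 1}
    # Nothing pooled: the primary carries every flow.
    print(share([Connection("primary"), Connection("secondary")], 5))  # {'primary': 5}
```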
Click Save to save your settings and enable the secondary external interface.
Chapter 5
Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts on the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.
Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
- An individual network host, enter its IP address, for example: 192.168.10.1.
- A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
- A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
- An individual network host, enter its IP address, for example: 192.168.10.1.
- A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
- A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 19
Drop: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
Reject: Select to cause an ICMP Connection Refused message to be sent back to the originating IP, and no communication will be possible.
Exception: Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
Log: Select to log all activity from this IP.
Comment: Optionally, describe the IP block rule.
Enabled: Select to enable the rule.
Click Add. The rule is added to the Current rules table.
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
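The following Python is an added example, not code from the guide or from Smoothwall: it parses the three address notations above (host, first-last range, network with dotted mask or prefix length) and evaluates a ruleset the way the text describes, with exception rules overriding every drop or reject rule and with the note's caveat that traffic between two hosts on the same subnet never reaches the firewall. Rule fields, the `local_subnets` argument and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_spec(spec):
    """Parse one 'IP or network' field as the guide describes it and return
    (first, last) addresses.  Accepts a host (192.168.10.1), a range
    (192.168.10.1-192.168.10.15) or a subnet (192.168.10.0/255.255.255.0
    or 192.168.10.0/24)."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec!r}")
        return lo, hi
    if "/" in spec:
        # ip_network accepts both the dotted-mask and the prefix-length form.
        net = ipaddress.ip_network(spec, strict=False)
        return net.network_address, net.broadcast_address
    ip = ipaddress.ip_address(spec)
    return ip, ip


def matches(spec, addr):
    """True when addr falls inside the field value spec."""
    lo, hi = parse_spec(spec)
    return lo <= ipaddress.ip_address(addr) <= hi


@dataclass
class BlockRule:
    """One IP block rule as entered on the page (constructed example)."""
    source: str
    action: str                        # "drop", "reject" or "exception"
    destination: Optional[str] = None  # None: any destination
    enabled: bool = True
    comment: str = ""


def evaluate(rules, src, dst, local_subnets=()):
    """What the IP block rules do to a packet from src to dst.

    local_subnets lists subnets behind the firewall; a packet between two
    hosts on the same one is switched locally and never seen by the
    firewall, so no rule can act on it ("not-routed").  Otherwise an
    exception rule wins regardless of rule order, then the first enabled
    drop/reject rule whose source (and destination, if set) match decides,
    and "pass" means no block rule applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if s in net and d in net:
            return "not-routed"
    active = [r for r in rules if r.enabled]
    for r in active:
        if r.action == "exception" and matches(r.source, src):
            return "allow"
    for r in active:
        if r.action in ("drop", "reject") and matches(r.source, src) \
                and (r.destination is None or matches(r.destination, dst)):
            return r.action
    return "pass"


if __name__ == "__main__":
    # Constructed ruleset: drop a whole subnet, exempt one host in it, and
    # reject a range of external addresses only towards one internal server.
    rules = [
        BlockRule("10.0.0.0/255.255.255.0", "drop", comment="noisy subnet"),
        BlockRule("10.0.0.5", "exception", comment="monitoring host"),
        BlockRule("203.0.113.1-203.0.113.20", "reject", destination="192.168.1.10"),
    ]
    print(evaluate(rules, "10.0.0.7", "192.168.1.10"))   # drop
    print(evaluate(rules, "10.0.0.5", "192.168.1.10"))   # allow
    print(evaluate(rules, "192.168.1.20", "192.168.1.10",
                   local_subnets=["192.168.1.0/24"]))    # not-routed
```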
Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
Select to prevent the system responding to normal ping messages from all network zones (including external). This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.
Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS attack.
Select this option to block and ignore multicast-reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.
Chapter 5 General Network Security Settings: Enabling Traffic Auditing
Setting / Description
Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size.
SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.
3 Click Advanced to access the following settings:
Setting / Description
Block SYN+FIN packets: Select to automatically discard the packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.
Enable TCP timestamps: Select this option to enable TCP timestamps (RFC1323) to improve TCP
Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. Whilst effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
Click Advanced to access the Traffic auditing area and configure the following settings:
Setting / Description
Direct incoming traffic: Select to log all new connections to all interfaces that are destined for the firewall.
Direct outgoing traffic: Select to log all new connections from any interface.
Forwarded traffic: Select to log all new connections passing through one interface to another.
Note: Traffic auditing can potentially generate vast amounts of logging data. Ensure that the quantity of
Note: Traffic auditing logs are viewable on the info > logs > firewall page.
1 Navigate to the networking > settings > advanced page and click Advanced.
2 Select the interface in the Drop all traffic on internal interfaces area.
3 Click Save.
Note: Take care not to drop traffic from the interface that is used to administer Advanced Firewall.
In the Port groups area, click New and configure the following settings:
Setting / Description
Group name: Enter a name for the port group and click Save.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by : for example:
1024:65535
For non-consecutive ports, create a separate entry for each port number.
Comment
Click Add. The port, ports or port range is added to the group.
1 Navigate to the networking > settings > port groups page.
2 Configure the following settings:
Setting / Description
Port groups: From the drop-down list, select the group you want to add a port to and click Select.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by : for example:
1024:65535
Comment
Click Add. The port, ports or range is added to the group.
1 Navigate to the networking > settings > port groups page.
2 From the Port groups drop-down list, select the group you want to edit and click Select.
3 In the Current ports area, select the port you want to change and click Edit.
4 In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.
1 Navigate to the networking > settings > port groups page.
2 From the Port groups drop-down list, select the group you want to delete and click Select.
3 Click Delete.
Chapter 6
By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.
Description
Defines the two network zones between which the bridge exists.
Defines whether the bridge is accessible one-way or bi-directionally.
Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.
Defines what ports and services can be used across the bridge.
Defines what protocol can be used across the bridge.
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.
Chapter 6 Configuring Inter-Zone Security: Creating a Zone Bridging Rule
To create a zone bridging rule:
Setting / Description
Source interface: From the drop-down menu, select the source network zone.
Destination interface: From the drop-down menu, select the destination network zone.
Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface.
Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
- A single network host, enter its IP address, for example: 192.168.10.1.
- A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
- A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
- Any network host in the source network, leave the field blank.
Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
- A single network host, enter its IP address, for example: 192.168.10.1.
- A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
- A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
- Any network host in the destination network, leave the field blank.
Service: From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol.
Note: This is only applicable to TCP and UDP.
Port: If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment: Enter a description of the bridging rule.
Enabled: Select to enable the rule.
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.
Note: The DMZ network zone is a DMZ in name alone until appropriate bridging rules are created; neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
- Allows restricted external access to a web server in the DMZ, from the Internet.
- Does not allow access to the protected network from the DMZ.
- Allows unrestricted access to the DMZ from the protected network.
The protected network contains local user workstations and confidential business data. The DMZ contains a web server.
A single zone bridging rule will satisfy the bridging requirements, whilst a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.
Navigate to the networking > filtering > zone bridging page and configure the following settings:
Setting / Description
Source interface: From the drop-down menu, select the protected network.
Protocol: From the drop-down list, select All.
Comment: Enter a description of the rule.
Enabled: Select to activate the bridging rule once it has been added.
Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.
Navigate to the networking > firewall > port forwarding page and configure the following settings:
Setting / Description
Protocol
Destination IP: Enter the IP address of the web server 192.168.200.10.
Source: From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Comment: Enter a description, such as Port forward to DMZ web server.
Enabled: Select to activate the port forward rule once it has been added.
Click Add.
Navigate to the networking > filtering > zone bridging page and configure the following settings:
Smoothwall Advanced Firewall Administrators Guide
Setting / Description
Source interface: From the drop-down menu, select DMZ.
Protocol: From the drop-down menu, select TCP.
Source IP: Enter the web server's IP address: 192.168.200.10
Destination IP: Enter the database's IP address: 192.168.100.50
Service: Select User defined. The database service is accessed on port 3306.
Port: Enter 3306.
Comment: Enter a comment: DMZ web server to Protected Network DB.
Enabled: Select Enabled to activate the bridging rule once the bridging rule has been added.
Click Add.
Group Bridging
By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone.
Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:
Group: The group of users from the authentication sub-system that may access the bridge.
Zone: The destination network zone.
Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.
Service: Defines what ports and services can be used across the bridge.
Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.
To create a group bridging rule:
Setting / Description
Group: From the drop-down menu, select the group of users that this rule will apply to. Click to select the group.
Zone: Select the interface that the group will be permitted to access.
Destination: Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
- A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
- A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
- A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
- Any network host in the destination network, leave the field blank.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Service: From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.
Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Comment: Enter a description of the rule.
Chapter 7
Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.
Port forward rules can be configured to forward traffic based on the following criteria:
Criterion / Description
External IP: Forward traffic if it arrived at a particular external interface or external alias.
Source IP: Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Port: Forward traffic if it was destined for a particular port or range of ports.
Protocol: Forward traffic if it uses a particular protocol.
Destination IP: A port forward will send traffic to a specific destination IP.
Destination port: A port forward will send traffic to a specific destination port.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.
Chapter 7 Managing Inbound and Outbound Traffic: Introduction to Port Forwards
Inbound Security
Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it. Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the networking > filtering > zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, i.e. a DMZ scenario.
From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it. Click to select the external interface specified.
Protocol: From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
Source IP: Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
External IP: Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
User defined: If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP: Enter the IP address of the network host to which traffic should be forwarded.
Destination service: From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
Destination port: If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
Select to log all port forwarded traffic.
Select to deploy intrusion prevention. See Chapter 8, Deploying Intrusion Prevention Policies on page 105 for more information.
Comment: Enter a description of the port forward rule.
Enabled: Select to enable the rule.
Click Add. The port forward rule is added to the Current rules table.
1 On the networking > firewall > port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 64 for more information.
2 On the networking > firewall > port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host. Advanced Firewall automatically balances the traffic between the hosts.
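As an added example, not code from the guide or from Smoothwall, the following Python resolves which internal host and port an arriving connection is forwarded to, following the destination port rules stated above (a blank destination port keeps the incoming port, a single destination port is always the target), the A:B port range notation, and the two-rule load balancing described in the last step. The rule fields, the `forward_targets` function and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


def parse_ports(spec):
    """'80' -> (80, 80); '1000:1028' -> (1000, 1028), the guide's A:B notation."""
    first, _, last = spec.strip().partition(":")
    lo, hi = int(first), int(last or first)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo, hi


def in_spec(spec, addr):
    """True if addr is inside spec: a host, a first-last range, or net/mask
    or net/prefix.  A blank spec means any address ("leave this field blank")."""
    if not spec:
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


@dataclass
class PortForward:
    """One port forward rule as entered on the page (constructed example)."""
    protocol: str               # "tcp" or "udp"
    source_service: str         # port or A:B range the traffic arrives on
    destination_ip: str         # internal host to forward to
    destination_port: str = ""  # blank: keep the port the connection came in on
    source_ip: str = ""         # blank: any external host
    external_ip: str = ""       # blank: any external alias
    enabled: bool = True


def target_port(rule, incoming_port):
    """Port the forwarded connection is sent to: a blank destination port keeps
    the incoming port (so a source range forwards port for port); a single
    destination port is always the target."""
    lo, hi = parse_ports(rule.source_service)
    if not lo <= incoming_port <= hi:
        raise ValueError("incoming port is outside the rule's source service")
    if not rule.destination_port:
        return incoming_port
    dlo, dhi = parse_ports(rule.destination_port)
    if dlo != dhi:
        # Assumption of this example: the guide only describes a blank value
        # or one port here, so a destination range is treated as an error.
        raise ValueError("destination port must be a single port")
    return dlo


def forward_targets(rules, protocol, external_ip, source_ip, incoming_port):
    """All (destination_ip, port) pairs that apply to an arriving connection.
    More than one result means identical rules that differ only in their
    destination IP, which the guide says are load balanced between hosts."""
    targets = []
    for r in rules:
        if not r.enabled or r.protocol.lower() != protocol.lower():
            continue
        lo, hi = parse_ports(r.source_service)
        if not lo <= incoming_port <= hi:
            continue
        if not in_spec(r.external_ip, external_ip) or not in_spec(r.source_ip, source_ip):
            continue
        targets.append((r.destination_ip, target_port(r, incoming_port)))
    return targets


if __name__ == "__main__":
    # Constructed rules: the guide's port 80 -> port 81 web server example,
    # a range forwarded port for port, and two hosts sharing one service.
    rules = [
        PortForward("tcp", "80", "192.168.2.60", "81"),
        PortForward("tcp", "1000:1028", "192.168.2.70"),
        PortForward("tcp", "443", "192.168.2.91"),
        PortForward("tcp", "443", "192.168.2.92"),
    ]
    print(forward_targets(rules, "tcp", "198.51.100.1", "203.0.113.5", 80))    # [('192.168.2.60', 81)]
    print(forward_targets(rules, "tcp", "198.51.100.1", "203.0.113.5", 1010))  # [('192.168.2.70', 1010)]
    print(forward_targets(rules, "tcp", "198.51.100.1", "203.0.113.5", 443))   # two balanced targets
```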
Chapter 7 Managing Inbound and Outbound Traffic Advanced Network and Firewall Settings
Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.
IP information is embedded within FTP traffic; this helper application ensures that FTP communication is not adversely affected by the firewall.
IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPN connections. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used.
Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.
1 In the Network application helpers area, select the application(s) you require.
2 Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3 Click Save.
By default, bad traffic is rejected and a No one here ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. Using the Bad external traffic action option, you can drop traffic silently, which enables you to stealth your firewall and make things like port scans much harder to do.
To manage bad external traffic:
1 Navigate to the networking > firewall > advanced page.
2 From the Bad external traffic action drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to keep the default behavior, that is, reject the traffic and notify the sender. Click Save to implement your selection.
1 Navigate to the networking > firewall > advanced page.
2 Select Reflective port forwards and click Save.
Outbound Access
The following sections discuss outbound port and source rules. Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts and networks using source rules.
Port Rules
Reject only outbound requests to the named ports. Allow only outbound requests to the named ports.
Preset port rules:
- Services common to most user computers, including web browsing (HTTP and HTTPS), email (POP3), DNS etc.
- Ports commonly associated with Microsoft Windows such as SMB (NetBIOS), Active Directory etc.
- Ports associated with many common exploits against a variety of programs and services, including many ports associated with malware attacks.
In addition, the following preset rules are included and cannot be customized: Allow all and Reject all.
Setting / Description
Port rules: From the drop-down menu, select Empty and click Select.
Name: Enter a name for the port rule. This name will be displayed in the Port rules drop-down list and wherever the rule can be selected.
Select to reject listed ports. Select to allow listed ports.
Rejection logging: Select if you want to log outbound requests rejected by this rule.
Stealth mode: Select if you want to log but not reject outbound requests.
Note: This generates a lot of data and should be used with care.
Select to block access to eDonkey and eMule P2P variants.
Select to block access to the Gnutella and GnutellaNet P2P networks.
Select to block access to the KaZaA P2P network.
Block DirectConnect: Select to block access to the DirectConnect file sharing network.
Select to block the use of the BitTorrent protocol for P2P file transfers.
Note: The dedicated P2P blocking options are provided due to the nature of certain P2P software. Various P2P applications are port-aware and use a number of evasive techniques to circumvent regular outbound access controls. Advanced Firewall is able to detect such activity when these options are activated, and ensure that P2P communication is completely blocked.
Click Save. The port rule is added to the Port rules drop-down list.
Setting / Description
Protocol: From the drop-down menu, select a network protocol to add to the port rule.
Service: From the drop-down menu, select the service, port, port range or group of ports you want to allow or deny, depending on the rule you are creating. Select User defined to be able to specify a specific port number in the User defined port or range field.
Port: Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
2 Choose the port rule that you wish to edit from the Port rules drop-down list.
3 Click Select to display the port rule and make any changes to the port rule settings using the controls in the Port rules region.
4 Click Save in the Port rules region.
Select the port rule that should be deleted using the Port rules drop-down list from the Port rules region. Click Delete.
In the Port rules region, choose a set of port rules using the Port rules drop-down list. Click Select. The set of port rules and associated configuration are displayed in the Port rules and Current rules regions.
Source Rules
Source rules are used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or network with a preset or customized port rule.
When the source IP of an outbound packet originates from a host that is defined in a source rule, Advanced Firewall checks that the packet does not break the port rules assigned to the host. If the packet is destined for a banned port, the packet is rejected. If the packet is destined for an allowed port, the packet is allowed.
Note: Once a packet matches a source rule, it will not be subjected to further rule matching. Source rules cannot be stacked.
Setting / Description
From the drop-down list, select the port rule to be applied to outbound packets originating from a source IP that has no matching source rule configured. This value is usually set to one of the preset catch-all port rules, either Allow all or Reject all. Selecting Allow all enables all hosts that are not matched by a source rule to initiate any kind of outbound communication. Selecting Reject all prevents all outbound communication from all non-matching hosts. Best practice is to select Reject all.
Rejection logging: Select to log all traffic rejected by the default or current list of source rules.
Stealth mode: Select to allow all traffic that would normally be rejected by the default port rule and log all traffic information in the firewall logs.
Click Save.
In the Add a new rule area, configure the following settings:
Setting / Description
Source IP or network: Enter the source IP or network that the selected port rule will affect. To apply the port rule to:
- A specific host, enter its IP address.
- A range of network hosts, enter an IP address range, for example, entering the value 192.168.10.10:50 will encompass the range of addresses from 192.168.10.10 to 192.168.10.50.
- A subnet, enter a source IP and network mask, for example, 192.168.10.0/255.255.255.0 will encompass the range of addresses from 192.168.10.0 to 192.168.10.255.
Port rule: From the drop-down list, select the port rule to apply.
Comment: Enter a description of the rule.
Enabled
Click Add. The source rule is added to the Current rules table.
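The following Python is an added example, not code from the guide or from Smoothwall, of the outbound decision the two preceding sections describe: a port rule either rejects or allows only its listed ports, Allow all and Reject all are the fixed presets, the first matching source rule supplies the port rule and no further source rule is consulted, unmatched hosts get the default port rule, and Rejection logging and Stealth mode affect logging as stated. It also parses the source notation above (host, 192.168.10.10:50 last-octet range, network/mask; IPv4 only). The class and function names and the sample policy are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_ports(spec):
    """'80' -> (80, 80); '1024:2048' -> (1024, 2048), the guide's from:to notation."""
    first, _, last = spec.strip().partition(":")
    lo, hi = int(first), int(last or first)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo, hi


@dataclass
class PortRule:
    """A port rule: either 'reject listed ports' or 'allow listed ports'."""
    name: str
    mode: str                                    # "reject" or "allow" (the listed ports)
    entries: list = field(default_factory=list)  # (protocol, port spec) pairs
    rejection_logging: bool = False
    stealth_mode: bool = False                   # log, but do not reject

    def lists(self, protocol, port):
        """True when (protocol, port) is covered by one of the rule's entries."""
        for proto, spec in self.entries:
            lo, hi = parse_ports(spec)
            if proto.lower() in (protocol.lower(), "all") and lo <= port <= hi:
                return True
        return False


# The two fixed presets: Allow all rejects nothing, Reject all allows nothing.
ALLOW_ALL = PortRule("Allow all", "reject")
REJECT_ALL = PortRule("Reject all", "allow")


def source_matches(spec, addr):
    """Source rule notation from the guide: a host (192.168.10.1), a last-octet
    range (192.168.10.10:50 covers .10 to .50) or network/mask
    (192.168.10.0/255.255.255.0).  IPv4 only, since ':' marks a range here."""
    ip = ipaddress.ip_address(addr)
    if ":" in spec:
        base, last = spec.split(":", 1)
        lo = ipaddress.ip_address(base)
        hi = ipaddress.ip_address(base.rsplit(".", 1)[0] + "." + last)
        return lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


@dataclass
class SourceRule:
    source: str
    port_rule: PortRule
    enabled: bool = True


def decide(source_rules, default_rule, src, protocol, port):
    """(verdict, logged) for one outbound packet.  The first matching source
    rule supplies the port rule and later rules are ignored (source rules do
    not stack); a host with no matching source rule gets the default rule."""
    rule = default_rule
    for sr in source_rules:
        if sr.enabled and source_matches(sr.source, src):
            rule = sr.port_rule
            break
    listed = rule.lists(protocol, port)
    would_reject = listed if rule.mode == "reject" else not listed
    if not would_reject:
        return "allow", False
    if rule.stealth_mode:
        return "allow", True          # let it through, but record it
    return "reject", rule.rejection_logging


if __name__ == "__main__":
    # Constructed policy: workstations .10 to .50 may not speak SMB/NetBIOS
    # outbound and the rest of their traffic is allowed; hosts with no
    # source rule get Reject all, as the guide recommends.
    workstations = PortRule("No Windows ports", "reject",
                            [("tcp", "135:139"), ("tcp", "445"), ("udp", "137:138")],
                            rejection_logging=True)
    policy = [SourceRule("192.168.10.10:50", workstations)]
    print(decide(policy, REJECT_ALL, "192.168.10.20", "tcp", 445))  # ('reject', True)
    print(decide(policy, REJECT_ALL, "192.168.10.20", "tcp", 443))  # ('allow', False)
    print(decide(policy, REJECT_ALL, "192.168.10.99", "tcp", 443))  # ('reject', False)
```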
Managing External Services
You can prevent local network hosts from using external services by creating appropriate source and port rules to stop outbound traffic.
Setting / Description
Select Empty from the drop-down list.
Name: Enter a name for the rule.
Protocol: Select the protocol used by the service.
Service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
User defined: If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Rejection logging: Select to log all traffic rejected by the external services rule.
Stealth mode: Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.
Enter the IP address of the external service to which the rule applies.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
Click Add. The external service rule is added to the Current rules region.
2 3 4
Select Enable authenticated groups. Locate the authentication group in the Group rules region and choose its port rule from the adjacent Port rule drop-down list. Click Save.
1s
Ed i
ti
The groups page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular authenticated group of users with a preset or customized port rule.
on
73
Note: Group rules cannot be enforced in all circumstances. If a user has not actively authenticated
themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and group rules cannot be applied. In this case, only source rules will be applied. Group rules are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.
Chapter 8
Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific group.
Chapter 8 Advanced Firewall Services
Working with User Portals
To create a user portal and make it available to users:
In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at, for example: http://192.168.72.141/portal/
Group: From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 13, Managing Groups of Users on page 231.
Portal: From the drop-down menu, select the portal you want the group to access.
Click Add. Advanced Firewall authorizes the group to use the portal. The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.
Configuring a Portal
The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, block other users from accessing the web, download VPN client files and receive a welcome message.
Browse to the info > reports > recent and saved page, locate the report you want to publish on a portal and click Permissions. A dialog box containing report details opens, for example:
From the Add access drop-down list, select the portal where you want to publish the report and click Add. Click Close to close the dialog box. Browse to the services > user portal > portals page and, in the Portals area, configure the following settings:
Portals: From the drop-down list, select the portal on which you want to make reports available and click Select.
In the Portal published reports and templates area, configure the following settings:
Enabled: Select Enabled.
Top reports displayed on portal home page: From the drop-down list, select the number of reports you want to display on the portal's home page. Advanced Firewall will display the most often viewed reports.
Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.
Browse to the services > user portal > portals page and, in the Portals area, configure the following settings:
Portals: From the drop-down list, select the portal on which you want to authorize groups to block users.
In the Portal permissions for web access blocking area, configure the following settings:
Enabled: Select Enabled.
Allow control of groups: Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.
Browse to the bottom of the page and click Save to save the settings.
Browse to the services > user portal > portals page and, in the VPN connection details area, configure the following settings:
SSL VPN client archive download: Select this option to make the archive available for download on the portal home page. See Chapter 9, Generating SSL VPN Archives on page 159 for information on how to create the archive.
Browse to the bottom of the page and click Save to save the settings.
Browse to the services > user portal > portals page and, in the Welcome message area, configure the following settings:
Welcome message: Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.
Browse to the bottom of the page and click Save to save the settings.
Browse to the services > user portal > groups page. Configure the following settings:
Group: From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 13, Managing Groups of Users on page 231.
Portal: From the drop-down menu, select the portal you want the group to access.
Click Add. Advanced Firewall will allow members of the group to access the specified portal.
Browse to the services > user portal > user exceptions page.
Enter the username of the user you want to access the portal.
Portal: From the drop-down list, select the portal you want the user to access.
Click Add. Advanced Firewall gives the user access to the portal.
Accessing Portals
The following section explains how to access a portal.
To access a portal:
In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/ Accept any certificate and other security information. Advanced Firewall displays the login page for the portal, for example:
Enter a valid username and password and click Login. The portal is displayed, for example:
For more information, see the Advanced Firewall Portal User Guide.
Editing Portals
The following section explains how to edit a portal.
To edit a portal:
Browse to the services > user portal > portals page. From the Portals drop-down list, select the portal you want to edit. Make the changes you require, see Configuring a Portal on page 77 for information on the settings available. Click Save to save the changes.
Deleting Portals
The following section explains how to delete a portal.
To delete a portal:
Browse to the services > user portal > portals page. From the Portals drop-down list, select the portal you want to delete. Click Delete. Advanced Firewall deletes the portal.
Web Proxy
Advanced Firewall's web proxy service provides local network hosts with controlled access to the Internet with the following features:
Transparent or non-transparent operation
Caching controls for improved resource access times
Support for automatic configuration scripts
Support for remote proxy servers.
Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to approximately 40% of the system's total storage capacity, up to a maximum of around 10 gigabytes (approximately 10000 megabytes) for a high performance system with storage capacity in excess of 25 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Remote proxy: In most scenarios this field will be left blank and no remote proxy will be used. Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy, and sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username: Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password: Enter the remote proxy password when using a remote proxy with user authentication.
Max object size: Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum; this should be suitable for most purposes. Setting a minimum can be useful for preventing large numbers of tiny objects filling the cache.
Max outgoing size: Specify the maximum amount of outbound data that can be sent by a browser in any one request. The default is no limit. This can be used to prevent large uploads or form submissions.
Max incoming size: Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit. This can be used to prevent excessive and disruptive download activity.
Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port) must be configured in all browsers. For more information, see About Web Proxy Methods on page 85.
Select to disable proxy logging. Select to enable the web proxy service. Select to permit access to other network hosts over ports 81 and 441. This is useful for accessing a remote Smoothwall system, or other non-standard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented.
Note: By selecting this option, it is possible to partially bypass the admin access rules on the system > administration > admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache: Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line. This can be used to ensure that old content of frequently updated web sites is not cached.
Exception local IP addresses: Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
Banned local IP addresses: Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
Select to allow users to globally access the web proxy service without authentication. Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software.
Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication: Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy: Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Automatic configuration script custom direct hosts: Enter any additional hosts required in the automatic configuration script's list of direct (non-proxy routed) hosts. This is useful for internal web servers such as a company intranet server. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy setting if it accesses the automatic configuration script for its proxy settings.
Note: Browsers must be configured to access the automatic configuration
After enabling and restarting the service, the automatic configuration script location is displayed here.
Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser's implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Manual web browser proxy settings: After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Interfaces: Select the interface for the web proxy traffic.
Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache. The web proxy will be restarted with any configuration changes applied.
Note: Save and Restart with cleared cache is used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web-browsing or poorly constructed web sites.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.
Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache.
If you are having problems with transparent proxying, check that neither of the following settings is configured in end-user browsers: Automatic configuration, and Proxy server.
Non-Transparent Proxying
If Advanced Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured. You can configure browser settings:
Manually: Browsers are manually configured to enable Internet access.
Automatically using a configuration script: Browsers are configured to receive proxy configuration settings from an automatic configuration script, proxy.pac. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on.
WPAD automatic script: Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.
Start Internet Explorer, and from the Tools menu, select Internet Options. On the Connections tab, click LAN settings. Configure the following settings:
Method: Manual
To configure:
In the Proxy server area, select Use a proxy server for your LAN. Enter your Advanced Firewall's IP address and port number 800. This information is displayed on the services > proxies > web proxy page, in the Automatic configuration script area. Click Advanced to access more settings. In the Exceptions area, enter the IP address of your Advanced Firewall and the IP addresses of any other content that you do not want filtered, for example, your intranet or local wiki. Click OK and OK to save the settings.
Method: Automatic configuration script
To configure:
In the Automatic configuration area, select Use automatic configuration script. Enter the location of the script, for example: http://192.168.72.141/proxy.pac. The location is displayed on the services > proxies > web proxy page, in the Automatic configuration script area. Ensure that no other proxy settings are enabled or have entries. Click OK and OK to save the settings.
Method: WPAD
To configure:
Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
In the Automatic configuration area, select Automatically detect settings. Click OK and OK to save the settings. On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your domain name. The host must resolve to the Advanced Firewall IP. When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.
Note: PCs will have had to be configured with the same domain name as the A record for it to work. However, Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000. They suggest that you should use a DHCP auto-discovery method using a PAC file. See the article for more information. This is contrary to some of our testing.
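The following is an added example of a proxy auto-configuration (PAC) script of the kind the automatic configuration script and WPAD methods hand to browsers; it is not the proxy.pac that Advanced Firewall generates. The firewall address 192.168.72.141 and proxy port 800 are the guide's example values, and the direct-host list is a constructed stand-in for the custom direct hosts setting.

```javascript
// Added example: a PAC script routing browser traffic through the Advanced
// Firewall web proxy. NOT the firewall's generated proxy.pac. The firewall
// address and port 800 are the guide's example values; the direct-host
// list is constructed.

var FIREWALL_IP = "192.168.72.141";
var PROXY = "PROXY " + FIREWALL_IP + ":800";

// Constructed sample: hosts and domains that must bypass the proxy, i.e. the
// browser's "Do not use proxy server for these addresses" list.
var DIRECT_HOSTS = ["intranet.example.internal", "wiki.example.internal"];
var DIRECT_DOMAINS = [".example.internal"];

// Browsers provide these helpers natively inside a PAC file; they are
// defined here so the script can also be exercised outside a browser
// (for example under Node.js).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  if (!/^\d+(\.\d+){3}$/.test(host)) return false; // only address literals
  var h = host.split("."), p = pattern.split("."), m = mask.split(".");
  for (var i = 0; i < 4; i++) {
    if ((parseInt(h[i], 10) & parseInt(m[i], 10)) !==
        (parseInt(p[i], 10) & parseInt(m[i], 10))) return false;
  }
  return true;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // The firewall itself (admin pages, portal, proxy.pac) is fetched directly.
  if (host === FIREWALL_IP) return "DIRECT";

  // Unqualified names and loopback never leave the workstation or LAN.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }

  // Custom direct hosts and internal domains (the intranet or local wiki).
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  for (var j = 0; j < DIRECT_DOMAINS.length; j++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[j])) return "DIRECT";
  }

  // Address literals on the local subnet (assumption: 192.168.72.0/24).
  if (isInNet(host, "192.168.72.0", "255.255.255.0")) return "DIRECT";

  // Everything else goes through the web proxy. Deliberately no "; DIRECT"
  // fallback: with one, browsers silently bypass the proxy (and its logging,
  // authentication and access controls) whenever the proxy is unreachable.
  return PROXY;
}
```

Note that the "Ensure that no other proxy settings are enabled" step above matters for the same reason as the missing DIRECT fallback: any manual exception list in the browser overrides what the script returns.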
MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/). However, using SSL Intercept, see below, Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL.
Instant Messenger Proxying
To configure the instant messaging proxy service:
Enable Message Censor: Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Instant Message Content on page 98.
Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging. Select this option to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using MSN, ICQ, AIM and Yahoo IM protocols.
Select to proxy and monitor Microsoft Messenger conversations. Select to proxy and monitor ICQ and AIM conversations. Select to proxy and monitor Yahoo conversations. Select to proxy and monitor GaduGadu conversations. Select to proxy and monitor conversations which use the Jabber protocol. Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 90. Select to inform IM users that their message or file transfer has been blocked. This option does not work with the ICQ/AIM protocol. Select to inform IM users that their conversation is being logged.
Note: This option does not work with the ICQ/AIM protocol.
Blocked response: Optionally, enter a message to display when a message or file is blocked; or accept the default message. If multiple messages or files are blocked, this message is displayed at 15 minute intervals.
Optionally, enter a message to display informing users that their conversations are being logged. This message is displayed once a week. Settings here enable you to control who can instant message your local users.
Block unrecognized remote users: Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When this option is selected, any remote users who are not on the white-list are automatically blocked.
Number of current entries: Displays the number of entries currently in the
White-list users: To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.
Black-list users: To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.
Enabled on interfaces: Select the interfaces on which to enable IM proxying.
Exception local IP addresses: To exclude specific IP addresses, enter them here.
Monitoring SSL-encrypted Chats
Browse to the services > proxies > instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 87. Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save. Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall CA certificate. Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall will now monitor and log the chats.
SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data. RTP operates on random unprivileged ports, and, as such, is not NAT friendly. For this reason, Advanced Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly and solving some of the problems involved in setting up VoIP behind NAT.
external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients will allow users to configure one SIP proxy; this is invariably the registering proxy. Others will allow for two proxies: one to which the client will register, and one which the client uses for access, a pass-through.
Configuring SIP
To configure and enable the SIP proxy:
Select to enable the SIP proxy service. From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
Log calls: Select if you require individual call logging.
Maximum number of clients: Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
Diffserv mark for RTP packets: From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. This traffic can be traffic shaped with SmoothTraffic, if it is installed. The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, Smoothwall's Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users.
Transparent: The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP.
Exception IPs: Hosts which should not be forced to use the transparent SIP proxy must be listed in the Exception IPs box below.
Click Save to enable and implement SIP proxying.
Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall's NAT.
FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent proxying possible.
Select to enable the FTP proxy. Select to enable transparent proxying. For more information, see About Transparent and Non-transparent FTP Proxying on page 94. From the drop-down list, select the port for FTP traffic.
Note: The port you select must be open for the FTP client. You configure this on the system > administration > external access page. See Chapter 16, Configuring External Access on page 316 for more information.
Enable anti-malware scanning: Select to scan files for malware.
Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com:21 or 1.2.3.4:21. If no information is listed, all hostnames on all ports will be accessible.
When proxying transparently, from the list available, select the interface(s) to use. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying.
Enter Advanced Firewall's hostname or IP address. Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring FTP Proxying on page 92 for more information. Enter the username in the following format:
remoteusername@remoteftpserver
SNMP
Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:
System name, description, location and contact information
Live TCP and UDP connection tables
Detailed network interface and usage statistics
Network routing table
Disk usage information
Memory usage information.
In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community. The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other.
To enable and configure the SNMP service:
Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community. Click Save.
Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.
Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 16, Configuring Administration and Access Settings on page 314.
Censoring Content
Advanced Firewall enables you to censor content in:
Instant messages; for more information, see Censoring Instant Message Content on page 98.
Web forms; for more information, see Chapter 15, Censoring Web Form Content on page 212.
DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.
service is enabled.
To add a static DNS host:
Enter the IP address of the host you want to be resolved. Enter the hostname that you would like to resolve to the IP address. Enter a description of the host. Select to enable the new host being resolved.
Click Add. The static host is added to the Current hosts table.
Select each interface that should be able to use the DNS proxy and click Save.
Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system will use the DNS proxy for name resolution.
Many of these service providers offer a free-of-charge basic service.
Navigate to the services > dns > dynamic dns page.
From the drop-down list, select your dynamic DNS service provider. Select if your service provider is no-ip.com and the system is behind a web proxy. Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP.
Note: This option cannot be used with no-ip.com, it must be selected from
Enter the hostname registered with the dynamic DNS service provider.
Note: This is not necessary when using dyndns.org as the service provider.
Enter the domain registered with the dynamic DNS service provider. Enter the username registered with the dynamic DNS service provider. Enter the password registered with the dynamic DNS service provider. Enter a description of the dynamic DNS host. Select to enable the service.
Click Add. The dynamic host will be added to the Current hosts table.
Click Force update.
Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the user accounts of users they deem to be abusing their service.
Configuration Overview
Configuring an instant message censor policy entails:
Defining custom categories required to cater for situations not covered by the default Advanced Firewall phrase lists; for more information, see Managing Custom Categories on page 98.
Configuring time periods during which policies are applied; for more information, see Setting Time Periods on page 100.
Configuring filters which classify messages by their textual content; for more information, see Creating Filters on page 101.
Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity; see Creating and Applying Message Censoring Policies on page 102.
Browse to the services > message censor > custom categories page.
Enter a name for the custom category. Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
(example-exact-phrase)
Advanced Firewall matches exact phrases without
Firewall uses fuzzy matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the services > message censor > filters page.
Browse to the services > message censor > custom categories page. In the Current categories area, select the category and click Edit. In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes. At the top of the page, click Restart to apply the changes.
Browse to the services > message censor > custom categories page. In the Current categories area, select the category or categories and click Remove. At the top of the page, click Restart to apply the changes.
From the drop-down lists, set the time period. Select the weekdays when the time period applies. Enter a name for the time period. Optionally, enter a description of the time period.
Click Add. Advanced Firewall creates the time period and makes it available for selection on the services > message censor > policies page.
Browse to the services > message censor > time page. In the Current time periods area, select the time and click Edit. In the Time period settings, edit the settings. When finished, click Add to save your changes. At the top of the page, click Restart to apply the changes.
Browse to the services > message censor > time page. In the Current time periods area, select the period(s) and click Remove. At the top of the page, click Restart to apply the changes.
Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters, for more information, see Creating Custom Categories on page 98.
To create a filter:
Enter a name for the filter. Optionally, enter a description of the filter. Select the categories you want to include in the filter.
Click Add. Advanced Firewall creates the filter and makes it available for selection on the services > message censor > policies page.
Editing Filters
You can add, change or delete categories in a filter.
To edit a filter:
2 In the Current filters area, select the filter and click Edit.
3 In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.
Deleting Filters
You can delete filters which are no longer required.
To delete filters:
1 Browse to the services > message censor > filters page.
2 In the Current filters area, select the filter(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.
Browse to the services > proxies > instant messenger page and, in the Instant Messaging proxy area, configure the following settings:
Enabled: Check that instant messaging proxying is enabled.
Enable Message Censor: Select this option to enable censoring of words usually considered unsuitable.
From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 101.
From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 100.
From the drop-down menu, select one of the following actions:
Block: Content which is matched by the filter is discarded.
Censor: Content which is matched by the filter is masked but the message is
From the drop-down list, select a level to assign to the content if it violates the policy. See Chapter 15, Configuring the Inappropriate Word in IM Monitor Alert on page 272 for more information.
Comment Enabled
Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.
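The following Python example is added here to illustrate two things the guide describes but does not show: the fuzzy phrase matching used by custom categories (spelling mistakes tolerated up to an edit budget) and the Block and Censor actions of a message censoring policy. It is not Smoothwall code; the phrase categories, the edit-distance algorithm and the masking character are all assumptions made for the illustration.

```python
import re


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions, deletions or
    substitutions needed to turn a into b (the spelling mistakes a fuzzy match tolerates)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_find(message: str, phrase: str, max_edits: int) -> list:
    """Return (start, end) character spans of word runs in message that match phrase
    case-insensitively within max_edits edits. Punctuation around words is ignored for
    matching, but a matched token is masked whole, punctuation included."""
    words = list(re.finditer(r"\S+", message))
    width = len(phrase.split())
    target = phrase.lower()
    spans = []
    for i in range(len(words) - width + 1):
        run = words[i:i + width]
        candidate = " ".join(w.group().lower().strip(".,;:!?\"'") for w in run)
        if edit_distance(candidate, target) <= max_edits:
            spans.append((run[0].start(), run[-1].end()))
    return spans


def apply_policy(message: str, categories: dict, action: str, max_edits: int = 1) -> dict:
    """Apply a censoring policy whose filter is built from phrase categories.
    action "block": a matching message is discarded (message becomes None).
    action "censor": matched words are masked with '*' and the rest is delivered."""
    spans, matches = [], []
    for category, phrases in categories.items():
        for phrase in phrases:
            for span in fuzzy_find(message, phrase, max_edits):
                spans.append(span)
                matches.append((category, phrase))
    if not spans:
        return {"action": "deliver", "message": message, "matches": []}
    if action == "block":
        return {"action": "block", "message": None, "matches": matches}
    if action != "censor":
        raise ValueError(f"unknown action {action!r}")
    chars = list(message)
    for start, end in spans:
        for k in range(start, end):
            if not chars[k].isspace():
                chars[k] = "*"
    return {"action": "censor", "message": "".join(chars), "matches": matches}


# Constructed sample filter: two custom categories of phrases (not Smoothwall's defaults).
SAMPLE_FILTER = {"gambling": ["casino"], "meeting": ["meet me"]}

if __name__ == "__main__":
    for action in ("censor", "block"):
        print(apply_policy("Can you meat me at the casinno later?", SAMPLE_FILTER, action))
```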
Editing Policies
You can add, change or delete a policy.
To edit a policy:
1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required; see Creating and Applying Message Censoring Policies on page 102 for information on the settings available. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.
Deleting Policies
You can delete policies which are no longer required.
To delete policies:
1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.
SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.
Browse to the services > intrusion system > intrusion detection page.
From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 104 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network, see Chapter 8, Creating Custom Policies on page 107.
From the drop-down list, select the interface on which you want to deploy the policy. Enter a description for the policy. Select this option to enable the policy.
Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.
1 Browse to the services > intrusion system > intrusion detection page.
2 In the Current IDS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.
SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information. Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.
To deploy an intrusion prevention policy:
Browse to the services > intrusion system > intrusion prevention page.
From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 104 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network, see Chapter 8, Creating Custom Policies on page 107.
Comment: Enter a description for the policy.
Enabled: Select this option to enable the policy.
3 Click Add. Advanced Firewall lists the policy in the Current IPS policies area.
4 Browse to the networking > firewall > port forwarding page and configure a port forwarding rule with IPS enabled to deploy the policy. For more information on port forwarding, see Chapter 7, Creating Port Forward Rules on page 64.
1 Browse to the services > intrusion system > intrusion prevention page.
2 In the Current IPS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.
Tip:
If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed the process.
Enter a name for the policy you are creating. Enter a description for the custom policy. From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 108.
Click Add. Advanced Firewall creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 104 and Deploying Intrusion Prevention Policies on page 105.
Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the services > intrusion system > policies page.
Note: Use custom signatures with caution as Advanced Firewall cannot
Use syslog for Intrusion logging: Select this option to enable logging intrusion events in the syslog.
Oink code: If you have signed-up with Sourcefire to use their signatures, enter your Oink code here.
Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the services > intrusion system > policies page.
Note: Updating the signatures can take several minutes.
For more information, visit http://smoothwall.net/support/oinkcode/
3 Click Save. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the services > intrusion system > policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 104 and Deploying Intrusion Prevention Policies on page 105.
there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.
To delete custom signatures:
1 On the services > intrusion system > signatures page, click Delete. Advanced Firewall prompts you to confirm the deletion.
2 Click Confirm. Advanced Firewall deletes the signatures.
DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
Support for 2 DHCP subnets
Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
Automate the creation of static assignments using the ARP cache
Enabling DHCP
To enable DHCP:
Select to enable the DHCP service. Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts. Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server. Select to enable logging.
From the drop-down menu, select Empty and click Select. Enter a name for the subnet. Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the netmask field. For example: 192.168.10.0. Define the subnet range by entering a network mask, for example 255.255.255.0. Enter the value that a requesting network host will receive for the primary DNS server it should use. Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use. Enter the value that a requesting network host will receive for the default gateway it should use.
Enabled: Determines whether the DHCP subnet is currently active.
Primary WINS: Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS: Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP: Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature.
Tip: Enter Advanced Firewall's IP address and clients can use its time services if enabled. See Chapter 16, Setting Time on page 311 for more information.
Secondary NTP: Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature.
Tip: Enter Advanced Firewall's IP address and clients can use its time services if enabled. See Chapter 16, Setting Time on page 311 for more information.
Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins): Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server: Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename: Specify to the network booting client which file to download when booting off the above TFTP server.
Domain name suffix: Enter the domain name suffix that will be appended to the requesting host's hostname.
Automatic proxy config URL: Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP options: Any custom DHCP options created on the services > dhcp > dhcp custom page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 115.
Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.
1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Edit the settings displayed in the Settings area.
4 Click Save.
1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Click Delete.
1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3 In the Add a new dynamic range area, configure the following settings:
Start address: Enter the start of the IP range from which the DHCP server should supply dynamic addresses. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
End address: Enter the end of the IP range from which the DHCP server should supply dynamic addresses. For example, enter 192.168.10.15. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
Comment: Enter a description of the dynamic range.
Enabled: Select to enable the dynamic range.
Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment area and configure the following settings:
MAC address: Enter the MAC address of the network host's NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address: Enter the IP address that the host should be assigned.
Comment: Enter a description of the static assignment.
Enabled: Select to enable the assignment.
Click Add static. The static assignment is added to the Current static assignments table.
1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.
5 Click Save.
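The consistency rules spread across the subnet, dynamic range and static assignment settings above (network ID and netmask, ranges that must not contain statically assigned addresses, MAC addresses accepted with a space, colon or other separator) can be checked before they are entered. The Python example below is added for that purpose and is not Smoothwall code; the function names, the gateway check and the sample subnets are assumptions constructed for the illustration.

```python
import ipaddress
import re


def parse_mac(text: str) -> str:
    """Canonicalise a MAC address entered as six hex pairs separated by spaces, colons,
    dashes or dots (e.g. '12 34 56 78 9A BC' or '12:34:56:78:9A:BC') to '12:34:56:78:9a:bc'."""
    parts = re.split(r"[^0-9A-Fa-f]+", text.strip())
    if len(parts) == 1 and len(parts[0]) == 12:      # no separators at all
        parts = [parts[0][i:i + 2] for i in range(0, 12, 2)]
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(p.lower() for p in parts)


def check_subnet(network_id, netmask, gateway, dynamic_ranges, static_assignments):
    """Check one DHCP subnet definition against the rules the guide states.
    dynamic_ranges: list of (start, end) address strings.
    static_assignments: list of (mac, ip) strings as typed into the form.
    Returns a list of human-readable problems; an empty list means the subnet is consistent."""
    problems = []
    net = ipaddress.IPv4Network((network_id, netmask), strict=False)
    if str(net.network_address) != network_id:
        problems.append(f"network ID {network_id} with netmask {netmask} is not a network "
                        f"address (expected {net.network_address})")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    ranges = []
    for start, end in dynamic_ranges:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            problems.append(f"dynamic range {start}-{end}: start is after end")
            continue
        if lo not in net or hi not in net:
            problems.append(f"dynamic range {start}-{end} is not inside {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"dynamic range {start}-{end} includes the network or broadcast address")
        if lo <= gw <= hi:
            problems.append(f"gateway {gw} lies inside dynamic range {start}-{end}")
        ranges.append((lo, hi))
    seen_macs, seen_ips = {}, {}
    for mac_text, ip_text in static_assignments:
        mac = parse_mac(mac_text)
        ip = ipaddress.IPv4Address(ip_text)
        if ip not in net:
            problems.append(f"static assignment {ip} for {mac} is outside {net}")
        for lo, hi in ranges:
            if lo <= ip <= hi:      # the guide: ranges must not contain statically assigned IPs
                problems.append(f"static assignment {ip} for {mac} lies inside dynamic range {lo}-{hi}")
        if mac in seen_macs:
            problems.append(f"MAC {mac} is assigned twice ({seen_macs[mac]} and {ip})")
        if ip in seen_ips:
            problems.append(f"IP {ip} is assigned to two MACs ({seen_ips[ip]} and {mac})")
        seen_macs.setdefault(mac, ip)
        seen_ips.setdefault(ip, mac)
    return problems


# Constructed sample subnets in the guide's style (192.168.10.0 / 255.255.255.0).
GOOD = dict(network_id="192.168.10.0", netmask="255.255.255.0", gateway="192.168.10.1",
            dynamic_ranges=[("192.168.10.100", "192.168.10.200")],
            static_assignments=[("12 34 56 78 9A BC", "192.168.10.15"),
                                ("12:34:56:78:9A:BD", "192.168.10.16")])
BAD = dict(network_id="192.168.10.5", netmask="255.255.255.0", gateway="192.168.10.150",
           dynamic_ranges=[("192.168.10.100", "192.168.10.255")],
           static_assignments=[("12-34-56-78-9a-bc", "192.168.10.120"),
                               ("12:34:56:78:9A:BC", "192.168.11.3")])

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_subnet(**cfg) or "no problems")
```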
Select Show free leases and click Update. The following information is displayed:
IP address: The IP address assigned to the network host which submitted a DHCP request.
Start time: The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time: The end time of the DHCP lease granted to the network host that submitted a DHCP request.
MAC address: The MAC address of the network host that submitted a DHCP request.
Hostname: The hostname assigned to the network host that submitted a DHCP request.
State: The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, the IP address is reserved for the same MAC address or re-used if not enough slots are available.
DHCP Relaying
Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.
To configure DHCP relaying:
1 Connect to Advanced Firewall and navigate to the services > dhcp > dhcp relay page.
2 Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields.
3 Click Save.
Note: DHCP relaying must be enabled on the services > dhcp > global page.
Browse to the services > dhcp > dhcp custom options page.
From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type
Enter a description for the option. This description is displayed on the services > dhcp > dhcp server page. Optionally, enter any comments relevant to the option. Select to enable the option.
Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 110.
Chapter 9 Virtual Private Networking
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:
Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Industry-standard X509 certificates or Pre-Shared Keys (subnet VPN tunnels).
Certificate management: Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls: Individual controls for all VPN tunnels.
Internal VPNs: Support for VPNs routed over internal networks.
Logging: Comprehensive logging of individual VPN tunnels.
What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors. The P in VPN technologies refers to the encryption and authentication employed to maintain an equivalent level of privacy to that one would expect using the traditional circuit which a VPN typically replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio. VPNs are mostly used to link multiple branch office networks together, site-to-site VPNs, or to connect mobile and home users, road warriors, to their office network. The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel. Tunnels can be formed between two VPN gateways. All data traversing the tunnel is encrypted, thus making the tunnel and its content unintelligible and therefore private to the outside world.
A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. A VPN gateway must perform a number of specific tasks:
Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
Encrypt all data presented to the VPN tunnel into secure data packets.
Route all data received from the tunnel to the correct computer on the LAN.
Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
Allow VPN tunnels to be managed.
Administrator Responsibilities
Specify the tunnel: define the tunnel on each VPN gateway.
Configure authentication: define a secure means for each VPN gateway to identify the other.
Manage tunnels: control the opening and closing of tunnels.
About VPN Authentication
Pre-Shared Key (PSK): Usually referred to as PSK, this is a simplistic authentication method based on a password challenge. For more information, see PSK Authentication on page 119.
X509: An industry strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 119.
Username/password: In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.
A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.
PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other's password. If the password received by each gateway matches the password stored by each gateway, both gateways know that the other must be genuine. Hence, each gateway is authentic and a secure, trusted VPN tunnel can be established.
PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required. Whilst it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse.
The simplicity of PSK is both its strength and its weakness. Whilst PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password, which is highly undesirable if your organization intends to create multiple road warrior VPN connections.
X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.
Subject: Information about who the certificate was issued to, their country, company name etc.
Issuer: Information about the CA that created and signed the certificate.
Certificate ID: An alternative identifier for the certificate owner in abbreviated form.
Validity period: The start and expiry dates, during which time the certificate is valid.
A certificate contains information about both its owner, i.e. the subject, and its issuer, i.e. the CA. However, it is not yet clear whether the certificate is a forgery. To prove absolute authenticity, X509 utilizes public-key cryptography. Public-key cryptography is an encryption mechanism that involves the use of a mathematically related pair of encryption keys, one called a private key and the other called a public key. The mathematical relationship allows messages encrypted with the private key to be decrypted by the public key and vice versa. It is computationally infeasible to derive either key from the other. It is also impossible for any other key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret by its owner, and the public key is freely accessible to all, any message successfully decrypted using the public key can only have originated from the private key owner. This concept is exploited by CAs to sign all certificates they create, thus proving that the certificate is genuine.
To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key. The encrypted content is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can therefore attempt to decrypt the CA signature using the public key obtainable from the issuing CA. If the signature can be successfully decrypted and matches the issuer details declared in the certificate, the certificate is proven to be authentic.
However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further stage of encryption: this time the certificate owner uses its private key to encrypt the entire certificate (including the CA's signature) before presenting the certificate. It can now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting the CA's signature from the certificate using the CA's public key).
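To make the two-stage check just described concrete, the following Python example (added here; not Smoothwall code and not how Advanced Firewall's VPN stack is implemented) builds the certificate fields listed above, has a CA sign them with its private key, and verifies them with the CA's public key; it then models the second stage as the owner signing a fresh challenge with the private key that belongs to the certificate's public key. Textbook RSA over two small, well-known primes is used as the key pair, which is an assumption made to keep the example self-contained (real certificates use far larger keys and padded signatures).

```python
import hashlib
import json


def modinv(a: int, m: int) -> int:
    """Modular inverse of a modulo m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: e and phi(n) are not coprime")
    return s0 % m


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: public (e, n) and private (d, n)."""
    n = p * q
    return (e, n), (modinv(e, (p - 1) * (q - 1)), n)


def digest(fields: dict, n: int) -> int:
    """SHA-256 of the canonical JSON encoding of the fields, reduced into the key's modulus."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign(fields: dict, private_key) -> int:
    """'Encrypt' the digest with the private key, which is how the guide describes signing."""
    d, n = private_key
    return pow(digest(fields, n), d, n)


def verify(fields: dict, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare it with the digest."""
    e, n = public_key
    return pow(signature, e, n) == digest(fields, n)


def issue_certificate(ca_name, ca_private, subject, cert_id, owner_public, valid_from, valid_to):
    """The CA signs the certificate content and inserts the signature like a watermark."""
    body = {"subject": subject, "issuer": ca_name, "certificate_id": cert_id,
            "valid_from": valid_from, "valid_to": valid_to, "public_key": list(owner_public)}
    return {"body": body, "ca_signature": sign(body, ca_private)}


def check_certificate(cert, trusted_cas: dict, today: str) -> str:
    """Stage one: was the certificate genuinely issued by a CA we trust, and is it in date?
    trusted_cas maps an issuer name to that CA's public key; dates are YYYY-MM-DD strings."""
    body = cert["body"]
    ca_public = trusted_cas.get(body["issuer"])
    if ca_public is None:
        return "issuer not trusted"
    if not verify(body, cert["ca_signature"], ca_public):
        return "CA signature does not match certificate content"
    if not body["valid_from"] <= today <= body["valid_to"]:
        return "outside validity period"
    return "ok"


def prove_possession(cert, owner_private, challenge: bytes) -> int:
    """Stage two: the presenter signs a fresh challenge with the private key matching the
    certificate's public key (a simplification of 'encrypt the entire certificate')."""
    fields = {"certificate_id": cert["body"]["certificate_id"], "challenge": challenge.hex()}
    return sign(fields, owner_private)


def check_possession(cert, challenge: bytes, proof: int) -> bool:
    """Verify the proof with the public key carried inside the certificate itself."""
    fields = {"certificate_id": cert["body"]["certificate_id"], "challenge": challenge.hex()}
    return verify(fields, proof, tuple(cert["body"]["public_key"]))


# Constructed demo keys from small well-known primes; real keys are thousands of bits long.
CA_PUBLIC, CA_PRIVATE = make_keypair(1_000_000_007, 998_244_353)
GW_PUBLIC, GW_PRIVATE = make_keypair(1_000_000_009, 999_999_937)
TRUSTED = {"Head Office CA": CA_PUBLIC}


def demo_certificate():
    """A constructed certificate for a branch-office VPN gateway, signed by the demo CA."""
    return issue_certificate("Head Office CA", CA_PRIVATE, {"CN": "Branch Office", "C": "GB"},
                             "branch-0001", GW_PUBLIC, "2011-03-01", "2012-03-01")


if __name__ == "__main__":
    cert = demo_certificate()
    print("stage one:", check_certificate(cert, TRUSTED, "2011-06-15"))
    nonce = b"\x01\x02\x03\x04"
    print("stage two:", check_possession(cert, nonce, prove_possession(cert, GW_PRIVATE, nonce)))
```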
Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:
1 On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 121.
2 Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3 Install the master Advanced Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.
5 Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6 Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7 Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 55.
Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. This section explains how to create a CA using Advanced Firewall. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 123.
To create a CA:
Navigate to the vpn > ca page and configure the following settings:
Name: Enter an easily identifiable name.
Email: Enter an administrative email address.
Organization: Enter an organizational identifier.
Department: Enter a departmental identifier.
Locality or town: Enter a locality or town.
State or province: Enter a state or province.
Country: Enter a two letter country code.
Life time: From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days): If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.
Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two different export formats:
To export the CA certificate:
In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format: From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
CA certificate in PEM: An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
CA certificate in BIN: A binary certificate format; select if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
Click Export and choose to save the file to disk from the dialog box launched by your browser. You can deliver the certificate to another system without any special security requirements since it contains only public information.
Importing Another CA's Certificate
This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.
To import the CA's certificate:
1 Navigate to the vpn > ca page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority.
Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. This change in layout occurs because a CA no longer exists on the Advanced Firewall system. The Create local Certificate Authority region replaces the Delete local Certificate Authority region.
Note: Deleting the local CA will invalidate all certificates that it has created.
1 Navigate to the vpn > ca page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.
Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.
Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate.
It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems.
To create a new signed certificate:
Scroll to the Create new signed certificate area and configure the following settings:
ID type: From the drop-down menu, select the certificate's ID type. The options are:
No ID: Not recommended but available for inter-operability with other VPN gateways.
Host & Domain Name: Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
IP address: Recommended for site-to-site VPNs whose gateways use static IP addresses.
Email address: Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
ID value: Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
Common name: Enter a common name for the certificate, for example Head Office.
Email: Enter an email address for the individual or host system that will own this certificate.
Organization: Enter an organizational identifier for the certificate owner.
Department: Enter a departmental identifier for the certificate owner.
Locality or town: Enter a locality or town for the certificate owner.
State or province: Enter a state or province for the certificate owner.
Country: Enter a two letter country code.
Life time: From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days): If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
Click Create signed certificate. The certificate is listed in the Installed signed certificates area.
Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.
To review a certificate:
1 Navigate to the vpn > certs page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window.
Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.
To export a certificate:
1 Navigate to the vpn > certs page and scroll to the Installed signed certificates area.
2 Select the certificate you want to export and configure the following settings:
Export format: From the drop-down menu, select the format in which to export the certificate. The following formats are available:
  Certificate in PEM: An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
  Certificate in DER: A binary certificate format for use with non-Advanced Firewall VPN gateways.
3 Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.
Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
To export a certificate in the PKCS#12 container format:
1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.
Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.
To import a certificate:
1 Navigate to the vpn > certs page.
2 In the Import certificates area, configure the following settings:
Password: Enter the password that was specified when the certificate was created.
Import PKCS#12 filename, Import PEM filename: Select the file to import as described in the steps below.
To import a certificate in PKCS#12 format:
1 Click Browse and navigate to and select the certificate file.
2 Click Import certificate and key from PKCS#12.
To import a certificate in PEM format:
1 Click Browse and navigate to and select the certificate file.
2 Click Import certificate from PEM.
Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.
Deleting a Certificate
To delete a certificate:
1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.
Setting the Default Local Certificate
One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.
To set the default local certificate:
1 Navigate to the vpn > certs page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.
Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:
Encryption: AES
Authentication type: ESP
Hashing algorithm: SHA
Site-to-Site VPNs
IPSec
Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 175.
1 On the Advanced Firewall at head office, browse to the vpn > vpn > ipsec subnets page.
2 Configure the following settings:
Name: Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled: Select to enable the connection.
Local IP: Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).
Local network: Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
  Default local Certificate Subject: Uses the subject field of the default local certificate as the local ID.
  User specified Email address: Uses a user specified email address as the local ID.
  User specified Certificate Subject: Uses a user specified certificate subject as the local ID.
Local ID value: This field is only used if the local ID type is a User specified type. In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Remote IP or hostname: Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network: Specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
  Remote IP (or ANY if blank Remote IP): The remote ID is the remote IP address, or any ID if the Remote IP field is left blank.
  User specified Host & Domain Name: Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
  User specified IP address: Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Remote ID value: Enter the value of the ID used in the certificate that the remote peer is expected to present.
Authenticate by: From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN.
Preshared key: Enter the preshared key when PSK is selected as the authentication method.
Preshared key again: Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression: Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection: Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment: Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
3 Optionally, click Advanced and configure the following settings:
Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.
Local certificate: This is used in non-standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 167.
Interface: Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
Perfect Forward Secrecy: Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type: Select the authentication type used during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
  ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
  AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
  3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
  AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
  AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
  Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
  CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
  MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
  SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
Set how frequently the Internet Key Exchange keys are re-exchanged.
Select to disable re-keying. This can be useful when working with NAT-ed end-points.
IPSec Site to Site and X509 Authentication Example
Prerequisite Overview
Before you start, you must do the following:
1 Create a CA on the local system, for information on how to do this, see Creating a CA on page 121.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type, for information on how to do this, see Creating a Certificate on page 124.
3 Install the local certificate as the default local certificate on the local system, for information on how to do this, see Importing a Certificate on page 127.
4 Export the remote certificate in the PKCS#12 container format, for information on how to do this, see Exporting in the PKCS#12 Format on page 127.
5 Export the CA certificate in PEM format, for information on how to do this, see Exporting Certificates.
6 Import and install the certificate as the default local certificate on the remote system, for information on how to do this, see Importing a Certificate on page 127.
Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.
1 On the primary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections, however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.
2 Click Add to create the tunnel specification and list it in the Current tunnels area. The advanced settings are left to their default values in this example.
The next step is to create a matching tunnel specification on the remote system.
1 On the secondary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 135.
Remote ID value: Enter the ID value (the hostname) of the primary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.
1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Next, the secondary system should initiate the VPN connection.
1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring InterZone Security on page 55.
IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.
1 On the primary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system's external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter a passphrase.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.
Initiate the connection: Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a description, for example: Tunnel to Birmingham Branch.
2 Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists the tunnel in the Current tunnels area.
The next step is to create a matching tunnel specification on the remote system.
1 On the secondary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system's external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if compression was enabled on the primary system.
Initiate the connection: Select this option as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.
1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Next, the secondary system should initiate the VPN connection.
1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring InterZone Security on page 55.
This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network.
Advanced Firewall supports two different VPN protocols for creating road warrior connections:
L2TP: L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
IPSec: IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 175.
Configuration Overview
Typically, a road warrior connection is configured as follows:
1 Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2 Decide which VPN protocol best suits your road warrior's needs: L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors.
4 Create the tunnel specification on the Advanced Firewall system.
5 Install the certificate and any necessary client software on the road warrior system and configure it.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring InterZone Security on page 55.
When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.
When configuring a tunnel, the client IP setting is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).
Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers.
IPSec Road Warriors
Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:
Each user requires their own tunnel, so create as many tunnels as there are road warriors.
Each connection can use different types of cryptographic and authentication settings.
Client software will need to be installed on road warrior systems.
Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.
Enter a descriptive name for the tunnel. Select to activate the tunnel once it has been added. Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see
1s
Client IP Local ID type Local ID value Remote ID type Remote ID value
Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field. From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections. If you chose a User Specified ID type, enter a local ID value. From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID. Enter the value of the ID used in the certificate that the road warrior is expected to present.
Ed i
192.168.2.10/3
on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/ 255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.
ti
on
143
Chapter 9 Virtual Private Networking IPSec Road Warriors Setting Authenticate by Description
From the drop-down list, select one of the following options: To use the road warrior's certificate, select it. To use a certificate created by a different CA, choose Certificate presented by peer. Authenticating by a named certificate is recommended for ease of management.
Preshared Key, select to use the global preshared key as defined on the vpn > vpn
> global.
Use compression Select to reduce bandwidth consumption (useful for low bandwidth
Local certificate This is used in less standard X509 authentication arrangements. For more
Interface
Used to specify whether the road warrior will connect via an external IP or an internal interface.
Perfect Forward This enables the use of the PFS key establishment protocol, ensuring that Secrecy previous VPN communications cannot be decoded should a key currently in use
be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
144
1s
Authentication type
Provides a choice of ESP or AH security during the authentication process. For further details, see below. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH IP Authentication Header uses IP Protocol 51 and ensures authentication
and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Comment: Enter a descriptive comment, for example: IPSec connection to Joe Blogg's on .240.

Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
Twofish: This algorithm is based on Blowfish, and is a former NIST AES finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.

Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.

Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.

Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.

Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it cannot initiate.
Sets how frequently the Internet Key Exchange keys are re-exchanged.
Turns off re-keying, which can be useful for example when working with NATed end-points.

Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.

Supported IPSec Clients

Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems: SafeNet SoftRemote LT, SafeNet SoftRemote 10, SafeNet SoftRemote 9.

This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features: All connections share the same, globally specified subnet. Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP. Very easy to configure.

Creating a Certificate

The first task when creating an L2TP road warrior connection is to create a certificate. For further information, see Creating a Certificate on page 124. A road warrior certificate is typically created using the user's email address as the certificate ID.
Setting L2TP and SSL VPN client configuration settings

L2TP settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users. From the drop-down list, select the internal network that L2TP road warriors will be connected to.

Click Save.

Configure the following settings:

Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Authenticate by: From the drop-down list, select one of the following options. Certificate presented by peer: If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management. Common Name's organization certificate: The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.
L2TP client OS: From the drop-down list, select the L2TP client's operating system.
Comment: Enter a descriptive comment.
Advanced: Click Advanced to access more options.
Local certificate: From the drop-down list, select the default local certificate to provide the Advanced Firewall's default local certificate as proof of authenticity to the connecting road warrior.
Interface: Select PRIMARY.

Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.
Click Advanced to display all settings and configure the following settings:

Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK)
not have any L2TP or IPSec road warriors, as they use certificates for authentication

Click Save and browse to the vpn > vpn > l2tp roadwarriors page. Configure the following settings:

Name: Enter a descriptive name for the tunnel. For example: CEO's iPhone.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Comment: Optionally, enter a description of the tunnel.
Authenticate by: Preshared key (iPhone compatible): Select this option to use the preshared key entered in step 2.

Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.

On the iPhone-compatible device, navigate to settings > general > network > vpn. Select Add VPN Configuration and configure the following settings:

Description: Enter a description for the tunnel.
Server: Enter Advanced Firewall's external IP address.
Account: Enter the username as entered in step 4.
RSA SecurID: Set to OFF.
Password: Enter the password as entered in step 4.
Secret: Enter the PSK as configured in step 2.
Send All Traffic: Set to ON for routing to other VPNs.
Proxy: Set to OFF.

Select Save to save the tunnel configuration. The tunnel is now ready for use.

Using NAT-Traversal

Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems.
IPSec normally uses Protocol 50, which embeds IP addresses within the data packets. Standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work. However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP protocol instead of Protocol 50 for IPSec VPN traffic; UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.

Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.

Note: NAT-T is a VPN gateway feature, not a NATing feature.
To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.

The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/ One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.
connection to be configured as part of a logon script. For details, see Advanced VPN

This section explains the configuration process for supported Microsoft operating systems.
When started, the SmoothTunnel L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Advanced Firewall system.
To install the L2TP client:
Run the SmoothTunnel L2TP Client Wizard on the road warrior system.
View the license and click Next to agree to it. The following screen is displayed:
Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next.
Ensure that the Launch New Connection Wizard option is selected and click Install.
The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
Click Next.
Select Virtual Private Network connection and click Next. The following screen is displayed:
Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.

Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over an IPSec connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
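As an added example that is not part of the guide or Smoothwall's software, the expected traffic profile in the note above can be turned into a check over firewall log lines: anything a road warrior sends to the gateway other than IKE on UDP 500, NAT-T on UDP 4500 or ESP is flagged for review instead of being ignored along with the benign alerts. The gateway address and the netfilter-style log lines below are constructed for the example.

```python
"""Audit road-warrior traffic against the L2TP/IPSec profile (added example)."""
import re
from typing import Dict, List

# Expected from an L2TP-over-IPSec road warrior: IKE (UDP/500),
# NAT-T (UDP/4500) and ESP (IP protocol 50). AH (51) is authentication only.
EXPECTED_UDP_PORTS = {500, 4500}
ESP_PROTO = 50
AH_PROTO = 51

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'SRC=... DST=... PROTO=UDP DPT=500' into a field dictionary."""
    return dict(_FIELD.findall(line))


def classify(rec: Dict[str, str], gateway_ip: str) -> str:
    """Verdict for one record:
    'expected'   IKE, NAT-T or ESP aimed at the gateway (the alerts to ignore)
    'ah'         AH to the gateway (works, but the guide does not recommend it)
    'unexpected' anything else aimed at the gateway, e.g. L2TP sent in the clear
    'other'      traffic not addressed to the gateway at all"""
    if rec.get("DST") != gateway_ip:
        return "other"
    proto = rec.get("PROTO", "").upper()
    try:
        dport = int(rec.get("DPT", "0"))
    except ValueError:
        dport = 0
    if proto == "UDP" and dport in EXPECTED_UDP_PORTS:
        return "expected"
    if proto in ("ESP", str(ESP_PROTO)):
        return "expected"
    if proto in ("AH", str(AH_PROTO)):
        return "ah"
    return "unexpected"


def audit(lines: List[str], gateway_ip: str) -> Dict[str, List[str]]:
    """Group flows by verdict so an operator can see which alerts are the
    benign tunnel setup and which deserve a closer look."""
    out: Dict[str, List[str]] = {"expected": [], "ah": [], "unexpected": [], "other": []}
    for line in lines:
        rec = parse_log_line(line)
        flow = f"{rec.get('SRC')} -> {rec.get('DST')} {rec.get('PROTO')}/{rec.get('DPT', '-')}"
        out[classify(rec, gateway_ip)].append(flow)
    return out


# Constructed sample: 203.0.113.1 is the gateway, 198.51.100.x are road warriors.
GATEWAY_IP = "203.0.113.1"
SAMPLE_LOG = [
    "SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500",     # IKE
    "SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=4500 DPT=4500",   # NAT-T
    "SRC=198.51.100.7 DST=203.0.113.1 PROTO=ESP SPI=0x1",             # ESP
    "SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=1701 DPT=1701",   # L2TP outside IPSec
    "SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=40001 DPT=22",    # not VPN traffic
    "SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=40002 DPT=80",    # some other host
    "SRC=198.51.100.8 DST=203.0.113.1 PROTO=AH SPI=0x2",              # AH
]


if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG, GATEWAY_IP).items():
        for flow in flows:
            print(f"{verdict:10s} {flow}")
```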
The following section explains how to configure Advanced Firewall for VPNing with SSL.

Prerequisites

An installed default local certificate, see Setting the Default Local Certificate on page 128 for more information.

Browse to the vpn > vpn > global page. Configure the following settings:

Select to enable SSL VPN on Advanced Firewall.
Transport protocol: Select the network protocol. The following options are available:
TCP (HTTPS): Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194): Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
SSL VPN network address: Accept the default network address or enter a new one. SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.
SSL VPN netmask: Accept the default network netmask or enter a new one.
Force clients to use SSL VPN as gateway: Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.
Select to override the default IP or hostname that the client will be configured to use as its gateway. Usually, the client is configured to use Advanced Firewall's primary external IP address as its gateway. However, if dynamic DNS is used, this will not work. Therefore, you have the option to set a different gateway.

Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.

Managing SSL Road Warriors

Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.

Note: On Windows Vista, to ensure that a user gets full VPN connectivity, add the user to the built-in

By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.

From the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays SSL VPN group settings. De-select the Enable option and click Save. Advanced Firewall disables access.

Repeat the steps above for any other groups you want to disable from using SSL VPN.
Uploading Scripts

To upload scripts:

1. In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.
2. To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
3. When prompted, browse to and select the script.
4. Click Upload preconnect script.
5. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.

Repeat the steps above to upload connect and disconnect scripts as required.

Removing Scripts

To remove scripts:

1. In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.
2. To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.
3. Advanced Firewall removes the script and displays a message confirming a successful removal.

Repeat the steps above to remove connect and disconnect scripts as required.

1. On the vpn > vpn > global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 156.
2. If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.
3. If you want to include scripts in the archive, browse to the vpn > vpn > ssl roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 159.
4. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 75. See Configuring and Connecting Clients on page 160 for information on how to install the SSL VPN software on clients.

Note: An archive can be used for both internal and external use. See Configuring SSL VPN on

Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.

1. On the vpn > global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 156.
2. Click Advanced and, in the SSL VPN internal interfaces area, select the interface on which to deploy the SSL VPN.
3. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.

Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 75.

Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 156 for more information on external use.
Extract the client archive, see Configuring VPN with SSL on page 156, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:

Accept the default components and click Next to continue. The following screen opens:

Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:

In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:

To disconnect, in the system tray, right click on OpenVPN GUI and select Disconnect.
This part of the manual explains how Advanced Firewall can be used to provide secure internal networking using VPN technology. An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:

Secure wireless access: Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.

Hidden network access: It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.

There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as their interface.
VPN Zone Bridging

In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured.

Enable NAT-Traversal: NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.
Enable Dead Peer Detection: Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.
Copy TOS (Type Of Service) bits in and out of tunnels: When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules within SmoothTraffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used

In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface. Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region.

5. Create a certificate for the L2TP client. See Creating a Certificate on page 124.
6. Browse to the vpn > vpn > l2tp roadwarriors page and configure the following settings:

Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the connection.
Again: Re-enter the password to confirm it.
Authenticate by: To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
Comment: Enter a descriptive comment.
L2TP client OS: From the drop-down list, select the L2TP client's OS.

7. Click Advanced and, from the Local certificate drop-down list, select Default.
8. Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.

To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 151.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.
The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):

Head office ID: This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.
Regional branch office ID: This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.
Branch office ID: This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.
1. Create a local Certificate Authority, see Creating a CA on page 121.
2. Create signed certificates for the master and secondary Advanced Firewall systems, see Managing Certificates on page 124.
3. Install the master signed certificate as the master Advanced Firewall's default local certificate, see
4. Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs IPSec on page 129.
5. Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see Exporting Certificates on page 126.
6. Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 123.

The remaining series of configuration steps are all carried out on the secondary Advanced Firewall system, firstly to create the primary site-to-site link.

1. Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate on page 123.
2. Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate on page 127.
3. Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 128.
4. Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to Default, see Site-to-Site VPNs IPSec on page 129.
5. Test the VPN connection.

The next step is to create an additional CA on the secondary Advanced Firewall system. This additional CA will be used to create another local certificate for the secondary Advanced Firewall system, as well as certificates for any further site-to-site or road warrior connections that it will be responsible for managing.

To create an additional CA on the secondary Advanced Firewall system:

1. On the secondary system, navigate to the vpn > ca page.
2. Create a new local Certificate Authority, see Creating a CA on page 121.
3. Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 124.
4. Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
5. Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created by the previous step) as the Local certificate.
6. Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
7. Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).

Note: The use of public key authentication should not be considered as a direct replacement for a

1. On both systems, navigate to the vpn > certs page.
2. Export the local certificates from both Advanced Firewall systems using the PEM format, see Exporting Certificates on page 126.
3. Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate on page 127.
4. Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5. Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.

The tunnel can now be established and authenticated between the two Advanced Firewall systems. In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and road warrior connections by using its own CA to create additional certificates.
Host certificate, Certificate A created by the commercial CA for the Advanced Firewall system.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).

1. On the system, navigate to the vpn > certs page.
2. Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's Certificate on page 123.

Next, configure the local tunnel specification in co-operation with the other organization. This is most likely to be an IPSec site-to-site connection, though it is possible that you could connect to their network as a road warrior. In either case, full consultation between both organizations is required to decide on the configuration options to be used on the respective VPN gateways.

Follow these steps to create a site-to-site connection:

1. Connect to Advanced Firewall on the Advanced Firewall system and navigate to the vpn > ipsec subnets page.
2. In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified values if the other VPN gateway is not directly compatible with Advanced Firewall's communication of certificate subjects.
3. Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any default local certificate that might be configured.
4. Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that Advanced Firewall will authenticate Certificate B when it is presented by the other organization's VPN gateway.
5. Choose the remote ID type from the Remote ID type drop-down list that was entered during the creation of Certificate B using the commercial CA.
6. Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.
A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote network settings:

Local network: 192.168.10.0/255.255.255.0
Remote network: 192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel A. Any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its destination; Tunnel C from Site B will ensure this.
With this configuration, any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the definition of the remote end of Tunnel C.
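To make the Tunnel A / Tunnel C routing rule concrete, and the earlier road warrior Local network setting (a single address versus a whole subnet), here is an added Python example that is not part of the guide or Smoothwall's software. It parses network definitions in both forms the guide uses and picks the tunnel whose remote network contains the destination; Site B's tunnel networks and the longest-prefix rule for overlapping tunnel definitions are assumptions, since the guide only shows one matching tunnel per site.

```python
"""Tunnel selection by network definition (added example, not Smoothwall code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Parse a network the way the guide writes them: '192.168.2.0/24',
    '192.168.2.0/255.255.255.0', or a bare address meaning one host (/32).
    strict=True rejects definitions with host bits set, such as
    192.168.2.10/24, which usually indicates a typo in a tunnel specification."""
    spec = spec.replace(" ", "")
    if "/" not in spec:
        spec += "/32"
    return ipaddress.IPv4Network(spec, strict=True)


def is_valid_network(spec: str) -> bool:
    """True when spec is a clean network definition."""
    try:
        parse_network(spec)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def make_tunnel(name: str, local: str, remote: str) -> Tunnel:
    return Tunnel(name, parse_network(local), parse_network(remote))


def select_tunnel(tunnels: List[Tunnel], src: str, dst: str) -> Optional[str]:
    """Name of the tunnel that carries src -> dst, or None if no tunnel does.
    src must lie in the tunnel's local network and dst in its remote network.
    If several tunnels match, the most specific remote network wins (longest
    prefix); this is an assumption generalising the guide's single-tunnel case."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    best: Optional[Tunnel] = None
    for t in tunnels:
        if s in t.local and d in t.remote:
            if best is None or t.remote.prefixlen > best.remote.prefixlen:
                best = t
    return best.name if best is not None else None


def road_warrior_reachable(local_network: str, dst: str) -> bool:
    """Whether a connected road warrior may reach dst under the tunnel's
    Local network setting: a single address confines it to one host, a
    subnet opens the whole range."""
    return ipaddress.IPv4Address(dst) in parse_network(local_network)


# Site A exactly as the guide defines Tunnel A.
SITE_A = [make_tunnel("Tunnel A", "192.168.10.0/255.255.255.0",
                      "192.168.0.0/255.255.0.0")]

# Site B is constructed (assumption): Tunnel A back to Site A's LAN and
# Tunnel C onward to Site C. Both use the whole 192.168.0.0/16 as local
# network so that Site B can forward Site A's traffic on to Site C.
SITE_B = [
    make_tunnel("Tunnel A", "192.168.0.0/16", "192.168.10.0/24"),
    make_tunnel("Tunnel C", "192.168.0.0/16", "192.168.30.0/24"),
]


if __name__ == "__main__":
    src, dst = "192.168.10.5", "192.168.30.7"
    print("Site A:", src, "->", dst, "via", select_tunnel(SITE_A, src, dst))
    print("Site B:", src, "->", dst, "via", select_tunnel(SITE_B, src, dst))
    print("road warrior limited to 192.168.2.10 reaches .11:",
          road_warrior_reachable("192.168.2.10", "192.168.2.11"))
```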
The following sections document how to: Control VPNs; Open and close tunnels.

The following sections explain how to start, restart, stop and view the status of the VPN system.

In the Automatic control region, select Start VPN sub-system automatically. Click Save.

To restart the VPN system:
1. Navigate to the vpn > control page.
2. Click Restart in the Manual control region.

To stop the VPN system:
1. Navigate to the vpn > control page.
2. Click Stop in the Manual control region.

To view the status of the VPN system:
1. Navigate to the vpn > control page.
2. Click Refresh in the Manual control region.
3. View the current status from the Current status information field. There are two possible system statuses:
Running: The VPN system is currently operational; tunnels can be connected.
Stopped: The VPN system is not currently operational; no tunnels can be connected.
IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the vpn > control page. The information displayed is:
Name: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP: The IP address of the local tunnel end.
External IP: The IP address of the other end of the tunnel.

IPSec road warrior connections are shown in the IPSec road warriors region of the vpn > control page. The information displayed is:
Name: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP: The IP address of the local tunnel end.
Remote IP: The IP address of the other end of the tunnel.
VPN Logging
VPN log entries can be found in the information > logs > ipsec page and the information > logs > system page.
VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other, i.e. the configuration settings in each example build on those of the previous one.

This first example begins with a simple two-network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:
We will use Preshared Key authentication initially. This is the easiest to set up.

Configuring Network A
There is no need for a CA or any certificates. Create a tunnel with the following characteristics. This tunnel we call Tunnel 1. Where a parameter is not listed, leave it at its default value:
Name: Tunnel 1
Local network: Set to the opposite end's remote network value.
Local ID type: Local IP
Remote IP or hostname: 200.0.0.1
Remote network: 192.168.12.0/24
Remote ID type: Remote IP (or ANY if blank Remote IP)
Authenticate by: Preshared Key
Preshared Key: loudspeaker
Preshared Key again: loudspeaker

Configuring Network B
Here a single tunnel is created:
Name: Tunnel 1
Local network: Set to the opposite end's remote network value.
Local ID type: Local IP
Remote IP or hostname: 100.0.0.1
Remote network: 192.168.0.0/24
Remote ID type: Remote IP (or ANY if blank Remote IP)
Authenticate by: Preshared Key
Preshared Key: loudspeaker
Preshared Key again: loudspeaker

In order for traffic to flow down the tunnel, you must create a zone bridge.
To create the zone bridge:
On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen, refer to Appendix C, Troubleshooting VPNs on page 363. To test that the VPN is actually routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system's external IP in the Remote system ID Value.
Configuring Network A
Begin by going to the ca page and setting up the CA. In this example, we list only the required fields. You should, of course, enter values appropriate to your organization:
Common Name: as appropriate for your organization
Organization: My Company Ltd
From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next, export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation's hard disk. You will need this file later.

Switch to the certificates page, and create the local certificate. It requires ID information:
ID Type: Host & Domain name
ID Value: tunnel.mycompany.com
Common Name: Network A Local Cert
Then create the certificate for the Network B end:
ID Type: Host & Domain name
ID Value: tunnelb.mycompany.com
Common Name: Network B Cert
Organization: My Company Ltd
Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.
Now on to the tunnels page. Choose the Network A Local Cert certificate as the Default local certificate, and press Save. We will restart the VPN shortly to make this change active. The tunnel configuration is:
Name: Tunnel 1
Local network: Set to the opposite end's remote network value.
Local ID type: Default local cert subject alt. name
Remote IP or hostname: 200.0.0.1
Remote network: 192.168.12.0/24
Remote ID type: Host & Domain name
Remote ID value: tunnelb.mycompany.com
Authenticate by: Certificate presented by peer

Configuring Network B
On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes. Choose the certificate Network B Cert as the Default local certificate and click Save. The tunnel configuration should look like this:
Name: Tunnel 1
Local network: Set to the opposite end's remote network value.
Local ID type: Default local cert subject alt. name
Remote IP or hostname: 100.0.0.1
Remote network: 192.168.0.0/24
Remote ID type: Host & Domain name
Remote ID value: tunnel.mycompany.com
Authenticate by: Certificate presented by peer

Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificates page. The ID is the same as the Certificate ID. Examine the log for telltale messages.
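The Testing sections of both the preshared-key and the certificate tutorials come down to the two ends mirroring each other. The following added example (not the guide's or the product's own code) checks a pair of tunnel definitions for the mismatches those sections name; the field names are the guide's, while the dict layout and the external_ip and local_cert_id keys are assumptions.

```python
"""Added example, not part of the Smoothwall guide: a pre-flight check that the
two ends of a tunnel definition mirror each other before the VPN is restarted.

It catches the failure modes the Testing sections call out: a preshared key
that differs between ends, and, for certificate tunnels, a Remote ID value
that does not equal the peer certificate's ID."""
from ipaddress import ip_network

# Tunnel ends as dicts keyed by the guide's parameter names, plus two assumed
# keys: 'external_ip' (the address the peer dials) and 'local_cert_id' (the ID
# carried by the Default local certificate, used for certificate tunnels).
# Values are the ones used in the certificate tutorial above.
NETWORK_A = {
    "Name": "Tunnel 1",
    "external_ip": "100.0.0.1",
    "Local network": "192.168.0.0/24",
    "Remote IP or hostname": "200.0.0.1",
    "Remote network": "192.168.12.0/24",
    "Remote ID type": "Host & Domain name",
    "Remote ID value": "tunnelb.mycompany.com",
    "Authenticate by": "Certificate presented by peer",
    "local_cert_id": "tunnel.mycompany.com",
}
NETWORK_B = {
    "Name": "Tunnel 1",
    "external_ip": "200.0.0.1",
    "Local network": "192.168.12.0/24",
    "Remote IP or hostname": "100.0.0.1",
    "Remote network": "192.168.0.0/24",
    "Remote ID type": "Host & Domain name",
    "Remote ID value": "tunnel.mycompany.com",
    "Authenticate by": "Certificate presented by peer",
    "local_cert_id": "tunnelb.mycompany.com",
}


def check_tunnel_pair(a, b):
    """Return a list of mismatches between two tunnel ends; an empty list means
    the definitions mirror each other."""
    findings = []
    for here, there in ((a, b), (b, a)):
        tag = f"{here['Name']} at {here['external_ip']}"
        if here["Remote IP or hostname"] != there["external_ip"]:
            findings.append(f"{tag}: Remote IP {here['Remote IP or hostname']} is not the peer's external IP")
        # Each end's Remote network must be what the other end calls its Local network.
        if ip_network(here["Remote network"]) != ip_network(there["Local network"]):
            findings.append(f"{tag}: Remote network {here['Remote network']} is not the peer's "
                            f"Local network {there['Local network']}")
    if a["Authenticate by"] != b["Authenticate by"]:
        findings.append("Authenticate by differs between the two ends")
        return findings  # the checks below assume both ends use the same method
    if a["Authenticate by"] == "Preshared Key":
        for end in (a, b):
            if end["Preshared Key"] != end["Preshared Key again"]:
                findings.append(f"{end['Name']} at {end['external_ip']}: Preshared Key and Preshared Key again differ")
        if a["Preshared Key"] != b["Preshared Key"]:
            findings.append("the preshared key differs between the two ends")
    else:
        # Certificate tunnels: the Remote ID value must equal the ID of the
        # certificate the peer presents (the guide's "most likely cause").
        for here, there in ((a, b), (b, a)):
            if here["Remote ID value"] != there["local_cert_id"]:
                findings.append(f"{here['Name']} at {here['external_ip']}: Remote ID value "
                                f"{here['Remote ID value']!r} does not match the peer certificate ID "
                                f"{there['local_cert_id']!r}")
    return findings


def psk_end(external_ip, local_net, remote_ip, remote_net, key, key_again=None):
    """Build a preshared-key tunnel end in the shape of the guide's PSK tutorial."""
    return {
        "Name": "Tunnel 1", "external_ip": external_ip,
        "Local network": local_net, "Remote IP or hostname": remote_ip,
        "Remote network": remote_net, "Authenticate by": "Preshared Key",
        "Preshared Key": key, "Preshared Key again": key if key_again is None else key_again,
    }


if __name__ == "__main__":
    for finding in check_tunnel_pair(NETWORK_A, NETWORK_B) or ["no mismatches"]:
        print(finding)
```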
In Extended Site to Site Routing on page 171, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C, and vice versa.

Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:
ID Type: Host & Domain name
ID Value: tunnelc.mycompany.com
Common Name: Advanced Firewall C Cert
Organization: My Company Ltd

Modify the existing tunnel to Network B. All settings are unchanged except:
Local subnet: 192.168.0.0/16
Notice how this subnet mask now covers all subnets in the VPN. Now we create a new tunnel to Advanced Firewall C:
Name: Tunnel 2
Local subnet: 192.168.0.0/16
Remote IP or hostname: 250.0.0.1
Local ID type, Remote network, Remote ID type, Remote ID value and Authenticate by: set as for Tunnel 1, substituting Network C's values.

Network B Configuration
Modify the tunnel as follows:
Remote subnet: 192.168.0.0/16

Network C Configuration
Name: Tunnel 2
Remote IP or hostname: 100.0.0.1
Remote subnet: 192.168.0.0/16

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing
Test in the same way as before. After bringing up both tunnels, test by pinging a machine on the Network A end from both the Network B and Network C networks. Then test that you can route across Network A by pinging a host on the Network C network from the Network B network.
The road warrior is required to assume an internal IP on Network A's local network, in this case 192.168.0.5.

Network A Configuration
Create a certificate for the road warrior, giving it a Common Name and the Organization My Company Ltd. Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.
The tunnel is configured as follows:
Type: IPSec road warrior
Local network: 192.168.0.0/16
Local ID type: Default local cert subject
Client IP: 192.168.0.5
Remote ID type: Remote IP (or ANY if blank Remote IP)
Authenticate by: Certificate provided by peer

SoftRemote Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the connection up and running. Full details, including detailed screen shots, are given in Working with SafeNet SoftRemote on page 184. After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the computercert.p12 certificate. In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot of time configuring the client. If you use settings different to those described in this tutorial, compression for example, then you will have to modify those settings. The following fields need to be filled in after importing the policy template.
In road warrior:
Gateway IP Address: 100.0.0.1
Subnet: 192.168.0.0
Mask: 255.255.0.0
In My Identity:
Internal Network IP Address: 192.168.0.5

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. This works both ways; a machine on the local network can connect to the road warrior. You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three.
Network A Configuration
Create a certificate for the road warrior, giving it a Common Name and the Organization My Company Ltd. Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.
The tunnel is configured as follows:
Type: L2TP road warrior
Authenticate by: Certificate provided by peer
Client IP: 192.168.0.6
Username: road warrior
Password: microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.
The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway using SafeNet SoftRemote.
We also recommend that the LT versions of this software be used, which do not incorporate Zone Alarm. Configuration of Zone Alarm will not be covered in this manual.
zone. It will be possible to route to other subnets, including VPN-connected ones. This also means that other machines in the network can see the client, just as if it was plugged in directly.
Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the encryption settings, and overriding the default local certificate.

After installation, open the Certificate Manager. In the Root CAs tab, import a CA .PEM from Advanced Firewall. In the My Certificates tab, import a .P12 file. Enter the export password, and a short time later the certificate should appear in the list. Select the certificate, and click Verify (on the right). You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is valid.
NAT-T is handled automatically by this client. No extra configuration is required. Check the log messages in the client to see if NAT-T mode is being used as expected.

Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of the settings with suitable values, saving you the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy. Import the Security Policy template, policytemplate.spd, which can be found in the extras folder on the installation CD. After importing this policy, a single connection, named road warrior, will become available.
Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients, i.e. those described above, only a handful of settings must be entered. In the road warrior section, enter the Remote Subnet, Mask and the gateway's hostname (or IP address). In the My Identity section, enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not using standard settings, as described in D.1, then you will have to modify those particular settings. For instance, if you are using compression, then you will have to enable it in the client.
Save the settings, and close the Security Policy Editor. To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest way to do this is by pinging a host on the remote network. After a series of Request timed out messages you should start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).

Before creating the connection without the policy template, you must activate a special feature within the client which allows you to specify a local network zone IP address for the client to take when it connects to the VPN gateway. Select Global Policy Settings from the Options menu. A window will appear, and you should tick the box marked Allow to specify internal network address.
Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of Any. You should then enter either a Gateway IP Address or Gateway Hostname.
Next, move to the My Identity node. Select the certificate you imported earlier. The ID type's default, Distinguished Name (another name for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
Now go back to the tree control on the left and choose the New Connection node. You can rename this to something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.
In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified when the tunnel was created.
Create a new Phase 1 security policy: select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose an SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is necessary to ensure the tunnel is always re-keyed.
Finally, create a Phase 2 security policy, again with 3DES and MD5, in a tunnel. Tick the ESP box. In this page you can select compression or not, as well as key life settings.
Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are available through the tool bar icon.

Advanced Configuration
Using the configuration previously described, the selected certificate will be required by the client in order to obtain a connection. This method is usually desired, but in other cases an Authenticate by setting of Certificate provided by peer can be more useful, especially if the client certificates are not installed on the VPN gateway server. It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example, if you wish to restrict the connected road warriors so that they can only contact a specific IP address, for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note that this setting is a network address, so you must always specify a network mask, even if that network mask covers only a single host. If the VPN server the road warrior connects to is routed onto other networks, such as subnet VPNs or other local network zones, the Local network setting can likewise be expanded to cover them. Visit https://support.smoothwall.net/ for information on setting up other clients.
Chapter 10
Email Settings
In this chapter: Overview of Advanced Firewall's email pages and settings.
SMTP Settings
Advanced Firewall's SMTP settings enable you to configure email relaying using SMTP. For more information on SMTP in general, see Appendix D, Email Protocols on page 367. The following sections document the settings available.
Click Advanced to view all settings. The following settings control email relaying:
Enable mail relay
Used to specify the maximum email size, in MB, that Advanced Firewall will accept. Any emails above this limit will be rejected. Min = 1 MB, Default = 10 MB, Max = Unlimited.
Maximum bounce size: Specifies the maximum size of an email which is used in a bounce email.
Used to specify the amount of time an email will be held in the queue if it cannot be sent. Advanced Firewall will periodically attempt to re-send all email that is held in the queue. Min = 5 hours, Default = 5 days, Max = 5 days.
Anti-malware Settings
Advanced Firewall can scan relayed email for malware and take appropriate action as specified by the anti-malware settings configured here.
Enable anti-malware scanning: Activates anti-malware scanning for relayed email.
Action to perform on malware: Determines what to do if malware is found in relayed email. The options are:
Drop (discard) email
Send a warning email to the recipient, with the original email as an attachment.
Allow email delivery

Specify which interface(s) SMTP traffic will be transparently captured from. Enter any IP addresses, subnets or ranges that should not be transparently proxied.
Once SMTP traffic has been captured, Advanced Firewall will apply all anti-malware and anti-spam checks that are enabled, and relay the email accordingly. Outgoing SMTP traffic will be queued and relayed as if the client had sent the email directly to Advanced Firewall.
Select to enable Advanced Firewall to send outgoing email to another relay within an existing email infrastructure. The IP address or hostname of the relay. The username, if required by the remote relay. The password, if required by the remote relay.
MX record for the recipient domain. To alter your domain's MX record, you will need to access your domain's DNS server settings. Refer to your email server documentation and/or your email provider to find out how to alter the MX record. It should be set to your Smoothwall System's external IP address.
Use strict HELO checks: Ensure validity of the initial communication between a connecting SMTP client and the Advanced Firewall email relay.
Sender domain validity: Check that the sender domain is formatted correctly and has a real IP address.
Recipient domain validity: Check that all recipient domains are formatted correctly and have real IP addresses.
External sender domain spoofing: Check if the sender of incoming email is falsely using an internally relayed domain in their from address. Emails are rejected if the sender's email address purports to be from a domain listed on the incoming page, but the sender's IP address cannot be found on the outgoing page.
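The spoofing check just described, written out as an added Python example (not the product's code): the internal domain list, the outgoing address list and the sample transactions are constructed, with smoothwall.net and 192.168.10.10 taken from the guide's own examples.

```python
"""Added example, not part of the Smoothwall guide: the external sender domain
spoofing check described above, modelled in Python.

A message is rejected when its envelope sender claims a domain from the
incoming (internal domains) list but the connecting client's IP is not within
any address or subnet on the outgoing list."""
from ipaddress import ip_address, ip_network

# Domains Advanced Firewall relays for (the internal domains page). Constructed sample.
INTERNAL_DOMAINS = {"smoothwall.net", "example.co.uk"}

# Addresses and subnets allowed to relay outbound mail (the outgoing page). Constructed sample.
OUTGOING_ALLOWED = [ip_network("192.168.10.10/32"), ip_network("10.20.0.0/16")]


def sender_domain(address):
    """Return the lowercased domain part of an email address, or None if malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def is_internal_client(client_ip, allowed=OUTGOING_ALLOWED):
    """True when the connecting client falls within an entry of the outgoing list."""
    ip = ip_address(client_ip)
    return any(ip in net for net in allowed)


def spoofing_check(sender, client_ip, internal=INTERNAL_DOMAINS, allowed=OUTGOING_ALLOWED):
    """Return ('reject', reason) or ('accept', reason) for one SMTP transaction."""
    domain = sender_domain(sender)
    if domain is None:
        return "reject", "sender address is not formatted correctly"
    if domain not in internal:
        return "accept", "sender domain is external; the spoofing check does not apply"
    if is_internal_client(client_ip, allowed):
        return "accept", "internal domain sent from an address on the outgoing page"
    return "reject", f"{domain} is an internal domain but {client_ip} is not on the outgoing page"


# Constructed sample transactions: (envelope sender, connecting client IP).
SAMPLE = [
    ("alice@smoothwall.net", "192.168.10.10"),   # internal mail server relaying out
    ("ceo@smoothwall.net", "203.0.113.7"),       # outside host claiming an internal domain
    ("newsletter@example.org", "203.0.113.7"),   # ordinary external sender
]

if __name__ == "__main__":
    for sender, ip in SAMPLE:
        verdict, why = spoofing_check(sender, ip)
        print(f"{verdict:6} {sender:26} from {ip:14} {why}")
```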
Internal Domains
On the internal domains page, you specify which incoming email messages will be accepted and relayed by Advanced Firewall. Only messages to addresses whose domain names are listed here will be accepted by Advanced Firewall.
To access settings:
Domain to relay for: The name of the domain that Advanced Firewall will accept email for. For example, for Advanced Firewall to accept email for people at Smoothwall, enter: smoothwall.net
Relay IP: The IP address of the email server that the incoming email is relayed to. In most cases this will be an internal IP, usually the email server behind your Smoothwall System.
Activates anti-malware scanning for email accepted by Advanced Firewall for the specified domain.
This option appends the text entered in the email > content > footers page to all outgoing email except HTML and signed email.
Note: HTML emails are normally sent in two parts: an HTML part and a text part. The footer will be appended to the text part even if the Append to HTML emails option is selected.
Comment: A useful description for a particular domain, for example, Inbound relay domain for smoothwall.net.
Enabled: Enables incoming email relaying for the specified domain.
Current domains: Lists the domains for which Advanced Firewall will accept and relay email.

Outgoing
On the outgoing page, you specify which IP addresses or subnets of machines on the local network are allowed to relay mail through Advanced Firewall.
To access outgoing relay settings:
The IP address or subnets of machines on the local network that are to be allowed to relay mail through Advanced Firewall. For example: 192.168.10.10
Comment: A useful description for a particular IP or subnet, for example, Outbound relaying for smoothwall.net.
Enabled: Select to enable outbound email relaying for the specified IP or subnet.
Current allowed addresses: Lists the addresses from which outgoing email can be sent.
Archiving
On the archiving page you specify what email you want archived, based on domain information or a specific email address, by sender or recipient.
Specify the email address that matched email is forwarded to.
Specify that matching of the domain or address should be performed against the recipient's email address.
Specify that matching of the domain or address should be performed against the sender's email address.
A useful description for a match rule, for example, email archiving for company domain.
Used to enable email archiving for the archive rule.

The mail queue viewer provides a view of all email currently waiting in the queue.
The total number of email messages waiting in the queue.
The amount of data in KB currently held in the queue.
The total number of unique senders for all email messages in the queue.
The total number of unique recipients for all email messages in the queue.
Requests that Advanced Firewall attempt to re-send all queued email.
Updates the page and displays the current status of the queue.

POP3 Proxy
On the pop3 proxy page, you enable and configure transparent POP3 proxying. Advanced Firewall's transparent POP3 proxying captures POP3 traffic without the user's knowledge, and automatically scans it for malware, viruses and unsolicited content. This ensures that email downloaded from POP3 servers is subjected to scanning without requiring every employee to install expensive email anti-malware software on their workstations. For general information on POP3, see Appendix D, About POP3 on page 368.
Anti-malware
Enable anti-malware scanning
The malware name in the body of the email alert.
The sender's email address.
The recipient's email address.
The date that the email was sent.
The subject of the email.
Show connection data: The IP addresses of both the client connecting to download email and the POP3 server.

Interfaces
Here you set which internal interfaces will transparently proxy POP3 traffic.
Interface name
IP exception list
Content
Advanced Firewall's content pages manage email footer information and attachments.

Footers
You configure footer content settings, such as standard email disclaimers, on the footers page.
To access the footer settings:
When enabled, this option appends the text entered in the text box below to outgoing HTML email messages.
This option appends the text entered in the text box below to outgoing email messages which have a digital signature attached. When you select this option, the footer is appended to signed emails in a way which maintains the fingerprint.

Per-domain footers
The settings here enable you to specify which footer to use with which domain.
Internal domain: From the drop-down list, select the domain and click Select. If a domain does not have a specific footer, the default domain is used.
Append the following text to outgoing email: Enter the footer text you want to append.

Attachments
You configure how Advanced Firewall handles relayed email attachments on the attachments page.
To access attachment settings:
Navigate to the email > content > attachments page. The following settings are available:
Remove:
All: Removes all attachments from relayed email.
Compressed archives: Removes compressed attachments, such as tar and zip files, from relayed email.
Executables: Removes files that can be executed, such as msi and exe files, from relayed email.
Vector graphics: Removes vector graphic files, such as svg and wmf files, from relayed email.
Time and bandwidth wasting: Removes files deemed to contain time wasting content, such as iso and p2p files, from relayed email.
Music and audio: Removes files containing music and audio, such as midi and mp3 files, from relayed email.
Documents capable of macros: Removes files that can run macros, such as doc and xls files, from relayed email.
Video: Removes files containing video, such as mov and mpeg files, from relayed email.
Standard Web content: Removes files containing Web content, such as asp and php files, from relayed email.
Anti-spam
Advanced Firewall's anti-spam service manages spam filtering.
To access the anti-spam page:
Select to enable spam filtering for relayed email.
Determines what Advanced Firewall should do with relayed email deemed to be spam. The options are:
Drop (discard) email: Discard the email; discarded email is not relayed.
Redirect mailbox: Send the email to the mailbox specified in the Redirect mailbox field.
Mark subject as spam: Add ***SPAM*** to the subject of the email and relay it.
Allow email delivery: Relay the email and take no action.
Note: All of the actions above are transparent to the sender; that is, no rejection notices are sent. This is because it is a common spammer tactic to harvest email addresses by sending known bad email and awaiting the rejection notices. Rejection notices not only confirm email addresses as valid, they also inform spammers which anti-spam system you have in place. Therefore, Advanced Firewall does not provide options for sender notification for spam.
Apply action above spam score: Advanced Firewall calculates a statistical probability that the email it is scanning is spam. The probability of a message being spam varies, and the options here enable you to customize the level at which an email will be treated as spam. Various refinements to the algorithm used by Advanced Firewall to optimize for speed or resources will affect the accuracy of this probability. For most configurations, we recommend a spam threshold of 80%; that is, email which is more than 80% likely to be unwanted will be treated as spam. Select the threshold above which email will be considered spam.
90 The most easily identified spam will be filtered out, but a significant
see below, we recommend that you set the spam threshold to 90.
Redirect mailbox: Enter the address of the mailbox you want to redirect email to.
Select to enable spam filtering for POP3 email.
Determines what to do with POP3 email deemed to be spam. The options are:
Replace spam with warning: Send an automatic warning to the recipient and do deliver it.
Allow email delivery: Deliver the email and take no action.
Note: All of the actions above are transparent to the sender; that is, no rejection notices are sent. This is because it is a common spammer tactic to harvest email addresses by sending known bad email and awaiting the rejection notices. Rejection notices not only confirm email addresses as valid, they also inform spammers which anti-spam system you have in place. Therefore, Advanced Firewall does not provide options for sender notification for spam.
Spam threshold: Advanced Firewall calculates a statistical probability that the email it is scanning is spam. The probability of a message being spam varies, and the options here enable you to customize the level at which an email will be treated as spam. Various refinements to the algorithm used by Advanced Firewall to optimize for speed or resources will affect the accuracy of this probability. For most configurations, we recommend a spam threshold of 80%; that is, email which is more than 80% likely to be unwanted will be treated as spam. Select the threshold above which email will be considered spam.
90 The most easily identified spam will be filtered out, but a significant
see below, we recommend that you set the spam threshold to 90.
Tuning
The following tuning settings are available for spam filtering:
Spam check optimization mode: individual email is often considered immaterial. We strongly recommend that accuracy options only be decreased in favour of speed in order to alleviate specific bursts of traffic or increase throughput on loaded networks. The following options are available:
Most Accurate: This option filters spam very accurately. Advanced Firewall will bypass the global fingerprint cache and check each email against the latest spam filter information. This can introduce network latency and decrease performance; however, it is the most resilient to bursts of spam traffic across the Internet.
More Accurate: This option filters spam accurately. This option has the same advanced parsing options as the Most Accurate option but uses a global fingerprint cache to allow for a local comparison to alleviate the network latency of the Most Accurate option.
Note: This option offers high levels of accuracy at increased speed, but
using a range of options which tend to provide the most accurate determination of spam whilst using the smallest amount of system resources.
Note: This option is only recommended for machines which have limited
subjected to only a limited subset of spam recognition techniques. Scanning techniques which are either time-intensive or prone to network latency are omitted in order to provide the highest possible throughput.
Note: This option is only recommended for systems which are heavily loaded
Determines how often Advanced Firewall checks for spam rule updates.
many times to allow for attachments and HTML emails. In order for these emails to be properly scanned, we recommend that Advanced Firewall be configured to scan attachments.

Home Regions
Home region: Here you can specify regions from which Advanced Firewall scores email less aggressively for spam. You can select from the following regions: Australia and Oceania, European Union, South America, Asia, Europe, North America.
SMTP Graylisting
Graylisting is an anti-spam feature designed to detect messages that have not been sent by a genuine email server.
Note: In order for graylisting to work, Advanced Firewall must be operating as the MX record for the
recipient domain. To alter your domain's MX record you will need to access your domains DNS server settings. Refer to your email server documentation and/or your email provider to find out how to alter the MX record. It should be set to your Smoothwall Systems external IP address. Only incoming email will be graylisted, outgoing email will be allowed automatically. To understand how graylisting works, it is necessary to understand how email sent by a spammer differs from that sent by a genuine email server. Most email servers employ a re-send mechanism to try and deliver any failed messages. This approach ensures that the email server pro-actively manages email delivery, and does not annoy users simply because of an intermediary network failure or temporary email server outage. Most spammers will not go to the trouble of re-sending mails that have been rejected they are mostly concerned with the volume of spam that they can send to easy targets. Graylisting uses this to its advantage by initially rejecting all incoming email. If the remote SMTP client retries after a short while, the email is allowed because it most likely originates from a genuine sender. All senders deemed genuine are added to the graylist, and are not subjected to initial blocking for subsequent mails.
Enable graylisting: Provides spam protection by detecting messages that have not been sent by a genuine email server.
Graylist delay (minutes): From the drop-down list, select the time in minutes that must pass before resent incoming email will be relayed.
Maximum age (weeks): From the drop-down list, select the time in weeks that a graylisted sender will remain on the graylist. After this time has elapsed, the sender will again be subjected to an initial block. In most cases, senders will be re-added to the graylist because their email server will employ its re-send mechanism again.
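The following is an added simulation of the graylisting policy described above (illustration only, not Smoothwall code). It assumes a sender is identified by the (client IP, envelope sender, envelope recipient) triplet, which the guide does not specify, and uses SMTP reply 450 for the temporary rejection that a genuine server will retry.

```python
MINUTE = 60
WEEK = 7 * 24 * 3600


class Graylist:
    """Constructed model of the Enable graylisting / Graylist delay / Maximum age settings."""

    def __init__(self, delay_minutes=5, max_age_weeks=4):
        self.delay = delay_minutes * MINUTE      # "Graylist delay (minutes)"
        self.max_age = max_age_weeks * WEEK      # "Maximum age (weeks)"
        self.pending = {}   # triplet -> time of the first, rejected attempt
        self.allowed = {}   # triplet -> time the sender was deemed genuine

    def check(self, client_ip, mail_from, rcpt_to, now, outgoing=False):
        """Return the SMTP reply for one delivery attempt: 250 (accept) or
        450 (temporary rejection; a genuine MTA queues and retries)."""
        if outgoing:
            return 250                      # only incoming email is graylisted
        # Assumption: the triplet below identifies a sender.
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        deemed_genuine = self.allowed.get(key)
        if deemed_genuine is not None:
            if now - deemed_genuine < self.max_age:
                return 250                  # on the graylist: no initial block
            del self.allowed[key]           # entry aged out: initial block again
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now         # first attempt: reject and remember it
            return 450
        if now - first_seen < self.delay:
            return 450                      # retried before the delay elapsed
        del self.pending[key]               # retry after the delay: genuine sender
        self.allowed[key] = now
        return 250


def simulate():
    """Replay constructed delivery attempts and return the reply codes."""
    gl = Graylist(delay_minutes=5, max_age_weeks=4)
    t0 = 1_700_000_000                      # arbitrary start time (constructed)
    genuine = ("203.0.113.10", "alice@example.net", "bob@example.org")
    bulk = ("198.51.100.7", "promo@example.com", "bob@example.org")
    return {
        # a real MTA: rejected, retries after 10 minutes, then accepted at once
        "genuine": [gl.check(*genuine, now=t0),
                    gl.check(*genuine, now=t0 + 10 * MINUTE),
                    gl.check(*genuine, now=t0 + 60 * MINUTE)],
        # a retry that comes before the delay has elapsed is still blocked
        "early_retry": [gl.check(*bulk, now=t0),
                        gl.check(*bulk, now=t0 + 1 * MINUTE)],
        # outgoing mail is never graylisted
        "outgoing": gl.check(*bulk, now=t0, outgoing=True),
        # after Maximum age the genuine sender gets an initial block again
        "aged_out": gl.check(*genuine, now=t0 + 10 * MINUTE + 5 * WEEK),
    }
```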
Enter the hostnames, separated by commas, of RBL blocklists that you wish Advanced Firewall to use.
With automatic whitelisting enabled, any email sent through Advanced Firewall will be added to the white list.
Note: Advanced Firewall matches partial domains. If a domain like nhs.gov.uk is added to a whitelist, then all emails such as user@southampton.nhs.gov.uk and bob@leeds.nhs.gov.uk will be matched. This extends all the way up to a single top-level label, like uk.
Displays the number of entries on the automatic white list. Click to clear the automatic whitelisted address list.
Enter the email addresses and domains of email senders whose messages Advanced Firewall should always accept.
Recipient addresses and domains: Enter the email addresses and domains of recipients of messages Advanced Firewall should always accept.
Enter the email addresses and domains of email senders whose messages Advanced Firewall should always treat as spam.
Recipient addresses and domains: Enter the email addresses and domains of recipients of messages Advanced Firewall should always treat as spam.
Chapter 11
From the drop-down list, select the external interface that will accept SMTP traffic. From the drop-down list, select SMTP (25). Optionally, enter information on the configuration. Select to enable the configuration.
Click Add. The SMTP access rule is added to the list of current rules.
5. Configure the relay settings for incoming email. See Chapter 10, Internal Domains on page 194 for information on the settings available.
6. Click Add. The configuration is listed in the Current domains area.
7. Go to the email > smtp > outgoing page.
8. Configure the relay settings for outgoing email. See Chapter 10, Outgoing on page 195 for information on the settings available.
9. Click Add. The configuration is listed in the Current allowed addresses area.
11. Configure the settings for email relaying. See Chapter 10, SMTP Settings on page 191 for information on the settings available.
12. Click Save and restart to implement email relaying.
2. Configure the POP3 settings you require for your environment; see Chapter 10, POP3 Proxy on page 197 for more information on the settings available.
3. Click Save and restart to implement Advanced Firewall POP3 proxying.
Configuring Footers
Advanced Firewall's footer page manages email footer information.
To configure footers:
2. Select the footer options you want to use; see Chapter 10, Footers on page 199 for information on the options available.
3. Click Save to implement the footer content.
Managing Attachments
To manage attachments:
2. Select the attachment options you want to use; see Chapter 10, Attachments on page 200 for information on the options available.
3. Click Save to implement the attachment options.
Chapter 12
Administering Email
In this chapter:
Managing anti-malware and anti-spam subscriptions
Managing spam and quarantining email
Archiving email and managing the email queue.
1. Navigate to the system > maintenance > licenses page.
2. Click Refresh subscription information to get the latest information.
On the system > maintenance > licenses page, in the Licenses area, click Update signatures now. Advanced Firewall gets the latest information available and updates the signatures.
2. Configure the anti-spam options; see Chapter 10, Anti-spam on page 201 for more information on the options available.
3. Click Save to implement the options.
Note: You must have administrator or SMTP quarantine permissions to access the SMTP quarantine pages. Permissions are set on the system > administration > administrative users page.
The following sections explain how to configure and manage email quarantine.
Configuring Quarantine
Each email message received by Advanced Firewall is given a spam score which indicates the probability that the message is spam. The higher the score, the higher the probability. You can use this score to determine whether to quarantine or drop the message.
To configure quarantine:
Select this option to quarantine email messages which have a higher spam score than specified in the Quarantine above spam score option. From the drop-down list, select the spam score above which messages will be quarantined. Select this option to drop email messages which have a higher spam score than specified in the Drop above spam score option. From the drop-down list select the spam score above which messages will be dropped.
Placing Email in Quarantine
Subscribed quarantine users' email addresses: Enter the email addresses of the users whose email you want to manage for spam. Enter one email address per line. Users whose email addresses are subscribed to the quarantine receive a summary email each day listing all quarantined messages. If any messages are incorrectly quarantined, the user can preview and release them via a link in the daily email.
From the drop-down list, select the maximum amount of disk space to be used to hold quarantined email.
Note: If the size limit is reached, Advanced Firewall deletes messages
From the drop-down list, select how long to keep quarantined email before dropping it. Advanced Firewall prunes quarantined email every hour and deletes messages which are older than the age specified.
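An added Python model of the message disposition rules from the whitelist and blacklist settings and the quarantine and drop thresholds above (illustration, not Smoothwall code). It assumes whitelist entries are checked before blacklist entries, that domain entries match on label boundaries, and that a blacklisted message is simply reported as spam, since the guide does not say which action then follows; the policy values are constructed.

```python
def covers(entry, address):
    """True when a whitelist/blacklist entry covers an email address.

    A full address entry matches exactly; a domain entry matches that domain
    and every subdomain, which is the partial matching the note above
    describes (nhs.gov.uk covers user@southampton.nhs.gov.uk). A bare
    top-level label such as "uk" therefore covers every .uk address, so
    keep whitelist entries as specific as possible."""
    entry = entry.strip().lower()
    address = address.strip().lower()
    if not entry or "@" not in address:
        return False
    if "@" in entry:
        return address == entry
    domain = address.rsplit("@", 1)[1]
    # Assumption: matching respects label boundaries (hs.gov.uk does not
    # cover nhs.gov.uk); the guide only says "partial domains".
    return domain == entry or domain.endswith("." + entry)


def listed(lists, sender, recipient):
    """True if the sender or the recipient is covered by the respective list."""
    return (any(covers(e, sender) for e in lists.get("senders", ()))
            or any(covers(e, recipient) for e in lists.get("recipients", ())))


def dispose(sender, recipient, score, policy):
    """Decide what happens to one message; returns deliver, quarantine, drop or spam.

    policy keys (constructed, mirroring the settings above):
      whitelist / blacklist: {"senders": [...], "recipients": [...]}
      quarantine_above: spam score threshold, or None when quarantining is off
      drop_above:       spam score threshold, or None when dropping is off"""
    if listed(policy.get("whitelist", {}), sender, recipient):
        return "deliver"                    # always accepted, whatever the score
    if listed(policy.get("blacklist", {}), sender, recipient):
        return "spam"                       # always treated as spam
    drop_above = policy.get("drop_above")
    quarantine_above = policy.get("quarantine_above")
    if drop_above is not None and score > drop_above:
        return "drop"                       # test the higher threshold first
    if quarantine_above is not None and score > quarantine_above:
        return "quarantine"
    return "deliver"


# Constructed example policy; the thresholds are example values only.
POLICY = {
    "whitelist": {"senders": ["nhs.gov.uk"], "recipients": []},
    "blacklist": {"senders": ["spam@example.com"], "recipients": []},
    "quarantine_above": 5,
    "drop_above": 15,
}
```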
1. Browse to the email > quarantine > viewer page.
2. In the Quarantined emails area, locate the message and click Preview.
By default, Advanced Firewall displays main header information and the message in plain text. Click on All headers and text/html to view or hide their contents.
Releasing Messages
To release a message:
1. Browse to the email > quarantine > viewer page.
2. Select the message and click Release. Advanced Firewall sends the message to the recipient.
Tip: You can also release a message when previewing it.
Deleting Messages
To delete a message:
Browse to the email > quarantine > viewer page. Select the message and click Delete. Advanced Firewall deletes the message.
Archiving Email
Advanced Firewall enables you to archive email based on domain information, a specific email address, by sender or recipient. When a match is found, Advanced Firewall archives the email by Blind Carbon Copying (BCC-ing) it to the specified email address. The archive email address can be different for each match.
2. Enter the criteria to use to identify email to be archived. See Chapter 10, Archiving on page 195 for information on the settings available.
3. Click Add. The archive rule is added to the Current archives list.
1. Browse to the email > smtp > archiving page.
2. In the Current archives list, select the rule and click Edit. The rule's settings are displayed in the Add domain or address to archive area.
3. Make the changes you require and click Edit. The rule is updated in the Current archives list.
1. Browse to the email > smtp > archiving page.
2. In the Current archives list, select the rule and click Remove. Advanced Firewall deletes the rule.
For information on queue details, see Chapter 10, The Email Queue on page 196.
2. Click Refresh page to ensure you have the current contents to review.
3. Click Manually flush mail queue to flush the queue. Advanced Firewall flushes the queue.
Chapter 13
Adding Users
To add a user to the local user database:
Enter the user account name. Enter the password associated with the user account. Passwords must be a minimum of six characters long. Re-enter the password to confirm it. From the drop-down menu, select a group to assign the user account to.
Click Add. Advanced Firewall saves the information and lists the user in the Current users area.
1. Navigate to the services > authentication > local users page.
2. Review the Current users area of the page. Users are listed alphabetically by username.
1. Navigate to the services > authentication > local users page.
2. In the Current users area, locate and select the user you wish to edit.
3. Click Edit user. Once this button has been clicked, the user will be suspended, and physically removed from the user list. The user's details are displayed in the Add a user area.
4. Edit the user's details as required. For more information, see Adding Users on page 224.
Click Add. Advanced Firewall updates the information and re-lists the user in the Current users area.
Note: Once you click Edit, the user is effectively removed from the user list. If you do not re-add the user, his/her information is permanently lost.
must include the comma to separate the columns. If the password is in clear text, i.e. not encrypted, it will automatically be encrypted when the user is added. We recommend that you test importing a few users to confirm that you are getting the results you expect.
To import users to the local user database:
1. Navigate to the services > authentication > local users page.
2. In the Import users area, click Browse, navigate to and select the text file containing the user information and click Open.
3. Click Import users. Advanced Firewall imports the user information into the local user database.
An example line in the export file might resemble something like the following:
testuser:$apr1$Np4hD...$2eNu.nSQuj8b2apdZufcz0e
To export a group of users:
1. Navigate to the services > authentication > local users page.
2. In the Export users area, from the Select group drop-down list select the group containing the users you want to export and click Export users.
3. Select the Save to disk or equivalent option from the dialog box displayed by your browser and click its OK, Save or equivalent button. The exported users will be saved to a text file called users.txt. Files exported in this format can be imported back into the local user database using the import facility.
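The $apr1$ prefix in the sample export line is the Apache MD5-crypt format. The added Python example below, not Smoothwall's code, parses users.txt lines in that format and verifies a known password against an entry, which is one way to confirm that an import round-trips as the guide recommends; the username, salt and password are constructed, and an exported file should be treated as sensitive because MD5-crypt hashes are cheap to brute-force.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"          # Apache MD5-crypt marker, as in the sample line above


def _to64(value, count):
    """crypt(3)-style base-64: least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password, salt=None):
    """Compute an $apr1$ hash (the MD5-crypt algorithm with the Apache magic)."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")[:8]             # at most 8 salt characters are used
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):  # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
    bit = len(pw)
    while bit:                                # one byte per bit of len(pw)
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + sb.decode() + "$" + encoded


def parse_export_line(line):
    """Split one users.txt line into (username, hash); reject malformed lines."""
    line = line.strip()
    if ":" not in line:
        raise ValueError("expected username:hash")
    user, digest = line.split(":", 1)
    parts = digest.split("$")                 # ['', 'apr1', salt, hash]
    if not user or len(parts) != 4 or parts[1] != "apr1" or len(parts[3]) != 22:
        raise ValueError("not an $apr1$ entry for user " + user)
    return user, digest


def verify(password, digest):
    """True when the password matches the exported hash (constant-time compare)."""
    salt = digest.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), digest)


# Constructed export file: the hash is computed here so the example is self-contained.
SAMPLE_EXPORT = "testuser:" + apr1_crypt("correct horse", "Np4hDabc") + "\n"


def check_import_roundtrip(export_text, known_passwords):
    """For each exported entry, report whether it still matches the known password."""
    results = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        user, digest = parse_export_line(line)
        results[user] = verify(known_passwords.get(user, ""), digest)
    return results
```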
Deleting Users
To delete users:
2. In the Current users area, locate and select the user or users you want to delete.
3. Click Delete user(s). Advanced Firewall deletes the user(s).
1. Navigate to the services > authentication > local users page.
2. Locate and select the user or users you wish to move in the Current users area of the page.
3. In the Current users area, locate and select the user or users you want to move.
4. From the Group to move users to drop-down list, select the group to move the user or users to.
5. Click Move user(s). Advanced Firewall moves the user(s).
Enter the user name of the account you want to ban. Optionally, enter a comment explaining why the account has been banned. From the drop-down lists, select when the ban expires. Click to enable the ban.
Click Add. Advanced Firewall lists the ban in the Current rules area and enforces the ban immediately.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 14, Managing Block Pages on page 185 for more information.
Tip: There is also a ban option on the services > authentication > user activity page; for more information, see Viewing User Activity on page 227.
1. Navigate to the services > authentication > temporary bans page.
2. In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.
1. Navigate to the services > authentication > temporary bans page.
2. In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have expired.
Advanced Firewall displays the number of users currently logged in, who is logged in and which users have either recently logged themselves out or been logged out by Advanced Firewall because of inactivity. Recently logged out users are listed for 1 hour. For more information, see Configuring Authentication Settings on page 233.
Chapter 13 Authentication and User Management Authenticating Users with SSL Login
From the drop-down list, select the number of users to display and click Show. Advanced Firewall displays the specified number in the User activity area. Click to ban a user. Advanced Firewall copies the users information and displays it on the temporary ban page. For more information, see Creating a Temporary Ban on page 226. Click to log out a user immediately. Advanced Firewall logs the user out and lists him/her in the Recently logged out users area.
Note: Unless the user is using SSL Login as the authentication method, there is
Logout
2. In the SSL Login redirect interfaces area, select each interface that the SSL Login should be active on.
3. Click Save. Advanced Firewall enables SSL Login for the selected interfaces.
1. On the services > authentication > ssl login page, locate the SSL Login redirect interfaces area.
2. In the Exception local IP addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3. Repeat the step above on a new line for each further exception you want to make.
4. Click Save.
1. On the services > authentication > login page, click Browse adjacent to the Custom title image field.
2. Browse to and select the file and click the OK, Open or equivalent button.
3. Click Upload. Advanced Firewall uploads the file and uses it on the SSL login page.
1. On the services > authentication > login page, click Browse adjacent to Custom background image.
2. Browse to and select the file and click the OK, Open or equivalent button.
3. Click Upload. Advanced Firewall uploads the file and uses it on the SSL login page.
1. Browse to the services > authentication > login page.
2. To remove the title image, click Remove.
3. To remove the background image, click Remove.
Customizing Messages
It is possible to provide users with customized messages containing instructions.
To customize the login messages:
1. Navigate to the services > authentication > login page.
2. To alter the first line in the login message, enter your custom message in Message line 1.
3. To alter the second line in the login message, enter your custom message in Message line 2.
4. Click Save.
In the web browser of your choice, enter your Advanced Firewall system's IP address followed by /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login
About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user-account basis. Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain. Currently, Advanced Firewall supports up to 100 groups and by default contains the following groups:
Unauthenticated IPs
The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
Note: This group cannot be renamed.
Default Users
Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
Note: This group cannot be renamed.
Banned Users
The purpose of this group is to contain users who are banned from using an authentication-enabled service. The Banned Users group can be renamed.
Network Administrators
This group is a normal user group, configured with a preset name, and setup for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.
From the Number of groups drop-down list, select the number you require.
Note: When you select the number of groups, Advanced Firewall calculates the amount of memory available. If the number of groups you select requires more memory than is available to Advanced Firewall, Advanced Firewall will require you to select fewer groups.
Renaming a Group
All groups, except the Unauthenticated IPs and Default Users groups, can be renamed.
To rename a group:
Navigate to the services > authentication > groups page and configure the following settings:
Existing name: From the drop-down list, select the group you want to rename.
New name: Enter the new group name.
In the Login timeout field, accept the default or enter the time-out period.
Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
Click Save, navigate to the services > authentication > control page and click Restart.
Note: The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out.
Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur.
Verify the identity of a user who is trying to access network or Internet resources. If multiple directories exist, Advanced Firewall tries them in the order they are listed. If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first. Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership. For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 335. The following sections explain how to configure Advanced Firewall for use with directory servers.
Directories supporting the LDAP protocol (Apple Open Directory/OpenLDAP, Sun Directory, Fedora Directory, Red Hat Directory, Netscape Directory): for more information, see Configuring an LDAP Connection on page 238.
RADIUS (Remote Authentication Dial In User Service): for more information, see Configuring a RADIUS Connection on page 241.
Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers. Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.
Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.
1. Navigate to the services > authentication > settings page.
2. In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.
servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also, Appendix A, Advanced Firewall and DNS on page 336 for more information.
Server username
Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall. In a multi domain environment, the username must be a user in the top level domain. For more information, see Appendix A, Active Directory on page 338.
Enter the password of a valid account. Enter the Kerberos realm in capital letters. Select this option to configure Advanced Firewall to start looking for user accounts at the top level of the directory.
Tip: In larger directories, it may be a good idea to use the Use custom search roots option, to narrow the user search root so Advanced Firewall does not have to look through the entire directory. See below for more information.
Select this option to specify where in the directory Advanced Firewall should start looking for user accounts and groups.
Custom user search root: Enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
Note: When working with multi-domain environments, the user search root
so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
Comment: Optionally, enter a comment about the directory server and the settings used.
Enabled: Select this option to enable the connection to the directory server.
Accept the default, or enter the LDAP port to use. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.
Discover Kerberos using DNS
Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the Active Directory by querying the DNS server that holds the Active Directory information. For this to work, Advanced Firewall needs to have a configured hostname in the Active Directory domain. For example:
Active Directory domain: domain.local
Advanced Firewall hostname: system.domain.local
The hostname is needed so Advanced Firewall knows what domain to query for subdomains.
This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName. This setting applies when using NTLM authentication with Guardian. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Here you can enter a NetBIOS domain name and set this as the value when joining the workgroup.
This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line. Optionally, enter where in the directory, Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 337.
Extra realms
This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. This can be useful if the Active Directory is in a state where orphaned domains are referenced or only certain subdomains are needed for user authentication.
Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information.
1. Navigate to the services > authentication > settings page.
2. In the Add directory server area, from the Directory server drop-down list, select the directory server you want to connect to and click Next. Advanced Firewall displays the settings.
Accept the default bind method, or from the drop-down list, select one of the following options:
TLS (with password): Select to use Transport Layer Security (TLS).
Kerberos: Select to use Kerberos authentication.
Simple bind: Select to bind without encryption. This is frequently used by
Enter the username of a valid account in the LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this:
cn=user,ou=container,o=organization
This is what is referred to in Novell eDirectory as tree and context. A user that is part of the tree Organization and in the context Sales would have the LDAP notation:
cn=user,ou=sales,o=organization
For Apple Open Directory, when not using Kerberos, the LDAP username can be written as:
uid=user,cn=users,dc=example,dc=org
Consult your directory documentation for more information.
Server password
Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root: Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local
In LDAP form, this is seen in the directory as dc=mycompany,dc=local.
OpenLDAP based directories will often use the form o=myorganization Apple Open Directory uses the form: cn=users,dc=example,dc=org
A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories o=myorganization.
Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi domain environments, the user search root
Group search roots
Enter where in the directory, Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local
Apple Open Directory uses the form: cn=groups,dc=example,dc=org
Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Comment: Optionally, enter a comment about the connection.
Enabled: Select to enable the connection.
Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Only available if you have selected Kerberos as the authentication method, select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information. For this to work, Advanced Firewall needs to have a configured hostname in the directory domain. For example:
Directory domain: domain.local
Advanced Firewall hostname: system.domain.local
The hostname is needed so Advanced Firewall knows what domain to query for subdomains.
This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots
Optionally, enter where in the directory, Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 337.
Extra realms
This setting enables you to configure subdomains manually, as opposed to automatically, using DNS.
Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information.
Prerequisites
Before you configure any settings: Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.
In the Add directory server area, from the Directory server drop-down list, select RADIUS and click Next. Advanced Firewall displays the settings.
Enter the RADIUS server's domain name. Enter the secret shared with the server. Accept the default port, or enter the port to use. If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. The Filter-Id attribute must have the following format: GROUPn, e.g. GROUP5 or GROUP16. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Try next directory server, if any: Select this option if users in RADIUS are
Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Enabled
Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information. For information on groups and directory servers, see Mapping Groups on page 243.
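The following added Python example models the directory-server chain described in this section (servers tried in list order, RADIUS group information taken from a Filter-Id of the form GROUPn, group information otherwise taken from the next directory server, and Default Users as the fallback); it is an illustration, not Smoothwall code. It assumes that a password rejection moves on to the next server and that GROUPn selects the n-th Advanced Firewall group; the users, passwords, DNs and group names are constructed.

```python
import re

DEFAULT_USERS = "Default Users"
FILTER_ID = re.compile(r"^GROUP(\d+)$")     # required Filter-Id format: GROUPn


class RadiusServer:
    """Checks passwords; optionally supplies group membership via Filter-Id."""

    def __init__(self, users, use_filter_id, group_numbers):
        self.users = users                   # username -> (password, Filter-Id or None)
        self.use_filter_id = use_filter_id   # the "use Filter-Id group information" option
        self.group_numbers = group_numbers   # n -> Advanced Firewall group name (assumption)

    def check_password(self, user, password):
        rec = self.users.get(user)
        return rec is not None and rec[0] == password

    def group_for(self, user):
        if not self.use_filter_id or user not in self.users:
            return None
        match = FILTER_ID.match(self.users[user][1] or "")
        # A Filter-Id that is not GROUPn yields no group information.
        return self.group_numbers.get(int(match.group(1))) if match else None


class LdapServer:
    """Checks passwords and maps directory groups via the Mapped groups table."""

    def __init__(self, users, membership, mapped_groups):
        self.users = users                   # username -> password
        self.membership = membership         # username -> directory group DN
        self.mapped_groups = mapped_groups   # directory group DN -> firewall group

    def check_password(self, user, password):
        return user in self.users and self.users[user] == password

    def group_for(self, user):
        return self.mapped_groups.get(self.membership.get(user))


def authenticate(servers, user, password):
    """Return (authenticated, group).

    Servers are tried in list order until one accepts the password. Group
    information is then taken from that server or, if it provides none, from
    the servers that follow it in the list; a user with no group information
    is placed in Default Users. Assumption: a rejected password moves on to
    the next server rather than ending the attempt."""
    for idx, server in enumerate(servers):
        if not server.check_password(user, password):
            continue
        for later in servers[idx:]:
            group = later.group_for(user)
            if group is not None:
                return True, group
        return True, DEFAULT_USERS
    return False, None


# Constructed directory data; group numbers, names and DNs are examples only.
GROUP_NUMBERS = {5: "Sales", 16: "Network Administrators"}
STAFF_DN = "cn=staff,ou=groups,dc=example,dc=org"
MAPPED = {STAFF_DN: "Staff"}


def build_chain(use_filter_id):
    """RADIUS first, then LDAP: the order the guide recommends when RADIUS
    checks passwords and LDAP supplies group membership."""
    radius = RadiusServer({"alice": ("s3cret", "GROUP5"),
                           "bob": ("pa55", None),
                           "carol": ("hunter", "GROUPX")},
                          use_filter_id, GROUP_NUMBERS)
    ldap = LdapServer({"dave": "open"},
                      {"alice": STAFF_DN, "dave": STAFF_DN},
                      MAPPED)
    return [radius, ldap]
```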
1. Navigate to the services > authentication > settings page.
2. In the Directory servers area, select the directory server you want to move and click Up or Down until the servers are in the order you require.
1. Navigate to the services > authentication > settings page.
2. In the Directory servers area, select the directory server you want to remove and click Remove. Advanced Firewall removes the server.
Mapping Groups
Once you have successfully configured a connection to a directory you can map the groups Advanced Firewall retrieves from the directory to apply permissions and restrictions to the users in the groups.
To map directory groups to Advanced Firewall groups:
1. After configuring the connection to the directory, see About Advanced Firewall and Directory Servers on page 233, go to the services > authentication > groups page.
Note: Only directory servers containing groups that are mapped will be displayed. RADIUS groups are fixed.
2. In the Available groups tree, navigate to and highlight the group you want to map and click Select. Advanced Firewall lists the group in the Mapped groups area. By default, Advanced Firewall maps all groups to the Unauthenticated IPs group. For more information on groups, see About Groups on page 231.
3. From the Mapped group drop-down list, select the group you want to map the group to and click Save.
4. Repeat the step above to map any other groups required.
243
Remapping Groups
It is possible to change group mappings.
To remap groups:
1 Navigate to the services > authentication > groups page and, in the Mapped groups area, locate the directory server group you want to remap.
2 From the Mapped group drop-down list, select the Advanced Firewall group you want to remap the directory server group to. Tick the Mark check box.
3 Click Save. Advanced Firewall remaps the group.
See the sections below for information on restarting, stopping and reviewing the service.
Restarting the Authentication System
To restart the authentication system:
Navigate to the services > authentication > control page and click Restart.
Note: It is a good idea to only restart the authentication system at a convenient time for network users.
1 Navigate to the services > authentication > control page.
2 Click Refresh in the Manual control area. The current status will be displayed in the Current status field and can be either Running or Stopped.
Running Diagnostics
To check that the authentication system is operating correctly, diagnostic tests can be run.
To run authentication diagnostics:
On the services > authentication > control page, click Run. Advanced Firewall runs the tests and displays the results.
Test: Description
Authentication service self test: Checks to see if the authentication service can be contacted.
Checking forward DNS: Available when using Kerberos, Advanced Firewall checks that the hostname resolves to a single address.
Checking reverse DNS: Available when using Kerberos, and when the Checking forward DNS test has succeeded, Advanced Firewall checks that the address resolves to the same hostname.
Checks that the directory server can be contacted.
Tip:
Checks that the user account used when configuring the connection exists.
Checking whether clock is set to within 5 minutes of directory server's clock: Available when using Kerberos, checks that the machine's clock is set to within 5 minutes of the directory server's clock.
Checking user account password: Checks that the user password used when configuring the connection is correct.
Checking whether group list can be retrieved: Checks that group information can be retrieved.
Tip: If this test fails, check that the search roots specified are correct.
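The forward DNS, reverse DNS and clock-skew checks in the table above, implemented as an added example (not Smoothwall's diagnostic code) in Python. The hostnames, addresses and the injected resolver are constructed so the checks run offline; the system_resolve/system_reverse helpers show how the same functions would be wired to the real resolver.

```python
"""Preflight version of the Kerberos-related authentication diagnostics listed
above: forward DNS (hostname -> exactly one address), reverse DNS (that address
-> the same hostname) and clock skew of at most 5 minutes against the directory
server. Added example, not Smoothwall code; the resolver and the clock are
injected so the logic can be exercised offline against constructed zone data."""
import socket
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

MAX_SKEW = timedelta(minutes=5)   # tolerance stated by the diagnostics table
Result = Tuple[bool, str]         # (passed, detail)

def check_forward_dns(hostname: str, resolve: Callable[[str], List[str]]) -> Result:
    """Passes only if the hostname resolves to exactly one distinct address."""
    try:
        addrs = sorted(set(resolve(hostname)))
    except OSError as exc:                  # socket.gaierror is an OSError
        return False, f"forward lookup of {hostname} failed: {exc}"
    if len(addrs) != 1:
        return False, f"{hostname} resolves to {len(addrs)} addresses: {addrs}"
    return True, addrs[0]

def check_reverse_dns(hostname: str, address: str, reverse: Callable[[str], str]) -> Result:
    """Passes only if the PTR for the address names the same host
    (case-insensitive, trailing dot ignored)."""
    try:
        ptr = reverse(address)
    except OSError as exc:                  # socket.herror is an OSError
        return False, f"reverse lookup of {address} failed: {exc}"
    if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        return False, f"{address} resolves to {ptr!r}, expected {hostname!r}"
    return True, ptr

def check_clock_skew(local: datetime, server: datetime) -> Result:
    """Passes only if the clocks differ by at most MAX_SKEW in either direction."""
    skew = abs(local - server)
    ok = skew <= MAX_SKEW
    return ok, f"skew {skew.total_seconds():.0f}s ({'within' if ok else 'over'} 5 minutes)"

def run_diagnostics(hostname: str, server_time: datetime,
                    resolve: Callable[[str], List[str]], reverse: Callable[[str], str],
                    now: Optional[datetime] = None) -> Dict[str, Result]:
    """Same dependency order as the diagnostics page: reverse DNS only runs
    once forward DNS has succeeded."""
    results: Dict[str, Result] = {}
    fwd_ok, fwd_detail = check_forward_dns(hostname, resolve)
    results["forward_dns"] = (fwd_ok, fwd_detail)
    if fwd_ok:
        results["reverse_dns"] = check_reverse_dns(hostname, fwd_detail, reverse)
    else:
        results["reverse_dns"] = (False, "skipped: forward DNS did not succeed")
    results["clock"] = check_clock_skew(now or datetime.now(timezone.utc), server_time)
    return results

def system_resolve(hostname: str) -> List[str]:
    """Live forward lookup via the system resolver (for real use)."""
    return socket.gethostbyname_ex(hostname)[2]

def system_reverse(address: str) -> str:
    """Live reverse lookup via the system resolver (for real use)."""
    return socket.gethostbyaddr(address)[0]

# Constructed zone data standing in for a real resolver; these are not real hosts.
FAKE_A = {"dc1.example.test": ["192.0.2.10"],
          "dc2.example.test": ["192.0.2.20", "192.0.2.21"],   # round-robin: fails forward test
          "dc3.example.test": ["192.0.2.30"]}                  # PTR names a different host
FAKE_PTR = {"192.0.2.10": "DC1.example.test.", "192.0.2.30": "mail.example.test"}
DEMO_NOW = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)

def fake_resolve(hostname: str) -> List[str]:
    if hostname not in FAKE_A:
        raise socket.gaierror(f"no A record for {hostname}")
    return FAKE_A[hostname]

def fake_reverse(address: str) -> str:
    if address not in FAKE_PTR:
        raise socket.herror(f"no PTR record for {address}")
    return FAKE_PTR[address]

def demo(hostname: str, server_skew_minutes: int) -> Dict[str, Result]:
    """Runs the diagnostics against the constructed zone, with the directory
    server's clock offset from DEMO_NOW by the given number of minutes."""
    server_time = DEMO_NOW + timedelta(minutes=server_skew_minutes)
    return run_diagnostics(hostname, server_time, fake_resolve, fake_reverse, now=DEMO_NOW)

if __name__ == "__main__":
    for host, skew in (("dc1.example.test", 2), ("dc2.example.test", 7), ("dc3.example.test", -5)):
        for test, (ok, detail) in demo(host, skew).items():
            print(f"{host:18} {test:12} {'PASS' if ok else 'FAIL'}  {detail}")
```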
Chapter 14
Reporting
In this chapter:
Working with Advanced Firewall reports
Managing report data databases
How to install and work with Smoothwall's Crystal Reports client.
Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every aspect of Advanced Firewall.
To access reporting:
Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
2 Click on a folder containing the report you want to generate.
3 Click on the report to access its options. Advanced Firewall displays the options available.
Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 8, Making Reports Available on page 77.
4 If applicable, set the time interval for the report and enter/select any option(s) you require.
5 Click on the report's title or icon to generate the report. Advanced Firewall displays the report.
Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1 Generate the report, see Generating Reports on page 248.
2 In the Save as field, enter a name for the report and click Save. You can access the report on the info > reports > recent and saved page.
1 Navigate to the info > reports > recent and saved page.
2 Locate the report you want to change and click on the format you want to change the report to. The following formats are available:
Format: Description
csv: The report will be generated in comma separated text format.
excel: The report will be generated in Microsoft Excel format.
pdf: The report will be generated in Adobe's portable document format.
pdfbw: The report will be generated in black and white in Adobe's portable document format.
tsv: The report will be generated in tab separated text format.
Creating Folders
You can create a folder to contain reports on the info > reports > reports page or in a folder or subfolder contained on the page.
To create a folder:
1 On the info > reports > reports page, determine where you want to create the folder, on the page or in an existing folder.
2 Click the Create a new folder button. Advanced Firewall creates the folder.
3 Enter a name for the folder and click Rename.
Deleting Folders
To delete a folder:
1 On the info > reports > reports page, locate the folder.
2 Click the Delete button. Advanced Firewall deletes the folder.
Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.
1 On the info > reports > reports page, click on a folder in the Location bar.
2 From the drop-down list, click on the folder you want to go to. Advanced Firewall takes you to the folder.
Deleting Reports
To delete a report:
1 Navigate to the info > reports > recent and saved page.
2 Locate the report and click the Delete button.
Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8, Making Reports Available on page 77.
1 Navigate to the info > reports > reports page.
2 Locate the report you want to publish to other portals and click Automatic Access. The following dialog box opens:
3 In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
4 Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.
Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time: Select the hour and minute at which to deliver the report.
Repeat: Scheduled reports can be generated and delivered more than once. Select from the following options:
No Repeat: The report will be generated and delivered once on the specified date at the specified time.
Daily Repeat: The report will be generated and delivered once a day at the
Select to enable the scheduled report.
Optionally, enter a description of the scheduled report.
From the drop-down list, select the report.
From the drop-down list, select how long to collate data for this report.
Select this option if you want to save the scheduled report after it has been generated. The report will be available on the info > reports > recent and saved page.
Enter a name for the scheduled report.
Optionally, from the drop-down menu, select a portal to publish the report from.
Select this option if you want to email the report to a group of users.
From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 15, Configuring Groups on page 293.
Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.
Database: Accept the default setting Local. For information on how to store report data in a remote database, see Storing Report Data Remotely on page 253.
Pruning: Select if you want to prune entries in the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat every month.
3 Click Save to save the database management settings.
On the remote, compatible system which will store the data, navigate to the info > settings > database settings page.
Pruning: Select if you want to prune the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat removal every month.
3 On the local Advanced Firewall, navigate to the info > settings > database settings page and configure the following settings:
Setting: Description
Mode: Select Remote to store the data on a remote system and enter the IP address of the remote Smoothwall system.
must also be changed here in order for remote storage to continue functioning.
Pruning: Select if you want to prune the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat removal every month.
4 Click Save. Advanced Firewall starts to store data on the remote system.
In this area, Advanced Firewall shows how much disk space is being used to store information by module and type of storage.
Note: If configured to store data in a remote database (see Storing Report Data Remotely on page 253), Advanced Firewall will show N/A in the Database column. To find information on disk usage, access the info > settings > database page on the remote system.
Advanced Firewall updates the information every 60 minutes and all figures shown are approximate.
Browse to the info > settings > database backup page. Current information is displayed in the Log insertion process area.
Run the Reporting database health report to determine the database's status before using any of the database management options documented in the following sections. See Chapter 14, Reporting on page 247 for more information on generating reports.
Optimizing a Database
Note: Optimizing a database can take a long time to complete and may have an impact on the system's performance.
To optimize a database:
1 Browse to the info > settings > database backup page and click Optimize database.
2 When prompted, click Continue to confirm. The database is optimized.
Emptying a Database
Note: Emptying a database removes all data from the database and can take a long time to complete.
To empty a database:
1 Browse to the info > settings > database backup page and click Empty database.
2 When prompted, click Continue to confirm. The database is emptied.
Pruning a Database
Note: Pruning a database can take a long time to complete and may have an impact on the system's performance.
To prune a database:
1 Browse to the info > settings > database backup page and click Prune now.
2 When prompted, click Continue to confirm. The database is pruned.
Backing up Data
It is possible to back up your report data in an archive. This enables you to restore data, for example, when recovering from hardware failure.
To back up data:
1 Browse to the info > settings > database backup page.
2 In the Backup area, click Backup. The data is backed up in an archive and listed in the Backup area.
3 In the Backup area, select the archive and click Download. When prompted, save the archive in a secure location for use if you need to restore data.
Restoring Data
The following section explains how to restore data.
Note: When you restore data, the database is not emptied. Therefore, if the database is not empty, restoring data can cause duplicate data. We recommend that you always ensure that the database is empty to avoid duplicate data. See Emptying a Database on page 257 for information on how to empty a database.
To restore data:
1 Browse to the info > settings > database backup page.
2 In the Upload area, click Browse. In the File Upload dialog box, navigate to where the backup archive is stored, select it and click Open.
3 Click Upload. The file is uploaded and listed in the Backup area.
4 Select the file and click Restore. The data is restored.
1 Insert your Advanced Firewall CD into your CD drive and, in Windows Explorer, browse to the Extras directory on the CD.
2 Locate and double-click on Smoothwall Crystal Reports Client Setup.exe. The installation wizard starts.
3 Accept all the default options and complete the wizard.
Click Windows Start and, from the Programs group, select Crystal Reports Client. The Crystal Reports Client starts:
For information on working in the Crystal Reports Client, see the following sections.
Note: When you install the Crystal Reports Client, ODBC Data Sources for the proxy and filter logs are created using the Microsoft Text Driver. These are named SW_CR_ProxyDataSource and SW_CR_FilterDataSource respectively.
The IP or hostname of Advanced Firewall containing the log files you want to use.
The name of a user account authorized to access your Advanced Firewall.
The password associated with the account.
A drop-down list of time intervals you want the logs to cover. You can select logs for: the last day, week, month or year.
Specifies that you want to access the information contained in the proxy logs on your Advanced Firewall. If you select this option, Crystal Report-compatible reports to manage bandwidth usage and basic log information become available below.
Filter logs: Specifies that you want to access the information contained in the filter logs on your Advanced Firewall. If you select this option, Crystal Report-compatible reports to manage denied pages and malware information become available below.
Retrieve Log: Retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file will be stored under: Application Data\Smoothwall Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file will be stored under: Application Data\Smoothwall Crystal Reports Client\Log Files\Filter.
Open Report: Retrieves information from the selected log and displays it in the currently selected Crystal Reports-compatible report.
Note: You must have Crystal Reports installed and accessible for this to work.
1 From the File menu, select Open. The default directory structure is as follows:
The Log files directory, which contains the sub directories Filter and Proxy
The Templates directory, which contains the sub directories Filter and Proxy.
2 Place Crystal Reports templates for working with web filter logs in the Templates\Filter folder.
3 Place Crystal Reports templates for working with proxy logs in the Templates\Proxy folder.
Retrieving Logs
Note: On a busy network, log files will be large and may take some time to retrieve and process.
To retrieve logs:
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP or hostname of Advanced Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve Logs. The Crystal Reports Client retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file will be stored under: Application Data\Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file will be stored under: Application Data\Crystal Reports Client\Log Files\Filter.
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Select proxy log or filter log.
3 Depending on the type of log you selected, choose one of the following: Bandwidth usage per user, Basic log view, Denied pages per user or Virus occurrences.
4 Click Open Report. The report is opened in Crystal Reports. For information on working in Crystal Reports, see your Crystal Reports documentation.
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP or hostname of Advanced Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve & Open. The Crystal Reports Client retrieves the information, starts Crystal Reports and displays the information. For information on working in Crystal Reports, see your Crystal Reports documentation.
1 Click Windows Start and, in the Programs group, select Crystal Reports Client and Uninstall. The following dialog opens:
2 Click Uninstall and, when the process is complete, click Close. The Crystal Reports Client is removed from your workstation and is no longer available.
Note: Uninstalling the Crystal Reports Client does not remove the ODBC Data Sources or the data
Chapter 15
Information, Alerts and Logging
The control page is the default home page of your Advanced Firewall system.
To access the control page:
The control page displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports.
For information on customizing the information displayed, see Chapter 16, Configuring the User Interface on page 310.
To access the summary page:
A list of reports, which are generated by default, is displayed. For information on customizing the reports displayed, see Chapter 16, Configuring the User Interface on page 310.
Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts. It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert and, in more critical circumstances, the second denotes the occurrence of an incident.
Available Alerts
You access the alerts and their settings on the info > alerts > alerts page.
Alert: Description
VPN Tunnel Status: VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected. Monitored once every five minutes.
License expiry status warnings: Generates messages when the license is due for renewal or has expired. Monitored once an hour.
Hardware Failover Notification: Generates messages when a hardware failover occurs, or when failover machines are forced on and offline. Monitored once an hour.
SmoothTunnel VPN Certificate Monitor: Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or impending expiration dates.
UPS, Power Supply status warnings: Generates messages when server power switches to and from mains supply. Constant monitoring.
SmoothRule Violations: Monitors outbound access activity and generates warnings about suspicious behavior. Constant monitoring.
System Resource Monitor: These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
Firewall Notifications: Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.
L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected, or disconnected. Monitored once every five minutes.
This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.
Health Monitor: Checks on remote services for activity.
Email Virus Monitor: These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Monitoring is constant.
IM proxy monitored word alert: Monitors instant messaging chat activity and generates warnings
These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
Output System Test Messages: Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Constant monitoring.
Inappropriate word in IM Monitor: Generates an alert whenever a user uses an inappropriate word or phrase in IM chat conversation
Administration Login Failures: Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.
Intrusion System Monitor: These alerts are triggered by violations and notices generated by the intrusion system in response to suspicious network activity. Constant monitoring.
Update Monitoring
SmoothZap Mail Queue Monitor: Watches the email queue and informs if the number of messages therein exceeds a certain threshold. Monitored once an hour.
System Boot (Restart) Notification: This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored once every five minutes.
Enabling Alerts
From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 293.
By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.
3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.
Enter the alert's unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.
Setting: Description
Number of days left (Warning): Used to specify the number of days before a certificate expires that a warning alert is sent.
Number of days left (Critical): Used to specify the number of days before a certificate expires that a critical alert is sent.
Notification of expired certificates: Used to generate alerts when certificates have expired.
Click Save.
Monitor ports for accesses: Enables outbound port access monitoring. Use the adjacent Warning threshold text field to enter the number of port accesses that would generate an alert. Use the Destination port list to specify a comma separated list of outbound ports that this alert applies to.
Monitor Destination IP addresses: Enables outbound IP address monitoring. Alerts will be generated if a rapid series of outbound requests are made to the same destination IP.
Monitor Destination Ports: Enables outbound port monitoring. Alerts will be generated if a rapid series of outbound requests are made to the same destination port. Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.
Click Save.
This alert is triggered whenever particular system resources exceed some predefined limitations.
1 Enter or choose appropriate settings for each of the following controls:
Setting: Description
Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. Whilst higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.
Disk usage: Used to set a disk space usage percentage threshold that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.
System memory usage: Used to set a system memory usage percentage threshold that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.
Click Save.
Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.
Monitor Source (remote) IP addresses: Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same
Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.
Click Save.
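An added example (not Smoothwall code) of the warning/incident threshold logic that the Firewall Notifications settings describe: a sliding-window count of blocked inbound packets per source IP, source port, local IP and local port, raising a warning at the first threshold and escalating to an incident at the second. The log line format, window length and thresholds are assumptions, and the sample entries are constructed from documentation address ranges.

```python
"""Sliding-window detector for the 'rapid series of inbound requests' condition
that the Firewall Notifications alert describes, with separate Warning and
Incident thresholds. Added example, not Smoothwall code: the log line format,
window length and thresholds are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Tuple

# One monitor per row of the settings table; each extracts the field whose
# repetition across blocked packets counts as a "series".
MONITORS: Dict[str, Callable[[dict], str]] = {
    "source_ip":   lambda e: e["src"],
    "source_port": lambda e: e["sport"],
    "local_ip":    lambda e: e["dst"],
    "local_port":  lambda e: e["dport"],
}

@dataclass
class Alert:
    level: str       # "warning" or "incident"
    monitor: str
    key: str
    count: int       # hits inside the window when the alert fired
    at: datetime

def parse_line(line: str) -> dict:
    """Parses the constructed format: ISO timestamp followed by key=value pairs."""
    ts, _, rest = line.partition(" ")
    entry = dict(kv.split("=", 1) for kv in rest.split())
    entry["ts"] = datetime.fromisoformat(ts)
    return entry

class RapidSeriesDetector:
    def __init__(self, warning: int, incident: int, window: timedelta):
        if not 0 < warning < incident:
            raise ValueError("need 0 < warning threshold < incident threshold")
        self.warning, self.incident, self.window = warning, incident, window
        self.hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.raised: Dict[Tuple[str, str], str] = {}   # highest level already sent

    def observe(self, entry: dict) -> List[Alert]:
        """Feeds one blocked-packet record (in time order) and returns new alerts."""
        alerts: List[Alert] = []
        now = entry["ts"]
        for monitor, key_of in MONITORS.items():
            k = (monitor, key_of(entry))
            q = self.hits[k]
            q.append(now)
            while q and now - q[0] > self.window:      # drop hits outside the window
                q.popleft()
            if len(q) < self.warning:                  # series has gone quiet: re-arm
                self.raised.pop(k, None)
                continue
            level = "incident" if len(q) >= self.incident else "warning"
            prev = self.raised.get(k)
            if prev != level and prev != "incident":   # fire once per level, escalate only
                self.raised[k] = level
                alerts.append(Alert(level, monitor, k[1], len(q), now))
        return alerts

def scan(lines: Iterable[str], warning: int = 5, incident: int = 20,
         window_seconds: int = 60) -> List[Alert]:
    """Runs the detector over a batch of log lines, oldest first."""
    det = RapidSeriesDetector(warning, incident, timedelta(seconds=window_seconds))
    entries = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    out: List[Alert] = []
    for entry in entries:
        out.extend(det.observe(entry))
    return out

# Constructed sample: one remote host hitting eight different local ports within
# eight seconds, one unrelated background packet, and a lone packet three minutes later.
SAMPLE_LOG = [
    f"2011-03-01T12:00:{i:02d} src=198.51.100.7 sport={40000 + i} dst=192.0.2.1 dport={20 + i} proto=tcp"
    for i in range(1, 9)
] + [
    "2011-03-01T12:00:03 src=203.0.113.9 sport=51000 dst=192.0.2.1 dport=443 proto=tcp",
    "2011-03-01T12:03:00 src=198.51.100.7 sport=40100 dst=192.0.2.1 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, warning=5, incident=8):
        print(f"{a.at.time()} {a.level.upper():8} {a.monitor:12} {a.key:14} hits={a.count}")
```

With the sample, the local IP monitor fires first (the background packet also targets 192.0.2.1), the source IP monitor one second later, and both escalate to incidents; the packet three minutes later finds an empty window and raises nothing.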
Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm
Note: Omit http:// when entering the URL.
Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective
Enter the number of times Advanced Firewall should try to retrieve the page.
Enter the keywords to be checked in the page. Assuming the page has been retrieved and the keywords are missing, an alert is generated.
Other Services: Checks that the specified port is open and offering a service.
Setting: Description
IP Address: Enter the IP address.
Port: Enter the port number.
Protocol: From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries: Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.
2 Enter keywords, port numbers and number of tries, if applicable.
3 Select the protocol.
4 Click Add for each service.
DNS Name Resolution: Checks that a domain has not expired or been hijacked.
Used to set an average incoming data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Used to set an average outgoing data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Used to specify whether alerts should be generated for a daily, weekly or monthly data limit.
Setting: Description
Incoming data exceeds: Used to set an incoming data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Used to set an outgoing data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Used to set a total data threshold (in KB). An alert is generated if the specified amount of incoming and outgoing traffic is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Click Save.
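An added example (not Smoothwall code) of evaluating the two kinds of data-transfer trigger listed above: a five-minute average rate against a Kbps limit, and the day/week/month volume totals against KB thresholds. The unit conventions (Kbps = 1000 bits per second, KB = 1024 bytes, weeks starting on Monday) and the counter readings are assumptions made for illustration.

```python
"""Both kinds of data-transfer trigger described above: a five-minute average
rate in Kbps, and a volume threshold in KB for the selected period (day, week
or month). Added example, not Smoothwall code; the unit conventions
(Kbps = 1000 bits per second, KB = 1024 bytes, weeks start on Monday) and the
sample counters are assumptions made for illustration."""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(minutes=5)
Sample = Tuple[datetime, int]      # (time read, cumulative interface byte counter)

def average_kbps(start: Sample, end: Sample) -> float:
    """Average rate between two counter readings; rejects wrapped counters and
    windows shorter than the configured five minutes."""
    (t0, b0), (t1, b1) = start, end
    seconds = (t1 - t0).total_seconds()
    if seconds < WINDOW.total_seconds():
        raise ValueError(f"window {seconds:.0f}s is shorter than {WINDOW}")
    if b1 < b0:
        raise ValueError("counter went backwards (wrap or interface reset); discard window")
    return (b1 - b0) * 8 / 1000 / seconds

def rate_alerts(incoming: Tuple[Sample, Sample], outgoing: Tuple[Sample, Sample],
                limit_in_kbps: float, limit_out_kbps: float) -> List[str]:
    """One message per direction whose five-minute average exceeds its Kbps limit."""
    alerts = []
    for name, (s, e), limit in (("incoming", incoming, limit_in_kbps),
                                ("outgoing", outgoing, limit_out_kbps)):
        rate = average_kbps(s, e)
        if rate > limit:
            alerts.append(f"{name} average {rate:.1f} Kbps exceeds {limit} Kbps over five minutes")
    return alerts

def period_start(day: date, period: str) -> date:
    """Start of the day/week/month containing `day` (the 'Data transfer for the previous' choice)."""
    if period == "day":
        return day
    if period == "week":
        return day - timedelta(days=day.weekday())
    if period == "month":
        return day.replace(day=1)
    raise ValueError(f"unknown period {period!r}")

def period_totals_kb(daily_bytes: Dict[date, Tuple[int, int]], today: date,
                     period: str) -> Dict[str, float]:
    """Sums per-day (incoming, outgoing) byte totals from the period start to today."""
    start = period_start(today, period)
    in_b = sum(i for d, (i, _) in daily_bytes.items() if start <= d <= today)
    out_b = sum(o for d, (_, o) in daily_bytes.items() if start <= d <= today)
    return {"incoming": in_b / 1024, "outgoing": out_b / 1024, "total": (in_b + out_b) / 1024}

def volume_alerts(daily_bytes: Dict[date, Tuple[int, int]], today: date, period: str,
                  thresholds_kb: Dict[str, Optional[float]]) -> List[str]:
    """thresholds_kb keys: incoming, outgoing, total; None leaves that limit unset."""
    observed = period_totals_kb(daily_bytes, today, period)
    return [f"{name} {observed[name]:.0f} KB exceeds {limit} KB for the {period}"
            for name, limit in thresholds_kb.items()
            if limit is not None and observed[name] > limit]

# Constructed counter readings: 75 MB in and 15 MB out over exactly five minutes.
T0 = datetime(2011, 3, 3, 12, 0)
RATE_IN = ((T0, 1_000_000_000), (T0 + WINDOW, 1_075_000_000))
RATE_OUT = ((T0, 500_000_000), (T0 + WINDOW, 515_000_000))

# Constructed daily totals in bytes, (incoming, outgoing); 2011-02-28 is a Monday.
MIB = 1024 * 1024
TODAY = date(2011, 3, 3)
DAILY = {date(2011, 2, 27): (10 * MIB, 2 * MIB), date(2011, 2, 28): (20 * MIB, 4 * MIB),
         date(2011, 3, 1): (30 * MIB, 6 * MIB), date(2011, 3, 2): (40 * MIB, 8 * MIB),
         TODAY: (50 * MIB, 10 * MIB)}
THRESHOLDS = {"incoming": 100_000, "outgoing": None, "total": 150_000}

if __name__ == "__main__":
    for msg in rate_alerts(RATE_IN, RATE_OUT, limit_in_kbps=1500, limit_out_kbps=500):
        print(msg)
    for period in ("day", "week", "month"):
        print(period, period_totals_kb(DAILY, TODAY, period),
              volume_alerts(DAILY, TODAY, period, THRESHOLDS))
```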
These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.
To configure the alert:
Setting: Description
Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Select to generate the alert when an inappropriate word is used in a message sent by a local user.
Generate alert for each message which exceeds the Message Censor severity threshold: Select to generate an alert when the Message Censor threshold is exceeded. For information on the Message Censor threshold, see Chapter 8, Censoring Instant Message Content on page 98.
From the drop-down list, select the threshold above which an alert will be generated.
Generate alert when users exceed the rate of inappropriate messages: Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins: Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.
Used to set the priority level threshold for IDS detected warnings that, once exceeded, generates an alert.
Click Save.
Monitor POP3 proxy for viruses: Select to alert when malware is detected when downloading via
Monitor SMTP relay for viruses: Select to alert when malware is detected when relaying via SMTP.
This alert is triggered when the number of messages in the email queue exceeds the specified threshold.
To configure and enable the alert:
Setting: Description
Threshold number of messages: Enter the number of messages above which the alert is triggered.
Realtime
The realtime pages provide access to realtime information about your system, IPsec tunnels, the firewall and traffic.
System Information
The system page is a realtime version of the system log viewer with some filtering options.
To access the system page:
By default, all information in the system log is displayed and updated automatically approximately every second.
From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.
Firewall Information
The firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.
Enter a complete or partial IP address and/or port number in the fields and click Update.
IPsec Information
The ipsec page is a realtime version of the IPSec log viewer with some filtering options.
To access the ipsec page:
By default, all information in the log is displayed and updated automatically approximately every second.
To display information on a specific tunnel:
1 From the drop-down list, select the tunnel. Enter the text you are looking for.
2 Click Update. If there is information available in the system log, it is displayed in the Details area.
Advanced Firewall displays and automatically updates the realtime information available on relayed and delivered email.
Portal Information
The portal page displays realtime information on users accessing Advanced Firewall portals.
To access the portal page:
For more information on portals, see Chapter 8, Working with User Portals on page 75.
Instant Messaging
The im proxy page is a realtime version of the im proxy log viewer with some filtering options.
The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.
Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green.
You can use the following settings to manage how the conversation is displayed.
Setting: Description
<html>: Click to remove any html tags at the start or end of a conversation.
ScrLk: Click to lock the conversation pane to the bottom of the conversation, i.e. when someone says something new the text will scroll off the top of the screen.
2 In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
3 To show lines containing specific text, in the Show only lines containing field, enter the text. If the text is found, it is automatically displayed in the Details area.
Traffic Graphs
The traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.
Chapter 15 Information, Alerts and Logging Logs To access the traffic graphs page:
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.
Top 10 Incoming: Displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.
Top 10 Outgoing: Displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.
Logs
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.
System Logs
The system logs contain simple logging and management information.
To access system logs:
The following filter criteria controls are available in the Settings area:
Section: Used to select which system log is displayed. The following options are available:
  Authentication service: Log messages from the authentication system, including service status messages and the user authentication audit trail.
  DHCP server: Log messages from the SmoothDHCP system.
  DNS Proxy: Log messages from the DNS proxy service.
  Heartbeat: Log messages from the hardware failover system.
  IM Proxy: Log messages from the instant messaging proxy service.
  IPSec: Log messages from the VPN system, including service status changes.
  Kernel: Log messages from the core Advanced Firewall operating system.
  L2TP: Logs L2TP service status messages.
  ISDN: Log messages from external connections using a local ISDN device.
  Message censor: Displays information from the message censor logs.
  NTP: Log messages from the network time system.
  PPP: Log messages from the system, for external modem or dial-up connections.
  Routing service: Logs routing, including service status messages.
  SIP service: Logs SIP-based VoIP service information.
  SNMP: Logs Simple Network Management Protocol activity.
  SmoothD: Log messages from the SmoothD super server.
  SSL VPN: Log messages from the SSL VPN system.
  SmoothD: Displays server log information.
  SSH: Log messages from the SSH system.
  SmoothMonitor: Displays monitoring system information, including service status and the alert/report distribution audit trail.
  System: Simple system log messages, including startup, shutdown, reboot and service status messages.
  UPS: Log messages from the UPS system, including service status messages.
  Update transcript: Displays information on update history.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.
Firewall Logs
The firewall logs contain information on network traffic. They contain details about all data packets rejected by Advanced Firewall. In addition, the firewall logs can display port forwards, and all incoming, outgoing and forwarded data packets, if traffic auditing has been configured on the networking > firewall > advanced page.
To view the firewall logs:
The following filter criteria controls are available in the Settings area:
Section: Used to select which firewall log is displayed. The content of each section is discussed below.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Compression: Used to ghost repeated sequential log entries for improved log viewing.
Source: Enter an IP address and click Update to display log entries for that source address.
Src port: This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination: Enter an IP address and click Update to display log entries for that destination address.
Dst port: This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
The sections are as follows:
- All rejected data packets.
- All traffic to all interfaces that is destined for the firewall, if Direct incoming traffic is enabled on the Networking > advanced page.
- All traffic leaving from any interface, if Direct outgoing traffic is enabled on the networking > settings > advanced page.
- Forward audit: All traffic passing through one interface to another, if Forwarded traffic is enabled.
- Port forwards: All data packets from the external network that were forwarded by a port forward rule, if port forward logging is enabled on the networking > firewall > port forwarding page.
- SmoothRule - rejects: All data packets from the internal network zones that were rejected by an outbound access rule.
- SmoothRule - stealth: All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:
Time: The time that the firewall event occurred.
In: The interface at which the data packet arrived.
Out: The interface at which the data packet left.
Protocol: The network protocol used by the data packet.
Source: The IP address of the data packet's sender.
Src Port: The outbound port number used by the data packet.
Dst port: The inbound port number used by the data packet.
Destination: The IP address of the data packet's intended destination.
To look up a logged source or destination IP:
1. Navigate to the info > logs > firewall page.
2. Select a particular source or destination IP in the Source and Destination columns.
3. Click Lookup. A lookup is performed and the result is displayed on the system > diagnostics > whois page.
Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1. Navigate to the info > logs > firewall page.
2. Select one or more source or destination IPs.
3. Click Add to IP block list. The selected source and destination IPs will be automatically added to the IP block list, which you can review on the networking > filtering > ip block page. See Chapter 5, Blocking by IP on page 47 for more information.
IPsec Logs
The ipsec logs page displays information on VPN tunnels.
To access IPsec logs:
1. Choose the tunnel you are interested in by using the Tunnel name control.
2. To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
3. After making a change, click Update.
The following columns are displayed:
- The time the tunnel activity occurred.
- The name of the tunnel concerned.
- Log entries generated by the VPN system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages. To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the currently selected column reverses the sort direction.
Exporting Logs
To export and download all log entries generated by the current settings, click Export. To export and download all log entries generated by the current settings, for all dates available, select Export all dates, and click Export.
Email Logs
Advanced Firewall provides logs on SMTP relaying and POP3 proxying.
To access email logs:
In the Settings area, you choose whether you want to view logs on relay email or POP3 proxy email. The following settings are available:
- Choose the type of logs to view: SMTP relay logs or POP3 logs.
- Specify which month you wish to view logs for.
- Specify which day you wish to view logs for.
- Choose to show only mails from a particular address.
- Show only email to a particular address.
- Show only infected mail: Show only email that is infected with malware.
- Export format: Logs can be exported in the following formats:
  Comma Separated Values: The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Portable Document Format (.pdf): The information is exported in PDF. You
- Export all dates: Select to export log entries for all dates available.
Deferred means that the email could not be delivered and has been deferred for later delivery.
Note: If the same email shows up a number of times in a row, all but one will be grayed out.
In the Spam column, Unchecked means that the email has been whitelisted or, for some other reason, has been excluded from being checked, or that anti-spam settings have not been enabled.
In the Anti-malware column, Unchecked means that anti-malware protection is not enabled or the email has been whitelisted.
Log Filtering
Log files are automatically displayed using the default or existing filter criteria in the Settings area. Adjust the filter criteria in the Settings area and click Update.
Exporting Logs
To export logs:
1. Filter the logs to show the information you want to export.
2. Select the export format and whether you want to export all dates.
3. Click Export. To save the exported log, use the browser's File, Save As option.
IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion detection system (IDS).
To view the IDS logs:
IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS).
To view the IPS logs:
IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.
To view the IM proxy logs:
The following settings are available:
- Enter the name of a local user whose logged conversations you want to view.
- Select to display conversations associated with the local user name entered.
- Enter the name of a remote user whose logged conversations you want to view.
- Select to display conversations associated with the remote user name entered.
- Select to display smilies in the conversation.
- Select to make links in the conversation clickable.
- Here you can enter a specific piece of text you want to search for.
- Enables you to browse conversations by instant messaging protocol, user ID and date.
The following filter criteria controls are available in the Settings area of the proxy logs page:
Month: Used to choose the month that proxy logs are displayed for.
Day: Used to choose the day that proxy logs are displayed for.
Year: Used to choose the year that proxy logs are displayed for.
Source IP: Used to display proxy logs from a specific source IP.
Ignore filter: Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests. To enable the ignore filter, Enable ignore filter must be selected.
Enable ignore filter: Used to activate the ignore filter.
Domain filter: Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter; for example, (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter: Used to activate the domain filter.
Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Log area. The following columns are displayed:
Time: The time the web request was made.
Source IP: The source IP address the web request originated from.
Website: The URL of the requested web resource.
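The Ignore filter and Domain filter behaviour described above, as an added example that is not part of the guide or of Smoothwall's own code: it applies both filters, plus the Source IP filter, to constructed log lines using the guide's own www.abc and (www.)?abc.com patterns. The log line layout and the DEFAULT_IGNORE pattern are assumptions; the guide does not print the default expression.

```python
import re
from dataclasses import dataclass

# Constructed sample entries in the shape of the three proxy log columns the
# guide lists (Time, Source IP, Website). The exact on-disk format is assumed.
SAMPLE_LOG = """\
2011-03-01 09:14:02 192.168.1.20 http://www.abc.com/index.html
2011-03-01 09:14:03 192.168.1.20 http://www.abc.com/static/logo.png
2011-03-01 09:14:03 192.168.1.20 http://www.abc.com/js/app.js
2011-03-01 09:15:10 192.168.1.31 http://abc.net/news
2011-03-01 09:15:12 192.168.1.31 http://www.abc.net/style.css
2011-03-01 09:16:00 192.168.1.20 http://abc.com/login
"""

# Assumed stand-in for the default ignore filter: the guide says it excludes
# image, JavaScript and CSS requests but does not show the actual expression.
DEFAULT_IGNORE = r"\.(png|gif|jpe?g|js|css)$"


@dataclass
class Entry:
    time: str
    source_ip: str
    website: str


def parse_log(text):
    """Split each non-empty line into the Time, Source IP and Website columns."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, url = line.split(maxsplit=3)
        entries.append(Entry(f"{date} {clock}", ip, url))
    return entries


def domain_of(url):
    """The domain part of a URL: drop the scheme, then cut at the first '/'."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return host.split("/", 1)[0]


def domain_matches(pattern, host):
    """Domain filter rule: the expression must match at the START of the host,
    so 'www.abc' matches www.abc.com and www.abc.net but not abc.net."""
    return re.match(pattern, host) is not None


def filter_entries(entries, source_ip=None, ignore=None, enable_ignore=False,
                   domain=None, enable_domain=False):
    """Apply the Settings-area filters; each regex filter only acts when its
    Enable checkbox is set, exactly as the guide describes."""
    ignore_re = re.compile(ignore) if (enable_ignore and ignore) else None
    active_domain = domain if (enable_domain and domain) else None
    kept = []
    for e in entries:
        if source_ip and e.source_ip != source_ip:
            continue
        # Ignore filter: any match anywhere in the URL drops the entry.
        if ignore_re and ignore_re.search(e.website):
            continue
        if active_domain and not domain_matches(active_domain, domain_of(e.website)):
            continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in filter_entries(log, ignore=DEFAULT_IGNORE, enable_ignore=True,
                            domain="(www.)?abc.com", enable_domain=True):
        print(e.time, e.source_ip, e.website)
```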
In the Syslog logging area, select the logging you want to enable and configure the following settings:
Remote syslog: To send logs to an external syslog server, select this setting.
Syslog server: If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
To set default log retention for all of the logs listed above, select one of the following settings:
1 Day: Rotate the log file daily and keep the last day.
2 Days: Rotate the log file daily and keep the last 2 days.
A week: Rotate the log file weekly and keep the last week.
2 weeks: Rotate the log file weekly and keep the last 2 weeks.
A month: Rotate the log file monthly and keep the last month.
2 months: Rotate the log file monthly and keep the last 2 months.
Three months: Rotate the log file monthly and keep the last 3 months.
Four months: Rotate the log file monthly and keep the last 4 months.
Five months: Rotate the log file monthly and keep the last 5 months.
Six months: Rotate the log file monthly and keep the last 6 months.
Seven months: Rotate the log file monthly and keep the last 7 months.
Eight months: Rotate the log file monthly and keep the last 8 months.
Nine months: Rotate the log file monthly and keep the last 9 months.
Ten months: Rotate the log file monthly and keep the last 10 months.
Eleven months: Rotate the log file monthly and keep the last 11 months.
A year: Rotate the log file monthly and keep the last 12 months.
3. Optionally, to set an individual retention period for specific logs, click Advanced and select the required retention period.
4. Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.
To set default log retention for all of the logs listed in the table below, select one of the following settings:
1 Day: Rotate the log file daily and keep the last day.
2 Days: Rotate the log file daily and keep the last 2 days.
A week: Rotate the log file weekly and keep the last week.
2 weeks: Rotate the log file weekly and keep the last 2 weeks.
A month: Rotate the log file monthly and keep the last month.
2 months: Rotate the log file monthly and keep the last 2 months.
Three months: Rotate the log file monthly and keep the last 3 months.
Four months: Rotate the log file monthly and keep the last 4 months.
Five months: Rotate the log file monthly and keep the last 5 months.
Six months: Rotate the log file monthly and keep the last 6 months.
Seven months: Rotate the log file monthly and keep the last 7 months.
Eight months: Rotate the log file monthly and keep the last 8 months.
Nine months: Rotate the log file monthly and keep the last 9 months.
Ten months: Rotate the log file monthly and keep the last 10 months.
Eleven months: Rotate the log file monthly and keep the last 11 months.
A year: Rotate the log file monthly and keep the last 12 months.
3. Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.
4. Click Save. Advanced Firewall will now retain the logs as you have specified.
To configure automatic log deletion:
1. Browse to the info > logs > log settings page.
2. In the Automatic log deletion area, configure the settings:
Delete old logs when free space is low: Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging: From the drop-down list, select the level at which Advanced Firewall will delete logs.
3. Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.
Configuring Groups
The groups page is used to create groups of users which can be configured to receive automated alerts and reports.
Creating Groups
To create a group of users:
1. From the Group name drop-down list, select Empty and click Select.
2. Enter a name for the group.
3. Click Save. Advanced Firewall creates the group.
4. In the Add user area, configure the following settings:
Name: Enter a user's name.
SMS number: If required, enter the user's SMS number details.
Comment: Optionally, enter a description or comment.
Email address: If required, enter the user's email address.
Enable HTML Email: Select if you want emailed reports to be sent in HTML format.
Enabled: Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.
5. Click Add. The user's details will be added to the list of current users in the Current users region.
Editing a Group
To edit a group:
1. Choose the group that you wish to edit using the Group name drop-down list.
2. Click Select to display the group.
3. Make any changes to the group using the controls in the Add a user and Current users areas.
Deleting a Group
To delete a group:
1. Browse to the info > settings > groups page.
2. Select the group to be deleted using the Group name drop-down list.
3. Click Delete.
Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.
To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:
%%DESCRIPTION%%: The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%HOSTNAME%%: The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%%: A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).
For example, if an email-to-SMS gateway requires emails to be sent to: <telephone number>@sampleSMS.com, the following configuration would provide this:
%%SMS%%@sampleSMS.com
If the content of the message should be entered in the email message body, the following configuration would provide this:
%%ALERT%%
Networks with multiple Advanced Firewall systems may wish to include details of the system that the alert was generated by; the following examples would provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%% :%%DESCRIPTION%%
%%ALERT%% (%%HOSTNAME%%)
Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Advanced Firewall can be configured to truncate messages; in this mode, all characters past position 155 are removed and the text .. + is appended to the message to indicate that truncation has occurred. A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
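The placeholder substitution and 160-character truncation rules described above, as an added example that is not Smoothwall's own code: the %%--%% handling and the 155-character cut with the .. + suffix follow the guide's description, while the sample telephone number, hostname, description and alert text are constructed, and the assumption that the marker is stripped even when truncation is disabled is the example's own.

```python
import re

# Placeholder tags have the form %%NAME%% (%%SMS%%, %%ALERT%%, %%HOSTNAME%%, ...).
PLACEHOLDER_RE = re.compile(r"%%([A-Z]+)%%")
TRUNCATE_MARK = "%%--%%"   # only text after this marker is subject to truncation
SMS_LIMIT = 160            # gateway limit given in the guide
KEEP = 155                 # characters kept when a message is cut
SUFFIX = ".. +"            # appended to signal truncation (spacing as printed in the guide; assumed literal)


def render(template, values):
    """Substitute %%NAME%% tags; tags with no value are left untouched so a
    misconfigured template is visible in the delivered message."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def truncate_sms(rendered, enabled=True):
    """Apply the 160-character rule.

    Without %%--%% the whole message is measured. With the marker, only the text
    after it is measured and cut, so gateway parameters placed before it
    (usernames, passwords) are never lost. The marker itself is removed in both
    modes (assumption: the guide does not say what happens when truncation is off).
    """
    if TRUNCATE_MARK in rendered:
        head, body = rendered.split(TRUNCATE_MARK, 1)
    else:
        head, body = "", rendered
    if enabled and len(body) > SMS_LIMIT:
        body = body[:KEEP] + SUFFIX
    return head + body


def build_sms_email(to_template, subject_template, body_template, values, truncate=True):
    """Produce the To:, Subject: and body handed to the email-to-SMS gateway.
    Truncation applies to the message body only, as the guide describes."""
    return {
        "to": render(to_template, values),
        "subject": render(subject_template, values),
        "body": truncate_sms(render(body_template, values), truncate),
    }


if __name__ == "__main__":
    # Constructed sample values; sampleSMS.com is the guide's own example domain.
    values = {
        "SMS": "07700900123",
        "HOSTNAME": "fw-leeds-01",
        "DESCRIPTION": "Head office firewall",
        "ALERT": "IDS alert: " + "x" * 180,
    }
    # Gateway parameters sit before %%--%%, so they survive truncation.
    msg = build_sms_email(
        "%%SMS%%@sampleSMS.com",
        "%%SMS%%",
        "user=gw pass=secret %%--%%%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)",
        values,
    )
    print(msg["to"], msg["subject"], len(msg["body"]), msg["body"][-20:], sep="\n")
```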
1. Browse to info > settings > output settings.
2. In the Email to SMS Output System area, configure the following settings:
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Sender's email address: This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address: Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
Truncate SMS messages to 160 characters: Select if you want the content of the SMS message body to be truncated to 160 characters, or if your email-to-SMS gateway service provider instructs you to do so.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.
SMS subject line: Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
SMS message body: Enter additional parameters and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.
3. Click Save.
To send a test SMS:
1. In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2. Click Send test.
Output to Email
To configure email settings:
1. Browse to info > settings > output settings.
2. In the SMTP (Email) Output System area, configure the following settings:
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Sender's email address: Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
3. Click Save.
To send a test alert:
1. Configure Email to SMS output and/or SMTP (Email) output.
2. Click Generate test alert.
Chapter 16
Managing Updates
Administrators should use Advanced Firewall's update facility whenever a new system update is released. Updates are typically released in response to evolving or theoretical security threats, as and when they are discovered. System updates may also include general product enhancements, as part of Smoothwall's commitment to continuous product improvement. Advanced Firewall must be connected to the Internet in order to discover, download and install system updates. Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to readily track the status of your system.
The updates page provides the following controls:
- Click to get a list of available updates. Any updates available will be listed in the Available updates area.
- Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
- Click to clear any downloaded updates stored in the cache.
- Click to install all updates in the Pending updates area immediately.
- Enter the time at which you want to install the updates if you do not want to install them immediately, and click Install at this time.
If the update requires a reboot, reboot the system on the system > maintenance > shutdown page.
To download and install an update manually:
1. Navigate to the system > maintenance > updates page and click Refresh update list.
2. In the Available updates list, locate the update and click Info. The Smoothwall updates web page opens.
3. Download the update to a suitable location.
4. On the system > maintenance > updates page, click Advanced.
5. In the Install new update area, click Browse to find and open the update.
6. Click Upload to upload and install the update file.
Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of, as yet undiscovered, security threats.
Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall. Advanced Firewall must be connected to the Internet in order to install modules.
To install a module:
1. Navigate to the system > maintenance > modules page.
2. In the Available modules area, locate the module and click Install.
Note: Some module installations require a full reboot of Advanced Firewall. Please read the module description carefully prior to installation.
To upload and install a module file:
1. Navigate to the system > maintenance > modules page and click Advanced.
2. In the Upload module file area, browse to and select the module.
3. Click Upload. The module is uploaded and installed.
Removing a Module
To remove a module:
1. Navigate to the system > maintenance > modules page.
2. In the Installed modules area, locate the module and click Remove.
3. Reboot Advanced Firewall on the system > maintenance > shutdown page.
Licenses
Advanced Firewall contains information on licenses and subscriptions.
To view license information:
Note: The information displayed depends on the Smoothwall product you are using.
Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License, installation and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.
To install additional licenses:
1. Navigate to the system > maintenance > licenses page.
2. Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.
Note: The Subscriptions area is used to manage anti-malware signatures and blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.
Archives
The archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.
Note: It is possible to automatically schedule the creation of backup archives. For further information,
About Profiles
You can assign a profile to an archive enabling you to specify which components you want backed up in a particular archive.
You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for Smoothwall replication systems. For more information, see Replication on page 307.
Creating an Archive
To create an archive:
1. To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list, select the profile and click Select.
2. Configure the following settings:
- Enter a name for the profile.
- Enter a description for the archive.
- Select if you want to archive settings automatically.
- Select the components you want to archive, or select All to select and archive all settings.
- Select the log files you want to archive, or select All to select and archive all logs.
Downloading an Archive
To download an archive:
1. In the Archives area, select the archive.
2. Click Download and save the archive to disk using the browser's Save as dialog box.
Restoring an Archive
To restore an archive:
1. In the Archives area, select the archive.
2. Click Restore. The archive contents are displayed.
3. Select the components in the archive that you want to restore and click Restore.
Deleting Archives
To delete an archive:
Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1. In the Upload area, enter the name of the archive and click Browse.
2. Navigate to and select the archive.
3. Click Upload to upload the archive.
Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.
The following scheduler settings are available:
- From the drop-down list, select the day of the week that the tasks will be executed.
- From the drop-down list, select the time of day at which the tasks will be executed.
- Select to check for new system updates.
- Select to download available updates.
- Select to check for new modules.
- Select to discover and install license upgrades.
Click Save.
1. Navigate to the system > maintenance > scheduler page.
2. In the Remote archive destinations area, click Export Public Backup Key.
3. Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4. In the Remote archive destinations area, enter the following information:
Name: Enter a name to identify this destination.
Username: Specify the user name of the account on the SSH server that will be used. For additional security, it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
IP address: Set the IP address of the SSH server.
Port: Set the port number used to access the SSH server (normally port 22).
Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely
5. Click Add.
6. Repeat the steps above to make other destinations available.
7. In the Remote archival area, enter the following information:
Day: The day of the week to carry out the archive.
Hour: The hour of the day to carry out the archive.
Archive destination: From the drop-down list, select a destination as configured in the Remote archive destinations area.
Archive profile: From the drop-down list, select an archive profile as configured on the archives page.
Enabled
Comment
8. Click Add.
9. Repeat the steps above to configure other archives for scheduled remote archive.
Editing Schedules
To edit a schedule:
In the appropriate area, select the destination or task and click Edit or Remove.
Replication
Using replication, you can configure Advanced Firewall as a replication master or a replication unit.
To configure a replication master:
1. In the Master settings area, click Export Public Backup Key to generate a public key.
2. In the Master settings area, enter the following information:
Enabled: Select to enable replication.
Master: Select to set this Advanced Firewall as the master, then click Save.
Export public backup key: Click to generate the backup key.
Slave IP: Enter the replication unit's IP address.
Profile: From the drop-down list, select the profile containing the replication settings you want to implement on the replication unit. See the archives page for a list of which settings can be replicated.
Comment: Enter a description for the replication unit.
Enabled: Select to enable the settings.
3. Click Add to add the replication unit to the list of current replication units.
4. Install the key on any systems you want to configure as this master's replication units. Ensure that SSH is enabled and can be contacted on the replication unit.
Note: If you reinstall your replication master using a backup image, you must create a new replication unit archive when you install the replication unit. The old replication unit archive will not work.
To configure a replication unit:
1. On your Advanced Firewall master system, on the system > maintenance > archives page, create an archive containing the replication settings you want to implement.
2. On your Advanced Firewall replication unit system, on the system > maintenance > replication page, in the Settings area, select Enabled and Slave. Click Save.
3. In the Slave settings area, click Browse and navigate to and select the archive containing the replication unit settings.
4. Click Upload and On to implement the replication unit settings.
Note: Settings are not implemented immediately. There will be a delay depending on the network load and other timing constraints.
The shutdown page offers the following options:
- Select to shut down or reboot immediately.
- Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.
- At the following time: Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.
3. Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.
Shell Access
The web-based secure shell (SSH) remote access tool enables command line administration of the Advanced Firewall system through a web browser.
Note: In order to use this feature, SSH access must be enabled. See Chapter 16, Configuring Admin Access Options on page 314 for more information.
The browser that is connected to the Advanced Firewall system is required to have a Java Virtual Machine capability installed. For details on setting your browser up in this way, consult your browser help system.
To use the shell tool:
2 Click on the shell window once the Java applet has loaded.
3 Enter the following information:
Information: Description
User name
Password
Setting: Description
Description: In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.
Enable dropdown menus: Select to enable drop-down menus in Advanced Firewall.
Always show second tier menus: Select to always show second tier menus.
Show information bar: Select to show information on the trail to the page you are on.
Show the to-do list: Select to show the to-do list on the main > main > control page.
Popup error box: Select to display error messages in a popup window.
In-page error report: Select to display error messages on the web page.
System Control page: From the Report to show drop-down list, select the report you want displayed on the main > main > control page. This determines what, if any, information is displayed in the System Services area on that page.
System Summary page: From the Report to show drop-down list, select the report you want displayed on the info > reports > summary page.
Click Save.
Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet. Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization of system clocks.
To set the time:
Select Set and use the drop-down lists to set the time and date.
To automatically retrieve time settings:
1 Select Enabled in the Network time retrieval area.
2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
4 Choose one of the following network retrieval methods:
Multiple random public servers: select to set the time as the average time retrieved from five random time servers.
Selected single public server: select from the drop-down list a public time
Advanced Firewall can be used to synchronize the system clocks of local network hosts by providing a time service.
To synchronize the network time service:
1 Enable network time retrieval.
2 Select each internal network interface that the network time service should be available from.
3 Click Save.
By default Advanced Firewall sends information about your system to Smoothwall when registering and updating update, licence, subscription and add-on module information. It also sends information when installing Smoothwall add-on modules. When enabled and depending on which add-on modules are installed, the following information is sent:
Enabled status for optional services
The number of configured interfaces and whether they are internal or external
Authentication service settings and the LDAP server type
Guardian transparent mode and authentication service settings mode
Manufacturer name and product name from dmidecode
Main board manufacturer and main board product name from dmidecode.
Note: No sensitive authentication information or passwords are sent.
Provide filtering feedback information: When enabled, Advanced Firewall will periodically send information about the accuracy of the web filter, listing the domains of any web sites which could not be classified. Smoothwall will take every available measure to ensure data cannot subsequently be associated with your organization and no personal information is ever sent.
Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, sends registration and/or filtering information.
To change the hostname:
Enter a new value in the Hostname field and click Save.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field.
To permit access to the console via SSH:
Note: Terminal access to Advanced Firewall uses the non-standard port 222.
Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged in administrator, and not some third party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname, or the external IP address where applicable. If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general Smoothwall log file.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.
To enable referral checking:
1 Navigate to the system > administration > admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.
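As an added example (not Smoothwall's own code), the referral check above expressed as a small Python function: the Referer URL's host must be the unit's local IP, local hostname or external IP, and anything else, including a DNS or Dynamic DNS name, is ignored and logged. The addresses are constructed; this version compares the URL's host component exactly rather than searching the whole URL for the address, which is stricter than the guide's wording.

```python
import logging
from typing import Optional
from urllib.parse import urlsplit

log = logging.getLogger("smoothwall")


def referrer_is_local(referer: Optional[str], *, local_ip: str, local_hostname: str,
                      external_ip: Optional[str] = None) -> bool:
    """Return True only if the Referer URL names this unit itself.

    The host part of the URL must equal the local IP address, the local
    hostname or, where one is configured, the external IP address. A missing
    Referer, a malformed URL, any other host and a DNS or Dynamic DNS name all
    fail, which is why remote management via such a name needs the check off.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname  # lower-cased; None when there is no host part
    if host is None:
        return False
    allowed = {local_ip.lower(), local_hostname.lower()}
    if external_ip:
        allowed.add(external_ip.lower())
    # Exact match on the host component: "192.168.10.1@evil.example" and
    # "192.168.10.1.evil.example" both have a different host and are rejected.
    return host in allowed


def handle_admin_request(referer: Optional[str], action: str, **unit: str) -> bool:
    """Process a configuration request only when the referral check passes;
    otherwise ignore it and record the event in the log."""
    if referrer_is_local(referer, **unit):
        return True
    log.warning("ignored admin request %r: referer %r is not from a local page",
                action, referer)
    return False


if __name__ == "__main__":
    # Constructed addresses for this example; the admin interface port 441 is the guide's.
    unit = dict(local_ip="192.168.10.1", local_hostname="firewall", external_ip="203.0.113.7")
    print(handle_admin_request("https://192.168.10.1:441/cgi-bin/admin/index.cgi", "save", **unit))  # True
    print(handle_admin_request("https://fw.dyndns.example:441/cgi-bin/admin/index.cgi", "save", **unit))  # False
```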
From the drop-down list, select the interface that access is permitted from. If this is set to External, the currently active external interface will be accessible for administration purposes.
Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
Select the permitted access method.
Enter a description for the access rule.
Select to activate access.
Click Add. The access rule is added to the Current rules table.
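An added example, not part of the product, of matching a source address against the allowed hosts forms listed above (a single address, an a.b.c.d-e.f.g.h range, a subnet with a dotted netmask or prefix length, or empty meaning any) and then evaluating a rule's interface, method and enabled flag. The rule labels and addresses are constructed; how the product treats host bits set in a subnet entry is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class AllowedSources:
    """The 'hosts permitted to use admin access' value of one rule.

    Accepts the forms the guide lists: a single address, a range such as
    192.168.10.1-192.168.10.50, a subnet as 192.168.10.0/255.255.255.0 or
    192.168.10.0/24, or an empty string meaning any source IP.
    """
    spec: str
    networks: List[ipaddress.IPv4Network] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        text = self.spec.strip()
        if not text:
            return  # empty: every source address matches
        if "-" in text:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            if last < first:
                raise ValueError(f"range end before start: {text}")
            # A range is expressed as the minimal set of CIDR blocks covering it.
            self.networks = list(ipaddress.summarize_address_range(first, last))
        else:
            # ipaddress understands both dotted-quad netmasks and prefix lengths.
            # Host bits set in the address are masked off (strict=False); how the
            # product itself treats such input is an assumption of this example.
            self.networks = [ipaddress.IPv4Network(text, strict=False)]

    def allows(self, source: str) -> bool:
        if not self.networks:
            return True
        addr = ipaddress.IPv4Address(source)
        return any(addr in net for net in self.networks)


@dataclass
class AccessRule:
    interface: str          # "Internal" or "External" (constructed labels)
    sources: AllowedSources
    method: str             # e.g. "HTTPS" or "SSH" (constructed labels)
    enabled: bool = True


def admin_access_permitted(rules: List[AccessRule], interface: str,
                           method: str, source: str) -> bool:
    """True if any enabled rule for this interface and method admits the source."""
    return any(r.enabled and r.interface == interface and r.method == method
               and r.sources.allows(source) for r in rules)


if __name__ == "__main__":
    # Constructed rule set for the example.
    rules = [
        AccessRule("Internal", AllowedSources("192.168.10.1-192.168.10.50"), "HTTPS"),
        AccessRule("External", AllowedSources("203.0.113.0/255.255.255.0"), "HTTPS"),
        AccessRule("External", AllowedSources(""), "SSH", enabled=False),
    ]
    print(admin_access_permitted(rules, "Internal", "HTTPS", "192.168.10.20"))  # True
    print(admin_access_permitted(rules, "External", "SSH", "198.51.100.9"))    # False
```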
Note: Do not remove the default external access rule; it provides access to the default internal network.
Enter a name for the user account. Enter a password. Passwords are case sensitive and must be at least six characters long. Re-enter the password to confirm it.
1 Browse to the system > administration > administrative users page.
2 In the Current users area, select the user and click Edit.
3 Enter and confirm the new password in the Password and Again fields.
4 Click Add to activate the changes.
Hardware
The following sections discuss UPS, failover, modem and firmware settings.
UPS Settings
Advanced Firewall can be connected to a local Uninterruptible Power Supply (UPS) device to protect the system against power cuts. With this arrangement, local UPS status monitoring can be configured, and the system can be configured to automatically react when it detects that it is using UPS battery power. In this mode, it is also possible for Advanced Firewall to act as a UPS master, and broadcast power status messages to other appropriately configured UPS systems or devices so that they too can react to power changes. Alternatively, Advanced Firewall can be configured as a UPS device to an appropriately configured master UPS system or device. In this mode, the status of the UPS service will be updated over the network, whenever the UPS master device alerts the Advanced Firewall system. This mode also allows Advanced Firewall to react when it is informed that UPS battery power is being used.
network. For more information, see Connecting to a Network UPS on page 320.
3 Click Save.
Used to set the manufacturer, model or compatible setting for the local UPS device (refer to the UPS device's technical documentation if this is not readily known). Used to set the serial or USB port that the UPS device is attached to. Used to set the type of cable that connects to the UPS device (refer to the UPS device's technical documentation if this is not readily known).
1 Navigate to the system > hardware > ups page.
2 Choose the manufacturer, model or compatible setting for the UPS device from the Select UPS type drop-down list.
3 Choose the serial or USB port that the UPS device is attached to from the Select UPS COM port drop-down list.
4 Choose the cable type that the UPS device is attached by from the Select UPS cable type drop-down list.
5 Click Save.
The IP address of the 'master' UPS device. The numeric port number of the master UPS device's network service.
To configure a network UPS connection (with Advanced Firewall acting as a UPS device):
1 Navigate to the system > hardware > ups page.
2 Enter the IP address of the UPS device into the Master IP Address field.
3 Enter the port number that the UPS device uses into the Port field.
4 Click Save.
Provides a combination of choices that configure different logging, shutdown and continue options in the event of a switch to battery power.
Used to forcibly shut down the system once battery power falls below a set level (between 5% and 30%). This feature will only work with UPS devices that support UPS 'Smart' mode (refer to the UPS device's technical documentation to determine if this functionality is supported).
1 Navigate to the system > hardware > ups page.
2 Choose what action should be taken when using battery power using the Action to take drop-down list.
3 If the UPS device operates in Smart mode, use the Force shutdown drop-down list to choose the battery power level that will trigger the Advanced Firewall system to be forcibly shut down.
4 Click Save.
The current status of the UPS device.
The current status of the system's UPS monitoring service.
The time of the last update.
The model description of the UPS device.
The serial number of the UPS device.
The UPS device's cable connection type.
The current load required from the UPS as a percentage of the total UPS output capacity.
The amount of charge currently stored in the UPS device's battery.
The estimated duration that battery power can be sustained whilst being used.
The amount of time that the UPS device has used battery power for (if currently running on battery).
The mains voltage.
The mains frequency.
The internal temperature of the UPS device.
The last reason for switching to battery power.
The last date and time that the UPS device's battery was used.
The last date and time that the UPS device switched from battery to mains.
1 Navigate to the system > hardware > ups page.
2 Enter the port number that UPS devices can connect to into the Port field.
3 Enter up to five IP addresses into the appropriate Slave IP Address fields. Each IP address should belong to a UPS device.
4 Click Save.
minutes behind configuration changes made to the master. If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master.
Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses for each of the master's interfaces, the failover unit will essentially provide a drop-in replacement and the transition will generally go unnoticed. When the master starts to respond again, be it minutes, days or weeks later, and assuming that auto failback is enabled, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode.
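As an added illustration that is not Smoothwall's code, the failover unit's behaviour described above as a small state machine: standby while heartbeats arrive, a monitoring stage once a heartbeat is overdue by more than the keep-alive interval, active once the dead time has also passed, and a return to standby when the master answers again (if auto failback is enabled) or on a manual Enter standby mode. The dead time value is constructed; the 1 second keep-alive is the guide's default.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailoverUnit:
    """State of the standby unit as the guide describes it.

    "standby":    the master's heartbeat is arriving; our services are inactive.
    "monitoring": a heartbeat is overdue by more than the keep-alive interval;
                  watch the master for revival for the length of the dead time.
    "active":     the dead time has expired; we have reinstated the master's
                  addresses and services and are serving in its place.
    Times are seconds on a monotonic clock supplied by the caller.
    """
    keepalive_s: float = 1.0       # the guide's default keep-alive interval
    dead_time_s: float = 30.0      # constructed value for the example
    auto_failback: bool = True
    state: str = "standby"
    last_heartbeat: Optional[float] = None
    missed_since: Optional[float] = None

    def heartbeat(self, now: float) -> str:
        """The master answered at time `now`."""
        self.last_heartbeat = now
        if self.state == "monitoring":
            # Intermittent failure, e.g. a heavily loaded master: drop back to standby.
            self.state, self.missed_since = "standby", None
        elif self.state == "active" and self.auto_failback:
            # The master is back: hand over control and deactivate our services.
            self.state, self.missed_since = "standby", None
        return self.state

    def tick(self, now: float) -> str:
        """Periodic evaluation at time `now` with no heartbeat having arrived."""
        if (self.state == "standby" and self.last_heartbeat is not None
                and now - self.last_heartbeat > self.keepalive_s):
            self.state, self.missed_since = "monitoring", now
        if self.state == "monitoring" and now - self.missed_since >= self.dead_time_s:
            self.state = "active"  # take over the master's addresses and services
        return self.state

    def enter_standby(self) -> str:
        """Manual failback: the Enter standby mode action on the failover unit.
        The last heartbeat is forgotten so the master is judged afresh."""
        self.state, self.missed_since, self.last_heartbeat = "standby", None, None
        return self.state


if __name__ == "__main__":
    unit = FailoverUnit()
    for t in range(5):
        unit.heartbeat(float(t))
    print(unit.tick(5.5))         # monitoring: 1.5 s since the last heartbeat
    print(unit.tick(35.5))        # active: dead time of 30 s has expired
    print(unit.heartbeat(100.0))  # standby: auto failback to the revived master
```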
Prerequisites
The following must be in place for hardware failover to work:
A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
The master and slave should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
The failover unit must be plugged into all the switches the master is plugged into
SSH must be enabled on the master, see Chapter 16, Configuring Admin Access Options on page 314 for more information.
From the Heartbeat interface drop-down list, select a network interface to use for the heartbeat communication between the master and failover unit.
Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure, as it is possible that the switch the heartbeat interface is on could fail.
Click Save and Restart to save the setting and restart networking.
Note: If Advanced Firewall is connected to the Internet, you must disconnect before you can restart networking.
Enabled: Select to enable failover.
Auto failback: Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
Keep-alive interval: Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
IP address: Enter an IP address for the master.
Netmask: Enter a netmask.
Note: We recommend that this network be private and only used by the master and failover units.
6 Click Save.
7 Browse to the system > maintenance > shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.
To generate a failover archive:
1 Navigate to the system > hardware > failover page and configure and save the failover settings. See Configuring the Master on page 324.
2 Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.
3 Save the archive on some suitable removable media accessible by the slave.
The next step is to use the archive to implement the failover settings on the failover unit.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 Mbytes is an average size.
1 Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information. On the following screen:
2 Select Yes and press Enter.
3 Select the type of media the archive is stored on and press Enter. You are prompted to insert the media.
4 Insert the media and press Enter.
5 Select the archive and press Enter. The failover settings are installed.
6 When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.
Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.
Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to failover to in case of any issues resulting from updates to the master.
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi
All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441. The address used, in the example above: 192.168.72.142, is the address of the master, as when in standby mode the failover unit has no effective presence on any of the local or remote networks.
Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:
1 On the master, go to the system > hardware > failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.
2 To restore operations to the master, on the active system, go to the system > hardware > failover page and click Enter standby mode. Operations will be transferred to the master.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.
Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation but the master system has become available again after corrective action has been taken, you can manually fail back to the master.
To manually failback:
On the failover unit, go to the system > hardware > failover page and click Enter standby mode to restore the system to normal operation.
Configuring Modems
Advanced Firewall can store up to five modem profiles.
From the drop-down list, select Empty to create a modem profile.
Enter a name for the modem profile.
Select the serial port that the modem is connected to.
Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
Dialing mode: Select the dialing mode.
Tone: Select if your telephone company supports tone dialing.
Pulse: Select if your telephone company supports pulse dialing.
Init: Enter the commands required to initialize the modem.
Hangup: Enter the commands required to end a connection.
Speaker on: Enter the commands required to turn the speaker on.
Speaker off: Enter the commands required to turn the speaker off.
Tone dial: Enter the commands required to turn tone dialing on.
Pulse dial: Enter the commands required to turn pulse dialing on.
Connect timeout: Enter the amount of time in seconds to allow the modem to attempt to connect.
2 Click Browse adjacent to the Upload file field.
3 Use the browser's Open dialog to find and open the mgmt.o firmware update file.
4 Click Upload to upload the firmware update.
Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.
Configuration Tests
The configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems. Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are pinged and network routing is tested to make sure your current settings are not likely to cause problems.
To test your configuration:
Click Perform tests. The results are displayed in the Details area.
Note: TCP port forwards are tested by attempting to connect to the destination IP address and port. If a port forward is to a port range, the first and last addresses will be tested. If a test fails, it is classified as a timeout if the destination takes longer than 1 second to respond, or as unreachable if the test receives an error condition as a response. If a test is successful, the time taken for the destination to respond is displayed (or the average time in the case of a port range). If one or more port forwards in a range are successful and one or more other port forwards in the same range are unsuccessful, this is displayed as a warning.
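An added example, not the product's own test code, of classifying a TCP port forward test the way the note describes: a single port, or the first and last port of a range, is probed with a 1 second limit; each probe reports ok with its response time, timeout or unreachable; and a range with mixed results is reported as a warning. The simulated connector and the addresses are constructed so the example runs offline.

```python
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

TIMEOUT_S = 1.0  # the guide's threshold: slower than this counts as a timeout

# A connector takes (host, port, timeout), returns normally on success, raises a
# timeout error if the destination is too slow, or another OSError (refused, no
# route, ...) if it is unreachable.
Connector = Callable[[str, int, float], None]


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Real connector: a plain TCP connect, closed immediately on success."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def simulated_connect(host: str, port: int, timeout: float) -> None:
    """Constructed stand-in for tcp_connect so the example runs offline:
    ports 8080 and 8081 answer, 9000 is too slow, everything else is refused."""
    if port in (8080, 8081):
        return
    if port == 9000:
        raise TimeoutError("simulated slow destination")
    raise ConnectionRefusedError("simulated refusal")


@dataclass
class ProbeResult:
    port: int
    status: str                      # "ok", "timeout" or "unreachable"
    seconds: Optional[float] = None  # response time when status is "ok"


def probe_port(host: str, port: int, connect: Connector = tcp_connect) -> ProbeResult:
    start = time.monotonic()
    try:
        connect(host, port, TIMEOUT_S)
    except (socket.timeout, TimeoutError):  # must precede OSError: it is a subclass
        return ProbeResult(port, "timeout")
    except OSError:                         # refused, unreachable, reset, ...
        return ProbeResult(port, "unreachable")
    return ProbeResult(port, "ok", time.monotonic() - start)


@dataclass
class ForwardTestResult:
    status: str                      # "ok", "warning", "timeout", "unreachable", "failed"
    average_seconds: Optional[float]
    probes: List[ProbeResult]


def check_port_forward(host: str, first_port: int, last_port: int,
                       connect: Connector = tcp_connect) -> ForwardTestResult:
    """A single port is probed once; for a range only the first and last ports
    are probed. All ok gives the average time; mixed results give a warning;
    all failed gives the failure kind, or "failed" when the kinds differ."""
    ports = sorted({first_port, last_port})
    probes = [probe_port(host, p, connect) for p in ports]
    ok = [p for p in probes if p.status == "ok"]
    if ok:
        average = sum(p.seconds for p in ok) / len(ok)
        return ForwardTestResult("ok" if len(ok) == len(probes) else "warning", average, probes)
    kinds = {p.status for p in probes}
    return ForwardTestResult(kinds.pop() if len(kinds) == 1 else "failed", None, probes)


if __name__ == "__main__":
    # Constructed destination; with tcp_connect the same calls test a real forward.
    for first, last in ((8080, 8080), (8080, 9000), (7000, 7001)):
        r = check_port_forward("192.0.2.10", first, last, simulated_connect)
        print(first, last, r.status, [p.status for p in r.probes])
```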
Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support engineers with complete system configuration information to aid problem solving.
To generate a diagnostics file:
Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Select All to include all modules, or individually select the modules you want to include in the diagnostics results.
Click Generate. When prompted, save the results in a suitable location for review.
IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks and to hosts located externally on the Internet. There are two IP Tools:
Ping
Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
Traceroute
Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection. The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page.
Using Ping
To use Ping:
2 Select the Ping option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4 Click Run. The result of the ping command is displayed.
Using Traceroute
To use Traceroute:
1 Navigate to the system > diagnostics > ip tools page.
2 Select the Traceroute option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4 Click Run. The result of the traceroute command is displayed.
WhoIs
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.
2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3 Click Run. The output of the whois command is as it would be if the command were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run it from this page.
2 From the Interface drop-down list, select the interface.
3 From the Time to run for drop-down list, select how long to analyze the traffic.
4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests.
Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the system > certs > ca page. The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available. For information on certificates used in VPNs, see Chapter 9, Virtual Private Networking on page 117.
Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
To review the certificates:
Browse to the system > certs > ca page. Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default. To review a specific certificate, click on its name. Advanced Firewall displays it. For example:
Importing CA Certificates
To import CA certificates:
1 Navigate to the system > certs > ca page and locate the Import Certificate Authority certificate area.
2 Click Browse, navigate to the certificate and select it.
3 Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.
Exporting CA Certificates
To export certificates:
From the Export format drop-down list, select one of the following options:
Option: Description
CA certificate in PEM: Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN: Export the certificate in a binary certificate format.
On the system > certs > ca page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).
To restore the built-in list:
On the system > certs > ca page, click Clear built-in deleted list. Advanced Firewall restores any built-in certificates which have been deleted from the list.
Appendix A
Authentication
In this appendix: authentication methods.
Overview
Advanced Firewall's authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user's group membership. Identity verification authenticates users by checking supplied identity credentials, e.g. usernames and passwords, against known user profile information. Identity confirmation provides details of known authenticated users at a particular IP address.
The above example is for a multi domain Active Directory installation, where the second OU is in the sub-domain sub1. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group.
Active Directory
The following sections describe the usernames and group membership which must be configured correctly in order to successfully implement Active Directory-based authentication.
Appendix B
Example Report
In the building block metaphor a report template is the instructions alone, Advanced Firewall is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with. This leaves the question of when the model actually gets built. The answer is reasonably simple: the construction of a rendered report requires the following steps, again using the building-block metaphor.
1 Retrieve assembly instructions.
2 Collect necessary parts from the warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present it to the awaiting small child.
A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model; executing it, i.e. generating a report, carries out steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. it renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user, but do deserve some explanation. The reports page lists the report templates, or instruction sheets. The recent and saved page shows the list of boxed models ready for assembly; clicking on a report template link, or on a report itself from either the reports or recent and saved pages, will complete the missing steps and show the requesting user the final model.
From the report page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page.
From viewing a report the date controls appear at the top right of the page next to the table of contents view, the preview button here will regenerate a new report according to those date ranges. Note again, that both these actions will generate a new report, which may be saved accordingly.
Interpreted Results
Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, IP addresses can contain whois information which would allow for greater understanding of the IP address and why it might have appeared; URLs too can contain more information than is immediately apparent from viewing the URL. To activate Advanced Firewall's advanced interpreter, simply hover the mouse over the desired result; this will produce a tool-tip which contains more information about the result. For example:
In this example, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path); hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters, but has also retrieved the video title, description and thumbnail from the YouTube server. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.
Saving Reports
Reports can be saved for viewing later if desired. Saving a report stops it being subject to the 48 hour rolling deletion which tidies the reports list each day. It is also important to note that a saved report is format-less and as such can be rendered to HTML, PDF, CSV etc. as desired. Saved reports are listed on the recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.
with the report template used to generate this report already loaded. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself. Whilst viewing a report there is an edit report button presented underneath the table of contents which leads to the custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.
Note the list of related reports is determined by the report section and cannot be altered.
Report templates and customized sections are managed and manipulated from the custom page on your Advanced Firewall's interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for the Advanced Firewall's reporting engine to interpret and use to extract and manipulate data from the Advanced Firewall's logs.
A list of available sections is included on the custom page under the heading Available sections. Existing template reports are also included in this list so that, once created, they can be included in new report templates without having to redefine them. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly; the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above. It should be noted that when a template report is included within another template report, its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it.
On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, highlight sections by clicking on them and use the add or remove controls accordingly. Note that multiple sections can be added at once, and that sections can appear more than once in a template report.
Ordering Sections
Save for the caveats detailed under Grouping Sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section, simply select it from the included sections list and press either move up or move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.
Grouped Sections
Many of the underlying concepts in Advanced Firewall's reporting system are based around the notion of grouped sections. A section group is a logical construct which allows logically connected sections to be collated together. Grouping two sections together has a number of consequences and allows advanced options such as iteration and feed-forwarding to be used. Primarily, grouping is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user: a Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field; grouped together, they can share the username option, allowing it to be entered only once when the report is generated.

Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated, and the other sections in the group will iterate over the results from that section. Groups can contain other groups, which may of course be standard, iterative or feed-forward groups. They may also contain single sections. By containing groups within groups, complicated reporting structures can be developed which allow reports to automatically drill down and produce fine-grained detail from a high-level overview.
grouped parent; thus a group containing two sections, both of which possess a limit field (the number of items to show), can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled and where the value comes from. This may be grouped, feed-forward or repeating, meaning that the value will be assigned by the parent group, by the results of a feed-forward section, or from the list of values provided to an iterating group. Options which are not grouped, fed forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any of a number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace the inherited values as would be expected.
Feed-Forward Reporting
Due to the jigsaw or building-block nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this, the reporting template system in Advanced Firewall allows a section's results to be used as the source of options for subsequent sections. To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The Network Interfaces section can be used to show a list of all network interfaces which are configured on Advanced Firewall, or of those which are configured for internal or external networking. This provides limited details for each network interface, such as its IP address, but it does not show monthly usage statistics. The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for Advanced Firewall and then display the advanced usage and bandwidth statistics for it.
Iterative Reporting
Some report sections only deal with a limited set of data: a single group, username or IP address, for example. For this reason it may be desirable to repeat a section using mostly the same options, but with one particular option changed each time. For example, it may be desirable to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the desired local network interfaces and repeat the section once for each of them. Note that there is potential overlap here: if the desired result is a list of all the local interfaces then feed-forwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, as well as including the Network Interfaces report itself. Note that, whilst it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.
Group Ordering
Sections within a group can be reordered; this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule, however. Groups utilizing feed-forward require one of their sections to be promoted (and denoted as the feeder) to a state where it provides the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group's display.
Grouping Sections
To group a number of sections together, select them from the included sections list and then group them using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items, including other groups. Conversely, the ungroup command should be used either to disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level of the included sections tree that the group previously occupied; the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. Note that ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.
example, the Network ARP Table section produces a list of the interfaces on which connections are seen. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section. Some care should be taken when choosing sections to flow into each other; however, generally, results such as username should be taken to be suitable for feeding a username field.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential workload that this would place on Advanced Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible. However, this would result in the following execution tree:

Group Activity Section
    20 x User Activity Section
        50 x URL Activity Section
            100 URLs

Hence, 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times; assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.
Exporting Options
Each report section provides a list of options which define its behavior. This behavior may be defined at a later stage to make the report template truly flexible. For example, a domain activity section can take a username value to show the domains requested by a particular user which were subsequently banned. Creating a template for this information for each user within an organization would be time consuming and unwieldy, to say the least. It is for this purpose that section options may be exported. In this particular example a domain activity section could be included in a report template and have its Denied status checkbox enabled. Swapping to the export tab shows a list of all the available options for this report; choosing to export the username field prior to creating the report template means that the username field is present for this template report on the reports tab of the Advanced Firewall main interface (info > reports > reports).
Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page); however, it would also have the added effect of allowing a user to turn this option off when using the template. Similarly, typing a username into the section's username option (on the options tab) allows the template report to carry a default username, which can be changed by the person using the report template.
Reporting Folders
Report templates can be arranged into a common hierarchy to allow similarly purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Advanced Firewall installation, assuming that the installation has the Guardian3 module installed:

Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Per category
        Blogs
            Category analysis
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN News
            Slashdot
        Social bookmarking
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            Linkedin
            Myspace
            Orkut
            Social networking
            Twitter
        Sport
            BBC Sport
            ESPN Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
    Top categories
    Top domains
    Top URLs
    Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders; report templates can be placed in any folder as desired. Folders can be created or deleted from the reports page, which is the main place to use to find report templates and report folders. It also provides the ability to rename folders and to edit and remove report templates.
Folder navigation is achieved by clicking on the folder name. A location bar is also present along the top of the reports page which allows users to navigate the folder structure. Clicking on a folder higher up in the hierarchy provides a list of alternative folders on the same level of the tree; this provides a faster means to navigate the list of available folders.
Creating a Folder
To create a folder, simply navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar. This will create a new folder called new folder, with the ability to rename it. Entering the desired name into the text box that is presented and clicking rename will change the name of the report folder. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.
Renaming Folders
Deleting Folders
Folders can be deleted from the reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder. Note that this limitation is in place because folder and report template deletion cannot be undone; such potentially dangerous actions are therefore deliberately long-winded.
Scheduling Reports
It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Reports generated in this way may be saved for later use via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or a plaintext email. Scheduled reports are deliberately flexible and present a full list of all report templates that can be scheduled. Options exported to the reports page may also be set on a report-by-report basis, so it is possible to schedule for one user (the sales manager, for example) the web activity report for the sales group using a web activity report template, and for another user (the support manager) the web activity report for the support group by means of the same report template.

Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals available are:

Daily: each day at the allocated time
Weekday: each working day (Monday to Friday) at the allocated time
Weekly: every week at the allocated time on the same day of the week as the first report
Monthly: every month at the allocated time on the same day of the month as the first report

Repetition can also be disabled if it is not desirable to receive a report at regular intervals.
Scheduled reports can also be made available to particular portals using the report template's portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by.
Portal Permissions
Reports can be made available to individuals who do not have access to the Advanced Firewall administrative interface via the Advanced Firewall user portal. This is achieved via a report's, or report template's, portal permissions. There are two variations of portal permissions which dictate exactly how a report might be used. Normal report permissions allow a user, via the portal, access to either a particular report or a particular report template. Access in this context means that they are able to generate and view the report data. Automatic access allows a user's reporting activity to be made available to other users via the portal. To clarify this: a report template will generate a report when it is used. When it is generated via the portal, this report will by default only be available to the user who created it. Automatic access allows this report to be made automatically available to other users who share the author's portal, or to one or more other portals as desired. The Automatic access permission of portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report, regardless of which portal that user was in.
Reporting Sections
Generators and Linkers
Reporting sections can be divided into two principal types, generators and linkers.
Whilst all report sections generate results, and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context. For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section will take a Guardian username (be it derived from Active Directory or another such authentication mechanism) and show the IP addresses that are associated with this user in the Guardian web proxy access logs. It will also show the timestamps at which these hits occurred. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it. This information is perhaps informative, but not particularly so. However, the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the SmoothIM module provides tracking of Instant Message conversations; however, users are unlikely to use (not to mention forbidden from using) their work usernames as their usernames for such conversations. The SmoothIM module does, however, record the IP address used in these conversations, so a linker section such as the one described above is able to feed from a username, to an IP address, to an IM conversation.
General Sections
The bulk of Advanced Firewall's reporting sections are reasonably easy to describe and are detailed quite well by their descriptions; there are, however, several big reports which defy such description and require a more in-depth discussion. These will be covered later. Standard sections show up in the available sections list in a manner similar to the following.
This shows the section's description, title and any results that are returned for use in the system's feed-forward ability.
Network Interfaces
A list of the configured internal and external network interfaces on the system. Includes details about the hardware, configuration and recent network activity for each interface. This report section lists the interfaces available on Advanced Firewall, including any internal NIC interfaces, external NIC interfaces, modems, VLANs and VPN interfaces. The options available to this section allow you to discriminate between internal, external and VPN interfaces, as well as to show or hide any disconnected interfaces. This section returns an interface which may be passed into a report section such as the Individual network interface report section.
As can be seen, a URL entered into the Advanced Firewall reporting system will be automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from. URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial including a combination of protocol, protocol and domain, domain and parameters or the parameters themselves.
To use a partial URL, the URL entered should be of an appropriate format depending upon the combination of parts which is desired. Separation is effectively done from the right-hand side backwards, so any URL starting with / would be viewed as simply the parameters. A URL which starts with a character other than / and does not end with :// is viewed as being the domain.
A URL fragment starting with characters and ending with the string :// will be interpreted as a protocol. Deciphering a URL can, however, be a non-trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, curious URLs, subdomains and a variety of other techniques which can only have been considered a good idea at the time. For example, StumbleUpon, a social bookmarking site, exists not only at the domain www.stumbleupon.com but also at stumbleupon.com, a common enough situation with regard to the absence of www. However, it also receives some of its content from cdn.stumble-upon.com and stumbleupon.stumble-upon.com. For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting system to dealing with URLs as regular expression matches rather than strict matching.
These options can be turned on individually for the protocol, domain and parameter parts of a URL; for speed and processing reasons it is advised that they be turned on for as few of the parts as possible.
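Added example (not code from the guide or from Advanced Firewall): a Python model of the URL recognition rules above. split_url separates a complete or partial URL from the right-hand side backwards, and url_matches compares each part that is present either strictly or, for the parts named in regex_parts, as a regular expression. Strict comparison being an exact string match, and the sample URLs, are assumptions of this example.

```python
import re
from typing import Dict, Iterable, Optional


def split_url(fragment: str) -> Dict[str, Optional[str]]:
    """Split a complete or partial URL into protocol, domain and parameters,
    following the rules described in the guide:
      - a fragment starting with '/' is just the parameters;
      - a fragment ending with '://' is just the protocol;
      - otherwise the leading text is the domain, optionally preceded by
        'protocol://' and followed by '/parameters'.
    Absent parts are returned as None."""
    if fragment.startswith("/"):
        return {"protocol": None, "domain": None, "parameters": fragment}
    if fragment.endswith("://"):
        return {"protocol": fragment[:-3], "domain": None, "parameters": None}
    protocol = None
    rest = fragment
    if "://" in rest:
        protocol, rest = rest.split("://", 1)
    # Separate from the right: everything from the first '/' onwards is the
    # parameters; whatever is left in front of it is the domain.
    parameters = None
    slash = rest.find("/")
    if slash >= 0:
        parameters = rest[slash:]
        rest = rest[:slash]
    return {"protocol": protocol, "domain": rest or None, "parameters": parameters}


def url_matches(filter_url: str, logged_url: str,
                regex_parts: Iterable[str] = ()) -> bool:
    """Decide whether a logged URL satisfies a (possibly partial) filter URL.
    Parts absent from the filter are unconstrained. Parts named in regex_parts
    ('protocol', 'domain', 'parameters') are compared as regular expressions
    (the guide's per-part regex option); the others are compared strictly
    (exact match, an assumption of this example)."""
    wanted = split_url(filter_url)
    actual = split_url(logged_url)
    regex_parts = set(regex_parts)
    for part in ("protocol", "domain", "parameters"):
        pattern = wanted[part]
        if pattern is None:
            continue
        value = actual[part]
        if value is None:
            return False
        if part in regex_parts:
            if re.fullmatch(pattern, value) is None:
                return False
        elif pattern != value:
            return False
    return True


# Constructed sample of proxy-log URLs, including the StumbleUpon host
# variants mentioned in the guide.
SAMPLE_URLS = [
    "http://www.stumbleupon.com/",
    "http://stumbleupon.com/s/",
    "http://cdn.stumble-upon.com/img/logo.png",
    "http://stumbleupon.stumble-upon.com/su/",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
]


def count_hits(filter_url: str, urls: Iterable[str],
               regex_parts: Iterable[str] = ()) -> int:
    """Number of logged URLs that satisfy the filter."""
    return sum(1 for u in urls if url_matches(filter_url, u, regex_parts))


if __name__ == "__main__":
    # A strict domain catches only one host; a regex domain catches all four.
    print(count_hits("stumbleupon.com", SAMPLE_URLS))
    print(count_hits(r"([a-z]+\.)?stumble-?upon\.com", SAMPLE_URLS, {"domain"}))
```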
Hence, searching for options other than CONNECT will provide results which may have been subjected to HTTPS interception. Additionally setting the URL to include the string https:// will return only those results which have been HTTPS intercepted as it restricts the results to those which are via the HTTPS protocol and using a connection method other than CONNECT.
Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked), Exception, Infected or Modified. The meaning of these is covered below.

Almost blocked: This denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). This shows content which contained a number of phrases which elevated its score, but did not quite cause the site to be blocked.

Denied: This denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason why the page was banned can be determined by adding the include status option on those reports which support it. Note, however, that this can change the ordering of the results.

Exception: The site in question was not filtered for one of several reasons: it may be that it is whitelisted, soft-blocked or temporarily bypassed, or that the client IP/group is not subject to filtering, etc.

Infected: This shows content which was marked as being viral/malware.

Modified: Denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript etc.), or to enforce AUP concepts such as safe search.
Search terms are denoted as being either an individual word, or the entire phrase which was searched for. For example, searching for babylon 5 earth destroyer would be considered to be three search words, babylon 5, earth and destroyer, and one search phrase. Note that the search term reporting will treat any quoted strings as a single search word. Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however, search filtering can be made case sensitive by use of the case sensitive search option under the advanced options for this report. Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options. Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop words. Words such as and, of and the are usually omitted by most search engines, and this can be taken into consideration by using the option individual (uncommon) search terms on the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine, which is as follows: i, a, about, an, are, as, at, be, by, com, de, en, for, from, how, in, is, it, la, of, on, or, that, the, this, to, was, what, when, where, who, will, with, und, the and www. Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be obtained by use of the Guardian status denied option under the Guardian status options.
This filtering is achieved by using the individual report section's Search term matching options, presented under the individual section's advanced options. Note that all search term filters operate over the search phrase rather than individual words, and can optionally be changed to use regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms, this filter can be used in combination with the Guardian status filters.
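As an added example rather than code from the guide, the following Python implements the search term handling described above: quoted strings as single search words, the stop word list for the individual (uncommon) mode, the case sensitive and regular expression options, and a count of the top blocked (denied) search phrases over a constructed set of search records. The record layout, and quoting "babylon 5" to make it one word, are assumptions of this example.

```python
import re
from collections import Counter
from typing import List, Optional, Sequence, Tuple

# The guide's list of common words omitted by the Google search engine.
STOP_WORDS = {
    "i", "a", "about", "an", "are", "as", "at", "be", "by", "com", "de", "en",
    "for", "from", "how", "in", "is", "it", "la", "of", "on", "or", "that",
    "the", "this", "to", "was", "what", "when", "where", "who", "will",
    "with", "und", "www",
}

# A quoted string counts as a single search word; otherwise split on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def search_words(phrase: str, case_sensitive: bool = False) -> List[str]:
    """Break a search phrase into its individual search words."""
    words = []
    for m in _TOKEN.finditer(phrase):
        word = m.group(1) if m.group(1) is not None else m.group(2)
        if word:
            words.append(word if case_sensitive else word.lower())
    return words


def uncommon_search_words(phrase: str, case_sensitive: bool = False) -> List[str]:
    """Search words with stop words removed (the 'individual (uncommon) search
    terms' mode). Stop words are recognised regardless of case."""
    return [w for w in search_words(phrase, case_sensitive)
            if w.lower() not in STOP_WORDS]


def phrase_matches(phrase: str, wanted: str, use_regex: bool = False,
                   case_sensitive: bool = False) -> bool:
    """Search term filter over the whole phrase: by default 'strings containing
    this phrase', optionally a regular expression search."""
    if use_regex:
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(wanted, phrase, flags) is not None
    if case_sensitive:
        return wanted in phrase
    return wanted.lower() in phrase.lower()


# Constructed sample of search records as a Guardian-style report would see
# them: (username, Guardian status, search phrase).
SEARCH_LOG: List[Tuple[str, str, str]] = [
    ("alice", "", '"babylon 5" earth destroyer'),
    ("bob", "denied", "Free Online Games"),
    ("carol", "denied", "free online games"),
    ("alice", "", "History of Babylon 5"),
    ("dave", "exception", "the history of the bbc"),
]


def top_search_terms(records: Sequence[Tuple[str, str, str]], mode: str = "phrase",
                     status: Optional[str] = None, limit: int = 10,
                     case_sensitive: bool = False,
                     phrase_filter: Optional[str] = None,
                     use_regex: bool = False) -> List[Tuple[str, int]]:
    """Count search phrases ('phrase'), words ('words') or uncommon words
    ('uncommon'), optionally restricted to one Guardian status (for example
    'denied' for blocked searches) and to phrases passing a search term filter."""
    counts: Counter = Counter()
    for _user, record_status, phrase in records:
        if status is not None and record_status != status:
            continue
        if phrase_filter is not None and not phrase_matches(
                phrase, phrase_filter, use_regex, case_sensitive):
            continue
        if mode == "phrase":
            counts[phrase if case_sensitive else phrase.lower()] += 1
        elif mode == "words":
            counts.update(search_words(phrase, case_sensitive))
        elif mode == "uncommon":
            counts.update(uncommon_search_words(phrase, case_sensitive))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return counts.most_common(limit)


if __name__ == "__main__":
    # Blocked search phrases, as the Guardian status denied option would give.
    print(top_search_terms(SEARCH_LOG, mode="phrase", status="denied"))
    print(top_search_terms(SEARCH_LOG, mode="uncommon", limit=3))
```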
This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those options which are not are grayed out in the example above and will be omitted from any further discussion, as they apply the expected limitations on the search results, changing the number of results or applying a username, client IP address or group filter etc. The most important option for this report section is the URL, which in this example is a regular expression URL which refers to the BBC news web site. The protocol and domain fields in the URL in this example are reasonably straightforward: they do not contain any regular expression matches (anything in brackets) and as such will not be used for anything further in this report section. The parameters field, however, does contain two regular expression matches, the parts between the opening and closing brackets, ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term will be used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL. In this example there are two matches which are extracted from the URL; if a BBC news article URL is considered:

http://news.bbc.co.uk/1/hi/technology/7878769.stm

the two matches would provide technology and 7878769. Of these two parameters, one is the section of the BBC news site this article is from, the other is the article name. The Match to extract from domain and Match to extract from parameters options indicate which regular expression match ($1, $2, $3 etc.) to extract from the URL for the purposes of identifying unique content. In this example we can see that parameter match 2 would be used to uniquely identify this URL, being the value 7878769, or the article number. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top news articles.
Rebuild and include example URL: As part of its drill-down and feed-forward abilities, the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match.

Note that some sites, YouTube for example, can host several different URLs for the same video ID. In these cases the reconstructed URL is a potential URL that might have been used, even if it is not the actual URL that was encountered. To elaborate on this matter, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video and could be matched accordingly (giving two hits for this video); however, the system would then have to construct a probable URL for the content, which would in this example reference either the .com or the .co.uk address version.
Recognise common URLs: This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or the ability to extract a page title from an HTML page's header. In this example we can see that the option is enabled; thus for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report.

Domain match and Parameter match: These options allow additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. The options Match to compare domain to and Match to compare parameters to allow values to be substituted into the appropriate URL regular expression match to further filter the URL. In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box would be substituted into $1 in the URL. This would mean that entering the option technology into the Parameter match field would produce the top 50 news articles from the technology section of the BBC News web site.

Results title: This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be included as the section title for the feed-forwarded results. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the result's feed-forward values by means of a wildcard. In the above example we can see that %matchtitle% is used as the value, which would present the feed-forward result of matchtitle as the title for any feed-forward sections. In this case, %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively, values of %domainmatch%, %parametermatch% or %url% could be used. In this manner, the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no inbuilt understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but are outside of the scope of the standard templates.
In this example the URL extraction section is being used to display the top 50 video results from the YouTube site. The URL once again contains a series of regular expression matches, this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs.
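The following Python is an added worked example of the URL extraction logic described in this section, not code from the guide or from Advanced Firewall. It assumes a regular expression for the BBC News article URL form above and a constructed log of URLs; it keys the hits on a chosen capture group (Match to extract from parameters), substitutes a Parameter match value into $1, rebuilds an example URL, and expands a Results title wildcard. %matchtitle% is not reproduced, as it requires fetching each page.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple


def group_spans(pattern: str) -> List[Tuple[int, int]]:
    """Positions of the capturing groups '( ... )' of a regular expression in
    $1, $2, ... order. Escaped parentheses and character classes are skipped."""
    spans: List[List[int]] = []
    stack: List[Optional[int]] = []
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            if pattern.startswith("(?", i):
                stack.append(None)  # non-capturing group, not numbered
            else:
                stack.append(len(spans))
                spans.append([i, -1])
        elif ch == ")":
            idx = stack.pop()
            if idx is not None:
                spans[idx][1] = i + 1
        i += 1
    return [(s, e) for s, e in spans]


def substitute_match(pattern: str, group_no: int, value: str) -> str:
    """Parameter match / Domain match: replace capture group $group_no with a
    literal value, kept as a group so that the numbering does not change."""
    start, end = group_spans(pattern)[group_no - 1]
    return pattern[:start] + "(" + re.escape(value) + ")" + pattern[end:]


def rebuild_url(pattern: str, captured: Sequence[str]) -> str:
    """Rebuild and include example URL: put the captured values back into their
    groups and drop regex escaping. Assumes no metacharacters outside groups
    other than backslash escapes (true for the BBC pattern below)."""
    out, last = [], 0
    for (start, end), value in zip(group_spans(pattern), captured):
        out.append(pattern[last:start])
        out.append(value)
        last = end
    out.append(pattern[last:])
    return "".join(out).replace("\\", "")


def results_title(template: str, values: Dict[str, str]) -> str:
    """Results title: expand %name% wildcards such as %parametermatch%."""
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), template)


def url_extraction(url_pattern: str, urls: Sequence[str], extract_group: int,
                   limit: int = 50, compare_group: Optional[int] = None,
                   compare_value: Optional[str] = None,
                   title: str = "%url%") -> List[Dict[str, object]]:
    """Run a URL extraction section over logged URLs: narrow the pattern with
    the compare value if given, key hits on extract_group, and return the top
    matches with a rebuilt example URL and a rendered title."""
    if compare_group is not None and compare_value is not None:
        url_pattern = substitute_match(url_pattern, compare_group, compare_value)
    rx = re.compile(url_pattern)
    hits: Counter = Counter()
    first_groups: Dict[str, Tuple[str, ...]] = {}
    for url in urls:
        m = rx.fullmatch(url)
        if m is None:
            continue
        key = m.group(extract_group)
        hits[key] += 1
        first_groups.setdefault(key, m.groups())
    results = []
    for key, count in hits.most_common(limit):
        example = rebuild_url(url_pattern, first_groups[key])
        values = {"url": example, "parametermatch": key}
        results.append({"match": key, "hits": count, "url": example,
                        "title": results_title(title, values)})
    return results


# Assumed regular expression URL for the BBC News article form in the guide:
# $1 is the site section, $2 the article number.
BBC_PATTERN = r"http://news\.bbc\.co\.uk/1/hi/([a-z]+)/([0-9]+)\.stm"

# Constructed sample of proxy-log URLs (the last one does not match the form).
SAMPLE_LOG = [
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7900001.stm",
    "http://news.bbc.co.uk/1/hi/business/7890000.stm",
    "http://news.bbc.co.uk/sport1/hi/football/7880000.stm",
]

if __name__ == "__main__":
    # Top articles (match 2) from the technology section only ($1 := technology).
    for row in url_extraction(BBC_PATTERN, SAMPLE_LOG, extract_group=2,
                              compare_group=1, compare_value="technology",
                              title="Article %parametermatch%"):
        print(row["hits"], row["title"], row["url"])
```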
Origin Filtering
Advanced Firewall contains the ability to aggregate reports over several different machines. Several Advanced Firewalls, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting Advanced Firewall system, they each contain a unique identifier to state where they came from. This identifier can be used to filter results to those which originated from a particular machine, or class of machines.
The origin filter on an Advanced Firewall report allows the class of machine, or in some cases the individual machine, to be used to restrict the results.
Note: The list of originating systems does not include a list of individual MobileGuardian installations
derive its configuration from a specific authentication group, and so the default template reports have been constructed with that in mind. By default, MobileGuardian filtering would be achieved using a group filter for the appropriate group; however, should more advanced processing be required, the Origin filter could be used instead.
Appendix C
Troubleshooting VPNs
In this appendix: Solutions to problems with VPNs.
Site-to-site Problems
Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall systems. Failure to get a ping echo would indicate one of the following:

- The remote Advanced Firewall is not running
- You have the wrong IP address for the remote Advanced Firewall
- There is a problem at your Internet Service Provider
- Advanced Firewall has ping disabled via the admin interface

Verify IP addresses by checking the networking > interfaces > interfaces page for the appropriate Ethernet card.
To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates. Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and remote network addresses are mirrored. This is where most people make mistakes. Each node on the VPN network must have its own unique certificate. At least one field in the subject must be different; the subject is a composite of the information fields supplied when the certificate is created. Likewise, the Alt (Alternative) Name field must be unique for each certificate. Obviously, fields like company name can be common to all certificates. A different local network address must be configured at each end of the tunnel; they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address. Be consistent with IDs. For example:

- Hosts on static IPs should use the hostname for the gateway as the ID.
- Hosts on dynamic IPs should use the administrator's email address.
- Road warriors should usually not use an ID, unless they are using an unusual client that requires one.
1s
Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, ESP mode uses IP protocol 50. AH mode uses IP protocol 50. In particular, if the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets.
Check the routing information displayed in Advanced Firewall's status page, there must be a default route (gateway).
Ed i
There is a network connection problem check routers, hubs and cables etc.
ti
on
All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software.
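The symmetry checks above (mirrored IDs, addresses and networks; distinct, non-overlapping local networks that are not both the 192.168.0.0 default; unique certificate subject and Alt Name per node) can be run mechanically before a tunnel is brought up. The following is an added example, not Smoothwall code: each end is described by a constructed dict whose keys (local_id, local_address, local_network, remote_id, remote_address, remote_network, cert_subject, cert_altname) are this example's own naming, not Advanced Firewall field names, and the /24 mask assumed for the 192.168.0.0 default is likewise an assumption.

```python
"""Site-to-site tunnel symmetry check (added example, not Smoothwall code)."""
import ipaddress

# Assumption: the guide's "default of 192.168.0.0" is treated as a /24 here.
DEFAULT_LOCAL_NETWORK = ipaddress.ip_network("192.168.0.0/24")


def check_tunnel_pair(end_a, end_b):
    """Compare both ends of one tunnel; return the problems found (empty list = mirrored)."""
    problems = []

    # 1. IDs, gateway addresses and networks must be mirrored:
    #    A's local value must equal B's remote value, and vice versa.
    for item in ("id", "address", "network"):
        for this, that, this_name, that_name in ((end_a, end_b, "A", "B"),
                                                 (end_b, end_a, "B", "A")):
            if this["local_" + item] != that["remote_" + item]:
                problems.append(
                    f"{item} not mirrored: {this_name} local {this['local_' + item]!r} "
                    f"vs {that_name} remote {that['remote_' + item]!r}")

    # 2. Local networks must differ, must not both be the default, and must not overlap.
    net_a = ipaddress.ip_network(end_a["local_network"])
    net_b = ipaddress.ip_network(end_b["local_network"])
    if net_a == net_b:
        problems.append(f"both ends use the same local network {net_a}")
        if net_a == DEFAULT_LOCAL_NETWORK:
            problems.append("both ends still use the default 192.168.0.0 network")
    elif net_a.overlaps(net_b):
        problems.append(f"local networks overlap: {net_a} and {net_b}")

    # 3. Each node needs its own certificate: subject and Alt Name must differ.
    if end_a["cert_subject"] == end_b["cert_subject"]:
        problems.append("certificate subjects are identical; at least one field must differ")
    if end_a["cert_altname"] == end_b["cert_altname"]:
        problems.append("certificate Alt Names are identical")
    return problems


# Constructed sample: a head office and a branch, each written from its own point of view.
HEAD_OFFICE = {
    "local_id": "gw-head.example.com", "local_address": "198.51.100.10",
    "local_network": "10.1.0.0/16",
    "remote_id": "gw-branch.example.com", "remote_address": "203.0.113.20",
    "remote_network": "10.2.0.0/16",
    "cert_subject": "C=GB, O=Example Ltd, CN=gw-head", "cert_altname": "gw-head.example.com",
}
BRANCH = {
    "local_id": "gw-branch.example.com", "local_address": "203.0.113.20",
    "local_network": "10.2.0.0/16",
    "remote_id": "gw-head.example.com", "remote_address": "198.51.100.10",
    "remote_network": "10.1.0.0/16",
    "cert_subject": "C=GB, O=Example Ltd, CN=gw-branch", "cert_altname": "gw-branch.example.com",
}

if __name__ == "__main__":
    for line in check_tunnel_pair(HEAD_OFFICE, BRANCH) or ["no symmetry problems found"]:
        print(line)
```

Run it against both ends' settings after any change; a non-empty list points at the exact field pair that was typed differently on the two gateways, which is the mistake the text says is most common.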
In a default configuration, Microsoft's L2TP client does not produce any log files. This can make diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:
The following URL is Microsoft's own guide to debugging L2TP connection problems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325034
Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values
In small, single-subnet Windows networks, network browsing is facilitated via network broadcasts. In these small networks, network neighborhood will just work without any configuration required. If a road warrior were to connect in, though, it would be unable to browse the network unless the administrator has configured the network to enable it. This is because network broadcasts do not normally cross network boundaries, such as routers and VPNs. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same. In the case of road warrior connections, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page.
For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN.
For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. Any road warriors connecting in should also be set to use this WINS server. If this is done, then when they are connected to the office network via the VPN, they should be able to browse the office network, attach to printers and shares, etc.
In more complex arrangements, such as two subnets of Windows machines with a VPN between the two, it is necessary to set up either one WINS server and share it between the subnets, or have one on each and configure a replicating system between the two. Again, the problem to be resolved is identical to that which the administrator would face with two normally routed networks.
Appendix D
Email Protocols
This appendix contains: General information on the SMTP and POP3 email protocols.
About SMTP
Simple Mail Transfer Protocol (SMTP) is a protocol used to send and receive email between mail servers. The protocol specifies the control messages and means of interaction that allow email to be transferred between two mail servers.
When a user sends an email, their mail client software uses SMTP to connect and transfer the email to the SMTP server listed in their account settings. Once an email has been transferred in this manner, it will continue to be transferred by successive SMTP servers until it arrives at its final destination. Each successive transfer is initiated by the SMTP server that currently holds the email.
Because every email transferred using SMTP is initiated by an SMTP client process, it is easiest to describe an email's journey to its destination from the point of view of successive SMTP clients. In this sense, the term SMTP client can be used to refer to the user's mail client software, or any intermediary SMTP server that serves to transfer the mail to another SMTP server en route.
To summarize, successive SMTP clients will act independently to transfer an email to its destination, by following these steps:
1. SMTP client finds the next SMTP server for onward mail transfer.
2. SMTP client connects to the next SMTP server.
3. SMTP client authenticates itself to the SMTP server.
4. SMTP client informs SMTP server of recipient address.
5. SMTP client transfers email to SMTP server.
6. SMTP client disconnects from SMTP server.
This process is repeated until the email arrives at its final destination. Note that step 1 (where the SMTP client finds the next SMTP server) is the only area where the behavior of a user's mail client differs from that of an SMTP server:
User's mail client: This SMTP client looks at the user's mail account settings to find the next SMTP server for onward mail transfer.
SMTP server: This SMTP client looks at the MX (Mail eXchange) record in the DNS record of the recipient domain to find the next SMTP server for onward mail transfer.
When email is transferred between one server and another, it is said to have been relayed. Mail servers usually provide additional services such as POP3 or IMAP so that mail can be downloaded or viewed by end-users.
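Steps 2 to 6 above are a short command/reply dialogue, and the decision the receiving server makes at step 4 (accept the recipient, or refuse to relay) is what separates a mail gateway from an open relay. The following added example, which is not Smoothwall code, runs that dialogue in memory with both sides' messages recorded: a tiny responder that accepts mail for its own domains from anyone but relays to other domains only after a successful AUTH, and a client that walks through the steps. The host names, domains and the alice credential are constructed for the example.

```python
"""In-memory SMTP exchange for the steps in this appendix (added example, not Smoothwall code).

The responder accepts recipients in its own domains from anyone and relays to
other domains only for authenticated clients, which is the rule that keeps a
gateway from being an open relay. The client returns the whole transcript so
both sides of the exchange can be read.
"""
import base64


class TinySmtpServer:
    """Minimal SMTP responder covering EHLO, AUTH PLAIN, MAIL, RCPT, DATA and QUIT."""

    def __init__(self, local_domains, credentials):
        self.local_domains = {d.lower() for d in local_domains}
        self.credentials = credentials  # constructed username -> password table
        self.authenticated = False
        self.sender, self.recipients = None, []
        self.in_data, self.data_lines = False, []
        self.delivered = []  # (sender, recipients, body) for every accepted message

    def greet(self):
        return "220 mx.example.com ESMTP ready"

    def handle(self, line):
        """Return the reply for one client line, or None for a body line inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.data_lines)))
                return "250 2.0.0 queued"
            self.data_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mx.example.com\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            # AUTH PLAIN carries base64("\0user\0password")
            try:
                _, user, password = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (ValueError, IndexError):
                return "501 5.5.2 malformed AUTH"
            if self.credentials.get(user) == password:
                self.authenticated = True
                return "235 2.7.0 authentication successful"
            return "535 5.7.8 authentication failed"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            self.recipients, self.data_lines = [], []
            return "250 2.1.0 sender ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rsplit("@", 1)[-1].lower()
            # Relay check: local domains always accepted, others only after AUTH.
            if domain in self.local_domains or self.authenticated:
                self.recipients.append(rcpt)
                return "250 2.1.5 recipient ok"
            return "554 5.7.1 relay access denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 no valid recipients"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "500 5.5.1 command unrecognized"


def send_message(server, sender, recipient, body, user=None, password=None):
    """Act as the SMTP client for steps 2-6; return (accepted, transcript)."""
    transcript = ["S: " + server.greet()]
    accepted = True

    def send(cmd):
        nonlocal accepted
        transcript.append("C: " + cmd)
        reply = server.handle(cmd)
        if reply is not None:
            transcript.append("S: " + reply)
            if reply[0] in "45":  # any permanent or temporary failure
                accepted = False
        return reply

    send("EHLO client.example.org")
    if user is not None:  # step 3, only when the client has credentials
        token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        send(f"AUTH PLAIN {token}")
    send(f"MAIL FROM:<{sender}>")
    if send(f"RCPT TO:<{recipient}>").startswith("250"):  # step 4
        send("DATA")  # step 5
        for line in body.splitlines():
            send(line)
        send(".")
    send("QUIT")  # step 6
    return accepted, transcript


if __name__ == "__main__":
    server = TinySmtpServer(["example.com"], {"alice": "constructed-pw"})
    ok, log = send_message(server, "bob@example.org", "dave@elsewhere.test", "hello")
    print("\n".join(log), "\naccepted:", ok)
```

Running the unauthenticated foreign-domain case prints the 554 refusal at the RCPT step, which is the response a gateway that is not an open relay should give; the same client with valid AUTH is relayed.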
About POP3
Post Office Protocol 3 (POP3) is a standard protocol designed for retrieving email from mail servers. All popular mail client applications support the POP3 protocol, including Eudora, Microsoft Outlook Express and Mozilla Thunderbird.
Such applications use POP3 to connect to a user's mail server and download email from their personal mailbox to their local system. Most mail clients can be configured to periodically check for email, as well as allowing users to manually request their mailbox to be checked.
Appendix E
Deploying in an Existing Email Infrastructure
In many networks, the email server, running via SMTP, exists internally to the protected network, usually on a demilitarized zone (DMZ). In these cases, it is common to place Advanced Firewall between the outside world and the email server, usually on or as close to the firewall or gateway as is possible.
In such situations, it is common practice for the domain name servers (DNS) to have their mail exchange (MX) records for the appropriate domain contain the IP address of the firewall. The firewall then uses a system of network translations to direct incoming email to the local SMTP server. In these scenarios, it is usually not necessary to make any changes to the existing DNS records to direct mail through Advanced Firewall. Advanced Firewall would be configured to relay mail from the firewall to the internal SMTP server.
For assistance in setting up the external DNS servers, see External Self-Managed SMTP Email.
External Mail Server using POP3 Collection
Since mail servers are prone to being unavailable for periods of time, a domain may have several MX records, each given a numeric value. By default, MX records will be processed lowest numbered first. That is to say, an email will be delivered to whichever server responds correctly, starting with the one with the lowest number. Assuming that the DNS MX record for example.com currently points at 123.123.123.123, it is necessary to break this arrangement and insert Advanced Firewall before mail reaches the server 123.123.123.123. Assuming that Advanced Firewall is located at address 200.200.200.200, the primary MX record would be changed to point to 200.200.200.200. Advanced Firewall would then be configured on the email > smtp > incoming page to direct traffic for example.com to 123.123.123.123.
Tip: Since Advanced Firewall may be temporarily unavailable for one reason or another, be it as the result of a minor network glitch or something more serious, it is considered good practice to place the final destination, in this case 123.123.123.123, as a secondary or higher numbered MX record for the domain.
Where this is done, should Advanced Firewall be unavailable, email will be delivered immediately, albeit unchecked for spam and malware, to the original email server.
Note: The technique described in the tip above can be very effective, however caution should be paid to
Increasingly, spam is being directed deliberately at the secondary MX record as opposed to the primary. This is because, in many situations, the secondary MX record has less aggressive anti-spam and anti-malware measures applied to its email. Of course, to combat such mechanisms, the secondary and tertiary MX records could all be routed through an Advanced Firewall-enabled system.
Note: In some situations, a mail server, such as Microsoft Exchange, may be using POP3 for mail retrieval, since the POP3 protocol is not strictly limited to client delivery. In these scenarios, Advanced Firewall's transparent POP3 proxy would allow for email to be processed en route to the mail server.
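The MX arrangement above has two behaviours worth seeing side by side: sending servers try the lowest-numbered record first and fall through to the next one when it does not answer, and any higher-numbered record that is not itself a filtering system is an unfiltered path into the original server (which is why the secondary MX attracts spam). This added example, not Smoothwall code, models both with the addresses used in the text; the set of filtering hosts is an assumption of the example, and real MX targets are host names rather than the bare addresses the guide uses.

```python
"""MX preference order, fallback and unfiltered-path audit (added example, not Smoothwall code)."""

# Constructed MX set for example.com after the change described in the text:
# preference 10 -> the Advanced Firewall system, preference 20 -> the original server.
EXAMPLE_COM_MX = [(20, "123.123.123.123"), (10, "200.200.200.200")]

# Assumption for this example: which MX hosts perform spam and malware checks.
FILTERING_MX = {"200.200.200.200"}


def delivery_order(mx_records):
    """Hosts in the order a sending server tries them: lowest preference value first.
    Records with equal preference keep their input order here; real senders may shuffle them."""
    return [host for _, host in sorted(mx_records, key=lambda rec: rec[0])]


def first_accepting_mx(mx_records, unavailable):
    """Simulate one delivery attempt: (host, filtered) for the first MX that answers,
    or (None, False) when every MX host is down."""
    for host in delivery_order(mx_records):
        if host in unavailable:
            continue
        return host, host in FILTERING_MX
    return None, False


def unfiltered_paths(mx_records):
    """MX hosts that receive mail without passing through a filtering system.
    Mail aimed at these records bypasses the checks, so the list should be empty once
    every MX record is routed through an Advanced Firewall-enabled system."""
    return [host for host in delivery_order(mx_records) if host not in FILTERING_MX]


if __name__ == "__main__":
    print("delivery order:", delivery_order(EXAMPLE_COM_MX))
    print("firewall up:   ", first_accepting_mx(EXAMPLE_COM_MX, set()))
    print("firewall down: ", first_accepting_mx(EXAMPLE_COM_MX, {"200.200.200.200"}))
    print("unfiltered:    ", unfiltered_paths(EXAMPLE_COM_MX))
```

With the firewall down the simulation returns 123.123.123.123 with filtered set to False, which is the "delivered immediately, albeit unchecked" case from the text; the audit function shows the same host as a standing unfiltered path even while the firewall is up.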
Appendix F
Hosting Tutorials
In this appendix: examples of hosting using Advanced Firewall.
Extended Hosting Arrangement
Destination port: POP3 (110), Comment: Mail Server .3 POP3
External IP: 100.100.100.0/24, Source IP: 216.1.1.3, Destination IP: 192.168.1.3, Source port: HTTP (80), Destination port: HTTP (80), Comment: Web Server .3 HTTP, Protocol: TCP
External IP: 100.100.10.0/24, Source IP: 216.1.1.3, Destination IP: 192.168.1.3, Source port: HTTP (80), Destination port: HTTP (80), Comment: Web Server .3 HTTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.4, Destination IP: 192.168.1.4, Source port: SMTP (25), Destination port: SMTP (25), Comment: Mail Server .4 SMTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.4, Destination IP: 192.168.1.4, Source port: POP3 (110), Destination port: POP3 (110), Comment: Mail Server .4 POP3
More Advanced Hosting Arrangement
Web Server .2: External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.
Web Server .3: External IP: 216.1.1.3, Internal IP: 192.168.1.3.
Virtual Web Server .5: External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6.
Virtual Web Server .6: External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5.
Mail Server [ext. out]: External IP: 216.1.1.7, Internal IP: 192.168.1.6, for outgoing mail.
Mail Server [ext. in]: External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3.
To configure this scenario:
Source IP: 216.1.1.4, Destination IP: 192.168.10.4, Source port: HTTP (80), Destination port: HTTP (80), Comment: Intranet Web Server .4 HTTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.5, Destination IP: 192.168.1.5, Source port: HTTP (80), Destination port: HTTP (80), Comment: Virtual Web Server .5 HTTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.6, Destination IP: 192.168.1.5, Source port: HTTP (80), Destination port: HTTP (80), Comment: Virtual Web Server .6 HTTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.7, Destination IP: 192.168.1.7, Source port: SMTP (25), Destination port: SMTP (25), Comment: Mail Server .7 SMTP, Protocol: TCP
External IP: <BLANK>, Source IP: 216.1.1.7, Destination IP: 192.168.1.7, Source port: POP3 (110), Destination port: POP3 (110), Comment: Mail Server .7 POP3
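The rule listings in this appendix are printed as a run of "Field: value" pairs, which is awkward to review by eye once a site has more than a handful of forwards. The following added example, not Smoothwall code, parses that flattened form (it tolerates a listing that starts mid-rule at a page break and rules that omit trailing fields) and then checks the one property a reviewer most wants to know: that no two forwards claim the same external listener but send it to different internal endpoints. The field names are the ones printed on the page; the listener key and the conflict rule are this example's own choices, not documented Advanced Firewall behaviour, and the sample text is the "More Advanced Hosting Arrangement" listing from this page with one constructed duplicate used in the self-check.

```python
"""Parser and conflict check for flattened port-forward listings (added example, not Smoothwall code)."""
import re

# Field names exactly as they appear in the listings, in their printed order.
FIELDS = ["External IP", "Source IP", "Destination IP", "Source port",
          "Destination port", "Comment", "Protocol"]
FIELD_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")


def parse_rules(text):
    """Split a run-together listing into one dict per rule.

    A new rule starts whenever a field appears that is not later in the printed
    order than the previous field, so the listing may begin mid-rule (as after a
    page break) and a rule may stop early (e.g. without Protocol)."""
    parts = FIELD_RE.split(text)  # [leading text, field, value, field, value, ...]
    rules, current, last_index = [], {}, -1
    for field, value in zip(parts[1::2], parts[2::2]):
        index = FIELDS.index(field)
        if index <= last_index and current:
            rules.append(current)
            current = {}
        current[field] = value.strip().rstrip(",")  # also accepts comma-separated form
        last_index = index
    if current:
        rules.append(current)
    return rules


def find_conflicts(rules):
    """Rules whose external listener (External IP, Source IP, Source port, Protocol)
    was already forwarded elsewhere; returns (comment, listener, first target, this target)."""
    seen, conflicts = {}, []
    for rule in rules:
        listener = tuple(rule.get(f, "") for f in ("External IP", "Source IP", "Source port", "Protocol"))
        target = (rule.get("Destination IP", ""), rule.get("Destination port", ""))
        if listener in seen and seen[listener] != target:
            conflicts.append((rule.get("Comment", "?"), listener, seen[listener], target))
        seen.setdefault(listener, target)
    return conflicts


# Listing copied from this appendix in its extracted, flattened form.
LISTING = (
    "Source IP: 216.1.1.4 Destination IP: 192.168.10.4 Source port: HTTP (80) "
    "Destination port: HTTP (80) Comment: Intranet Web Server .4 HTTP Protocol: TCP "
    "External IP: <BLANK> Source IP: 216.1.1.5 Destination IP: 192.168.1.5 Source port: HTTP (80) "
    "Destination port: HTTP (80) Comment: Virtual Web Server .5 HTTP Protocol: TCP "
    "External IP: <BLANK> Source IP: 216.1.1.6 Destination IP: 192.168.1.5 Source port: HTTP (80) "
    "Destination port: HTTP (80) Comment: Virtual Web Server .6 HTTP Protocol: TCP "
    "External IP: <BLANK> Source IP: 216.1.1.7 Destination IP: 192.168.1.7 Source port: SMTP (25) "
    "Destination port: SMTP (25) Comment: Mail Server .7 SMTP Protocol: TCP "
    "External IP: <BLANK> Source IP: 216.1.1.7 Destination IP: 192.168.1.7 Source port: POP3 (110) "
    "Destination port: POP3 (110) Comment: Mail Server .7 POP3"
)

# Constructed duplicate listener for the self-check: same 216.1.1.7:25/TCP, different target.
DUPLICATE = (" External IP: <BLANK> Source IP: 216.1.1.7 Destination IP: 192.168.1.9 "
             "Source port: SMTP (25) Destination port: SMTP (25) Comment: constructed duplicate Protocol: TCP")

if __name__ == "__main__":
    for rule in parse_rules(LISTING):
        print(rule)
    print("conflicts in page listing:", find_conflicts(parse_rules(LISTING)))
    print("conflicts with duplicate: ", find_conflicts(parse_rules(LISTING + DUPLICATE)))
```

The page's own listing parses into five rules with no conflicts (the two virtual web servers share an internal target, which is a fan-in rather than a clash); the appended duplicate is reported because it reuses the SMTP listener for a different internal host.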
Glossary
Numeric
2-factor authentication
The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.
A
Acceptable Use Policy
See AUP.
Active Directory
Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX*
A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
Algorithm
In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
Alias
terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP
(Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache
Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP
(Acceptable Use Policy) An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization, both for business and personal use.
B
Bandwidth
Bandwidth is the rate at which data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.
BIN
A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow
An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by
C
CA
(Certificate Authority) A trusted network entity, responsible for issuing and managing x509 digital certificates.
Cipher
A cryptographic algorithm.
D
Default Gateway
The gateway in a network that will be used to access another network if a gateway is not specified for use.
DES
today. DES is scheduled for official obsolescence by the US government agency NIST.
DNS
(Domain Name Service) A name resolution service that translates a domain name to an IP address and vice versa.
Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic token
A device which generates one-time passwords based on a challenge/response procedure.
E
Egress filtering
The control of traffic leaving your network.
Encryption
The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the encryption).
ESP
(Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server
A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).
Exploit
A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.
F
Filter
A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS
Federal Information Processing Standards. See NIST.
Firewall
A combination of hardware and software used to prevent access to private network resources.
G
Gateway
A network point that acts as an entrance to another network.
Green
In Smoothwall terminology, green identifies the protected network.
H
Hacker
A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
HTTPS
A secure version of HTTP using SSL.
Hub
A simple network device for connecting networks and network hosts.
I
ICMP
(Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
IDS
Intrusion Detection System
Internet Protocol
IP Address
A 32-bit number that identifies each sender and receiver of network data.
IPS
Intrusion Prevention System
IPtables
The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
IPSec
(Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
K
Kernel
The core part of an operating system that provides services to all other parts of the operating system.
Key
A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Key space
The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.
L
L2F
(Layer 2 Forwarding) A VPN system, developed by Cisco Systems.
L2TP
(Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.
LAN
(Local Area Network) A network between hosts in a similar, localized geography.
Leased Lines
(Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
M
MAC Address
(Media Access Control) An address which is the unique hardware identifier of a NIC.
MX Record
(Mail eXchange) An entry in a domain name database that specifies an email server to handle a domain name's email.
N
NAT-T
(Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough.
NTP
(Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP servers.
O
OU
An organizational unit (OU) is an object used to distinguish different departments, sites or
P
Password
A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM
(Privacy Enhanced Mail) A popular certificate format.
Perfect Forward Secrecy
A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised.
Phase 2
Ping
A program used to verify that a specific IP address can be seen from another.
PKCS#12
(Public Key Cryptography Standards #12) A portable container file format for transporting certificates and private keys.
PKI
(Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates.
Plaintext
Data that has not been encrypted, or ciphertext that has been decrypted.
time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization.
Port
A service connection point on a computer system, numerically identified between 0 and 65536. Port 80 is the HTTP port.
Port Forward
A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
Private Circuits
See Leased Lines.
Private Key
A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.
Protocol
A formal specification of a means of computer communication.
Public Key
A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.
Q
QOS
(Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.
R
RAS
(Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.
Red
In Smoothwall, red is used to identify the unprotected network (typically the Internet).
RIP
(Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.
Road Warrior
An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.
Rules
In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.
S
Security policy
A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.
Server
In general, a computer that provides shared resources to network users.
Single Sign-On (SSO)
The ability to log in to multiple computers or servers in a single action by entering a single password.
Site-To-Site
A network connection between two LANs, typically between two business sites. Usually uses a static IP address.
Smart card
A device which contains the credentials for authentication to any device that is smart card-enabled.
Spam
Junk email, usually unsolicited.
SQL Injection
A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.
SSL VPN
A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.
Strong encryption
A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.
T
Triple DES (3-DES) Encryption
A method of data encryption which uses three encryption keys and runs DES three times. Triple-DES is substantially stronger than DES.
for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.
U
User name / user ID
A unique name by which each user is known to the system.
V
VPN
(Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.
X
X509
An authentication method that uses the exchange of CA-issued certificates to guarantee authenticity.
Index
A accessing 4 action to perform on malware 192 action to perform on spam 203 active directory extra realm 238, 241 group search root 237, 241 kerberos discover 237, 240 kerberos realm 236, 239 multiple user search roots 237, 240 netbios domain name 237 port 237, 240 sam account name 237 server password 236, 239 server username 236, 239 admin 3 admin options 12 administration 12 administration login failures 266 administrative users 12 adsl modem settings 28 advanced 8 AIM 89 aim 89 alerts 5, 265 administration login failures 265 email 297 email to sms 296 firewall notifications 265 hardware failover notification 265 hardware failure alerts 265 health monitor 265 inappropriate words in im 266 intrusion detection system monitor 266 l2tp vpn tunnel status 265 license expiry status 265 output system test messages 266 settings 5 smoothrule violations 265 smoothtunnel vpn certificate monitor 265 system boot (restart) notification 266 system resource monitor 265 system service monitoring 265 traffic statistics monitor 266 update monitoring 266 ups, power supply status warning 265 vpn tunnel status 265 allow email delivery 202 anti-malware 192, 198 action to perform on malware 192 enable scanning 192 anti-spam 15, 201 pop3 203 smtp 202 tuning 204 append footers 194 application helper 66 ftp 66 h323 passthrough support 67 irc 66 pptp client support 66 apply action above spam score 202 archive 220 archive address 196 archives 12 archiving 14, 195 archive address 196 match domain or address 196 match recipient 196 match sender 196 attachments 15, 200, 213 manage 213 authentication 9, 118, 223 choosing 336 diagnostics 233, 245 mechanisms 335 SSL login 228 time out 233 time-out 233 authentication system diagnostics 244 managing 244 restarting 244
status 245 stopping 244 automatic whitelisting 89 av 9 B banned users 231 BitTorrent 69 black-list users 90 blacklisting 207 bridging groups 59 rules 55 zones 55 C ca 13, 14 censoring 89 certs 14 ca 13 configuration tests 13 connection methods 24 dial-up modem 30 ethernet 24, 26 ethernet/modem hybrid 24 isdn modem 29 modem 24 connection profiles 24 creating 24 deleting 32 modem 24 modifying 31 connection tracking 50 connections 21 connectivity 7 console connecting via 17 content 15, 199 attachments 200 footers 199 control 4, 9, 13 control page 4 create 5 current allowed addresses 195 current domains 195 custom categories 10 custom signatures 108
disk usage 255 password 253, 254, 255 pruning 253 remote 253 settings 6 username 253, 254, 255 default gateway 22 interface 22 users 231 deferred email 285 denial of service 49 detection policies 104 dhcp 11 custom options 11 leases 11 relay 11 server 11 dhcp ethernet 27 settings 27 diagnostics 13, 233, 245 dial-up modem 30 DirectConnect 69 directory settings 233 prerequisites 234, 241 disk usage 255 dns 10, 95 dynamic 10 proxy 10 proxy service 96 static 10, 95 documentation 2 domain to relay for 194 DoS 49 drop (discard) email 202 E ECN 50 eDonkey 69 email archive 220 logging 284 logs 284 status 285 realtime information 276 email management administering 215 implementing 209 overview 191 email queue 196, 221 mails in 197
F failover 13, 322, 323 failover unit 326 master 324 filtering 6 filters 10 firewall 5, 6 accessing browser 4 connecting 17 notifications 265 firmware upload 13 footers 15, 199, 213 configure 213 ftp 10, 66, 92 G gadugadu 89 global 11, 14 global settings 25 configuring 25 Gnutella 69 graylisting 205 graylisting settings delay 206
manually flush 197 refreshing page 197 total size of 197 email queues number of unique senders 197 email to sms 296 enable anti-malware scanning 192 enable graylisting 205 enable relay host 193 enable spam filtering 203 enable transparent SMTP relay 192 ethernet 24 external access 12 aliases 7 external mail enable relay host 193 password 193 relay host 193 username 193 external mail relay 193 external sender domain spoofing 194 external services 8, 72 editing 73 removing 73
enable 205 maximum age 206 group bridging 7, 59 group search root additional 237, 241 groups 6, 8, 9, 231 banned users 231 default users 231 mapping 243 network administrators 232 renaming 232 unauthenticated ips 231 H h323 passthrough support 67 hardware 13 failover 323 hardware Failover 322 hardware failover notification 265 hardware failure alerts 265 health monitor 265 heartbeat 322 heartbeat interface 22 helo checks 193 hide conversation text 89 hostname 12 https 4 hybrid 24 I icmp 49 ICMP ping 49 ICMP ping broadcast 49 ICQ 89 ids 6, 10 igmp 49 IGMP packets 49 im 87 hide conversation text 89 proxy 5 im proxy 6 inappropriate words in im 266 information 4 instant messenger 9, 87 block file transfers 89 blocked response 89 blocked response message 89 censor 89 intercept ssl 89 logging warning 89 logging warning message 89
protocols aim 89 gadugadu 89 icq 89 jabber 89 msn 89 proxy 87, 88 instant messenger proxy enable 88 enabled on interfaces 90 exception local IP addresses 90 interface name 193 interfaces 7, 199 internal aliases 7 internal domains 14 append footers 194 current domains 195 domain to relay for 194 malware scanning 194 relay ip 194 inter-zone security 55 intrusion detection 11 intrusion detection system 11 intrusion prevention 11 intrusion system 104 custom policies 107 detection policies 104 policies 104 prevention policies 105 intrusion system monitor 266 ip address defining 38 block 7 tools 13 ip exception list 193 ip or subnet to relay from 195 ips 6, 65 ipsec 5, 6 roadwarriors 14 subnets 14 irc 66 isdn modem 29 settings 29 isp 26 J jabber 89 K KaZaA 69
kerberos 237, 240 extra realms 238, 241 kerberos realm 236, 239 L l2tp roadwarriors 14 l2tp vpn tunnel status 265 license expiry status 265 licenses 11 local users 9 activity 227 adding 224 deleting 225 editing 224 exporting 225 importing 225 managing 223 moving 226 viewing 224 log settings 6 logging 284 logs 5 email 284 enable remote syslog 290 inserting 256 remote syslog server 290 retention 291 M mac spoof 27 mail relay about 368 mails in queue 197 main about 4 control 4 maintenance 11 malware message 198 malware scanning 194 manually flush mail queue 197 mark subject as spam 202 master 324 match domain or address 196 match recipient 196 match sender 196 maximum age 206 maximum bounce size 192 maximum email size 192 message censor 10 custom categories 10 filters 10
time 10 Microsoft Messenger 89 modem 13, 24 settings 30 modem profile 24 modules 11 MSN 89 multicast traffic 49 multiple user search roots 237, 240 N netbios domain name 237 network administrators 232 interface 21 networking 6, 8 restart 24 source mapping 40 non-standard smtp checking 193 number of unique senders 197 O OpenVPN 156 outbound access port rules 67 source rules 70 outgoing 8, 14, 195 current allowed addresses 195 ip or subnet to relay from 195 output settings 6 output system test messages 266 P pages email
anti-spam 15 content 15 attachments 15 footers 15 pop3 15 proxy 15 smtp 14 archiving 14 internal domains 14 outgoing 14 queue 14 relay 14 info alerts 5 alerts 5 custom 5
logs 5 firewall 6 ids 6 im proxy 5, 6 ips 6 ipsec 6 system 5 web proxy 6 realtime 5 firewall 5 ipsec 5 portal 5 system 5 traffic graphs 5 reports reports 5 saved 5 scheduled reports 5 settings alert settings 5 database backup 6 database settings 6 groups 6 log settings 6 output settings 6 user portal 6 information 4 reports summary 4 main 4 networking 6, 8 filtering 6 group bridging 7 ip block 7 zone bridging 6 firewall 8 advanced 8 port forwarding 8 source mapping 8 interfaces 7 connectivity 7 external aliases 7 interfaces 7 internal aliases 7 ppp 7 secondaries 7 outgoing 8 external services 8 groups 8 ports 8 sources 8
1s
Ed i
ti
on
389
Index
routing 7 ports 7 rip 7 sources 7 subnets 7 settings advanced 8 port groups 8 services 8 authentication 9 control 9 groups 9 local users 9 settings 9 ssl login 9 temporary bans 9 user activity 9 dhcp dhcp custom options 11 dhcp leases 11 dhcp relay 11 dhcp server 11 global 11 dns 10 dns proxy 10 dynamic dns 10 static dns 10 ids 10 intrusion system detection 11 policies 11 prevention 11 signatures 10 message censor 10 proxies 9 ftp 10 im proxy 9 sip 9 web proxy 9 snmp 10 user portal 9 groups 9 portals 9 user exceptions 9 system administration 12 admin options 12 administrative users 12 external access 12 diagnostics 13 configuration tests 13
Ed i
diagnostics 13 ip tools 13 traffic analysis 13 whois 13 hardware 13 failover 13 firmware upload 13 modem 13 ups 13 maintenance 11 archives 12 licenses 11 modules 11 replication 12 scheduler 12 shell 12 shutdown 12 updates 11 preferences 12 hostname 12 registration options 12 time 12 user interface 12
390
1s
ti
on
vpn 13 ca 14 certs 14 control 13 global 14 ipsec roadwarriors 14 ipsec subnets 14 l2tp roadwarriors 14 ssl roadwarriors 14 password 193 passwords 3 permissive 68 policies 10, 11, 104 intrusion 104 pop3 15, 197 about 368 anti-spam 203 action to perform on spam 203 enable spam filtering 203 spam threshold 203 proxy 212 pop3 proxy anti-malware 198 configure 212 enable anti-malware scanning 198 enable transparent 198 interfaces 199 malware message 198
pop3 proxy configuration 198 port forwarding 8 port forwards 63 comment 65 creating 64 criteria 63 destination address 65 destination port 65 editing 66 enabled 65 external ip 65 ips 65 logging 65 protocol 64 removing 66 source IP 65 source port 65 user defined 65 port groups 8 port rules 67 creating 68 deleting 70 editing 69 modes 68 permissive 68 preset 68 restrictive 68 stealth 69, 71 viewing 70 portal 5, 9, 75, 276 access 80 configure 75 delete 81 edit 80 groups 79 user except 79 portals 9 ports 7, 8 ppp 7 ppp over ethernet settings 27 ppp profile 24 creating 30 pptp client support 66 pptp over ethernet settings 28 preferences 12 prevention policies 105 primary dns 22 proxies 9
dns 96 pop3 197 sip 90 proxy 15 ftp 92 pruning 253, 254, 255 Q quarantine mailbox 202 queue 14 R rbl settings user defined 206 realtime 5 redirect email 202 refreshing page 197 registration options 12 relay 14, 209 configure 209 relay host 193 relay ip 194 replication 12 reports 5, 117, 247 custom 5 database 253 reports 5 scheduled 5 restrictive 68 rip 7 routing 7 rule update frequency 204 rules archive 220 assigning 73 dynamic host 96 external access 316 external service 72 group bridging 59 internal alias 41 ip blocking 47 port 38 port forward 63 smtp access 209 source 70 source mapping 40 subnet 33 zone bridging 55 S sam account name 237
1s
Ed i
ti
on
391
Index
scan attachments 205 scheduled reports 5 scheduler 12 secondaries 7 secondary dns 22 selective ACK 50 sender domain validity 193 server password 236, 239 server username 236, 239 services authentication 9, 233 dhcp 11, 109 dns 10, 95 dns proxy 96 dynamic dns 96 ids 10 intrusion system 104 message censor 10 portal 9 rip 34 sip 90 snmp 10, 94 settings 6, 9 shell 12 shutdown 12 signatures 10 sip 9, 90 types 90 site address 18 smoothrule violations 265 smoothtunnel vpn certificate monitor 265 smtp 14, 191 about 367 anti-malware 192 anti-spam 202 allow email delivery 202 drop (discard) email 202 mark subject as spam 202 quarantine email 202 quarantine mailbox 202 spam threshold 202 archiving 195 email queue 196 internal domains 194 outgoing 195 relay 191 enable transparent SMTP relay 192 maximum bounce size 192 maximum email size 192 time to hold undeliverable mail 192 whitelisting 206
smtp settings anti-malware 192 graylisting 205 relay 191 smtp transparent ip exception list 193 snmp 10, 94 snmp 10 source mapping 8, 40 source rules 70 creating 71 editing 72 rejection logging 71 removing 72 settings 71 sources 7, 8 spam manage 209 spam check optimization mode 204 spam protection 216 spam threshold 202, 203 ssh 17 client 17 web-based 18 SSL 156 ssl login 9, 228 accessing the page 230 customizing 230 enabling 229 exceptions 229 ssl roadwarriors 14 static ethernet settings 27 stealth 69 subnets 7 subscription 215 subscriptions av update 215 summary 4 support 2 SYN backlog queue 50 SYN cookies 49 SYN+FIN packets 50 system 5 system boot (restart) notification 266 system resource monitor 265 system service monitoring 265 T TCP timestamps 50
392
1s
Ed i
ti
on
U unauthenticated ips 231 unchecked email 285 unknown entity 18 updates 11 ups 13 ups, power supply status warning 265 user activity 9, 227 identity 335 interface 12 user defined 206 user exceptions 9 user portal 6 username 193 users banned 231 default 231 local 223 network administrators 232 temporary ban 226 unauthenticated IPs 231
1s
Ed i
telephony settings 31 temporary ban 226 temporary bans 9 time 12 time out 233 time slots 10 time to hold undeliverable mail 192 time-out 336 total size of queue 197 traffic analysis 13 graphs 5 traffic audit 50 traffic statistics monitor 266 training 2 transparent smtp interface name 193 transparent smtp interfaces settings 193 tuning 204 rule update frequency 204 scan attachments 205 spam check optimization mode 204 tutorial vpn 175 zone bridging 57
V virtual lans 23 vlan 23 voip 90 vpn 13, 117 authentication 118 psk 119 x509 119 vpn tunnel status 265 W web proxy 6, 9 white-list users 90 whitelisting 206 whois 13 window scaling 50 Y yahoo 89
ti
on
Z zone bridge narrow 55 rule create 55 settings 56 tutorial 57 wide 55 zone bridging 6, 55
393
394
Index
1s t Ed i ti on
1s
Ed i
ti
on
395
1s
Copyright Smoothwall All rights reserved.
Ed i
ti
on