
Intrusion Detection (page 93)

Finally, if you have configured the remote database to require authentication using a User name and Password, enter them here.

Click Apply.

Setting up the analysis server 

Specific open source tools must be installed on the analysis server for a straightforward evaluation.

The analysis server will typically be a Pentium IV level system running Linux (Red Hat, Debian, etc.) with sufficient memory and disk capacity to run a database and web server, and with at least one Ethernet port. With these tools installed, web pages can be created that display, analyze and graph the data stored in the MySQL database by the SnapGear appliance running Advanced Intrusion Detection. They should be installed in the following order:

1. MySQL database
   http://www.mysql.com/downloads/mysql-4.0.html
   http://www.mysql.com/doc/en/index.html

2. Apache web server
   http://httpd.apache.org/download.cgi
   http://httpd.apache.org/docs-2.0/

3. PHP scripting language, for developing the web pages
   http://www.php.net/downloads.php
   http://www.php.net/download-docs.php

4. ADODB library, which hides the differences between databases used by PHP
   http://php.weblogs.com/adodb#downloads

5. GD graphics library, used by PHP for image creation
   http://www.boutell.com/gd/
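The manual only lists the tools; it does not show how they fit together. The following is an added example, not code from the manual or from SnapGear, of a small PHP analysis page on the kind of server described above: it reads intrusion detection events from the MySQL database through ADODB and renders a bar chart of the most frequent signatures with GD. The database name, the read-only account, the `alerts` table and its `signature` and `timestamp` columns are assumptions for illustration; the appliance's real logging schema is whatever you configured on the Advanced Intrusion Detection page. The one piece of request input (an optional signature filter) is passed to ADODB as a bound parameter rather than spliced into the SQL string.

```php
<?php
// Added example (not SnapGear code): top IDS signatures as a PNG bar chart.
// Stack: PHP + ADODB (database access) + GD (image drawing), MySQL backend.

require_once 'adodb/adodb.inc.php';   // path to the ADODB library (assumed)

// Connection settings (assumed). Use a read-only account for the web tier
// and keep these values outside the web server's document root.
$dbHost = 'localhost';
$dbUser = 'ids_reader';
$dbPass = 'change-me';
$dbName = 'ids';

// Draw one horizontal bar per signature, scaled to the busiest one.
function drawChart(array $rows)
{
    $barH = 18; $gap = 6; $margin = 10; $labelW = 280; $width = 700;
    $height = max(1, count($rows)) * ($barH + $gap) + 2 * $margin;

    $img = imagecreatetruecolor($width, $height);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 0, 0, 0);
    $bar = imagecolorallocate($img, 180, 40, 40);
    imagefill($img, 0, 0, $bg);

    $maxHits = 1;
    foreach ($rows as $row) {
        $maxHits = max($maxHits, $row['hits']);
    }

    $y = $margin;
    foreach ($rows as $row) {
        $len   = (int) (($width - $labelW - 2 * $margin) * $row['hits'] / $maxHits);
        $label = substr($row['signature'], 0, 40) . ' (' . $row['hits'] . ')';
        imagestring($img, 3, $margin, $y + 3, $label, $fg);
        imagefilledrectangle($img, $labelW, $y, $labelW + $len, $y + $barH, $bar);
        $y += $barH + $gap;
    }
    return $img;
}

// 'mysql' is the classic ADODB driver name; current PHP builds use 'mysqli'.
$db = NewADOConnection('mysqli');
if (!$db->Connect($dbHost, $dbUser, $dbPass, $dbName)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('database connection failed');
}
$db->SetFetchMode(ADODB_FETCH_ASSOC);

// Request input: look-back window in hours and an optional signature filter.
// Integers are cast before being interpolated; the text filter is bound.
$hours  = max(1, min(24 * 30, (int) ($_GET['hours'] ?? 24)));
$limit  = 15;
$filter = '%' . ($_GET['sig'] ?? '') . '%';

// Assumed schema: one row per alert with a signature name and a timestamp.
$sql = 'SELECT signature, COUNT(*) AS hits FROM alerts'
     . ' WHERE timestamp >= DATE_SUB(NOW(), INTERVAL ' . $hours . ' HOUR)'
     . ' AND signature LIKE ?'
     . ' GROUP BY signature ORDER BY hits DESC LIMIT ' . $limit;

$rs = $db->Execute($sql, array($filter));
if ($rs === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('query failed');
}

$rows = array();
while (!$rs->EOF) {
    $rows[] = array(
        'signature' => $rs->fields['signature'],
        'hits'      => (int) $rs->fields['hits'],
    );
    $rs->MoveNext();
}

header('Content-Type: image/png');
imagepng(drawChart($rows));
```

Place the script under the Apache document root and request it as `chart.php?hours=24&sig=NETBIOS` (an HTML page can embed it with an `<img>` tag). Because the page only reads from the database, the account it connects with should have SELECT on the alert table and nothing else; the appliance's own logging account, which needs INSERT, should not be reused here. Note that `%` and `_` in the `sig` parameter act as LIKE wildcards, which is harmless for a read-only chart but worth knowing when interpreting results.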

Summary of Contents for SnapGear

Page 1: ...Gear Firewall VPN Appliance User Manual Revision 1 9 1 March 12 2004 SnapGear A CyberGuard Company 7984 South Welby Park Drive 101 Salt Lake City Utah 84084 Email support snapgear com Web www snapgear...

Page 2: ...Appliance s Internet Connection Settings 17 Set up the PCs on your LAN to Access the Internet 18 SnapGear PCI Appliances 22 Install your SnapGear Appliance in a Spare PCI Slot 22 Install the Network...

Page 3: ...Basic Intrusion Detection and Blocking 88 Advanced Intrusion Detection 90 8 Web Cache 95 Web Cache Setup 96 Network Shares 97 Peers 100 Set up LAN PCs to Use the Web Cache 100 9 Virtual Private Networ...

Page 4: ...cs 161 Advanced 163 Technical Support 166 Appendix A IP Address Ranges 167 Appendix B Terminology 168 Appendix C System Log 175 Access Logging 175 Creating Custom Log Rules 177 Rate Limiting 180 Admin...

Page 5: ...elds your computers from outside threats The SnapGear appliance checks and filters data packets to prevent unauthorized intruders gaining access The SnapGear appliance s NAT masquerading firewall mean...

Page 6: ...ppliance is recommended for Security conscious businesses that wish to separate firewall and VPN issues from server desktop operating systems Businesses that wish to eliminate the soft center For envi...

Page 7: ...h in the same range as the LAN as no NAT masquerading is being performed see the chapter entitled Firewall for more information One IP address is used to manage the SnapGear appliance via the SnapGear...

Page 8: ...This document uses different fonts and typefaces to show specific actions Warning Note Text like this highlights important issues Bold text in procedures indicates text that you type or the name of a...

Page 9: ...iance Power adaptor Installation CD Printed Quick Install guide Cabling including o 1 normal straight through UTP cable blue color o 1 crossover UTP cable either gray or red color Front panel LEDs The...

Page 10: ...this LED is on and not flashing an operating error has occurred LAN Activity Flashing Network traffic on the LAN network interface WAN Activity Flashing Network traffic on the Internet network interfa...

Page 11: ...t modem COM1 and possibly DMZ SME570 SME575 only as well as LAN status LEDs Internet status LEDs the reset button and power inlet The lower LAN Internet status LED indicates the link condition where a...

Page 12: ...eT LAN port to connect to the local Ethernet network Rear panel Ethernet link and activity status LEDs DMZ link features SME570 SME575 only 10 100BaseT DMZ port Real panel Ethernet link and activity s...

Page 13: ...g status The two LEDs closest to the network port are network activity upper and network link lower The two other LEDs are power upper and heart beat lower Figure 1 3 Label Activity Description Power...

Page 14: ...thernet port that connects to the LAN or Internet using a cable or ADSL modem Ethernet LEDs link activity Environmental features Status LEDs Power Heart Beat Operating temperature between 0 C and 40 C...

Page 15: ...how to configure your PCs network settings using the examples given for Windows PCs as a guide Installing your SnapGear appliance into a well planned network is easy However network planning is outsid...

Page 16: ...efore it is connected You may choose to use the SnapGear appliance s initial network settings as a basis for your LAN settings Connect the supplied power adapter to the SnapGear appliance Connect the...

Page 17: ...Internet Protocol TCP IP and click Properties or in 95 98 Me TCP IP your network card name if there are multiple entries and click Properties Figure 2 1 Select Use the following IP address and enter t...

Page 18: ...nce User name root Password default Note If you are unable to connect to the Management Console at 192 168 0 1 or the initial username and password are not accepted press the black Reset Erase button...

Page 19: ...LAN already configured Select this if you wish to use the SnapGear appliance s initial network settings IP address 192 168 0 1 and subnet mask 255 255 255 0 as a basis for your LAN settings You may sk...

Page 20: ...s the address of 192 168 0 1 The IP address will later be used as the gateway address for the PCs on your LAN To gain access through this gateway the PCs on your LAN must have an IP address within the...

Page 21: ...r if unsure Analog modem If connecting using a regular analog modem enter the details provided by your ISP DSL modem If connecting using an ADSL modem select Auto detect ADSL connection type and enter...

Page 22: ...y to your LAN hub using the straight through Ethernet cable blue To access the Internet the PCs on your network must all be set up to use the SnapGear appliance as their default gateway This can be do...

Page 23: ...settings when they start up If your network does not have a DHCP server you may either manually set up each PC on your network or set up the SnapGear appliance s DHCP server Note If you only have seve...

Page 24: ...e s DHCP server Launch Internet Explorer or your preferred web browser and navigate to the IP address of the SnapGear appliance s LAN connection The SnapGear Management Console will display Select DHC...

Page 25: ...nted with multiple connections right click on Local Area Connection or appropriate network connection and select Properties Select Internet Protocol TCP IP and click Properties or in 95 98 Me TCP IP y...

Page 26: ...Network and Dialup Connections Local Area Connection possibly followed by a number Properties and ensure the adapter is listed in the Connect using field Set up your PC to Connect to the SnapGear Mana...

Page 27: ...al Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figure 2 7 Select Use the followin...

Page 28: ...epted press the Reset button on the SnapGear appliance s rear panel twice wait 20 30 seconds and try again Pressing this button twice within two seconds returns the SnapGear appliance to its factory d...

Page 29: ...o free IP addresses that are part of the subnet range of your LAN as well as your LAN s subnet mask and DNS server address and gateway address used by PCs on your LAN Note Please contact your network...

Page 30: ...onnections Right click on Local Area Connection or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties Figur...

Page 31: ...other for your PC Note It is highly recommended that you reserve the IP address to be used by the SnapGear Management Console using the SnapGear appliance s MAC address In bridged mode this will be th...

Page 32: ...or appropriate network connection for the newly installed PCI appliance and select Properties Select Internet Protocol TCP IP and click Properties and click Properties Figure 2 12 Check Obtain an IP a...

Page 33: ...h the rear panel Reset button enabled This allows the SnapGear appliance s configuration to be reset to factory defaults From a network security standpoint it may be desirable to disable the Reset swi...

Page 34: ...e the connection once your Internet connection has been established Connections Under the Connections tab each of the network ports of your SnapGear appliance is displayed alongside its Device Name an...

Page 35: ...ion mode see Network address translation in the Advanced section of this chapter this will typically be part of a private IP range such as 192 168 0 1 255 255 255 0 Ensure DHCP assigned is unchecked I...

Page 36: ...thernet ports or bridging between PPPoE ports The first step is setting up a host to host IPSec VPN connection Information regarding setting up a host to host VPN connection can be found in the IPSec...

Page 37: ...ive it some time to power up If fitted ensure the Ethernet link LEDs are illuminated on both the SnapGear appliance and modem device Internet Connection Methods Select your Internet connection type fr...

Page 38: ...ction is idle DHCP connections may require a hostname to be specified but otherwise all settings are assigned automatically by your ISP For Manually Assign Settings connections enter the IP Address Ne...

Page 39: ...bridge between ports you will have to select either Bridged LAN or Bridged DMZ as is appropriate When bridging has been enabled a Bridge br0 port will appear in the Connections menu You may configure...

Page 40: ...or the telecommunications network may temporarily fail Physically connect modem device Attach the modem serial cable to the SnapGear appliance s serial port COM1 Note To connect to an ISDN line the Sn...

Page 41: ...llowing options Field Description Idle timeout By default the SnapGear appliance dials on demand i e when there is traffic trying to reach the Internet and disconnects if the connection is inactive i...

Page 42: ...used to provide better security for your LAN If you place a publicly accessible server on your LAN and an attacker compromises the server then the attacker will immediately have direct access to your...

Page 43: ...eactivated Set up the connection in the same manner to your primary LAN connection as detailed in the LAN section of this chapter Bridged LAN See the Bridged Internet section earlier in this chapter D...

Page 44: ...Internet connection for failover Set up a secondary backup Internet connection SnapGear appliance models with a DMZ port SME570 SME575 can use broadband cable DSL direct connection as both their prima...

Page 45: ...ch to a dialout Internet connection when you primary broadband Internet connection is unavailable from the Connections menu select the appropriate Failover Internet configuration for the COM Modem por...

Page 46: ...gure a broadband Internet connection Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the SnapGear appliance These routes are additional t...

Page 47: ...t refer to http www zebra org Advanced The following figure shows the advanced IP configuration Figure 3 8 Hostname The Hostname is a descriptive name for the SnapGear appliance on the network DNS Pro...

Page 48: ...querading allows insiders to get out without allowing outsiders in By default the Internet port is setup to masquerade Masquerading has the following advantages Added security because machines outside...

Page 49: ...ll point to your Internet IP address no matter how often it changes Whenever its Internet IP address changes the SnapGear appliance will alert the dynamic DNS service provider so the domain name recor...

Page 50: ...e to respond to multiple IP addresses on its LAN Internet and DMZ ports For Internet and DMZ aliased ports you must also setup appropriate Packet Filtering and or Port forwarding rules to allow traffi...

Page 51: ...ng provides a level of control over the relative performance of various types of IP traffic The traffic shaping feature of your SnapGear appliance allows you to allocate High Medium or Low priority to...

Page 52: ...modem connected to the SnapGear appliance The SnapGear appliance s dialin facility establishes a PPP connection to the remote user or site Dialin requests are authenticated by usernames and passwords...

Page 53: ...enable the SnapGear appliance s COM port or internal modem for dialin Under Networking select Network Setup From the Connections menu locate the COM port or Modem on which you want to enable dialin an...

Page 54: ...database is used to verify the username and password received from the dialin client Local means the dialin user accounts created on the SnapGear appliance You will need to created user accounts as de...

Page 55: ...Account are shown in the following table Field Description Username Username for dialin authentication only The name is case sensitive e g Jimsmith is different to jimsmith Password Password for the...

Page 56: ...Dialin Setup 52 The following figure shows the user maintenance screen Figure 4 3...

Page 57: ...count select the account in the Account List and check Delete under the Delete or Change Password for the Selected Account heading If changes to the user account are successful the change is shown on...

Page 58: ...ce using the standard Windows Dial Up Networking software Set up a new dial out connection on the remote PC to dial the phone number of the modem connected to the SnapGear appliance COM port After the...

Page 59: ...MSCHAP 2 authentication you also need to check the Require encrypted password checkbox Leave all other Advanced Options unchecked Select the TCP IP network protocols from the Allowed network protocol...

Page 60: ...the Password that was set up for the SnapGear appliance dial in account Windows 2000 XP To configure a remote access connection on a PC running Windows 2000 XP click Start Settings Network and Dial up...

Page 61: ...elect Dial up to private network as the connection type and click Next to continue Figure 4 8 Tick Use dialing rules to enable you to select a country code and area code This feature is useful when us...

Page 62: ...r you This is a security feature that will not allow any other users who log onto your machine to use this remote access connection Figure 4 10 Enter a name for the connection and click Finish to comp...

Page 63: ...emote access login screen will appear as in the next figure If you did not create a desktop icon click Start Settings Network and Dial up Connections and select the appropriate connection and enter th...

Page 64: ...mask on the LAN or DMZ port see the chapter entitled Network Connections DHCP Server Configuration The DHCP server allows the automatic distribution of IP gateway DNS and WINS addresses to hosts runni...

Page 65: ...Time in seconds The lease time is the time that a dynamically assigned IP address is valid Enter the IP address or range of IP addresses see the appendix entitled IP Address Ranges to be issued to DH...

Page 66: ...sses to hand out if this value is 0 Enable Disable Each subnet can be enabled or disabled by clicking on the Enable or Disable button under the Enable Disable heading Edit The settings for each subnet...

Page 67: ...addresses the added option to Unreserve the address Unreserving the address will allow it to be handed out to any host The Status field will have three possible states These include Reserved the addr...

Page 68: ...s both static and dynamic addresses to be given out on the LAN just as running a DHCP server would To enable this feature specify the server which is to receive the forwarded requests in Relay Host Th...

Page 69: ...l filters packets at the network layer determines whether the session packets are legitimate and evaluates the contents of packets at the application layer to provide maximum protection for your priva...

Page 70: ...ment Console web administration pages Web Admin to machines on your local network Disallowing all services is not recommended as this will make future configuration changes impossible unless your Snap...

Page 71: ...establish secure connections to the SnapGear Management Console web administration pages from SSL enabled browsers Figure 6 2 Note Changing the web server port number is recommended if you are allowin...

Page 72: ...nclude the new port number in the URL to access the pages For example if you change the web administration to port number 88 the URL to access the web administration will be similar to http 192 168 0...

Page 73: ...y clicking Upload Alternately you can create self signed certificates internally on the SnapGear unit by following the link to the SSL Certificate page SSL Certificate Setup You can create self signed...

Page 74: ...r internal masqueraded servers to offer services to the outside world Destination NAT rules are used for port forwarding Source NAT rules are useful for masquerading one or more IP addresses behind a...

Page 75: ...ty The SnapGear appliance will perform a DNS lookup and fill in the IP Address field If the DNS hostname is invalid you may need to wait while the DNS lookup times out Warning The DNS lookup is only p...

Page 76: ...vice group is shown in the following figure Figure 6 5 A service group can be used to group together similar services For example you can create a group of services that you wish to allow and then use...

Page 77: ...Packet Filtering page to change the order The rules are evaluated top to bottom as displayed on the Packet Filtering page Adding or modifying a rule is shown in the following figure Figure 6 6 The Ac...

Page 78: ...ance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN See the Advanced section of the chapter entitled Network Connections for information on config...

Page 79: ...ices this need not be the same as the Destination Service used to match the packet but often will be Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually cre...

Page 80: ...rnet To Source Service The service to replace Source Services this need not be the same as the Source Service used to match the packet but often will be 1 to 1 NAT This creates both a Source NAT and D...

Page 81: ...ually create filter rules through Rules Rules The Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules To access this page click Rules in t...

Page 82: ...lled before accessing the Internet ZoneAlarm To enable any of these access controls or content filtering select Access Control then under the Main tab check Enabled and click Apply User authentication...

Page 83: ...out web proxy access will see a screen similar to the figure below when attempting to access external web content Figure 6 8 Note Each browser on the LAN will now have to be set up to use the SnapGear...

Page 84: ...d be similar refer to their user documentation for details on using a web proxy From the Internet Options menu select Tools From the LAN Settings tab select LAN Settings Figure 6 9 Check Use a proxy s...

Page 85: ...d or Allowed by the Source LAN IP address or address range the Destination Internet host s IP address or address range or the Destination Host s name See Appendix A for more information on IP address...

Page 86: ...address URL that contains text entered in the Block List e g entering xxx will block any URL containing xxx including http xxx example com or www test com xxx index html The Allow List also enables ac...

Page 87: ...Content Filtering enter your activated License key then continue on to set reporting options and which categories to block Click Apply once these options have been set up to enable content filtering...

Page 88: ...tified either through User Accounts see User Authentication earlier in this chapter or the IP Address of their machine Click View Reports to connect to the central content filtering server You will be...

Page 89: ...achines your LAN that are not running the ZoneAlarm Pro personal firewall software Running personal firewall software on each PC offers an extra layer of protection from application level operating sy...

Page 90: ...outside world which are monitored for connection attempts Clients attempting to connect to these dummy services can be blocked Advanced Intrusion Detection uses complex rulesets to detect known method...

Page 91: ...other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitored to identify suspect behaviour and help to deal with intruders...

Page 92: ...ection attempts Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt and the access attempt is denied Because network scans often...

Page 93: ...e between 0 and 2 o represents an immediate blocking of probing hosts Larger settings mean more attempts are permitted before blocking and although allowing the attacker more latitude these settings w...

Page 94: ...ng a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but another fails and so on Advanced Intrusion Detection can also detect mal...

Page 95: ...by type such as DDOS exploit backdoor NETBIOS etc Each type in turn has many subtypes depending on the exact attack signature For example selecting NETBIOS will enable matching subtype signatures for...

Page 96: ...unchecked results will be output to the SnapGear appliance system log Advanced System Log Advanced Intrusion Detection currently only supports MySQL as the Database Type Enter the name table name of...

Page 97: ...With these tools installed web pages can be created that display analyze and graph data stored in the MySQL database from the SnapGear appliance running Advanced Instrusion Detection They should be in...

Page 98: ...t will be running as an IDS sensor on the SnapGear appliance and logging to the MySQL database on the analysis server The following are detailed documents that aid in installing the above tools on the...

Page 99: ...ad Internet objects over the available Internet connection when several users attempt to access the same web site simultaneously The objects will be available in the cache server memory or disk and qu...

Page 100: ...ts The maximum amount of memory you can safely reserve will depend on what other services the SnapGear appliance has running such as VPN or a DHCP server If you will be using a Network Share recommend...

Page 101: ...basic instructions for creating a network share under Windows XP Create a new user account Note We recommend that you create a special user account to be used by the SnapGear appliance for reading and...

Page 102: ...his folder and note the Share name you may change this to something easier to remember if you wish Select Permissions If you wish to secure the network share click Add and type the user name the accou...

Page 103: ...um size for the cache in Cache size Warning Cache size should not be more than 90 of the space available to the network share e g if you shared a drive with 1 gigabyte of available storage specify a C...

Page 104: ...hy Then the caches placed at the Parent level are queried if the replies from sibling caches did not succeed Enter the host or IP address of an ICP capable web cache peer in Host then select its relat...

Page 105: ...imilarly telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can also be deployed as a low cost way of securely linking two or more network...

Page 106: ...This may describe the purpose for the connection The remote PPTP server IP address to connect to A username and password to use when logging in to the remote VPN You may need to obtain this informati...

Page 107: ...raffic check the Make VPN the Default Route checkbox and click Apply This option is only available when the SnapGear appliance is configured with a single VPN connection only After adding a new VPN tw...

Page 108: ...up VPN user accounts on the SnapGear appliance and enable the appropriate authentication security Configure the VPN clients at the remote sites The client does not require special software The SnapGe...

Page 109: ...gure the PPTP VPN server The following figure shows the PPTP server setup Figure 9 3 To enable and configure your SnapGear appliance s VPN server select PPTP VPN Server from the VPN menu on the SnapGe...

Page 110: ...stablish a PPTP connection to the network The remote client must be set up to use the selected authentication scheme MSCHAPv2 is the most secure SnapGear recommends the use of MSCHAPv2 plus data encry...

Page 111: ...e remote users can establish VPN tunnels to the SnapGear appliance PPTP server user accounts must be added Note PPTP Accounts are distinct from those added through Users in the System menu and those a...

Page 112: ...r the remote VPN user Confirm Re enter the password to confirm As new VPN user accounts are added they are displayed on the updated Account List To modify the password of an existing account Select th...

Page 113: ...liance see Dynamic DNS in the Network Connections section Ensure the remote VPN client PC has Internet connectivity To create a VPN connection across the Internet you must set up two networking connec...

Page 114: ...e SnapGear appliance VPN server in the VPN Server field This may change if your ISP uses dynamic IP assignment Click OK and then click Finish Figure 9 6 Right click the new icon and select Properties...

Page 115: ...ression and Use Default Gateway on Remote Network are all selected and click OK Figure 9 7 Your VPN client is now set up and ready to connect Windows 2000 Log in as Administrator or with Administrator...

Page 116: ...Figure 9 9 Select Connect to a private network through the Internet and click Next This displays the Destination Address window Figure 9 10 Enter the SnapGear PPTP server s IP address or fully qualif...

Page 117: ...a Connection Name for the VPN connection such as your company name or simply Office Click Next If you have set up your computer to connect to your ISP using dial up select Automatically dial this ini...

Page 118: ...of your computer informed you that you are connected You can now check your e mail use the office printer access shared files and and computers on the network as if you were physically on the LAN Note...

Page 119: ...figure the tunnel with those settings For most applications to connect two offices together a network similar to the following will be used Figure 9 12 To combine the Headquarters and Branch Office ne...

Page 120: ...lves to the IP address on the Internet port then the DNS hostname address option should be selected In this example select dynamic IP address The Maximum Transmission Unit MTU of the IPSec interface c...

Page 121: ...not being transmitted Configure a tunnel to connect to the headquarters office To create an IPSec tunnel click the IPSec link on the left side of the SnapGear Management Console web administration pag...

Page 122: ...llowing types of keying Main mode with Automatic Keying IKE automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel Agg...

Page 123: ...select the Preshared Secret option Select the type of private network that is behind the SnapGear appliance The following types of networks are supported Single network is selected when a single subne...

Page 124: ...default gateway for all traffic to the remote party Be the remote party s default gateway for all traffic is selected when the tunnel will be the default gateway for all traffic from the remote party...

Page 125: ...ml to determine what form it must take In this example enter branch office Leave the Enable IP Payload Compression checkbox unchecked If compression is selected IPComp compression is applied before en...

Page 126: ...ng when using SHA1 excluding any underscore characters This field appears when Manual Keying has been selected Encryption Key field is the ESP Encryption Key It must be of the form 0xhex where hex is...

Page 127: ...s of the remote party in The remote party s IP address field In this example enter 209 0 01 The Endpoint ID is used to authenticate the remote party to the SnapGear appliance The remote party s ID is...

Page 128: ...party This option will become available if the remote party has been configured to have a DNS hostname address Distinguished Name field is the list of attribute value pairs contained in the certifica...

Page 129: ...lish and uniquely identify the tunnel It must be of the form 0xhex where hex is one or more hexadecimal digits and be in the range of 0x100 0xfff This field appears when Manual Keying has been selecte...

Page 130: ...this new key is negotiated before the current key expires can be set in the Rekeymargin field In this example leave the Rekeymargin as the default value of 10 minutes The Rekeyfuzz value refers to th...

Page 131: ...nding on what has been configured previously Local Public Key field is the public part of the RSA key generated for RSA Digital Signatures authentication These fields are automatically populated and d...

Page 132: ...also supports extensions to the Diffie Hellman groups to include 2048 3072 and 4096 bit Oakley groups Perfect Forward Secrecy is enabled if a Diffie Hellman group or an extension is chosen Phase 2 ca...

Page 133: ...ure 9 19 In the Subnet Settings section a local and remote network combination can be added one at a time by entering subnets into the Add Local Network and Add Remote Network fields and then clicking...

Page 134: ...or start with a number In this example enter Branch_Office Leave checked the Enable this tunnel checkbox Select the Internet interface the IPSec tunnel is to go out on In this example select default g...

Page 135: ...ecked Click the Continue button to configure the Remote Endpoint Settings Remote endpoint settings page Enter the Required Endpoint ID of the remote party In this example enter the Local Endpoint ID a...

Page 136: ...page Set the length of time before Phase 2 is renegotiated in the Key lifetime m field In this example leave the Key Lifetime as the default value of 60 minutes Select a Phase 2 Proposal In this exam...

Page 137: ...he Connection field will be shown Note You may modify a tunnel s settings by clicking on its connection name Click Connection to sort the tunnel list alphabetically by connection name Remote party The...

Page 138: ...e 1 indicates that IPSec is negotiating Phase 1 to establish the tunnel Aggressive or Main mode packets depending on tunnel configuration are transmitted during this stage of the negotiation process N...

Page 139: ...AES Phase 2 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 2 negotiations This will include MD5 and SHA1 otherwise known as SHA Phase 1 Ciphers Loaded lis...

Page 140: ...ple the policy line has the PFS keyword If PFS is disabled then the keyword will not appear Whether IP Payload Compression is used In this example the policy line does not have the COMPRESS keyword si...

Page 141: ...cking Enable or Disable under the Tunnel List menu Delete One or more tunnel can be enabled or disabled by checking the checkbox to the right of the tunnel and clicking Delete under the Tunnel List me...

Page 142: ...tion tool on the SnapGear CD to extract these certificates ensure the cygwin1 dll library is in the same directory as the openssl application To extract the CA certificate enter the following at the W...

Page 143: ...an 4 characters long, and this will be the same pass phrase entered when uploading the private key certificate into the SnapGear appliance. The application will then prompt you to verify the pass phrase...

Page 144: ...te the certificate request: openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req. Enter a PEM pass phrase; this is the same pass phrase required when you upload the key to the SnapGear appli...

Page 145: ...ificates to the SnapGear appliance, click the IPSec link on the left side of the SnapGear Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A...

Page 146: ...Certificate Type pull-down menu. Enter the Certificate Authority's Public Key certificate or CRL file in the Certificate File field. Click the Browse button to select the file from the host computer. CA...

Page 147: ...n set correctly on the SnapGear appliance. Also ensure that the certificate is in PEM or DER format. Enter the Local Private Key certificate in the Private Key Certificate field. Click the Browse button...

Page 148: ...s enabled. Possible Cause: The tunnel is using Manual Keying and the encryption and/or authentication keys are incorrect. The tunnel is using Manual Keying and the SnapGear appliance's and/or remote part...

Page 149: ...addresses. Check that the CA has signed the certificates. Symptom: Tunnel is always Negotiating Phase 2. Possible Cause: The Phase 2 proposals set for the SnapGear appliance and the remote party do not mat...

Page 150: ...cur for Manual Keying. Symptom: Dead Peer Detection does not seem to be working. Possible Cause: The tunnel has Dead Peer Detection disabled. The remote party does not support Dead Peer Detection according...

Page 151: ...or your computer does not have its default gateway as the SnapGear appliance. If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP addr...

Page 152: ...g a GRE tunnel that runs over the Internet, it is possible for an attacker to put packets onto your network. If you want a tunneling mechanism to securely connect to networks, then you should use IPSec o...

Page 153: ...3.45.6. Local Internal Address: 192.168.1.1. Click Add. Click Add/Remove under Remote Networks and enter Remote subnet/netmask 10.1.0.0/255.255.0.0. Click Add. The Brisbane end is now set up. Figure 9.26. On...

Page 154: ...Add them through Add/Remove under Remote Networks. GRE over IPSec: In this example we will bridge the 10.11.0.0/255.255.0.0 network between the Brisbane and Slough endpoints described in the previous sectio...

Page 155: ...For a complete overview of all available options when setting up an IPSec tunnel, please refer to the IPSec section earlier in this chapter. Take note of the following important settings: Set the local...

Page 156: ...to_bris. Remote External Address: 10.254.0.2. Local External Address: 10.254.0.1. Local Internal Address: Place on Ethernet Bridge checked. For the Brisbane end, enter the IP addresses below. Leave Local Inte...

Page 157: ...ace called greX created. greX is the same as the Interface Name specified in the table of current GRE tunnels. Also ensure that the required routes have been set up on the GRE interface. This might not o...

Page 158: ...r ATM to create tunnels across the Internet backbone. The SnapGear L2TP implementation can only run L2TP over Ethernet, since it doesn't have an ATM adapter. L2TP packets are encapsulated in UDP packets...

Page 159: ...configured and enabled on the SnapGear appliance as well as the L2TP server before Windows clients can connect. The default way for the IPSec connection to be authenticated is to use x.509 RSA certifi...

Page 160: ...eb browser, you will be able to click the top Set Date and Time button to synchronize the time on the SnapGear appliance with that of your PC. Alternately, you can manually set the Year, Month, Date, Hour a...

Page 161: ...ensures that the SnapGear appliance's clock (in UTC) will be accurate soon after the Internet connection is established. If NTP is not used, the system clock will be set randomly when the SnapGear applia...

Page 162: ...ia the web interface and whether they can access the Internet via the SnapGear appliance's web proxy. There is one special user, root, who has the role of the final administrative user. This user has extr...

Page 163: ...ny of the configuration on the SnapGear appliance. This access control can be granted to technical support users so they can attempt to diagnose, but not fix, any problems which occur. Encrypted save/rest...

Page 164: ...cess controls. A user with this access control is permitted controlled access to the web through the SnapGear appliance's web proxy. See the Access control and content filtering section in the chapter e...

Page 165: ...ics. Diagnostic information and tests are provided through the SnapGear Management Console web administration pages. Diagnostics: To access this information, click Diagnostics under System. This page displ...

Page 166: ...System 162. Figure 10.3. Network tests: Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top of the Diagnostics page...

Page 167: ...errors are red. The pull-down menu underneath the log output allows you to filter the log output to display based on output type. Refer to Appendix C for details on configuring and interpreting log out...

Page 168: ...ogram that automates the upgrade procedure. Be sure to read the release notes before attempting the upgrade. The second is to download the binary image file (.bin). This can then be transferred from a PC on...

Page 169: ...boot. It will usually take around 10 seconds before it is up and running again. Note that if you have enabled bridging, the SnapGear appliance may take up to 30 seconds to reboot. Reset button: The simples...

Page 170: ...Technical Support Report page is an invaluable resource for the SnapGear technical support team to analyze problems with your SnapGear appliance. The information on this page gives the support team imp...

Page 171: ...ddresses. The third form allows the address range to span network and subnet boundaries. All addresses including and between the two specified IP addresses are included in the range. For example, 192.168...

Page 172: ...to connect, or if the SnapGear appliance or the remote party is behind a NAT device. Authentication: Authentication is the technique by which a process verifies that its communication partner is who it i...

Page 173: ...operate with the SnapGear appliance, it must conform to the draft draft-ietf-ipsec-dpd-00.txt. DHCP (Dynamic Host Configuration Protocol): A communications protocol that assigns IP addresses to computers w...

Page 174: ...e to be modified, then its hash would have changed and would no longer match the original hash value. Hub: A network device that allows more than one computer to be connected as a LAN, usually using UTP c...

Page 175: ...public part of the public/private key pair of the certificate resides on the SnapGear appliance and is used to authenticate against the CA certificate. MAC address: The hardware address of an Ethernet...

Page 176: ...ort-term keys, but he does not automatically get them just by acquiring the long-term key. Phase 1: Sets up a secure communications channel to establish the encrypted tunnel in IPSec. Phase 2: Sets up the...

Page 177: ...ity than is available from a single DES pass. UTC: Coordinated Universal Time. UTP: Unshielded Twisted Pair cabling. A type of Ethernet cable that can operate up to 100Mb/s. Also known as Category 5 or CAT...

Page 179: ...ance creates entries in the syslog (/var/log/messages or external syslog server) of the following format: Date Time klogd prefix IN=<incoming interface> OUT=<outgoing interface> MAC=<dst/src MAC addresses> SRC...

Page 180: ...re also some specific rules to detect various attacks (smurf, teardrop, etc.). When outbound traffic from LAN to WAN is blocked by custom rules configured in the GUI, the resultant dropped packets are also l...

Page 181: ...RC=10.0.0.2 DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0. Creating Custom Log Rules: Additional log rules can be configured...

Page 182: ...s 12. Jan 24 17:19:17 2000 klogd: Internet PPTP access IN=eth0 OUT= MAC=00:d0:cf:00:07:03:00:50:bf:20:66:4d:08:00 SRC= DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43470 DF PROTO=TCP SPT=4508 DPT=1723...

Page 183: ...T=eth1. It is possible to use the -i and -o arguments to specify the interfaces that are to be considered for IN and OUT respectively. When the ! argument is used before the interface name, the sense is inver...

Page 184: ...or day suffix. The default is 3/hour. --limit-burst number: number is the maximum initial number of packets to match. This number gets recharged by one every time the limit specified above is not reached, u...

Page 185: ...thentication attempt failed for root from 10.0.0.2. Jan 30 03:18:40 2000 login: Authentication successful for root from 10.0.0.2. Once again showing the same information as a web login attempt. Boot Log: M...
