Freedom9 freeGuard Blaze 2100, User Manual

Page 1: ...freeGuard Blaze 2100 User Guide Version 3R2...

Page 2: ...ot allow copies to be made for others whether or not sold but all of the materials purchased can be sold given or loaned to another person Under the law copying includes translating this information i...

Page 3: ...ng the Power 2 2 Connecting the freeGuard Blaze 2100 to Other Network Devices 2 2 Configuring the freeGuard Blaze 2100 2 3 Configuring the Software 2 5 3 Security Zones and Interfaces 3 1 Security Zon...

Page 4: ...3 33 PPPoE Point to Point Protocol over Ethernet 3 33 4 System Management 4 1 Using the Console to Manage the freeGuard Blaze 2100 4 1 About Console Cable Requirements 4 2 Accessing the Console 4 2 R...

Page 5: ...Aliases 4 14 Deleting Aliases 4 15 Viewing Current Aliases 4 15 Configuring Domain Names 4 15 Deleting Domain Names 4 15 Configuring Host Names 4 16 Deleting Host Names 4 16 Using Network Time Protoco...

Page 6: ...g Management 6 3 Log Module Settings 6 3 Setting Log Modules 6 3 Disabling Log Module Settings 6 4 Viewing the log module settings 6 4 Viewing the Traffic and Event Log 6 5 Admin Mail Server 6 6 Confi...

Page 7: ...View the SNMP Community Settings 6 22 View the SNMP Statistics 6 23 Viewing the Interface Statistics 6 24 7 Virtual Private Networks 7 1 Virtual Private Networks 7 1 About IP Security IPsec 7 2 the Di...

Page 8: ...ts with Non Zero Reserved Fields 8 9 9 Policy Configuration 9 1 About Security Policies 9 1 About Traffic Flow Among Policies 9 1 About Security Policy Types 9 2 Configuring Policies 9 4 Creating Poli...

Page 9: ...ss Translation 10 1 Network Address Translation 10 1 Configuring Source Network Address Translation 10 2 About Port Address Translation PAT 10 2 Configuring Dynamic IP DIP Pools 10 3 Source NAT Config...

Page 10: ...X 509 Digital Certificates 12 1 PKI Basics 12 2 A typical Digital Certificate 12 3 Self signed certificate 12 4 CLI Commands 12 4 Generating a Self Signed Certificate 12 4 Creating a Certificate Requ...

Page 11: ...n IPsec VPN Prevention of 30 DoS and DDoS attacks Extensive Network Address Translation NAT features including one to one many to one many to many and port address translation PAT 802 1Q VLAN support...

Page 12: ...Values inside braces are required For commands that require a selection from a pre defined list of values each value in the list is separated by a pipe Variables appear in italic When a WebGUI command...

Page 13: ...U C T I O N About Document Conventions Version 3R2 Security Appliance User Guide 1 3 ILLUSTRATION CONVENTIONS Figure 1 1 shows the graphics used in illustrations in this guide Figure 1 1 Illustration...

Page 14: ...I NT R O DU C T I O N About Document Conventions 1 4 Security Appliance User Guide Version 3R2 1...

Page 15: ...serving these precautions can prevent injuries equipment failures and potential shutdown of the freeGuard Blaze 2100 WARNING Always assume the power supply for the freeGuard Blaze 2100 is connected to...

Page 16: ...e 2 1 prepare to proceed with the actual installation To install the freeGuard Blaze 2100 perform the tasks described in the following sections Connecting the Power Connecting the freeGuard Blaze 2100...

Page 17: ...eth0 interface is connected to a switch on your local area network LAN using another twisted pair Ethernet cable Figure 2 1 Connecting the freeGuard Blaze 2100 to other Network Devices CONFIGURING TH...

Page 18: ...interface on a laptop or desktop machine 3 To access the freeGuard Blaze 2100 console interface launch a terminal emulation program NOTE Hyper Terminal by Hillgraeve Inc is a suitable terminal emulat...

Page 19: ...HE A D M I N P A S S W O R D Because all Security Appliances are preconfigured with the same password you must change the admin password Use the set admin command to change the password set admin pass...

Page 20: ...interface command to bind the eth0 interface to the trust zone with an IP address and netmask of 10 0 0 1 24 set interface eth0 ip 10 0 0 1 24 set interface eth0 zone trust save G U I E X A M P L E C...

Page 21: ...o the eth1 interface you must configure network address translation NAT For additional information regarding NAT configurations refer to Chapter 10 Address Translation Use the set interface command to...

Page 22: ...ts on the LAN connected to the trust zone to browse the Internet using a web browser Use the set policy command to create a policy allowing any traffic going from the trust zone to the untrust zone se...

Page 23: ...G E T T I N G S T A R TE D Installing the freeGuard Blaze 2100 Version 3R2 Security Appliance User Guide 2 9 Policy set policy from trust to untrust any any any permit...

Page 24: ...G E T T IN G S T A R T E D Installing the freeGuard Blaze 2100 2 10 Security Appliance User Guide Version 3R2 2...

Page 25: ...Modes Advanced Interface Settings Authentication Using RADIUS Alternate Connection Methods SE CURITY ZONES Security zones are a logical grouping of physical and logical interfaces on an appliance A se...

Page 26: ...o subinterfaces have been added in the DMZ zone VLAN 200 and 210 The eth1 interface is configured in Untrust zone Policies can be written to allow or deny traffic between zones Figure 3 2 Security Zon...

Page 27: ...nes Figure 3 3 displays the security appliance with two security zones trust and untrust The trust zone is configured for the LAN and the untrust zone is configured for the WAN Security policies can n...

Page 28: ...se the set zone command with the name_str option to create a custom security zone set zone name name_str E X A M P L E C R E A T I N G T H E S A L E S S EC U R I T Y Z O N E set zone name sales save G...

Page 29: ...cified security zone set zone name_str block E X A M P L E E N A B L E I N T R A Z O N E B L O C K I N G ON T H E S A L E S S E C U R I T Y Z O N E set zone sales block save G U I E X A M P L E E N A...

Page 30: ...s for each zone Zone name The name assigned to the interface Zone ID The ID number assigned to the zone Type The security settings on the zone Intrazone block On or off Interfaces bound Lists all phys...

Page 31: ...red on the corresponding physical interface of the appliance Figure 3 6 displays the location of the Ethernet interfaces on the freeGuard Blaze 2100 Figure 3 6 Ethernet interface locations This sectio...

Page 32: ...r additional information You can use additional set interface commands to bind the interface to a different zone or to set the interface mode to either NAT enabled route or Transparent mode BINDING IN...

Page 33: ...llowing then click Apply Zone Name Trust CONFIGURING SUBINTERFACES A subinterface is a logical interface that uses an 802 1q tag to identify membership to a specific VLAN on a physical interface After...

Page 34: ...120 on the physical interface eth0 Assign the subinterface to the trust zone with the IP address 192 168 100 1 24 set interface eth0 120 ip 192 168 100 1 24 set interface eth0 120 zone trust save G U...

Page 35: ...d port address translation PAT through security policies For information on configuring NAT through security policies refer to Chapter 10 Address Translation CONFIGURING NAT ENABLED MODE Interfaces co...

Page 36: ...ure 3 7 set interface eth0 nat save G U I E X A M P L E C ON FI G U R I N G N A T E N A B L E D M O D E 1 Network Interface Edit for eth0 2 Enter the following then click Apply Interface Mode NAT CONF...

Page 37: ...interface eth1 route save G U I E X A M P L E C ON FI G U R I N G R O U T E M O D E 1 Network Interface Edit for eth0 2 Enter the following then click Apply Interface Mode Route 3 Network Interface Ed...

Page 38: ...P Shows the IP address from which the interface can be managed Management Options Ping ssh http https snmp Mode NAT route transparent Use the get interface command to display information on a specific...

Page 39: ...est IP MAC address information changed in the header allowing the freeGuard Blaze 2100 to be deployed in complex networks un obtrusively In Transparent mode the freeGuard Blaze 2100 can be deployed de...

Page 40: ...y will be needed to deny ANY All from the Untrust to Trust zone In Figure 3 9 if Workstation A makes a request to www yahoo com the workstation performs a DNS query for www yahoo com the return addres...

Page 41: ...within the appliance and cannot be modified In addition to configuring the br0 management interface a default route is required to be configured in order for the freeGuard Blaze 2100 to communicate to...

Page 42: ...cer The freeGuard Blaze 2100 can be placed directly between the VLAN switch trunk and the external VLAN router it can then intercept recognize various VLAN tagged packets and apply zone based policies...

Page 43: ...ity to filter various source dest address s zones based on the VLAN ID CLI Configuration set interface eth0 ip 0 0 0 0 0 set interface eth0 transparent set interface eth0 zone trust set interface eth1...

Page 44: ...nce set zone name Lab set zone name Sales set address Finance webserver 192 168 200 10 32 set address Accounting SQLServer 192 168 100 100 32 set transparent vlan Engineering tag 100 zone Engineering...

Page 45: ...2100 in order to accommodate their network needs These bypass functions are global and will be applied to both the ingress and egress interfaces NOTE For detailed information on the transparent comma...

Page 46: ...erse the freeGuard Blaze 2100 The default behavior of the freeGuard Blaze 2100 is to bypass i e drop such packets G U I E X A M P L E B Y P A S S D O S A N D D D O S C H E C K I N G I N T R A N S P A...

Page 47: ...appliance Use the set interface command with the mtu option to set the MTU size for a specific interface set interface interface name mtu size E X A M P L E S E T T I N G T H E M T U S I Z E ON T H E...

Page 48: ...cess Control MAC addresses Use the get arp command to view the current ARP table entries get arp C L E A R I N G C U R R E N T A R P E N T R I E S Use the clear arp command to clear a specific entry o...

Page 49: ...M EO U T T O 1 8 0 0 S E C O N D S 1 Network ARP 2 Enter the following then click Apply ARP Cache Entry Timeout Seconds 1800 ENABLING INTERFACE MANAGEMENT Use the set interface interface name with th...

Page 50: ...ation Dial In User Service RADIUS authenticates the local users and remote users on a company network RADIUS works as a client server system that keeps the authentication information for users remote...

Page 51: ...thentication 5 The RADIUS server verifies the username and password and if they are correct sends a RADIUS Challenge message to the security appliance 6 The security appliance sends the Challenge mess...

Page 52: ...security appliance is 1812 RADIUS Timeout The time interval the security appliance must wait before sending another authentication request if the previous request had not been answered The default RAD...

Page 53: ...r radius command with the timeout option set auth server auth_name radius timeout value NOTE The acceptable value for the RADIUS timeout is in the range of 3 180 seconds C O N F I G U R I N G T H E R...

Page 54: ...ip_addr dom_name V I E W I NG T HE R A D I U S C O N F I GU R A T I O N To view the RADIUS configuration on the security appliance use the get auth server command and view all settings or by ID get a...

Page 55: ...igure 3 12 shows a primary and secondary RADIUS server using the following attributes Figure 3 12 Configuring a Primary and Secondary RADIUS Server Auth_name security Primary RADIUS server IP 10 0 0 2...

Page 56: ...ON FI G U R I N G A P R I M A R Y A N D S E C ON D A R Y R A D I U S S ER V ER 1 System Authentication Add Authentication Server 2 Enter the following RADIUS information and click Apply Type Name Tes...

Page 57: ...are the same physical connection but access control billing and type of service are handled on a per user basis Some security devices support a PPPoE client allowing compatibly with DSL Ethernet Direc...

Page 58: ...0 1 24 set interface ethernet1 zone untrust set pppoe interface ethernet1 set pppoe username name_str password pswd_str To test your PPPoE connection set pppoe enable get pppoe G U I E X A M P L E T O...

Page 59: ...S E CU R IT Y Z O NE S AN D I N T E R F ACE S Alternate Connection Methods Version 3R2 Security Appliance User Guide 3 35 Select Interface PPPoE...

Page 60: ...SE C U R I T Y Z O N E S A N D I N TE R FA C E S Alternate Connection Methods 3 36 Security Appliance User Guide Version 3R2 3...

Page 61: ...e 2100 Additional System Management Tasks Using Network Time Protocol NTP Using Domain Name Service DNS Using Ping Using Traceroute US ING THE CONSOLE TO MANA GE TH E FRE EGUARD BLAZE 21 00 You must p...

Page 62: ...interface For administration console access you must connect the null modem cable included in the packaging to configure the freeGuard Blaze 2100 To access the console 1 Connect the female 2x5 header...

Page 63: ...assword NOTE Information for long commands might display incorrectly if the console window is resized to larger than 80 character columns RE ENABLING THE CONSOLE INTERFACE To re enable the console int...

Page 64: ...S O L E T I M E O UT T O 1 5 M I N U T E S set console timeout 15 save EXITING THE CONSOLE To exit the console type exit US ING SSH TO MANA GE TH E FREE GU ARD BLAZE 2100 For secure remote management...

Page 65: ...A C E 1 Network Interface Edit for ethernet0 2 Select the following then click Apply Management Option SSH E X A M P L E E N A B L E S S H O N A V L A N I N T E R F A C E E T H 0 1 0 0 set ssh enabled...

Page 66: ...rity zones Perform asset recovery Reset the device to its default settings Update the firmware Load configuration files Clear all active sessions of additional read only users CHANGING YOUR ADMINISTRA...

Page 67: ...N G I N G T HE A D M I N R P A S S W O R D 1 System Admin Administrators 2 Enter the following password information and click Apply Select the admin r user Type old password Type new password Confirm...

Page 68: ...nce This can be obtained from your sales representative 2 Place a copy of the latest software for the appliance into the root directory of the TFTP server program 3 Make sure a TFTP server is running...

Page 69: ...OR SECONDARY After you upload the new software image to the appliance you must set the image as the primary or secondary software image Use the set image command to set the software as primary or sec...

Page 70: ...0 3 mttflash txt G U I E X A M P L E S A V I N G T H E C O N F I G U R A T I O N F I L E F OR E X P O R T 1 System Configuration 2 TFTP Server Address 192 168 0 3 3 File Name mttflash txt 4 Select the...

Page 71: ...ess perform a hardware reset which erases the firmware and system settings Although the reset deletes the system configuration file you can access the appliance using the default login credentials Per...

Page 72: ...e through the freeGuard Blaze 2100 management interface This section includes the following topics Viewing System Information Creating Aliases Deleting Aliases Viewing Current Aliases Configuring Doma...

Page 73: ...etting vendor id 01 vendor name vendor vendor contact vendor manufacture code 00 manufacture date 2006 02 28 12 21 00 UTC product model Security Appliance product serial number 0001 02 0606 0074 ether...

Page 74: ...temp controller passed test phy control dev passed test rtc device passed test external tcam passed test fiber ext loopback passed test copper ext loopback passed G U I E X A M P L E V I E W I N G S...

Page 75: ...alias command get alias CONFIGURING DOMAIN NAMES To configure the freeGuard Blaze 2100 to respond to a specifically configured domain use the set domain command set domain name_str E X A M P L E C ON...

Page 76: ...DELETING HOST NAMES To delete a previously configured host name use the unset hostname command unset host USING NETWORK TIME PROTOCOL NTP The freeGuard Blaze 2100 uses Network Time Protocol NTP to upd...

Page 77: ...P R I M A R Y N T P S E R V E R I P A S 2 0 7 2 4 5 1 4 3 1 4 7 1 System Date Time 2 Enter the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can use a fully qualified...

Page 78: ...2 4 5 1 4 3 1 7 1 System Date Time 2 Remove the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can configure multiple NTP server IP addresses to ensure the freeGuard Bl...

Page 79: ...clock timezone number E X A M P L E C O N F I G U RI N G T H E C L O C K T I M E Z O N E T O P A C I F I C T I M E ZO NE G MT 8 set clock timezone 8 save G U I E X A M P L E C ON FI G U R I N G T HE...

Page 80: ...D R E S S A S 2 0 6 1 3 2 8 1 2 set dns host dns2 206 13 28 12 save G U I E X A M P L E S E T T I N G T HE S E C ON D A R Y D N S H O S T I P A D D R E S S A S 2 0 6 1 3 2 8 1 2 1 Interface DNS 2 Ente...

Page 81: ...m G U I E X A M P LE P I N G W W W Y A H O O C OM 1 System Tools 2 Enter the following then click Apply Diagnostic Tool Ping Ping www yahoo com US ING TRACEROUTE You can use traceroute to trace packet...

Page 82: ...SY ST EM MA N AGEM E N T Using Traceroute 4 22 Security Appliance User Guide Version 3R2 4...

Page 83: ...enting Network Port Attacks Additional Attack Detection and Prevention Viewing Attack Settings NE TWORK AT TACKS Attackers invade a protected network for any of the following reasons To gather informa...

Page 84: ...g evidence of the attack DE TECTING AN ATTACK To prevent hackers from exploiting a network the appliance uses stateful inspection to dynamically filter and secure all network connections Stateful insp...

Page 85: ...rmation launch a man in the middle attack or create a DoS by adding or restoring default routes Netbus Attack Affects Windows 95 98 and NT operating systems A netbus attack allows hackers to install a...

Page 86: ...on a network This causes the real machine on the network to think that it sent the packet to itself causing a resource slowdown SYN Flood Uses packets that have an unreachable source address to estab...

Page 87: ...ecific port attacks in the set policy command All Back orifice Ini killer Netbus Netspy Priority Ripper Senna spy Small server Seb seven Striker NOTE In addition you set the global port attack option...

Page 88: ...attacks refer to Figure 5 1 for an example of a DoS attack You can configure options on the appliance to apply various rate limits to ICMP TCP and UDP traffic Figure 5 1 Example of a DoS Attack Rate l...

Page 89: ...cy Attack Settings Edit Zone for unturst 2 Enter the following then click Apply ICMP flood attack threshold 1000 CONFIGURING UDP FLOOD PREVENTION To configure the rate limit for UDP datagrams in a spe...

Page 90: ...H O L D 1 Policy Attack Settings Edit Zone for untrust 2 Enter the following then click Apply SYN flood attack threshold 5000 CONFIGURING FIN FLOOD PREVENTION Setting a rate limit for FIN packets all...

Page 91: ...zone set zone untrust screen ip frag attack threshold 1000 save G U I E X A M P L E S E T T I N G T H E I P F R A GM E N T T H R E SH OL D 1 Policy Attack Settings Edit Zone for untrust 2 Enter the f...

Page 92: ...f IRDP Teardrop attack TCP no flags set Ping of Death Smurf attack TCP no flags set Unknown IP protocol UDP bomb VIEWING ATTACK SETTINGS To view the current attack settings per zone use the get zone c...

Page 93: ...T I O N Viewing Attack Settings Version 3R2 Security Appliance User Guide 5 11 G U I E X A M P L E V I E W I N G A T T A C K S E T T I N GS O N U N T R U S T Z O N E 1 Network Zone Edit for untrust 2...

Page 94: ...A T T A C K D E T E C T I O N A N D P R E V E N T IO N Viewing Attack Settings 5 12 Security Appliance User Guide Version 3R2 5...

Page 95: ...hrough a zone is considered an individual event Since the security appliance will be used to protect network infrastructures it becomes extremely important to record all events showing a possible secu...

Page 96: ...ssages that include error conditions that may exist on the security appliance Critical Messages Events that could affect functionality of the security appliance Alert Messages Events that require imme...

Page 97: ...SETTING LOG MODULE S To enable logging for a specific software module use the set log module command with the software module option the desired logging level and message destination set log module m...

Page 98: ...DULE SETTINGS To disable the software module settings use the unset log module command unset log module module level all informational notification warning error critical alert emergency debug destina...

Page 99: ...the 2Mb limit is reached the security appliance will over write the oldest event logs and replace them with newer events All messages logged will include date and time To view the event log you will...

Page 100: ...l logs G U I E X A M P L E V I E W T HE T R A F F I C A N D E V E N T L O G S 1 Reports System Log Events Shows the current log messages stored in the flash ADMIN MAIL SERVER CONFIGURE THE SECURITY AP...

Page 101: ...ver name REMOVING E MAIL ADDRESSES FROM THE ADMIN MAIL SERVER To remove an e mail address so messages are no longer sent to that e mail address use the unset admin mail address with the mail addr1 mai...

Page 102: ...B O T H T R A F F I C A N D EV E N T M E S SA GE S T O B E S E N T U S I N G S Y SL O G T O A S ER V ER A T I P A D D R E S S 1 0 0 0 2 0 0 W I T H T HE F A C I L I T Y O F L O C A L 0 1 Logging Sysl...

Page 103: ...ption Jun 02 Month and Day Stamp Displays the month and day when the message was generated 12 13 54 Time stamp Displays the time stamp when the message was generated The format is as follows HH MM SS...

Page 104: ...13 Interface group 1 3 6 1 2 1 2 RFC 2233 Address Translation group 1 3 6 1 2 1 3 IP group 1 3 6 1 2 1 4 RFC 2011 ICMP group 1 3 6 1 2 1 5 RFC 1213 TCP group 1 3 6 1 2 1 6 RFC 2012 UDP group 1 3 6 1 2...

Page 105: ...Translation Group Table 6 2 System Group Object Name Value Type sysDescr DisplayString sysObjectID OBJECT ID sysUpTime TimeTicks sysContact DisplayString sysName DisplayString sysLocation DisplayStri...

Page 106: ...Counter32 ipInHdrErrors Counter32 ipInAddrErrors Counter32 ipForwDatagrams Counter32 ipInUnknownProtos Counter32 ipInDiscards Counter32 ipInDelivers Counter32 ipOutRequests Counter32 ipOutDiscards Co...

Page 107: ...smMaxSize INTEGER Table 6 7 IP Route Table Object Name Value Type ipRouteDest IpAddress ipRouteIfIndex INTEGER ipRouteMetric1 INTEGER ipRouteMetric2 INTEGER ipRouteMetric3 INTEGER ipRouteMetric4 INTEG...

Page 108: ...r Guide Version 3R2 6 IP NET TO MEDIA Table 6 8 shows the IP Net to Media Table Table 6 8 IP Net to Media Table Object Name Value Type ipNetToMediaIfIndex INTEGER ipNetToMediaPhysAddress PhysAddress i...

Page 109: ...ter32 icmpInRedirects Counter32 icmpInEchos Counter32 icmpInEchoReps Counter32 icmpInTimestamps Counter32 icmpInTimestampReps Counter32 icmpInAddrMasks Counter32 icmpInAddrMaskReps Counter32 icmpOutMs...

Page 110: ...tcpRtoMin Integer32 tcpRtoMax Integer32 tcpMaxConn Integer32 tcpActiveOpens Counter32 tcpPassiveOpens Counter32 tcpAttemptFails Counter32 tcpEstabResets Counter32 tcpCurrEstab Counter32 tcpInSegs Cou...

Page 111: ...e Value Type udpInDatagrams Counter32 udpNoPorts Counter32 udpInErrors Counter32 udpOutDatagrams Counter32 Table 6 13 UDP Listener Table Object Name Value Type udpLocalAddress IpAddress udpLocalPort I...

Page 112: ...unter32 snmpInGetResponses Counter32 snmpInTraps Counter32 snmpOutTooBigs Counter32 snmpOutNoSuchNames Counter32 snmpOutBadValues Counter32 snmpOutGenErrs Counter32 snmpOutGetRequests Counter32 snmpOu...

Page 113: ...the SNMP listening port on the security appliance dot3StatsFCSErrors Counter32 dot3StatsSingleCollisionFrames Counter32 dot3StatsMultipleCollisionFrames Counter32 dot3StatsSQETestErrors Counter32 dot...

Page 114: ...ith Type System Location Lab Type Listen Port 161 Type Trap Host 162 3 SNMP Community Edit 4 Enter the following SNMP Community settings and click Apply Type Name public Type Host 192 168 1 1 ENABLING...

Page 115: ...ost IP address to be entered set snmp community string host host OID CONFIGURING THE SNMP LISTENER PORT To configure the SNMP listener port use the set snmp port command and specify the SNMP listener...

Page 116: ...G THE SNMP SYSTEM CONTACT To delete the SNMP system contact use the unset snmp contact command unset snmp contact VIEWING THE SNMP SETTINGS To view the SNMP settings use the get snmp command with the...

Page 117: ...nt SNMP statistics cli get snmp statistics In pkts 0 Out pkts 0 In bad versions 0 In bad community names 0 In bad community uses 0 In asn parse errors 0 In bad types 0 In too bigs 0 In no such names 0...

Page 118: ...NG THE INTERFACE STATISTICS To view the interface statistics for a specific physical interface use the get counter command and specify the specific interface get counter statistics interface interface...

Page 119: ...deny 1000 in no route 0 in no sa with policy 0 in policy permit 6 in no dip 0 in bad policy 0 in ipsec sa fail 0 in ipsec crypto err 0 in ipsec esp only 0 in ipsec esp na 0 in ipsec esp auth 0 in ips...

Page 120: ...Appliance 6 26 Security Appliance User Guide Version 3R2 6 G U I E X A M P L E V I E W T H E I N T E R F A C E S T A T I S T I C S F O R T H E E T H 0 I N T ER FA C E 1 Reports Counters Hardware 2 Se...

Page 121: ...Implementations Configuring Internet Key Exchange Advanced VPN Configuration Options VIRTUAL PRIVAT E NETWORKS Businesses can use a Virtual Private Network VPN to communicate and transfer information...

Page 122: ...on of IPsec is seen in VPN deployments IPsec can be broken down into two different modes and protocols The modes include Transport and Tunnel and the protocols include AH and ESP T R A N S P O R T M O...

Page 123: ...ing Transport Mode T U N N E L M O D E In tunnel mode refer to Figure 7 3 all data is encrypted including the IP header All of the original data is encapsulated into a new IP payload and includes a ne...

Page 124: ...n code HMAC Table 7 1 explains MD5 and SHA 1 Table 7 1 MD5 and SHA 1 Description The ESP protocol ensures privacy encryption source authentication and content integrity authentication ESP includes the...

Page 125: ...the Diffie Hellman DH group This value is secure so that the original message can be sent over an insecure medium without sending the secret message along with it There are a total of three DH groups...

Page 126: ...d Blaze 2100 appliances requires the following configuration The static IP address is assigned to the eth1 interface on each of the appliances The trusted networks connect to the eth0 interface of the...

Page 127: ...rs to configure one side of a manual key VPN tunnel Refer to the CLI Reference Guide and Command Descriptions for additional manual key parameters Table 7 2 Required Manual Key VPN Parameters Paramete...

Page 128: ...parameters in this command Refer to the CLI Reference Guide and Command Descriptions for additional policy parameters key authentication_key Authentication Key Hexadecimal value 32 characters in leng...

Page 129: ...Follow these steps to configure the required VPN tunnels in Figure 6 2 Define your security zone and interface IP service Specifies the services enabled to pass through the VPN tunnel tunnel Action t...

Page 130: ...E Y V P N I M P L E M E N T AT I O N N E W Y O R K O FFIC E Refer to Figure 7 4 and Figure 7 5 for the following example of a manual key VPN implementation Interfaces set interface eth0 zone trust se...

Page 131: ...N T AT I O N N E W Y O R K O FFIC E Interfaces 1 Network Interface Edit for ethernet0 2 Enter the following then click Apply Zone Name Trust IP Address Netmask 192 168 100 1 24 Interface Mode NAT 3 Ne...

Page 132: ...1 Outgoing interface eth1 Local SPI 1230 Remote SPI 1230 Encryption Algorithm aes 128 Hex Key 1111222233334444 Authentication Algorithm sha 1 Hex Key 11112222333344445555666677778888 Routing 1 Networ...

Page 133: ...Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address San Francisco Destination Address NYO Service Any Tunnel VPN From SF E X A M P L E M A N U A L...

Page 134: ...untrust sfo New York any tunnel vpn sfo_nyo set policy top name vpnfrom_newyork from untrust to trust New York sfo any tunnel vpn sfo_nyo save G U I E X A M P L E M A N U A L K E Y V P N I M P L E M...

Page 135: ...ddress Netmask 192 168 100 0 24 Zone Untrust VPN 1 VPN Manual Key Edit 2 Enter the following then click Apply Tunnel Name to_newyork Gateway IP 4 4 4 1 Outgoing interface eth1 Local SPI 1230 Remote SP...

Page 136: ...one Trust Destination Zone Untrust Source Address SFO Destination Address New York Service Any Tunnel VPN From SF 3 Policy Configuration Edit 4 Enter the following then click Apply Enable Policy Locat...

Page 137: ...N uses a pre shared secret to allow the creation of a VPN tunnel between two or more VPN appliances During the IKE negotiation phase the pre shared secret creates keys that encrypt and decrypt packets...

Page 138: ...N appliance IKE Identity IPv4 address e mail address or FQDN Phase 1 Exchange proposal to determine how to authenticate and secure the channel Mode Exchange Main or Aggressive DH Group 1 2 or 5 Protoc...

Page 139: ...NG AN IKE TUNNEL USING A PRE SHARED SECRET Setting up a VPN tunnel using IKE requires the following steps Define your security zone interface IP Create address objects for the local and remote end poi...

Page 140: ...2 168 100 1 24 set interface nat set interface eth1 zone untrust set interface eth1 ip 162 198 10 1 24 Addresses set address trust ny_local 192 168 100 0 24 set address untrust sf_destination 10 0 0 0...

Page 141: ...untrust to trust sf_destination ny_local any tunnel vpn sfo_nyo save G U I E X A M P L E N E W Y O R K O F F I C E U S I N G I K E Interfaces 1 Network Interface Edit for ethernet0 2 Enter the followi...

Page 142: ...llowing then click Apply Name encryptaesp1 Authentication Method PSK DH Group Group 5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 3 VPN Phase 2 Proposal Edit 4 Enter the following then click App...

Page 143: ...onfiguration Edit 2 Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address ny_local Destination Address sf_destination...

Page 144: ...nation 192 168 100 0 24 VPN set ike p1 proposal encryptaesp1 preshare group5 esp aes128 sha 1 set ike p2 proposal encryptaesp2 preshare group5 esp aes 128 sha 1 seconds 28800 set ike gateway to_newyor...

Page 145: ...pply Zone Name Trust IP Address Netmask 10 0 0 0 24 Interface Mode NAT 3 Network Interface Edit for eth1 4 Enter the following then click Apply Zone Name Untrust IP Address Netmask 4 4 4 1 24 Addresse...

Page 146: ...orithm SHA 1 3 VPN Phase 2 Proposal Edit 4 Enter the following then click Apply Name encryptaesp2 PSF PSF Group5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 Seconds 28800 5 VPN IKE Gateway Edit...

Page 147: ...ation Address ny_destination Service Any Tunnel VPN From SF 3 Policy Configuration Edit 4 Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination...

Page 148: ...k to New_York unset ike gateway to_newyork unset vpn sfo_nyo set ike gateway New_York address 162 198 10 1 main outgoing interface eth1 preshare password proposal encryptaesp1 set vpn sfo_nyo gateway...

Page 149: ...0 0 0 0 2 Trust Peer_lan 172 16 10 0 24 Untrust Local_lan 172 16 10 0 24 Trust Peer_lan 10 0 0 0 24 Untrust IKE Gateway GWA 10 0 0 100 preshared password GWB 172 16 10 100 preshared password Policies...

Page 150: ...route 0 0 0 0 0 interface br0 gateway 10 0 0 5 metric 1 set address trust local_lan 10 0 0 0 24 set address untrust peer_lan 172 16 10 0 24 set ike gateway gw1 address 172 16 10 100 main outgoing int...

Page 151: ...eth1 ip 0 0 0 0 0 set interface eth1 transparent set interface eth1 zone untrust set route 0 0 0 0 0 interface br0 gateway 172 16 10 5 metric 1 set address trust local_lan 172 16 10 0 24 set address...

Page 152: ...D option to set how many missed r u there message are allowed before the VPN tunnel is torn down the rebuilt set ike gateway name_str dpd always send set ike gateway name_str dpd interval number set i...

Page 153: ...ed by default on all IKE VPN tunnels To disable replay protection use the set vpn command with the no replay option set vpn name_str gateway gw_address no replay VIEW A VPN TUNNEL To view the current...

Page 154: ...get this information for a specific tunnel by specifying the tunnel name get ike gateway name_str V I E W I K E P H A S E 1 P R O P OS A L S To view the IKE phase 1 proposal information use the get i...

Page 155: ...Zero Reserved Fields S T A T IC R OU T E S An implicit or explicit route must be defined in the routing table for traffic to move between interfaces on the appliance The destination network interface...

Page 156: ...ptions to add a static route set route ip_addr mask gateway ip_addr interface interface name E X A M P L E A D D I N G A S T A T I C R O U T E In the network described in Figure 8 1 a static route is...

Page 157: ...y with the desired route changes E X A M P L E M OD I F Y I N G A S T A TI C R OU T E Modify the gateway on a previously created static route from 10 0 0 100 to 10 0 0 20 unset route 10 0 100 0 24 gat...

Page 158: ...name gateway ip_addr E X A M P L E S E T T I N G T H E D E F A U L T R OU T E Configure the default route on the appliance in Figure 8 1 to use the eth1 interface and a gateway of 4 4 4 1 which is th...

Page 159: ...S Static A Auto Exported I Imported R RIP P Permanent iB IBGP eB EBGP O OSPF E1 OSPF external type 1 E2 OSPF external type 2 IP Prefix Interface Gateway P Distance Metri 64 79 127 64 32 eth1 0 0 0 0 C...

Page 160: ...erred to as IP RIP is formally defined in two documents Request For Comments RFC 1058 and Internet Standard STD 56 As IP based networks became both more numerous and greater in size it became apparent...

Page 161: ...s only one instance of RIP running at one time on a freeGuard Blaze 2100 This section describes the following basic steps to configure RIP on a freeGuard Blaze 2100 Enable the RIP instance globally En...

Page 162: ...on G U I E X A M P L E R E J E C T D E F A U L T R O U T E L E A R N E D B Y R I P 1 Network Routing RIP 2 Enter the following RIP information then click Apply Select Reject Default Route Learned by R...

Page 163: ...es to IGRP and RIP If an interface is configured with secondary IP addresses and split horizon is enabled updates might not be sourced by every secondary address One routing update is sourced per netw...

Page 164: ...I N G Accepting Packets with Non Zero Reserved Fields 8 10 Security Appliance User Guide Version 3R2 8 nonzero values in the fields that must be zero This default behavior implements RIP v1 2 specific...

Page 165: ...appliance is to deny traffic from one zone to another To permit communication from one zone to another you must configure a policy After you use the set policy command to create a policy the policy e...

Page 166: ...ECURITY POLICY TYPES You can configure three types of policies for the appliance Interzone Policy Refer to Configuring Interzone Policies Intrazone Policies Refer to Configuring Intrazone Policies Glo...

Page 167: ...U R I N G I N T R A ZO N E P O L I C I E S Intrazone policies control traffic to and from all hosts within the same zone By default all hosts configured in the same zone can communicate Therefore a p...

Page 168: ...S Global policies are not assigned to a specific zone and either allow or deny packets to all zones Use the set zone command and specify global as the zone to create a global policy set policy global...

Page 169: ...cies Creating a name or alias to the refer to the policy Parameter Description src_zone dst_zone The src_zone and dst_zone objects are used to define the direction of the policy and whether the traffi...

Page 170: ...4 4 4 set policy from untrust to trust any FTPtrust ftp permit save G U I E X A M P L E C R E A T E A P OL I C Y 1 Objects Add Address Object 2 Enter the following then click Apply Name FTP Trust IP...

Page 171: ...on Edit 2 Enter the following then click Apply Enable Policy Name ftpcorp Action permit Source Zone untrust Destination Zone trust Source Address any Destination 4 4 4 4 Service FTP REORDERING POLICES...

Page 172: ...on Address Any Service FTP By default the freeGuard Blaze 2100 software assigns a newly created policy a policy ID and adds it to the bottom of the policy list To restrict FTP traffic from trust to un...

Page 173: ...by specifying a policy number unset policy id number VIEWING POLICIES You can display policies using the get policy command get policy This displays all policies in the policy database with the excep...

Page 174: ...following information about the policy with the specified ID number get policy id 202 ID 202 Name Action permit Status enabled From trust To trust Src any Dst any Service any NAT off Schedule N A Use...

Page 175: ...et policy command with the log option set policy from src_zone to dst_zone src_addr dst_addr srvc permit deny reject For additional information about logging refer to Chapter 6 Logging CONFIGURING ADD...

Page 176: ...ned by an IP address and subnet mask set address zone name_str ip_addr mask NOTE The pre defined address object any refers to all hosts in that zone E X A M P L E C R E A T I N G A N A D D R E S S OBJ...

Page 177: ...bject 2 Enter the following then click Apply Name John IP Address Netmask 10 0 0 100 32 Zone Trust 3 Objects Add Address Object 4 Enter the following then click Apply Name Matt IP Address Netmask 10 0...

Page 178: ...ailServerNY 10 200 0 0 24 save G U I E X A M P L E M O D I F Y A N A D D R E S S O B J E C T 1 Objects Address Objects 2 Select the following then click Apply Remove MailServer 3 Objects Add Address O...

Page 179: ...s zone grp_name add adr_obj The following limitations apply to address groups Address groups cannot have the same name as an address object If the policy database references an address group you canno...

Page 180: ...O U P 1 Objects Add Address Object 2 Enter the following then click Apply Name Finance_Subnet IP Address Netmask 10 0 1 0 24 Zone Trust 3 Objects Add Address Object 4 Enter the following then click Ap...

Page 181: ...of the address objects out of an address group the address group name is not deleted ADDING COMMENTS TO ADDRESS GROUPS Use the set group command with the address and comment options to add a comment...

Page 182: ...ring Custom Service Objects Deleting Service Objects Modifying Service Objects Configuring Service Timeouts VIEWING PREDEFINED SERVICE OBJECTS To view predefined service objects use the get service co...

Page 183: ...rvice object first delete the object and then re create the object with the new settings E X A M P L E M OD I F Y I N G A C U S T OM S E R VI C E Change the destination port on Telnet_Custom to port 2...

Page 184: ...save You can use the following options to define the additional properties of the service Code Values and Type for ICMP Services Timeout Value CONFIGURING SE RVICE GROUPS You can use service groups to...

Page 185: ...PS Use the set group command with the service option to create a service group set group service name_str Use the set group command with the service and add options to add service objects to a service...

Page 186: ...ons to remove a specific service from the group unset group service name_str remove name_str To remove all services in the group use the clear option MODIFYING SERVICE GROUPS To modify a service group...

Page 187: ...oup that service group name is not deleted ABOUT SCHEDULE S A schedule is an object that defines the day and time a policy is action takes place This section describes how to create add view and delet...

Page 188: ...by referring to the schedule name once The once option is used to define a one time event start Use the start option and specify a day and time to allow traffic matching the policy to pass through sto...

Page 189: ...set policy command with the schedule option to add a schedule to a policy set policy from zone to zone src_adr dst_adr srvc schedule name_str day The day field requires an mm dd yyyy format start Use...

Page 190: ...day start 00 00 stop 23 59 comment Block weekend Internet access set policy from trust to untrust any any any deny schedule weekend save G U I E X A M P L E C RE A T E A R E C U R R I N G S C H E D U...

Page 191: ...e 9 27 DELETING SCHEDULES To delete a schedule use the unset scheduler command unset scheduler name_str VIEWING SCHEDULES Use the get scheduler command with the once recurrent or name options to view...

Page 192: ...P OL IC Y CO NF I G URA T IO N About Schedules 9 28 Security Appliance User Guide Version 3R2 9...

Page 193: ...NAT either on the interface or through the security policy database This chapter describes how to enable NAT through the security policy database For information on enabling NAT on the interface refer...

Page 194: ...u configure the policy without specifying a DIP pool ID the policy uses the source address of the egress interface as the translated address Use the set policy command with the nat src and dip id opti...

Page 195: ...e dip dip id start address end address Addresses in the DIP pool must be on the same subnet as the corresponding egress interface You can create multiple DIP pools created each identified with a diffe...

Page 196: ...src permit CONFIGURING SOURCE NAT MANY TO MANY WITH PORT ADDRESS TRANSLATION In a source NAT many to many NAT configuration all source IP addresses translate to an IP address dynamically taken from a...

Page 197: ...changing the destination port in one to one NAT and many to one NAT configurations Unlike port address translation which randomly assigns the port during translation port mapping uses a policy assign...

Page 198: ...ith the nat dst ip option to specify destination NAT in the policy set policy from zone to zone src_addr dst_addr port nat dst ip nat_addr permit CONFIGURING DESTINATION NAT ONE TO ONE WITH PORT MAPPI...

Page 199: ...licy from zone to zone src_addr dst_addr port nat dst ip nat_addr port prt_nbr permit CONFIGURING DESTINATION NAT MANY TO MANY Use the set policy command with the nat dst ip option to specify destinat...

Page 200: ...10 8 Security Appliance User Guide Version 3R2 10 the first address from the destination NAT range The translated addresses maintain consistency Refer to Figure 10 5 for an example Figure 10 5 Destin...

Page 201: ...sers when link and or node failures occur HA functionality interfaces with almost all subsystems of the product HA functionality includes three interacting state machines to provide heartbeat election...

Page 202: ...lays HA link information set unset ha config sync Enables or disables synchronization between members of the vsd group set ha preempt Used to preempt the primary node and take over the role of primary...

Page 203: ...ignated secondary set int eth0 ip 192 168 1 2 24 set int eth0 manage ip 192 168 1 102 24 set int eth1 ip 1 1 1 2 24 set int eth1 manage ip 1 1 1 102 24 NOTE manage ip on eth1 is only required to manag...

Page 204: ...The priority of the device sets whether the device will be primary or secondary The number closest to 1 will be designated primary On Node1 set ha priority 10 hb interval 1000 hb threshold 3 grat arp...

Page 205: ...A C E A N D W A N P O R T F OR N O D E 2 1 HA Configuration 2 Enter the following HA information then click Apply Select HA Interface eth0 Select WAN Port eth1 Type Peer ip 192 168 1 101 G U I E X A...

Page 206: ...User Guide Version 3R2 11 G U I E X A M P L E S E T H A C O N F I G U R A T I O N S Y N C H R O N I Z AT I O N 1 HA Config Sync 2 Select the HA Configuration Synchronization button G U I E X A M P L...

Page 207: ...Public Key Infrastructure and X 509 Digital Certificates PKI Basics CLI Commands ABOUT PUBLIC KEY INFRASTRUCT URE AND X 509 DIGITAL CERTIFICATES PKI is designed to be used with IPSec instead of PSK a...

Page 208: ...C S PKI arrangements enable users to be authenticated to each other and to use the information in identity certificates Users are certified by a third party also known as a Certificate Authority Figur...

Page 209: ...12 3 A TYPICAL DIGITAL CERTIFICATE The following figure shows a typical Digital Certificate Figure 12 2 Typical Digital Certificate The certificate contains Digital Certificate Version Serial Number S...

Page 210: ...ting a certificate on page 12 6 Using a Certificate for a VPN tunnel on page 12 6 For more information on CLI Commands see the CLI Reference Guide GENERATING A SELF SIGNED CERTIFICATE First we need to...

Page 211: ...in a PKCS10 certificate request based on the key pair generated get pki x509 pkcs10 1 The output of the command should provide the certificate request as follows BEGIN CERTIFICATE REQUEST MIIBCzCBtgIB...

Page 212: ...ed by the IP Address of the TFTP server where the file is available and the test crt should be replaced with the actual file name for the certificate USING A CERTIFICATE FOR A VPN TUNNEL The following...

Page 213: ...n 3R2 Security Appliance User Guide A 1 PRE DEFINED SERVICES A This appendix lists all of the pre defined services defined on the security appliance including the name protocol port group inactivity t...

Page 214: ...defined FTP Put 6 21 remote Default Pre defined GOPHER 6 70 info seeking Default Pre defined HTTP 6 80 info seeking Default Pre defined HTTPS 6 443 security Default Pre defined ICMP INFO 1 0 65535 oth...

Page 215: ...18 other Default Pre defined TCP ANY 6 0 65535 other Default Pre defined TELNET 6 23 remote Default Pre defined TFTP 17 69 remote Default Pre defined TRACEROUTE 1 0 65535 other Default Pre defined UDP...

Page 216: ...P R E DEF I N E D SER V IC ES A 4 Security Appliance User Guide Version 3R2 A...

Page 217: ...IP address network mask or other data Authentication Header AH A method that provides integrity and authentication but not privacy as IP data is not encrypted AH contains an authentication value base...

Page 218: ...est an IP address from the DHCP server This protocol reduces the work necessary to administer a large IP network Encryption The ability for a network device to translate data into a secret code Encryp...

Page 219: ...estination High Availability HA Provides the ability to service end users i e sessions with little or no interruption when failures occur Host Name A unique name that a host on a network is known as a...

Page 220: ...n of IPsec is seen in virtual private network VPN deployments IPsec enables VPNs to take advantage of authentication integrity and confidentiality Internet Security Association and Key Management Prot...

Page 221: ...255 0 10 0 0 0 24 refers to all hosts in the 10 0 0 0 subnet Network Address Translation NAT A standard that allows machines on a local area network LAN to use a set of IP addresses for internal use a...

Page 222: ...Protocol RIP One of the most commonly used interior gateway protocol IGP routing protocols on internal networks and to a lesser extent networks connected to the Internet which helps routers dynamical...

Page 223: ...is used to tag and identify the subinterface Subnet A network that shares a common address component Subnets are defined as all hosts whose IP addresses have the same prefix on a TCP IP network Subne...

Page 224: ...Users on the VLAN are identified using tags in the frame header and are often referred to in the IEEE standard 802 1Q Virtual Private Networking VPN An easy cost effective way for business to use the...