Securepoint RC 100, Product Overview

Page 1: ...Securepoint 10 Securepoint ...

Page 2: ...ons proxies virus scanner spam filter and content filter If you purchase the Terra VPN Gateway you can easily upgrade to the Securepoint UTM product with a registration key At this yearly update costs are incurred For further informa tion contact our sales department vertrieb securepoint de UTM Products Terra UTM Gateway Piranja RC100 RC200 RC300 RC310 RC400 RC410 Securepoint 10 for Modular Server...

Page 3: ...RC 100 14 3 2 RC 200 15 3 3 RC 300 15 3 4 RC 400 16 4 Administration Interface 17 4 1 Connecting the Appliance 17 4 2 System Requirements for Client Computer 18 5 Securepoint Cockpit 18 5 1 Navigation Bar 19 5 2 License 19 5 3 System 20 5 4 Service Status 21 5 5 Appliance 23 5 6 Interfaces 23 5 7 IPSec 24 5 8 Downloads 24 5 9 Spuva User 24 5 10 SSH User 25 5 11 Web Interface User 25 5 12 DHCP Leas...

Page 4: ... 5 Logout 32 7 Menu Network 33 7 1 Server Properties 34 7 1 1 Server Settings 34 7 1 2 Administration 35 7 1 3 Syslog 36 7 1 4 SNMP 37 7 1 5 Monitor Agent AmdoSoft v4 Agent 38 7 1 6 Cluster Settings 39 7 2 Network Configuration 40 7 2 1 Interfaces 40 7 2 1 1 Add eth Interface 42 7 2 1 2 Add VLAN Interface 43 7 2 1 3 Add PPTP interface 45 7 2 1 4 Add PPPoE Interface 46 7 2 1 5 VDSL Interface hinzuf...

Page 5: ... 4 2 Ping 61 7 4 3 Routing Table 62 8 Menu Firewall 63 8 1 Portfilter 64 8 1 1 Create Rule 67 8 1 1 1 Infobox Function 68 8 1 1 2 Tab Time 69 8 1 1 3 Tab Description 69 8 1 2 Create Rule Group 70 8 1 3 Organize Rules and Groups 71 8 2 Hide NAT 72 8 3 Port Forwarding 74 8 3 1 Port Forwarding 75 8 3 2 Port Translation 76 8 4 Services 77 8 4 1 Delete and Edit Services 77 8 4 2 Services Information 78...

Page 6: ...lter 94 9 1 4 Block Extensions 96 9 1 5 Block Applications 97 9 1 6 Content Filter 98 9 1 6 1 Blacklist Categories 98 9 1 6 2 Whitelist 99 9 1 6 2 1 User 99 9 1 6 2 2 IP Addresses 100 9 1 6 2 3 Websites 101 9 1 7 Bandwidth 102 9 2 POP3 Proxy 103 9 3 Mail Relay 104 9 3 1 General 105 9 3 2 Relaying 106 9 3 3 Mail Routing 108 9 3 4 Greylisting 110 9 3 4 1 Whitelist IP address Net 111 9 3 4 2 Whitelis...

Page 7: ... 123 9 4 6 POP3 Settings 124 9 5 VNC Repeater 125 9 5 1 General 125 9 5 2 VNC Server ID 126 9 5 3 VNC Server IP 126 9 6 VoIP Proxy 127 9 6 1 General 127 9 6 2 Provider 128 9 7 IDS 129 9 8 Nameserver 130 9 9 Service Status 131 10 Menu VPN 132 10 1 IPSec Wizard 133 10 1 1 Site to Site 133 10 1 2 Site to End Roadwarrior 136 10 1 2 1 native IPSec 137 10 1 2 1 1 IKEv1 138 10 1 2 1 2 IKEv2 139 10 1 2 2 ...

Page 8: ... 6 Add User Tab WoL 159 11 2 External Authentication 160 11 2 1 Radius 160 11 2 2 LDAP Server 161 11 2 3 Kerberos 162 11 3 Certificates 163 11 3 1 Create CA 164 11 3 2 Create Certificates 165 11 3 3 Import CA and Certificate 166 11 3 4 Export CA and Certificate 166 11 3 5 Download SSL VPN Client 167 11 3 6 Delete CA and Certificate 168 11 3 7 Tab CRLs 169 12 Menu Extras 170 12 1 CLI 171 12 1 1 CLI...

Page 9: ...arch function 186 13 3 Tab Settings 187 13 4 Details of a Log Message 188 13 5 Raw Data 189 13 6 Colored Labeling of the Service in the Live Log 190 Part 2 User Interface 191 14 Login User Interface 192 14 1 The User Interface Sections 193 14 2 Change Password 194 14 3 Download SSL VPN Client 195 14 4 Spamfilter 196 14 4 1 Overview over the spam filter interface 196 14 4 2 Columns of the Table 198...

Page 10: ...ity Solutions 10 14 4 7 1 Filter 203 14 4 7 2 Tab General 204 14 4 7 3 Tab Virus 204 14 4 7 4 Tab Top Level Domain 205 14 5 SPUVA Login 206 14 6 Wake on LAN 207 14 7 Download Section 208 15 Zone Concept of the Securepoint Firewall 209 ...

Page 11: ...rd the network against destructive programs and to control the communication with the internet The Securepoint Unified Threat Management UTM offers a complete solution with comprehensive safety measures in respect of network web and e mail security The appliance offers firewall IDS and VPN functionality proxies automatic virus scanning web content and spam filtering clustering high availability un...

Page 12: ...Securepoint 10 Securepoint Security Solutions 12 Part 1 The Administration Interface ...

Page 13: ...bit s 100 Mbit s RC 200 25 to 50 400 Mbit s 260 Mbit s RC 300 50 to 100 1000 Mbit s 700 Mbit s RC 310 50 to 100 1000 Mbit s 1000 Mbit s RC 400 100 to 500 1000 Mbit s 1000 Mbit s RC 410 100 to 500 1000 Mbit s 1000 Mbit s machine CPU RAM HDD interfaces USB ports Piranja VIA C3 Eden 533 MHz 1 GB Compact Flash 512 MB 3 x 10 100 Ethernet ports 1 RC 100 VIA C7 1 GHz 1 GB 80 GB 3 x 10 100 Ethernet ports ...

Page 14: ...1 Piranja and RC 100 The Piranja and the RC 100 appliances have 3 Ethernet ports LAN 1 to LAN 3 one serial interface D Sub and two USB ports The three network ports are destined for different nets The interface eth0 is reached through LAN 1and is designated for the external network internet LAN 2 represents the second interface eth1 and is designated for the internal network The port LAN 3 uses th...

Page 15: ...fig 3 rear view of the Piranja respectively of the RC 100 port interface net LAN 1 eth0 external internet LAN 2 eth1 internal LAN 3 eth2 DMZ LAN 4 eth3 free disposal 3 3 RC 300 The RC 300 has 6 LAN ports Contrary to smaller dimensioned appliances the ports are numbered serially from right to left The ports at the machine are not labeled Take the attri bution from the figure fig 4 front view of the...

Page 16: ... 1 and LAN 3 are destined for the predefined networks The ports in the machine are not labeled Take the attribution from the figure fig 5 front view of the RC 400 schematic port interface net LAN 1 eth0 external internet LAN 2 eth1 internal LAN 3 eth2 DMZ LAN 4 eth3 free disposale LAN 5 eth4 free disposale LAN 6 eth5 free disposale LAN 7 eth6 free disposale LAN 8 eth7 free disposale LAN 1 LAN 3 LA...

Page 17: ... your internet browser and insert the following value into the address field https 192 168 175 1 11115 If you have changed the IP address at the installation replace the IP address 192 168 175 1 with the new one The dialog LOGIN appears fig 6 Login dialog At the field Username insert admin At the field Password insert insecure or the new password if you change it during the installation process Af...

Page 18: ...rst screen shown after login to the trusted area displays an overview of the hardware and services status Besides it contains the navigation bar information of the license active connections and available downloads This view is always open All further configuration options and settings will be conducted in popup windows After editing the settings the popup windows will be closed and the cockpit in...

Page 19: ...s the respective dropdown menu fig 8 navigation bar of the cockpit 5 2 License In this area you have an overlook of the firewall software updates and license name description Firewall Type Name of the firewall software Version Version of the firewall software Licensed to Name and if applicable company of the license owner License valid till Validation of the license The date is given in US America...

Page 20: ...pe of processor RAM Utilization of the memory graphical and in percentage SWAP Utilization of the swap file graphical and in percentage Uptime How long the system is running since the last reboot Current TCP Connections Number of current TCP connections Current UDP Connections Number of current UDP connections Start Configuration Name of the start configuration Running Configuration Name of the ru...

Page 21: ...am HTTP Proxy Hypertext Transfer Protocol Proxy The proxy interconnects the client of the internal network with the server in the internet It can block HTTP requests by means of content and it can test websites for viruses VoIP Proxy Voice over IP Proxy Offers internet telephony VNC Repeater Virtual Network Computing Offers to control a remote computer DynDNS Client Dynamic Domain Name Services Cl...

Page 22: ...TP SSL VPN Server Secure Socket Layer Virtual Private Network Server Offers SSL secured VPN connections to the firewall IGMP Proxy Internet Group Management Protocol Offers the spreading of packets to multiple recipients Virusscanner Virus scan service for POP3 and HTTP CTASD Server Commtouch Anti Spam Daemon Service for spam identification from the company Commtouch Kerberos The Kerberos authenti...

Page 23: ... interfaces ethx are shown name description eth0 Ethernet adapter for connection to the internet At the appliance indicated as LAN 1 eth1 Ethernet adapter for connection to the internal Network At the appliance indicated as LAN 2 eth2 Ethernet adapter to attach a demilitarized zone DMZ At the appliance indicated as LAN 3 ppp0 A virtual interface to connect the firewall to the internet with PPPOE W...

Page 24: ...rt description are shown The filename is a hyperlink which you can use to download the file directly fig 16 available downloads in the user interface 5 9 Spuva User This table lists the users and their IP address which have signed in via SPUVA Securepoint User VerificationAgent The SPUVA gives users individual rights on computers in the DHCP environment The user authenticates against SPUVA and get...

Page 25: ...nistration interface and the user interface fig 19 users which are logged on the administration or user interface 5 12 DHCP Lease The DHCP Dynamic Host Configuration Protocol server assigns dynamic IP addresses to the user of the internal network if this service is activated This IP address is reserved for the user for a defined time In this section the reserved addresses are listed with the user ...

Page 26: ...st 24 hours The measurement is taken every 5 minutes fig 21 graphical display of the data traffic 5 13 1 Traffic Settings With the button Settings your can configure which interfaces are displayed in this area The dialog Interface Traffic Settings shows two lists The left one shows the available inter faces and the right one the interfaces which are displayed in the cockpit Highlight an inter face...

Page 27: ...agram opens a new window which shows the graph in higher resolution It also shows details of the traffic fig 23 details of the data traffic of the interface eth1 You can enlarge a section of the graph by raising a selection rectangle in the lower diagram You can reset the selection by clicking Reset Zoom fig 24 enlarged section ...

Page 28: ...d only describes the relative di alog fig 25 help symbol in the title bar 5 15 Administrator IP At the bottom of the web browser window the user name and the IP address of the logged on administrator are shown A click on the double arrow in the lower left corner hides or shows the bar fig 26 name and IP address of the logged on user fig 27 hides or shows the data 5 16 Refresh At the right side of ...

Page 29: ...he menu item configuration name description Configuration management The configuration management shows a list of all saved configuration files Here you can export print or delete the configuration Furthermore you can load and import configurations set a start configu ration or save current settings in a new file Reboot System Stops the system and starts it again Halt System Stops the system but d...

Page 30: ...ion name This confi guration is loaded when the appliance is turned on for example after reboot The heart symbol labels the current running configuration The signs behind the configuration names are buttons for functions which can be used for every configuration The buttons Save as and Import are located below the list button function description export Exports the configuration and saves it in DA...

Page 31: ...d automatically in the current running configuration You can also save the new settings in an existing configuration or in a new one Click on the button Save as The dialog Save as appears Select an existing configuration from the dropdown box or enter a new name for the configuration Click on Save fig 31 save the configuration ...

Page 32: ...32 import external configuration 6 2 Reboot System The second point of the dropdown menu restarts the appliance After reboot the start confi guration will be loaded If no configuration is set as a start configuration you have to set one before the reboot 6 3 Halt System This point stops the system The system will neither be rebooted nor new shuted down 6 4 Factory Defaults Reset the system to fact...

Page 33: ...ion fig 33 dropdown menu of the menu item network name description Server Properties Appliance basic settings Administrator IP addresses time zone and log server IP address Network Configuration Network settings Setting of IP addresses and subnets of interfaces DSL connec tion DynDNS service routing and DHCP server Zone Configuration Assign interfaces to zones and create new zones Network Tools To...

Page 34: ...e field Servername Enter the IP address of the Domain Name Service server into the field Primary Na meserver If you use a second name server enter its IP address into the field Secondary Na meserver Enter the IP adress or the host name of a time server into the filed NTP Server and select your time zone in the dropdown box Timezone You can limit the numbers of TCP IP connections The number must ra...

Page 35: ...nets the appliance can be admini strated from To add an IP address or a net click the button Add Host Net The dialog Add Host IP appears Enter a host name or an IP address If you want to allow the access for a subnet you have to use the bitcount notation For example 192 168 176 0 24 Click Add You can delete entries in the list by clicking the trash can icon beneath the entry fig 35 tab Administrat...

Page 36: ...he logging data in Syslog format can be stored on a server So you can analyse logging data at a later time To add a server for protocol data click on Add Syslog Server The dialog Add Syslog Server appears Enter the IP address or the host name into the input field and click Add You can delete a server in the list by clicking the trash can icon beneath the entry fig 36 tab syslog of the Server Setti...

Page 37: ...a SNMP client and the SNMP service must be installed on the remote computer The host must also know the Community String Activate the SNMP Version you want to support You can support both versions at the same time Set a keyword into the field Community String Advice the remote user of this key word At the bottom of the section Enable access from networks enter an IP address you want to allow the a...

Page 38: ... network The controller software for the automatic monitoring has to be purchased from the company AmdoSoft Systems It is no rule necessary for this data traffic Go to the point Network on the navigationbar and click on the entry Server Proper ties in the dropdownmenu In the dialog Server Properties switch to the tab Monitoring Agent Enter the IP address of the computer where the AmdoSoft Controll...

Page 39: ...sages of the master to the slave in the field Delay between advertisment packets Decide how many messages may be missing before the master is detected as crashed Type the number in the second field Enter a number into the field Cluster ID to identify the cluster formation Enter a keyword for the encryption of the status messages into the field Cluster Se cret The option Switch to master if possibl...

Page 40: ...This contains the IP addresses of the several interfaces entries in the routing table access data of the internet service provid er maybe data of a dynamic address service and settings ot the DHCP server 7 2 1 Interfaces The tab Interfaces shows a list of all available interfaces with the related IP address and zone fig 40 list of available interfaces ...

Page 41: ... 1 eth0 n ethn 0 ethn 1 ethn n virtual address is bonded to real interface ADSL and VDSL ppp0 ppp1 pppn high availability environment cluster0 cluster1 cluster2 clustern virtual address is bonded to real interface OpenVPN tun0 tun1 tun2 tunn virtual interface The minimum of three interfaces are ethernet interfaces with the name eth0 eth1 and eth2 Furthermore one virtual interface tun0 is predefine...

Page 42: ...bnet mask in the field Mask If the DHCP server should assign an IP address to this interface activate the check box DHCP Client You can define the maximum packet size in the field MTU Maximum Transmission Unit Usually you can leave the default value 1500 If the interface should answer to pings activate the checkbox Allow Ping Select the speed of the interface from the dropdown field Speed In the r...

Page 43: ...organization into units groups or by spatial properties like floor or build ings Actually you need one interface for every network VLAN interfaces of the appliance are vir tual interfaces that are bound to one physical interface So you can conduct all virtual LANs at one interface Every VLAN has an ID which is append at the packets as a tag On the basis of thee tags a VLAN supporting switch can di...

Page 44: ...n IP address will be assigned to the interface by the DHCP server If so ac tivate the checkbox DHCP Client Define the maximum size of a data packet and enter the value in the field MTU Max imum Transmission Unit In normal case you can leave the default value 1500 If the interface should answer pings activate the checkbox Allow Ping Select the speed of the interface from the dropdown field Speed Se...

Page 45: ...e the external interface It will be replaced by the PPTP inter face after completion Enter an Local Ethernet IP Address and Mask the IP address and the subnet mask of the interface The field Modem IP Address expects the IP address which is assigned to you by the internet service provider Select a provider from the dropdown field DSL Provider which is used to connect the internet If you did not cre...

Page 46: ...elect in the field Interface to which physical Interface the PPPoE interface should be bound This should be the external interface It will be replaced by the ppp interface after completion Select a provider from the dropdown field DSL Provider which is used to connect the internet If you did not create a DSL provider yet select the entry new to add a provider Enter the required data into the field...

Page 47: ...interface should be bound This should be the external interface Select a VLAN ID for the Interface At completion an eth interface will be created with the selected ID for example eth0 7 In the field VDSL Interface a name is predetermined Select a provider from the dropdown field DSL Provider which is used to connect the internet If you did not create a DSL provider yet select the entry new to add ...

Page 48: ...ce The espe cialness of the high availability bond is that all appliances get the same virtual IP addresses Because the redundant machines are running in standby mode and their cluster IPs are not up there will be no IP address conflict The real IP addreses so called management IPs are used to send advertisement packages in terms of their status between the appliances DSL modem switch A external n...

Page 49: ...the virtual IP address of the appliance in the field Cluster IP Enter the subnet mask into the field Mask In the section Spare IPs enter the management IP address es of the spare ma chine s Type the IP address and the related subnet macks into the fields IP and Mask and click Add The IP address will be shown in the list With the trashcan beneath the IP address you can delete the relative entry Sel...

Page 50: ...ed or deleted For editing click the wrench symbol The dialog Change Interface appears Change the settings and save the new properties with Save For deleting click the trashcan symbol Click Yes at the conformation prompt The entry will be deleted 7 2 2 Routing Routing entries define via which gateway a destination has to be reached The default route defines that all destinations are reachable via t...

Page 51: ...can symbol Click Yes at the confirmation prompt The entry will be deleted 7 2 2 2 Add Default Route Click Add default route The dialog Add Default Route appears Enter as Gateway the IP address of the internal interface The fields Destination Network and Destination Mask are predefined The value Weighting defines the priority of the route This statement is relevant if you use two or more internet c...

Page 52: ...g and click Add route The dialog Add Route appears Select in the field Type if the route applies to all networks and computers or just for several ones For all select without Source Otherwise select with Source and enter the IP address and the subnet mask of the concerned network or host in the fields Source Network and Source Mask Enter the Gateway which should be used for reaching the destinatio...

Page 53: ...ovider 7 2 3 1 Edit or Delete DSL Provider In the list of all saved DSL providers on the tab DSL Provider a wrench symbol and a trash can symbol are positioned beneath the entries With these buttons the entries can be edited or deleted For editing click the wrench symbol The dialog Edit DSL Provider appears Change the settings and save the new properties with Save For deleting click the trashcan s...

Page 54: ...ame Type your login data into the field Login Enter your password into the field Password and retype it in the field Confirm pass word If you activate the checkbox Default Route a standard route will be set automatically Select a time in the field Separation At this time the appliances disconnect the inter net connection If you choose 0 the appliance does not force a disconnection fig 55 create DS...

Page 55: ...if you want to administrate the firewall from the external net If you use the DynDNS services the client transmits at every dial in its current IP address to the DynDNS service provider The current IP address is stored by the provider The provider links your static hostname with your current IP address In this way it is assured that your host is always available by the host name The appliance tran...

Page 56: ...ider into the fields Login and Password Enter the address of the DynDNS server into the field Server In the field MX enter the domain for the e mail reception for example securepoint de Select the interface which should be used for this connection from the field Interface mostly a ppp interface fig 57 create a DynDNS entry 7 2 4 2 Delete a DynDNS Entry To delete a DynDNS Entry click on the trashca...

Page 57: ... IP address range The DHCP server will assign IP addresses to the clients from this range The range must be a part of the local subnet Consider that the first address xxx xxx xxx 1 is mostly assigned to the default gateway Hence it cannot be part of the DHCP address pool Furthermore reserve a couple of IP addresses for computer and server which need static IP addresses to warrant the correct worki...

Page 58: ...way the clients receive IP addresses and network in formation dynamically although the DHCP server stands in another subnet In the section Interface define the interfaces from which net the DHCP queries should be received and to which they should be forwarded Select the interface from the dropdownbox and click on Add Interface Define the IP address of the central DHCP server in the list IP Address...

Page 59: ...t to use interfaces in the same zone you have to add a new zone Type a name for the new zone in the field Name in the section Add Zone Select an interface which should be allocated to the zone from the dropdown field In terface Click Add Zone to save the settings Note If you want to change allocated interfaces use the tab Interfaces in the menu Net work à Network Configuration fig 60 dialog for ad...

Page 60: ...etects if a computer is reachable in the network routing table Shows the routing entries of the appliance 7 4 1 Lookup The name of this function is deduced from the command nslookup The function queries the nameserver which IP address belongs to a defined host name This is called name resolu tion The inversion search to detect the hostname of an IP address is not supported Enter a hostname into th...

Page 61: ...r the computer is reachable If the computer is not reachable the function shows the message undefined The query also fails if the computer is configured to not answer Pings Enter a hostname or an IP address into the field Please enter a host Click on the icon Ping If the computer answers the times the resond packages needed are shown and the average time of all packages Furthermore the list shows ...

Page 62: ...nt Security Solutions 62 7 4 3 Routing Table The command Routing Table shows the routing table of the appliance You don t have to enter data Click the button Routing Table All entered routes will be listed fig 63 output of the routing table ...

Page 63: ...nslation The internal addresses will be translated to the external address Port Forwarding Request from the internet to defined ports will be transmitted to defined internal or DMZ computers by the firewall Services To define exact rules in the portfilter you use applicable services In this section all services are listed with their used ports and protocols You can edit them or add new ones Servic...

Page 64: ... the properties networks user services and time You can define if traffic which matched with a created rule will be logged By default traffic will be stopped if no rule is set which allows the traffic fig 65 overview of all created rules Note You can also define IP Table rules in the category Advanced Settings see chapter 12 6 5 On the tab Templates use the Application securepoint_firewall and the...

Page 65: ...first three packets of a new connection will be logged After a minute the next three packets will be logged o Long à All packets will be logged The rule can be limited temporarity days and time A short description can be set With the wrench symbol beneath the rule you can call a dialog for editing the rule With the trashcan symbol beneath the rule you can delete the rule Rules can be dissarranged ...

Page 66: ...roups Shows all entries which have the given group as source Destination Network Groups Shows all entries which have the given group as destination Service Groups Shows all entries which use the given group as service Objects and Services Source Network Objects Shows all entries which have the given object as source Destination Network Objects Shows all entries which have the given object as desti...

Page 67: ...ld be accepted or denied Select in the field Logging which logging mode should be used In the field QoS Quality of service you can limit the bandwidth At Rule Routing you can define which gateway should be used for packages of this rule For example IPSec connections must always communicate over the same inter face This setting is important if you use several internet connections Note For source an...

Page 68: ... mouse cursor rolls over an entry in the list an infobox appears which shows de tails of the entry It shows which objects or services are elements of the related group You can enable this function by deactivating the checkbox Disable Infobox fig 68 group elements with IP address and zone affiliation ...

Page 69: ...ime and an ending time for every day at which the rule should be limited The top dropdown field belongs to the beginning time and the bottom dropdown field belongs to the ending time fig 69 add new rule tab time 8 1 1 3 Tab Description On the tab Description you can enter an explanation for the rule Click on the tab Description Click into the text field and enter a description Click Save to store ...

Page 70: ...s of one scope to one group you can arrange the portfilter clearly Click on the button Append Group in the dialog Portfilter The dialog Append Group appears Enter a name for the new group in the field Groupname Click on Add The new will be added to the Portfilter at the bottom position You can move the rule into the group via Drag Drop fig 71 add rule group ...

Page 71: ...h opens with a right mouse click fig 72 context menu of the portfilter dialog The context menu offers the possibility to create rules and groups at defined positions So you don t have to move them after creation Switch the status of a highlighted rule by using the option Toggle Active The option Toggle Group changes the status of all rules in a group The context menu also includes the options Edit...

Page 72: ...instead of their own one You can define an IP address or an interface If you use a dynamic IP insert the DSL inter face The Destination must be set to declare in which case the Hide NAT is to be used Network objects are used for source and destination To create Hide NAT rules you maybe have to create network objects before The option Include means that the Hide NAT will be used The Exclude option ...

Page 73: ...al network Under Interface set the interface which should be used If you have a static IP address select eth0 If you use a dynamic IP address deploy the DSL interface ppp0 If the rule should be used for all destinations select the entry any in the field Destina tion Position defines the position in the Hide NAT rule table The rules are executed se quential excepting the Exclude rules which are exe...

Page 74: ...warding and Port Translation Both functions define the destination of packages which reach the firewall at a defined port Port Forwarding direct packages arriving at the defined port to a determined computer Port Translation replaces the port of an ariving package with a self defined port fig 75 list of port forwarding and port translation rules ...

Page 75: ...ll icon The window Port Forwarding appears which displays all forwarding rules Click Add to create a new forwarding The dialog Add Port Forwarding appears Select Port Forwarding as type Under Source select from which network the query is coming Under Interface define which interface is used by the query For Destination select a network object to which the query should be forwarded Under External P...

Page 76: ... displays all forwarding rules Click Add to create a new port translation rule The dialog Add Port Forwarding appears Select Port Translation as type Under Source select from which network the query is coming Under Interface define which interface is used by the query For Destination select a network object to which the query should be forwarded Under External Port select the service and hence the...

Page 77: ...nge This is listed in the section Services The list contains a lot of services You can add new services edit and delete services 8 4 1 Delete and Edit Services Click the trashcan symbol beneath the service to delete it Confirm the security query with Yes Click the wrench symbolbenaeth the service to edit it Make modifications in the appearing dialog Click Save fig 78 list of available services ...

Page 78: ...rvices if the mouse cursor rolls over it You can enable this function by unchecking the checkbox Disable Infobox The infobox shows not only the name and the service group affiliation of the service but also if the service is used in a firewall rule In this case the rule number and a summary of the rule are shown fig 79 infobox for services ...

Page 79: ... which is used by the service If you choose the icmp protocol you have to select an ICMP Control Message too If the service uses a specified port insert this port in the field Destination Port If the service uses a port range select Port Range at the field Type Insert the start an end port of the range into the fields Port Range Start and Port Range End Store the new service with Save fig 80 add s...

Page 80: ...obox can be displayed which shows the prop erties of the service You can enable this feature by unchecking the checkbox Disable Info box fig 82 infobox shows properties of a service You also can retrieve information of service groups Select a service group from the dropdown box Click on the information symbol beneath the dropdown box An infobox appears The infobox shows the name of the service gro...

Page 81: ...ck on the rightwards arrow button between the tables The service will be move from the left table into the right table Highlight a service you want to delete in the right table Click on the leftwards arrow button between the tables The highlighted service will move from the right table to the left table You can delete the whole group by a click on the trashcan symbol beneath the dropdown box Confi...

Page 82: ...ection Service Groups The dialog Add service group appears Enter a name for the new service group and click Add Select the just created service group from the dropdown box The message No member in service group appears in the right table because no service is added yet Add services to the new group like described in the previous article fig 85 enter name for the new service group ...

Page 83: ...ed exactly Click the on the menu item Firewall in the navigation bar Click in the dropdown menu on the entry Network Objects The window Network Objects appears In this window all available network objects are listed The table can be ordered by the values of the separate columns Behind the objects are buttons for editing and deleting the related object You can add objects with the buttons at the bo...

Page 84: ...a network object if the mouse cursor rolls over it You can enable this function by unchecking the checkbox Disable Infobox The infobox shows not only the name and the object group affiliation but also if the object is used in a firewall rule In this case the numbers and a summary of the rules are shown fig 87 information of network objects ...

Page 85: ...te an object for a network or for a com puter Host Under IP Address enter the according IP address of the computer Under the dropdown field Zone select the zone which the computer is associated with Network Under IP Address enter the IP address of the network Select from the dropdown field Netmask the compatible netmask Im the field Zone enter the zone of the network Select which NAT IP should be ...

Page 86: ...r You can also create network objects for users This way you can set rules for several users The only condition for this is that the users are SPUVA Securepoint Security User Verifica tion Agent user and employ the agent to log onto the system The user must be listed in the user administration under the menu item Authentication in the entry Users Click Add User The dialog Add User appears Under Na...

Page 87: ...Add Interface The dialog Add Interface appears Enter a name for the new object in the field Name Under Type select StaticAddress or DynamicAddress If you have chosen StaticAddress you have to enter the static IP address in the field IP Address Under Zone select the zone of the interface Store your settings with Save fig 93 object of interface with dynamic address fig 94 object of interface with st...

Page 88: ...le Network Objects all available network objects are listed In the table Network Group Member all network objects are listed which are ele ments of the selected network object group You can add network objects to the selected group by highlighting objects in the left table and click on the rightwards arrow button The selected network objects will be moved to the right table You can delete network ...

Page 89: ...ows the name IP address subnet mask zone and NAT IP fig 96 object information 8 7 2 Network Group Information You can also retrieve information of network groups Select a network group from the dropdown box Click on the information symbol behind the dropdown box The infobox appears The infobox shows the name of the network group and if the group is used in a firewall rule In this case the numbers ...

Page 90: ...services fig 98 dropdown menu applications name description HTTP Proxy General settings of the proxy Furthermore virus scanning filtering of internet addresses and website content POP3 Proxy Spam filtering and virus scanning of e mails Mail Relay Settings of the mail server Spamfilter Properties Settings of the spam filter VNC Repeater Forwarding of remote control programs VoIP Proxy Settings of t...

Page 91: ...tivated as a transparent proxy Transparent means that the proxy isn t visible for the user You needn t insert the proxy settings in the browser The firewall conducts the packets to the proxy automat ically But if you don t insert the proxy setting in the browser the user authentication fails and protocols like HTTPS and FTP must be activated by rules Under Exceptions enter subnets and IP addresses...

Page 92: ...99 HTTP proxy settings tab general When you define exception for HTTP proxy the relevant computers will access the internet directly if an accordant rule exists The exceptions must be defined by source and destination IP addresses fig 100 define exceptions for the HTTP proxy ...

Page 93: ...y by clicking the wrench symbol You can delete the entry by clicking the trashcan symbol Enter a file extenstion leading by a dot in the field under the left table and click Add Extension to add an entry The right list shows websites which are excluded by the virus scanner You can edit the entry by clicking the wrench symbol You can delete the entry by clicking the trashcan symbol Enter a website ...

Page 94: ...ing the checkbox URL Filter Activate the option Use lists with authentication to block sites from the blacklist un iversally You can edit the entries by clicking the related wrench symbol You can delete the entries by clicking the related trashcan symbol Add entries to the lists by entering an address into the field under the tables and click the button Add Blacklist or Add Whitelist You can block...

Page 95: ...9 Menu Applications Securepoint 10 Securepoint Security Solutions 95 fig 102 HTTP proxy dialog tab URL filter ...

Page 96: ...supported You can also block suffixes like jpeg or mpeg Suffixes must be given with alleading dot Enter the file extension in the field at the bottom of the window Don t forget the leading dot For example mp3 Click on Add Extension The extension is added to the list To delete an extension from the list click on the trashcan symbol at the end of he re lated row fig 103 HTTP proxy tab block extensio...

Page 97: ...TP proxy Possibly you have to modify the rule set to prevent the communication of these programs The applications are predefined The section remote support includes the programs Tem viewer and Netviewer In the section messaging the most popular chat programs are prede fined You can also block messaging programs which are not listed with the option Block other IM Select a program from the list Acti...

Page 98: ...keywords are weighted by their directness If the sum of key words exceeds a defined limit Naughtylesslimit the website will be blocked The higher the Naughtylesslimit the more improbable is the blocking of a website Select the categories you want to block Activate the related checkbox Define the threshold Naughtylesslimit Consider that a low threshold could block many sites which don t meet condit...

Page 99: ...ers who are listed in this table can call up websites without being limited by the content filter Switch to the tab Whitelist Select the tab Users Enter the login name of the user who should be excluded from the content filtering Click the button Add User To delete a user from the list click the trashcan symbol in the related row fig 106 contentfilter of the HTTP proxy section whitelist tab user ...

Page 100: ...e IP addresses are assigned statically Switch to the tab IP Addresses Enter the IP address which should be excluded from the content filtering Click the button Add IP To edit an entry click on the wrench symbol beneath the related entry To delete an entry click on the trashcan symbol beneath the related entry fig 107 content filter of the HTTP proxy section whitelist tab IP addresses ...

Page 101: ...y trustable websites Some entries are factory provided Switch to the tab Websites Enter addresses of websites which should be excluded by the content filtering Click the button Add Website To edit an entry click the wrench symbol beneath the related entry To delete an entry click the trashcan symbol beneath the related entry fig 108 content filter of the HTTP proxy section whitelist tab websites ...

Page 102: ...ckbox Enable Bandwidth Con trol Select a global limitation or a limitation per host Activate the related radio button Enter a global limit in kilobit per second in the field Global Bandwidth Enter a host limit in kilobit per second in the field Bandwidth per Host The host just gets this bandwidth even if the global bandwith is not reached yet fig 109 limit the bandwidth in the HTTP proxy ...

Page 103: ...a mailserver in the internet The e mails are checked for viruses and spam and are send to the mail client Select at Virusscanning the value On to activate the virus scanning Select at Spamfilter the value On to activate the spam filter Choose the net in which the Transparent Proxy should be activated Store your settings with Save fig 110 set properties for the POP3 proxy ...

Page 104: ...ezeichnung Erklärung General General settings for spam filter virus scanner e mail administrator and maximum e mail size Relaying Allowed relaying hosts and domains Mail Routing Defines which mail server supports which domain Greylisting Mechanism against spam e mails Domain Mapping Changes the domain of e mails Advanced Settings for protecting the mailserver against attacks ...

Page 105: ...dress Limit the maximum size of an e mail Enter a value in kilobyte in the field Maximal E Mail Size in KByte maximum is 10 000 000 KByte If you don t want to limit the e mail size set the value to 0 If you want to use a Smarthost activate the checkbox Enable Smarthost Enter the IP address or the host name of the external mail server in the field Smar thost If the external mail server requires an ...

Page 106: ... server also uses the firewall for sending e mails you have to enter it s IP address You have the possibility to use relay blocking lists In these lists computers are registered which are known for sending spam e mails With these lists mailservers could be blocked which are listed misleadingly or their misuse was a long time ago You can also enable SMTP authentication for local users The selected ...

Page 107: ...None To From Connect in the dropdown field Option In the field Action choose between Relay forward Reject block and OK ac cept Click Add To add a host click Add Host The dialog Add Host or IP Address appears Enter a host name or an IP address into the field Host or IP Address In the field Action choose between Relay Reject and OK Click Add fig 114 add domain fig 115 add IP address ...

Page 108: ...validation activate one checkbox Validate E mail addresses against Mailserver with You can use the addresses of the LDAP directory or the SMTP server checks the ex istence of the addresses Furthermore you can upload a file with e mail addresses The validation can be made against this file with the option Validate E mail addresses against Mailserver with local file The file contains one e mail addr...

Page 109: ...n e mails of a domain to a defined mail server click the button Add SMTP Routing The dialog Add SMTP Routing appears Enter a domain into the field Domain Enter a host name or an IP address of the mail server into the field Mailserver Click Add fig 117 add route for the mail relay ...

Page 110: ... normal mail server will do When the mail comes the second time the relay will accept it Enable the greylisting by activating the checkbox Enable Greylisting The mail relay stores the combination of server sender and recipient automatically if the mail arrived a second time Enter in the field Auto Whitelisting the number of days the combination should be stored Define the time interval between the...

Page 111: ...will be forwarded at the first delivery attempt In the section IP Address Net you can exclude e mails from the greylisting which come from defined IP addresses and networks Enter an IP address into the field at the bottom of the window Select the related subnet mask from the dropdown field Click Add IP Address Net The IP address will be saved in the whitelist fig 119 Whitelist IP Addreses Net ...

Page 112: ...comes from defined domains The specifcatons are only made in second and top level domains Enter a domain in the field at the bottom of the window Click the button Add Domain The domain will be saved in the whitelist fig 120 Whitelist Domain Note The domain isn t the domain of the e mail address but the domain of the mail server which delivers the e mail ...

Page 113: ...ient E mails which are delivered to this recipient will be excluded from the greylisting fig 121 exclude e mail recipients from the greylisting 9 3 4 4 Whitelist E mail Sender Exclude e mails from defined sender from the greylisting Enter the e mail address from a sender into the field at the bottom of the window Click Add E mail Sender E mails which are delivered from this sender will be excluded...

Page 114: ...er must only be configured for one domain For example bob myhost com becomes to bob myhost de fig 123 domain mapping settings To add a domain mapping rule click the button Add Domain Mapping The dialog Add Domain Mapping appears Enter the domain of the incoming e mail in Source Domain Enter the new domain in Destination Domain Click Add fig 124 add a domain mapping rule ...

Page 115: ... Applications Securepoint 10 Securepoint Security Solutions 115 9 3 6 Advanced This section offers settings that protect the mail relay with a basic mechanism fig 125 protecting mechanism on the tab advanced ...

Page 116: ...ing Refers to the sending of mails to a lot of recipients at which the recipient addresses are composed randomly After a defined number of failed delivery attempts a pause of 1 second will be made This slows down the query of e mail addresses and it will be inefficient for the address collec tor 9 3 6 3 Limit max number of recipients Define a maximum number of recipients inside an e mail 9 3 6 4 L...

Page 117: ...sender address known spam text passages HTML content future dated sender data and so on 9 4 1 General Decide which spam filter mechanism you want to use The automatic filter uses a spam filter module of the company Commtouch The company services a consistently updated spam database The incoming e mails are checked against this database The Bayes filter checks on the basis of classified evaluated w...

Page 118: ...o Bias to define spam Multiplier for words in the ham database If there is much more spam than ham the values should be set to 1 Click Reset values to set the values back to default values If the checkbox E mail body invisible for the spam administrator is activated the spam administrator will only see the e mail header in the spam filter interface The content isn t visible for him Consider the re...

Page 119: ...or MIME Multipurpose Internet Mail Extensions type which is given in the e mail header Either Block all Attachments You can exclude attachment by the Whitelist Or Block specific Attachments You have to define the attachments to be checked in the blacklist This filter doesn t block the e mails It just removes the attachments If an attachment is removed a message is inserted into the mail You can ed...

Page 120: ...se prede fined types Switch to the tab MIME Types at the Whitelist or Blacklist section Click the button Predefined The dialog Add MIME Type appears Select a type by activating a radio button Choose a subtype from the relative dropdown list Click Add The MIME type will be added to the Whitelist or Blacklist fig 128 predefined MIME types ...

Page 121: ...mail will be indicated by a message in the e mail Activate Don t scan specific Attachments to exclude attachments from the virus scan by a Whitelist Use the Whitelist to define attachments which should not be scanned You can specify them by file extension or by MIME type You can write MIME types manually or select those from the predefined list see previous article fig 129 exclude attachments from...

Page 122: ...t activate the checkbox Don t block spam just mark You can edit the flag that is attached to the subject in the field Message in Subject Decide if incoming or outgoing e mails with a virus will be blocked or relayed with deleted virus Select the according radio buttons Decide if incoming or outgoing e mails with undesired attachment will be blocked or relayed with deleted attachment Select the acc...

Page 123: ...ress a domain or a host IP address host name E mails from Whitelist entries will be relayed without checking E mails from Blacklist entries will be blocked without checking Enter complete e mail addresses on the tab E Mail Whitelist and Blacklist Enter domains on the tab Domain Whitelist and Blacklist Enter host IP addresses or host names on the tab Host Whitelist and Blacklist fig 131 global Whit...

Page 124: ...Edit the tag in the field Edit message in subject when spam Decide on the left side if all mailboxes should be scanned for viruses or just specified ones If you select the option specific mailboxes enter the user names whose mailboxes should be scanned Decide on the right side if all mailboxes should be scanned for undesired attach ments or just specified ones If you select the option specific mai...

Page 125: ...e software is a client server application The remote computer acts as the server and the local computer as the client You have to enter the IP address or the host name of the remote computer and the port of the VNC repeater application to allow the traffic through the firewall 9 5 1 General Specify the ports which are used by the client viewer and the server Enter the port of the local VNC repeate...

Page 126: ...o add a Server ID type it into the field ID at the bottom of the dialog Click Add Click the trashcan symbol be neath an ID to delete it fig 134 tab VNC Server ID 9 5 3 VNC Server IP If the client initiates the connection the VNC proxy forwards the query to the IP address of the server To add a Server IP type it into the field IP at the bottom of the dialog Click Add Click the trashcan symbol be ne...

Page 127: ...e speech data 9 6 1 General Select the interface which is used by the SIP client to connect the proxy with the dropdown box Inbound Interface Select the interface which is used by the proxy to transfer the data to the internet from the dropdown box Outbound Interface Select the port on which the proxy expects data in field SIP Port default 5060 Adjust the RTP Port Range to the port range used by t...

Page 128: ...ovider Enter the data of the provider in this section Enter the name of the provider in the field Domain Enter the SIP proxy of the provider in the field Proxy Select the SIP proxy port of the provider in the field Proxy Port default 5060 fig 137 tab Provider of VoIP Proxy dialog ...

Page 129: ...tivities will be logged by the IDS The system checks the signature of every packet against known attack signatures which are stored in so called rules Notice Just activate rules which are applicable for your system Otherwise the IDS stresses the system unnecessary Select rules in the dialog IDS Activate the relative checkbox Store your settings with Save The IDS service will be restarted fig 138 s...

Page 130: ...ication or the requesting service Select the menu item applications from the navigationbar and click on nameserver in the dropdown menu The dialog Nameserver appears Enter the IP address of the external nameserver into the field at the bottom of the di alog Click Add IP Address to apply the nameserver to the list You can delete listed nameserver by using the thrashcan button Click Save to store th...

Page 131: ...ill change to the spare machine This setting is called Cluster Protection An active service shows a green On button An inactive service shows a red Off button Start a service by clicking the button On in the related row Stop a service by clicking the button Off in the related row Restart a service by clicking the button Restart in the releted row If you use a high availability environment set the ...

Page 132: ...crypted by the client and will be decrypted by the firewall and vice versa For transmitting the data several protocols are used The methods are varying in degree of safety and complexity fig 141 dropdown menu VPN name description IPSec Wizard Assistant for creating IPSec VPN connections IPSec Globals General settings for all IPSec connections IPSec Editing and deleting of IPSec connections L2TP Co...

Page 133: ... The local network of a central office with the local network of a branch A roadwarrior connection binds one or more computers with the local network For example An outdoor staff connects with the laptop to the network of the central office 10 1 1 Site to Site Click in the VPN dropdown menu on the entry IPSec Wizard The dialog IPSec Wizard à Create an IPSec connection appears Select the VPN type S...

Page 134: ...nDNS Click Next fig 143 define name and gateway You can decide between two authentication methods Either use the preshared key PSK method or you use the authentication via certificate The PSK is a password which is known by both connection partners Preshared Key Method Select the radio button Preshared Key Enter the preshared key PSK Decide which IKE Internet Key Exchange version you want to use a...

Page 135: ...5 authentication via certificate and IKEv2 Now enter the networks which should be interlinked by the VPN connection Under Local Network enter your local network Select the according net mask at Local Mask Under Destination Network enter the remote network Enter the according net mask at Destination Mask Activate the checkbox Automatically create firewall rules to create the firewall rules for the ...

Page 136: ... the entry IPSec Wizard The dialog IPSec Wizard à Create an IPSec connection appears Select the VPN type Roadwarrior à One or several computers can connect to the local network Click Next fig 147 select kind of connection Enter a name for the VPN connection in the field Connection name Click Next fig 148 name of the connection ...

Page 137: ...io button Native IPSec Click Next fig 149 select native IPSec Choose between the authentication methods preshared key and certificate Furthermore se lect the IKE version you want to use If you choose preshared key activate the radio button Preshared Key and enter the key into the field beneath If you choose certificate activate the radio button x 509 Certificate and select a serv er certificate fr...

Page 138: ...o into the field Local Network Select the related subnet mask from the dropdown box Local Mask Enter an IP address from the subnet into the field Roadwarrior IP address This IP will be assigned to the roadwarrior when it connects to the local network If you want to set up the firewall rules automatically activate the checkbox Automati cally create firewall rules Click Finish for exiting the wizard...

Page 139: ...adwarrior IP address if you want to give access to just one roadwarrior and enter the IP address into the field beneath If you want to give access to a couple of roadwarriors activate the radio button Ad dress Pool and enter the IP address of the address pool and the related subnet mask An IP address out of this pool will be assigned to the roadwarrior if it connects to the network If you want to ...

Page 140: ...PSec Activate the radio button IPSec Connection with L2TP Click Next fig 153 select L2TP Select the authentication method If you want to use a preshared key activate the radio button Preshared Key and en ter the key into the field beneath If you want to use a certificate activate the radio button x 509 Certificate and select a server certificate from the dropdown box Click Next fig 154 select the ...

Page 141: ...ers into the fields Prima ry and Secondary nameserver Click Next fig 155 define address pool and DNS server The last step offers the creation of L2TP users If you don t want to use this option click Finish and leave the wizard Enter the user name of the new user into the field Login name Enter the first name and the surname into the field Fullname Assign a password to the user in the field Passwor...

Page 142: ...eral settings for all IPSec VPN connections 10 2 1 General Settings On this tab you can activate the option NAT Traversal This function prevents the manipula tion of IPSec packets by address translation This could occur if the mobile user uses NAT devices himself fig 157 option NAT Traversal ...

Page 143: ...e keys The complexity of the protocol complicates the configuration of an IPSec connection especially if you use different end devices The new version of the IKE protocol IKEv2 defangs this complexity It allows a faster con nection establishment and a more stable connection By now this version is supported by several programs It is implemented in Microsoft Windows 7 too In this dialog the IP addre...

Page 144: ...stored name description tab General Local gateway ID ID of the appliance If you use the interface ppp0 eth0 the firewall ID is the IP address of the interface You can insert the hostname as well also the DynDNS name Remote host gateway remote VPN gateway or host Name or IP address Remote host gateway ID remote VPN gateway or host Name or IP address Enter the certificate of the remote host if the c...

Page 145: ...y and hash mode regards phase 1 and phase 2 DH Group Key length of the Diffie Hellmann key IKE life Duration of an IKE connection The period can vary between 1 and 8 hours Afterwards a new link connection is necessary for security reasons This starts automatically Keyingtries How many trials to initiate the connection time lag 20 seconds unlimited à unlimited trials three times à Three trials to i...

Page 146: ...a new link connection is necessary for security reasons This starts automatically tab Native IPSec Local Net Mask Local net which is connected with the remote net via VPN Remote Net Mask Remote net which is connected with the local net via VPN tab L2TP L2TP Subnet local subnet for L2TP connections Only useable with L2TP connections with MS Windows Vista or MacOSX if the client is positioned behind...

Page 147: ...as a virtual address to the external interface Under L2TP Address Pool adjust a L2TP address pool This must be set in the same subnet as the L2TP IP address The left field contains the start address and the right field the end address of the ad dress pool For the Maximum Transmission Unit MTU the default value 1300 should be re tained Under Authentication select the authentication mode You can sel...

Page 148: ...server Windows Internet Name Service if you use one This will be forwarded to the L2TP net work Switch to the tab NS WINS Enter the IP address of the primary and secondary Nameserver Enter the IP address of the primary and secondary WINS server if you use one Store your settings with Save fig 160 define IP adresses of DNS and WINS servers ...

Page 149: ...rface in the field Local PPTP IP An explicit PPTP interface doesn t exist The entered IP address will be bound as a virtual address to the external interface Under PPTP Address Pool adjust a PPTP address pool This must be set in the same subnet as the PPTP IP address The left field contains the start address and the right field the end address of the ad dress pool For the Maximum Transmission Unit...

Page 150: ...server Windows Internet Name Service if you use one This will be forwarded to the PPTP net work Switch to the tab NS WINS Enter the IP address of the primary and secondary Nameserver Enter the IP address of the primary and secondary WINS server if you use one Store your settings with Save fig 162 define IP addresses of DNS and WINS servers ...

Page 151: ...e the IP ad dress in this section it will also change in the section network configuration Enter the port of the SSL VPN in the field SSL VPN Port The default port 1194 is al ready set The SSL VPN uses the protocol udp You can change the protocol to tcp This is not recommended because a big overhead is produced Select a server certificate from the dropdown box SSL VPN Certificate This certifi cate...

Page 152: ... external authentication methods here fig 164 dropdown menu authentication name description Users User administration for creating new users and editing existing users Furthermore assigning group membership password etc External Authen tication Settings for external authentication via Radius or LDAP server Certificates Certificate administration for creating new certificates Also export and import...

Page 153: ... listed in order of their creation Existing users can be edited by clicking the wrench symbol or deleted by using the trash can symbol fig 165 list of existing users When the mouse cursor moves over an user an infobox appears which shows the user permissions and assigned VPN IP addresses of the related user You can activate this function by unchecking the checkbox Disable Infobox fig 166 user prop...

Page 154: ...e the designated group memberships by marking the according checkboxes It is allowed to check more than one box fig 167 general setting for a new user name binary description Firewall Admin 000000001 Administrator of the firewall VPN PPTP 000000010 PPTP VPN connection user VPN L2TP 000000100 L2TP VPN connection user Spam Filter User 000001000 Administrator of the spam filter SPUVA User 000010000 U...

Page 155: ...ddress on the tab VPN Switch to the tab VPN Assign an IP address which is used by the user in the L2TP or PPTP VPN tunnel This statement is optional Is the user SSL VPN user a tunnel IP address must be set This IP address must be an IP address of the subnet of the tun0 interface default 192 168 250 xxx The last part of the IP address must fulfill the following condition a multiple of 4 minus 2 For...

Page 156: ...PN package anyway You just have to hand the package to the SSL VPN user see chapter 14 3 To enable the preconfiguration activate the checkbox Enable VPN Client Select a user certificate from the dropdown box Certificate If no certificate is shown you have to create one first Select an IP address or a hostname in the field SSL VPN Gateway which is used by the SSL VPN service Either select a dynamic...

Page 157: ...il addresses must be set for the whole e mail address For example john smith example org Restriction to domains must be set with a leading at symbol For example example org Switch to the tab Spam Filter Restrict the display of the spam filter interface to several e mail addresses or do mains These settings are only relevant for users which are members of the group Spam Filter User Activate the che...

Page 158: ...rs special characters lower and uppercase letters and the minimal password length The password can only be changed in the user interface Switch to the tab Extras If the user is allowed to change the password check the checkbox User can change password Select the Minimum password length Decide which characters the password must contain numbers special characters lower and uppercase letters Store yo...

Page 159: ...this option is set for a user the user can start listed computer over the user interface The membership UserInterface is required Switch to the tab WoL Activate the checkbox Enable WoL Enter the name of the computer in to the first field below the list Select the interface from the dropdownbox the computer is connected to Enter the MAC address of the network adapter of the remote computer into the...

Page 160: ... you can also select authentication with the Kerberos service 11 2 1 Radius Enter the access data for the Radius server on the tab Radius Open the dialog External Authentication On the tab Radius insert the data of the Radius server Insert the hostname or the IP address of the server in the field IP address or host name Under Mutual secret key insert the password and retype it in the field Confirm...

Page 161: ...main into the field Server Domain Under User name insert your user name of the server Under User password insert your password and retype it in the field Confirm user password Store your settings with Save fig 174 acces data for the LDAP server If you use the LDAP authentication in combination with the services HTTP proxy or L2TP you have to create new groups in the Active Directory AD and users w...

Page 162: ...e group you want to give access into the field Workgroup Enter the domain name of the realm used into the field Domain Under AD Server enter the IP address of the computer which hosts the Kerberos service Enter the IP address of the used DNS server into the field Primary Nameserver Enter the administrator of the Kerberos server into the field User Enter the password of the Kerberos administrator i...

Page 163: ...ed The signed certificates will be distri buted to the users which connect to the local net via VPN The signature assures that the certificates are created by the firewall and not by anybody else For a complete authentication not only the remote station needs a certificate but also the firewall itself You have to create one certificate for the firewall and one certificate for each external user Yo...

Page 164: ...s where you can select the date The following three fields are reserved for the time hour minutes and seconds When the validation of the CA expires all certificates which are signed with this CA will become invalid too Enter a name for the CA into the field Name Select your country identifier from the field Country Enter your region into the field State Enter the name of your city into the field C...

Page 165: ...conds Enter a name for the certificate into the field Name Select your country identifier from the field Country Enter your region into the field State Enter the name of your city into the field City Enter the name of your company into the field Organisation Enter the department into the field Unit Enter you e mail address into the field E mail Select the CA to sign the certificate with Select an ...

Page 166: ...t fig 180 import dialog 11 3 4 Export CA and Certificate You also can export CAs and certificates You may select between PEM file format and the encrypted format PKCS 12 You ought to consider that the appliance only imports the PEM file format Switch to the corresponding tab CA or Certs At the end of every row you find the following icons The left icon exports the certificate or the CA as PEM file...

Page 167: ...gured configuration the CA and the relating cert Switch to the tab Certs Select the desired certificate and click on the following icon The dialog OpenVPN Client appears It asks for settings to configure the OpenVPN configuration Select a DynDNS Entry from the dropdown box Or enter an IP address into the field Alternative The option Redirect default gateway to remote site reroutes the whole intern...

Page 168: ...re as invalid so nobody can use them for authen tication anymore Note If you revoke a CA all certificates which are signed with this CA will be revoked too Switch to the corresponding tab CA or Certs Click on the Trash Can symbol at the end of the row Answer the security query with Yes The CA or the certificate will get the status Revoked The invalid files will be listed on the tab Revoked fig 182...

Page 169: ...rom other sites can be imported This files must have the CRL format Switch to the tab CRLs All CRLs of self created CAs and imported CRLs are show on this tab For export a CRL click the button with the disk symbol The browser will open a dialog in which you can select the saving path For import a CRL click the button with the label Import Enter the whole path of the file into the appearing dialog ...

Page 170: ...e Firewall Update the firewall software and the virus database Changelog Shows changes from one version to the previous version of the fire wall software Registration Upload the license file Manage Cockpit Select the shown section windows and their positioning in the cockpit Advanced Settings Opens a new browser window for configuration for experienced users Refresh All Reads the configuration dat...

Page 171: ...of the CLI Furthermore you can send commands directly to the firewall 12 1 1 CLI Log On this tab you can activate the logging of the CLI in and output The logging is disabled by default Send commands to the firewall are colored blue Answers of the firewall are colored green To enable the logging activate the checkbox Enable CLI Log The logging can always show the current entries To enable this fun...

Page 172: ...or this you have to use special CLI commands For further information on these commands check the CLI reference which is available on the Securepoint website Type the desired CLI command into the field CLI Confirm the sending of the command with Send Command The command and the answer of the firewall appear in the text window fig 186 send CLI command ...

Page 173: ... 1 Update the Firewall The version of the firewall software is given as a build number First check if a newer version is available An immediate update will not check the build number but rather updates the firewall with the same version number The update stops all services and restarts the firewall Therefore you should update the soft ware only if a newer version is available First click the butto...

Page 174: ...ngelog The function Changelog offers the possibility to show the changes of one version of the fire wall software to the previous version The published versions are listed in the dropdownbox Go on the point Extras in the navigation bar and click the entry Changelog in the dropdownmenu The dialog Changelog appears which shows the changes from the previous version to the actual version To show chang...

Page 175: ...icense file If you don t have a license yet you can follow the hyperlink in the dialog to access the Securepoint website and register your appliance Upload the license file like this Click Browse and select the license file from your file system Click Upload to upload the file fig 191 upload registration file ...

Page 176: ...d into three sections On the left the section Not displayed dialogs Lists positioned here are not dis played In the middle the section Display in Cockpit Left Shown lists will be displayed on the left side of the cockpit On the right the section Display in Cockpit Right Shown lists will be displayed on the right side of the cockpit You can move the list per Drag and Drop You can manage the lists n...

Page 177: ... the configuration For these reasons following message is shown by opening the new browser window fig 193 warning by clicking menu item advanced settings 12 6 1 Buttons If you made changes in this section the changes will not take effect till you update the appli cation the interface or the rule name description Update Applications Updates the applications and applies the changes Update Interface ...

Page 178: ...ou can disable the support of IKEv1 and IKEv2 for IPSec connections If you disable both servers IPSec connections cannot be established To disable a server click the related button Off To enable a server click the related button On fig 195 switch states of IKEv1 and IKEv2 servers ...

Page 179: ...nnections Activate the first checkbox to Accept all incoming IPSec Activate the checkbox Allow related connections to allow iptables to accept all packets of existing connections per connection tracking Store the settings with Save For applying the rules immediately click the button Update Rules fig 196 edit portfilter settings ...

Page 180: ...istence of a connection Several internet service providers don t support this checking For this you should disable the checking To disable the checking deactivate the checkbox Support LCP Echo for PPPoE Store your setting with Save For applying the changes immediately click the button Update Interface fig 197 enable disable the LCP echo request ...

Page 181: ... list Applications The firewall displays the depending templates in the dropdown field Templates Select the template you want to edit from the dropdown box Templates The template will be displayed in the section Template Content Adjust the template for your needs Store the changes with Save Template For applying the changes immediately click the button Update Applications fig 198 edit template ...

Page 182: ...The variables are shown in the window Entries To show the value of a variable click on the loupe symbol in the related row The value is shown in the window Entry Value Click trashcan symbol to delete the value Beneath the dropdown box Applications is an entry field To add a variable enter the name of the new variable in this field and click Add Entry The changes are saved immediately and exist unt...

Page 183: ...ebserver for the user interface By default the port of the webserver for SSL encrypted connections is 443 Enter the desired port into the field or use the arrow buttons to select the desired port Store your changes with Save For applying the changes click the button Update Applications fig 200 change the port of the webserver ...

Page 184: ...s all data of the appliance and rebuilds the cockpit So you can update data in the cockpit which are changed per CLI and not in the administra tion interface 12 8 Refresh Cockpit This function reloads all data of the cockpit and rebuilds the cockpit The button in the navigation bar has the same function ...

Page 185: ... highlighted in different colors Furthermore the logs can be filtered name description Day Shows the day of occurrence In the Live Logging the current date Shows the protocol or the action additionally Time Shows the time in hours minutes and seconds hh mm ss Service Shows which service is affected Content Detailed log message fig 201 entries in the live log ...

Page 186: ... you look for something special use the filter function You find the filter function centered above the event table The function works only when the logging is active Stop a running logging Select a pattern from the dropdown box Filter pattern o Time Filters the entries by time o Service Filters the entries by service o Content Filters the entries by message text Enter a search pattern into the ri...

Page 187: ... show all entries which don t match the search pattern To enable this option activate the checkbox Inverse filter on the tab Settings By default the option Scroll automatically to the bottom is activated New entries are appended to the list So this option always shows the newest entries 13 3 Tab Settings Here you can invert the filter The filter will show all entries which don t match the given se...

Page 188: ...he automatic scrolling is disabled you can navigate through the log by the arrow keys on the keyboard If you press the enter key on a marked entry a window with details of the log message is shown This is also shown if you make a double click on an entry with the mouse fig 203 details of a log message ...

Page 189: ... messages You can also display the Syslog messages Click on the button Show raw data The raw data of the current logging are shown The logging is still running in the background You can also download the raw data Click on the button Download raw data The data will be transferred in txt format fig 204 raw data of the log entries ...

Page 190: ...ection Systems Messages of the IPSec service Messages of the L2TP service Communication ntp Network Time Protocol ntp client server Communication pop3 Post Office Protocol 3client server or pop3 via POP3 proxy Messages of the pppd service Messages of the pptp service Communication smtp Mail despatch Communication ssh Secure Shell Protocol Messages by the virus scanner Communication VNC client serv...

Page 191: ...Securepoint 10 Securepoint Security Solutions 191 Part 2 User Interface ...

Page 192: ...the possibility to change the password The users can reach the user interface with their webbbroser over the IP address of the in ternal interface by using the HTTPS protocol for example https 192 168 175 1 If the users want to enter the user interface from outside the internal net for example from the internet or the DMZ the administrator has to create a firewall rule for reaching the inter nal i...

Page 193: ...nagement à tab Extras Spam filter Shows all received e mails and their classifica tion into ham desired e mails and spam unde sired e mails Possibility for resorting of mis classified e mails User Interface with Spam Filter Admin Download SSL VPN client ZIP archive which includes the portable OpenVPN client preconfigured configuration file CA and user certificate User Interface with SSL VPN SPUVA ...

Page 194: ...n in to the user interface Click the button Change Password The dialog Change Password appears Enter your current password in the field Old Password Enter your new password into the field New Password and retype it in the field Con firm Password The password must meet the conditions which are shown in the section Password Restriction Click Change Password fig 206 change password ...

Page 195: ...he option Save File or accordingly The downloaded file is a packed ZIP archive including the portable OpenVPN client a preconfigured configuration file and the needed certificates fig 207 save dialog of the Mozilla Firefox Decompress the ZIP archive and save the directory on your computer or on an USB flash drive Open the directory Doubleclick the file OpenVPNPortable exe The OpenVPN client starts...

Page 196: ...or ham by the system If he finds e mails which are misclassified as spam he can mark them as ham It is important to move not identified spam mails from the ham section into the spam section to train the adaptive filter Bayes filter The spam filter interface only shows e mails if the spam filter is activated 14 4 1 Overview over the spam filter interface The mails are ordered by time the newest at ...

Page 197: ...r some criteria a pattern is needed Insert the pattern in the input field Execute the filter by clicking on Filter You can reset the selection by clicking on Reset 3 Navigation The display shows 10 entries per side With the buttons back and next you can scroll through the pages With the buttons first page and last page you can jump to the first or to the last side 4 Action You can choose an action...

Page 198: ...ils will be unchecked if you click the checkbox again Date Date and time of the e mail Status E mail type SMTP or POP3 Shows a symbol if the e mail contains a virus In the tab Spam is shown which filter has detected the e mails as spam mail Bayes filter Commtouch filter From Sender of the e mail To Recipient of the e mail Subject Subject of the e mail fig 210 columns in the tab Ham ...

Page 199: ...ated in the spam filter settings Other wise only the e mail header is shown Note Showing the content of an e mail may violate the data privacy Notice the data protection act of your state Activate the detailed view with a doubleclick in the row of the desired e mails Attachment of the mail will be displayed as a hyperlink in the row at the bottom of the window Click on the hyperlink to download th...

Page 200: ...s the selected e mails as spam and moves them to the tab Spam Delete selected e mails Moves the marked e mails to the tab Trash Resend selected e mails Sends the marked e mails again Select all e mails Marks all e mails on this tab Delete all e mails Moves all e mails on this tab to the tab Trash Resend all e mails Sends all e mails on the tab again fig 212 actions on the tab Ham ...

Page 201: ...s as ham and moves them to the tab Ham Delete selected e mails Moves the marked e mails to the tab Trash Resend selected e mails Sends the marked e mails again Mark all e mails as ham Marks all e mails on this tab as ham and moves them to the tab Ham Delete all e mails Moves all e mails on this tab to the tab Trash Resend all e mails Sends all e mails on the tab again fig 213 actions on the tab sp...

Page 202: ...am and moves them to the tab Spam Delete selected e mails permanent Deletes the marked e mails irrevocably Resend selected e mails Sends the marked e mails again Mark all e mails as ham Marks all e mails on this tab as ham and moves them to the tab Ham Mark all e mails as spam Marks all e mails on this tab as spam and moves them to the tab Spam Delete all e mails permanent Deletes the e mails on t...

Page 203: ...cally Fur ther diagrams show the numbers of mails depending on their origin 14 4 7 1 Filter With the filter function above the diagram all statistics can be displayed for different time in tervals Select the interval from the dropdown box Possible intervals are o Today o Yesterday o Last week o Last month Click Refresh to reload the diagram fig 215 select intervall ...

Page 204: ...he total amount of every bar on the y axis The legend on the right side shows the numbers of every section and the percentage fig 216 tab general 14 4 7 3 Tab Virus On this tab a diagram shows the total number of virus infected e mails The blue lines clarify the total amount of every bar on the y axis The legend on the right side shows the numbers of every section and the percentage fig 217 tab vi...

Page 205: ...urepoint Security Solutions 205 14 4 7 4 Tab Top Level Domain On this tab a diagram shows from which state the e mails are received The statistic is split into ham e mails spam e mails and deleted e mails fig 218 tab top level domain ...

Page 206: ...utton SPUVA Login A new browser window appears in which a Java applet is starting Confirm the security query for starting the applet The java applet can only be executed if the Java Runtime Environment is installed If it isn t installed visit the website http www java com Enter your user name into the field User and your password into the field Password Click Connect to login in to the system If t...

Page 207: ...cess the remote computer if according rules are defined This function must be supported by the comuter The settings for this function are made in the BIOS or at the network adapter settings Click on the button Wake on LAN in the User Interface The dialog Wake on Lan appears Here are all computers listed which you allowed to start Click on the button with the start symbol The related computer will ...

Page 208: ...hich are stored on the appliance The hyperlink is positioned in the first column of the list The second column contains the version of the file and the third column contains a short description of the file Login in to the user interface Click the button Download Click on the hyperlink in the first column to start the download Click on Save or according in the browser query The download will begin ...

Page 209: ...ect This action defines behind which interface a network object is positioned A well known attack scenario on a router is to fake a sender IP address IP Address Spoof ing If the attacker uses a sender address from the internal network and the packet is send from a wrong zone for example external the packet will be dropped automatically on the basis of the zone concept The administrator doesn t hav...

Page 210: ... internal is as signed to the firewall zone firewall internal with the internal interface In the group zones computers and networks are positioned which are connected with the firewall by the related interface The VPN zones are provided for VPN computers and networks These are assigned to the external interface too but they are different from the devices of the zone external because they connect t...