Está en la página 1de 370

Integrated Security Appliance

5/16/06

Instructor Guide

Internet Security Systems, Inc. 6303 Barfield Road Atlanta, Georgia 30328-4233 United States (404) 236-2600 http://www.iss.net Internet Security Systems, Inc. 2003-2004. All rights reserved worldwide. This publication may not be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc. Patent Pending. Internet Security Systems, the Internet Security Systems logo, System Scanner, Wireless Scanner, SiteProtector, Proventa, Proventa Manager, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU, X-Force, and X-Press Update are trademarks and service marks, and SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. InstallShield is a registered trademark and service mark of InstallShield Software Corporation in the United States and/or other countries. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice. Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an AS IS condition, without warranties of any kind, and any use of this information is at the users own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes. Please direct any comments concerning ISS courseware to training@iss.net. Print Date: May 16, 2006

Contents
How to Use this Training Guide
About the Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-i Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-i Time Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-i About the Training Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-ii For the Students . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-ii For the Instructor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-ii Following the Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-ii Using Leader Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-ii Understanding the Icons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-v Providing Feedback on the Training Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .H-v Preparing for Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi Preparation Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi Required Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi Required Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi Required Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi Assumptions for Performing the Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-vi

Welcome to the Class!


Getting Acquainted... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...With the Instructor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...With Others in the Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Getting the Most Out of this Course.... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Instructors Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Your Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using this Training Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . About this Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Course Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
W-1 W-1 W-1 W-2 W-2 W-2 W-2 W-3 W-3 W-4

Module 1: Introduction to the Proventa M Series


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Secure Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protection Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Increasing Threat at the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protecting the Gateway Today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Challenges of Multiple Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The ISS Solution: Unified Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-1 1-1 1-1 1-2 1-3 1-4 1-5 1-5 1-6

Integrated Security Appliance

Contents

Overview of Proventa M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 What is Proventa M? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Key Benefits of the Proventa M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Proventa M Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9 Traditional Stateful Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9 Virtual Private Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11 Gateway Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12 Virus Prevention System (VPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12 Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 Additional Proventa M Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 Local Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 SiteProtector Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14 Appliance Specification Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Module 2: Set up the Proventa M Appliance


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 What You Need to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Classroom Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Classroom IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Lab: Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Re-cable the class network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Configuring the Proventa M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Rebooting the appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Connecting to the Proventa Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Module 3: General Settings


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Home page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proventa Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lab: Installing License Key Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integrated Security Appliance Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Update Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3-1 3-1 3-1 3-2 3-2 3-3 3-4 3-5 3-5 3-6 3-7

ii

Integrated Security Appliance

Contents

Retrieving Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lab: Check and install updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proventa Manager Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logs Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appliance Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Maintenance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Filter DB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Backup & Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System/Full Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Support Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Support File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Labs: Configuring and Enabling Event Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring an Email Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Disabling Email System Warning Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3-11 3-12 3-14 3-17 3-18 3-18 3-20 3-20 3-23 3-24 3-25 3-26 3-28 3-28 3-33 3-34 3-38 3-39 3-40 3-41 3-43 3-45 3-45 3-46 3-48 3-49 3-50 3-51 3-51 3-51 3-52 3-53

Module 4: Transparent Mode


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Transparent Mode Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Local Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding a Local Router Entry to the Local Router Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Transparent Mode Failover Protection Using STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4-1 4-1 4-1 4-2 4-2 4-4 4-5 4-5 4-5 4-7 4-7

Integrated Security Appliance

iii

Contents

Why Use Spanning Tree Protocol? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 STP Illustration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Bridge IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 Failover Process - Determining the Primary Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 The STP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 STP Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 Failover Protection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 Configuring Spanning Tree Protocol Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 Considerations When Deciding to Use Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . 4-13 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Module 5: Intrusion Prevention


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Intrusion Prevention and Proventa M. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Why a Firewall is not Enough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 The Intrusion Prevention Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 The Protocol Analysis Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 What is Protocol Analysis?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Proventa M and Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Benefits of PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 Examples of Protocols Included in the PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Quarantine Rules Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Intrusion Prevention Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9 Intrusion Prevention Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10 Issue List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 Quarantined Intrusions and the Rules Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17 Labs: Working with Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Enabling the Intrusion Prevention Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Detecting an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 Blocking an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20 Clearing Quarantined Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

Module 6: Antivirus
About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . An Antivirus Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . What Is A Computer Virus? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proventa Ms Antivirus Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-1 6-1 6-1 6-2 6-2 6-3 6-4

iv

Integrated Security Appliance

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 Types of AV Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 Proventa Ms Antivirus Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 The Signature Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Signature Scanner Pros and Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Virus Prevention System (VPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6 What Ms AV Components Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 Protocols Scanned by Proventa M Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 An Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8 The Blocking Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9 Antivirus Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 A Note About Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 Configuring Proventa M Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 Antivirus Status Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17 Quarantine File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17 SMTP Config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19 Labs: Testing with the eicar Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22 Disable IIS SMTP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22 Install a Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22 Creating an Email Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23 Enabling Antivirus Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24 Sending an Email to Test Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25 Pulling the eicar Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

Module 7: Web Filtering


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Why Filter the Web? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 The Challenge for Web Content Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 What This Means in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prevention Instead of Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Proventa Ms Web Filtering Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 The Web Filter Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6 Web Crawlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 Applying Web Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 The Web Filter Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11 Classification Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12 Filter Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14 Wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15 URL Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Integrated Security Appliance

Contents

ISS Web Filter Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Web Filter and Antispam Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sources of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Filter Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Downloading the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Updating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . WebLearn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Proventa M Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Filtering Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Labs: Configuring and Testing Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling Web Filter Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Accessing a Web Site in the Sports Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Selecting Web Filter Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testing your Access to the Blocked Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding a Destination Blacklist Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testing your Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7-18 7-20 7-20 7-20 7-20 7-21 7-23 7-23 7-23 7-24 7-24 7-25 7-29 7-29 7-29 7-30 7-30 7-31 7-31 7-31 7-32

Module 8: Antispam
About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Why Use Antispam? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Challenges for Email Content Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Email Flood Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 The Costs of Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Countering the Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Proventa Ms Antispam Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Spam Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 The Antispam Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Configuring Proventa M Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Antispam Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10 Labs: Testing Antispam Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16 Configuring Antispam Functionality for SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16 Sending an Email to Test SMTP Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17 Configuring Antispam Functionality for POP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18 Sending an Email to Test POP3 Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18 Configuring Antispam Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19

vi

Integrated Security Appliance

Contents

Sending an Email to Test Antispam Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19 View the Spam Detected events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

Module 9: Routing Mode


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 What You Need to Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Classroom Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3 Classroom IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Lab: Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Configuring the Proventa M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Reconfigure the class network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Connecting to the Proventa Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Routing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 Returning to Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10 Switching Between Routing and Transparent Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13 What Happens when I Switch to Transparent Mode? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 How to Switch Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 Routing Mode Configuration Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20 Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21 OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23 Maintenance Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29

Module 10: Firewalls


About This Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integrated Security Appliances Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proventas Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Translating Your Organizations Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rule Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implicit Denial Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the Proventa M Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10-1 10-1 10-1 10-2 10-2 10-3 10-3 10-4 10-4 10-4 10-5

Integrated Security Appliance

vii

Contents

Firewall Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 Advantages of Network Obejcts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 Network Object Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Dynamic Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Lab: Creating Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10 Creating Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12 Proventa M Firewall Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12 The Proventa M Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13 Creating an Access Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Lab: Configuring your Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17 Enable Partner 2 to connect to Proventa Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18 Testing your Firewalls Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19 Creating Inbound Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19 Creating Outbound Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21 Re-Test your Firewalls Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25 How Proventas NAT Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Configuring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Source NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27 Destination NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28 Lab: Creating Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Configuring Destination NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Adding an Access Rule for the Translated Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30 Testing your Firewalls Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31 Configuring Source NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31 Verify the Disabled NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32 More Firewall Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33 Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33 Advanced Firewall ALG Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-34 Asymteric Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-35 Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-37

Module 11: Configuring the VPN


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPN Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPN Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPN Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-1 11-1 11-1 11-2 11-2 11-4 11-5

viii

Integrated Security Appliance

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5 Types of wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5 What is Created by the Wizards? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6 Rules for using VPN wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6 Lab: Configuring the VPN for Site-to-Site Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Use the M Series to M Series Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Lab: Configuring the VPN for Client-to-Site Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Using the SoftRemote VPN Client to M Series Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Demonstration: Creating a New Connection for SoftRemote. . . . . . . . . . . . . . . . . . . . . . . 11-10 Creating the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11 Testing the Client-to-Site Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13 More VPN Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14 VPN Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14 Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-18 Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-19

Module 12: High Availability


About this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Purpose of this Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Module Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 About High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 About High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 High Availability Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Required Tasks Before Using HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Acquiring License Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Creating New Address Name Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Adding Required Access Policies and a Source NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Adding a Source NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8 Editing Existing Policies and Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9 Dedicating an HA Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11 Monitoring IP Addresses Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17 Viewing High Availabilty Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20 Updating Appliances in High Availability Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21 Upgrading Existing Devices to use HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22 Lab: Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-23 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-23

Integrated Security Appliance

ix

Contents

HA Classroom Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HA IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enable and Test High-Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reconfigure the class network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring the Proventa Appliances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enable the eth2 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Create the High-Availability Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure High-Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Test High-Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

12-23 12-24 12-24 12-25 12-25 12-28 12-29 12-31 12-33 12-35

Course Review
Review Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R-1 Ask Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R-2

Appendix A: VPN and Encryption Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1


VPNs and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 What is a Virtual Private Network? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 What is Encryption? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 Symmetric (Shared Key) Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2 Asymmetric (Public/Private Key) Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4 Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7 Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-8 Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9 IPSEC Initiators and Responders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10 IPSEC Encapsulation Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-10 IPSEC Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-11 Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-12 Internet Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-13 Introduction to ISAKMP/Oakley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-13 IKE Phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-13 Phase 1 Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-14 IKE Phase 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16 IKE policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17 IKE XAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17

Integrated Security Appliance

How to Use this Training Guide


About the Course
Introduction
The Integrated Security Appliance is a 2 day course that teaches you how to configure your Proventa M appliance for firewall, VPN, intrusion prevention, basic antivirus, web filtering, and antispam functionality.

Time Requirements
The following tables provide suggested times for each module: Day 1 Introduction to the Proventa M Series Configuration of the Proventa M appliance General Settings Transparent Mode Configuring Intrusion Prevention Configuring Antivirus Configuring Web Filtering Configuring Antispam Approximate Length 15 minutes 1 hour 1 hours 45 minutes 45 minutes 30 minutes 1 hour 45 minutes

Day 2 Routing Mode Configuring Firewalls Configuring the VPN High Availability

Approximate Length 45 minutes 3 hours 2 hours 1 hour

Integrated Security Applliance

H-i

How to Use this Training Guide

About the Training Guide


For the Students
This training guide provides information and exercises for the students as you lead them through the course. Space is provided for the students to take notes, answer questions, and complete exercises.
Note: Part of your job as trainer is to teach the students to use their

resources. Encourage the students to takes notes in the training guide during class and to use the guide as a reference when back on the job.

For the Instructor


The Instructor Guide and the Student Guide match page for page, but the Instructor Guide also includes notes for the instructor on conducting the course. The student does not see any instructor notes. As you read through the guide, notice that instructor notes are provided in blue text on the left side of the page. See the example in the left column.

In this column, you see suggestions and instructions for conducting the class.

Underlined blue text in the right column (this main column) provides answers for questions the instructor should ask the class. See the following example: Underlined blue text in this column provides answers to questions or information for a discussion.

Following the Guide


Your product knowledge and real-world experiences add depth to the course and make it successful. However, it is also important that you follow the training guide to teach the information and exercises. The information presented in the training guide has been through an extensive design and approval process. ISS wants to provide a consistent message to every customer in any course the world over, so your cooperation in using and following the materials is appreciated.

Using Leader Notes


Leader notes are provided to give you instructions on how to teach each section of the course. As explained below, various formats are used, but the overall goal is to make it easier for you to determine how to cover the information provided for the students.

H-ii

Integrated Security Applliance

How to Use this Training Guide You will see the following types of leader notes (in the table, they are listed in alphabetical order): This word in bold... Ask Provides this kind of information... Followed by a question the instructor can pose to the students to stimulate a group discussion. Example ASK: Who are some people you think should be involved?

Demonstrate

Indicates that the instructor DEMONSTRATE: should perform a Installing the Console procedure while the students watch. Provides guidelines for conducting the demonstration. Indicates that the instructor should stress the importance of this information. EMPHASIZE: Setup can archive private keys only when it creates them; it cannot archive existing private keys. EXAMPLE: If this Console is going to communicate with any Unix sensors, a Certicom provider, like the ISS ECNRA Built-In provider, must be listed in this dialog.

Emphasize

Example

Provides a specific, real-world example.

Explain

Provides information on the EXPLAIN: topic to help the Instructor If the destination teach it. location is the same and you choose not to use or back up these databases, info in the database is lost when the installation is complete. Provides instructions for conducting an exercise or demonstration. GUIDELINES: You demonstrate the installation first. Students will install the Console at the end of this module.

Guidelines

H-iii

Integrated Security Applliance

How to Use this Training Guide This word in bold... Key Points Provides this kind of information... Summarizes, at a high level, the main points of a section. If the instructor says only this, he/she is presenting the most important information. Provides information that the instructor may use if asked a question.

Example KEY POINTS: You should monitor your systems to identify risks and apply the appropriate patches and software. NOTE: This is just an overview. Youll go into more detail in the following sections. POINT OUT: These options on the View menu: Auto-Scroll Lock Clear All Events Inspect Events

Note

Point Out

Indicates that the instructor should physically point to a feature/function/option to show the location of it.

Review

Briefly lists information the REVIEW: instructor has covered The options for before. Used as a reminder installing RealSecure. to students of options/ processes/similarities. Information the instructor can actually say. STATE: When you come under attack, its time to implement your incident response procedures. STEP 6REVIEW: Installation options: From the CD From the website How well do it in class

State

Step # + word Provides information that applies to that specific step of a procedure. Works in conjunction with other words listed here.

H-iv

Integrated Security Applliance

How to Use this Training Guide This word in bold... Transition Provides this kind of information...

Example

Summarizes a section and TRANSITION: leads into the next one. Now that you have seen how RS responds when under attack, lets discuss why you need intrusion detection software such as RealSecure.

Understanding the Icons


As you read the guide, you will notice several icons. The icons indicate that you should take a particular action. This training guide uses the following icons: Icon Name Description Indicates how much time you should spend on this module of the class.

Stopwatch

Slide

Show the students the slide that displays key points on this topic.

Exercise

Allow students to perform the exercises on their own.

Providing Feedback on the Training Materials


Your feedback on the training materials is valuable and can help make ISS training more successful. When you have ideas or suggestions, send a detailed e-mail to EMEA-Coursefeedback@iss.net. The subject line of the e-mail should indicate which course your feedback applies to. Please include feedback on only one course per e-mail.

Integrated Security Applliance

H-v

How to Use this Training Guide

Preparing for Class


Preparation Checklist
Use this checklist to prepare for the class:

Read the training guide carefully. Familiarize yourself with the


course flow, as well as each modules objectives and content.

Study how the leader notes guide you through the course. Make
your own notes in the training guide to help you teach the course.

Practice the demonstrations and exercises until you are comfortable


with them.

Make sure all equipment and software is working. Make sure all student materials are available.

Required Data Files


default.htm logo_splash.gif EducationSvcsReversed.gif bigwidget.htm bw_logo.gif eicar.com.zip (pwd: eicar)

Required Software
Carefully read the Classroom Set-Up Guide for Product End-User Training; it contains all hardware and software requirements for each training.

Required Hardware
Make sure you have enough extra cables for the setup exercises.

INSTRUCTOR: Refer to the ISS Classroom Set-Up Guide for Product End-User Training for details about configuring the SiteProtector classroom.
H-vi

Assumptions for Performing the Exercises


Course exercises require the classroom equipment to be configured as described in the Classroom Set-Up Guide for Product End-User Training. The exercises for this course assume the following: Each classroom computer has one physical network interface on the <LAN>.0/24 network. This interface is connected to the classroom switch.

Integrated Security Applliance

15 minutes

Welcome to the Class!


...With the Instructor
Here at Internet Security Systems, Inc., we believe that it takes a team to achieve the best results with whatever we do. Its important to us that the classroom environment for each course fosters that team spirit as well. We want you to know about your instructor and your fellow students. The instructor will tell you about his/her background. Use the space below to take any notes:

Getting Acquainted...
Slide 1

GUIDELINES: Welcome students to the class. Introduce yourself and describe your background. Ask students to introduce themselves and describe their job responsibilities. TRANSITION: Now that we have introduced ourselves, lets talk about getting the most out of this course.

...With Others in the Class


Were glad youre here. As you spend the next few days learning about the Internet Security Systems, Inc., products you have purchased, we encourage you to get acquainted with your fellow students. Introduce yourselves and tell a bit about your background. Share whatever information you feel comfortable with. Use the space below to take any notes:

Notes

Integrated Security Appliance

W-1

Welcome to the Class!

Getting the Most Out of this Course...


STATE: This class teaches you through lecture, discussion, demos, and hands-on exercises. Feel free to ask questions and share experiences. If I cant answer a question, Ill write it down and get back to you with an answer. EXPLAIN: Ground rules for: breaks and lunch phone calls interruptions EXPLAIN: Students should use the training guide: To follow along through the class. To take notes. As a resource when back on the job. EMPHASIZE: Information on slides is also in the training guide.

The Instructors Role


The Integrated Security Appliance course introduces concepts, frameworks, methodologies, and strategies that are effective in successfully teaching you to use the Proventa M Series appliance. The instructor serves as a guide to lead you through the course with lectures, discussions, demonstrations, and hands-on exercises.

Your Role
Your active participation is important to us. Feel free to share your experiences with the class. Take this chance to build relationships with other professionals in the field. We can all learn from each other. Ask questionsboth of the instructor and your fellow students. If the instructor cannot immediately answer your question, the instructor will write the question down and consult other resources at Internet Security Systems, Inc.

Using this Training Guide


This training guide leads you through the Integrated Security Appliance course. It provides background information and exercises that teach you how to use components more effectively. Each module has its own specific objectives and related exercises. Each module ends with a review that helps to reinforce the knowledge and skills you have acquired during the module.

Notes

W-2

Integrated Security Appliance

Welcome to the Class!

About this Course


Slide 2

Course Objectives
By the end of this course, you will be able to: Describe the six components of the Proventa M. Reconfiguring the Proventa M appliance. Discuss Transparent Mode functionlality and configuration. Discuss components of the Proventa M Intrusion Prevention module and configure Intrusion Prevention functionality. Detect and block an attack, enable auditing, and view intrusion prevention events. Discuss the basics of antivirus technology and configure the antivirus portion of the Proventa M. Use a test virus to view virus blocking within the Proventa M. Describe the Proventa M Series Web filtering process. Configure the Web filtering module, creating whitelists and blacklists.

Slide 3

Describe the basics of Proventa Ms antispam technology and configure the antispam portion of the Proventa M using whitelists and blacklists. Identify firewall methods and translate your security policy into firewall policies. Configure the Proventa M firewall, creating objects and policies. Perform network address translation. Configure a Virtual Private Network for site-to-site and client-to-site connectivity. Describe High Availability deployments and configuration of a HA environment.

Notes

Integrated Security Appliance

W-3

Welcome to the Class!

Slide 4

Course Outline
Integrated Security Appliance is a 2-day course that covers the following topics: Day 1 Module 1 Module 2 Module 3 Module 4 Module 5 Module 6 Module 7 Module 8 Day 2 Module 9 Module 10 Module 11 Module 12 Routing Mode Configuring Firewalls Configuring the VPN High Availability Introduction to the Proventa M Series Configuration of the Proventa M appliance General Settings Transparent Mode Configuring Intrusion Prevention Configuring Antivirus Configuring Web Filtering Configuring Antispam

Course Review

Notes

W-4

Integrated Security Appliance

15 minutes

Introduction to the Proventa M Series


Purpose of this Module
The purpose of this module is to introduce you to the features and benefits of the Proventa M appliance.

Module 1

About this Module


Slide 5

Slide 6

Module Objectives
When you complete this module, you will be able to: Discuss the need for a unified protection solution. Describe the six components of the Proventa M. Discuss the differences between the M10, M30 and M50 appliances.

Notes

Integrated Security Appliance

1-1

Module 1: Introduction to the Proventa M Series

Secure Communications
Slide 7
The three main objectives of secure communication are Confidentiality, Integrity, and Availability.

C onfidentiality

Integrity
Confidentiality
Confidentiality can be defined as:

Availability

The prevention of unauthorized users accessing information to which they are not entitled
Example: A salesperson looking through employee records in the HR

payroll database. He has seen data that he is not authorized to view.

Notes

1-2

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Integrity
Information Integrity can be defined as: The prevention of unauthorized users from modifying, inserting and deleting data, such that the data itself remains in its intended state
Example: That same salesperson changing his pay rate in the payroll

database. He has not breached the confidentiality of the data if he has not seen anyone elses pay rate. He has modified data that he is not authorized to modify.

Availability
Availability can be defined as: Ensuring that the systems services are accessible on demand, by an authorized entity
Example: The same salesperson deleting the payroll file. He has made it

so that this data is unavailable.

Slide 8

Protection Controls
Authentication making sure you are who you say you are. We will accomplish this with the use of encryption. Access Control making sure you have access to only what you should have access to. We will accomplish this with the use of firewalls.

NOTE: Slide builds automatically.

Audit catching breaches to mitigate damage. We will accomplish this with the use of log files and intrusion detection.

Notes

Integrated Security Appliance

1-3

Module 1: Introduction to the Proventa M Series

Slide 9

Increasing Threat at the Gateway


There are many threats to your organizations systems and information: Unauthorized users, including spammers, may gain access to your corporate Intranet and file shares. Viruses can be found in emails (corporate email and personal email accounts), downloaded files, and files exchanged using peer-to-peer networks. Hackers steal data (customer lists, credit card numbers), deface your company property, and send denial of service attacks to tie up your systems. Worms are spread which are self propogating and act like automated hackers.

Notes

1-4

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Slide 10

Protecting the Gateway Today


A complete security plan needs to incorporate tools for: Firewall VPN Antivirus Intrusion Provention Content Filtering SPAM Not only is this a lot to manage, it also requires multiple packet inspection which leads to redundancy and inefficiency.

Slide 11

Challenges of Multiple Solutions


Gaps in protection Multiple management systems Degraded network performance Resources required to evaluate, acquire, deploy, manage, and update Physical constraints

Notes

Integrated Security Appliance

1-5

Module 1: Introduction to the Proventa M Series

Slide 12

The ISS Solution: Unified Protection


The Proventa M offers unified protection in one appliance.

EXPLAIN: M stands for Multi Function, and it does it all.

With the Proventa M multi-function edge appliance in place, you no longer need to acquire, install and manage separate gateway and network products.

Notes

1-6

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Overview of Proventa M
Slide 13

What is Proventa M?
The Internet Security Systems (ISS) Proventa M Series Appliance is a gateway protection appliance that offers the following protection technologies:

NOTE: Slide builds automatically.

Stateful packet inspection firewall VPN server (for client-toserver and site-to-site implementations) Intrusion Prevention Gateway Antivirus and Virus Prevention System (VPS) Web Filtering Antispam The Proventa M automatically blocks viruses, unauthorized access, network attacks, malicious code, and hybrid threats like SQL Slammer, Code Red and MS Blaster. It also filters out unauthrized Web access and alerts you to unwanted email. Built on ISS award-winning intrusion detection and prevention system, the Proventa M brings the level of protection demanded by global enterprises and world governments to remote offices and mid-sized businesses.
IPS AV FW VPN WF AS

IMPORTANT: Mention that Proventa M now addresses the issue of Spyware - its been added as a category that is blocked by the web filter.

Notes

Integrated Security Appliance

1-7

Module 1: Introduction to the Proventa M Series

Slide 14

Key Benefits of the Proventa M


Simpler - easier to secure the network and the gateway because it protects against a full spectrum of threats. Smarter - built on a unified protection engine that examines network traffic once for all threats. Receives automatic updates on the latest threats and vulnerabilities to protect against the latest attacks. More Cost Effective - protects more with less fewer resources, fewer steps and lower costs.

Notes

1-8

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Proventa M Components
Slide 15

Traditional Stateful Firewall


The following are all part of Proventa M firewall functionality: Traditional allow/deny rules by address/port Named lists of objects DHCP server NAT, PAT DHCP client PPPoE (for DSL/cable connections) ICSA certified

STATE: Now lets talk about some of the features of each Proventa component.

Notes

Integrated Security Appliance

1-9

Module 1: Introduction to the Proventa M Series

Slide 16

Virtual Private Networking


The Proventa M accepts VPN connections from: Site to Site: Remote office and partners Clients: Home offices and mobile users

Proventia G Proventia G

M M

ICSA Certification is pending.

Notes

1-10

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Slide 17

Intrusion Prevention
Proventa M offers the same proven intrusion prevention technology as the Proventa A & G series: High speed deep traffic analysis Multiple methods of detection Automatic updates from the X-Force the world leader in security research and vulnerability detection In addition, the M Series has been called X-Force in a box because it has automatic protection (users are not required to set policies or analyze events): X-Force tags events as block or alert. Tuning by users is allowed. ICSA Certification is pending.

Notes

Integrated Security Appliance

1-11

Module 1: Introduction to the Proventa M Series

Slide 18

Gateway Antivirus
With the Antivirus module, Proventa M offers: High speed analysis of files in real time from:

STRESS: Ms AV is SOPHOS, the top-tier AV provider, fastest to market, etc. EXPLAIN: The WildList Organization International is a great source of information on which viruses are spreading in the wild. Their site: http://www.wildlist.org

Web sites and webmail (HTTP) Download sites (FTP) Corporate and personal email (SMTP, POP3)

100% wildlist coverage Easy, single-point-of-administration

All traffic through the gateway is filtered, even if desktop protection is disabled or out of date

ICSA Certification is pending.

Slide 19

Virus Prevention System (VPS)


ISS Virus Prevention Ssytem , working with the gateway antivirus functionality, offers zero day protection, taking preemptive action against suspicious code even before it is publicly known.

Notes

1-12

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Slide 20

Web Filtering
With the web filtering module, the Proventa M Series offers the following: Filtering of Web sites based on pre-defined categories that you select Protection against spyware Specification of individual URLs, domains, or IP addresses that the appliance blocks or allows Tracking of URLs that users request and access Specification of static source IPs that can override the filters, to allow select users to surf the Internet freely

Slide 21

Antispam
Based on a huge database of known sources, key words, etc., Proventa Ms antispam software allows you to prevent undesired advertisements and offensive emails from entering your network undetected.

Slide 22

Additional Proventa M Functionality


In addition to the six protection components, Proventa M also offers the following: Management through SiteProtector High Availability Transparent Bridging Mode Failover Protection in Transparent Mode using Spanning Tree Protocol (STP)

Slide 23

Local Management Interface


The appliance comes with a local management interface (LMI) where you can configure and work with all Proventa M functionality.

Notes

Integrated Security Appliance

1-13

Module 1: Introduction to the Proventa M Series

Slide 24

SiteProtector Management
SiteProtector is an ISS management console. SiteProtector can manage a variety of network assets such as appliances, agents, and sensors. If you use a SiteProtector controller with your appliance, you can:

POINT OUT: We will not talk about SiteProtectorTM during this training. Slide 25

Report alerts and events to the SiteProtector console Enable a SiteProtector Agent Manager to manage many important functions of your M Series appliance

High Availability
The Proventa M Series appliance offers active-passive high availability (HA) by using Virtual IP addresses shared between a primary appliance and a secondary appliance. With HA enabled and configured, the secondary appliance (in passive mode) is ready to operate as the primary appliance if the primary appliance fails.

Slide 26

Routing and Transparent Modes


You can configure your appliance in either Routing or Transparent Mode. Routing Mode allows your appliance to work with full functionality. When your appliance is in Transparent Mode, it acts as a bridge device and filters packets that traverse the firewall without modifying any of the source or destination information in the IP packet header. The IP addresses of all interfaces are set at 0.0.0.0, which makes the presence of the appliance invisible to the network.

Slide 27

Failover Protection using STP


The Spanning Tree Protocol (STP) is a link management protocol that is part of the IEEE 802.1 standard for media access control bridges. The Spanning Tree Algorithm provides failover or high availability for Ms running in transparent mode, and re-routes traffic to a secondary M if the primary M fails.

Notes

1-14

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Appliance Specification Details


At this time, there are three different appliance models in the Proventa M Series, the M10, the M30 and the M50. Although the protection functionality they provide is the same, there are some differences in hardware specifications and performance. The charts that follow give you a good comparison of these models.

Slide 28

All-in-One Protection
M10
Firewall VPN Intrusion Prevention with blocking IDS Antivirus Web Filtering Antispam X X X X X X X

M30
X X X X X X X

M50
X X X X X X X

Notes

Integrated Security Appliance

1-15

Module 1: Introduction to the Proventa M Series

Slide 29

Performance
M10
Maximum Recommended Users Stateful Throughput Speed (Firewall only) Full Inspection Speed: Protecting over 600 vulnerabilities Blocking 0 viruses Blocking over 95% of spam Blocking available for over 60M URLs by category Full Inspection Speed: Protecting over 600 vulnerabilities Blocking over 120,000 viruses over SMTP and POP3 Blocking over 95% of spam Blocking available for over 60M URLs by category Maximum Connections per Second Maximum Concurrent Sessions 100 100 Mbps 100 Mbps

M30
500 200 Mbps 200 Mbps

M50
2500 1600 Mbps 800 Mbps

43 Mbps

200 Mbps

566 Mbps

2,125 101,000

4,100 101,000

4,100 101,000

Note: The more modules and blades you utilize, the more performance

is offset.

Management
M10
Centralized Management Web-Based Local Management X X

M30
X X

M50
X X

Notes

1-16

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

The Front of the Proventa M50


Slide 30
Below is a graphic illustrating the front of the M50 appliance. The front panel includes the following: A -internal interface traffic LED B - external interface traffic LED

POINT OUT: M50 is too loud to run the training on but all we will see applies the same way. CAUTION: You must operate this unit with the top cover installed to ensure proper cooling. NOTE: ISS does not support use of additional PCI cards.

C - power button D - power LED E - hard drive activity LED F - fault LED G - system ID LED H - system ID button I - reset button J - USB (unused) K - NMI (unused) L - video

A B

C D

E F

Notes

Integrated Security Appliance

1-17

Module 1: Introduction to the Proventa M Series

Slide 31

The Back of the Proventa M50


Below is a graphic illustrating the back of the M50 appliance. The back panel includes the following:

CAUTION: Reset button immediately reboots appliance without performing normal shutdown procedure. If you use the reset button, you may lose data. Use only when a normal shutdown is not possible.

redundant AC power one serial port an internal interface (INT0) an external interface (EXT1) six additional ethernet interfaces eth2 through eth7 one video interface one keyboard port strain relief

Notes

1-18

Integrated Security Appliance

Module 1: Introduction to the Proventa M Series

Module Review
Slide 32
You should now be able to:

Discuss the need for a unified protection solution. Describe the six components of the Proventa M. Discuss the differences between the M10, M30, and M50 appliances.
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

1-19

Module 1: Introduction to the Proventa M Series

Notes

1-20

Integrated Security Appliance

1 hour

Set up the Proventa M Appliance


Purpose of this Module
This module describes how to configure the Proventa M appliance software and view appliance settings.

Module 2

About this Module


Slide 33

Slide 34

Module Objectives
When you complete this module, you will be able to: Install the Proventa M software and configure the appliance. Set the time, date and time zone settings. Change passwords. Reboot the appliance. Connect to the Web-based Proventa Manager.

Notes

Integrated Security Appliance

2-1

Module 2: Set up the Proventa M Appliance

Slide 35

What You Need to Know


To install the Proventa appliance, you must first know the following: IP address, subnet mask and default gateway of of the appliances management address. Hostname for the appliance. Domain Name Server for the appliance. This is the information you will use for the initial configuration.

Notes

2-2

Integrated Security Appliance

Module 2: Set up the Proventa M Appliance

Slide 36

Classroom Topology
The graphic below illustrates the final layout of the classroom at the conclusion of the exercises contained in this module.

Notes

Integrated Security Appliance

2-3

Module 2: Set up the Proventa M Appliance

Classroom IP Addresses
The following table highlights the resulting IP settings.

Table 1

Host Name iss10 iss20

IP Address Appliance Name <LAN>.10 <LAN>.20 <LAN>.30 <LAN>.40 <LAN>.50 <LAN>.60 <LAN>.70 <LAN>.80 MF49.xfeducation.local MF39.xfeducation.local MF29.xfeducation.local MF19.xfeducation.local

IP Address MGMT: <LAN>.19

iss30 iss40

MGMT: <LAN>.29

iss50 iss60

MGMT: <LAN>.39

iss70 iss80

MGMT: <LAN>.49

Notes

2-4

Integrated Security Appliance

Module 2: Set up the Proventa M Appliance

Lab: Configuration
Slide 37

Introduction
This lab walks you through the steps that you will take when configuring your Proventa M appliance: Re-cable the network Configure the appliance Connect to Proventa Manager

Exercise 1

Re-cable the class network.


Partner 1
1. Umplug your network cable and connect it to the powered off

Proventa M in the EXT1 socket.

NOTE: Each table will need an additional network cable.

2. Obtain a network cable from instructor and connect your host

system to the Proventa M appliance in the INT0 socket.


3. Connect the serial cable to the Proventa M appliance and to your

host system. Partner 2


4. Connect your network cable to the Proventa M appliance in the

EXT2 socket.

Exercise 2

Configuring the Proventa M


This exercise will be conducted by Partner 1 only.
1. Instert the Restore CD for Proventa M in your CD tray and reboot

your system.
2. If asked, select to boot from the CD. 3. When prompted, boot your Proventa M appliance. 4. When prompted, press L to boot from LAN.

Note: you have 5 seconds before the system will boot normally.

Notes

Integrated Security Appliance

2-5

Module 2: Set up the Proventa M Appliance

POINT OUT: Should they forget the nodb option they can kill the setup when the DB CD is requested. POINT OUT: As of Firmware 3.2 there is a web setup. With earlier firmware versions there was only the admin interface via serial connection.

5. At the boot prompt, type reinstall nodb and press ENTER.

The system will restore the distribution image without copying the database used for the web and mail filtering. These will be copied in the following exercise.
6. Allow the appliance to reboot.

Configure via the web interface


7. Press CTRL+G to reboot your system and remove the ejected CD. 8. Modify the Local Area Connection properties as follows:

IP: 192.168.123.X/24 where X remains unchanged from the current value (if the NIC is not set to DHCP, you can simply add the new address). Note the settings as you will have to restore them.
9. Launch your web browser. Once at the browser window, enter the

IP address for your web server, https://192.168.123.123.


Note: make sure to put an s at the end of http.

STATE: Make sure to put an s at the end of http or it wont work.

10. On the Security Alert dialog, click Yes to accept the digital

certificate.
11. On the login dialog, enter your user name, admin, and press TAB. 12. Enter your password, admin, and press ENTER. 13. If you are not prompted to install Java, proceed to step 21. 14. If you are prompted to install Java, click download the file here. 15. Click Open. 16. Choose I accept the terms in the license agreement, and click Next. 17. Accept the Typical installation, and click Next. 18. Click Finish. 19. Close your browser. 20. If you are prompted to restart your system, click Yes to restart and

proceed from step 9.


21. On the Proventa Setup Assistent screen click Next.

Notes

2-6

Integrated Security Appliance

Module 2: Set up the Proventa M Appliance


22. In the End User License Agreement screen select the I accept check

box and click Next.


23. In the Mode screen select the Transparent and click Next. 24. Read the information related to the Transparent Mode

Configuration and click Next.


25. On the Hostname screen, type your appliances hostname,

MF<yourtable #>9.xfeducation.local and click Next.


Note: You would normally use your site specific domain. 26. On the Management Address screen insert:

IP Address: <LAN>.X9 (see table on page 2-4 for reference) Netmask: 255.255.255.0 Default gateway (IP): <LAN>.GW. Your instructor will give you this address.
27. Click Next.

POINT OUT: Communicate the students DNS settings.

28. On the Name Servers screen insert Primary, Secondary and Tertiary

Nameservers as given by the instructor and click Next.


29. On the DNS Search Path screen type xfeducation.local as the DNS

Search path name and click Next.


30. On the Appliance Management Access screen, in the IP Addresses

field add both students IP addresses space delimited <LAN>.X0 <LAN>.Y0 and click Next.
31. On the Time Zone screen select the appropriate Timezone and click

Next.
32. On the Date and Time screen insert the appropriate Month, Day,

Year, Hour, and Minutes and click Next.

EXPLAIN: The difference between the passwords.

33. On the Root Password screen type in the new password iss123+

and confirm it. Click Next.


Note: You will need this password for command line access. 34. On the Administrator Password screen check the Same as Root

checkbox and click Next.

Notes

Integrated Security Appliance

2-7

Module 2: Set up the Proventa M Appliance


Note: You will need this administrative password to access the

appliance.
35. On the Proventa Manager Password screen check the Same as

Root checkbox and click Next.


Note: You will need this password to access the Proventa Manager. 36. On the Bootloader screen select Disable and click Next. Note: The bootloader password protects the appliance from

unauthorized users during the boot process. When you enable the bootloader password, then you must enter the root password to use a boot option other than the default.
37. Review your settings and click on Finish. 38. Read the information on the Setup Complete screen and close the

browser window.
39. Restore the original Local Area Connection settings.

POINT OUT: Students wont have to go through these steps; they are added here only as reference.

Configure via the command line


Note: You wont have to go through these steps; they are added here only as reference.
7. At the unconfigured.appliance login prompt, type admin and

press ENTER.
8. At the password prompt, type admin and press ENTER. Note: No text appears on screen when you type a password. 9. On the HTTP Authenticatoin screen press TAB twice and press

ENTER.
10. On the Welcome screen press ENTER to select Next (default

position).
11. On the End User License Agreement screen, review the license

agreement and press ENTER to select I Accept.


12. TAB to the NEXT button and press ENTER. 13. Press TAB and ENTER to select Transparent. 14. TAB to the NEXT button and press ENTER.

Notes

2-8

Integrated Security Appliance

Module 2: Set up the Proventa M Appliance


15. Read the information on your screen and press ENTER to continue. 16. On the Hostname screen, press BACKSPACE as necessary to delete

the default host name (unconfigured.appliance).


17. Type your Gateway Protection Hostname, MF<yourtable

#>9.xfeducation.local.
18. TAB to the NEXT button and press ENTER. 19. On the Management Address screen insert:

IP Address: <LAN>.X9 (see table on page 2-4 for reference) Netmask: 255.255.255.0 Default gateway (IP): <LAN>.GW. Your instructor will give you this address.
20. TAB to the NEXT button and press ENTER. 21. On the Name Servers screen, type the IP address of the Primary,

Secondary and Tertiary nameserver. Your instructor will provide this IP address.
22. TAB to the NEXT button and press ENTER. 23. On the DNS Search Path screen, type the DNS search path list

name, xfeducation.local.
24. TAB to the NEXT button and press ENTER.

POINT OUT: By typing a letter the cursor moves to the first entry starting with it. Use PgDn and PgUp to move more quickly.

25. On the Configure Time Zones screen, select the appropriate time

zone by pressing ENTER and scrolling to desired value (the default time zone is America/New York).
26. TAB to the NEXT button and press ENTER. 27. On the Date and Time insert the appropriate Month, Day, Year,

Hour, and Minutes.


28. TAB to the NEXT button and press ENTER. 29. On the Root password screen, type your root user password,

iss123+, and press ENTER.


30. Reenter your root user password, iss123+, and press ENTER. 31. To select NEXT, press ENTER.

Notes

Integrated Security Appliance

2-9

Module 2: Set up the Proventa M Appliance


32. On the Administrator password screen press ENTER to select Same

as Root, press TAB 3 times to the NEXT button and press ENTER.
33. On the Proventa Manager Password screen press ENTER to select

Same as Root, press TAB 3 times to the NEXT button and press ENTER.
34. On the Enable Bootloader Password screen, press ENTER to select

Enable, press TAB twice to the NEXT button and press ENTER.
35. Scroll the Setting Review and press ENTER when the cursor is

positioned on Fininsh.
36. After the request is sent and the system reboots, press CTRL+G to

reboot your system and remove the ejected CD.

Exercise 3

Rebooting the appliance


To do properly reboot the appliance:
1. StartProgramsAccessoriesCommunicationsHyperTerminal. 2. Enter Proventa in the Name field and click OK.

POINT OUT: This is the way to connect via HyperTerminal even when there are no troubles.

3. Click OK to accept the connection via COM1. 4. Select 9600 Bits per second and click OK to start the connection. 5. Under FileProperties select the Settings tab. 6. Select VT100 under Emulation and click OK to accept the settings. 7. Under FileSave As... save the settings for future perusal by just

clicking on Save.
8. Press ENTER to see the prompt. 9. Log into Proventa as root. 10. Enter your password, iss123+. 11. Type reboot and press ENTER.

Notes

2-10

Integrated Security Appliance

Module 2: Set up the Proventa M Appliance

Exercise 4

Connecting to the Proventa Manager


This exercise will be conduct by Partner 1 only. To connect to the Proventa Manager through your browser:
1. Launch your web browser. Once at the browser window, enter the

IP address for your web server, https://<LAN>.X9.


Note: make sure to put an s at the end of http.

STATE: Make sure to put an s at the end of http or it wont work. POINT OUT: This can happen only if the appliance was configure via the LMI.

2. On the Security Alert dialog, click Yes to accept the digital

certificate.
3. On the login dialog, enter your user name, admin, and press TAB. 4. Enter your password, iss123+, and press ENTER. 5. If you are not prompted to install Java, proceed to step 14. 6. If you are prompted to install Java, click download the file here. 7. Click Open. 8. Choose I accept the terms in the license agreement, and click Next. 9. Accept the Typical installation, and click Next. 10. Click Finish. 11. Close your browser. 12. If you are prompted to restart your system, click Yes to restart. 13. Proceed from step 4. 14. If you are prompted that the Certificate is not valid, click Yes or OK

to continue.
15. If the Hostname Mismatch message dialog appears, click Yes or OK

to continue.
16. When you are prompted to log in a second time. If so, on the login

dialog, enter your user name, admin, and press TAB.


17. Enter your password, iss123+, and press ENTER. 18. Click No to bypass the Getting Started Guide. 19. Click the Launch Proventa Manager button.

Notes

Integrated Security Appliance

2-11

Module 2: Set up the Proventa M Appliance

Module Review
Slide 38
You should now be able to:

Install the Proventa M software and configure the appliance. Set the time, date and time zone settings. Change passwords. Reboot the appliance. Connect to the Web-based Proventa Manager.
Review Objectives Ask For additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

2-12

Integrated Security Appliance

1 hour

General Settings

Module 3

About this Module


Slide 39

Purpose of this Module


The purpose of this module is to familiarize you with the Proventa M interface and general configuration.

Slide 40

Module Objectives
When you complete this module, you will be able to: Install license keys. Install firmware and security updates. Describe information on the Home page. Get the status of Proventa components on your system. Describe information in the System node and subnodes. Locate ISS contact and support information. Set up your basic configuration.

Notes

Integrated Security Appliance

3-1

Module 3: General Settings

The License
The Home page
The Home page provides a snapshot of the current status of the appliance as well as access to all modules.

EXPLAIN: To completely exit out of a Proventa M session, you must click the End Session button and close your browser.

Important System Messages


The Home page also displays important messages about licensing and updates. If you have not configured your system to download updates automatically, such messages may appear with a link to the appropriate Proventa Manager page. When you first enter the Proventa Manager, you are given a message that you have not acquired and uploaded your System License. You are also given the link to upload your license.

Notes

3-2

Integrated Security Appliance

Module 3: General Settings

Proventa Licensing
EXPLAIN: Base license covers HW maintenance, firmeware update, security content downloads, and the IPS module is essentially free with the firewall purchase. On the M10 there are only 2 licenses. EXPLAIN: It is important to install the IP license first.
The auto update and/or download mechanisms require a license in order to function. Before you can install the license key file, you must do the following: Register your customer license. Download the license key file from the ISS Registration Center.

Installing the License Key File


You must install the license key file to make your appliance run at full capacity. Installing the key simply means browsing for the license and saving the key in the appropriate place so that the appliance software can access it. Once the key is installed in the appropriate directory for the appliance, you are shown the status for your license.

Notes

Integrated Security Appliance

3-3

Module 3: General Settings

Slide 41

Lab: Licensing
Installing the license key file.

Exercise 5

Lab: Installing License Key Files


Partner 1. To install the license key file:
1. In the Important System Messages click on the Install License link. 2. The Licensing page appears. Click Browse. 3. Locate and select the Intrusion Prevention license key file that was

given to you by the instructor. Click Open. The file path appears in the field.
4. Click Upload. 5. Locate and select the AntiVirus license key file that was given to you

by the instructor. Click Open. The file directory path appears in the field.
6. Click Upload. 7. Note your license information now on the page.

Notes

3-4

Integrated Security Appliance

Module 3: General Settings

Integrated Security Appliance Updates


Slide 42

Introduction
You should always make sure your appliance is running the latest firmware, security content, and database updates. The updates that you can install are: Firmware updates Security content updates Database updates
Note: Your appliance retrieves updates from the ISS Download Center,

accessible over the Internet.

INSTRUCTOR: Navigate through the GUI to show the update-related interfaces.

Update Status
The Update Status page lets you know if you are up-to-date and gives you your update history.

Notes

Integrated Security Appliance

3-5

Module 3: General Settings

Update Alerts
On the Alerts page, you can filter for information on appliance updates.

Notes

3-6

Integrated Security Appliance

Module 3: General Settings

Automatic Update Settings


You can update the firmware in two ways: Configure automatic updates Find, download, and install updates manually You will use this page to configure how the appliance locates, downloads, and installs available updates.

Update Settings Tab

On this page, you will do the following: Enable or disable automatic updates Enable or disable automatic installations Schedule automatic updates and installations Set up HTTP proxy You can set up the following automatic options:

Notes

Integrated Security Appliance

3-7

Module 3: General Settings Automatically Check for Updates This option automatically checks for new updates that are available for download and installation. Automatically Download Security, Database and Firmware Updates These options automatically download intrusion prevention, antivirus, and firmware updates based on your settings. Automatically Install Firmware Updates This option automatically installs firmware updates based on your settings. You can also enable the option to automatically perform a full system backup the appliance installs each firmware update. Automatically Update Web Filter and Antispam Database This option downloads and applies updates to the Web Filter and Antispam Database.
Note: You must install a Intrusion Prevention license before you can

configure automatic updates. Defining Settings You must define the following when configuring automatic updates for your appliance: When the appliance automatically checks for updates When to download and install security updates When to download database updates When to download firmware updates How and when to install firmware updates Which firmware update version(s) to install

Notes

3-8

Integrated Security Appliance

Module 3: General Settings

Alternate Update Server Tab

On this page you will be able to configure a different server than the default one at ISS. When using a different server you will have to specify its name (or IP address if DNS resolution might be problematic), the port (3994 is used to talk to SiteProtectors Update Server), the trust level and the CA Certificate if you decide to use the explicit-trust security level.

Notes

Integrated Security Appliance

3-9

Module 3: General Settings

Event NotificationTab

On this page you will be able to configure the notification settings for available updates, for update installation and for update errors. The three different type of notifications are email, SNMP or notification via SiteProtector.

Advanced ParametersTab
You can configure (or tune) certain parameters for the appliance to better meet your security needs, e.g. for a specific update retrieval policy and update storage policy.

Advanced parameters are composed of name/value pairs. Each name/ value pair has a default value. Not all general settings advanced parameters appear here, but the most often used ones do.

Notes

3-10

Integrated Security Appliance

Module 3: General Settings If you do not want to use the default value, you can add or edit name/ value pairs for any component that can be tuned.

Retrieving Updates
Your appliance retrieves updates from the ISS Download Center, accessible over the Internet. The appliance first checks for updates that have been downloaded, but not yet installed. Then, it connects to the ISS download center or other network location that is specified in the Source Location field of the Automatic Update Settings page for updates that have not been downloaded. To manually find updates, click the button on the Update Status page.
Note: If you have enabled email notification for System Informative Events, the appliance notifies you via email when updates are available to download and install.

Update packages and rollbacks


A rollback removes the last intrusion prevention or antivirus update that was installed on the appliance. You cannot rollback firmware updates. ISS recommends that you perform a full system backup before installing a firmware update. If you enable automatic firmware updates, you can enable the Perform Full System Backup Before Installation option. After an update is installed, the appliance deletes the update package and the downloaded package is no longer on your appliance. If you rollback the update, then the appliance finds the update available for download and installation the next time you find updates or at the next scheduled automatic update.

Updating with SiteProtector


If you manage your appliance with SiteProtector, you can install an update while the appliance is registered with the SiteProtector agent manager.

Notes

Integrated Security Appliance

3-11

Module 3: General Settings In addition, if you use SiteProtector to manage your appliance, you can configure the appliance to use the SiteProtector X-Press Update Server as an alternate update server (instead of the ISS Download Center). You will configure the appliance to use the SiteProtector X-Press Update Server on the Automatic Update Settings page.

Slide 43

Lab: Proventa Updates


Check and Install Updates

Exercise 6

Lab: Check and install updates


Partner 2.
1. Connect to the Proventa Manager. 2. Take over the management of the Integrated Security Appliance. 3. If the Hostname Mismatch message dialog or any other message

dialogs appear, click Yes or OK to bypass them.


4. Select the MaintenanceUpdatesStatus node. 5. You may be prompted to log in a second time. If so, on the login

dialog, enter your user name, admin, and press TAB.


6. Click on Find Updates. This will download the latest information

on the available updates.


7. Select the MaintenanceUpdatesAvailable Downloads node to

see which updates are available on the ISS server.


8. Select the MaintenanceUpdatesAvailable Installs node and

you will see that they have not yet been downloaded.
9. Select the MaintenanceUpdatesAvailable Downloads node

and click on Download All Available Updates.


10. While the system is downloading the updates, unzip the file

containing the filter database.

Notes

3-12

Integrated Security Appliance

Module 3: General Settings

POINT OUT: The same comand could be used to transfer update packages. INSTRUCTOR: Tell the students if they should wait after the updates or go ahead. POINT OUT: We will not install any firmware update; this is where Install Firmware Updates would be selected.

11. Transfer the database with the following comand:

<path>\pscp.exe <updates path>\*.db root@<LAN>.X9:/cache/ ofconf/ofdb Note: once this transfer has started you will have to wait for its termination before being able to install firmware updates. Decide together with the instructor if it is better to update the appliance before uploading the database.
12. If prompted, type y and ENTER. 13. Type the root password iss123+. 14. When the transfer is finished you are positioned in the

MaintenanceUpdatesStatus node. In the Updates window, in the Intrusion Prevention section click on Install Now.
15. In the Updates window, in the Antivirus section click on Install

Now
16. Go to the MaintenanceUpdatesAutomatic Settings node. 17. In the Automatically Check For Updates area, select an Interval of

60 minutes.
18. In the Security Updates ares, enable both Automatically Download

and Automatically Install.

INSTRUCTOR: It is important to enable the filter DB update because it will trigger the creation of the index file and categories file.

19. In the Web Filter & Antispam Database Updates area, enable

Automatically Update Web Filter and Antispam Database.


20. In the Firmware Updates area, enable Automatically Download

and ensure that Do Not Install is selected.


21. Click on Save Changes. 22. Select the Home node.

Notes

Integrated Security Appliance

3-13

Module 3: General Settings

Proventa Manager Home Page


Lets spend a little bit more time to analyze the content of the Proventa Manager interface.

Navigation Tree
In the left pane, this tree gives you quick access to any module page in the Proventa Manager. You can minimize or maximize the navigation pane by clicking on the icon on the top right.

Notes

3-14

Integrated Security Appliance

Module 3: General Settings

Device Name
Located in the top right corner, this is the appliance domain name you configured during setup.

End Session
In order to completely exit out of a Proventa M session, you must click the End Session button and close your browser.

Protection Status
This describes the current status of each of the Proventa components. In addition, each of the component names is a link to that components status page. The status page includes statistics that may help you identify a problem in the event of an unexpected component status.

EXPLAIN: Antivirus status is stopped when you first install because Antivirus functionality has not yet been enabled.

You can determine the current status of a component by glancing at the status icon. The status icons are as follows: Icon Status
Indicates that the component is active. Indicates that the component is stopped. Indicates that the component is in an unknown state. This status may require immediate attention.

EXPLAIN: You can also access module status info from SiteProtector if the appliance is managed centrally.

Module Status
This area describes the current status of each module in the appliance. You can access this information from the Home Page in two ways:
1. Click on the module name in the Protection Status area 2. Click on the module name in the navigation pane

(StatusModuleStatus).

Notes

Integrated Security Appliance

3-15

Module 3: General Settings

System Status Overview


This area describes the current status of the system, including the date and time of last firmware, antivirus, and intrusion prevention updates, high availability status, and the date and time of the last system backup.

System Logs and Alerts Buttons


These button (at the top of the screen) take you directly to LogsSystem Logs and LogsAlerts respectively.

Help

TRANSITION: In the rest of this module, were going to cover System Settings, Backup and Recovery, Updates, Support and Logs.

ISS Help is based on Web technologies and uses Internet Explorer (the browser) as its viewer. Topics use many common features of Web pages, such as links to other information. The built-in functionality of Internet Explorer is also available.

Notes

3-16

Integrated Security Appliance

Module 3: General Settings

System Status
Slide 44
There are three tabs within the StatusSystem area. Each one provides useful information for you to use in analyzing your system. Selecting the Status node the System Status page appears, displaying statistics for memory usage, CPU usage, the bridge configureation, and the internal and external interfaces.

Notes

Integrated Security Appliance

3-17

Module 3: General Settings

Logs Status
The Logs Status page displays summary data for the Alert Event Log statistics:

Here are definitions for the alert statistics: Statistic


Number of Logged Alerts Percentage Full Time of Last Alert

Description
The number of alert events that have been written to the log file. The percentage of allocated space that contains alert event log entries. The date and time of the last alert written to the log file.

Alerts
This is the same interface used for the Log Alerts (Alerts on page 320) filtered by System alert type.

Notes

3-18

Integrated Security Appliance

Module 3: General Settings

Refreshing Data
STATE: This is the first place we are seeing the Refresh Data option. Lets take a minute and discuss it.
The Proventa M allows you to refresh data on a page manually or automatically at the following intervals: Now (use to manually refresh the page) Every 10 seconds Every 20 seconds Every 30 seconds Every 1 minute Every 2 minutes Auto off (use to disable automatic refresh) You will determine the refresh setting for each module separately.

Notes

Integrated Security Appliance

3-19

Module 3: General Settings

Logs
Messages for all components are logged on the Proventa M. It's essentially the same thing as a console, only web-based. Events generated by all components are formatted with the appropriate information and presented in the Logs area for correlation. There are two tabs within the Logs area. Each one provides useful information for you to use in analyzing your system.

Alerts
EXPLAIN: The Alert Event Log keeps 31 days worth of information in a rolling refresh.
The Alerts Event Log is a subset of events from the System Event Log that are pulled out of the system log. The detail is presented in an ordered and easy fashion. This is where you would look to find information such as traffic blocked by a firewall rule or VPN conflicts preventing clients from connecting. When you click on an event name, you are presented with the details of that event.

EXPLAIN: The circled X icon after an event name will take you to online XForce Help. Antivirus events will be followed by a bug icon which will take you straight to the SOPHOS web page. POINT OUT: The Refresh dropdown.

Notes

3-20

Integrated Security Appliance

Module 3: General Settings This page also allows you to access Log File Management where you save, clear and view log files.

There are three levels of risk in this log: Icon Description


Indicates a Low Risk event. Indicates a Medium Risk event. Indicates a High Risk event.

Clicking on the circled X icon just after an event name will take you to online X-Force help about this issue. Antivirus events will be followed by a bug icon which will take you straight to the SOPHOS web page.

Notes

Integrated Security Appliance

3-21

Module 3: General Settings

Alert Event Details


NOTE: The IP addresses have been blocked out for security purposes.
Here is an example of an Alert Event Details page:

Notes

3-22

Integrated Security Appliance

Module 3: General Settings

System Logs
This is a graphical representation of the system log. This is not Mspecific information, but it is useful for application or system issues.

Notes

Integrated Security Appliance

3-23

Module 3: General Settings

Configuration Settings
Slide 45
You will user Configuration settings to configure access to the appliance andpasswords, SMTP and HTTP proxy servers, time settings, SSH, service groups, and SiteProtector management. Once you click the ConfigurationSystem node in the navigation tree, the following subnodes are displayed (remember the appliance is configured in transparent mode. More/differnet subnodes: are available in routing mode and they will be discussed later in the training). Appliance Access Networking

Interfaces Routing

Notification Passwords

STATE: We will now take a look at each of these subnodes.

Services SiteProtector Time

Notes

3-24

Integrated Security Appliance

Module 3: General Settings

Appliance Access
When the appliance is in transparent mode, all interfaces reply to the same management IP address (see Network on page 3-26 for further details. You can use one of the following options to determine which system is allowed to connect to the management interface: Single IP Address Static Address Address Name Dynamic Address Name Address Range Static Address Range Address Range Name Dynamic Address Range Name

Notes

Integrated Security Appliance

3-25

Module 3: General Settings

Network
NOTE: Go through options on the screen and show them what was entered during installation.
The Network Configuration page houses configuration for the appliance network interface cards. This is the same data that you first entered when you reinstalled the appliance. You can alter that data here.

Network Interfaces
This page is where you can change the settings you configured for the Managment Address when you installed the appliance.

Notes

3-26

Integrated Security Appliance

Module 3: General Settings

Internal Interface Tabs


In Tranparent mode, there i no configuration at interface level. All that is determined is which interfaces are enabled and which are not. eth1 is the external interface.

Spanning Tree Tab


In order to enable High Availability in transparent mode, you will have to enable the Spanning Tree Protocol.

Notes

Integrated Security Appliance

3-27

Module 3: General Settings

Routing
NOTE: Open the Add screen and discuss.
If necessary, static routes may be added through the Routing tab.

Note: The Proventa M appliance will accept a gateway IP addresses

that do not reside on the same network as one of the interfaces.

Notification
You wil use the Event Notification Options page to configure how the appliance sends notification responses for events. There are three tabs within the Notification area: Delivery Setup Event Notification Advanced Parameters

Notes

3-28

Integrated Security Appliance

Module 3: General Settings

Delivery Setup Tab


DEMONSTRATE: Open the default email and discuss.
This page is used to configure how the appliance sends notification responses for events. Email responses send alerts by email to an individual address or email group, and you can define multiple email notifications for these responses and configure the data sent.

EXPLAIN: Leaving the body format blank will send full event details.

Note: Leaving the body format blank will send full event details.

Notes

Integrated Security Appliance

3-29

Module 3: General Settings This table describes icons that may appear on the page: Icon Description
If this icon appears next to a field on this page, then data is required in the field or the data in the field is invalid. If the icon appears next to a policy or a tab on this page, then the policy or tab contains invalid settings or empty fields that require data. If this icon appears at the top of a list, you can select an item in the list and click the icon to move the item toward the top of the list.

If this icon appears at the top of a list, you can select an item in the list and click the icon to move the item toward the bottom of the list.

If this icon appears at the top of a list, you can select an item in the list and click the icon to copy the item to the clipboard.

If this icon appears at the top of a list, you can paste select an item in the list and click the icon to paste the item from the clipboard into a list. Then, you can edit the pasted item.

Notes

3-30

Integrated Security Appliance

Module 3: General Settings

Event Notification Tab


On this page you enable alert logging and message notification options, including email and SNMP traps. This enables you to send specific types of emails to specific people.

STATE: The Alert Logging for System Informative Events option is useful for firmware updates or auto download when youre not auto installing. In this case, it will give you an update that it has been downloaded.

By default the first option is enabled, so you need to make sure to enter an email address.

Notes

Integrated Security Appliance

3-31

Module 3: General Settings

Advanced Parameters Tab


There may be instances in which notification settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

Notes

3-32

Integrated Security Appliance

Module 3: General Settings

Passwords
You will use the ConfigurationSystemPassword page to manage the appliance passwords.

Root: for the command line, it should be used with ISS Tech Support assistance. Admin: terminal account which invokes the reconfiguration process Proventa Mgr User: separate account for logging into the interface Boot Loader: protects the appliance from unauthorized users during the boot process. When you enable the bootloader password, then you must enter the root password to use a boot option other than the default. Note: To change passwords, you must enter both your current and new passwords.

Notes

Integrated Security Appliance

3-33

Module 3: General Settings

Services
Use the Service page to enable and configure the following: SSH SMTP proxy HTTP proxy SNMP response

Note: If SSH is disabled, the only way into the machine is via the serial

cable.

Notes

3-34

Integrated Security Appliance

Module 3: General Settings

SMTP Tab
EXPLAIN: This will be covered in depth in the Antivirus module.
You must configure the SMTP proxy server to use the Antivirus and Antispam modules. This will allow you to scan files for viruses and to prevent the use of your email server in sending SPAM to others.

Item
My Domain

Description
The primary doman where you expect mail to be coming to and going from. This option is used to prevent spam and open relay. Allow users to email other domains and allow inbound email to the internal network and from other top level domains.

Relay IPs

Notes

Integrated Security Appliance

3-35

Module 3: General Settings

HTTP Proxy Tab


EXPLAIN: Use this tab only for updates.
If your network uses an HTTP proxy to get to the Internet, you must configure the proxy settings on your appliance to use Web Filters and configure updates.

SNMP Tab
The SNMP tab allows you to configure SNMP to poll the device for information and specify the SNMP server where traps are processed. You can configure two SNMP responses: SNMP Get SNMP Traps

Notes

3-36

Integrated Security Appliance

Module 3: General Settings


Note: After you configure the SNMP response, you must enable the

SNMP notification option.

Advanced Parameters Tab


There may be instances in which Service Configuration settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

Notes

Integrated Security Appliance

3-37

Module 3: General Settings

SiteProtector
EXPLAIN: This will be covered in depth in an upcoming module.
You will use the SiteProtector Management page to do the following: Register your appliance with a SiteProtector desktop controller Manage most appliance functions in SiteProtector Add multiple Agent Managers

EXPLAIN: The appliance will try to heartbeat into the agent managers in the order in which they are listed.

Note: The appliance will try to heartbeat into the agent managers in the order in which they are listed.

Notes

3-38

Integrated Security Appliance

Module 3: General Settings

Time
Use the Time Settings page to configure the date, time, and time zone. In addition, use this page to enable and configure Network Time Protocol (NTP).

Notes

Integrated Security Appliance

3-39

Module 3: General Settings

Maintenance Settings
Slide 46
You will user Maintenance settings to configure backup and recovery settings, manager the Filter Database, Licensing and the updates Settings. Once you click the Maintenance node in the navigation tree, the following subnodes are displayed. Backup and Recovery (see page 3-45)

STATE: We will now take a look at the tabs we have not seen yet.

Filter DB Licensing Tools Updates


Alerts Automated Settings Automated Downloads Automated Installs Status

Notes

3-40

Integrated Security Appliance

Module 3: General Settings

Filter DB
EXPLAIN: This will be covered in depth in an upcoming module.
Use the Web Filter and Antispam Database page to: View database status Download or overwrite the database Use advanced tuning parameters

When the Integrated security appliance has been re-initialized without a database, the system wont have any information to show and will not allow any of the filtering tasks to be enabled before downloading or uploading a filter database.

Notes

Integrated Security Appliance

3-41

Module 3: General Settings Once a valid database is locally available, the page will show its version:

Advanced Parameters Tab


There may be instances in which the Filter DB Configuration settings need to be tuned. For example, it may be relevant to limit the bandwidth available for updates. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

Notes

3-42

Integrated Security Appliance

Module 3: General Settings

Tools
You can use the options on the System Tools page to do the following: Reboot or shut down the appliance

NOTE: The features on this page are available only in Proventa Manager; you cannot perform these tasks from the SiteProtector interface.

Use the traceroute utility to provide a list of all the routers along the path to a computer or destination Ping a computer on your network to determine whether it is reachable

Note: more tools are available in routing mode.

Traceroute Protocols
You can use two types of protocols for the traceroute utility: UDP (UNIX "traceroute" command) ICMP (Windows "tracert" command) When you select a UDP traceroute protocol, the appliance sends a UDP packet to a random port on the target host. The TTL (Time to Live) field and the destination port field are incremented for each "ICMP Port Unreachable" message that is returned, or 30 hops are reached.

Notes

Integrated Security Appliance

3-43

Module 3: General Settings When you select an ICMP traceroute protocol, the TTL (Time to Live) field and the destination port field are incremented for each "ICMP Echo Request" message that is returned, or 30 hops are reached..

Notes

3-44

Integrated Security Appliance

Module 3: General Settings

Backup & Recovery


There are two components to backup and recovery of your appliance: Snapshots System/Full Backups

Snapshots
A snapshot is a file that stores your appliances configuration settings. You can use the file to restore the appliances settings or to configure the settings on another appliance.

Note: FactoryDefault.settings is the default snapshot file and includes

the original appliance settings.

Notes

Integrated Security Appliance

3-45

Module 3: General Settings

System/Full Backup
Backups store the operating system and configuration of the appliance. When you restore from a system backup, you restore the appliance to a previous state.

EXPLAIN: You should create a full system backup before you apply firmware updates and when you need to save your configuration.

You should create a full system backup before you apply firmware updates and when you need to save your configuration.

The following restrictions apply when creating backups:

INSTRUCTOR: Talk about restrictions.

You can have only one system backup. Creating a system backup overwrites the previous backup. Creating a system backup takes the appliance offline and disrupts connectivity for several minutes. If you configure the appliance and then click Restore from Backup before you create a system backup, the appliance is restored from the default system backup. This default backup does not contain your system configuration. You cannot log into the Proventa Manager interface until you reconfigure the appliance using the Proventa Setup utility (the command line interface).

Notes

3-46

Integrated Security Appliance

Module 3: General Settings In addition to creating a system backup before applying a firmware update, ISS recommends that you download snapshot files to a local computer. After you restore the system from backup, be sure that you close all browser windows and clear the Java cache before you log back into the Proventa Manager. If you do not , the Proventa Manager may behave unpredictably after the system restore is completed.

Notes

Integrated Security Appliance

3-47

Module 3: General Settings

Support
Clicking on the Support node in the navigation tree displays self-help information such as the ISS Knowledgbase and product documentation.

Notes

3-48

Integrated Security Appliance

Module 3: General Settings

Support Contacts
Clicking on the Support Contacts subnode displays the following ISS support information:

Notes

Integrated Security Appliance

3-49

Module 3: General Settings

System Support File


In almost all cases in which you will contact support, you will be asked to deliver a provinfo of your appliance. By clicking on the System Support File subnode you will be offered the interface which will allow you to create such file.

This page allows you to create, delete, or download data files that capture appliance information.
Note: Support data files have a .tgz file extension.

Notes

3-50

Integrated Security Appliance

Module 3: General Settings

Labs: Configuring and Enabling Event Notifications


Slide 47

Introduction
Complete the following exercises to: Configure an email response Disable Email System Warning Notification

Exercise 7

Configuring an Email Response


You will now configure the email notification response for events.
Note: To send email notification to a group, create an email distribution

list on your corporate server. To add an email response Partner 1:


1. Select the following nodes: ConfigurationSystemNotification. 2. On the Delivery Setup tab, in the Email Configuration section,

click Add.
3. The Add Email Configuration window appears. Type Email Note

in the Name field.


4. Type your mail server address, <LAN>.X0, in the SMTP Host field. Note: The SMTP Host must be accessible to the appliance to send

email notifications.
5. In the To field, enter sp_partner1. 6. Click the Subject Format arrow to see a list of message subject

fields, and then leave the default.


7. Click the Body Format arrow to see a list of message body fields,

and then select one or more body fields.


Note: You can customize the Subject Format and Body Format by

typing your own text and embedding fields from lists.


Note: If you leave the Body Format blank, the email response

includes all available fields.

Notes

Integrated Security Appliance

3-51

Module 3: General Settings


8. Click OK. 9. Click Save Changes. Note: After you configure the email response, you must enable the

email notification option for the response to function.

Exercise 8

Disabling Email System Warning Notification


To disable your email system warning notification:
1. Select the Event Notification tab. 2. In the System Warning Notification Delivery area, uncheck the

Email Enabled option.


3. Click Save Changes.

Notes

3-52

Integrated Security Appliance

Module 3: General Settings

Module Review
Slide 48
You should now be able to:

Install a license key. Install firmware and security updates. Describe information on the Home page. Get the status of Proventa components on your system. Describe information in the System node and subnodes. Locate ISS contact and support information. Set up your basic configuration.
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

3-53

Module 3: General Settings

Notes

3-54

Integrated Security Appliance

45 minutes

Transparent Mode

Module 4

About this Module


Slide 49

Purpose of this Module


The purpose of this module is to familiarize you with Proventa Ms trasnparent mode functionality.

Slide 50

Module Objectives
When you complete this module, you will be able to: Describe Transparent Mode functionality. Explain how to configure Local Routers. Describe the use of Spanning Tree Protocol to set up a Failover Configuration.

Notes

Integrated Security Appliance

4-1

Module 4: Transparent Mode

Transparent Mode
Slide 51

Introduction
When your appliance is in Transparent Mode, it acts as a bridge device and filters packets that traverse the firewall, without modifying any of the source or destination information in the IP packet header. The IP addresses of all interfaces are set at 0. 0.0. 0, which makes the presence of the appliance invisible to the network. When you power on an appliance in transparent mode, required access policies to allow traffic through the appliance are enabled by default.

Slide 52

When to use Transparent Mode


You will use transparent mode when: You already have a router infrastructure in place. You want to protect servers receiving traffic from untrusted sources. You want to place the appliance in your network with a minimum of routing configuration or network changes such as subnetting.

Slide 53

Features not Available in Transparent Mode


The following features are not available in Proventa Manager when the appliance is in Transparent Mode: VPN NAT DHCP Server & DHCP Relay OSPF Certificates High Availability

Notes

4-2

Integrated Security Appliance

Module 4: Transparent Mode

Slide 54

A Note About Transparent Mode and VPN Although the appliance does not function as a VPN appliance, in transparent mode, VPN traffic can still travel through the appliance to another VPN transportation point. If you want to see alerts about VPN traffic, you can configure alert notification for these events on the Firewall/VPN Event Notification tab.

Notes

Integrated Security Appliance

4-3

Module 4: Transparent Mode

Slide 55

Transparent Mode Deployment


The example below shows a logical diagram of a transparent network deployment where the IP addresses of all physical interfaces on the Proventa appliance are set to 0.0.0.0/0.

The management IP, configured during your appliance setup, should reside within the same IP range as your external gateway IP address. The management IP is restricted, by default, to hosts on the same subnet. Hosts on different IP subnets that need to manage the Proventa appliance require appropriate static routes and access rules. In this example, the management address (10.10.10.2) is a virtual IP, configured during your appliance setup. The internal and external interfaces do not apply in transparent mode and do not need IPs. The management address IP should reside within the same IP range as your external gateway. The management IP is restricted, by default, to hosts on the same subnet. Hosts on different IP subnets that need to manage the Proventa appliance, require appropriate static routes and access rules.

Notes

4-4

Integrated Security Appliance

Module 4: Transparent Mode

Configuring Local Routers


Slide 56

Introduction
The Local Routers tab only appears when you are in transparent mode, and you will need to configure the IP addresses of routers that reside in the same network segment as your appliance. The appliance uses this information to resolve destination MAC addresses that it does not find in its internal forwarding database. When the appliance receives a packet, it checks the IP address of the packet against the IP addresses and destination MAC addresses in its internal forwarding database. The appliance sends an ARP message to: Each local router IP address The destination IP address of the packet that has no destination MAC address When each local router responds with its ARP information, the appliance can resolve the packet's IP address with the destination MAC address.

Adding a Local Router Entry to the Local Router Table


To add a local router to the Local Router table:
1. Do one of the following:

In the Proventa Manager, select the following nodes: ConfigurationFirewall, or In the SiteProtector interface navigation pane, select the Firewall/VPN node, and then select Settings.

2. Select the Local Routers tab. 3. Click Add. The Add Local Routers window appears. 4. Type a name for the router in the Name box. 5. Type the IP address for the router in the Router IP Address field.

Notes

Integrated Security Appliance

4-5

Module 4: Transparent Mode


6. Type a descriptive comment for the router in the Comment field. 7. Click OK. 8. Do one of the following:

In the Proventa Manager interface, click Save Changes. In the SiteProtector interface, click OK.

Notes

4-6

Integrated Security Appliance

Module 4: Transparent Mode

Transparent Mode Failover Protection Using STP


Slide 57

Introduction
When you appliance is in transparent mode, you can not use the high availability functionality. You can, however, use Spanning Tree Protocol (STP), a link management protocol that is part of the IEEE 802.1 standard for media access control bridges, to configure your appliance for failover to a second appliance.

Slide 58

Why Use Spanning Tree Protocol?


Using the spanning tree algorithm, STP provides path redundancy while preventing undesirable loops in a network that are created by multiple active paths between devices. Loops occur when there are alternate routes between hosts. To establish path redundancy, STP creates a tree that spans all of the switches in an extended network, forcing redundant paths into a standby, or blocked, state.

Slide 59

STP allows only one active path at a time between any two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail. If STP costs change, or if one network segment in the STP becomes unreachable, the spanning tree algorithm reconfigures the spanning tree topology and reestablishes the link by activating the standby path. Without spanning tree in place, it is possible that both connections may be simultaneously live, which could result in an endless loop of traffic on the LAN.

Notes

Integrated Security Appliance

4-7

Module 4: Transparent Mode

Slide 60

STP Illustration
Here is a diagram illustrating the physical connectivity for two appliances in transparent mode failover configuration:

Hub/Switch 1 connects M1(eth0) and M2(eth0) Hub/Switch 2 connects M1(eth1) and M2(eth1

Notes

4-8

Integrated Security Appliance

Module 4: Transparent Mode

Slide 61

Bridge IDs
STP requires that: Each bridge is assigned an unique identifier, typically the bridge's MAC address plus a priority value On each bridge, each port is also assigned a unique identifier on the bridge, typically the port's MAC address Each bridge port is associated with a path cost that represents the cost of transmitting a packet to the LAN on that port

Slide 62

Failover Process - Determining the Primary Bridge


If all other STP parameters are equal, the bridge ID is the determining factor for which appliance is the root, or primary, bridge. The bridge ID is determined by the lowest MAC address, so the appliance with the lowest MAC address becomes the root bridge. When both appliances are present, the one with the lowest MAC address will always be the root bridge. If you remove an appliance, in 20 seconds the other appliance becomes the root bridge. If you reinstall the appliance, it becomes the root bridge in another 20 seconds.
Note: You cannot configure the priority value on a Proventa appliance to force STP to select the appliance as the root bridge irrespective of the appliance MAC address.

Notes

Integrated Security Appliance

4-9

Module 4: Transparent Mode

The STP Process


The following table describes the STP process: Stage
1

Description
Select a root bridge. The bridge with the lowest assigned priority value becomes the root bridge. This is the only bridge on all the connected LANs that performs the root bridge function. Select a root port. Each bridge identifies a root port that it uses to connect to the root bridge. The root port has the lowest assigned path cost. Select a designated bridge for each LAN. The designated bridge has the path with the lowest cost value to the root bridge, and forwards packets from that LAN to the root bridge. Select a designated port for each bridge. This is the port that each bridge on the LAN uses to connect to the designated bridge.

STP Tasks
You will perform the following tasks to configure failover protection for two appliances in Transparent Mode: Task
1 2

Description
Make sure that both appliances are connected to a managed switch that has Spanning Tree Protocol (STP 802.1D) enabled Install the first appliance using one cable to connect only a single interface (not more than one). Use Proventa Setup Assistant to configure the appliance for Transparent Mode. Important: Assign a unique IP address for management purposes. Install the other appliance using one cable to connect only a single interface (not more than one), using a unique IP address for management purposes. On the first appliance, go to the Spanning Tree Tab and select the Spanning Tree Protocol Enabled checkbox. Accept all other default settings on this tab, and then click Save.

Notes

4-10

Integrated Security Appliance

Module 4: Transparent Mode Task


5

Description
On the other appliance, go to the Spanning Tree Tab and select the Spanning Tree Protocol Enabled checkbox. Accept all other default settings on this tab, and then click Save.

Tip: Open two Web browsers so that you can easily access both

appliances during the initial configuration process.

Failover Protection Status


You can view information about the bridge configuration on the Firewall/VPN Protection Status page.

Notes

Integrated Security Appliance

4-11

Module 4: Transparent Mode

Configuring Spanning Tree Protocol Settings


To configure Spanning Tree Protocol settings:
1. Do one of the following:

In the Proventa Manager interface navigation pane, click + to expand the System node, select the Networking node, and then select the Spanning Tree tab. In the SiteProtector interface navigation pane, select the Spanning Tree tab: Networking node, and then select the Spanning Tree tab.

Note: You must first select Transparent from the Mode list for this

tab to appear.
2. Select the Spanning Tree Protocol Enabled checkbox. 3. In the Maximum Age (secs) field, use the up and down arrows to

specify the maximum number of seconds that the appliance waits before it discards protocol information received on a port.
4. In the Hello Time (secs) field, use the up and down arrows to specify

the maximum number of seconds that the appliance waits between sending STP hello broadcast messages.
5. In the Forward Delay (secs) field, use the up and down arrows to

specify the number of seconds that the appliance waits before forwarding packets.
6. In the Aging Delay (secs) field, use the up and down arrows to

specify the maximum number of seconds that the appliance waits before aging out dynamically learned forwarding information.
7. Do one of the following:

In the Proventa Manager interface, click Save Changes. In the SiteProtector interface, click OK.

Notes

4-12

Integrated Security Appliance

Module 4: Transparent Mode

Slide 63

Considerations When Deciding to Use Spanning Tree Protocol


It is important to consider the following: ISS recommends that you enable Spanning Tree Protocol on your appliance only if the appliance is redundantly connected to another Proventa appliance in a transparent mode failover protection configuration. You must configure both appliances in the failover configuration identically. To utilize the STP failover capability of the appliance in transparent mode, you must connect your appliance to a managed switch or bridge that has IEEE 802.1d STP enabled, but ISS may not be able to help you troubleshoot problems with this configuration. While ISS recommends that you enable Spanning Tree Protocol on your appliance only if the appliance is redundantly connected to another appliance in a Transparent Mode failover protection configuration, you may also use a true hub for connecting the M ports.

Slide 64

If you enable STP on a Proventa appliance that is connected to other managed devices, STP topology changes could cause network traffic to bypass the appliance. If the network traffic bypasses the appliance, then the traffic bypasses appliance security functionality. Non-STP devices do not monitor the STP heartbeats and are not aware of a topology change, so you must enable STP on the managed device for the failover to occur. Non-STP switches will continue to relate MAC addresses to the original switch ports. If using Spanning Tree Protocol to enable HA for transparent mode appliances, SiteProtector sees the appliances by their management IPs as two different non-related systems. You should make sure however, that both appliances have identical configurations and policies.

Notes

Integrated Security Appliance

4-13

Module 4: Transparent Mode

Module Review
Slide 65
You should now be able to:

Describe Transparent Mode functionality. Explain how to configure Local Routers. Describe the use of Spanning Tree Protocol to set up a Failover
Configuration.

Review Objectives Ask: For additional questions

Take this opportunity to ask questions about the information we have discussed.

Notes

4-14

Integrated Security Appliance

45 minutes

Intrusion Prevention

Module 5

About this Module


Slide 66

Purpose of this Module


The purpose of this module is to describe configuration and use of intrusion protection within the Proventa Manager.

Slide 67

Module Objectives
When you complete this module, you will be able to: Discuss components of the Proventa M intrusion prevention module. Detect and block an attack. View events.

Notes

Integrated Security Appliance

5-1

Module 5: Intrusion Prevention

Intrusion Prevention and Proventa M


Slide 68

Why a Firewall is not Enough


Whether it is performing access control via packet filtering, stateful inspection, or application layer control, your standard firewall makes its access control decisions based on the source and destination IP addresses and either the destination port or protocol being used. Your standard firewall is incapable of differentiating valid traffic from malicious traffic. If you have port 80 opened up through your firewall to your public web server, your standard firewall cannot prevent malicious attacks destined for port 80.

Slide 69

The Intrusion Prevention Solution


The key protection mechanism in the Proventa M is the Intrusion Prevention module. This encompasses the prevention module, the leading intrusion prevention technology. This component allows the appliance to be used for Intrusion Detection (forensics, research, and reporting) and full network protection (blocking, dropping and resetting). The Proventa M inspects all packets traveling through the appliance for application data, matching known attacks. This allows it to perform access control based on valid or malicious uses of protocols. For example, the Proventa M can distinguish between the valid GET / Index.html and a harmful buffer overflow attack, allowing the GET request through, but blocking the attack. By default, the Proventa M reports every attack that it sees, and for many attacks that have severe consequences, it responds automatically.

Notes

5-2

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 70

Proventa M Intrusion Prevention consists of two components, the Protocol Analysis Module and the Quarantined Rules Table. Here is a brief description of both: Protocol Analysis Module (PAM) The core of the intrusion prevention module, PAM is capable of analyzing and reporting more than 1500 network events. Currently, over 600 of these events have a dynamic blocking response enabled.

STATE: Proventas Intrusion Prevention consists of two modules: PAM and Quarantine Rules table. Here is a brief description of both. EXPLAIN: Signatures are based on vulnerabilities, not exploits. We are stopping them before the exploit is released.

Quarantine Rules Table (QRT) Populated by PAM/IPM as a response to events, this table consists of dynamically created quarantine rules. These rules specify the packets to block and the length of time to block them.

Notes

Integrated Security Appliance

5-3

Module 5: Intrusion Prevention

The Protocol Analysis Module


Slide 71

What is Protocol Analysis?


Protocol analysis is the use of software and/or hardware to decode, interpret, and react to the contents of data packets as they travel through the Proventa M appliance. The protocol analysis process uses both the known structure of protocols and intelligent parsing technology to detect attacks.

EXPLAIN: PAM looks for inconsistencies in behavior. Signatures look for specific behavior - PAM evaluates behavior, & compares it against known standards or expected behavior. Slide 72

Structural analysis of packets is the first step in protocol analysis. By analyzing individual IP header fields relative to known field structure, bit definitions, and RFC compliance guidelines, it is possible to identify anomalous packets. The next step is to apply intelligent parsing technology. Protocol analysis provides fast and efficient processing by minimizing the number of calculations required to identify an attack. It is also highly accurate because it can determine what a packet actually is and how it behaves on the network, as opposed to what it appears to be.

Proventa M and Protocol Analysis


Proventa uses the protocol analysis module (PAM) to interpret network activity and detect attacks at all layers of the protocol stack. The PAM is based on stateful application layer protocol decodes and represents the complete integration of RealSecure technology and the BlackICE Sentry products. PAM signatures are based on protocol analysis because it provides better accuracy, fewer false positives, and higher performance levels.

Notes

5-4

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 73

The PAM logic uses these deep packet analysis techniques in a variety of orders and combinations. It performs full seven-layer, state-based decoding and analysis of over 100 Internet protocols. The specific elements within this broader category are: Stateful packet inspection Protocol anomaly detection

STATE: The PAM logic uses these deep packet analysis techniques in a variety of orders and combinations. It performs full sevenlayer, state-based decoding and analysis of over 100 internet protocols.Outbound hybrid threat detection

Port Variability (port-independent protocol decoding) Application-layer Pre-processing Heuristics Context Field Analysis IP Defragmentation TCP Reassembly Vulnerability Signatures Exploit Signatures Pattern-matching Signatures Host Response Analysis Pre-emptive Behavioral Analysis IPv6 Native Traffic Analysis IPv6 Tunnel Analysis SIT Tunnel Analysis Reconnaissance (port probe detection) Custom Signatures

Notes

Integrated Security Appliance

5-5

Module 5: Intrusion Prevention

Slide 74

Benefits of PAM
The benefits of using the PAM include: Protocols are decoded and interpreted making the Proventa practically immune to evasion techniques, such as:

Polymorphic shellcode Unicode URL encoding SNMP floods SNMP OID translation RPC record marking FTP, Telnet option code insertion Evasion tools such as ADMutate, stick, snot, whisker, and fragroute

Verify protocol compliance by checking protocol fields for illegal or suspicious values, such as sequence number gaps or overlap, and checksum and CRC modification. Minimize false positives The speed and accuracy that Proventa M achieves by utilizing the PAM cannot be matched by systems which rely on simpler analysis techniques, pure anomaly detection, or pattern matching alone.

Notes

5-6

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 75

Examples of Protocols Included in the PAM


ISS updates the PAM with additional protocols to keep pace with the evolving threat spectrum. Some of the protocols included in the PAM are listed in the following table. Examples of Protocols 802.1q 802.5 backorifice cmsd fddi h245 icmpv6 ipv6 lpr ms_ messenger nis pop3 quake rlogin smb socks subseven tcp tooltalk xfs ypupdated 802.2 ah bgp dcom finger hsrp ident irc mime msrpc nntp portmapper radius rsh smtp ssh sunadmind tds udp xml 802.3 aolim bo2k dhcp fsp http igmp java mms napster ospf pppoe rexec rtsp snmp ssl sunrpc telnet url yahoo_ messenger 802.3u arp bootp dns ftp icecap imap4 lanman mountd netbios 802.3z automount bootparam email gnutella icmp ip ldap mpls nfs

pcanywhere pcnfsd pptp rfb selnsvc snmpxdmid ssrp syslog tftp virus ypbind q931 rip sgifam sntp statd talk tns xdmcp yppasswdd

Notes

Integrated Security Appliance

5-7

Module 5: Intrusion Prevention

Slide 76

Quarantine Rules Table


The Quarantine Rules Table ( QRT) is a very significant feature in the Proventa M, as it performs high-impact, low-cost protection. Dynamic blocks are automatically generated based on attack, attacker and victim. These dynamic mechanisms occur for a period of time (to block a repeated stateful attack) or allow a percentage of traffic through (to prevent against a mindless flood attack).

EXPLAIN: Dynamic blocking response and protection response are the same thing. Both are referred to in the appliance interface. Slide 77

Although PAM can flag well over 1,000 known attacks, dynamic blocking is limited to a subset of attacks that may be persistent and reccuring. This set of attacks will grow over time. When a packet matches a PAM signature which has dynamic blocking enabled, the Proventa M responds in one of several ways. The response taken is based on many variables such as the protocol involved, the direction of the traffic, the state of the connection, etc. Here are two of the possible responses:
Response Blockconnection Definition IPM will drop the packet and tear down the connection by sending resets to both sides, preventing retransmission of the dropped packet. No quarantine table (QRT) rule is added. IPM will drop the packet, stopping the attack at the Proventa M. No QRT rule is added.

Drop-packet

EXPLAIN: There is a time limit to mitigate attacks.

Since quarantine rules are automatically created, the only user interaction is to remove them. All QRT issues expire automatically after one hour by default, but this can be customized in the Advanced Parameters section of IPM settings.

Notes

5-8

Integrated Security Appliance

Module 5: Intrusion Prevention

Intrusion Prevention Configuration


Intrusion prevention settings monitor network traffic and block attacks. You can protect local applications and servers or protect client computers on a router or firewall. The settings seldom change. However, you may occasionally need to perform maintenance tasks to keep the appliance properly configured.

Slide 78

Intrusion Prevention Status Information


The status screen StatusIntrusion PreventionStatus provides a high level list of network traffic and attacks. A more detailed summary with event information is located in the Alerts section.

Notes

Integrated Security Appliance

5-9

Module 5: Intrusion Prevention

Settings
You will use the ConfigurationIntrusion PreventionIntrusion Prevention Settings page to make changes to your intrusion prevention configuration.

Slide 79

Protection Settings Tab


You will use this tab to make changes to your intrusion prevention settings.

EXPLAIN: Module enabled by default to prevent log flooding. Consolidated events will appear with a count in the event details. EXPLAIN: If your X-Force Protection Responses box is unchecked, you will have detection but not prevention. EXPLAIN: The IPM module is enabled by default to prevent log flooding (someone sending a ton of attacks and filling your logs) Consolidated events will appear with a count in the event details.

To configure the appliance to enable protection responses as specified by the X-Force, you will enable the X-Force Protection Responses, featuring Virtual Patch Technology checkbox. If this box is left unchecked, you will have detection but not prevention.

The intrusion prevention options you can enable are as follows:


Response X-Force Protection Responses Enabled Definition This allows the Proventa M to block traffic where we have configured block responses.

Notes

5-10

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 80

Event Notification Tab


This tab allows you to configure delivery notification for attack and audit events. You can: Enable alert logging options, including email and SNMP traps. Disable alert logging for blocked and non-blocked events. Configure alert logging for general events. Configure message notification for general events.

Notes

Integrated Security Appliance

5-11

Module 5: Intrusion Prevention General Intrusion Prevention Notifications The following table defines the options in the Alert Logging for General Events section of this page:
Option Quarantine Rule Added Quarantine Rule Removed Quarantine Rule Expired Packet Dropped Definition Rule added to the Quarantine Rules Table (QRT) Rule was removed from the DBT by the administrator Rule expired in the DBT and has been removed Notification that IPM has dropped a packet This is not an error. Common causes include: Invalid Checksum Packet not part of an existing connection

Notes

5-12

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 81

Event Filters Tab


Event filters are a quick method for blocking or passing traffic from trusted hosts to trusted hosts, or using a specific protocol or attack. The intrusion prevention module allows the following:

DEMONSTRATE: Adding a filter. EXPLAIN: You can only set these after you have some traffic flowing through the system. If you keep getting a false positive on a certain IP address, you can use Event Filters to make an exception.

Filtering of false alarms and false positives without disabling the event entirely Advanced filtering by IP address, ICMP type, protocol number, or port Reverse filters - ignore all traffic except for this

Note: You can use the not for your reverse filters.

Notes

Integrated Security Appliance

5-13

Module 5: Intrusion Prevention This graphic shows an event filter for an HTTP GET.

Slide 82

Advanced Parameters Tab


Advanced Parameters are used to build new rules or modify existing ones. They can also be used to perform blocks on signatures without responses. Advanced Parameters allow you to: Modify Responses Enable / Disable individual events Tune intrusion prevention for unique situations

Notes

5-14

Integrated Security Appliance

Module 5: Intrusion Prevention You will find PAM information, including a list of PAM tuning parameteres, at the following address: http://www.iss.net/security_center/reference/help/pam?

Slide 83

Issue List
The Intrusion Prevention Issue List provides a comprehensive summary of the attacks and audits the Intrusion Prevention module of your Proventa M software can detect. It is also only found in the Proventa Manager.

DEMONSTRATE: Pull up an issue and point out the Issue ID and the status. Shot of Issue ID is on the next page.

Notes:

The priority, status and response can be modified via the Advanced Parameters or Event Filters, but the category (attack or audit) is hard coded. Attacks and audits can be individually enabled via the main Settings screen. The pam.zip .chm file is found in SiteProtector in the following directory: Help/Attack Signatures/Protocol Analysis Module. This file will give you information about Pam and the Issues list.

Notes

Integrated Security Appliance

5-15

Module 5: Intrusion Prevention

Slide 84

Issue IDs
An issue id is required when using advanced parameters to modify an event, and each intrusion prevention event has its own unique issue id mapped to its event name. This is labeled as algorithm-id when viewing events.

Notes

5-16

Integrated Security Appliance

Module 5: Intrusion Prevention

Slide 85

Quarantined Intrusions and the Rules Table


This table is populated by the intrusion prevention module in response to an event detected with an X-Force protection response enabled. You will only find it in the Proventa Manager under StatusIntrusion PreventionQuarantined Intrusions.

STATE: You will only find Quarantine Rules in the Proventa Manager. EXPLAIN: Rules cannot be added.

A rule can be viewed or removed and will expire after a set period of time (Default is 3600 seconds).
Note: Rules cannot be added.

Notes

Integrated Security Appliance

5-17

Module 5: Intrusion Prevention The following table lists the fields available in the quarantine rules table:
Field Source IP Source Port Dest IP Dest Port ICMP Type ICMP Code Protocol Expiration Time Block Percentage Description Indicates the source IP address of packets to block. Indicates the source port number of packets (if protocol is 6 or 17) to block. Indicates the destination IP address of packets to block. Indicates the destination port number of packets (if protocol is 6 or 17) to block. Indicates the ICMP type number of packets (if protocol is 1) to block. Indicates the ICMP code number of packets (if protocol is 1) to block. Indicates the IP protocol of the rule (ICMP=1, TCP=6, UDP=17). Indicates the expiration time of the rule. Indicates the percentage of packets that will be dropped (values less than 100% can be used to lessen the impact of some denial-of-service attacks).

Note: An asterisk * in a field means that the rule is ignoring that aspect.

Notes

5-18

Integrated Security Appliance

Module 5: Intrusion Prevention

Labs: Working with Attacks


Slide 86

Introduction
Complete the following exercises to: Enable Intrusion Prevention Module Detect an Attack Block an Attack Clearing Quarantined Hosts

Exercise 9

Enabling the Intrusion Prevention Module


Partner 2
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationIntrusion

PreventionIntrusion Prevention Settings.

3. In the right pane, on the Protection Settings tab, ensure that the

Intrusion Prevention Module Enabled option is selected.


4. Ensure that the Attack Detection Enabled and the X-Force

Protection Response Enabled options are selected.

Exercise 10

Detecting an Attack
Both partners
1. Copy the follwing files in the c:\inetpub\wwwroot directory:

default.htm logo_splash.gif EducationSvcsReversed.gif

You can modify the default.htm as you like; it will make it easier to understand which web server you are accessing.

Notes

Integrated Security Appliance

5-19

Module 5: Intrusion Prevention Now can try to access partners web site:
1. Make sure that your partner has completed the previous exercises. 2. Open a new web browser window. 3. Enter http://<your partners web server>. 4. Press ENTER.

A page will appear that says Welcome to our Website, indicating that you have accessed your partners site.
5. Close this browser window.

Partner 1 From the internal network, you will now attack your external machine with an HTTP_DotDot directory traversal attack.
1. Launch a new browser window. 2. Enter http://<Partner 2 web server IP address>/ to

make sure you can reach it.


3. Enter http://<Partner 2 web server IP address>/../

../../../../../etc/init.d/httpd You get an error from the web server.

Exercise 11

Blocking an Attack
Partner 2
1. Navigate to your Proventa Manager. 2. In the navigation pane, select the StatusIntrusion

PreventionAlerts node.

The Alert page is displayed, and you should see an HTTP_DotDot alert. Click on the Alert link.

INSTRUCTOR Make sure the students know where to look for.

3. Review this alert and the response that IPM took to the alert. Notice

that it did not take any block response and it is reporting the attack.

Notes

5-20

Integrated Security Appliance

Module 5: Intrusion Prevention Look up the issue id for the dotdot attack and record it: _______2000603___________________
4. Close the Alert window. 5. Go to the ConfigurationIntrusion PreventionIntrusion

Prevention Settings. node.


6. In the right pane, select the Advanced Parameters tab. 7. Click Add. 8. Enter the name of your new advanced parameter:

ipm.issue.response.<http_dotdot_issue_id#>.
9. Set the type of value to string, and set it's value to block-worm. 10. Click OK. 11. Click Save Changes to update.

POINT OUT Close the browser or empty the cache for the exercise to work.

12. Partner 1 repeat the steps outlined in the Exercise Detecting an

Attack on page 5-19. This time you will not get an error from the web server.
13. Partner 2 Repeat step 2 and notice that this time the attack has been

blocked.
14. In the navigation pane, select the following nodes:

StatusIntrusion PreventionQuarantined Intrusions.


15. Youll find 2 dynamically generated rules in response to the attack.

Exercise 12

Clearing Quarantined Hosts


1. Still in the Proventa Manager, select the following nodes: Intrusion

PreventionQuarantined Intrusions.
2. Select each rule and click Remove. 3. Click Save Changes.

Notes

Integrated Security Appliance

5-21

Module 5: Intrusion Prevention

Module Review
Slide 87
You should now be able to:

Discuss components of the Proventa M intrusion prevention


module.

Detect and block an attack. View events.


Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

5-22

Integrated Security Appliance

30 minutes

Antivirus

Module 6

About this Module


Slide 88

Purpose of this Module


The purpose of this module is to describe how to configure antivirus settings used by the Proventa Manager.

Slide 89

Module Objectives
When you complete this module, you will be able to: Discuss the basics of Antivirus signature-based technology. Describe Proventa Ms Virus Prevention System (VPS) functionality. Configure the Antivirus portion of the Proventa M. Use a test virus to view virus blocking within the Proventa M.

Notes

Proventia Integrated Security Appliance (M Series)

6-1

Module 6: Antivirus

An Antivirus Overview
Slide 90

What Is A Computer Virus?


Computer viruses are parasitic programs which are designed to alter the way your computer operates without your permission. They incorporate themselves within, or "infect," executable program files. Since it is possible to put strings of program macros in certain kinds of data files (like Microsoft Word documents), these files can also be infected with viruses. Other types of viruses attach themselves to boot records, which contain information your computer needs to start. Viruses can infect other files and pass to other computers without a users knowledge. Eventually, the program decides to release the damaging part, called the payload, a destructive sequence activated on a certain trigger. The trigger may be the arrival of a particular date or an action by the user. The effect of this payload can be anything as benign as a harmless message appearing on screen to as malicious as the destruction of all files on the disk drive, making it completely unusable and in most cases completely irrepairable.

Notes

6-2

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Slide 91

Types of Malicious Code


There are many types of malicious code. Some examples are as follows: Trojan Horse - A program designed to deliver malicious code. This is not a virus, but simply a program (often harmful) that pretends to be something else. It differs from a virus in that it doesn't usually reproduce. Worm - A program that spreads automatically over network connections. Unlike a virus, it does not attach itself to a host program and is not normally associated with personal computer systems. Macro Virus - A small macro (usually MS Word or Excel) written to annoy you and possibly damage your documents and hard disk data. These viruses are cross platform (the same macro can run on Mac or PC) and are most easily passed via an infected document attached to an email.

Notes

Proventia Integrated Security Appliance (M Series)

6-3

Module 6: Antivirus

Proventa Ms Antivirus Component


Slide 92

Introduction
A virus is a program like any other, and it is made up of binary code. The precise order of that code will be unique and can be used to identify a virus. This is called the virus' signature. Each virus has a different signature. Antivirus programs reference a database of all the different replicating viral signatures that are already out there, and then compare them to the signatures of incoming files to see if anything suspect is lurking on your doorstep.

Slide 93

Types of AV Technology
The are many different types of antivirus technology: Integrity Checkers Sandboxes/Behavior Blockers Heuristics Signature Scanners

Slide 94

Proventa Ms Antivirus Technology


The M Series antivirus software uses two engines to protect your appliance:

EXPLAIN: Its important to use these engines together.

The Signature Engine that uses virus definitions, or signatures, to detect viruses The new ISS VPS Engine, which uses behavioral analysis to identify new and unknown viruses and worms that do not yet have virus signature updates

Notes

6-4

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Slide 95

The Signature Engine


A signature scanner compares code to virus signatures and creates a digital fingerprint for known MalCode. It then stores this information in a database and draws on this data to protect your network. The Proventa Ms signature engine uses signatures to identify viruses on your network. Once identified, the virus signatures are updated in the database each time you download and install security content to your appliance.
Note: As mentioned earlier, the WildList Organization International

(http://www.wildlist.org) is a great source of information about which viruses are spreading in the wild.

Slide 96

Signature Scanner Pros and Cons


Pros:

Easy to implement Proven, reliable detection of known attacks Little to no false positives Does not find new or modified viruses Perpetual signature update process - performing auto download and auto install will combat this con Exposed to a virus while waiting for signature update and distribution

NOTE: Proventa M is a signature scanner.

Cons:

Notes

Proventia Integrated Security Appliance (M Series)

6-5

Module 6: Antivirus

Slide 97

Virus Prevention System (VPS)


While a signature scanner works to address known viruses, VPS can help prevent infections from both known and unknown worms and viruses.

Slide 98

VPS complements traditional antivirus software by: Using behavioral analysis to detect and block any malicious code coming into your network. Preemtively detecting and preventing entire famillies of malicious code, based on what they do. Gathering a complete picture of the entire code execution before making a diagnosis, so there is a high degree of detection and almost no false positives. Offering zero-day virus prevention.

Notes

6-6

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Slide 99

What Ms AV Components Do
ISS highly recommends that you use both antivirus components for full protection. Together, they do the following: Check all email traffic passing through your network, providing protection against mass mailing viruses and zero-day attacks

STATE: A great site, www.virustotal.com, offers a free service for scanning suspicious files using several antivirus engines. Slide 100

Quarantine infected email and attachments at the gateway, protecting WANs and LANs from viruses before they enter or leave your network. Note: Proventa Ms antivirus functionality does not scan encrypted, password protected or corrupted files (due to SOPHOS).

Protocols Scanned by Proventa M Antivirus


The antivirus component scans the following protocols:
Protocol FTP SMTP HTTP POP3 Port 21 25 80 110

Notes

Proventia Integrated Security Appliance (M Series)

6-7

Module 6: Antivirus

Slide 101

An Example
An email server is setup in the DMZ. A default firewall rule is setup that allows the email server to receive email on port 25. The email goes through the appliance, where the Proventa M SMTP component intercepts the email. The SMTP component then disassembles and scans the email for viruses. If the email is not infected, the appliance routes the email to the destination email server. If the email is infected, then one of the following occurs: If the Quarantine Infected Files option is selected, the portion of the email that is infected is quarantined and the remainder of the file is deleted. If the Quarantine Infected Files option is not selected, the entire file is deleted. In either case, a reject message is returned to the sender and an alert is written to the logs.

Notes

6-8

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Slide 102

The Blocking Page


Here is an example of the antivirus functionality in action. The user has just been notified that the URL he was attempting to access contains a malicious file or virus:

Note: You can not modify the AV block page as it is generated on the fly

from the binaries themselves

Notes

Proventia Integrated Security Appliance (M Series)

6-9

Module 6: Antivirus

Slide 103

Antivirus Deployment
The Proventa M is intended to provide reinforcement or redundancy for your desktop antivirus solution. You should deploy antivirus software on the following: Desktops Servers

Slide 104

A Note About Logs


By default, alerts are written for the first occurrence of an antivirus event. After that, once an hour you will receive a notification with the total number of hits received for that virus during that hour. This setting can be changed using advanced parameters.

Notes

6-10

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Configuring Proventa M Antivirus


Antivirus Status Information
Slide 105
This page displays data for antivirus software status and statistics. Antivirus status items are described in the following table:
Statistic Antivirus Cache Daemon Enabled Antivirus Cache Daemon State Antivirus Quarantine Daemon Enabled Description Status of the antivirus cache daemon. The antivirus cache daemon is enabled when the antivirus software is enabled. Current state of the antivirus cache daemon. The possible statuses for all items involving a "State" are: active, stopped, unknown Status of the antivirus quarantine daemon. The antivirus quarantine daemon runs in the background and periodically deletes files from the quarantine directory. Default setting: enabled. In addition, by default, files are deleted every 30 days. Both default settings can be adjusted with a tuning parameter. Refer to the Appliance User Guide for more information about advanced parameter names and values. Current state of the antivirus quarantine daemon. Whether the antivirus software is monitoring for HTTP-transmitted viruses. Current state of HTTP monitoring. Whether the antivirus software is monitoring for FTP-transmitted viruses. Current state of FTP monitoring. Whether the antivirus software is monitoring for SMTP-transmitted viruses. Current state of SMTP monitoring.

Antivirus Quarantine Daemon State HTTP Enabled HTTP State FTP Enabled FTP State SMTP Enabled SMTP State

Notes

Proventia Integrated Security Appliance (M Series)

6-11

Module 6: Antivirus
Statistic POP3 Enabled POP3 State Description Whether the antivirus software is monitoring for POP3-transmitted viruses. Current state of POP3 monitoring

Antivirus statistics are described in the following table:


Note: If the antivirus software is not enabled, antivirus statistics do not

appear on this page.


Statistic Virus Signatures Poll Time Signature Date Total Blocked FTP Blocked HTTP Blocked SMTP Blocked POP3 Blocked Unknown Blocked Last Detect Total Checked Last Check Description Number of viruses that the current version of antivirus software detects. Date and time that the appliance last polled the ISS Web site for antivirus signature updates. Date and time of the last antivirus signature update. Total number of viruses blocked on all enabled protocols since the antivirus software was last enabled. Number of FTP-transmitted viruses blocked since the antivirus software was last enabled. Number of HTTP-transmitted viruses blocked since the antivirus software was last enabled. Number of SMTP-transmitted viruses blocked since the antivirus software was last enabled. Number of POP3-transmitted viruses blocked since the antivirus software was last enabled. Number of unknown types of viruses blocked since the antivirus software was last enabled. Date and time the last virus was detected. Total number of files checked for viruses since the antivirus software was last enabled. Date and time the last file was checked for viruses.

Notes

6-12

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Settings
There are two main tabs within Antivirus Protection Settings that you will use to configure the antivirus software: Basic Configuration Advanced Parameters

Basic Configuration - General Settings Tab


STATE: By default the Antivirus module is disabled. The module remembers the last known state, so if AV is turned on it will assume that behavior until turned off.
This area allows you to perform the general antivirus set up. On the General Settings tab, you will enable or disable the antivirus components and tell Proventa whether or not to quarantine infected files.

Notes

Proventia Integrated Security Appliance (M Series)

6-13

Module 6: Antivirus

Basic Configuration - Protocols to Protect Tab


You can select which protocols to scan for viruses on this page.

An Important Note About Protected Ports The antivirus software protects POP3, SMTP, HTTP, and FTP protocols that are set up on standard ports. If these protocols are set up in your network using non-standard ports, then the protocols are not protected.
Note: To successfully implement proxy settings, you must enable proxy

redirection rules for any protocols you select. If you select the SMTP protocol, you must configure the SMTP proxy server.

Notes

6-14

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Basic Configuration - Event Notification


To receive an alert message when the appliance detects a virus and takes action, you will need to enable the Alert Logging for Antivirus Events option on this page. You can also select how the appliance notifies you of the event.

Notes

Proventia Integrated Security Appliance (M Series)

6-15

Module 6: Antivirus

Basic Configuration - File Extensions Excluded from HTTP Antivirus Tab


This list includes the file extensions that you would typically want to exclude from virus scanning, such as image or music files. You can add, edit, or remove extensions from this list and should review the file extensions in this list to ensure that they are appropriate for your network.

Notes

6-16

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Advanced Parameters
STATE: The User Guide Appendix has details about advanced parameter names and values.
There may be instances in which the antivirus settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs on this page.

Important: Before configuring an antivirus advanced parameter, refer to

the Appliance User Guide for more information about advanced parameter names and values.

Quarantine File Management


STATE: This page is found in the Proventa M. EXPLAIN: Quarantine files are stored separately for AV and VPS. In LMI, both are listed here.
The Quarantine File Management page lists files that have been quarantined.

Notes

Proventia Integrated Security Appliance (M Series)

6-17

Module 6: Antivirus

EXPLAIN: Only the infected portion of the file is quarantined. There is only one quarantine entry for each instance, based on md5 sum, and entries listed are on a 1st in-1st out basis. Files will stay in the list for thirty days unless the hardware space hits a cerain watermark. Then the system starts deleting files. NOTE: This page should be used for forensics purposes only

The files listed here are suspected of containing or are known to contain a virus. Only the infected portion of the file is quarantined. The remainder of the file is deleted. Quarantine files will stay in the list for thirty days. There is only one quarantine entry for each instance, and entries listing are on a 1st in/1st out basis.
Caution: ISS recommends that you use this page for forensic purposes

only. Files are quarantined so that they cannot be executed inadvertently on the client system. If you take files out of quarantine, you risk infecting your network with whatever virus is contained in the files.

Notes

6-18

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

SMTP Config
NOTE: This is the same SMTP info that we saw in the Proventa M System Settings area. In SiteProtector, its found in Services. EXPLAIN: Proxying the connection when you use Antivirus can cause latency.
You must configure the SMTP proxy server to use the Antivirus and Antispam modules. You will need to configure SMTP for transparent proxy to scan files for viruses and to prevent the use of your email server in sending SPAM to others.

You can use relay IPs to control which computers in your network can send email outside your domain (outside your network), and which domains can send email to users in your network.

How Transparent Proxy Works


A transparent proxy is invisible to users on your network. You can configure the proxy server to use specified ports, and then configure the firewall to allow email traffic on those port numbers. The proxy server passes data between the email sender and the email receiver, but remains invisible to the users. The users appear to be talking directly to each other.

Notes

Proventia Integrated Security Appliance (M Series)

6-19

Module 6: Antivirus Example You set up an email server on the DMZ segment of your network, and then create an access policy on your appliance that allows the email server to receive email on port 25. When a sender outside the network sends an email to a user inside the network, the email goes through the appliance, where the SMTP proxy server intercepts the email. The SMTP proxy server disassembles and scans the email for viruses. If the email is not infected, the SMTP proxy server routes the email to the destination email server. There is no indication to either user that the email was intercepted or scanned. If the email is infected, then one of the following occurs: If you have selected the Quarantine Infected Files option, the appliance quarantines the portion of the email that is infected, deletes the remainder of the file, and returns a reject message to the sender. If you have not selected the Quarantine Infected Files option, the appliance deletes the entire file and returns a reject message to the sender.

Relay IPs and Local Domains


The SMTP proxy server configuration includes two components: The Relay IP list - defines the users in your network that can send and receive email. If you add a range of IP addresses to the list of Relay IPs , then the appliance allows any computer in the range to send email to another domain. The Local Domain list - defines the domains in your network that can receive email from users in your network. If you add a domain to the list of Local Domains, then the appliance allows all email from that domain. If you have more than one domain, you must include all domains in the Local Domain list for the appliance to allow email to pass between them.

Notes

6-20

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus When a user in your domain sends an email to another domain, the antivirus software compares the source IP address of the email sender to the list of relay IP addresses. The appliance does one of the following: If the source IP address is on the relay IP list, then the appliance relays the email to the destination domain. If the source IP address is not on the list, and the destination domain is not listed in the local domains, then the appliance notifies the sender that the system is not authorized to relay the email.

Enabling SMTP Proxy on Your Network


NOTE: Walk them through the configuration.
You must complete the following tasks to configure the SMTP proxy on your network:
1. Add IP address ranges to the Relay IP list to define users that can

send email outside your domain.


2. Add any additional corporate domains to the Local Domain list to

define the domains that can receive email.

Notes

Proventia Integrated Security Appliance (M Series)

6-21

Module 6: Antivirus

Labs: Testing with the eicar Virus


Slide 106

Introduction
Complete the following exercises to: Disable IIS SMTP service Install a Mail Server Create email accounts Send a virus via email Verify the antivirus module for HTTP

Exercise 13

Disable IIS SMTP Service


Partner 1 & 2 - To disable IIS SMTP service:
1. Click StartProgramsAdministrative ToolsInternet

Information Services (IIS) Manager


2. In the left pane, click to expand <your computer name>. 3. In the left pane, right click on Default SMTP Virtual Server. 4. Select Stop. 5. Close the IIS Manager.

Exercise 14

Install a Mail Server


Partner 2 - Install the mail server the instructor gave to you
1. Extract the files in MailRoot.zip to your c:\ drive. 2. Double click on c:\MailRoot\XMail.reg. 3. Open a cmd window and go to c:\MailRoot\bin 4. Type XMail.exe --install-auto. 5. Type net start xmail. 6. Double click on c:\MailRoot\XmailAdminSetup.exe. 7. Click on Install.

Notes

6-22

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus
8. Click on I agree to accept the End-user license agreement. 9. Click on OK to accept the default install directory. 10. Click on OK to terminate. 11. Open StartProgramsAdministrative ToosServices and make

sure that XMail Server has started. Note: in doubt you can reboot now.
12. Start StartProgramsXMail AdministratoXMail Admin. 13. Add the local server:

Server Name: <Your Host Name> Server Address: <Your IP Address> Login Name: admin Password: admin
14. Click Add New Server. The server will be listed on the left pane. 15. Click on the Server on the left hand pane. You will see its

configuration and the existing sp_partner1 and sp_partner2 accounts.

Exercise 15

Creating an Email Account


Partner 1 & Partner 2 complete the following steps to create an email account in Outlook Express:
1. To open Outlook Express, select StartProgramsOutlook

Express.
2. If the Internet Connection Wizard appears click on Cancel and Yes. 3. In the Outlook Express window, select ToolsAccounts. The

Internet Accounts dialog appears.


4. Click Import. 5. Locate yout pre-configured account setting (partner1.iaf or

partner2.iaf) and click Open.


6. Click on Properties. 7. Select the Servers tab.

Notes

Proventia Integrated Security Appliance (M Series)

6-23

Module 6: Antivirus
8. Update the mail server address with <Partner 2 IP Address>. 9. Click on Apply, OK and Close.

Send emails to sp_partner1@xfeducation.local and sp_partner2@xfeducation.local to make sure the mails are exchanged.

Send a test email to your yourself:


1. In Outlook Express, click the Create Mail toolbar button. 2. Complete your email message as follows:

To: sp_partner1@xfeducation.local Cc: sp_partner2@xfeducation.local Subject: Training Message Body: This Proventa M class sure is swell!

3. After you complete your email, click Send.

Exercise 16

Enabling Antivirus Functionality


By default, the Antivirus module is disabled. Partner 1 enable Antivirus functionality by doing the following:
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationAntivirus. 3. In the right pane, on the Basic Configuration tab, select the

Antivirus Module Enabled option.


4. Select the Quarantine Infected Files option in the General Settings

area for both the signature engine and VPS.


5. Select the Protocols To Protect tab. 6. Select the all protocols options. 7. Select the Event Notification tab. 8. Ensure that the Alert Logging for Antivirus Events option is

enabled.
9. Click Save Changes to update.

Notes

6-24

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Exercise 17

Sending an Email to Test Antivirus


Both Partner 1 and Partner 2 must go through the following exercises.

Send an email to each other:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: sp_partner1@xfeducation.local; sp_partner2@xfeducation.local Subject: AV test Message Body: This is an AV test

3. Attach the file eicar_com.zip after having unzipped it.

POINT OUT: The direction of the traffic is relevant for AV.

4. After you complete your email, click Send. 5. Analyze the different behaviour based on the position of the

appliance and the protocol monitored:


Partner 1 cannot send any email because the SMTP AV blocks it before it reaches the server. Partner 2 can send his/her emails because the server is local on the host, hence the appliance has not chances to block it. Partner 2 can receive his/her own mail because, again, the appliance is not between the POP3 server and the client. Partner 1 receives a mail from the appliance informing that an email was sent but blocked because it had a virus.

POINT OUT: The message is different with or without signature AV.

Note: If the signature AV is enabled the message will contain Virus name: EICAR-AV-Test, if only VPS is enabled, the message will contain Virus name: Malcode-5083.

Notes

Proventia Integrated Security Appliance (M Series)

6-25

Module 6: Antivirus

Exercise 18

Pulling the eicar Virus


Your instructor will have already downloaded a test virus file called eicar.com which acts like a virus but isnt. This test file is safe to pass around because it is not a virus and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test"). Partner 1 - To test your antivirus functionality:
1. Access http://www.eicar.org/anti_virus_test_file.htm

If there is no internet access, you can access your instructors machine by entering the following in your web browser: http:// <Instructors IP>/eicar.exe).
2. When you attempt to access this file, you should be alerted that this

file contains a virus.

POINT OUT: The message is different with or without signature AV.

Note: If the signature AV is enabled the message will contain Virus name: EICAR-AV-Test, if only VPS is enabled, the message will contain Virus name: Malcode-5083.
3. Navigate to your Proventa Manager. 4. In the navigation pane, select the following nodes:

StatusAntivirusAlerts. The Alert page is displayed. Check your logs for a virus alert.
5. Select the following nodes: StatusAntivirusQuarantine. 6. You should now see a listing of the virus file on this page. Note: The virus scanner uses a MD5 caching daemon. When you

transfer the same eicar virus over HTTP or FTP, you will only see one virus alert. In the background the caching daemon (when enabled) will be keeping track of how many times it has seen the same virus-infected file. 3600 seconds (1 hour) later, you will receive a second event updating your on this count.

Notes

6-26

Proventia Integrated Security Appliance (M Series)

Module 6: Antivirus

Module Review
Slide 107
You should now be able to:

Discuss the basics of Antivirus signature-based technology. Describe Proventa Ms Virus Prevention System (VPS)
functionality.

Configure the Antivirus portion of the Proventa M. Use a test virus to view virus blocking within the Proventa M.
Review Objectives Ask: For additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Proventia Integrated Security Appliance (M Series)

6-27

Module 6: Antivirus

Notes

6-28

Proventia Integrated Security Appliance (M Series)

1hour

Web Filtering

Module 7

About this Module


Slide 108

Purpose of this Module


The purpose of this module is to describe how to configure web filter settings used by the Proventa Manager.

Slide 109

Module Objectives
When you complete this module, you will be able to: Discuss the use for Web filters. Describe the Proventa M Series Web filtering process and each of the technologies used in that process. Configure the Web filtering module, creating whitelists and blacklists. Test category blocking and Web site filtering.

Notes

Integrated Security Appliance

7-1

Module 7: Web Filtering

Why Filter the Web?


Slide 110

The Challenge for Web Content Security


The main challenge for Web content security is that: The Internet is the No. 1 source for information:

Employees need it to acquire and transmit information At least every 3rd workplace has access to the Internet

NOTE: Sources - gartner, sextracker.com, and vault.com

Private use of Internet connections in companies is as follows:


30-40% of usage is not job-related At least 60% of all employees use the Internet privately (news, chats, job market, auctions,...) 70% of all accesses to porn sites occur on weekdays between 9:00 and 17.00 hours Liability risks for company management

Notes

7-2

Integrated Security Appliance

Module 7: Web Filtering

Slide 111

What This Means in Practice


Company integrity must be protected from: Non work-relevant surfing (costs) Undesirable or illegal Internet contents (liability, image) Network integrity must be protected from: Inappropriate use of bandwidth and storage capacity Network congestion

Notes

Integrated Security Appliance

7-3

Module 7: Web Filtering

Slide 112

Prevention Instead of Monitoring


An organization can counter improper usage of the Internet by: Conducting a survey of surfing behavior by means of a companywide Internet usage study Improving productivity and security without endangering employee satisfaction or morale by:

Blocking undesirable sites Allowing free access to permitted sites Defining company-related requirements Implementing organizational and technical changes Taking legal requirements into account

Notes

7-4

Integrated Security Appliance

Module 7: Web Filtering

Proventa Ms Web Filtering Technology


Slide 113

Introduction
The Web Filter Module of the Proventa M Series blocks or allows access to Web sites based on criteria that you select, allowing you to control the following on your network: What Web content is allowed or blocked Who can override the Web filters to freely surf the Internet How the appliance notifies you about URL requests on your network

P ro ven tia M W eb F ilter

When a computer in your network attempts to access a Web site, the appliance will reference the Web Filter and Antispam Database, enforce the Web filter rules you have established, and display statistics about the Web filter data.

Notes

Integrated Security Appliance

7-5

Module 7: Web Filtering

Slide 114

The Web Filter Process


The following table details the Web filtering process:
Stage 1 Description You enable the Web Filter Module on the appliance, and set the options. You can choose the following:


2 3

Web Filter categories containing the URLs that you want the appliance to log Whether the appliance blocks requests for the URLs in those categories How the appliance responds to Web Filter eventshow often the appliance downloads database updates

To control access to specific Web sites, domains, and servers, add these entries to the Blacklist or Whitelist filter overrides. The appliance enforces your Web Filters. If a user attempts to access a forbidden Web site, the appliance displays a Web page that informs the user that the site is blocked.

STATE: We will now cover each of these topics in detail.

Notes

7-6

Integrated Security Appliance

Module 7: Web Filtering

Slide 115

Web Crawlers
ISS Web crawlers classify millions of Web pages every day. The process of crawling the Internet is based on a "snowball" principle, so that the Web crawler analyzes a Web site and then follows all the hyperlinks to other sites as well.

Slide 116

The following table describes how a Web crawler downloads information about a Web site.
Stage Description 1 2 3 4 The Web crawler visits a new or updated Web site. The Web crawler downloads all HTML text and images on the Web site, and stores this content for further analysis. The Web crawler follows all hyperlinks to other sites, until no more unknown hyperlinks are found. The Web crawler sends the information to ISS for analysis and inclusion in the Web Filter and Antispam Database.

Notes

Integrated Security Appliance

7-7

Module 7: Web Filtering

Slide 117

Web Crawling Strategy


The Web crawling strategy includes the following: Visiting newly discovered servers and domains before going deeper on the same server Visiting one server multiple times, rather than downloading massive amounts of data in a single visit Using some Web crawlers to update and maintain the database while others search for new content Frequently visiting Web sites that change often Updating the Web crawling system with information about new Web sites, domains, and servers based on public host lists, domain registry information, and other external sources

Notes

7-8

Integrated Security Appliance

Module 7: Web Filtering

Slide 118

Applying Web Filters


There are two ways to apply web filters to your network: Select Web Filter categories Add specific URL, domain, and IP address entries to the blacklist and whitelists

Slide 119

Web Filter Categorization


After ISS has analyzed the content of a Web site, that Web site is assigned to one of 60 categories in the Web Filter and Antispam Database.

Notes

Integrated Security Appliance

7-9

Module 7: Web Filtering

Slide 120

Web Categories
Here are the 60 categories:

EXPLAIN: The chart has not been officially updated to show Spam and Spyware categories, but they have been added. NOTE: Dark blocks represent major categories, and lighter blocks represent subcategories.

These categories are then organized into 19 major groups and displayed in the Web Filter tree.
Note: Dark blocks represent major categories, and lighter blocks

represent subcategories.

Notes

7-10

Integrated Security Appliance

Module 7: Web Filtering

Slide 121

The Web Filter Tree


The Web Filter tree appears in the left pane and you can click any node on the Web Filter tree to expand it. When you select a category group, the category description displays in the right pane. You can select any or all of the categories at one time. Category List Here is a list of the main categories: Nudity Ordering Society/Education/Religion Criminal Activities Extreme Games/Gambling Entertainment/Culture Information/Communication IT (Information Technology) Drugs Lifestyle Private Homepages Job Search Finance/Investing Transportation Weapons Medicine Spam Spyware

Notes

Integrated Security Appliance

7-11

Module 7: Web Filtering

Slide 122

Classification Tools
ISS uses the following tools to classify Web sites into categories: Keyword searches Intelligent text classification Visual pornography detection Visual object recognition Visual optical character recognition Overall classification

STATE: Details for each tool are in your book.

Keyword Searches
The keyword search determines the appropriate category for a Web site based on the occurrence of certain words. Keyword searches are useful for classifying a URL.

Intelligent Text Classification


Intelligent text classification evaluates keywords, how frequently a keyword appears, and combinations of words. This method is a more reliable way of classifying a Web site that contains a large number of words. A combination of keyword searches and intelligent text classification can thoroughly analyze the text of a Web site.

Visual Pornography Detection


Visual pornography detection can detect a high concentration of flesh tones in an image. If an image contains a high concentration of flesh tones in comparison to the size of a face in the image, then that image is potentially pornographic. The Web crawler determines whether the image contains a face. If the Web crawler detects a face in an image, it creates a sample color from the skin and evaluates how much of this sample flesh color is present in the image. If the image does not contain a face, then the Web crawler makes statistical assumptions about the amount of flesh in the image.

Notes

7-12

Integrated Security Appliance

Module 7: Web Filtering

Visual Object Recognition


Visual object recognition analyzes each image for specific objects such as signs, symbols, and trademarks. The Web crawlers can identify objects such as the following: inappropriate symbols (such as symbols used by hate groups) credit card logos sports brands car brands other well-known objects

Visual Optical Character Recognition


Visual optical character recognition analyzes text that is embedded in an image. Using this tool together with keyword searches and text classification, the Web crawler can accurately identify all text content on the Web site.

Overall Classification
Overall classification processes the results of all the tools that the Web crawler uses to analyze Web content. This prevents a single tool from incorrectly classifying a Web site.

Notes

Integrated Security Appliance

7-13

Module 7: Web Filtering

Slide 123

Filter Overrides
You can also use the Blacklist or Whitelist filter overrides to control access to specific Web sites, domains, and servers. These Web filter overrides will do the following:

EMPHASIZE: If a user is put on a Source Whitelist, that user is exempt from all Web filters. and can access any URL, domain, or IP address, even those on the Destination Blacklist. Slide 124

Exempt one or more specific Web sites, domains, or servers from Web Filters Block or allow access to individual Web sites, domains, or servers Allow specific users in your network to surf the Internet freely When you add a URL, domain, or IP address to a Blacklist or Whitelist, that entry is an exception to the Web filter category.

The following table explains the List terms:


List Source Allow List (Whitelist) Description A list of static IP addresses that can freely access the Internet from your network. This is useful if specific users in your network need unrestricted Internet access. A list of URLs, domains, or IP addresses that users can always access from your network, even if the destination belongs to a blocked Web filter category. This is useful if you want to override a Web filter to allow access to specific destinations in a blocked category, such as a single news site. A list of URLs, domains, or IP addresses that users can never access from your network. You can use this list to block destinations that arent included in the Web filters youve selected.

Destination Allow List (Whitelist)

Destination Block List (Blacklist)

Important Note: When you add a URL, domain, or IP address to the

Source Whitelist, that entry is an exception to all Web filter categories. The user can access any URL, domain, or IP address on the Whitelist, even those included on the Destination Blacklist.

Notes

7-14

Integrated Security Appliance

Module 7: Web Filtering

Slide 125

Wildcards
Wildcards are an important part of utilizing filter overrides to their fullest.

Whitelist Wildcards
In a Source Whitelist filter override entry, you can use the asterisk (*) wildcard character in the trailing segment of an IP address range.
Note: The asterisk must be the final character in the entry.

The following examples include all IP addresses in the subnet: 192.168.120.* 192.168.* 192.*

Slide 126

Blacklist Wildcards
You can use two wildcard characters in the Destination Whitelist or Blacklist filter override entries: The question mark (?) represents any single character The asterisk (*) includes groups of URLs such as the following:

An entire IP address range All the pages in a Web site

You can use the asterisk wildcard character in the leading or trailing segments of an IP address range or URL.
Note: You cannot use a wildcard character in the middle segment of an

IP address or URL.

Notes

Integrated Security Appliance

7-15

Module 7: Web Filtering

Slide 127

More About Wildcards


If no wildcard is used in an incomplete entry, then the appliance assumes a wildcard at the start and end of the entry. For example: iss This is interpreted by the appliance as *.iss.* Each of these examples includes all Web pages in the ISS Web site:

*.iss.* iss ?*.iss.net 172.16.106.*

This following includes all IP addresses in the IP segment:

Notes

7-16

Integrated Security Appliance

Module 7: Web Filtering

Slide 128

URL Blocking
When you enable Web Filters, URL blocking is enabled by default, and the appliance blocks all requests for URLs that belong to the Web Filter categories you select.

NOTE: Even if the site is blocked by more than one category, it will only show one at a time. NOTE: See the note below the graphic about altering the blocking page.

Note: If you want to log URL requests, but not block them, then you can

disable URL Blocking.

Blocking page
When you attempt to access a blocked Web site, the appliance generates a blocking page in your Web browser. This page displays the blocked URL, and informs you that the Web site is blocked.

Note: Altering the blocking page is not supported. There is, however, a

Knowledgebase article (2466) on the ISS Web site which tells you how to. The web-filter block page template is located on the box at /etc/ squid/errors/ERR_ISS_BLOCKED.

Notes

Integrated Security Appliance

7-17

Module 7: Web Filtering

Slide 129

ISS Web Filter Resources


You will find tools that will assist you with your Web filter categories on the ISS Web site under SupportSupport Resources:

Slide 130

Proventa Web Filter Policy Checker


This link takes you to a page where you can check to see if you have blocked access to a particular category or sub category:

Notes

7-18

Integrated Security Appliance

Module 7: Web Filtering

Slide 131

Proventa Web Filter Test-a-Site


This link allows you to test a specific URL to determine to what category, if any, the site has been assigned in the Database:

EXPLAIN: The Proventa Web/ Mail Filter Database Categories gives you an up-to-date listing of all categories and sub categories.

Notes

Integrated Security Appliance

7-19

Module 7: Web Filtering

The Web Filter and Antispam Database


Slide 132

Introduction
The ISS Web Filter and AntiSpam Database contains the classification information that ISS gathers about Web sites. Once ISS has used Web crawlers to inspect Web sites, and then analyzed and classified that information into categories, the database acts as a repository for this data. The appliance then uses this information to enforce Web filters and identify spam email.

Slide 133

Sources of Information
In addition to Web crawlers, ISS uses several methods to add information to the database, including: Managed link lists Newsgroups Search engines Other Resources

Slide 134

Types of Information
The following is a list of the types of information contained in the database: Domains - inappropriate_site.com Hosts - www.inappropriate_site.com Directories - www.inappropriate_site.com/pics/ HTML pages - www.inappropriate_site.com/pics/index.html Image URLs - www.inappropriate_site.com/pics/001.jpg

Notes

7-20

Integrated Security Appliance

Module 7: Web Filtering

Slide 135

Filter Database
In order to access the Proventa Database, you must navigate to the Filter DB tab within your general Settings. You will use the Web Filter and Antispam Database page to: View database status

STATE: In order to look at the Database, we have to go back to the main System Settings area in Proventa Manager and look at the Filter DB tab that we skipped earlier. Explain: Bottom tabs and Web Learn are invisible in Proventa Manager when SiteProtector management is turned on. Those features are then found in SP.

Download or overwrite the database Use advanced tuning parameters

Database Status
The appliance displays status information based on the following: The database mode Whether a local database is installed

Notes

Integrated Security Appliance

7-21

Module 7: Web Filtering Current database statistics are described in the following table:
Statistic Mode Description The current database status. The mode statuses are: Not installed Installed The local database version, in the following format: x.xxxx The status of the local database. The possible statuses are: Installed Downloading Updating The progress of the local database download. The possible statistics are: x% (percentage of completed download) Indexing Database

Version Status

Download Progress

Notes

7-22

Integrated Security Appliance

Module 7: Web Filtering

Slide 136

Downloading the Database


As we saw during the installation process, you are prompted to install the database when you configure the appliance. You must install or download a new copy of the Web Filtering and Antispam Database if you restore the appliance from a system backup or experience problems that require you to overwrite your existing database.
Note: If you download a local database from the ISS Web site, the

download overwrites the existing database on your appliance. This could take several hours.

Slide 137

Updating the Database


It is recommended that you update your database frequently. This is the only way that you will be able to keep your data fresh and utilize the database to its fullest.

Explain: Because the database gets updated so frequently, a full download will be performed if it has been 10 days or more since the last update. Slide 138

Update Methods
The two ways to update your database are as follows: Manually update the database from the MaintenanceUpdatesStatus page. You can click on the Find Updates button at the top of the screen to access it. Schedule automatic database updates from the Automatic Update Settings page. This is the recommended way to update.

WebLearn
The WebLearn feature helps increase coverage of the Web crawling process, so that the ISS database is kept as current as possible. If you enable the WebLearn feature, the appliance automatically reports unknown or unrecognized URLs to ISS anonymously during database updates.
Note: the appliance waits until it has gathered 10 uncategorized URLs

and then sends them in batch to ISS.

Notes

Integrated Security Appliance

7-23

Module 7: Web Filtering

Configuring Proventa M Web Filtering


Slide 139

Web Filtering Status Information


This page displays data for Web filtering software status and statistics. On this page, you will be able to view the Web filter categories you are using and how many URLs in each category are allowed or blocked. The statistics are grouped into three areas: Overview - Overall statistics about requests for Web site access Filtered Categories - Statistics for each Web Filter category you select White/Black List - Statistics about the requests for Web sites that youve included in a Whitelist or Blacklist

Notes

7-24

Integrated Security Appliance

Module 7: Web Filtering

Settings
There are two tabs that you will use to configure settings: Protection Settings Event Notification

Slide 140

Protection Settings Tab


This page allows you to perform the general Web filter set up. On this page you will enable Web filtering as well as populate your Source and Destinations lists.

Notes

Integrated Security Appliance

7-25

Module 7: Web Filtering

Slide 141

After you enable the Web Filter Module, the appliance enforces the default Web filter settings described below:
Option URL Blocking Filter Override - Destination Allow List Web Filter Categories Default Setting Enabled The following URL is added to the Destination Whitelist by default: www.iss.net The following Web Filter Categories are selected by default:

Pornography/Nudity Erotic/Sex IT Drugs Extreme

An Important Note about URL Blocking When you enable Web Filters, URL Blocking is enabled by default. When URL blocking is enabled, the appliance blocks all requests for URLs that belong to the Web Filter categories you select. If you want to log URL requests, but not block them, then you can disable URL Blocking.

Notes

7-26

Integrated Security Appliance

Module 7: Web Filtering

Slide 142

Event Notification Tab


If you enable Web filter Event Logging, you can choose the following: Which Web Filter events to log on the Alert Event Log page How the appliance responds to Web Filter events

Notes

Integrated Security Appliance

7-27

Module 7: Web Filtering

Event Logging Type


If you enable Web Filter event logging, you can choose which events the appliance displays on the Alert Event Log page. You can select one of the following event log types:
Type Description

Log Only Blocked Web Displays an event on the Alert Event Log page for Page Requests each blocked URL request. Log All Web Page Requests Displays an event on the Alert Event Log page for each URL request.

Note: If you enable the Log All Web Page Requests option, the event log

file could fill very quickly. ISS recommends that you enable this option for troubleshooting only.
Note: If you have registered your appliance with SiteProtector, enable

alert reporting to SiteProtector, and then enable the Log All Web Page Requests option, then the appliance could send a large number of alerts to SiteProtector.

Delivery Options
The table below details the notification delivery options:
Option Email Enabled Default Setting Sends an email for each blocked URL request. The email contains the source IP address, the requested URL, and the corresponding Web Filter category. Sends an SNMP trap for each blocked URL request. The trap contains the source IP address, the the requested URL, and the corresponding Web Filter category. Sends the alert to the SiteProtector Agent Manager. Caution: If you send alerts to SiteProtector for events that occur frequently, the appliance can generate a large number of alerts to SiteProtector.

SNMP Trap

SiteProtector Enabled

Notes

7-28

Integrated Security Appliance

Module 7: Web Filtering

Labs: Configuring and Testing Filters


Slide 143

Introduction
Complete the following exercises to: Enable Web filter functionality Access a Web site in the sport category

Important Note: Exercises 34-46 will ony work if you have Internet access.

Select web filter categories Test access to your blocked category Test access to anoter web site Add a destination blacklist entry Test your filter

Enabling Web Filter Functionality


By default, the Web filtering module is disabled. Enable Web filtering functionality by doing the following: Partner 2
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationWeb FilterWeb Filter

Settings.

EXPLAIN: If you pull sites from cash, they will not display the blocking page. You must launch a new browser.

3. In the right pane, on the Protection Settings tab, select the Web

Filter Module Enabled option.


4. Click Save Changes to update.

Notes

Integrated Security Appliance

7-29

Module 7: Web Filtering

Exercise 19

Accessing a Web Site in the Sports Category


This exercise will only work if your classroom has Internet connectivity. Partner 1 - To test your access to www.gazzetta.it:
1. Open a browser window. 2. Type the following URL in the Address box:

www.gazzetta.it
3. Press ENTER.

If your classroom has Internet connectivity, you should be able to gain access.

Exercise 20

Selecting Web Filter Categories


This exercise will only work if your classroom has Internet access. Partner 2 - To block the Sports category in the Proventa Manager interface:
1. Position yourself on the ConfigurationWeb FilterWeb Filter

Categories.
2. In the right pane, select the Lifestyle node on the Web Filter tree to

expand it, and select the box for the Sports category.
3. Click Save Changes to update.

Notes

7-30

Integrated Security Appliance

Module 7: Web Filtering

Exercise 21

Testing your Access to the Blocked Category


This exercise will only work if your classroom has Internet access. Partner 1 - Now test your access to www.gazzetta.it again:
1. Reload the page or click on any link to a page link within the

newspaper. You should no longer be able to gain access.


2. Now to to www.thesun.co.uk. 3. You should be able to access the newspaper. 4. Click on the Sport link on the left-hand site. 5. You should be blocked again. 6. Close the browser window.

Exercise 22

Adding a Destination Blacklist Entry


Partner 2 - To add www.thesun.co.uk to the Destination Blacklist:
1. Position yourself on the ConfigurationWeb FilterWeb Filter

Settings.
1. In the right pane, on the Protection Settings tab, select the Filter

Override - Destination Block List tab.


2. Click Add. 3. In the Name box, type *sun* 4. Click Save Changes to update.

Exercise 23

Testing your Filter


Partner 1 - To test your access to bigwidget.htm:
1. Open your browser and connect to www.thesun.co.uk 2. You now will be blocked due to the match in the Block List. 3. Connect to www.sun.com. 4. You will be blocked again.

Notes

Integrated Security Appliance

7-31

Module 7: Web Filtering

Module Review
Slide 144
You should now be able to:

Discuss the use for Web filters. Describe the Proventa M Series Web filtering process and each of
the technologies used in that process.

Configure the Web filtering module, creating whitelists and


blacklists.

Test category blocking and Web site filtering.


Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

7-32

Integrated Security Appliance

45 minutes

Antispam

Module 8

About this Module


Slide 145

Purpose of this Module


The purpose of this module is to describe how to configure antispam settings used by the Proventa Manager.

Slide 146

Module Objectives
When you complete this module, you will be able to: Discuss the need for antispam technology. Describe the basics of Proventa Ms antispam module. Configure the antispam portion of the Proventa M using whitelists and blacklists.

Notes

Integrated Security Appliance

8-1

Module 8: Antispam

Why Use Antispam?


Slide 147

Challenges for Email Content Security


Here are a few examples of the many challenges for email content security: Communication via e-mail is an integral part of business. Up to 25% of daily working time involves e-mail processing. 30% of all e-mails are spam. Every 2nd employee sends more than five private messages per day.

NOTE: One of the sources is Ferris Research.

30% of all employees have sent confidential information to external recipients, intentionally or by mistake. 66% of all companies have received viruses in e-mail attachments.

Notes

8-2

Integrated Security Appliance

Module 8: Antispam

Slide 148

Email Flood Statistics


The statistics are as follows: 2002: 25 to 50 e-mails daily per user 2006: Projected 50% increase in e-mail volume Spam e-mail is the number one challenge

Notes

Integrated Security Appliance

8-3

Module 8: Antispam

Slide 149

The Costs of Spam


The total cost of spam can be seen in the following: Consumption of IT resources Help Desk costs Lost user productivity Billions of dollars lost annually by US companies Equivalent loss for Europe in 2003 according to the European Commission

Slide 150

Countering the Cost


An organization can counter improper usage of email by: Creating written policies for e-mail communication to prevent potential conflict between employee and employer. Considering all internal and external risks. Expanding technology for full-scale protection for Internet and intranet. Prevention instead of monitoring through a mail/content filter.

Notes

8-4

Integrated Security Appliance

Module 8: Antispam

Proventa Ms Antispam Component


Slide 151

Introduction
The purpose of antispam functionality is to prevent annoying, nonproductive, or offensive spam emails from entering your network undetected.

Inbound

Proventia Antispam

Outbound
The M Series appliance filters spam email by analyzing the text and attachments in all email traffic passing through your network. It then references the list of known spam sources in the Web Filter and Antispam Database. If an email is identified as harmless, it is allowed to pass instantly. If the appliance identifies an email as spam, one of the following will happen: The email is labeled as spam by [SPAM] being added to the subject line. The email is deleted.

Notes

Integrated Security Appliance

8-5

Module 8: Antispam

Slide 152

Spam Identification
Proventa Ms antispam software uses a variety of analysis techniques to identify spam without blocking legitimate email. Some of the technologies used to scan email traffic passing through your network are as follows: Text recognition Text classification Object recognition Pornography and nudity detection Keyword detection URL detection

Notes

8-6

Integrated Security Appliance

Module 8: Antispam

Slide 153

The Antispam Process


The following table describes the Antispam process:
Stage 1 Description You enable the Antispam Module on the appliance, and set the options. You can choose the following:

Whether the appliance tags or deletes emails identified as spam The threshold of spam content in a spam email that results in tagging or deleting How the appliance responds to Antispam events

If you want to control access to specific email addresses or domains, you can add these entries to the Email Sender Whitelist or the Email Sender Blacklist. The appliance evaluates all incoming email for sender information and spam content. The appliance references the Web Filter and Antispam Database to identify known spam sources and URLs linked to inappropriate Web sites. If the appliance identifies an email as spam, the appliance assigns a numerical value to the email based on the amount of spam content. A higher value corresponds to a higher amount of spam content. The appliance tags or deletes the spam email, based on the spam sensitivity settings.

3 4

Notes

Integrated Security Appliance

8-7

Module 8: Antispam

Configuring Proventa M Antispam


There are two tabs within the antispam module: Status Settings

Slide 154

Antispam Status Information


This page displays statistics for the antispam configuration.
Note: For each Antispam statistic, the number of URLs is followed by

its percentage of the total.

Notes

8-8

Integrated Security Appliance

Module 8: Antispam

EXPLAIN: For each Antispam statistic, the number of URLs is followed by its percentage of the total.

The following table describes the Antispam statistics:


Statistic Total emails Ham Spam Allowed Description The total number of emails that the appliance processed. The number of legitimate emails that the appliance processed. The number of spam emails that the appliance processed. The number of emails that the appliance allowed. Note: This number includes emails that the appliance allowed, but tagged as spam. The number of emails that the appliance dropped. The number of emails from a sender on the Email Sender Whitelist. The number of emails from a sender on the Email Sender Blacklist.

Blocked Whitelist Blacklist

Notes

Integrated Security Appliance

8-9

Module 8: Antispam

Settings
There are two main tabs that you will use to configure antispam settings: Protection Settings Event Notification

Slide 155

Protection Settings Tab - Spam Tagging Sensitivity


This page allows you to perform the general antispam set up.

Slide 156

Spam Tagging Settings


The Spam Tagging Sensitivity settings are: Delete Threshold Learning Mode Delete Mode

Slide 157

The Delete Threshold and the Slider


When the appliance identifies an email as spam, the appliance assigns a numerical value to the email based on the amount of spam content. A higher value corresponds to a higher amount of spam content, and the spam email rates higher on the delete threshold. A lower value corresponds to less spam content, and the spam email rates lower on the threshold.

Notes

8-10

Integrated Security Appliance

Module 8: Antispam The Delete Threshold slider allows you to set the level of spam content that the appliance uses as the baseline to tag or delete spam email. This setting determines whether the appliance responds to a spam email by: Tagging it as [SPAM] Tagging it as [SPAM+] Deleting it Setting the slider to the minimum delete threshold will delete all email that might be spam, even if some emails might be legitimate. Setting the slider to the maximum delete threshold will delete only the email with high spam content.

Slide 158

Learning Mode
In Learning Mode, the appliance tags spam emails according to the Delete Threshold level you select. If the email contains less spam content than the threshold, the appliance adds a [SPAM] header to the email subject line.

EXPLAIN: Anything to the left of the slider is tagged as [SPAM]. Anything to the right is [SPAM+].

If the email contains more spam content than the threshold, the appliance adds a [SPAM+] header to the email subject line.
Note: Learning Mode is useful if you want to see which emails the

appliance identifies as [SPAM] and [SPAM+]. This allows you to adjust the Delete Threshold setting to get the best performance for your network before you begin deleting spam emails.

Notes

Integrated Security Appliance

8-11

Module 8: Antispam

Slide 159

Delete Mode
In Delete Mode, the appliance deletes spam emails according to the delete threshold level you select.

EXPLAIN: Anything to the left of the slider is tagged as [SPAM]. Anything to the right is deleted. Slide 160

If the email contains less spam content than the threshold, the appliance adds a [SPAM] header to the email subject line. If the email contains more spam content than the threshold, the appliance deletes the email.

Sender Email Lists


The Email Sender Whitelist and Blacklist control which domains or email addresses the appliance identifies as spam.

EXPLAIN: You can include email distribution lists in an Email Sender list. The appliance filters for the entries on the Email Sender list, but does not enforce the Antispam settings for individuals included in that distribution list.

If you include an email address or domain on the Email Sender Whitelist, then the appliance accepts all email from that sender, regardless of content. If you include an email address or domain on the Email Sender Blacklist, then the appliance blocks all email from that sender, regardless of whether the Antispam Module is in Learning Mode or Delete Mode.
Note: You can include email distribution lists in an Email Sender list.

The appliance filters for the entries on the Email Sender list, but does not enforce the Antispam settings for individuals included in that distribution list.

Notes

8-12

Integrated Security Appliance

Module 8: Antispam

Slide 161

Wildcards
You can use two wildcard characters in an Email List entry: The question mark wildcard character (?) represents any single character The asterisk wildcard character (*) includes groups of email addresses or domains You can use wildcards to the left, middle, or right of entries, and you can combine wildcards. Both of these examples identify spam_sender as a source of spam: spam_sender@*. *spam_sender@
Note: If an entry is incomplete and includes no wildcards, then the

appliance assumes wildcards at the start and end of the entry.

Notes

Integrated Security Appliance

8-13

Module 8: Antispam

Slide 162

Event Notification Tab


You can choose how the appliance responds to Antispam events on the Notification page:

Event Logging Type If you enable Web Filter event logging, you can choose which events the appliance displays on the Alert Event Log page. You can select one of the following event log types:
Type Log Only Email Tagged As Spam Log All Email Description Displays an event on the Alert Event Log page for each email tagged as spam. Displays an event on the Alert Event Log page for each email the appliance processes.

Note: If you select Log All Email, then the appliance logs all email that

the appliance processes, but the email and SNMP Trap delivery options are not available.

Notes

8-14

Integrated Security Appliance

Module 8: Antispam
Caution: Enabling the Log All Email option, the event log file could fill

very quickly. ISS recommends that you enable this option for troubleshooting only. Delivery Options Below is a description of the delivery options:
Option SNMP Trap Description Sends an SNMP trap for each email identified as spam. The trap contains the sender's email address, the target email address, and the corresponding category in the Web Filter and Antispam Database controller Sends the alert to the SiteProtector desktop

SiteProtector Enabled

Note: If you send alerts to SiteProtector for events that occur frequently,

the appliance can generate a large number of alerts to SiteProtector.

Notes

Integrated Security Appliance

8-15

Module 8: Antispam

Labs: Testing Antispam Functionality


Slide 163

Introduction
Complete the following exercises to: Configure antispam functionality Send emails to test antispam functionality

Exercise 24

Configuring Antispam Functionality for SMTP


By default, the antispam module is disabled. Enable and configure the antispam functionality using the following steps. Partner 1
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationAntispam. 3. On the Protection Settings tab, select the Spam Detection Enabled

option.
4. On the Protected Protocols sub-tab, select SMTP only. 5. On the Spam Tagging Sensitivity sub-tab, select the Learning

Mode option.
6. Select the Event Notification tab. 7. Select the Enable Event Logging option. 8. Select the Log Only Email Tagged As Spam option. 9. Click Save Changes to update.

Notes

8-16

Integrated Security Appliance

Module 8: Antispam

Exercise 25

Sending an Email to Test SMTP Antispam


Both Partner 1 and Partner 2 must go through the following exercises.

Send a spam email to yourself:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: partnerx@xfeducation.local Subject: Penis enlargement 1 Message Body: Limited offer, act now! Only $29.95

3. After you complete your email, click Send. 4. When received, Partner 1 will see his own mail tagged whereas

Partner 2 wont. This is due to outbound SMTP Anti-Spam.

Send a spam email to each other:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: partnery@xfeducation.local Subject: Penis enlargement 2 Message Body: Limited offer, act now! Only $29.95

3. After you complete your email, click Send. 4. When received, the mail to Partner 2 will be tagged whereas the

mail to Partner 1 wont. Again this is due to outbound SMTP AntiSpam. Note: this is the opposite result as when sending the mail to yourself.

Notes

Integrated Security Appliance

8-17

Module 8: Antispam

Exercise 26

Configuring Antispam Functionality for POP3


Partner 1
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationAntispam. 3. On the Protected Protocols sub-tab, disable SMTP and enable

POP3 only.
4. Click Save Changes to update.

Exercise 27

Sending an Email to Test POP3 Antispam


Both Partner 1 and Partner 2 must go through the following exercises.

Send a spam email to yourself:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: partnerx@xfeducation.local Subject: Penis enlargement 3 Message Body: Limited offer, act now! Only $29.95

3. After you complete your email, click Send. 4. When received, Partner 1 will see his own mail tagged whereas

Partner 2 wont. This is due to POP3 Anti-Spam. Note: So far there is no difference with the previous exercise.

Send a spam email to each other:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: partnery@xfeducation.local Subject: Penis enlargement 4 Message Body: Limited offer, act now! Only $29.95

Notes

8-18

Integrated Security Appliance

Module 8: Antispam
3. After you complete your email, click Send. 4. When received, the mail to Partner 1will be tagged whereas the mail

to Partner 2 wont due to POP3 Anti-Spam. Note: This is the opposite behaviour as for SMTP Anti-Spam.

Exercise 28

Configuring Antispam Blocking


Partner 1
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationAntispam. 3. On the Protected Protocols sub-tab, enable SMTP. 4. On the Spam Tagging Sensitivity sub-tab, enable Delete Mode. 5. Click Save Changes to update.

Exercise 29

Sending an Email to Test Antispam Blocking


Both Partner 1 and Partner 2 must go through the following exercises.

Send a spam email to each other:


1. In Outlook Express, click the Create New toolbar button. 2. Complete your email message as follows:

To: partnery@xfeducation.local Subject: Penis enlargement 5 Message Body: Limited offer, act now! Only $29.95

3. After you complete your email, click Send. 4. Partner 1 will receive an error message (552 Seems to be spam)

because the mail it is sending is deemed to be SPAM.


5. Partner 2 will be able to send.

Notes

Integrated Security Appliance

8-19

Module 8: Antispam

EXPLAIN: This is due to the implementation of the POP protocol.

6. Partner 1 will receive an email from ISS Proventa(R) M POP3

Scanner with subject [SPAM_BLOCK] informing him/her that a mail was blocked. Note: Without enabling the Delete Mode, both partners would receive a tagged mail.

Exercise 30

View the Spam Detected events


Partner 1
1. Connect to the Proventa Manager. 2. Position yourself on the StatusAntispamAlerts. 3. Analyze the alerts you see. In particular locate the information

about blocking or tagging the message.

Notes

8-20

Integrated Security Appliance

Module 8: Antispam

Module Review
Slide 164
You should now be able to:

Discuss the need for antispam technology. Describe the basics of Proventa Ms antispam technology. Configure the antispam portion of the Proventa M using whitelists
and blacklists.

Review Objectives Ask: For additional questions

Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

8-21

Module 8: Antispam

Notes

8-22

Integrated Security Appliance

45 minutes

Routing Mode

Module 9

About this Module


Slide 165

Purpose of this Module


The purpose of this module is to familiarize you with Proventa Ms trasnparent mode functionality.

Slide 166

Module Objectives
When you complete this module, you will be able to: Configure the appliance in Routing Mode Describe Routing Mode functionality. Review how to switch to Transparent mode. Discuss Routing Mode settings.

Notes

Integrated Security Appliance

9-1

Module 9: Routing Mode

Slide 167

What You Need to Know


To configure Routing Mode, you must first know the following: IP address and subnet mask of the appliances internal and external interfaces Default gateway of the appliance Hostname for the appliance Domain Name Server for the appliance Any static routes you may need to apply. This is the information you will use for the initial configuration.

Notes

9-2

Integrated Security Appliance

Module 9: Routing Mode

Slide 168

Classroom Topology
The graphic below illustrates the final layout of the classroom at the conclusion of the exercises contained in this module.

Notes

Integrated Security Appliance

9-3

Module 9: Routing Mode

Classroom IP Addresses
The following table highlights the resulting IP settings. Table 1 Host Name iss10 iss20 2 iss30 iss40 3 iss50 iss60 4 iss70 iss80 IP Address 192.168.1.101 192.168.2.101 192.168.3.101 192.168.4.101 192.168.5.101 192.168.6.101 192.168.7.101 192.168.8.101 MF49.xfeducation.local MF39.xfeducation.local MF29.xfeducation.local Appliance Name MF19.xfeducation.local IP Address EXT1: <LAN>.19 INT0: 192.168.1.1 EXT2: 192.168.2.1 EXT1: <LAN>.29 INT0: 192.168.3.1 EXT2: 192.168.4.1 EXT1: <LAN>.39 INT0: 192.168.5.1 EXT2: 192.168.6.1 EXT1: <LAN>.49 INT0: 192.168.7.1 EXT2: 192.168.8.1

Notes

9-4

Integrated Security Appliance

Module 9: Routing Mode

Lab: Configuration
Slide 169

Introduction
This lab walks you through the steps that you will take when reconfiguring your Proventa M appliance: Reconfigure the appliance Reconfigure the hosts IP addresses

Exercise 31

Configuring the Proventa M


This exercise will be conduct by Partner 1 only.
1. Connect to Proventa Manager. 2. Position yourself on the

ConfigurationSystemObjectsDynamic Address.

EXPLAIN: Partner 1 must do the reconfiguration because he is connected to eth0.

3. Select CORP and click on Edit.... 4. Insert the parameters according to the table starting on page 9-4:

Comment: Corporate Network Dynamic AddressNetwork Address / Subnet Mask: 192.168.Y.0 / 255.255.255.0 (network of EXT1).
5. Click on OK. 6. Click on Add.... 7. Insert the parameters according to the table starting on page 9-4:

Name: DMZ (it is the only available option) Comment: DMZ Network Dynamic AddressNetwork Address / Subnet Mask: 192.168.X.0 / 255.255.255.0 (network of INT0).
8. Click on OK. 9. Position yourself on the

ConfigurationSystemNetworkInterfaces.
10. Change Transparent Mode to Routing Mode. 11. On the External Interface Tab, check the Enabled box.

Notes

Integrated Security Appliance

9-5

Module 9: Routing Mode


12. In the Host Name field type MF<yourtable #>9.xfeducation.local. 13. In the IP Address area select Static and add the values according

the table starting on page 9-4: IP Address: <LAN>.X9 Subnet Mask: 255.255.255.0 Gateway: <LAN>.GW
14. In the DNS area, disable the Use Dynamic Settings and insert

Primary, Secondary and Tertiary DNS Servers according to the instructorss directions.
15. In the DNS Search Path area click Add.... 16. Insert xfeducation.local as a Domain Name and click OK. 17. Select the Internal Interfaces tab. 18. Click Add. 19. Insert the values for INT0 according the table starting on page 9-4:

Interface: eth0 Check Enabled IP Address: 192.168.X.1 Subnet Mask: 255.255.255.0 Check Primary Management Interface Click OK
20. Click Add.

INSTRUCTOR: If the students get an error due to SysTransmgmtRange they will have to go to the Appliance Access tab and remove the line that contains the variable.

21. Insert the values for EXT1 according the table starting on page 9-4:

Interface: eth2 Check Enabled IP Address: 192.168.Y.1 Subnet Mask: 255.255.255.0 Click OK
22. Click on Save Changes. 23. Read the Alert message and close your browser while the appliance

reboots.
Note: You can follow the reboot process using the hyperterminal

connection.

Notes

9-6

Integrated Security Appliance

Module 9: Routing Mode

Exercise 32

Reconfigure the class network.


During the reboot process, you can reconfigure your systems for the new network layout. Partner 1
1. Modify the Local Area Connection properties as follows:

IP: 192.168.X.101/24 (refer to the table starting on page 9-4) GW: 192.168.X.1 DNS: Ask the instructor. Partner 2
1. Modify the Local Area Connection properties as follows:

IP: 192.168.Y.101/24 (refer to the table starting on page 9-4) GW: 192.168.Y.1 DNS: Ask the instructor.

Exercise 33

Connecting to the Proventa Manager


This exercise will be conduct by Partner 1 only. To connect to the Proventa Manager through your browser:
1. Launch your web browser. Once at the browser window, enter the

IP address for your web server, https://192.168.X.1.


Note: make sure to put an s at the end of http.

STATE: Make sure to put an s at the end of http or it wont work.

2. On the Security Alert dialog, click Yes to accept the digital

certificate.
3. On the login dialog, enter your user name, admin, and press TAB. 4. Enter your password, iss123+, and press ENTER. 5. If the Hostname Mismatch message dialog or any other message

dialogs appear, click Yes or OK to bypass them.


6. You may be prompted to log in a second time. If so, on the login

dialog, enter your user name, admin, and press TAB.


7. Enter your password, iss123+, and press ENTER. 8. Click No to bypass the Getting Started Guide.

Notes

Integrated Security Appliance

9-7

Module 9: Routing Mode


9. Click the Launch Proventa Manager button.

The Proventa Manager interface appears.


10. Take over the session (yours died when you reconfigured the

appliance).

Notes

9-8

Integrated Security Appliance

Module 9: Routing Mode

Routing Mode
Slide 170

Introduction
When your appliance is in Routing Mode, it routes and filters traffic according to its firewall, VPN and NAT-ing rules, accordingly modifying source and destination information in the IP packet header. Each interface has its own IP address and must be in different collision domains. When you power on an appliance in routing mode, required access policies to allow traffic through the appliance are disabled by default but for the traffic coming from the Corporate network.

Slide 171

When to use Routing Mode


You will use routing mode when: You need and additional routing and filtering device. You want to protect servers receiving traffic from untrusted sources. You want to create VPN tunnels.

Slide 172

Features Available only in Routing Mode


The following features are available in Proventa Manager when the appliance is in Routing Mode: VPN NAT DHCP Server & DHCP Relay OSPF Certificates High Availability

Notes

Integrated Security Appliance

9-9

Module 9: Routing Mode

Returning to Transparent Mode


You can use the Proventa Setup Assistant to configure a new appliance for transparent mode, or you can switch between routing mode and transparent mode after you install the appliance on your network.

Slide 173

Prerequisites and Recommendations


You will want to be sure that you do the following before you switch your appliance to transparent mode: Have a router infrastructure in place on your network Place the appliance behind a router, and do not connect the appliance directly to the Internet in transparent mode

Slide 174

Configuration Tasks
To complete Transparent Mode settings, you must do the following: Configure the CORPTRANS Dynamic Address Configure Transparent Mode management settings Edit the Transparent Mode external interface Configure the Transparent Mode internal interfaces

Notes

9-10

Integrated Security Appliance

Module 9: Routing Mode Again, ISS recommends that you use the Proventa Setup Assistant to configure initial settings for Transparent Mode on your appliance. Use the following tasks to configure Transparent Mode if you switch modes after initial configuration: Task
1

Description
On the Firewall/VPN Dynamic Addresses Page, create a Dynamic Address List that contains the static IP address that you will use as the virtual management IP address associate the new Dynamic Address List with the CORPTRANS Dynamic Address Name. Important: The static IP address must be in the subnet that you defined as the CORPTRANS Dynamic Address Name in the IP Address field on the Network Configuration Management tab. Create a system backup of your appliance in Routing Mode. Important: A system backup is a safety net to preserve your system configuration until you are sure that your appliance is working correctly in Transparent Mode. After you are sure that your appliance is working correctly in Transparent Mode, create another system backup. Create and save a settings snapshot of your appliance in Routing Mode. Important: If you switch from Transparent Mode to Routing Mode, the appliance reverts to default settings. After you switch to Routing Mode, you can apply a settings snapshot to restore your appliance settings. Select one of the following options from the Action to Take When Changing Modes area: Reboot Halt Select Transparent Mode from the Network Mode list on the Network Configuration Page. Configure appliance management settings on the Management tab. Make sure that the external interface is enabled on the External Interface tab. On the Internal Interfaces tab, configure the internal interfaces to allow network segments.

5 6 7 8

Notes

Integrated Security Appliance

9-11

Module 9: Routing Mode Task


9 10

Description
Click Save Changes. The appliance halts or reboots, depending on the option you selected. Close your Web browser, and then restart the browser to access Proventa Manager with the virtual management IP address that you configured. Important: You must access the appliance from an IP address in the same subnet as the appliance. After the appliance powers up in Transparent Mode, you can modify access policies to allow HTTPS traffic from other subnets to allow you to manage the appliance from an IP address outside the subnet. View the Transparent Mode access policies on the Firewall/VPN Settings Access Policy tab to allow network traffic through the appliance, and make sure that the policy settings are appropriate for your appliance. View the configure Layer Two protocol access rules on the Firewall/ VPN Settings Layer Two Access Control tab, and make sure that the protocol rule settings are appropriate for your appliance. You must add any routers that bracket the M appliance. If needed, configure local routers on the Firewall/VPN/Settings/ Local Routers tab.

11

12

13

Notes

9-12

Integrated Security Appliance

Module 9: Routing Mode

Switching Between Routing and Transparent Modes


Slide 175

Introduction
This section describes how to switch your appliance operation between Routing and Transparent modes.

Considerations
You will want to consider the following before you switch network modes:

POINT OUT: We will not do a change of operation mode from Routing to Transparent mode.

If you switch from routing to transparent mode, you must define the Transparent Mode settings before you click Save Changes. After the appliance reboots in transparent mode, you must use the management virtual interface to access Proventa Manager. You must create a Dynamic Address List that contains the static IP address that you will use as the virtual management IP address

Slide 176

You must associate the new Dynamic Address List with the CORPTRANS Dynamic Address Name
Note: The static IP address must be in the subnet that you defined as

the CORPTRANS Dynamic Address Name in the IP Address field on the Network Configuration Management tab. You are not required to enable full transparency for advanced firewall ALGs to run your appliance in transparent mode. You can use tuning parameters to enable or disable full transparency for firewall ALGs when your appliance is running in routing mode, but any firewall ALGs that you are using become fully transparent when your appliance is running in transparent mode.

Notes

Integrated Security Appliance

9-13

Module 9: Routing Mode

Slide 177

What Happens when I Switch to Transparent Mode?


The appliance does the following when you switch to Transparent Mode: Drops all VPN and NAT connections Becomes inaccessible outside the subnet, so that you must access the appliance from inside the subnet
Note: If you are using Proventa Manager, you can create a static

route from another subnet to the virtual management IP address to manage the appliance in Transparent Mode.

How to Switch Modes


To switch between Routing and Transparent Mode:
1. Select the following nodes:

ConfigurationSystemNetworkInterfaces .
2. In the Action to Take When Changing Modes area, select one of the

following:

Reboot Halt

3. In the Network Mode area, select Transparent Mode of the

following from the list.


4. Click Save Changes. The appliance reboots or halts, depending on

the option you chose in Step 3.


Caution! If you selected the Halt option, wait until Power down

appears at the command line before you press the power button to turn off the appliance.

Notes

9-14

Integrated Security Appliance

Module 9: Routing Mode

Routing Mode Configuration Settings


Slide 178
Additionally to the settings available in Tranparent mode, you will use System settings to configure routing, firewalling and all those feature that require the appliance to be visible (layer 3) in the network.

System Status
POINT OUT: It has different content than in Transparent mode.
When you click on the System node, the System Status page appears, displaying statistics for memory usage, CPU usage, and the internal and external interfaces.

Caution: When you first click on any tab in Settings, you will get

warning message and login screens. You MUST say Yes to all prompts and log in again.

Notes

Integrated Security Appliance

9-15

Module 9: Routing Mode Once you click the System node in the navigation tree, the following subnodes are displayed: Appliance Access DHCP High Availability Networking

Interfaces OSPF Routing

Notification Passwords

STATE: We will now take a look at the subnodes we have not analyzed yet or have changed.

Services SiteProtector Time

Notes

9-16

Integrated Security Appliance

Module 9: Routing Mode

DHCP
Use the DHCP Configuration pages allow you to enable and configure the following: DHCP relay agent DHCP server, including DNS and WINS configuration DHCP advanced parameters In addition, you can view the current DHCP leases.

Notes

Integrated Security Appliance

9-17

Module 9: Routing Mode

DHCP Server Tab


This page allows you to: Enable the DHCP server Add an address range for a group of addresses Edit, copy or remove address ranges.

Notes

9-18

Integrated Security Appliance

Module 9: Routing Mode

Advanced Parameters Tab


This page allows you to: Enable the DHCP server Add an address range for a group of addresses Edit, copy or remove address ranges.

DHCP Lease History Tab


EXPLAIN: It indicates what IP addresesses have been leased and to what MAC addresses they have been leased.
This page allows you to view or copy DHCP leases.

Note: This window is available under the Status subtree.

Notes

Integrated Security Appliance

9-19

Module 9: Routing Mode

High Availability
In many environment, there is very little downtime tollerance, therefore the Integrated Security Appliance offers the possiblity to configure two systems in High Availability.

In this section you enable High Availability by determining the interface that will be connected to the second device, the timeout setting (per default 30 seconds), the secret phrase the two systems share and the virtual gateway IP address. The virtual IP addresses have to be defined in the bottom part of the window, together with the list of IP addresses to monitor and the list of Alternate Node Interfaces.

Advanced Parameters Tab


There may be instances in which high availability settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

Notes

9-20

Integrated Security Appliance

Module 9: Routing Mode

Networking
POINT OUT: Here the content is different than in Transparent mode.
The Network Configuration page houses configuration for the appliance network interface cards. This is the same data that you entered when you configured the Routing mode the appliance. You can alter that data here.

External Interface Tab


This page is where you can change the settings you configured for the External Interface when you installed the appliance:

Notes

Integrated Security Appliance

9-21

Module 9: Routing Mode

Internal Interface Tab


This page is where you can change the settings you configured for the Internal Interface when you installed the appliance.

This is also where you add interfaces such as DMZ as eth2 and above.

Notes

9-22

Integrated Security Appliance

Module 9: Routing Mode

OSPF
STATE: More info on OSPF is in the User Guide.
OSPF is an internal routing protocol used within autonomous systems, such as service provider networks, universities, and private companies. OSPF was developed to satisfy the need for a scalable, open-standards routing protocol for large IP networks. It is a link state protocol that provides highly efficient routing and fast convergence.

Router ConfigurationTab

Explain: Proventa M does not support other protocols like RIP. If you dont use OSPF as routing protocol, you can only configure static routes on the appliance. Work with your ISP to configure OSPF.

Notes:

The M appliance supports only OSPF. If does not support other routing protocols such as RIP. If you do not use OSPF as the routing protocol, then you can only configure static routes on the appliance. You should work with your ISP to configure OSPF. In order to use OSPF, you must configure some access policies to allow OSPF traffic. Consult your User Guide for more information concerning OSPF and your Proventa M.

Notes

Integrated Security Appliance

9-23

Module 9: Routing Mode

Area ConfigurationTab

An OSPF Area Configuration is a generalization of an IP subnetted network. Area Configurations accomplish the following: Make the network more manageable by enabling you to partition them into administrative domains. Reduce the amount of routing information that the appliance and neighboring routers. Allow the appliance and neighboring routers to maintain a link state database only for the Area Configuration where the device resides. The following steps have to be taken for each Area Configuration : Define the network area as a number, or as an IP address.

NOTE: A stub area cannot receive external advertisements (LSAs), which means RIP or static routes cannot be redistributed into this area.

Specify whether the Area Configuration is a stub area. Specify whether to use authentication for LSAs that the appliance and neighboring routers broadcast in the area

Notes

9-24

Integrated Security Appliance

Module 9: Routing Mode

Interface Configuration Tab

This is the node where OSPF Interface Configuration can be added, edited, copied, pasted, and removed.

Virtual Link ConfigurationTab

The appliance supports the use of virtual links between the appliance and neighboring routers that are not physically connected to the backbone Area Configuration. This virtual tunnel provides a logical path to the appliance through another Area Configuration that is

Notes

Integrated Security Appliance

9-25

Module 9: Routing Mode connected to both. This area is called the transit area. The virtual link must be configured both on the appliance and the remote router for the Area Configuration that provides the virtual link to the backbone.

OSPF Database
The OSPF database on your appliance contains the information about neighboring routers and the traffic status of the network. The appliance and other routers in the domain broadcast (LSAs) throughout the domain, and the routing devices use this information to form the database. The appliance and each router on the domain has an identical, synchronized database. The appliance and network routers each use the database to build a routing table by calculating a shortestpath tree, with the root of the tree being the device itself. In particular the fields shown are: OSPF Router ID Router Link States Net Link States Summary Link States

NOTE: ABSR=Autonomous System Boundary Router. An ASBR located between an OSPF autonomous system and a non-OSPF network.

ABSR-Summary Link State

OSPF Neighbors
The OSPF neighbors page allows you to have a more operational view of the neighboring routers and their status. In particular the fields shown are: Neighbor IP address Interface IP address The routers area and interface The assigned priority The state The state changes The Designated Router

Notes

9-26

Integrated Security Appliance

Module 9: Routing Mode The Backup Designated Router The number of seconds befor the neighbor is declared down

NOTE: Link Stated Advertisement

List of summary LSAs from the adjacent neighbor List of LSA requests from the adjacent neighbor List of LSA retransmission from the adjacent neighbor Thread Database Description Retransmition (On/Off) Thread Link State Request Retransmission (On/Off) Thread Link State Update Retransmission (On/Off)

Notes

Integrated Security Appliance

9-27

Module 9: Routing Mode

Maintenance Tools
You can now additionally use the options on the System Tools page to do the following:

NOTE: The features on this page are available only in Proventa Manager; you cannot perform these tasks from the SiteProtector interface.

Reset all existing firewall connections, and reload all Firewall/VPN policies Reconnect the PPPoE on the external interface Release and renew a DHCP lease for the external interface

Notes

9-28

Integrated Security Appliance

Module 9: Routing Mode

Module Review
Slide 179
You should now be able to:

Configure the appliance in Routing Mode. Describe Routing Mode functionality. Review how to switch to Transparent mode Discuss Routing Mode settings.
Review Objectives Ask: For additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

9-29

Module 9: Routing Mode

Notes

9-30

Integrated Security Appliance

3 hours

Firewalls

Module 10

About This Module


Slide 180

Purpose of this Module


The purpose of this module is to familiarize you with firewall technology and describe how to configure the Proventa M firewall to meet your organizations security needs.

Slide 181

Module Objectives
When you complete this module, you will be able to: Translate your security policy into firewall policies. Configure the Proventa M firewall. Create network objects. Create rules. Perform Network Address Translation (NAT)

Notes

Integrated Security Appliance

10-1

Module 10: Firewalls

Integrated Security Appliances Firewall


Slide 182

Proventas Interfaces
Proventa M appliances have up to eight interfaces:

INT0 (eth0)
This interface leads to your internal, trusted network. The internal LMI rule is the only one enabled by default.

EXT1 (eth1)
This external interface leads up-stream, usually towards the Internet. This is considered the untrusted side of your firewall.

EXT2 (eth2)
NOTE: The user can still use and configure their DMZ network on any eth port except INT0 or EXT1. If migrating, those polices will be migrated to eth2.
This interface can be configured as the DMZ. This is a network segment that is designated for publicly-accessed servers. The DMZ segment is treated differently, since the hosts on this network tend to be of both high value and high risk. They are high value because they are generally public-facing assets like your web servers and mail servers. They are high risk because you have to open these assets up to the entire Internet. If a security breach is going to occur, it will likely take place in the DMZ. That is why it is important to isolate these potential breaches to their own segment. These interfaces can also be configured as any other internal network interface (after the release of 2.2 they can be used for high availability).

EXT3-EXT7 (eth3-eth7)
These are all user-configured interfaces and their availability depends on the model to be configured.

Notes

10-2

Integrated Security Appliance

Module 10: Firewalls

Slide 183

Firewall Policies
Your firewall policy should be derived from your organizations toplevel security policy, specifically what is acceptable usage of your Internet connection - both inbound and outbound.

EXPLAIN: If you follow best practices and allow your organizations security policy to be derived from an ongoing vulnerability assessment plan, you will minimize the risks associated with opening up protocols through your perimeter firewall.

Your firewall policy should answer the following questions: What protocols and servers do you need to make available to the untrusted public? What protocols and servers do you need to make available to your trusted internal users? What protocols and servers do you need to make available to trusted users coming from the Internet (road warriors, partner organizations, etc.)? If you follow best practices and allow your organizations security policy to be derived from an on-going vulnerability assessment plan, you will minimize the risks associated with opening up protocols through your perimeter firewall.

Slide 184

Translating Your Organizations Security Policy


Your organizations security policy will need some translation to be implemented properly by your firewall. For instance, your users may be allowed to browse the web. This broad organizational policy must be thought of in terms of the specific traffic the firewall will see and translated into a rule the firewall can understand.

Notes

Integrated Security Appliance

10-3

Module 10: Firewalls

Slide 185

Access Policies
The Proventa appliance firewall uses access policies to prevent unwanted traffic from coming into and leaving your network.

NOTE: More about them coming up. Slide 186

You can use access policies together with NAT policies or port forwarding to customize the way your firewall handles network traffic.

Rule Order
In the Proventa M firewall, rule order is very important: Rules are applied in order and the packet is processed by the first rule it matches.

NOTE: Give an example of why rule order matters. Slide 187

Once you have created a list of rules, the appliance firewall compares network packets against each rule in descending order until it finds a rule that accepts or denies the packet. You can reorder your rules by moving them up or down in the list.

Implicit Denial Rule


The Proventa M has an implicit Deny All rule whereby if no rule accepts or denies a packet, then the packet is automatically denied. Packets denied by this implicit rule will show up as an alert rule Firewall rule not Found.

EXPLAIN: If you create deny rules for all networks and they are above enabled LMI access rules, you will lock yourself out of the box.

Notes

10-4

Integrated Security Appliance

Module 10: Firewalls

Configuring the Proventa M Firewall


Slide 188

Firewall Status Information


There are three types of statistics for which the Firewall/VPN Status displays data. Current Connections apply to the firewall.

There is a limit to the number of connections each interface will allow: Internal - 100,000 External - 100,000 Self - 100,000 External to Self - 4,999 Future sessions to or through the Proventa M will not be established once these limits are reached.

Notes

Integrated Security Appliance

10-5

Module 10: Firewalls

Slide 189

Network Objects
Your appliance uses information, such as IP addresses and ports, for several firewall (access policy) and VPN components. Instead of entering this data over and over again, Proventa M has Network Objects, which allow you to create object containers and then share this data across multiple components.

Types of Network Objects


There are five types of Network Objects:

NOTE: Self is a dynamic address.

Address Name Address Group Port Name Port Group Dynamic Address Name

Notes

10-6

Integrated Security Appliance

Module 10: Firewalls

Slide 190

Address Objects
Address objects are a shorthand, representing individual IP addresses, IP ranges, network IDs, and groups of IP addresses. Typical entries would include:

EXPLAIN: Network objects are stored on the Proventa M, not in SiteProtector. Slide 191

Your public web server Your internal network IP range of your administrative staff A group of back-end networks

Port Objects
You can use a network object to assign a name to a particular TCP or UDP service. Use the port name to create a firewall rule instead of specifying the protocol and port for the service.

STATE: Well dicuss dynamic addresses in a minute. Slide 192

Example: You can set up a port list entry, named "https," for the TCP

protocol on port 443. When you configure firewall rules, use the https port name entry for TCP traffic on port 443 instead of specifying the protocol and port number each time.

Advantages of Network Obejcts


There are several advantages to using network objects such as: Centralization of data entry in one location so you may make changes only to the network object instead of each instance of the data Easily recognized names for objects such as:

192.168.5.34 becomes Sales Web Server 192.168.5.35 - 192.168.5.45 becomes Atlanta Web Servers

Notes

Integrated Security Appliance

10-7

Module 10: Firewalls

Slide 193

Network Object Conventions


Here are things to remember about using network objects: The name of a network object has a limit of 24 characters. The name of a network object cannot contain blank spaces, dots, or special characters. You may use dashes and underscores. If you edit the name of a network object after saving it, any links to other network objects or policies are broken. You must go back and re-establish the connections using the new name. You can nest groups, so that one group can contain other groups or names.

Slide 194

Dynamic Objects
There are two types of dynamic network objects: Dynamic Address Names - Containers to be used in firewall rules, they provide one name with which you can associate unique dynamic address lists across multiple appliances in your Site.

EXPLAIN: You can only set up dynamic names on the device itself. Dynamic addresses can be used to represent multiple IP addresses. Create them at the top level so they will be available to all Ms in your site.

Dynamic Address Lists - Defining what is in the container in each individual appliance, lists contain addresses specific to an appliance that are associated with a shared dynamic address name. Each appliance has one or more Dynamic Address Lists that contain addresses specific to that appliance.

Note: Dynamic addresses can only be set up on the device itself.

Notes

10-8

Integrated Security Appliance

Module 10: Firewalls

Creating Dynamic Objects


You first create the Dynamic Address Name, and then define the Dynamic Address List for the appliance. You can share a Dynamic Address Name among appliances but associate individual addresses for each appliance in its Dynamic Address Lists.
Important: If you remove a Dynamic Address List that is associated

with other firewall components, those associations are also removed. To restore those associations, you must manually associate those network objects with another Dynamic Address List or other network object.

Copying Lists
You can copy and paste a Dynamic Address List before editing it. This is useful if you want to add an entry that is similar to an entry already in the list.

Notes

Integrated Security Appliance

10-9

Module 10: Firewalls

Slide 195

Lab: Creating Network Objects


Complete the following exercise to create address name entries.

Exercise 34

Creating Address Name Objects


Partner 1 will now create four Address List entries. To do so:
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationObjectsNetwork

Objects node.
3. In the right pane, select the Address Names tab. 4. Click Add. The Add Address Name window appears. 5. Enter the following values: Item Name Comment Single IP Address IP Address 6. Click OK. 7. Click Add. 8. Enter another address name using the following values: Item Name Comment Network Address/ Network Bits (CIDR) IP Address/Mask 9. Click OK. Select/Enter int_net Internal Network Select 192.168.X.0 / 24 Select/Enter www Web Server on Partner 1 Select Your IP address: 192.168.X.101

Notes

10-10

Integrated Security Appliance

Module 10: Firewalls


10. Click Add. 11. Enter another address name using the following values: Item Name Comment Single IP Address IP Address 12. Click OK. 13. Click Add. 14. Enter another address name using the following values: Item Name Comment Network Address/ Network Bits (CIDR) IP Address/Mask Select/Enter int_neighbor Internal Network Partner 1 neighbor Table Select Your neighbors network address: 192.168.N.0 / 24 Select/Enter www_neighbor Web Server on Partner 1 of neighbor Table Select Your neighbors address: 192.168.N.101

15. Click OK. 16. Click Save Changes to update.

Notes

Integrated Security Appliance

10-11

Module 10: Firewalls

Creating Access Policies


Slide 196

Proventa M Firewall Tabs


There are eight tabs in the Firewall/VPN area, but only five of them apply to firewalls. The tabs below correspond to Proventa M firewall components:

The following table describes these tabs:


Component Access Policies NAT Policies Description Define firewall rules that prevent unwanted traffic from coming into and leaving your network Define how the firewall translates IP addresses for inbound and outbound network traffic when you enable NAT Defines how the appliance notifies you of events Controls which direction the appliance scans network traffic for viruses and spam email Used to allow all traffic destined between a group of hosts or networks to bypass security checking, when only one direction of the connection passes through the appliance. Include firewall and VPN advanced parameters

Event Notification Advanced Firewall ALG Policy Assymetric Redirection

Advanced Parameters

Notes

10-12

Integrated Security Appliance

Module 10: Firewalls

Slide 197

The Proventa M Access Policy

Access policies contain the firewall rules that define how your firewall responds to network traffic. An access policy applies to both inbound and outbound traffic on your network.EXPLAIN:

The checkboxes can be enabled from the main screen, and most of the fields are editable.

Were now going totalk about Proventas firewall policies and then configure the firewall.
Notes:

POINT OUT: The checkboxes can be enabled from the main screen and most of the fields are editable here. EXPLAIN: Policies are not active until you enable them.

You can add an access policy to the list without enabling it, but the policy is not active. You must enable the policy before the appliance applies it to traffic on your network. You can use access policies together with NAT policies or port forwarding to customize the way your firewall handles network traffic.

Notes

Integrated Security Appliance

10-13

Module 10: Firewalls

Creating an Access Rule


STATE: Lets discuss the tabs while I demonstrate how to create a rule. You have the steps to follow along.
Here are the steps for creating a rule:
1. In the left pane of the Policy Editor, select ConfigurationFirewall. 2. In the right pane, on the Access Policy tab, click Add. The Add

Access Policy window appears.

Note: If you select a rule before clicking Add, the new rule that you

create is added above the selected rule. If no rule is selected, the new rule is added to the bottom of the list.
Note: Adding a rule without changing any options will create a rule

that drops all traffic.


3. Select Enabled.

Notes

10-14

Integrated Security Appliance

Module 10: Firewalls


4. Select Allow. 5. To allow log records to be written when the rule is applied to a

packet, select Log Enabled.


Note: If the Log Enabled box is selected, the Proventa M

appliance will create an entry in the system logs for packets that match the rule. The alert name is either Firewall_Deny_Rule or Firewall_Allow_Rule Contents display the flow information of the packet (Source IP/ Port, Destination IP/Port, Protocol)
6. Enter a meaningful description in the Comment field. 7. Select the Protocol tab. 8. Select a protocol for the network packet. 9. Select the Source Address tab. 10. Select a source IP address or addresses in the Source Address area. 11. Select the Source Port tab. 12. Select a source port. 13. Select the Destination Address tab. 14. Select a destination IP address or addresses in the Destination

Address area.
15. Select the Destination Port tab. 16. Select a destination port in the Destination Port area. 17. Click OK.

Notes

Integrated Security Appliance

10-15

Module 10: Firewalls

Slide 198

Deprecation
If you update your appliance to the current firmware version from older versions, the appliance automatically migrates existing firewall settings. After the appliance migrates firewall settings from some older versions, firewall rules contain settings that are deprecated. They exist so that you can continue using your old rules. If an access policy has deprecated settings, then a check mark appears for that policy in the Deprecated column of the Access Policy table, and the settings are indicated on the Deprecated tab.

Slide 199

Reordering Your Rules


To rearrange the order of your rules once they are created:
1. Select a rule. 2. To move the rule up in the list, click the Up arrow. 3. To move the rule down in the list, click the Down arrow.

Notes

10-16

Integrated Security Appliance

Module 10: Firewalls

Lab: Configuring your Firewall


Slide 200

Introduction
You have a web server that you want to make publicly available. You also want to protect this server with the Proventa M. You will deploy the Proventa M to make HTTP, HTTPS, and SMTP publicly available (to the rest of the class). You will also allow FTP, but only to a trusted neighbor (your neighbor in the class). As a review, here is the class topology:

Notes

Integrated Security Appliance

10-17

Module 10: Firewalls

Exercise 35

Enable Partner 2 to connect to Proventa Manager


Partner 1
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationFirewall node. 3. In the right pane, on the Access Policy tab, click Add. The Add

Access Policy window appears.


4. By selecting the available tabs, enter an inbound rule for HTTP

using the following values:


Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Partner 2 IP: 192.168.Y.101 Select/Enter Select Allow Select Enable Partner 2

Source Address Single IP Address Source Port Destination Address Any Self

Destination Port Specific Network Objects Add OK 5. Bring the rule to the top (Rule 0). 6. Click Save Changes to validate and apply your updates. HTTPS, SSH

Partner 2
1. Connect to the Proventa Manager. 2. Take over the management of the Integrated Security Appliance.

Notes

10-18

Integrated Security Appliance

Module 10: Firewalls

Exercise 36

Testing your Firewalls Access


Before you configure your firewall, try to access the neighbor tables Partner 1 web site: Partner 1
1. Open a new web browser window. 2. Enter the neighbor tables Partner 1 web server address: http://

192.168.X.101.
3. Press ENTER.

You will find that you cant access it because no firewall rules have been put in place. If the routing exercise was completed successfully you will have an alert from Proventa M with Service Unavailable. If this is not the case, please review your routing settings.
4. Close this browser window.

Exercise 37

Creating Inbound Rules


You will now create the following rules: Inbound policies allowing any source IP address access to your web servers IP address for HTTP, HTTPS, and SMTP. An inbound policy allowing your neighbors source IP address access to your web servers IP address for FTP.

Notes

Integrated Security Appliance

10-19

Module 10: Firewalls

NOTE: Instead of Ingress and Egress, Inbound and Outbound are the terms used in this guide because they match the interface and Help. Feel free to refer to them as you wish. EXPLAIN: When selecting ports, you must leave the protocol as Any if you are using Network Objects for the port definitions. Otherwise, you will receive errors when the policy is applied.

To create these rules, Partner 2 do the following:


1. Connect to the Proventa Manager if no longer connected. 2. Position yourself on the ConfigurationFirewall node. 3. In the right pane, on the Access Policy tab, click Add. The Add

Access Policy window appears.


4. By selecting the available tabs, enter an inbound rule for HTTP

using the following values:


Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Select/Enter Select Allow Select Allow inbound HTTP, HTTPS and SMTP

Source Address Any Source Port Destination Address Any Specific Network Objects Add OK Destination Port Specific Network Objects Add Add Add OK 5. Click OK. 6. Click Add. HTTP HTTPS SMTP www

Notes

10-20

Integrated Security Appliance

Module 10: Firewalls


7. Enter an inbound rule for FTP using the following values: Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Select/Enter Select Allow Select Allow inbound FTP from neighbor

Source Address Specific Network Objects Add OK Source Port Destination Address Any Specific Network Objects Add OK Destination Port Specific Network Objects Add OK 8. Click OK. 9. If the HTTP rule is not already at the top of the 2 rules you created, FTP www int_neighbor

select it and move it to the top using the up arrow.

Exercise 38

Creating Outbound Rules


You will now do the following: Disable the default outbound rule, Corporate (Any, Any, Allow). Create outbound rule allowing your local client source IP address access to the rest of the class for HTTP, HTTPS, and SMTP.

Notes

Integrated Security Appliance

10-21

Module 10: Firewalls Create an outbound rule allowing your local client source IP address access to your neighbors web server IP address for FTP. To create these rules, do the following:
1. First, delete the default outbound rule. To do so, click on the default

rule, (CORP, any, any, any, any, Allow), and clean the Enabled check box.
2. Click Add. The Add Access Policy window appears. 3. Enter an outbound rule for HTTP using the following values: Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Select/Enter Select Allow Select Allow outbound traffic for www

Source Address Specific Network Objects Add OK Source Port Destination Address Any Any www

Destination Port Specific Network Objects Add OK 4. Click OK. 5. Click Add. HTTP, HTTPS, SMTP, DNS_namequery and DNS_zonetft

Notes

10-22

Integrated Security Appliance

Module 10: Firewalls


6. Enter an outbound rule for FTP using the following values: Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Select/Enter Select Allow Select Allow outbound FTP to neighbor

Source Address Specific Network Objects Add OK Source Port Destination Address Any Specific Network Objects Add OK Destination Port Specific Network Objects Add OK 7. Click OK. 8. Ensure the HTTP rule is at the top of the 2 rules you just created. 9. Click Save Changes to validate and apply your updates. FTP int_neighbor www

Notes

Integrated Security Appliance

10-23

Module 10: Firewalls

Exercise 39

Re-Test your Firewalls Access


Both partners
1. Copy the follwing files in the c:\inetpub\wwwroot directory:

default.htm logo_splash.gif EducationSvcsReversed.gif

You can modify the default.htm as you like; it will make it easier to understand which web server you are accessing. Partner 1 now can try to access neighbors Partner 1 web site:
1. Make sure that your neighbor has completed the previous exercises. 2. Open a new web browser window. 3. Enter your neighbors web server address: http://192.168.N.101. 4. Press ENTER.

A page will appear that says Welcome to our Website, indicating that you have accessed your neighbors site. You can access it because firewall rules have been put in place.
5. Close this browser window.

Notes

10-24

Integrated Security Appliance

Module 10: Firewalls

Network Address Translation


Slide 201

Introduction
With IP addresses becoming scarce and expensive, Cisco developed Network Address Translation (NAT) to allow a single device such as a firewall, router, or Proventa appliance to act as an agent between an internal (or private) network and the public network (Internet). NAT allows the appliance to translate your non-routable IP addresses to routable ones, so that computers inside your network can use the Internet to communicate with outside computers and servers.

STATE: Well now discuss NAT and NAT lists. Slide 202

The device "translates" public and private IP addresses so that one public IP address can represent an entire group of computers with private IP addresses. RFC 1918 provides three reusable address ranges that are available to anyone: 10.0.0.0 - 10.255.255.255 (Class A) 172.16.0.0 - 172.31.255.255 (Class B) 192.168.0.0 - 192.168.255.255 (Class C)

NOTE: Give an example of on the board.

Addresses in these ranges can be used without fear of conflict with another network using the same address range. The only drawback is that, in order to avoid conflicts, these addresses are not routable on the Internet without network address translation. NAT enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. If you use nonroutable IP addresses in your internal network, you must use NAT to translate those addresses into one or more routable addresses.

Notes

Integrated Security Appliance

10-25

Module 10: Firewalls

Slide 203

How Proventas NAT Works


Here is how the Proventa Ms NAT works:
Stage 1 Description Set up an internal network (or stub domain) with non-routable IP addresses. These addresses are non-routable because they are not unique. Place a Proventa appliance on your network. Set up NAT, and use the routable IP addresses allocated to you by your ISP as the local addresses on your appliance. These are the external addresses visible to the public network. A computer on your network attempts to communicate outside the network, and the appliance intercepts the packet. The appliance checks the address translation table for the destination address. Note: In a NAT policy, you can define which destination addresses the appliance accepts. You can specify single addresses, groups or ranges of addresses, or all addresses. The appliance does one of the following: If the appliance finds an entry for the destination address, then it translates the original IP address in the packet to a routable IP address, and forwards the packet to its destination outside the network. 7 If the appliance does not find an entry for the destination address, it drops the packet.

2 3

4 5

When a packet comes back from the destination computer, the appliance checks the address translation table for the incoming address on the packet to determine which computer inside the network should receive the packet. If the appliance finds a match in the table, it translates the incoming address to the non-routable internal address, and forwards the packet to the computer inside the network. The process repeats as long as the internal computer is communicating outside the network.

Notes

10-26

Integrated Security Appliance

Module 10: Firewalls

Slide 204

Below is the NAT Policy screen.

Slide 205

Configuring NAT
There are two kinds of NAT rules: Source Destination

Source NAT Rules


DEMONSTRATE: Use the default rule, hide as eth1 to demonstrate Source NAT. EXPLAIN: You can only NAT outbound for Source NAT rules.
Source NAT rules translate source addresses for all outbound traffic. The source address is removed and replaced by the firewalls external interface -- eth1. To add a Source NAT Rule:
1. In the left pane of the Policy Editor, select ConfigurationFirewall. 2. In the right pane, select the NAT Policy tab. 3. Select the Source NAT Rules tab. 4. Click Add, and the Add Source NAT Rules window appears. 5. Enter a meaningful name for this entry in the Name field.

Notes

Integrated Security Appliance

10-27

Module 10: Firewalls


6. Select the Enabled check box. 7. Enter a meaningful description of the policy in the Comment field. 8. Select the Protocol tab, and then select a protocol. Note: If you specify a port value, you must select TCP or UDP. 9. Select the Source Address tab, and then select a source IP address or

addresses.
10. Select the Destination Address tab, and then select a destination IP

address or addresses.
11. Select the Destination Port tab, and then select a destination port. 12. Select the Translated Address tab: 13. Click OK.

Slide 206

Destination NAT Rules


Destination NAT rules serve a number of functions: They translate routable IP addresses to internal, non-routable IP addresses for incoming network traffic.

EXPLAIN: You can only NAT inbound for Destination NAT rules.

They prevent non-routable IP addresses in your network from appearing to users outside the network. They translate the destination port of a TCP or UDP packet to another port. In the Proventa M, you will use Destination NAT Rules to configure NAT for inbound network traffic.

Notes

10-28

Integrated Security Appliance

Module 10: Firewalls

Lab: Creating Destination NAT


Slide 207

Introduction
You will now configure a destination NAT rule which masks your actual web server address. To do so, you will need to create the following: A destination NAT rule which creates a translated address, <LAN>.X9, for your web server A firewall access policy which allows traffic to the new, translated address

Exercise 40

Configuring Destination NAT Rules


To reach your web server at a routable IP address: Partner 2 - To add a Destination NAT Rule:
1. Connect to the Proventa Manager. 2. Position yourself on the ConfigurationFirewall node. 3. In the right pane, select the NAT Policy tab. 4. Select the Destination NAT Rules tab. 5. Click Add, and the Add Destination NAT Rules window appears. 6. Enter your destination NAT rule with the following settings: Tab Main Select/Click Name Enabled Comment Protocol Any Select/Enter valid_ip_webserver Select nat for webserver Partner 1

Source Address Any Destination Address Single IP Address NAT address: <LAN>.X9 80

Destination Port Single Port

Notes

Integrated Security Appliance

10-29

Module 10: Firewalls


Tab Translated Address 7. Click OK. Select/Click Single IP Address Select/Enter Partner 1 IP address: 192.168.X.101

Exercise 41

Adding an Access Rule for the Translated Address


To add the access rule for your new, translated address:
1. Position yourself on the ConfigurationFirewall node. 2. In the right pane,on the Access Policy tab, click Add. The Add

Access Policy window appears.


3. Enter your access rule for the translated address with the following

settings:
Tab Main Select/Click Enabled Action Log Enabled Comment Protocol Any Select/Enter Select Allow Select Access rule for NAT

Source Address Any Source Port Destination Address Any Single IP Address Partner 1 NAT address: <LAN>.X9 HTTP

Destination Port Specify Network Object 4. Click OK. 5. Click Save Changes to update.

Notes

10-30

Integrated Security Appliance

Module 10: Firewalls

Exercise 42

Testing your Firewalls Access


Try to access Partner 1s web on the neighbor table with the new NAT address:
1. Make sure that Partner 1 on the neighbor table has completed the

previous exercises.
2. Open a new web browser window. 3. Enter his web server address: http://<LAN>.X9/. 4. Press ENTER.

A page will appear that says Welcome to our Website, indicating that you have accessed your neighbors site. You can access it because NAT rules have been put in place.
5. Close this browser window.

Exercise 43

Configuring Source NAT Rules


Partner 1: To reach Partner 2s web server.
1. Open your web browser and try to reach Partner 2s web server

(http://192.168.Y.101/).
2. You will obtain the message that The page cannot be displayed.

To modify the default Source NAT Rule:


1. Connect to the Proventa Manager. 2. Take over the management of the Integrated Security Appliance if

necessary.
3. Position yourself on the ConfigurationFirewall node. 4. In the right pane, select the NAT Policy tab. 5. Select the Source NAT Rules tab. 6. Click Add, and the Add Source NAT Rules window appears.

Notes

Integrated Security Appliance

10-31

Module 10: Firewalls


7. Enter your destination NAT rule with the following settings: Tab Main Select/Click Name Enabled Comment Protocol Any www Select/Enter no_NAT_to_partner2 Select Disable NAT towards Partner 2

Source Address Address Name Destination Address

Network Address / Partner 2s Network: 192.168.Y.0/24 #Network Bits (CIDR)

Destination Port Any Translated Address 8. Click OK. 9. Select the new rule as use the Arrows to position it above the default Do Not Translate

Hide rule.
10. Click Save Changes to update.

Exercise 44

Verify the Disabled NAT Rule


1. Open a new web browser window. 2. Enter partner 2s web server address: http://192.168.Y.101/. 3. Press ENTER.

A page will appear that says Welcome to our Website, indicating that you have accessed your neighbors site. You can now access it because NAT has been disable withing the 2 networks of the appliance.

Notes

10-32

Integrated Security Appliance

Module 10: Firewalls

More Firewall Functionality


Slide 208

Event Notification
This page is specific to the firewall/VPN module. This notification page allows you to choose the events you want to be notified of.

TRANSITION: Now lets look at the rest of the tabs.

Event Messages
You can configure the types of messages that the firewall writes to the log file. There are two types: Alert General

CAUTION: Do not turn on Access Statistics. It will log every packet and be a huge performance hit.

Alert Messages Alert Messages notify you of security-related events: Syn Flooding Ping of Death IP Spoofing Invalid Packets General Attacks

Notes

Integrated Security Appliance

10-33

Module 10: Firewalls General Messages General messages are events that are related to the following aspects of your network: Status of the firewall or firewall activity Network or system activity User activity Level of detail in messages written to the log file There are three event notification options from which to choose: Alert Logs Alert emails Alert SNMP traps Enabling alert logging for alert or general events will flag those log entries to be listed in the Alert Log. If you would also like to receive an email or SNMP trap, you can enable those options here.

Slide 209

Advanced Firewall ALG Policy


ALG policies are default rules that have to remain in place for AV, web filtering and antispam functionality. You will want to keep them enabled.

Explain: The ALG policies have to remain in place for AV, web filtering and antispam functionality. You will want to keep them enabled.

Notes

10-34

Integrated Security Appliance

Module 10: Firewalls

Slide 210

Asymteric Redirection
Asymmetric redirection allows you to bypass security functionality on the M by allowing out-of-state traffic to pass through the appliance. In addition, the M will send ICMP redirect messages if needed. Here is an example:

Caution: ISS recommends that you use the Asymmetric Redirection

feature on your appliance ONLY if your network contains a mix of internal hosts and routing devices that rely on ICMP Redirect for proper routing.

Notes

Integrated Security Appliance

10-35

Module 10: Firewalls

Advanced Parameters
There may be instances in which the firewall settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

Note: Before configuring a firewall advanced parameter, refer to the

Appliance User Guide for more information about advanced parameter names and values.

Notes

10-36

Integrated Security Appliance

Module 10: Firewalls

Module Review
Slide 211
You should now be able to:

Translate your security policy into firewall policies. Configure the Proventa M firewall. Create network objects. Create rules. Perform Network Address Translation (NAT).
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

10-37

Module 10: Firewalls

Notes

10-38

Integrated Security Appliance

2 hours

Configuring the VPN

Module 11

About this Module


Slide 212

Purpose of this Module


The purpose of this module is to familiarize you with configuring a virtual private network on the Proventa M.

Slide 213

Module Objectives
When you complete this module, you will be able to: Configure a virtual private network for site-to-site connectivity using the VPN Wizard. Configure a virtual private network for client-to-site connectivity using the VPN Wizard.

Notes

Integrated Security Appliance

11-1

Module 11: Configuring the VPN

Introduction
This module walks you through adding site-to-site and client-to-site VPN configurations. We will also discuss the radius client page, certificates, and advanced parameters as they relate to VPNs.

Slide 214

VPN Status Information


Firewall/VPN module status holds the Security Association information for your VPN.

Notes

11-2

Integrated Security Appliance

Module 11: Configuring the VPN IKE SA information statistics are described in the following table:
Statistic Policy Name State Description The name of the policy in use in one or more VPN connections. The current state of the policy. The possible states are as follows: Unused states (indicate that the policy is not in use) INIT_IDLE RESP_IDLE Transient states (indicate that IKE negotiations are occurring) Note: These states may last for a few seconds only. MM_SA_WAIT AM_SA_WAIT RESP_KE_WAIT INIT_KE_WAIT RESP_ID_WAIT INIT_ID_WAIT HASH_WAIT

Established states (indicates that IKE SA is established) SA_MATURE IPSEC SA count The total number of SAin and SAout.

Notes

Integrated Security Appliance

11-3

Module 11: Configuring the VPN

VPN Checklist
This checklist is helpful when gathering information you need before configuring your VPN tunnel.

EXPLAIN: This checklist is for you to use when you get back to work.

Proventa M series Unit A External IP address


__________________________

Proventa M series Unit A Internal IP Address


_____________________________

Subnet A IP address/mask
_____________________________

SoftRemote clients IP address


_____________________________

Preshared key (minimum of 16 characters)


________________________________

Note: Use signed certificates identifying the Proventa M series

appliance and SoftRemote client for better security.

IKE Phase 1 (Main Mode) Authentication __MD5 __SHA1 IKE Phase 1 Encryption __3DES __DES __AES IKE Phase 1 Key Lifetime Seconds ____________________________ IKE Phase 1 Key Lifetime Kbytes _____________________________ IKE Phase 1 Diffie-Hellman Group __ Group1 __ Group2 __
Group5

IKE Phase 2 (Quick Mode) Authentication __ MD5 __ SHA1 IKE Phase 2 Encryption ___ 3DES __ DES __ AES IKE Phase 2 Key Lifetime Seconds ____________________________ IKE Phase 2 Key Lifetime Kbytes _____________________________ IKE Phase 2 Diffie-Hellman Group ___ None ___ Group1 ___
Group2 ___ Group5

Firewall Policies Notes

11-4

Integrated Security Appliance

Module 11: Configuring the VPN

VPN Wizards
Introduction
VPN wizards simplify the task of creating VPNs between your M Series appliance and various VPN clients. The wizard uses the information you provide to automatically create required firewall rules and other settings.
Note: The wizards contain default settings that are optimized for most networks. ISS recommends that you accept the default settings.

Slide 215

Types of wizards
There are three VPN Wizards that will help you create the VPN connections for your appliance:

Slide 216

The following table describes each wizard:


Wizard SoftRemote VPN Client to M Series Wizard M Series to M Series Wizard Description Creates a VPN connection to the M Series appliance for users who connect remotely using a SoftRemote VPN client. Creates a VPN connection to the M Series appliance for another M Series appliance. This wizard only creates the VPN connection for its appliance. You must use each appliance's wizard to establish the VPN connection.

Notes

Integrated Security Appliance

11-5

Module 11: Configuring the VPN


Wizard W2K and XP to M Series Wizard Description Creates a VPN connection for users who connect remotely using a Windows 2000 or XP VPN client.

Slide 217

What is Created by the Wizards?


After you complete the wizard and click Save Changes, the wizard creates Access and IPSEC policies for the VPN connection. This wizard creates the following: One IPSEC policy Two Access policies

Slide 218

Rules for using VPN wizards


Remember the following rules when you use the VPN wizards: You must save your changes and update before the appliance can create the VPN tunnel.

Explain: Once you complete the wizard and establish your connections, you will want to fine tune the policies that were created. The wizard rules grant all access between the two networks.

Use the wizards to create the VPN connection. To edit the VPN connection, you must manually edit individual firewall rules, security gateways, or network objects created by the wizard. To remove the VPN connection, you must remove individual firewall or IPSEC rules created by the wizard.

Notes

11-6

Integrated Security Appliance

Module 11: Configuring the VPN

Lab: Configuring the VPN for Site-to-Site Connectivity


Slide 219

Introduction
You will now use the M-to-M VPN wizard to connect your appliance to your neighbors. You will also go back to your Access Policy to see the additions that have been made by the wizard.

Exercise 45

Use the M Series to M Series Wizard


To monitor the creation of the tunnel Partner 1 do the following:
1. StartRun..., type cmd and press ENTER. 2. Type ping -t <your neighbors IP address on the other table>

(192.168.N.101) You will see that you wont be able to reach it. Let the ping run while you continue the exercise. Partner 2:
1. Connect to the Proventa Manager. 2. Take over the management of the Integrated Security Appliance if

necessary.
3. Position yourself on the VPNWizardM Series to M Series. 4. Select the General tab and enter the following settings: Select Name Log Enabled Select/Enter VPN_2_<your neighbors table number> Selected

5. Select the Local Network tab and enter the following settings: Select Network Address/ #Network Bits Select/Enter Partner 1 network address: 192.168.x.0 / 24

Notes

Integrated Security Appliance

11-7

Module 11: Configuring the VPN


6. Select the Remote Network tab and enter the following settings: Select Network Address/ #Network Bits Select/Enter Your neighbors Partner 1 network address: 192.168.N.0 / 24

7. Select the VPN tab and configure the following security gateway

settings:
Select Select/Enter

Create New Auto Select Key Security IPSEC... Name Local Address Remote IP Address Remote ID IP Address Authentication Mode Preshared Key <Your neighbors table number>_IKE Your external address: <LAN>.X0 Your neighbors external address: <LAN>.N0 Static Address <LAN>.N9 Pre-shared Key 123456789abcdefg

8. Click Save Changes.

INSTRUCTOR: Walk through the policy which was created by the wizard.

Once both you and your neighbor have completed your VPN configuration, the ping will succeed through the tunnel.

Notes

11-8

Integrated Security Appliance

Module 11: Configuring the VPN

Lab: Configuring the VPN for Client-to-Site Connectivity


Slide 220

Introduction
There are two things that must happen in order for a client-to-site VPN connection to be established:

EXPLAIN: You will configure the VPN for client-to-site connectivity with SR. I will then create a new connection for SoftRemote. Exercise 46

A tunnel for the VPN connection A connection for the new VPN tunnel, created specifically for the client system You will now configure the VPN for client-to-site connectivity with a SoftRemote client. The instructor will then create a new connection for SoftRemote.

Using the SoftRemote VPN Client to M Series Wizard


Partner 1:
1. Connect to the Proventa Manager. 2. Take over the management of the Integrated Security Appliance if

necessary.
3. Position yourself on the VPNWizardSoftRemote VPN Client to

M Series.
4. Enter the following settings: Select Comment Select/Enter SoftRemote to M

Logging Enabled Select Local Network IP Your network address: 192.168.x.0 / 24 Address/ #Network Bits Authenticate Peer Users Disabled

Notes

Integrated Security Appliance

11-9

Module 11: Configuring the VPN


Select New Security Gateway Name Select/Enter roadwarriors

Address Range1 10.1.2.1-10.1.2.254 Local IP Address Your firewalls external address: <LAN>.X9 Remote ID Authentication Type FQDN: xfeducation.local Preshared Key: 123456789abcdefg

5. Click Save Changes.

Demonstration: Creating a New Connection for SoftRemote


If you are using SoftRemote for your VPN connectivity, you must create a new connection for the VPN tunnel for the SoftRemote system. Your instructor will now demonstrate this creation.

Before you Begin


INSTRUCTOR: With the release of HA, the password requires a minimum lenght of 8 characters.
Your instructor will need to do a few things before he creates this connection:
1. Connect the host directly to the class network. 2. Change the IP address for his main interface to his firewalls

external IP address.
3. Install SafeNet with typical installation options. 4. After reboot open an cmd shell with ping -t <Student IP>.

Notes

11-10

Integrated Security Appliance

Module 11: Configuring the VPN

Creating the Connection


To create a Proventa M Series connection:
1. Select StartProgramsHighAssurance RemoteSecurity Policy

Editor.
2. In the Security Policy Editor, click the New icon (top left), and then

name the new connection Proventa M.


3. In the tree view, select the connection you just created. 4. In the Connection Security area, select Secure. 5. In the Remote Party Identity and Addressing area, configure the

following settings:
Item ID Type Subnet Mask Protocol Connect using ID Type Select/Enter IP Subnet Students IP Address, 192.168.X.0 255.255.255.0 All Enable and select Secure Gateway Tunnel Select IP Address and enter the students external IP Address: <LAN>.X9

Configuring the Security Policy


You must configure Aggressive Mode in the Security Policy settings before you can select certain specified settings under My Policy.
1. In the tree view, doubleclick Security Policy. 2. In the Select Phase 1 Negotiation Mode area, select Aggressive

Mode.
3. Enable Perfect Forward Secrecy with PFS Key Group set to Diffie-

Hellman Group 2.
4. Disable the Enable Replay Detection option.

Notes

Integrated Security Appliance

11-11

Module 11: Configuring the VPN

Configuring My Identity
1. In the tree view, select My Identity. 2. In the My Identity area, configure the following settings: Item Select Certificate ID Type Virtual Adapter Select/Enter None Select Domain Name and enter the domain name for the client: xfeducation.local Disabled

3. In the My Identity area, click the Pre-Shared Key button.

The Pre-Shared Key window appears.


4. Click Enter Key and enter the 16-character pre-shared key,

123456789abcdefg, then click OK.


5. In the Internet Interface area, select Any.

Configuring Authentication (Phase 1)


1. In the tree view, expand Authentication (Phase 1) 2. Select Proposal 1, and configure the following settings: Item Authentication Method Encrypt Algorithm Hash Alg SA Life Key Group Select/Enter Pre-Shared Key Triple DES SHA-1 Seconds: 7200 Diffie-Helman Group 2

Notes

11-12

Integrated Security Appliance

Module 11: Configuring the VPN

Configuring Key Exchange (Phase 2)


1. In the tree view, expand Key Exchange (Phase 2). 2. Select Proposal 1, and configure the following settings: Item SA Life Compression Select/Enter Seconds: 7200 None

3. Select Encapsulation Protocol (ESP), and configure the following

settings:
Item Encrypt Algorithm Hash Alg Encapsulation 4. Click FileSave. 5. The ping is now successful. Select/Enter Triple DES SHA-1 Tunnel

Exercise 47

Testing the Client-to-Site Connection


Once your instructor has completed the SoftRemote setup, he will test it by doing the following:
1. Launch a web browser.

NOTE: Do this test on 1 or 2 student machines.

2. Enter the IP address for the students web server:

http://192.168.X.101.

Notes

Integrated Security Appliance

11-13

Module 11: Configuring the VPN

More VPN Functionality


VPN Advanced
There are three tabs on the VPN Advanced main tab: Radius Client Configuration VPN Users L2TP IP Pool

Slide 221

Radius Client Tab


If you configured an IKE policy to use a Radius server for authenticating user name/password pairs, then you must configure the Radius client. Configuring the Radius client allows the appliance to communicate with the Radius server.

Notes

11-14

Integrated Security Appliance

Module 11: Configuring the VPN

Slide 222

VPN User List Tab


The VPN user list is used to authenticate users when Xauth is enabled and configured to use generic authentication on IKE policies for remote clients.

Notes

Integrated Security Appliance

11-15

Module 11: Configuring the VPN

Slide 223

L2TP IP Pool Tab


L2TP (Layer 2 Tunneling Protocol) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider to enable the operation of a virtual private network over the Internet.

NOTE: L2TP is included with most new Microsoft Operating systems. EXPLAIN: You can configure an L2TP/IPSEC VPMN connection between the appliane and a Windows 2000 or XP VON client.

L2TP does not include encryption, but defaults to using IPSec in order to provide VPN connections from remote users to the corporate LAN. The combination of L2TP for packet encapsulation and IPSec for encryption, known as L2TP/IPSec, is a highly secure technology for creating remote access VPN connections across public networks. L2TP IP addresses will be used when you create an L2TP/IPSEC VPN connection, and you add them on the VPN Advanced tab.

Notes

11-16

Integrated Security Appliance

Module 11: Configuring the VPN

Slide 224

Advanced Parameters
There may be instances in which the VPN settings need to be tuned. Tuning is accomplished by adding or editing name/value pairs in the Advanced Parameters tab.

MENTION: Advanced Parameters are case sensitive.

Note: Enabling ICMP for the external interface in the Self policy is not

enough to allow you to ping. In order to do so, you must add the advanced parameter access.ext_allow_ping and make sure that Boolean is enabled.

Notes

Integrated Security Appliance

11-17

Module 11: Configuring the VPN

Slide 225

Certificates
In order for public key cryptography systems to work on a large scale, there must be a method of trust established such that entities that do not know of each other can have enough faith in the public keys they receive to trust any transactions that take place with them. This is the function of Certifying Authorities. Basically, they validate the owners of public keys so that when someone gets a key from that certifying authority, there is a high degree of assurance that the key belongs to the entity whose name is associated with that key.

EXPLAIN: Certificates are found in the Proventa M. They allow you to integrate PKI with your Proventa box. EXAMPLES: VeriSign - issues digital IDs for individuals, independent software vendors, and secure servers. Entrust - creates software and services that secure digital identities and information for enterprise and government customers.

In order to use certificates from your trusted certificate authority, you must install the certificate on the appliance. Doing so adds the authority to the trusted certificate authority list.

Note: Before installing a trusted certificate authority certificate, you must download the certificate file from your chosen certificate authority.

Notes

11-18

Integrated Security Appliance

Module 11: Configuring the VPN

Module Review
Slide 226
You should now be able to:

Configure a VPN for site-to-site connectivity. Configure a VPN for client-to-site connectivity.
Review Objectives Ask for additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

11-19

Module 11: Configuring the VPN

Notes

11-20

Integrated Security Appliance

1 hour

High Availability

Module 12

About this Module


Slide 227

Purpose of this Module


The purpose of this module is to describe how to configure and enable two Proventa M appliances for use in a high availability (HA) environment.

Slide 228

Module Objectives
When you complete this module, you will be able to: Explain the concept of High Availability. Describe High Availability Deployments and Configuration of a HA Environment. Discuss the Updating of Appliances in High Availability Mode.

Notes

Integrated Security Appliance

12-1

Module 12: High Availability

About High Availability


Slide 229

About High Availability


When in routing mode, the Proventa M Series appliance offers activepassive high availability (HA) by using Virtual IP addresses shared between the primary appliance and the secondary appliance. With HA enabled, the secondary appliance, in passive mode, is ready to operate as the primary appliance if the primary appliance fails.

Slide 230

With a dedicated interface link connecting the primary and secondary appliances, the appliances periodically send heartbeats to monitor status. If the secondary appliance does not receive a response from the primary appliance for a predetermined period of time, called the dead timeout, the primary appliance is considered to have failed. When this occurs, the secondary appliance takes over all virtual IP addresses for all interfaces and becomes the primary appliance. When the primary appliance fails, it loses FTP, VPN and other TCP persistent connections, and you must reconnect them on the secondary appliance. This is known as "warm" failover.

Slide 231

Notes

12-2

Integrated Security Appliance

Module 12: High Availability

High Availability Deployment


Introduction
The diagrams below illustrate high availability scenarios.

Slide 232

Logical HA Diagram
First is a logical diagram of standard HA deployment. In this example, there is only one external IP address: 10.10.100.1. The appliances use non-routable IP addresses for their external interface:

Notes

Integrated Security Appliance

12-3

Module 12: High Availability

Required Tasks Before Using HA


Introduction
You must do the following things before you enable the high availability feature. You will do them on the primary appliance first, then do them on the secondary appliance:
1. Acquire license files and/or make sure that the licenses are the same

on both appliances.
2. Create new Address Name network objects 3. Add Required Access Policies and Source NAT Rule 4. Edit existing policies and configurations 5. Dedicate an HA Interface

Slide 233

Acquiring License Files


Appliances do not synchronize license files. You must upload the license file to each appliance individually.

Notes

12-4

Integrated Security Appliance

Module 12: High Availability

Slide 234

Creating New Address Name Network Objects


Before you create the HA policies, you must create the following Address Name network objects: An Address Name network object for the IP address ranges of all enabled interfaces, including the HA interface and virtual IP addresses An Address Name network object for the static IP address range of the HA interface only

Slide 235

Example - In this example, you have configured your network as

shown in the Logical Network Diagram shown previously. Create an Address Name network object called ClusterIPAddresses for the IP address ranges of all enabled interfaces in the HA cluster, including the HA interface and virtual IP addresses:

10.10.100.1 192.168.200.1-192.168.200.2 172.16.100.2-172.16.100.3 192.168.100.1-192.168.100.2 172.10.100.1

Create an Address Name network object called HANetIPAddresses for the static IP address range of the HA interface only, as follows:

192.168.100.1-192.168.100.2

Notes

Integrated Security Appliance

12-5

Module 12: High Availability

Slide 236

Adding Required Access Policies and a Source NAT Rule


You must add three new firewall access policies and a source NAT rule before you begin HA configuration.
Notes:

The access policies and Source NAT Rule must work on both appliances in the cluster. You must add the access policies and Source NAT Rule before you enable the HA feature.

Slide 237

The new access rules that must be created are as follows:


Policy Description 1 This policy allows TCP communication though the HA interface (eth2) to the destination port, so that the appliances can communicate policy and state information. For the Source Address, you must use an Address Name network object for the static IP address range of the HA interface only. Example: Name: Allow policy synchronization over HA network Action: Allow Protocol: TCP Source Address: HANetIPAddresses (Address Name network object) Source Port: Any Destination Address: Self Destination Port: 2998

Notes

12-6

Integrated Security Appliance

Module 12: High Availability


Policy Description 2 This policy allows UDP heartbeat packets from M appliances on all interfaces. For the Source Address, you must use an Address Name network object for the static IP address ranges of all enabled interfaces, including the HA interface. Example: Name: Allow UDP heartbeat on all enabled interfaces 3 Action: Allow Protocol: UDP Source Address: ClusterIPAddresses (Address Name network object) Source Port: Any Destination Address: Self Destination Port: 694

This policy allows the secondary appliance to receive updates. For the Source Address, you must use an Address Name network object for the static IP address range of the HA interface only. Example: Name: Allow secondary appliance updates over HA network Action: Allow Protocol: TCP Source Address: HANetIPAddresses (Address Name network object) Source Port: Any Destination Address: Any Destination Port: Any

Note: When you configure the secondary appliance, you are not required to add this access policy, because the first two access policies allow HA functionality. The secondary appliance can receive the third access policy to allow updates from the primary appliance after you enable HA.

Notes

Integrated Security Appliance

12-7

Module 12: High Availability

Slide 238

Adding a Source NAT Rule


The required Source NAT rule specifies the source NAT address for the secondary appliance so that it can receive updates:
Entry Protocol Source Address Source Port Destination Address Destination Port Translated Address Setting Any HANetIPAddresses (Address Name network object) None Any Any Single IP Address - use the external virtual IP address

Notes

12-8

Integrated Security Appliance

Module 12: High Availability

Slide 239

Editing Existing Policies and Configurations


You must edit existing policies as follows: You must configure all firewall access polices, VPN configurations and external DNS entries to use virtual IP addresses. If you have created firewall policies or rules that use a static IP address, then you must revise those policies or rules.
Caution: When you enable or disable the high availability feature,

the appliance uses the virtual IP addresses to route traffic. In the case of access policies, IPSEC policies, NAT policies, or advanced firewall ALGs, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting security gateways. If Source or Destination NAT Rules reference a static IP address (physical interface), you must change the IP address for the rule to match the virtual IP address of that interface.

The Hide NAT Source Rule is enabled by default. This Many-toOne configuration translates all non-routable IP addresses to the IP address of the eth1 interface. If you use the high availability feature, you must edit the Hide NAT Source rule. On the Translated Address tab, change the IP address entry to the virtual IP address for the HA cluster. When you set up a security gateway with an IP address as the Local ID, you must use the first virtual IP address for the interface as the Local ID value. Do not use an alias, an IP address using a proxy ARP, or the second or later virtual IP address.

Notes

Integrated Security Appliance

12-9

Module 12: High Availability

Slide 240

Dedicating an HA Interface
You must dedicate an interface to enable HA functionality, and each appliance must dedicate the same HA interface. This simplifies use of HA functionality and provides good throughput when the appliances share state information. The HA interface must also be dedicated to avoid the possibility of user traffic interfering with the cluster nodes' communication. Match any of the available interfaces eth2 through eth7; the number of available interfaces varies depending on your appliance model. Do not use INT0 (eth0) or EXT1 (eth1) for your high availability interface. Use the same appliance model for both the primary and secondary device. Example - M50 to M50 Do not route user network traffic across the dedicated HA interfaces.

Notes

12-10

Integrated Security Appliance

Module 12: High Availability

High Availability Configuration


Slide 241

Introduction
You will now walk through each of the steps involved in configuring a high availability environment. You cannot save the changes in this area until you have completed all required settings on the following tabs: Base Configuration Virtual IP Addresses

State: You cannot save the changes on this page until you have completed all required settings on these tabs.

Monitor IP Addresses (optional) Alternate Node IP Addresess


Important: If you need to add new entries after configuration, HA must

be disabled, then re-enabled after changes are made.

Notes

Integrated Security Appliance

12-11

Module 12: High Availability

Slide 242

High Availability Configuration Tab


You will use this tab to establish your initial configuration.

Notes

12-12

Integrated Security Appliance

Module 12: High Availability The following table describes the required fields:
Option Enabled Definition Check to enable high availability. Important: The default setting is unchecked. Complete the configuration procedures, required access policies, and required NAT Source Rule for HA on both appliances before you select the Enabled check box. The interface for HA state communication. Note: The default is eth2. The dead timeout or failure timeout is the amount of time that the secondary appliance waits for a heartbeat message or ICMP reply message from the primary appliance. The default value is 30000 milliseconds (30 seconds). A smaller dead timeout value causes a faster failover to the secondary appliance. Note: To help determine the timeout value, ISS recommends you monitor the system logs for warning messages from the heartbeat module, to see if heartbeats arrive late. The heartbeat message indicates how late the message is. Double this time and use that value as a new failure timeout. Continue to monitor the system logs for more heartbeat warning messages. You should not see more than one or two heartbeat warning messages per day. The secret text string shared between the primary and secondary appliances. Note: The text string must contain no spaces, and must be between 16 and 64 characters. The IP address of the default external gateway for the HA cluster. Example: 10.10.100.1

HA Interface Name Dead Timeout

Shared Secret

Virtual Gateway

Notes

Integrated Security Appliance

12-13

Module 12: High Availability

Slide 243

Virtual IP Addresses Tab


Virtual IP addresses are configured on both HA appliances, but are enabled only on the primary appliance so that only the primary appliance is routing network traffic. All external clients use these addresses to communicate with the primary appliance. Each of the appliances within the HA cluster must have a static IP address on all enabled interfaces. DHCP and PPPoE are not supported on the external interface when in High Availability mode. Each enabled interface must also have at least one virtual IP address specified in the High Availability settings. The Virtual IP addresses must not exist on any other interface on the appliances or on the network. The following table describes the required fields on the Virtual IP Address tab:
Option Enabled Definition Virtual IP address is enabled. The default is Checked.

Interface Name Network interface name. The default is None. IP Address Virtual IP address. Also known as virtual IP address. The default is none. The external VIP is also used as your Virtual Gateway IP address, on the Base Configuration page.

Notes

12-14

Integrated Security Appliance

Module 12: High Availability

Slide 244

Here is an example: A common configuration contains two appliances with the following assigned IP addresses:

one static internal interface address one static external interface address one static high availability interface address one virtual internal address one virtual external address

This address is also your Virtual Gateway IP address. The primary appliance owns the virtual IP addresses until a failover occurs. When a failover occurs, the secondary appliance takes ownership of the virtual IP addresses, and becomes primary.

Notes

Integrated Security Appliance

12-15

Module 12: High Availability

Slide 245

When You Will NOT Use Virtual IP Addresses When performing HA management, you will always use virtual IP addresses, except when you must connect to each appliance individually to do the following: Install firmware updates Perform a system backup Restore from a system backup You are directed to do so by ISS Technical Support personnel You can connect to individual appliances by using the unique IP address of the appliance, or with a serial connection. You must perform all other HA cluster management tasks using the virtual IP addresses.

Notes

12-16

Integrated Security Appliance

Module 12: High Availability

Slide 246

Monitoring IP Addresses Tab


Monitor IP addresses are an optional feature that you can use to periodically determine if the network is healthy. You can specify the IP address of another network device, outside of the HA cluster, to send ICMP echo request packets and wait for replies. If the appliances do not reply within the dead timeout period, then the connection is considered down. The primary HA appliance polls the secondary appliance to determine which appliance has the highest number of reachable network devices. If the primary appliance does not have the highest count, then a failover occurs..

State: Now lets discuss Monitoring IP Addresses.

Notes:

To add or remove Monitor IP Addresses after enabling HA, you must disable HA before you make any changes. ISS recommends that you carefully select devices such as an email server or Web server that are highly available, reliable, and maintain average traffic. If you use Monitor IP addresses, the dead timeout value should be set to accommodate peak traffic. The following table describes the required fields on the Monitor IP Addresses tab:
Field Enabled IP Address Definition Monitor IP Address usage is enabled. The default is Checked. IP Address to send SICMP requests. The default is None.

Notes

Integrated Security Appliance

12-17

Module 12: High Availability

Slide 247

Monitoring Internal and External Connections


You can use Monitor IP Addresses to monitor both external and internal connections. To monitor the external connections, choose a device on the EXT1 (eth1) side of the Proventa cluster, such as your router, or other IP addressable device. To monitor an internal connection, choose a device on the connected network, such as a file server or domain controller, that is reliable and maintains average network traffic. Use careful planning and consideration when you choose an IP address to monitor. You may experience problems when using web servers, email servers, or other devices which are frequently subjected to high traffic loads. Hardware devices such as routers and managed switches make excellent candidates, since they are less likely to become unresponsive during times of heavy network usage.
Note: To add or remove Monitor IP Addresses after enabling HA, you

must disable HA before you make any changes. It is important to choose devices which are known to be reliable before enabling HA to avoid unnecessary downtime.

Notes

12-18

Integrated Security Appliance

Module 12: High Availability

Slide 248

Alternate Node InterfaceTab


The Alternate Node Interface tab is where IP information about the other appliance in the HA cluster is entered. You must enter IP information for all active interfaces on the alternate node, including the HA interface. The following table describes the required fields:
Field Interface Name IP Address Definition

Network interface name. The default is None.


IP Address. The default is None..

Notes

Integrated Security Appliance

12-19

Module 12: High Availability

Slide 249

Viewing High Availabilty Status


The appliance displays high availability status on the Proventa Manager Home page in the System Status box.
Note: A message appears in the Important System Messages area on

the Proventa Manager home page if an HA appliance is in a failure state and not responding to requests. This status information only pertains to appliances in a high availability configuration in routing mode. The following table describes the HA Status fields:
Field Definition

High Availability The status of the HA feature. Options are as follows: Mode Enabled
Disabled

High Availability The node name of the appliance, in the following format as Node Name follows: hostname.ipaddress High Availability The HA role of the appliance. Options are as follows: Operating As Unknown
Primary Secondary

High Availability The status of the primary appliance. Options are as Active Status follows:
Running Stopped Not configured Not installed Unknown

High Availability If the High Availability feature is enabled, then this statistic Secondary appears on the primary appliance only. This is the status Status of the secondary appliance. Options are as follows:
Unknown Running Stopped Failure

Notes

12-20

Integrated Security Appliance

Module 12: High Availability

Updating Appliances in High Availability Mode


Slide 250

Introduction
The following update requirements apply to both appliances with the HA feature enabled: You can enable automatic update downloads and automatic security update installation, but you must apply firmware updates manually in the Proventa Manager for each appliance.
Important: Do not enable the automatic firmware update installation

option. You must apply the same firmware version to both the primary and the secondary appliances. The HA feature will not function properly if the primary and secondary appliances run different versions of firmware. In a standard IP high availability environment, a firmware update installation to the primary appliance forces a failover to the secondary appliance. The primary appliance becomes the secondary appliance in the cluster.
Caution: Applying firmware updates to an HA appliances requires a

failover. ISS recommends that you install firmware updates during off hours.

Notes

Integrated Security Appliance

12-21

Module 12: High Availability

Slide 251

Upgrading Existing Devices to use HA


You can upgrade existing Proventa appliances for use in a HA cluster in routing mode by assigning new unique IP addresses to all static IP interfaces on both the designated primary and secondary M appliances. Use the existing static IP addresses as the HA virtual IP address. Some additional configuration may be required.

Recommendations
Consider the following recommendations before you apply updates to an appliance in routing mode with the HA feature enabled: To maintain up-to-date security and database content, enable automatic scheduled security and database updates.
Important: Do not enable automatic firmware updates.

Open two browser windows so that you can more easily access both appliances during the update process.

Notes

12-22

Integrated Security Appliance

Module 12: High Availability

Lab: Configuration
Introduction
In this lab you will re-install the appliance from scratch in routing mode, in order to configure and test High-Availability.

Slide 252

HA Classroom Topology
The graphic below illustrates the final layout of the first raw of the classroom at the conclusion of the exercises contained in this module.

Notes

Integrated Security Appliance

12-23

Module 12: High Availability

HA IP Addresses
The following table highlights the resulting IP settings. Table Host IP Address Name Appliance Name IP Address EXT1: <LAN>.19 INT0: 172.16.100.2 EXT2: 10.10.100.1 EXT1: <LAN>.29 INT0: 172.16.100.3 EXT2: 10.10.100.2 EXT1: <LAN>.39 INT0: 172.16.200.2 EXT2: 10.10.200.1 EXT1: <LAN>.49 INT0: 172.16.200.3 EXT2: 10.10.200.2

1 & 2 iss10 iss20 iss30 iss40 3 & 4 iss10 iss20 iss30 iss40

172.16.100.4 MF19.xfeducation.local 172.16.100.5 172.16.100.6 MF29.xfeducation.local 172.16.100.7 172.16.200.4 MF39.xfeducation.local 172.16.200.5 172.16.200.6 MF49.xfeducation.local 172.16.200.7

Slide 253

Enable and Test High-Availability


You will now enable High-Availabilty working with your collegues of another table, as you will need 2 appliances to work together. The steps to follow are the: Reconfigure the class network Configure the Proventa Appliances Enable the eth2 interface Creathe the HA Access Rules Configure High-Availability Test High-Availability

Notes

12-24

Integrated Security Appliance

Module 12: High Availability

Exercise 48

Reconfigure the class network.


Verify there is a crossed cable connecting both EXT2 interfaces. Partner 1
1. Modify the Local Area Connection properties as follows:

IP: 172.16.X00.Y (refer to the tables starting on page 12-24) GW: 172.16.X00.1 DNS: Ask the instructor.

POINT OUT: The default GW is already the one which will be valid after the HA configuration.

2. Recable the system to match the topology of page 12-23.

Partner 2
1. Modify the Local Area Connection properties as follows:

IP: 172.16.X00.Z/24 (refer to the table on page 12-24) GW: 172.16.X00.1 DNS: Ask the instructor.

Exercise 49

Configuring the Proventa Appliances


This exercise will be conduct by Partner 2 only. Note: you must transfer the serial cable in order to see what is happening.
1. Instert the Restore CD for Proventa M in your CD tray and reboot

your system.
2. If asked, select to boot from the CD. 3. When prompted, boot your Proventa M appliance. 4. When prompted, press L to boot from LAN.

Note: you have 5 seconds before the system will boot normally.
5. At the boot prompt, type reinstall nodb and press ENTER.

The system will restore the distribution image without copying the database used for the web and mail filtering. These will be copied in the following exercise.
6. Allow the appliance to reboot.

Notes

Integrated Security Appliance

12-25

Module 12: High Availability


7. At the unconfigured.appliance login prompt, type admin and

press ENTER.
8. At the password prompt, type admin and press ENTER. 9. On the HTTP Authenticatoin screen press TAB twice and press

ENTER.
10. On the Welcome screen press ENTER to select Next (default

position).
11. On the End User License Agreement screen, review the license

agreement and press ENTER to select I Accept.


12. TAB to the NEXT button and press ENTER. 13. Accept the Routing setting; TAB twice to the NEXT button and

press ENTER.
14. Read the information on your screen and press ENTER to continue. 15. On the Hostname screen, press BACKSPACE as necessary to delete

the default host name (unconfigured.appliance).


16. Type your Gateway Protection Hostname, MF<yourtable

#>9.xfeducation.local.
17. TAB to the NEXT button and press ENTER. 18. On the Internal Interface (eth0) screen, accept the default Activate

Interface on boot option, and press TAB to go to the IP address field.


19. Press BACKSPACE as necessary to delete the default address, type

your internal IP address, 172.16.X00.# (refer to the tables starting on page 12-24), and press ENTER.
20. To accept the default Netmask (network mask) value, 255.255.255.0,

press ENTER.
21. To select NEXT, press ENTER. 22. On the Configure External IP Type screen, press the SPACE BAR to

select Static IP Address.


23. TAB to the NEXT button and press ENTER.

Notes

12-26

Integrated Security Appliance

Module 12: High Availability


24. On the External Interface (eth1) screen, accept the default Activate

Interface on boot option, and press TAB to go to the IP address field.

POINT OUT: Communicate the students the actual classroom network might be different.

25. Type the IP address of your appliances external interface,

<LAN>.X9 (refer to the tables starting on page 12-24 and verify with the instructor), and press ENTER.
26. To accept the default Netmask (network mask) value, 255.255.255.0,

press ENTER.
27. Type the Default gateway (IP Address), <LAN>.GW. Your

instructor will define this address.


28. TAB to the NEXT button and press ENTER. 29. On the Name Servers screen, type the IP address of the Primary,

Secondary and Tertiary nameserver. Your instructor will provide this IP address.
30. TAB to the NEXT button and press ENTER. 31. On the DNS Search Path screen, type the DNS search path list

name, xfeducation.local.
32. TAB to the NEXT button and press ENTER. 33. On the Appliance Management Access screen leave Management

access for machines on the eth0 subnet enabled checked; click TAB 4 times and press ENTER.
34. On the Configure Time Zones screen, select the appropriate time

zone by pressing ENTER and scrolling to desired value (the default time zone is America/New York).
35. TAB to the NEXT button and press ENTER. 36. On the Date and Time insert the appropriate Month, Day, Year,

Hour, and Minutes.


37. TAB to the NEXT button and press ENTER. 38. On the Root password screen, type your root user password,

iss123+, and press ENTER.


39. Reenter your root user password, iss123+, and press ENTER.

Notes

Integrated Security Appliance

12-27

Module 12: High Availability


40. To select NEXT, press ENTER. 41. On the Administrator password screen press ENTER to select Same

as Root, press TAB 3 times to the NEXT button and press ENTER.
42. On the Proventa Manager Password screen press ENTER to select

Same as Root, press TAB 3 times to the NEXT button and press ENTER.
43. On the Enable Bootloader Password screen select Enable and press

TAB twice to the NEXT button and press ENTER.


44. Scroll the Setting Review and press ENTER when the cursor is

positioned on Fininsh.
45. After the request is sent and the system reboots, press CTRL+G to

reboot your system and remove the ejected CD.

Exercise 50

Enable the eth2 interface


Both Partner 1 and Partner 2
1. Connect to your Proventa Manager by using its own IP address

(different from your current gateway).


2. Under Network Configuration, select the Internal Interfaces tab

and add the eth2 netwok interface with IP 10.10.X.Y (refer to the tables starting on page 12-24 and verify with the instructor).

Notes

12-28

Integrated Security Appliance

Module 12: High Availability

Exercise 51

Create the High-Availability Access Rules


Both Partner 1 and Partner 2
1. Connect to your Proventa Manager. 2. Position yourself on the ConfigurationObjectsNetwork

Objects node.
3. Select the Address Names tab. 4. Create an object ClusterIPAddresses containing:

The IP addresses of the external inteface of both Proventa appliances (<LAN>.X9 and <LAN>.N9). The IP addresses of the internal interface of both Proventa appliances (172.16.X00.2 and 172.16.X00.3). The IP addresses of the EXT2 interface of both Proventa appliances (10.10.X00.1 and 10.10.X00.2). Both the External and Internal virtual IP addresses of your HA setup (<LAN>.X5 and 172.16.X00.1). The IP addresses of the EXT2 interface of both Proventa appliances (10.10.X00.1 and 10.10.X00.2).

5. Create an object HANetIPAddresses containing:

6. Position yourself on the Firewall/VPNSettings node. 7. In the right pane, on the Access Policy tab, click Add. The Add

Access Policy window appears.


8. By selecting the available tabs, create a rule to allow the

synchronization of the policies:


Tab Main Select/Click Enabled Action Log Enabled Comment Protocol TCP Select/Enter Select Allow Select Enable policy synchronization

Notes

Integrated Security Appliance

12-29

Module 12: High Availability


Tab Select/Click Select/Enter HANetIPAddresses

Source Address Address Name network object Source Port Destination Address Any Self

Destination Port Single

2998

POINT OUT: In our configuration we have 3 valid IP addresses in the same range, therefore we dont need an access and a NAT rule to allow the secondary appliance to receive updates via the primary.

9. By selecting the available tabs, create a rule to allow the UDP

hearbeat to be sent on all interfaces:


Tab Main Select/Click Enabled Action Log Enabled Comment Protocol UDP ClusterIPAddresses Select/Enter Select Allow Select Enable UDP Heartbeat

Source Address Address Name network object Source Port Destination Address Any Self

Destination Port Single 10. Click Save Settings.

694

Notes

12-30

Integrated Security Appliance

Module 12: High Availability

Exercise 52

Configure High-Availability
Note: Do NOT save changes until you complete all tabs. Partner 1
1. Connect to your Proventa Manager. 2. Position yourself on the ConfigurationSystemHigh

Availability node.

POINT OUT: Do NOT save changes until you complete all tab. POINT OUT: On the primary appliance the default gateway entered during the setup will be overwritten with this Virtual Gateway value.

3. Select the Enable check box. 4. Select eth2 as the HA Interface Name. 5. Leave the Dead Timeout default value of 30000. 6. In the Shared Secret field enter abcdefghij123456 (16 characters). 7. In the Virtual Gateway field enter the network gateway

(<LAN>.GW).
8. On the Virtual IP Addresses tab, Add the following 2 addresses:

Internal Virtual IP Address: Verify that the Enabled field is checked. Interface Name: eth0 IP Address: 172.16.X00.1 Subnet Mask: 255.255.255.0 External Virtual IP Address: Verify that the Enabled field is checked. Interface Name: eth1 IP Address: <LAN>.X5 Subnet Mask: 255.255.255.0 Monitor the Instructors machine: Verify that the Enabled field is checked. IP Address: <Instructors IP> Your partners machine: Verify that the Enabled field is checked. IP Address: <Your partners IP>

9. On the Monitor IP Addresses tab, Add the following 2 addresses:

Notes

Integrated Security Appliance

12-31

Module 12: High Availability

POINT OUT: It is important to add all active interfaces of the other appliance. If this doesnt match the actual settings of the alternate appliance, the HA configuration cannot be applied.

10. On the Alternate IP Addresses tab, Add the following 3 addresses: Value Alternate Node Internal Interface (eth0) External Interface (eth1) EXT2 Interface (eth2) 11. Click Save Changes. 1st Table MFN9 172.16.X00.3 <LAN>.N9 10.10.X00.2 2nd Table MFX9 172.16.X00.2 <LAN>.X9 10.10.X00.1

Partner 2
1. Connect to your Proventa Manager. 2. Wait until you get the LMI screeen with an orange banner

indicating that High Availability is active.

Notes

12-32

Integrated Security Appliance

Module 12: High Availability

Exercise 53

Test High-Availability
Partner 1
1. Connect to the Proventa Manager via the Internal Virtual IP

address 172.16.X00.1.
2. Add an Access Rule to allow ICMP traffic from the Instructor

machine.

INSTRUCTOR: Verify you can ping the external interfaces of both Proventas and the External Virtual IP. If it does not work, verify that ICMP is enabled for you.

Partner 1 and Partner 2


1. Verify you can ping the internal interfaces of both Proventa

appliances and the Internal Virtual IP address: ping 172.16.X00.1. ping 172.16.X00.2. ping 172.16.X00.3.
2. On your host machine, open a command shell and at the command

prompt issue an arp -a command. Verify that the Phyisical Addresses of 172.16.X00.1 and 172.16.X00.2 are the same. This implies that 172.16.X00.2 currently is the primary node of the HA setup. Partner 1
1. Connect to the primary appliance via putty. 2. Start tail -f /var/log/messages. 3. On your host machine open a command shell and start ping -t

Also verify your arp table to make sure which appliance is primary.

<Instructor IP>
4. Unplug the cable going from MFX9 (the primary appliance) to the

external switch. You will see:


Clear messages in your tail...-session indicating that a monitored IP cannot be reached anymore. The failover procedure taking place. Your ping will fail for about 30 seconds and succeed again after the failover.

Notes

Integrated Security Appliance

12-33

Module 12: High Availability


5. On your host machine, open a command shell and at the command

prompt issue an arp -a command. Verify that the Phyisical Addresses of 172.16.X00.1 and 172.16.X00.3 are the same. This implies that 172.16.X00.3 has become the primary node of the HA setup. Partner 2
1. Connect to the Proventa Manager via the Internal Virtual IP

address 172.16.X00.1.
2. Verify on the Home Page that the High Availability settings have

changed in such a way to make the 172.16.X00.3 as the primary node.

Notes

12-34

Integrated Security Appliance

Module 12: High Availability

Module Review
Slide 254
You should now be able to:

Explain the concept of High Availability. Describe High Availability Deployments and Configuration of a HA
Environment.

Discuss the Updating of Appliances in High Availability Mode.


Review Objectives Ask: For additional questions
Take this opportunity to ask questions about the information we have discussed.

Notes

Integrated Security Appliance

12-35

Module 12: High Availability

Notes

12-36

Integrated Security Appliance

15 minutes

Course Review
Review Objectives
You should now be able to:

Slide 255

Describe the six components of the Proventa M. Reconfigure the Proventa M appliance. Discuss Transparent Mode functionlality and configuration. Discuss components of the Proventa M Intrusion Prevention
module and configure Intrusion Prevention functionality.

Detect and block an attack, enable auditing, and view intrusion


prevention events.

Discuss the basics of antivirus technology and configure the


antivirus portion of the Proventa M.

Use a test virus to view virus blocking within the Proventa M. Describe the Proventa M Series Web filtering process. Configure the Web filtering module, creating whitelists and
blacklists.

Notes

Integrated Security Appliance

R-1

Slide 256

Describe the basics of Proventa Ms antispam technology and


configure the antispam portion of the Proventa M using whitelists and blacklists.

Identify firewall methods and translate your security policy into


firewall policies.

Configure the Proventa M firewall, creating lists and rules. Perform network address translation and Reverse NAT. Configure a Virtual Private Network for site-to-site and client-to-site
connectivity.

Describe High Availability deployments and configuration of a HA


environment.

Ask: For additional questions

Ask Questions

Notes

R-2

Integrated Security Appliance

VPN and Encryption Technologies


VPNs and Encryption
What is a Virtual Private Network?
The short definition of a Virtual Private Network, or VPN, is encrypted communication across a public network. VPNs may exist between an individual machine and a private network (client-to-site) or a private network (site-to-site). VPNs include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network. VPN technology includes: Encryption Algorithms Digital Signatures IKE IPSEC

Appendix A

What is Encryption?
Encryption is the science of encoding data to ensure the privacy or integrity of a communication. The most effective way to achieve data security, it is a fundamental component of techniques that provide confidentiality, integrity, and authentication. The encryption process involves three components: Plain text - the original message you want to encrypt

Notes

Integrated Security Appliance

A-1

Appendix A: VPN and Encryption Technologies Encryption algorithm - a mathematical algorithm used to jumble your plain text Encryption key - a small piece of data used in conjunction with the encryption algorithm to jumble your plain text The result of this process is ciphertext, encrypted data which can be stored on non-secure media or transmitted on a non-secure network and still remain secret. Later, the ciphertext can be decrypted back to plain text using the same encryption algorithm and a decryption key. There are two types of encryption algorithm: Symmetric Asymmetric They are used to protect the confidentiality of data.

Symmetric (Shared Key) Algorithms


Symmetric algorithms are the most common type of encryption algorithm. They are known as symmetric because the same key is used for both encryption and decryption. In other words, any plain text that you encrypt with a symmetric algorithm can only be decrypted with the exact same key.

Symmetric algorithms are considered very fast and are therefore preferred when encrypting large amounts of data. A disadvantage to using a symmetric algorithm is that keys must be distributed in advance, thereby leaving open the possibility that they are discovered. Examples of symmetric encryption algorithms:

Notes

A-2

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies DES 3DES RC4 RC5 AES (Rijndael)

DES
The Data Encryption Standard (DES) algorithm was the United States Governments encryption standard through the 1990s. It uses a 56-bit key and is considered insecure these days.

3DES
The 3DES algorithm, a simple variant on the DES algorithm, was created to overcome security weaknesses in the short DES key. A single DES round is replaced by three rounds and three DES keys. Because of a specific type of attack, the brute force strength of 3DES is 112 bits. Although 3DES solves the security issues of the short, 56-bit DES key, it must go through the DES process 3 times in order to gain 112 bits of security. This can be resource intensive.

AES
The Advanced Encryption Standard (AES) is a symmetric block cipher. The AES algorithm was designed from the ground up to use long keys with a single round of encryption. AES key lengths are variable - 128, 192, or 256 bits in length. AES is the current encryption standard of the United States Government.

Scenario
We will use Bob and Alice, two coworkers, to illustrate symmetric encryption: Bob and Alice are coworkers at the ABC company.

Notes

Integrated Security Appliance

A-3

Appendix A: VPN and Encryption Technologies Evil Eve, another coworker, is in charge of all corporate communications. She has been abusing her access and rights to eavesdrop in on everyone elses communications. To avoid Evil Eve, Bob and Alice have decided to use encryption and initially decide to use symmetric encryption because of its speed. Bob encrypts a message to Alice and emails it to her. In order for Alice to decrypt the message, she will need a copy of the same key Bob used to encrypt the message. This will be their shared secret. How does Bob securely get the key to Alice?

Can he tell it to her over the phone? No, Evil Eve is listening. Can he email it to her? No, Evil Eve can access their email. Can he send it to her in an envelope? No, Evil Eve is in charge of all interoffice mail.

The Problem
Symmetric encryption is very fast but suffers from a catch 22 - Bob and Alice want to use symmetric encryption in order to secure their communication channel, but they need a secure channel of communication before they can share symmetric keys.

Asymmetric (Public/Private Key) Algorithms


In 1977, Diffie and Hellman wrote a paper in which they postulated that there be two separate keys - one to create ciphertext and one to get it back to plain text. Rivest, Shamir and Adelman were the first to make this concept a reality with the introduction of the RSA algorithm. Examples of asymmetric encryption algorithms: RSA DSA Diffie-Hellman

Notes

A-4

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies ElGamal Asymmetric cryptography uses a pair of mathematically related keys: a public key, which is freely distributed and can be seen by all users; and a private key, which is kept secret and not shared among users.

The public key and private key perform inverse operations and are used together. For example, if a message is encrypted with the public key, only the private key can decrypt it. Conversely, a message encrypted with the private key can only be decrypted with the public key. Compared to symmetric encryption, asymmetric encryption is approximately 1000 times slower, but it does not suffer the key distribution problems that plague symmetric encryption.

Scenario
We will use Bob and Alice to illustrate the Asymmetric algorithm: Bob generates a pair of keys. One he calls his private key, the other his public key. Anything encrypted with the public key can only be decrypted using the private key, and vice-versa. Bob sends his public key to Alice in an email attachment. Alice encrypts messages to Bob using his public key. Since Bobs public key was transferred to Alice insecurely (via email), we can assume that Evil Eve has a copy as well. Luckily, Bobs public key does not help Evil Eve. She cannot decrypt Alices message to Bob without Bobs private key.

Notes

Integrated Security Appliance

A-5

Appendix A: VPN and Encryption Technologies It is Bobs responsibility to keep his private key safe and confidential.

The Problem
Although secure in its method of key distribution, Asymmetric encryption is far too slow and resource intensive for large amounts of data.

Hashing Algorithms
While symmetric and asymmetric algorithms protect confidentiality of data, hashing algorithms protect data integrity. Hashing algorithms rely on mathematical formulas that take a given input, such as a message, and produce a message digest, or output, that is statistically unique to the original message. With this technology, if the message is altered in any way, the hash output will change dramatically. This makes it very easy to detect if a message has been tampered with. The two most used hashing algorithms are: MD5: creates a 128 bit message digest SHA-1: creates a 160 bit message digest

Scenario
Alice wants to send Bob an email congratulating him on a job well done and announcing his promotion. The congratulatory email is public information, so we are not concerned with the confidentiality of the message. If Alice sends the message in the clear to Bob, Evil Eve can intercept it and modify it to read that Bob has been fired rather than promoted. A message digest would help Bob verify that the message he received was the same message that Alice originally sent.

Notes

A-6

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies Alice creates a message digest of the promotion before she sends it, and Bob creates a message digest of the email after he receives it. If the two message digests are equal, the message received is the same as the one that was sent.

The Problem
If Evil Eve can intercept and modify the email, she can also intercept and modify the message digest. We need to make sure that the message digest is not tampered with. We do this with digital signatures.

Digital Signatures
A digital signature is a encrypted message digest that performs the following functions: Makes sure that a message can only have come from the sender that sent it. Makes sure that the message has not been tampered with.

Notes

Integrated Security Appliance

A-7

Appendix A: VPN and Encryption Technologies

Scenario
Alice runs her email through a hashing algorithm to produce a message digest. Alice encrypts the message digest with her private key - producing a digital signature. Alice sends the original message and the digital signature to Bob. Bob extracts the digital signature and decrypts it with Alices public key - producing the original message digest. Bob runs the message he receives through the same hashing algorithm used by Alice and compares the resulting message digest to the one that was decrypted with Alices public key. If the results are equal, Bob knows that the message could only have come from Alice and that the message has not been tampered with.

Encryption Schemes
In practice, algorithms are not used independently. Symmetric algorithms are very fast but insecure in their key distribution. Asymmetric algorithms are very slow but secure in their key distribution. This makes symmetric and asymmetric encryption very complimentary, each providing what the other lacks. The same holds true for hashing algorithms. Hashing algorithms protect integrity but not confidentiality while encryption algorithms protect confidentiality but not integrity. Again, each has what the other is lacking. In order to truly secure our communication channel, we must blend all of these algorithm types together. Blending multiple algorithms in this fashion is referred to as an encryption scheme. Examples of encryption schemes: SSL PPTP L2TP IKE/IPSEC

Notes

A-8

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies

Internet Protocol Security


Introduction
Internet Protocol Security (IPSEC) is a suite of protocols that enables secure communication over an unsecured network, such as the Internet. IPSEC provides security to the Internet Protocol (IP) packet as it is transmitted over the unsecured network by use of cryptography. IPSEC policies define the IPSEC protocol, key exchange method, and other necessary information needed to provide security to IP packets. IPSEC provides the following protection: Data Confidentiality - IPSEC protects data being transferred in IP datagrams by encrypting the IP packet. IPSEC encryption prevents third parties from listening on the public, unsecured network and obtaining private information from the packets. If a third party intercepts the IPSEC packets, the third party is unable to decrypt the data. Data Integrity - IPSEC protects data by discarding a packet if the packet was modified by an unknown third party. This technique is sometimes called data authentication or content integrity. Origination Authentication - The IPSEC packet always contains information that uniquely identifies the host that sent the packet. This feature is called origination authentication. It is also called sender authentication or non-repudiation. Anti-Replay Protection - IPSEC protects packets from being captured and replayed. If a third party intercepts a packet or a series of packets, and then attempts to replay the packets with the intention of either compromising the host or performing a denial of service attack, then the receiving host determines that the packets have already been received and the packets are discarded.

Notes

Integrated Security Appliance

A-9

Appendix A: VPN and Encryption Technologies

IPSEC Initiators and Responders


IPSEC is a peer-to-peer standard, therefore one party is the initiator and the other is the responder. The initiator is the VPN peer that begins the negotiations. The responder is the VPN peer that replies to the negotiations. You can configure the appliance as the initiator or responder or both for peer-to-peer VPN connections.

IPSEC Encapsulation Modes


IPSEC supports the following encapsulation modes: Tunnel Transport

Tunnel Mode
Tunnel mode is the most used encapsulation method. In tunnel mode, the entire IP datagram is protected. Tunnel mode allows a packet to be delivered to a host that is not the cryptographic endpoint, such as a Gateway device.

An IPSEC packet in tunnel mode has two IP headers. The outer IP header contains the information for delivering the entire packet to the Gateway device. The inner IP header is encrypted and contains only the original information intended for the targeted host on the other side of the VPN tunnel.

Notes

A-10

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies

Transport Mode
Transport mode is used to protect only the upper layer of protocols; the original IP header is not encrypted. Transport mode can only be used when the cryptographic endpoint is the same as the communication endpoint. This limits transport mode to host-to-host tunnels.

IPSEC Protocols
IPSEC uses the following protocols for data encryption and authentication: Encapsulating Security Payload (ESP) for encryption Authentication Header (AH) for authentication

Encapsulating Security Payload


ESP is used to ensure data integrity, anti-replay protection, data privacy, and origination authentication. ESP uses symmetric encryption to encrypt the packet. In tunnel mode, the most commonly used mode, IPSEC encrypts the entire packet and adds on a new IP and ESP header.

Authentication Header
AH is used to ensure data integrity, origination authentication, and limited anti-replay protection. AH does not encrypt the IP datagram, so it does not need to use an encryption algorithm. In tunnel mode, the most commonly used mode, IPSEC hashes the entire packet and adds on a new IP and AH header.

Notes

Integrated Security Appliance

A-11

Appendix A: VPN and Encryption Technologies

Security Associations
A Security Association (SA) defines how two hosts communicate with each other using IPSEC. An SA defines: Which protocol to use. Which encapsulation mode to use. The keys involved. The duration for which the keys are valid. SAs are maintained in an SA database (SADB) for the lifetime of the IPSEC connection, which can be defined in seconds or in bytes transferred. Each host creates a minimum of two SAs: SAin and SAout. If the hosts use more than one protocol, such as ESP and AH, then additional pairs of SAs are created for each protocol. SAs are created either manually and off-line, such as in manual keying IPSEC, or automatically by a key management protocol, such as IKE. Since a single host may need to maintain many different security associations, SAs are referenced using a unique 32-bit address called a security parameters index or SPI. The initiator includes the SPI in the ESP or AH header so that the responder can locate the correct SA for the packet.

Notes

A-12

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies

Internet Key Exchange


Introduction to ISAKMP/Oakley
ISAKMP/Oakley is a hybrid protocol. It integrates the Internet Security Association and Key Management Protocol (ISAKMP) with a subset of the Oakley key exchange scheme. ISAKMP/Oakley provides a way to: Agree on which protocols, algorithms, and keys to use (negotiation services) ensure from the beginning of the exchange that youre talking to whom you think youre talking to (primary authentication services) Manage those keys after theyve been agreed upon (key management) Exchange those keys safely This combined technique is now referred to as Internet Key Exchange (IKE), and it provides a dynamic method for creating Security Associations (SAs) and exchanging keys for use by IPSEC. IKE enables the keys and SAs to be exchanged in a multi-phase process: Phase 1 - often referred to as the IKE phase Phase 2 - often referred to as the IPSEC phase

IKE Phase 1
Phase 1 begins with an exchange of proposals on how to protect the secure channel. This involves exchanging public keys and agreeing on all of the components of the security association. The two hosts exchange the following information: Encryption algorithms and hashing-algorithms A Diffie-Hellman group and nonce (pseudo-random number) A preshared key or a certificate that proves their identity The IKE Phase 1 session results in a shared SA that will define the encrypted channel over which Phase 2 can take place.

Notes

Integrated Security Appliance

A-13

Appendix A: VPN and Encryption Technologies

Phase 1 Modes
Phase 1 uses one of two modes: Main Aggressive

Main Mode
In main mode, the initiator (client) and responder (server) exchange six packets:

The steps are as follows:


1. The initiator sends an IKE proposal to the responder that contains

the encryption and the authentication algorithms for the Phase 1 negotiation.
2. The responder accepts the proposal. 3. The initiator sends a Diffie-Hellman proposal and a nonce value

(random number).

Notes

A-14

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies


4. The responder accepts the Diffie-Hellman proposal, and then sends

its own nonce value.


5. The initiator sends its proof of identity, which is a certificate or a

pre-shared secret key.


6. The responder sends its proof of identity, which is a certificate or a

pre-shared secret key.

Aggressive Mode
With Aggressive mode connections, the Initiator and Responder exchange only three packets:

Here are the steps:


1. The initiator sends the IKE proposal for encryption and

authentication, starts the Diffie-Hellman exchange, and then sends its nonce value and proof of identity.
2. The responder accepts the security proposal, and then sends its own

nonce value and proof of identity.


3. The initiator confirms the identity and the exchange.

While aggressive mode saves three packets during negotiation, it sends ID information in the clear and is open to denial of service attacks.

Notes

Integrated Security Appliance

A-15

Appendix A: VPN and Encryption Technologies


Note: If the initiator has a dynamic IP address, aggressive mode is the

only method that can be used.

IKE Phase 2
Phase 2 negotiation looks very similar to Phase 1 in Aggressive Mode. It is a three packet exchange used to establish a shared SA on both sides. The primary difference between Phase 1 in Aggressive Mode and Phase 2 is that Phase 2 negotiation is encrypted using the SAs negotiated in Phase 1. Hosts use the following items in a proposal: Security protocol: Authentication Header (AH) or Encapsulating Security Protocol (ESP) or both If ESP is involved, an Encryption method (DES, 3DES, or AES) If AH is involved, an Authentication algorithm (MD5 or SHA1) If Perfect Forward Secrecy is used, a Diffie-Hellman group At the end of Phase 2, a shared SA has been securely negotiated through an encrypted channel. We are now ready to encrypt our communication.

Notes

A-16

Integrated Security Appliance

Appendix A: VPN and Encryption Technologies

Phase 2 Mode
Phase 2 takes place in "quick mode".

IKE policies
IKE policies define the security protocol, authentication algorithm, and other necessary information needed to create Security Associations (SAs) and to exchange keys.

IKE XAuth
XAuth, which is short for extended authentication, provides secondary authentication for the IKE session using username/password pairs rather than preshared secrets or digital certificates. After IKE Phase I is completed, an extra session occurs in which the remote VPN and peer send a message requesting a user name and password. The local peer prompts the user for it or finds it in a policy, and then forwards it to the remote peer. The remote peer validates the user name and password pair. There are two methods for authenticating the name/password pair: Generic, which uses a built-in local database Radius, which passes the information to a Radius server

Notes

Integrated Security Appliance

A-17

Appendix A: VPN and Encryption Technologies

Notes

A-18

Integrated Security Appliance